On 04/25/2016 09:51 AM, Lukas Vrabec wrote:
> On 04/22/2016 08:37 PM, Robin Lee Powell wrote:
>>
>> Does transitioning to unconfined_r/unconfined_t mean "I give up,
>> selinux go away" or does it mean "I'm about to do root-ish things"?
>>
>> I guess what I'm wondering is, is this:
>>
>> rlpowell ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL
>>
>> really what's wanted for a system that's trying to use selinux to
>> the fullest, or is there some other role that more accurately means
>> "I'm doing root-ish things now"?
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>
>
> Hi,
>
> The unconfined_t domain can do almost anything on your system.
> In Fedora we don't use confined users by default, so you need to
> configure this SELinux feature.
>
> If you would like to use confined users, you can find some information
> here:
> http://danwalsh.livejournal.com/66587.html
>
> For users who can run sudo, you could use the staff_u SELinux user.
>

It is mostly about a separation between users and system processes with
the Targeted policy in Fedora. It is about possible flows. You want to
avoid flows from confined domains to unconfined domains. And as Lukas
wrote above, we offer a way to confine users as well from the SELinux
point of view.

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
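The confined alternative Lukas and Miroslav point at, as an added example that is not part of the thread or of any Fedora/Red Hat documentation: map the login to the staff_u SELinux user and have sudo transition to a confined administrator role instead of unconfined_r/unconfined_t. The thread names only staff_u; the sysadm_r/sysadm_t target, the MCS range, the /etc/sudoers.d fragment and the helper function names are this example's assumptions. It requires root and the semanage tool (policycoreutils-python-utils) on a Fedora/RHEL targeted-policy host; on any other machine only the pure string helpers run.

```shell
#!/bin/sh
# Added example, not from the thread.  Maps a Linux account to staff_u and
# lets sudo transition it to sysadm_r/sysadm_t (assumed target) rather than
# to the unconfined_r/unconfined_t pair from the original question.

# Build the sudoers line.  ROLE= and TYPE= are the sudoers(5) keywords already
# used in the question; only the role/type values change.
sudoers_line() {
    user=$1
    role=${2:-sysadm_r}
    stype=${3:-sysadm_t}
    printf '%s ALL=(ALL) ROLE=%s TYPE=%s ALL\n' "$user" "$role" "$stype"
}

# Return success only when neither half of the target is unconfined, i.e.
# when sudo would still land in a confined domain.
is_confined_target() {
    case "$1/$2" in
        unconfined_r/*|*/unconfined_t) return 1 ;;
        *) return 0 ;;
    esac
}

# Apply the configuration.  Needs root; refuses an unconfined target and
# bails out when semanage is not installed.
apply_confined_sudo() {
    user=$1
    role=${2:-sysadm_r}
    stype=${3:-sysadm_t}
    is_confined_target "$role" "$stype" || { echo "refusing unconfined target" >&2; return 1; }
    command -v semanage >/dev/null 2>&1 || { echo "semanage not found" >&2; return 2; }

    # 1. Map the Linux login to the staff_u SELinux user (range assumed: the
    #    full MCS range used by the targeted policy).
    semanage login -a -s staff_u -r s0-s0:c0.c1023 "$user"

    # 2. Relabel the home directory so existing files carry the new SELinux
    #    user; -F forces the user part of the context to be reset too.
    restorecon -R -F "/home/$user"

    # 3. Drop the sudoers fragment and let visudo validate it before it is
    #    ever consulted.
    f="/etc/sudoers.d/$user"
    sudoers_line "$user" "$role" "$stype" > "$f"
    chmod 0440 "$f"
    visudo -c -f "$f"
}
```

The mapping only takes effect for new sessions: after the user logs in again, `id -Z` should report a staff_u:staff_r:staff_t context, and `id -Z` inside `sudo -i` should report staff_u:sysadm_r:sysadm_t, which is the "I'm doing root-ish things now" role without leaving the confined side of the flows Miroslav describes. If the login is already mapped, `semanage login -m` replaces `-a`.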