Re: Processes running unconfined in Fedora Desktop 27

On 03/20/2018 09:46 PM, Nathan Owen wrote:
> I recently moved from Ubuntu to Fedora 27, in part due to selinux being enabled by default.
> 
> When I run `ps -alZ` I notice that there are a number of processes running unconfined (full list included below). 
> 
> Is it generally considered acceptable to have these processes running unconfined?  It seems like a security vulnerability to me.
> 
> If this is a vulnerability, does anyone know if it is safe to disable unconfined on my Fedora desktop and what would be the best way to go about this?
> 

Hi Nathan,

We don't confine users by default on Fedora; only system services are
confined by default. Whatever is executed by the user is unconfined.

If you would like to use confined users, please follow these steps:
https://plautrba.fedorapeople.org/selinux-confined-system-with-fedora-27.html

I need to say that you may see a few SELinux denials related to
staff_t; feel free to send them to this thread, and we can discuss them.

Lukas.

> Thank you,
> Nathan Owen
> 
> `ps -alZ | grep unconfined` output (plus header line for clarity):
> 
> LABEL                           F S   UID   PID  PPID  C PRI  NI ADDR SZ WCHAN  TTY          TIME CMD
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1444 1439  0 80 0 - 166430 SyS_po tty2 00:00:00 gnome-session-b
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1518 1444  5 80 0 - 1005208 SyS_po tty2 00:02:17 gnome-shell
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1574 1518  0 80 0 - 136312 SyS_ep tty2 00:00:17 Xwayland
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1621 1518  0 80 0 - 136717 SyS_po tty2 00:00:00 ibus-daemon
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1630 1621  0 80 0 - 96892 SyS_po tty2 00:00:00 ibus-dconf
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1632 1  0 80 0 - 128345 SyS_po tty2 00:00:00 ibus-x11
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1703 1444  0 80 0 - 127621 SyS_po tty2 00:00:00 gsd-mouse
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1704 1444  0 80 0 - 172146 SyS_po tty2 00:00:00 gsd-power
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1705 1444  0 80 0 - 139106 SyS_po tty2 00:00:00 gsd-print-notif
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1706 1444  0 80 0 - 163911 SyS_po tty2 00:00:00 gsd-rfkill
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1707 1444  0 80 0 - 127008 SyS_po tty2 00:00:00 gsd-screensaver
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1708 1444  0 80 0 - 141153 SyS_po tty2 00:00:00 gsd-sharing
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1711 1444  0 80 0 - 153280 SyS_po tty2 00:00:00 gsd-smartcard
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1713 1444  0 80 0 - 149563 SyS_po tty2 00:00:00 gsd-wacom
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1716 1444  0 80 0 - 165971 SyS_po tty2 00:00:00 gsd-xsettings
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1724 1444  0 80 0 - 138212 SyS_po tty2 00:00:00 gsd-sound
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1731 1444  0 80 0 - 127619 SyS_po tty2 00:00:00 gsd-a11y-settin
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1735 1444  0 80 0 - 150568 SyS_po tty2 00:00:00 gsd-a11y-keyboa
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1736 1444  0 80 0 - 136716 SyS_po tty2 00:00:00 gsd-datetime
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1738 1444  0 80 0 - 128251 SyS_po tty2 00:00:00 gsd-clipboard
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1739 1444  0 80 0 - 210310 SyS_po tty2 00:00:00 gsd-color
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1742 1444  0 80 0 - 245373 SyS_po tty2 00:00:00 gsd-media-keys
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1743 1444  0 80 0 - 148237 SyS_po tty2 00:00:00 gsd-housekeepin
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1745 1444  0 80 0 - 168438 SyS_po tty2 00:00:00 gsd-keyboard
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1803 1621  0 80 0 - 78439 SyS_po tty2 00:00:00 ibus-engine-sim
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1878 1444  0 80 0 - 298030 SyS_po tty2 00:00:00 evolution-alarm
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1884 1444  0 80 0 - 160994 SyS_po tty2 00:00:00 abrt-applet
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1889 1444  0 99 - - 197079 SyS_po tty2 00:00:00 tracker-miner-a
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1891 1444  0 99 19 - 183615 SyS_po tty2 00:00:00 tracker-miner-f
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1895 1444  0 99 - - 414121 SyS_po tty2 00:00:00 tracker-extract
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1901 1444  0 80 0 - 352568 SyS_po tty2 00:00:10 gnome-software
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1912 1444  0 80 0 - 142411 SyS_po tty2 00:00:00 seapplet
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1919 1444  0 80 0 - 69563 SyS_po tty2 00:00:00 gsd-disk-utilit
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 1937 1  0 80 0 - 154397 SyS_po tty2 00:00:00 gsd-printer
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4 S 1000 2610 1518  4 80 0 - 364264 SyS_po tty2 00:01:33 chrome
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 2617 2610  0 80 0 - 28706 - tty2 00:00:00 cat
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 2618 2610  0 80 0 - 28706 - tty2 00:00:00 cat
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4 S 1000 2621 2610  0 80 0 - 132436 - tty2 00:00:00 chrome
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4 S 1000 2622 2621  0 80 0 - 5996 - tty2 00:00:00 nacl_helper
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5 S 1000 2625 2621  0 80 0 - 132436 SyS_pp tty2 00:00:00 chrome
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 2707 2610  2 80 0 - 174162 SyS_po tty2 00:00:49 chrome
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1 S 1000 2721 2707  0 80 0 - 140547 - tty2 00:00:00 chrome
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1 S 1000 2747 2625  0 80 0 - 429151 - tty2 00:00:15 chrome
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1 S 1000 2799 2625  0 80 0 - 310051 - tty2 00:00:00 chrome
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1 S 1000 2828 2625  0 80 0 - 306781 - tty2 00:00:02 chrome
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 3612 1  0 80 0 - 497232 SyS_po tty2 00:00:09 slack
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 3615 3612  0 80 0 - 115362 SyS_pp tty2 00:00:00 slack
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 3646 3612  0 80 0 - 144992 SyS_po tty2 00:00:02 slack
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1 S 1000 3701 3615  0 80 0 - 303569 - tty2 00:00:01 slack
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1 S 1000 3776 2625  2 80 0 - 393635 - tty2 00:00:38 chrome
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1 S 1000 3798 2625  0 80 0 - 309618 - tty2 00:00:00 chrome
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1 S 1000 3908 3615  0 80 0 - 441636 - tty2 00:00:13 slack
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1 S 1000 5213 2625  8 80 0 - 325779 - tty2 00:00:46 chrome
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 5326 2146  0 80 0 - 38420 core_s pts/1 00:00:00 vim
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4 R 1000 5586 2151  0 80 0 - 35760 - pts/2 00:00:00 ps
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 S 1000 5587 2151  0 80 0 - 29882 - pts/2 00:00:00 grep


-- 
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
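As an added example, not part of the thread: a small POSIX shell/awk script that takes `ps -Z`-style output and summarises processes per SELinux type, so the unconfined_t set Nathan lists can be tracked before and after switching to confined users. The `domain_summary`/`unconfined_procs`/`unconfined_count` names and the embedded sample listing are my own assumptions; on a live system feed it `ps -eo label,pid,comm` instead.

```shell
#!/bin/sh
# Added example (not from the thread): summarise SELinux process domains from
# `ps -eo label,pid,comm`-style output and flag processes in unconfined_t.
# Assumes the security label is the first whitespace-separated field, as ps prints it.

# Constructed sample, mirroring the format of the listing in the question.
SAMPLE='LABEL                                     PID COMMAND
system_u:system_r:init_t:s0                   1 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023     812 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1518 gnome-shell
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2610 chrome
staff_u:staff_r:staff_t:s0-s0:c0.c1023      3001 vim
system_u:system_r:chkpwd_t:s0              3100 unix_chkpwd'

# Print "type count" pairs, one per line, most populous domain first.
# The type is the third colon-separated component of user:role:type:range.
domain_summary() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        split($1, ctx, ":"); types[ctx[3]]++
    } END { for (t in types) print t, types[t] }' | sort -k2,2nr -k1,1
}

# List "pid command" for every process whose SELinux type is unconfined_t.
unconfined_procs() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 ~ /:unconfined_t:/ { print $2, $3 }'
}

# Number of unconfined_t processes; 0 means every process in the listing is confined.
unconfined_count() {
    unconfined_procs "$1" | wc -l | tr -d ' '
}

# Live use: domain_summary "$(ps -eo label,pid,comm)"
domain_summary "$SAMPLE"
unconfined_procs "$SAMPLE"
```

After the confined-user setup from the linked guide, a user's session processes should appear here under staff_t (or user_t) rather than unconfined_t, which makes the count a quick check that the change took effect.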