RE: Labelling problems with a user directly running an application in a confined domain

Stephen,

OK.  I understand.  Thanks for all of the responses.

Kim

-----Original Message-----
From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx] 
Sent: Tuesday, April 01, 2014 1:53 PM
To: kim.lawson-jenkins@xxxxxxxxxxxx; selinux@xxxxxxxxxxxxx
Subject: Re: Labelling problems with a user directly running an application in a confined domain

On 04/01/2014 01:42 PM, Kim Lawson-Jenkins wrote:
>> I read on a SELinux-related blog that unconfined_r should be mapped
>> to staff_u when removing the unconfined domain, so I didn't remove
>> unconfined_r for all of the SELinux users.  Should I remove
>> unconfined_r for staff_u?
> 
> That doesn't make sense.  Can you cite this blog?
> 
> http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-eight-unconfined.html

It looks like his example was for the case where you remove only the
unconfined module, not unconfineduser.

I think you at least need to update
/etc/selinux/targeted/contexts/failsafe_context to use a different context
if fully removing unconfined_r/unconfined_t.  And certainly Red Hat isn't
testing that scenario.

> Kim's response - I'm updating a policy for an application that ran on
> RHEL5 using the then-supported strict policy.  I read that removing
> the unconfined domain will make the newer systems operate as the old
> strict policy, so I went with this method for updating the policy.  I
> hadn't heard about using mls as an alternative to removing the unconfined
> module.

The mls policy has always been strict policy + MLS (instead of MCS).
Whether or not the specific -mls package that your distribution includes has
everything you need I don't know.
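Stephen's point about failsafe_context, as an added example that is not part of this thread or of any SELinux tooling: the fallback login context in /etc/selinux/targeted/contexts/failsafe_context is a "role:type:level" string (the targeted default is unconfined_r:unconfined_t:s0), so once unconfined_r/unconfined_t are removed from the policy that entry points at nothing and the failsafe login path is broken. The script below checks a failsafe_context value against lists of roles and types. The role and type lists here are constructed for the example; on a live system they would come from the loaded policy (for instance `seinfo -r` and `seinfo -t` from setools, with the header line stripped, which is an assumption about that tool's output format).

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a failsafe_context entry
# after removing unconfined roles/types from the policy.
# failsafe_context holds "role:type:level", e.g. "unconfined_r:unconfined_t:s0".
# Both the role and the type must exist in the loaded policy, otherwise the
# fallback login context cannot be used.

# Constructed lists: roles and types as they might look after removing the
# unconfineduser module (not taken from a real policy).
POLICY_ROLES="object_r staff_r sysadm_r system_r user_r"
POLICY_TYPES="staff_t sysadm_t user_t init_t"

# Usage: check_failsafe_context CONTEXT ROLES TYPES
# Returns 0 if both the role and the type exist, 1 otherwise (reason on stderr).
check_failsafe_context() {
    ctx=$1
    roles=$2
    types=$3
    role=${ctx%%:*}          # first field: role
    rest=${ctx#*:}
    ctype=${rest%%:*}        # second field: type (level, if any, is ignored)
    role_ok=0
    type_ok=0
    for r in $roles; do
        [ "$r" = "$role" ] && role_ok=1
    done
    for t in $types; do
        [ "$t" = "$ctype" ] && type_ok=1
    done
    if [ "$role_ok" -eq 1 ] && [ "$type_ok" -eq 1 ]; then
        return 0
    fi
    [ "$role_ok" -eq 0 ] && echo "failsafe_context role '$role' is not in the policy" >&2
    [ "$type_ok" -eq 0 ] && echo "failsafe_context type '$ctype' is not in the policy" >&2
    return 1
}

# The targeted default: fails once unconfined_r/unconfined_t are gone.
check_failsafe_context "unconfined_r:unconfined_t:s0" "$POLICY_ROLES" "$POLICY_TYPES" \
    || echo "failsafe_context needs a replacement context"
# A replacement built from a role and type that survive the removal.
check_failsafe_context "staff_r:staff_t:s0" "$POLICY_ROLES" "$POLICY_TYPES" \
    && echo "staff_r:staff_t:s0 is a usable failsafe_context"
```

To run it against a real system, pass the contents of the failsafe_context file as the first argument and the policy's actual role and type lists as the second and third; the check only tells you that the names still exist, not that the role is authorised for the type or that the login user maps to that role, so it is a first sanity check rather than a full validation.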