sir, I have following questions, I am using Centos 7,selinux in Tagrgted Enforced mode, please help
Q1: I have made a new user test1 and mapped that to SELINUX user user_u but when I switch to test3 its shows a label unconfined why?
[root@localhost ~]# /usr/sbin/useradd -Z user_u test3 && echo test3 | passwd --stdin test3
Changing password for user test3.
passwd: all authentication tokens updated successfully.
[root@localhost ~]# su test3
[test3@localhost root]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[test3@localhost root]$
Q2: When I logout from root and login as test3 then its show it's mapped label user_t why?
[test3@localhost ~]$ id -Z
user_u:user_r:user_t:s0
[test3@localhost ~]$
Q3: If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data...... So how can we restrict any unconfined process from accessing the docker daemon?
Please help in this regard thanks!
On 14-Dec-2016 10:37 am, "Naina Emmanuel" <nemmanuel1992@xxxxxxxxx> wrote:
Good morning,I have a question that unconfined (processes, users , directories) are supposed to be not secured by selinux... and Docker daemon is not accessed by confined user(staff, user)Q: if selinux by default producing unconfined_t users and root is also unconfined_t then where is the difference lies that root can talk to docker daemon and some user <user123> with same unconfined_t label can't access the docker daemon(creatte or start containers)Q: What these unconfined (user, Sir, processes) can do then? Means what processes or directories unconfined label can access??Thanks in advance
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
