On 12/14/2016 05:25 AM, Naina Emmanuel wrote:
Sir, I have the following questions. I am using
CentOS 7 with SELinux in targeted enforcing mode; please help.
Q1: I have made a new user test3 and mapped it
to the SELinux user user_u, but when I switch to test3 it
shows an unconfined label. Why?
[root@localhost ~]# /usr/sbin/useradd -Z user_u test3 && echo test3 | passwd --stdin test3
Changing password for user test3.
passwd: all authentication tokens updated successfully.
[root@localhost ~]# su test3
[test3@localhost root]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[test3@localhost root]$
su does not go through a full login process. We only enter user
domains through full login commands.
Q2: When I log out from root and log in as test3,
it shows its mapped label user_t. Why?
[test3@localhost ~]$ id -Z
user_u:user_r:user_t:s0
[test3@localhost ~]$
See above.
Q3: If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data... So how can we restrict any unconfined process from accessing the docker daemon?
Don't run the process as unconfined if you want it confined. Also,
access to docker.socket is controlled using DAC,
so an unconfined user running as non-root cannot talk to the socket;
he has to become root to talk to it.
http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/
Please help in this regard, thanks!
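As an added example that is not part of the thread (neither the poster's nor the replier's code): a small POSIX shell script with the checks a CentOS 7 admin could run to confirm both replies above. It reads the login mapping that `useradd -Z` writes to /etc/selinux/targeted/seusers and compares it with what `id -Z` reports, greps PAM service files for pam_selinux.so (which is what applies that mapping during a full login; /etc/pam.d/su does not run it, /etc/pam.d/login and /etc/pam.d/sshd do), and reproduces the DAC decision for the docker socket from its mode, owner and group. The file paths are the stock CentOS 7 locations; the function names, and the sample seusers entries, PAM lines and socket permissions in the comments, are my own constructions.

```shell
#!/bin/sh
# Added example, not from the list thread. Helpers that take their input as
# arguments so they can be exercised with constructed data; the commented
# invocations at the bottom run them against the live system.

# SELinux user field of a context string ("user_u:user_r:user_t:s0" -> user_u).
seuser_of_context() {
    printf '%s\n' "${1%%:*}"
}

# SELinux user the login-time mapping assigns to a Linux user, read from the
# seusers file (format: login:seuser:mls_range). Unmapped users get __default__.
mapped_seuser() {
    awk -F: -v u="$1" '
        $1 == u           { print $2; found = 1; exit }
        $1 == "__default__" { def = $2 }
        END               { if (!found) print def }
    ' "${2:-/etc/selinux/targeted/seusers}"
}

# "mapped" when a shell carries the SELinux user the mapping gives its Linux
# user (a full login), "inherited" when it kept the parent's SELinux user
# (the `su test3` case in the thread). Caveat: the two are indistinguishable
# when the mapping equals the parent's SELinux user, e.g. root -> a user mapped
# to unconfined_u.
context_origin() {
    if [ "$(seuser_of_context "$2")" = "$(mapped_seuser "$1" "$3")" ]; then
        echo mapped
    else
        echo inherited
    fi
}

# True when a PAM service file loads pam_selinux.so on an uncommented line.
pam_service_sets_context() {
    grep -qs '^[^#]*pam_selinux\.so' "$1"
}

# DAC decision for connecting to a unix socket: connect() needs write
# permission on the socket inode; root bypasses the mode bits. SELinux is not
# consulted here at all, which is the point of the docker.socket reply.
# Args: mode owner group user "space-separated groups of user"
socket_dac_allows() {
    mode=$1 owner=$2 group=$3 user=$4 groups=$5
    [ "$user" = root ] && return 0
    m=${mode#"${mode%???}"}                 # last three octal digits: u g o
    u=${m%??}; rest=${m#?}; g=${rest%?}; o=${m#??}
    in_group=0
    case " $groups " in *" $group "*) in_group=1 ;; esac
    if [ "$user" = "$owner" ]; then
        [ $(( u & 2 )) -ne 0 ]
    elif [ "$in_group" -eq 1 ]; then
        [ $(( g & 2 )) -ne 0 ]
    else
        [ $(( o & 2 )) -ne 0 ]
    fi
}

# On the real box (uncomment to run):
# semanage login -l
# context_origin "$(id -un)" "$(id -Z)" /etc/selinux/targeted/seusers
# for s in su login sshd; do
#     pam_service_sets_context /etc/pam.d/$s && echo "$s: runs pam_selinux" || echo "$s: no pam_selinux"
# done
# socket_dac_allows $(stat -c '%a %U %G' /var/run/docker.sock) "$(id -un)" "$(id -Gn)" \
#     && echo "can talk to dockerd" || echo "DAC denies the socket"
```

A non-root user who has been added to the docker group passes `socket_dac_allows`, which is exactly why the linked projectatomic post argues against handing out that group membership: DAC on the socket is the only gate for an unconfined process, and whoever gets through it controls a root-run daemon.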
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.