playing with unconfined domains and users on Fedora 16
Klaus Lichtenwalder
lichtenwalder at gmail.com
Thu Feb 2 13:13:38 UTC 2012
Hi,
after reading Dan's Blog post about upping the security with SE Linux I
thought I'd give it another try. So I did the following on my Netbook,
which is a Fedora 16 XFCE Spin:
(I'm playing in Permissive mode right now ;-)
semodule -d unconfined
Which was relatively painless after a reboot (only NetworkManager
seems to have problems (re)starting sendmail, but I did not want to use
this anyway).
So I went further:
# semanage login -m -s staff_u root
# semanage login -m -s staff_u __default__
# semanage user -d unconfined_u
# semanage user -m -R "staff_r system_r sysadm_r" staff_u
I did not remove the unconfined user for the moment.
The following happens, which I guess is a bug in gpg-agent's policy?
Output of audit2allow:
#============= gpg_agent_t ==============
#!!!! The source type 'gpg_agent_t' can write to a 'dir' of the following types:
# tmp_t, gpg_agent_tmp_t, gpg_secret_t
allow gpg_agent_t cache_home_t:dir { write add_name };
#!!!! The source type 'gpg_agent_t' can write to a 'file' of the following types:
# gpg_agent_tmp_t, gpg_secret_t
allow gpg_agent_t cache_home_t:file { write create open getattr };
allow gpg_agent_t gpg_secret_t:sock_file { write create };
which would render gpg-agent probably useless...
Then I'm coming onto shaky ground. If I understand correctly, I have to
have sudo rules for getting administrative work done. This is my sudoers
rule, which seems to work:
klaus ALL = TYPE=unconfined_t ROLE=system_r ALL
But I get the following avcs:
#============= staff_sudo_t ==============
allow staff_sudo_t unconfined_t:process transition;
#============= staff_t ==============
allow staff_t etc_t:file entrypoint;
allow staff_t xauth_exec_t:file entrypoint;
I did not try this with enforcing.
Any recommendations?
The full AVC log is in the attachment.
Thanks,
Klaus
--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform., http://www.lichtenwalder.name
PGP Key fingerprint: FEDE 1D2A EE70 FB60 9CA2 669D 2F59 3F34 6E81 5A89