playing with unconfined domains and users on Fedora 16

Klaus Lichtenwalder lichtenwalder at gmail.com
Thu Feb 2 13:13:38 UTC 2012


Hi,

after reading Dan's Blog post about upping the security with SE Linux I
thought I'd give it another try. So I did the following on my Netbook,
which is a Fedora 16 XFCE Spin:

(I'm playing in Permissive mode right now ;-)

	semodule -d unconfined

Which was relatively painless after a reboot (only NetworkManager
seems to have problems (re)starting sendmail, but I did not want to use
that anyway).

So I went further:
# semanage login -m -s staff_u root
# semanage login -m -s staff_u __default__
# semanage user -d unconfined_u
# semanage user -m -R "staff_r system_r sysadm_r" staff_u

I did not remove the unconfined user for the moment.

The following happens, which I guess is a bug in gpg-agent's policy?

Output of audit2allow:
	#============= gpg_agent_t ==============
	#!!!! The source type 'gpg_agent_t' can write to a 'dir' of the following types:
	# tmp_t, gpg_agent_tmp_t, gpg_secret_t

	allow gpg_agent_t cache_home_t:dir { write add_name };
	#!!!! The source type 'gpg_agent_t' can write to a 'file' of the following types:
	# gpg_agent_tmp_t, gpg_secret_t

	allow gpg_agent_t cache_home_t:file { write create open getattr };
	allow gpg_agent_t gpg_secret_t:sock_file { write create };

which would render gpg-agent probably useless...


Then I'm getting onto shaky ground. If I understand correctly, I have to
have sudo rules for getting administrative work done. This is my sudoers
rule, which seems to work:

	klaus   ALL = TYPE=unconfined_t ROLE=system_r ALL

But I get the following AVCs:
	#============= staff_sudo_t ==============
	allow staff_sudo_t unconfined_t:process transition;

	#============= staff_t ==============
	allow staff_t etc_t:file entrypoint;
	allow staff_t xauth_exec_t:file entrypoint;

I did not try this with enforcing.
Any recommendations?
The full AVC log is in the attachment.

Thanks,
Klaus

-- 
------------------------------------------------------------------------
 Klaus Lichtenwalder, Dipl. Inform.,  http://www.lichtenwalder.name
 PGP Key fingerprint: FEDE 1D2A EE70 FB60 9CA2  669D 2F59 3F34 6E81 5A89
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: AVC
URL: <http://lists.fedoraproject.org/pipermail/selinux/attachments/20120202/7041bc95/attachment.ksh>
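The audit2allow output quoted above carries two kinds of information: the generated `allow` rules, and the `#!!!!` hint lines listing the types the source domain may already write to. Before anyone loads such rules with semodule, it is worth checking which of them would widen the domain's write access to a type not in that hint set, which is exactly the gpg_agent_t / cache_home_t case in the mail. The following script is an added example, not part of the original post and not a Fedora or SELinux tool; it assumes the hint format shown in the mail (hint line followed by a `#`-prefixed, comma-separated type list), and the sample text is constructed from the rules quoted above.

```python
"""Flag audit2allow rules that widen a domain's write access.

Added example (not from the original post). Assumes audit2allow's
"#!!!! The source type 'X' can write to a 'CLASS' of the following types:"
hint, followed by a "# t1, t2, ..." line, as quoted in the mail.
"""
import re
from typing import NamedTuple

# Permissions that let the source domain modify the target object.
WRITE_PERMS = frozenset({"write", "append", "create", "unlink", "rename",
                         "setattr", "add_name", "remove_name", "rmdir"})

RULE_RE = re.compile(r"^\s*allow\s+(\S+)\s+([^\s:]+):(\S+)\s+(\{[^}]*\}|\S+?)\s*;")
HINT_RE = re.compile(r"The source type '([^']+)' can write to a '([^']+)' "
                     r"of the following types:")
TYPE_LIST_RE = re.compile(r"^\s*#\s*(\w+(?:\s*,\s*\w+)*)\s*$")


class Rule(NamedTuple):
    source: str
    target: str
    cls: str
    perms: frozenset


def parse_rules(text):
    """Return every 'allow src tgt:class perms;' line as a Rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        source, target, cls, perms = m.groups()
        rules.append(Rule(source, target, cls,
                          frozenset(perms.strip("{} ").split())))
    return rules


def parse_hints(text):
    """Return {(source, class): set of types already writable} from hint lines."""
    hints = {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = HINT_RE.search(line)
        if not m or i + 1 >= len(lines):
            continue
        types = TYPE_LIST_RE.match(lines[i + 1])
        if types:
            hints[(m.group(1), m.group(2))] = {
                t.strip() for t in types.group(1).split(",")}
    return hints


def widening_rules(text):
    """Rules granting a write-class permission on a type the domain
    could not already write to, according to the hints. Rules whose
    (source, class) pair has no hint are left alone: nothing to compare."""
    hints = parse_hints(text)
    flagged = []
    for r in parse_rules(text):
        if not (r.perms & WRITE_PERMS):
            continue
        known = hints.get((r.source, r.cls))
        if known is not None and r.target not in known:
            flagged.append(r)
    return flagged


# Constructed sample: the audit2allow output quoted in the mail.
SAMPLE = """
#============= gpg_agent_t ==============
#!!!! The source type 'gpg_agent_t' can write to a 'dir' of the following types:
# tmp_t, gpg_agent_tmp_t, gpg_secret_t

allow gpg_agent_t cache_home_t:dir { write add_name };
#!!!! The source type 'gpg_agent_t' can write to a 'file' of the following types:
# gpg_agent_tmp_t, gpg_secret_t

allow gpg_agent_t cache_home_t:file { write create open getattr };
allow gpg_agent_t gpg_secret_t:sock_file { write create };

#============= staff_sudo_t ==============
allow staff_sudo_t unconfined_t:process transition;

#============= staff_t ==============
allow staff_t etc_t:file entrypoint;
allow staff_t xauth_exec_t:file entrypoint;
"""

if __name__ == "__main__":
    for r in widening_rules(SAMPLE):
        print(f"widens write access: {r.source} -> {r.target}:{r.cls} "
              f"{sorted(r.perms)}")
```

Run on the sample, it reports the two cache_home_t rules (dir and file) as widening gpg_agent_t's write access; the sock_file rule is not flagged because audit2allow printed no hint for that class, and the staff_t / staff_sudo_t rules carry no write permissions. Feed it the real audit2allow output instead of SAMPLE to get the same triage for an arbitrary AVC log.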