playing with unconfined domains and users on Fedora 16
Dominick Grift
dominick.grift at gmail.com
Thu Feb 2 14:01:56 UTC 2012
On Thu, 2012-02-02 at 14:13 +0100, Klaus Lichtenwalder wrote:
> Hi,
>
> after reading Dan's Blog post about upping the security with SE Linux I
> thought I'd give it another try. So I did the following on my Netbook,
> which is a Fedora 16 XFCE Spin:
>
> (I'm playing in Permissive mode right now ;-)
>
> semodule -d unconfined
>
> Which was relatively painless after a reboot (only NetworkManager
> seems to have problems (re)starting sendmail, but I did not want to use
> this anyway)
>
> So I went further:
> # semanage login -m -s staff_u root
> # semanage login -m -s staff_u __default__
> # semanage user -d unconfined_u
> # semanage user -m -R "staff_r system_r sysadm_r" staff_u
>
> I did not remove the unconfineduser for the moment.
>
> The following happens, which I guess is a bug in gpg-agents policy?
>
> Output of audit2allow
> #============= gpg_agent_t ==============
> #!!!! The source type 'gpg_agent_t' can write to a 'dir' of the following types:
> # tmp_t, gpg_agent_tmp_t, gpg_secret_t
>
> allow gpg_agent_t cache_home_t:dir { write add_name };
> #!!!! The source type 'gpg_agent_t' can write to a 'file' of the following types:
> # gpg_agent_tmp_t, gpg_secret_t
>
> allow gpg_agent_t cache_home_t:file { write create open getattr };
> allow gpg_agent_t gpg_secret_t:sock_file { write create };
>
> which would render gpg-agent probably useless...
I have not encountered similar avc denials here. I wonder what I am
doing differently.
If you are sure you have configured gpg agent properly, then this may
indeed be a bug in policy.
The SELinux framework aims to make it easy for one to make adjustments
to policy.
>
>
> Then I'm coming on shaky ground. If I understand correctly, I have to
> have sudo rules for getting administrative work done. This is my sudoers
> rule, which seems to work:
>
> klaus ALL = TYPE=unconfined_t ROLE=system_r ALL
>
That's wrong:
klaus ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL
if you want to use unconfined_r as you have specified above then you
need to map the unconfined_r to the staff_u SELinux user:
semanage user -m -R "staff_r system_r sysadm_r unconfined_r" staff_u
> But I get the following avcs:
> #============= staff_sudo_t ==============
> allow staff_sudo_t unconfined_t:process transition;
>
> #============= staff_t ==============
> allow staff_t etc_t:file entrypoint;
> allow staff_t xauth_exec_t:file entrypoint;
>
> I did not try this with enforcing.
> Any recommendations?
> Full AVC Log is in the attachment
>
> Thanks,
> Klaus
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
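Added example (not code from this thread or from either poster): a small POSIX shell check for the mismatch discussed above, namely a sudoers rule whose ROLE= option names a role that is not mapped to the SELinux user the login resolves to. The function names and the embedded `semanage login -l` / `semanage user -l` samples are constructed for this example; the sample layout only approximates the real tool output.

```shell
#!/bin/sh
# Added example, not code from the thread: verify that the role named in a
# sudoers ROLE= option is one of the roles mapped to the SELinux user that
# the Linux login maps to. The corrected rule in the reply asks for
# unconfined_r, while staff_u had only been given
# "staff_r system_r sysadm_r"; this check flags exactly that before a
# switch to enforcing mode.

# Constructed approximation of `semanage login -l` output (not real data).
SAMPLE_LOGINS='Login Name    SELinux User    MLS/MCS Range     Service
__default__   staff_u         s0-s0:c0.c1023    *
klaus         staff_u         s0-s0:c0.c1023    *
root          staff_u         s0-s0:c0.c1023    *'

# Constructed approximation of `semanage user -l` after
#   semanage user -m -R "staff_r system_r sysadm_r" staff_u
SAMPLE_USERS='SELinux User   Prefix   MCS Level   MCS Range         SELinux Roles
staff_u        user     s0          s0-s0:c0.c1023    staff_r system_r sysadm_r
unconfined_u   user     s0          s0-s0:c0.c1023    system_r unconfined_r'

# Same, after the mapping suggested in the reply:
#   semanage user -m -R "staff_r system_r sysadm_r unconfined_r" staff_u
SAMPLE_USERS_FIXED='SELinux User   Prefix   MCS Level   MCS Range         SELinux Roles
staff_u        user     s0          s0-s0:c0.c1023    staff_r system_r sysadm_r unconfined_r
unconfined_u   user     s0          s0-s0:c0.c1023    system_r unconfined_r'

# selinux_user_for LOGIN LOGINS_TEXT
# Prints the SELinux user mapped to LOGIN, falling back to __default__.
selinux_user_for() {
    u=$(printf '%s\n' "$2" | awk -v l="$1" '$1 == l { print $2 }')
    [ -n "$u" ] || u=$(printf '%s\n' "$2" | awk '$1 == "__default__" { print $2 }')
    printf '%s\n' "$u"
}

# roles_for SEUSER USERS_TEXT
# Prints the roles mapped to SEUSER (columns 5 onward), single-space separated.
roles_for() {
    printf '%s\n' "$2" | awk -v u="$1" '$1 == u {
        s = ""; for (i = 5; i <= NF; i++) s = s (i > 5 ? " " : "") $i; print s }'
}

# sudo_rule_role RULE
# Prints the value of the ROLE= option in a sudoers rule (empty if absent).
sudo_rule_role() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
        if ($i ~ /^ROLE=/) print substr($i, 6) }'
}

# check_sudo_rule LOGIN RULE LOGINS_TEXT USERS_TEXT
# Returns 0 when the rule's ROLE= is mapped to LOGIN's SELinux user,
# 1 when it is not, 2 when the rule carries no ROLE= option.
check_sudo_rule() {
    role=$(sudo_rule_role "$2")
    [ -n "$role" ] || { echo "rule has no ROLE= option: $2"; return 2; }
    seuser=$(selinux_user_for "$1" "$3")
    roles=$(roles_for "$seuser" "$4")
    for r in $roles; do
        if [ "$r" = "$role" ]; then
            echo "ok: $1 -> $seuser is mapped to $role"
            return 0
        fi
    done
    echo "mismatch: $1 -> $seuser is not mapped to $role (mapped: $roles)"
    return 1
}

# Demonstration on the constructed data: the corrected rule against the
# thread's original mapping, then against the mapping with unconfined_r added.
RULE='klaus ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL'
check_sudo_rule klaus "$RULE" "$SAMPLE_LOGINS" "$SAMPLE_USERS" || true
check_sudo_rule klaus "$RULE" "$SAMPLE_LOGINS" "$SAMPLE_USERS_FIXED"
```

On a real host the two samples would be replaced by the actual `semanage login -l` and `semanage user -l` output. The check covers the role mapping only; it does not consult the loaded policy, so whether the policy lets the requested TYPE= run in that role still has to be confirmed with the real tools (and, as in the thread, in permissive mode first).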