playing with unconfined domains and users on Fedora 16

Dominick Grift dominick.grift at gmail.com
Thu Feb 2 14:01:56 UTC 2012


On Thu, 2012-02-02 at 14:13 +0100, Klaus Lichtenwalder wrote:
> Hi,
> 
> after reading Dan's Blog post about upping the security with SE Linux I
> thought I'd give it another try. So I did the following on my Netbook,
> which is a Fedora 16 XFCE Spin:
> 
> (I'm playing in Permissive mode right now ;-)
> 
> 	semodule -d unconfined
> 
> Which was relatively painless after a reboot (only NetworkManager
> seems to have problems (re)starting sendmail, but I did not want to use
> this anyway)
> 
> So I went further:
> # semanage login -m -s staff_u root
> # semanage login -m -s staff_u __default__
> # semanage user -d unconfined_u
> # semanage user -m -R "staff_r system_r sysadm_r" staff_u
> 
> I did not remove the unconfineduser for the moment.
> 
> The following happens, which I guess is a bug in gpg-agents policy?
> 
> Output of audit2allow
> 	#============= gpg_agent_t ==============
> 	#!!!! The source type 'gpg_agent_t' can write to a 'dir' of the following types:
> 	# tmp_t, gpg_agent_tmp_t, gpg_secret_t
> 
> 	allow gpg_agent_t cache_home_t:dir { write add_name };
> 	#!!!! The source type 'gpg_agent_t' can write to a 'file' of the following types:
> 	# gpg_agent_tmp_t, gpg_secret_t
> 
> 	allow gpg_agent_t cache_home_t:file { write create open getattr };
> 	allow gpg_agent_t gpg_secret_t:sock_file { write create };
> 
> which would render gpg-agent probably useless...

I have not encountered similar avc denials here. I wonder what I am
doing differently.

If you are sure you have configured gpg-agent properly, then this may
indeed be a bug in policy.

The SELinux framework aims to make it easy for one to make adjustments
to policy.

> 
> 
> Then I'm coming on shaky ground. If I understand correctly, I have to
> have sudo rules for getting administrative work done. This is my sudoers
> rule, which seems to work:
> 
> 	klaus   ALL = TYPE=unconfined_t ROLE=system_r ALL
> 

That's wrong:

klaus ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL

if you want to use unconfined_r as you have specified above then you
need to map the unconfined_r to the staff_u SELinux user:

semanage user -m -R "staff_r system_r sysadm_r unconfined_r" staff_u

> But I get the following avcs:
> 	#============= staff_sudo_t ==============
> 	allow staff_sudo_t unconfined_t:process transition;
> 
> 	#============= staff_t ==============
> 	allow staff_t etc_t:file entrypoint;
> 	allow staff_t xauth_exec_t:file entrypoint;
> 
> I did not try this with enforcing.
> Any recommendations?
> Full AVC Log is in the attachment
> 
> Thanks,
> Klaus
> 
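The point of the reply is that a sudoers `ROLE=` is only usable if that role is mapped to the caller's SELinux user (`semanage user -m -R ...`), which is exactly what the `staff_sudo_t unconfined_t:process transition` denial is about. The following is an added example, not code from either poster: a small POSIX sh checker that reads constructed samples shaped like `semanage login -l` and `semanage user -l` output (the lines and role lists are made up to match this thread), extracts `ROLE=` from a sudoers line, and reports whether the login's SELinux user has that role, printing the `semanage user -m -R` command that would fix a mismatch. `apply_role_mapping` models that fix on the in-memory table; on a real system you would feed the functions the actual command output instead of the sample strings.

```shell
#!/bin/sh
# Constructed sample of `semanage user -l` (SELinux User, Prefix, MCS Level, MCS Range, Roles).
SEUSERS_SAMPLE='staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r'

# Constructed sample of `semanage login -l` (Login Name, SELinux User, MLS/MCS Range).
LOGINS_SAMPLE='__default__     staff_u     s0-s0:c0.c1023
root            staff_u     s0-s0:c0.c1023'

# roles_for_seuser USER: print the roles mapped to an SELinux user (space-separated).
roles_for_seuser() {
  printf '%s\n' "$SEUSERS_SAMPLE" |
    awk -v u="$1" '$1 == u { for (i = 5; i <= NF; i++) printf "%s ", $i; print "" }'
}

# seuser_for_login LOGIN: Linux login -> SELinux user, falling back to __default__
# the way login/sshd do when there is no explicit mapping.
seuser_for_login() {
  seuser=$(printf '%s\n' "$LOGINS_SAMPLE" | awk -v l="$1" '$1 == l { print $2 }')
  [ -n "$seuser" ] ||
    seuser=$(printf '%s\n' "$LOGINS_SAMPLE" | awk '$1 == "__default__" { print $2 }')
  printf '%s\n' "$seuser"
}

# sudoers_role RULE: extract the ROLE=... value from a sudoers line (empty if absent).
sudoers_role() {
  printf '%s\n' "$1" |
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^ROLE=/) { sub(/^ROLE=/, "", $i); print $i } }'
}

# apply_role_mapping USER "ROLES": model `semanage user -m -R "ROLES" USER` on the sample table.
apply_role_mapping() {
  SEUSERS_SAMPLE=$(printf '%s\n' "$SEUSERS_SAMPLE" |
    awk -v u="$1" -v r="$2" '$1 == u { $0 = $1 "\t" $2 "\t" $3 "\t" $4 "\t" r } { print }')
}

# check_sudoers_rule LOGIN RULE: 0 if the rule's ROLE= is mapped to LOGIN's SELinux user,
# 1 otherwise (with the semanage command that would add the missing role).
check_sudoers_rule() {
  login=$1
  rule=$2
  role=$(sudoers_role "$rule")
  [ -n "$role" ] || { echo "no ROLE= in rule: $rule"; return 1; }
  seuser=$(seuser_for_login "$login")
  mapped=$(roles_for_seuser "$seuser")
  case " $mapped " in
    *" $role "*)
      echo "ok: $login -> $seuser has role $role"
      return 0 ;;
    *)
      echo "MISMATCH: $login -> $seuser lacks role $role"
      echo "fix: semanage user -m -R \"${mapped}${role}\" $seuser"
      return 1 ;;
  esac
}

# Walk through the thread: the rule from the reply fails until unconfined_r is mapped.
RULE='klaus ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL'
check_sudoers_rule klaus "$RULE"
apply_role_mapping staff_u "staff_r system_r sysadm_r unconfined_r"
check_sudoers_rule klaus "$RULE"
```

The checker only covers the role half of the context; whether `TYPE=unconfined_t` is reachable from that role is policy data (`seinfo -r unconfined_r -x` on a real system) that `semanage user -l` does not show, so the matching `allow ... :process transition` denial still has to be read from the audit log.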
