Removing unconfined type

Tue Jan 15 17:22:07 UTC 2013

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/15/2013 12:19 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
> Hi Dan,
> 
> Thanks for the prompt response.
> 
> The reason I brought this thread alive is because I see a lot of denials 
> after removing the unconfined type and doing a fixfiles && reboot and as 
> you indicated They are many resources that have acquired unlabeled_t and
> hence we see a lot of denials. So based on this I would like to ask when
> exactly should we have the reboot after executing fixfiles. Should the
> reboot be immediate after we have removed the unconfined type or can it
> wait for a later time.
> 
> Thanks, Anamitra
> 
> On 1/15/13 9:08 AM, "Daniel J Walsh" <dwalsh at redhat.com> wrote:
> 
> On 01/15/2013 11:48 AM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>>> Hi Dominick,
>>>> 
>>>> Can you help me understand why step 5 is needed.
>>>> 
>>>> Thanks, Anamitra
>>>> 
>>>> On 10/30/12 1:03 PM, "Dominick Grift" <dominick.grift at gmail.com>
>>>> wrote:
>>>> 
>>>>> 
>>>>> 
>>>>> On Tue, 2012-10-30 at 19:45 +0000, Anamitra Dutta Majumdar
>>>>> (anmajumd) wrote:
>>>>>> We are on RHEL6 and we need to remove the unconfined type from
>>>>>> our targeted Selinux policies so that no process runs in the
>>>>>> unconfined domain.
>>>>>> 
>>>>>> In order to achieve that we have removed the unconfined module
>>>>>> .Is there anything Else we need to do.
>>>>>> 
>>>>>> Thanks, Anamitra
>>>>> 
>>>>> You can also disable the unconfineduser module to make it even
>>>>> more strict
>>>>> 
>>>>> but if you do make sure that no users are mapped to unconfined_u
>>>>> and relabel the file system because selinux will change contexts
>>>>> that have unconfined_u in them to unlabeled_t is unconfined_u no
>>>>> longer exists
>>>>> 
>>>>> so in theory:
>>>>> 
>>>>> 1. setenforce 0 2. change you logging mappings to exclude
>>>>> unconfined_u 3. purge /tmp and /var/tmp 4. semodule unconfineduser
>>>>> 5. fixfiles onboot && reboot
>>>>> 
>>>>> I think that should take care of it
>>>>> 
>>>>> Not though that even then there will be some unconfined domains
>>>>> left
>>>>> 
>>>>> There is no way to get them out without manually editing and 
>>>>> rebuilding the policy
>>>>> 
>>>>> But if you disabled the unconfined and unconfineduser modules then
>>>>> you are running  pretty strict
>>>>> 
>>>>>> -- selinux mailing list selinux at lists.fedoraproject.org 
>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>> 
>>>>> 
>>>>> -- selinux mailing list selinux at lists.fedoraproject.org 
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>> 
>>>> -- selinux mailing list selinux at lists.fedoraproject.org 
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>> 
> If you have any files that are owned by unconfined_u they will become 
> unlabeled_t and not able to be used by confined domains, which is why the 
> relabel is required.
> 

If you have any processes running on your system that are unconfined_t then
they will become unlabled_t and start generating AVC's.  Any confined apps
that are trying to read unlabeled_u files will start to fail also.

It is probably best to do this at Single User mode/permissive and then cleanup
the disk.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlD1kD8ACgkQrlYvE4MpobMgpwCfdh76bmMo/JeP0sljxv0pGxyo
UJwAn0kE9Dde3tmy/gQPinhyu/e+JO5P
=PsFL
-----END PGP SIGNATURE-----