-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/15/2013 12:19 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
Hi Dan,
Thanks for the prompt response.
The reason I brought this thread alive is because I see a lot of denials
after removing the unconfined type and doing a fixfiles && reboot and as
you indicated They are many resources that have acquired unlabeled_t and
hence we see a lot of denials. So based on this I would like to ask when
exactly should we have the reboot after executing fixfiles. Should the
reboot be immediate after we have removed the unconfined type or can it
wait for a later time.
Thanks, Anamitra
On 1/15/13 9:08 AM, "Daniel J Walsh" <dwalsh(a)redhat.com> wrote:
On 01/15/2013 11:48 AM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>> Hi Dominick,
>>>
>>> Can you help me understand why step 5 is needed.
>>>
>>> Thanks, Anamitra
>>>
>>> On 10/30/12 1:03 PM, "Dominick Grift"
<dominick.grift(a)gmail.com>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Tue, 2012-10-30 at 19:45 +0000, Anamitra Dutta Majumdar
>>>> (anmajumd) wrote:
>>>>> We are on RHEL6 and we need to remove the unconfined type from
>>>>> our targeted Selinux policies so that no process runs in the
>>>>> unconfined domain.
>>>>>
>>>>> In order to achieve that we have removed the unconfined module
>>>>> .Is there anything Else we need to do.
>>>>>
>>>>> Thanks, Anamitra
>>>>
>>>> You can also disable the unconfineduser module to make it even
>>>> more strict
>>>>
>>>> but if you do make sure that no users are mapped to unconfined_u
>>>> and relabel the file system because selinux will change contexts
>>>> that have unconfined_u in them to unlabeled_t is unconfined_u no
>>>> longer exists
>>>>
>>>> so in theory:
>>>>
>>>> 1. setenforce 0 2. change you logging mappings to exclude
>>>> unconfined_u 3. purge /tmp and /var/tmp 4. semodule unconfineduser
>>>> 5. fixfiles onboot && reboot
>>>>
>>>> I think that should take care of it
>>>>
>>>> Not though that even then there will be some unconfined domains
>>>> left
>>>>
>>>> There is no way to get them out without manually editing and
>>>> rebuilding the policy
>>>>
>>>> But if you disabled the unconfined and unconfineduser modules then
>>>> you are running pretty strict
>>>>
>>>>> -- selinux mailing list selinux(a)lists.fedoraproject.org
>>>>>
https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>
>>>>
>>>> -- selinux mailing list selinux(a)lists.fedoraproject.org
>>>>
https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>> -- selinux mailing list selinux(a)lists.fedoraproject.org
>>>
https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
If you have any files that are owned by unconfined_u they will become
unlabeled_t and not able to be used by confined domains, which is why the
relabel is required.
If you have any processes running on your system that are unconfined_t then
they will become unlabled_t and start generating AVC's. Any confined apps
that are trying to read unlabeled_u files will start to fail also.
It is probably best to do this at Single User mode/permissive and then cleanup
the disk.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird -
http://www.enigmail.net/
iEYEARECAAYFAlD1kD8ACgkQrlYvE4MpobMgpwCfdh76bmMo/JeP0sljxv0pGxyo
UJwAn0kE9Dde3tmy/gQPinhyu/e+JO5P
=PsFL
-----END PGP SIGNATURE-----