On 03/20/2018 09:46 PM, Nathan Owen wrote:
I recently moved from Ubuntu to Fedora 27, in part due to SELinux
being enabled by default.
When I run `ps -alZ` I notice that there are a number of processes running unconfined
(full list included below).
Is it generally considered acceptable to have these processes running unconfined? It
seems like a security vulnerability to me.
If this is a vulnerability, does anyone know if it is safe to disable unconfined on my
Fedora desktop and what would be the best way to go about this?
Hi Nathan,
We don't confine users by default on Fedora, only system services are
confined by default. What is executed by a user is unconfined.
If you would like to use confined users, please follow these steps:
https://plautrba.fedorapeople.org/selinux-confined-system-with-fedora-27....
I need to say that you may see a few SELinux denials related to
staff_t; feel free to send them to this thread and we can discuss it.
Lukas.
Thank you,
Nathan Owen
`ps -alZ | grep unconfined` output (plus header line for clarity):
--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
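An added check, not code from the thread, that summarises which SELinux domain each process runs in and which user owns it, so the split Lukas describes (confined system services, unconfined user session) is visible at a glance. It embeds a constructed sample of `ps -eo label,user,pid,comm` output; on a live box (assumed: procps-ng with SELinux support) pipe `ps -eo label,user,pid,comm --no-headers` into `summarise` or `count_unconfined` instead.

```shell
#!/bin/sh
# Added example, not from the thread. Summarises SELinux process labels
# by (user, domain) and counts processes in unconfined domains.
# Live usage (assumed procps-ng with SELinux support):
#   ps -eo label,user,pid,comm --no-headers | summarise
# The sample below is constructed so the script runs offline.

SAMPLE='system_u:system_r:init_t:s0 root 1 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 812 sshd
system_u:system_r:unconfined_service_t:s0 root 900 vendor-agent
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nathan 1444 gnome-session-b
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nathan 2610 chrome
staff_u:staff_r:staff_t:s0-s0:c0.c1023 alice 3001 bash'

# Extract the type (domain) from a full context, e.g.
# unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 -> unconfined_t
domain_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeeds when the domain is unconfined. unconfined_t is the default
# user domain from Lukas's reply; unconfined_service_t is the Fedora
# domain a systemd service lands in when no policy module covers it.
is_unconfined() {
    case "$1" in
        unconfined_t|unconfined_service_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Read ps lines on stdin, print "user domain count" per (user, domain).
summarise() {
    awk '{ split($1, ctx, ":"); key = $2 " " ctx[3]; n[key]++ }
         END { for (k in n) print k, n[k] }' | sort
}

# Read ps lines on stdin, print how many run in an unconfined domain.
count_unconfined() {
    n=0
    while read -r label user pid comm; do
        if is_unconfined "$(domain_of "$label")"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | summarise
printf 'unconfined processes: %s\n' "$(printf '%s\n' "$SAMPLE" | count_unconfined)"
```

In the sample, every unconfined_t process belongs to the user session and the only root process without its own domain is a service running as unconfined_service_t, which is the case worth following up on.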