On 04/25/2016 09:51 AM, Lukas Vrabec wrote:
On 04/22/2016 08:37 PM, Robin Lee Powell wrote:
>
> Does transitioning to unconfined_r/unconfined_t mean "I give up
> selinux go away" or does it mean "I'm about to do root-ish
> things"?
>
> I guess what I'm wondering is, is this:
>
> rlpowell ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL
>
> really what's wanted for a system that's trying to use selinux to
> the fullest, or is there some other role that more-accurately means
> "I'm doing root-ish things now"?
>
Hi,
The unconfined_t domain can do almost anything on your system.
In Fedora we don't use confined users by default, so you need to
configure this SELinux feature.
If you would like to use confined users, you can find some information
here:
http://danwalsh.livejournal.com/66587.html
For users who can run sudo, you could use the staff_u SELinux user.
It is mostly about a separation between users and system processes with
Targeted policy in Fedora. It is about possible flows. You want to avoid
flows from confined domains to unconfined domains.
And as Lukas wrote above, we also offer a way to confine users from the
SELinux point of view.
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.