The concept of unconfined_t

Dominick Grift domg472 at gmail.com
Thu Dec 9 09:26:19 UTC 2010



On 12/09/2010 02:46 AM, Jorge Fábregas wrote:
> On Wednesday 08 December 2010 05:30:52 Dominick Grift wrote:
>> In theory unconfined cannot: execmem, execmod, execstack, execheap by
>> default. In practice this can be worked around by toggling the
>> allow_execmem, allow_execstack booleans respectively.
>>
>> Also objects can be labelled with type textrel_shlib_t to allow execmod
>> which is done pretty often.
>>
>> The concept of unconfined_t is that, like the name suggests, this user
>> domain should be unconfined. In practice it's not that straightforward.
>> For example, the memory protections I described above aren't always
>> allowed by unconfined_t.
>>
>> Then there is the problem that unconfined_t needs to create files with
>> proper labels, and to do this it sometimes has to transition out of the
>> unconfined domain.
> 
> Thanks again Dominick. This is indeed overwhelming but nevertheless, I now
> have a better idea of what's behind unconfined_t (way more subtleties than
> expected :)
> 
> Now that I'm paying more attention to SELinux - from the desktop point of
> view - I was surprised to find out that Firefox runs as unconfined_t. I really
> thought that it was confined. I spent some time using sesearch and found out
> there's no firefox_t or mozilla_t around. Shouldn't the most used desktop app
> these days - a web browser - be confined? I was going to ask about this but
> then I found a blog post from Dan Walsh on "sandbox -X" where he mentions
> the difficulties of locking down Firefox or any other desktop app.

Locking down the desktop is a huge undertaking, and maintaining it is as
well. The audience for this is also limited. Most Fedora people do not
want to be confined.

Yet, I agree with you, and this is why I maintain my own policy that aims
to confine the whole (GNOME) desktop environment. It is not easy to use
and it is bug-ridden. But it certainly works very well for me.

http://fedorapeople.org/gitweb?p=domg472/public_git/refpolicy.git;a=summary

> I haven't tried sandbox -X...I will soon.

Sandbox is neat; the only issue I have with it is that usage is at the
discretion of the user. It is also different from confining the whole
desktop, where everything is isolated and not just Firefox (or whatever
app you run in a sandbox).

> 
> Thanks again!
> Jorge

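An added example (not part of the thread, and not Dominick's policy) that checks the points discussed above on a Fedora box: which allow_exec* booleans are on (each one removes a memory protection that unconfined_t otherwise keeps), which processes run in the unconfined_t domain, and which shared objects carry textrel_shlib_t. The boolean names allow_execheap and allow_execmod and the sandbox_x_t domain in the sample are assumed from the reference policy, not taken from the thread; sample command output is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: audit the unconfined_t memory-protection state discussed in the
# thread. Run with "live" to query the running system; with no argument the
# constructed samples below are used instead.

# stdin: `getsebool` output ("name --> on|off"); stdout: names that are on.
enabled_booleans() {
    awk '$2 == "-->" && $3 == "on" { print $1 }'
}

# stdin: `ps -eZ` output (context first, command name last); stdout: commands in unconfined_t.
unconfined_processes() {
    awk '$1 ~ /:unconfined_t:/ { print $NF }'
}

# stdin: `ls -Z` output (context followed by path); stdout: paths labelled textrel_shlib_t.
textrel_files() {
    awk '$1 ~ /:textrel_shlib_t:/ { print $NF }'
}

# Constructed samples standing in for live output. The sandbox_x_t line (assumed
# domain of a `sandbox -X` instance) must NOT be reported as unconfined_t.
SAMPLE_GETSEBOOL='allow_execmem --> on
allow_execstack --> off
allow_execheap --> off
allow_execmod --> on'
SAMPLE_PS='LABEL PID TTY TIME CMD
system_u:system_r:init_t:s0 1 ? 00:00:01 init
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2345 ? 00:00:12 firefox
unconfined_u:unconfined_r:sandbox_x_t:s0:c12,c34 2456 ? 00:00:02 firefox'
SAMPLE_LS='system_u:object_r:lib_t:s0 /usr/lib/libfoo.so
system_u:object_r:textrel_shlib_t:s0 /usr/lib/libproprietary.so'

if [ "${1:-}" = live ]; then   # query the running system
    bools=$(getsebool allow_execmem allow_execstack allow_execheap allow_execmod | enabled_booleans)
    procs=$(ps -eZ | unconfined_processes | sort -u)
    trel=$(ls -Z /usr/lib/*.so* /usr/lib64/*.so* 2>/dev/null | textrel_files)
else                           # use the constructed samples
    bools=$(printf '%s\n' "$SAMPLE_GETSEBOOL" | enabled_booleans)
    procs=$(printf '%s\n' "$SAMPLE_PS" | unconfined_processes | sort -u)
    trel=$(printf '%s\n' "$SAMPLE_LS" | textrel_files)
fi
printf 'booleans disabling memory protections for unconfined_t:\n%s\n' "${bools:-none}"
printf 'processes running as unconfined_t:\n%s\n' "${procs:-none}"
printf 'shared objects labelled textrel_shlib_t (execmod permitted):\n%s\n' "${trel:-none}"
```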
