selinux policy UBAC question

Dominick Grift domg472 at gmail.com
Mon Oct 25 14:27:22 UTC 2010


On Mon, Oct 25, 2010 at 02:45:54PM +0200, Roberto Sassu wrote:
> Hi all
> 
> I'm using the selinux policy shipped with Fedora 13 and UBAC turned on.
> I removed the unconfined package and I noted the unconfined_t domain with
> unconfined_u user is unable to access a file with another selinux user.
> I tried to build a custom module which contains the line:
> 
> ubac_process_exempt(unconfined_t)

Like it says, this only exempts the caller's access to processes.

In the sysadm module this is added:

ubac_process_exempt(sysadm_t)
ubac_file_exempt(sysadm_t)
ubac_fd_exempt(sysadm_t)

That should pretty much exempt the caller.
Note though that UBAC has issues. I am not sure how many issues in Fedora, but in normal refpolicy the *_admins do not work, because you want to start services as system_u, else unprivileged users won't be able to access resources. There is no way to change to system_u unless, I guess, you use runcon.

That brings us to the second issue, which is that you probably want to build policy with the sysadm_direct_initrc option enabled. That way you can, for example, run rpm/yum in the rpm_t domain as system_u. Else it will install files with the sysadm_u id, and then UBAC users cannot access them.

Those two issues were enough reason for me to turn it off (especially not being able to use the *_admins).


> 
> but this does not solve the issue. How do I configure the policy to allow some
> domains to circumvent the UBAC enforcement?
> Thanks in advance for replies.
> 
> Roberto Sassu
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
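As an added example, not part of the original thread, here is a complete refpolicy-style module that applies the same three exemptions the sysadm module gives sysadm_t to unconfined_t instead. The module name ubacexempt and its version are assumptions of this example; the interface names ubac_process_exempt, ubac_file_exempt and ubac_fd_exempt are the ones quoted above from the sysadm module.

```m4
## ubacexempt.te -- added example, not code from the original thread.
## Exempts unconfined_t from UBAC the way the refpolicy sysadm module
## exempts sysadm_t. Each UBAC constraint (process, file, fd) checks a
## separate exemption attribute, so one call is not enough: with only
## ubac_process_exempt, file and fd access by unconfined_t stays constrained.
## Module name "ubacexempt" and version 1.0 are assumptions of this example.

policy_module(ubacexempt, 1.0)

gen_require(`
	type unconfined_t;
')

# Process-to-process access (signals, ptrace, ...) across SELinux users.
ubac_process_exempt(unconfined_t)

# File access across SELinux users; this is the one the question is about.
ubac_file_exempt(unconfined_t)

# File descriptor use across SELinux users (inherited/passed fds).
ubac_fd_exempt(unconfined_t)
```

Build and load it with the Fedora policy devel Makefile, e.g. `make -f /usr/share/selinux/devel/Makefile ubacexempt.pp` followed by `semodule -i ubacexempt.pp`, then confirm with `semodule -l | grep ubacexempt`. Note that this only exempts unconfined_t itself; files created by other domains running as a non-system_u user are still subject to the second issue described above (files labelled with sysadm_u or another user id), which the exemptions do not address.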