Removing unconfined type

Anamitra Dutta Majumdar (anmajumd) anmajumd at cisco.com
Tue Jan 15 16:48:57 UTC 2013


Hi Dominick,

Can you help me understand why step 5 is needed?

Thanks,
Anamitra

On 10/30/12 1:03 PM, "Dominick Grift" <dominick.grift at gmail.com> wrote:

>
>
>On Tue, 2012-10-30 at 19:45 +0000, Anamitra Dutta Majumdar (anmajumd)
>wrote:
>> We are on RHEL6 and we need to remove the unconfined type from our
>> targeted SELinux policies so that no process runs in the unconfined domain.
>> 
>> In order to achieve that we have removed the unconfined module. Is there
>> anything else we need to do?
>> 
>> Thanks,
>> Anamitra
>
>You can also disable the unconfineduser module to make it even more
>strict
>
>but if you do make sure that no users are mapped to unconfined_u and
>relabel the file system because selinux will change contexts that have
>unconfined_u in them to unlabeled_t if unconfined_u no longer exists
>
>so in theory:
>
>1. setenforce 0
>2. change your logging mappings to exclude unconfined_u
>3. purge /tmp and /var/tmp
>4. semodule unconfineduser
>5. fixfiles onboot && reboot
>
>I think that should take care of it
>
>Note though that even then there will be some unconfined domains left
>
>There is no way to get them out without manually editing and rebuilding
>the policy
>
>But if you disabled the unconfined and unconfineduser modules then you
>are running pretty strict
>
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
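The two checks Dominick's reply relies on (no login mapped to unconfined_u, and nothing left running as unconfined before the relabel) are easy to script. The following is an added example written for this archive page, not code from either poster. It assumes the RHEL6-era column layout of `semanage login -l` and `ps -eZ`; the two sample outputs below are constructed so the script runs offline, and on a real host you would feed it the live command output instead.

```shell
#!/bin/sh
# Added example (not from the thread): audit helpers to run before and after
# disabling the unconfined / unconfineduser modules.
# Both sample inputs are constructed; replace with `semanage login -l` and
# `ps -eZ` output on a real system.

# Constructed sample of `semanage login -l` (assumed RHEL6 layout:
# login name, SELinux user, MLS/MCS range).
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range
__default__          unconfined_u         s0-s0:c0.c1023
root                 unconfined_u         s0-s0:c0.c1023
system_u             system_u             s0-s0:c0.c1023
alice                staff_u              s0-s0:c0.c1023'

# Constructed sample of `ps -eZ` (context first, then PID).
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:sshd_t:s0-s0:c0.c1023  890 ?  00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1234 pts/0 00:00:00 bash'

# Step 2 of the thread: print login names still mapped to unconfined_u.
# Reads semanage output on stdin and skips the header line.
unconfined_logins() {
    awk 'NR > 1 && $2 == "unconfined_u" { print $1 }'
}

# Print PIDs whose context carries unconfined_u or unconfined_t; these are
# the processes that would be left with a dangling context after removal.
unconfined_pids() {
    awk 'NR > 1 && ($1 ~ /^unconfined_u:/ || $1 ~ /:unconfined_t:/) { print $2 }'
}

# Combined gate: succeed (exit 0) only when neither list has entries.
# $1 = semanage login -l output, $2 = ps -eZ output.
audit_unconfined() {
    logins=$(printf '%s\n' "$1" | unconfined_logins)
    pids=$(printf '%s\n' "$2" | unconfined_pids)
    [ -z "$logins" ] && [ -z "$pids" ]
}

# Stand-alone run against the constructed samples.
if audit_unconfined "$SAMPLE_LOGINS" "$SAMPLE_PS"; then
    echo "clean: no unconfined_u mappings or unconfined processes"
else
    echo "unconfined_u logins:"
    printf '%s\n' "$SAMPLE_LOGINS" | unconfined_logins
    echo "unconfined PIDs:"
    printf '%s\n' "$SAMPLE_PS" | unconfined_pids
fi
```

The gate is meant to be run with `semanage login -l` and `ps -eZ` piped in just before the `fixfiles onboot && reboot` step: anything it lists would either be remapped by `semanage login -m` or terminated first, so the relabel does not leave unlabeled_t files behind.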


