Removing unconfined type
Anamitra Dutta Majumdar (anmajumd)
anmajumd at cisco.com
Tue Jan 15 23:07:09 UTC 2013
Hi Dan,
We have removed the unconfined_u user type .We do not see it when we do a
semanage user -l
[root at vos-cm148 home]# semanage user -l
Labeling MLS/ MLS/
SELinux User Prefix MCS Level MCS Range
SELinux Roles
admin_u user s0 s0-s0:c0.c1023
sysadm_r system_r
git_shell_u user s0 s0
git_shell_r
guest_u user s0 s0
guest_r
root user s0 s0-s0:c0.c1023
sysadm_r system_r
specialuser_u user s0 s0
sysadm_r system_r
staff_u user s0 s0-s0:c0.c1023
staff_r sysadm_r system_r unconfined_r
sysadm_u user s0 s0-s0:c0.c1023
sysadm_r
system_u user s0 s0-s0:c0.c1023
system_r unconfined_r
user_u user s0 s0 user_r
xguest_u user s0 s0
xguest_r
But some file security contexts still have unconfined_u
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 .
dr-xr-xr-x. root root system_u:object_r:root_t:s0 ..
drwx------. admin administrator user_u:object_r:user_home_dir_t:s0
admin
drwxr-x---. ccmservice ccmbase
unconfined_u:object_r:user_home_dir_t:s0 ccmservice
drwx------. drfkeys drfkeys
unconfined_u:object_r:user_home_dir_t:s0 drfkeys
drwxr-x---. drfuser platform
unconfined_u:object_r:user_home_dir_t:s0 drfuser
drwxr-xr-x. informix informix system_u:object_r:user_home_dir_t:s0
informix
drwx------. pwrecovery platform
unconfined_u:object_r:user_home_dir_t:s0 pwrecovery
drwxr-x---. sftpuser sftpuser
unconfined_u:object_r:user_home_dir_t:s0 sftpuser
drwxr-x---. tomcat tomcat unconfined_u:object_r:tomcat_t:s0
tomcat
What would be the reason for that?
Thanks,
Anamitra
On 1/15/13 9:22 AM, "Daniel J Walsh" <dwalsh at redhat.com> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On 01/15/2013 12:19 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>> Hi Dan,
>>
>> Thanks for the prompt response.
>>
>> The reason I brought this thread alive is because I see a lot of
>>denials
>> after removing the unconfined type and doing a fixfiles && reboot and
>>as
>> you indicated They are many resources that have acquired unlabeled_t and
>> hence we see a lot of denials. So based on this I would like to ask when
>> exactly should we have the reboot after executing fixfiles. Should the
>> reboot be immediate after we have removed the unconfined type or can it
>> wait for a later time.
>>
>> Thanks, Anamitra
>>
>> On 1/15/13 9:08 AM, "Daniel J Walsh" <dwalsh at redhat.com> wrote:
>>
>> On 01/15/2013 11:48 AM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>>>> Hi Dominick,
>>>>>
>>>>> Can you help me understand why step 5 is needed.
>>>>>
>>>>> Thanks, Anamitra
>>>>>
>>>>> On 10/30/12 1:03 PM, "Dominick Grift" <dominick.grift at gmail.com>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, 2012-10-30 at 19:45 +0000, Anamitra Dutta Majumdar
>>>>>> (anmajumd) wrote:
>>>>>>> We are on RHEL6 and we need to remove the unconfined type from
>>>>>>> our targeted Selinux policies so that no process runs in the
>>>>>>> unconfined domain.
>>>>>>>
>>>>>>> In order to achieve that we have removed the unconfined module
>>>>>>> .Is there anything Else we need to do.
>>>>>>>
>>>>>>> Thanks, Anamitra
>>>>>>
>>>>>> You can also disable the unconfineduser module to make it even
>>>>>> more strict
>>>>>>
>>>>>> but if you do make sure that no users are mapped to unconfined_u
>>>>>> and relabel the file system because selinux will change contexts
>>>>>> that have unconfined_u in them to unlabeled_t is unconfined_u no
>>>>>> longer exists
>>>>>>
>>>>>> so in theory:
>>>>>>
>>>>>> 1. setenforce 0 2. change you logging mappings to exclude
>>>>>> unconfined_u 3. purge /tmp and /var/tmp 4. semodule unconfineduser
>>>>>> 5. fixfiles onboot && reboot
>>>>>>
>>>>>> I think that should take care of it
>>>>>>
>>>>>> Not though that even then there will be some unconfined domains
>>>>>> left
>>>>>>
>>>>>> There is no way to get them out without manually editing and
>>>>>> rebuilding the policy
>>>>>>
>>>>>> But if you disabled the unconfined and unconfineduser modules then
>>>>>> you are running pretty strict
>>>>>>
>>>>>>> -- selinux mailing list selinux at lists.fedoraproject.org
>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>
>>>>>>
>>>>>> -- selinux mailing list selinux at lists.fedoraproject.org
>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>
>>>>> -- selinux mailing list selinux at lists.fedoraproject.org
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>
>> If you have any files that are owned by unconfined_u they will become
>> unlabeled_t and not able to be used by confined domains, which is why
>>the
>> relabel is required.
>>
>
>If you have any processes running on your system that are unconfined_t
>then
>they will become unlabled_t and start generating AVC's. Any confined apps
>that are trying to read unlabeled_u files will start to fail also.
>
>It is probably best to do this at Single User mode/permissive and then
>cleanup
>the disk.
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.13 (GNU/Linux)
>Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
>iEYEARECAAYFAlD1kD8ACgkQrlYvE4MpobMgpwCfdh76bmMo/JeP0sljxv0pGxyo
>UJwAn0kE9Dde3tmy/gQPinhyu/e+JO5P
>=PsFL
>-----END PGP SIGNATURE-----
More information about the selinux
mailing list