Removing unconfined type

Anamitra Dutta Majumdar (anmajumd) anmajumd at cisco.com
Thu Jan 17 00:37:45 UTC 2013


Hi Dan,

We are now able to remove the unconfined types and users successfully.
However, after this removal we see a large number of new denials related to
initrc_t, shown below:

# NOTE(review): audit2allow-style output pasted from the mail. The '#!!!!'
# hint lines were wrapped by the mail client, so their continuation lines
# (e.g. "types:" and the type lists) are no longer '#'-prefixed; this text
# will not load as a .te module as-is.
#
# NOTE(review): the '#!!!!' hints list target types initrc_t can already
# write to. audit2allow prints them to suggest that relabeling the denied
# object to one of those existing types (semanage fcontext + restorecon) may
# avoid a new allow rule entirely -- confirm the intended label before
# relabeling rather than picking one blindly.
#
# NOTE(review): several rules below would widen initrc_t well beyond what an
# init script should need if loaded wholesale: execute/execute_no_trans and
# unlink on admin_home_t, write into bin_t, etc_t, usr_t and var_t
# directories, name_bind on port_t and reserved_port_t, and
# security_t:security compute_av. Review each rule individually instead of
# loading the whole module. The many setattr-only denials presumably come
# from chown/chmod calls in startup scripts -- TODO confirm before allowing.
#============= initrc_t ==============
#!!!! The source type 'initrc_t' can write to a 'dir' of the following
types:
# var_log_t, ipsec_var_run_t, pam_var_run_t, ricci_var_lib_t,
rpm_var_lib_t, net_conf_t, quota_flag_t, etc_runtime_t, dirsrv_var_run_t,
udev_var_run_t, var_lib_nfs_t, virt_var_lib_t, mysqld_db_t, named_conf_t,
initrc_tmp_t, pam_var_console_t, system_dbusd_var_lib_t,
sanlock_var_run_t, cgroup_t, boot_t, cert_t, mnt_t, root_t, tmp_t,
device_t, dkim_milter_data_t, etc_t, file_t, fonts_t, tmpfs_t, lockfile,
pidfile, tmpfile, etc_mail_t, initrc_state_t, postgresql_db_t,
alsa_etc_rw_t, gconf_etc_t, var_spool_t, xserver_log_t, virt_cache_t,
var_lib_t, var_run_t, dhcpc_state_t, faillog_t, squid_log_t, core_log_t,
svc_svc_t

# NOTE(review): execute + execute_no_trans on admin_home_t lets initrc_t run
# files out of root's home directory without a domain transition, and unlink
# lets it delete them. Find which startup script does this; it is unlikely to
# be something the policy should permit.
allow initrc_t admin_home_t:dir { write remove_name };
allow initrc_t admin_home_t:file { execute unlink execute_no_trans setattr
};
allow initrc_t admin_home_t:lnk_file read;
allow initrc_t base_script_t:file { execute setattr read open ioctl
execute_no_trans };
#!!!! The source type 'initrc_t' can write to a 'dir' of the following
types:
# var_log_t, ipsec_var_run_t, ricci_var_lib_t, net_conf_t, quota_flag_t,
etc_runtime_t, dirsrv_var_run_t, udev_var_run_t, var_lib_nfs_t,
virt_var_lib_t, mysqld_db_t, named_conf_t, initrc_tmp_t,
system_dbusd_var_lib_t, sanlock_var_run_t, boot_t, cert_t, mnt_t, root_t,
tmp_t, device_t, etc_t, fonts_t, tmpfs_t, lockfile, etc_mail_t,
initrc_state_t, postgresql_db_t, alsa_etc_rw_t, gconf_etc_t, var_spool_t,
virt_cache_t, var_lib_t, var_run_t, dhcpc_state_t, faillog_t, squid_log_t,
core_log_t, svc_svc_t

# NOTE(review): write + add_name on bin_t lets initrc_t drop new entries into
# bin_t directories; if a startup script installs binaries, give the
# destination its own type rather than opening bin_t.
allow initrc_t bin_t:dir { write add_name };
allow initrc_t bin_t:file setattr;
allow initrc_t bps_log_t:dir setattr;
allow initrc_t ccm_t:dir setattr;
allow initrc_t ccm_t:file setattr;
#!!!! The source type 'initrc_t' can write to a 'dir' of the following
types:
# ricci_var_lib_t, dirsrv_var_run_t, mysqld_db_t, named_conf_t,
initrc_tmp_t, mnt_t, fonts_t, tmpfs_t, lockfile, initrc_state_t,
virt_cache_t, var_run_t, faillog_t, svc_svc_t

allow initrc_t cisco_etc_t:dir { write remove_name add_name setattr };
#!!!! The source type 'initrc_t' can write to a 'file' of the following
types:
# var_log_t, initrc_var_run_t, ipsec_var_run_t, mdadm_var_run_t,
ricci_var_lib_t, net_conf_t, quota_flag_t, etc_runtime_t,
dirsrv_var_run_t, udev_var_run_t, var_lib_nfs_t, virt_var_lib_t,
initrc_tmp_t, system_dbusd_var_lib_t, sanlock_var_run_t, boot_t, cert_t,
mnt_t, device_t, fonts_t, lockfile, etc_mail_t, initrc_state_t,
alsa_etc_rw_t, gconf_etc_t, var_spool_t, virt_cache_t, var_lib_t,
dhcpc_state_t, faillog_t, squid_log_t, core_log_t, svc_svc_t

allow initrc_t cisco_etc_t:file { write setattr read create unlink open };
allow initrc_t cli_script_t:file setattr;
allow initrc_t clm_port_t:tcp_socket name_bind;
allow initrc_t clm_port_t:udp_socket name_bind;
allow initrc_t cm_bin_t:file { execute setattr };
allow initrc_t cm_conf_t:dir setattr;
allow initrc_t cm_conf_t:file setattr;
allow initrc_t cm_lib_t:file { read execute open setattr };
allow initrc_t cm_lib_t:lnk_file read;
allow initrc_t cm_locale_t:dir setattr;
allow initrc_t cm_locale_t:file setattr;
allow initrc_t cm_log_t:dir setattr;
allow initrc_t cm_security_t:dir setattr;
allow initrc_t cm_t:file setattr;
allow initrc_t cm_war_t:file setattr;
#!!!! The source type 'initrc_t' can write to a 'dir' of the following
types:
# ricci_var_lib_t, dirsrv_var_run_t, mysqld_db_t, named_conf_t,
initrc_tmp_t, mnt_t, fonts_t, tmpfs_t, lockfile, initrc_state_t,
virt_cache_t, var_run_t, faillog_t, svc_svc_t

allow initrc_t common_t:dir { write add_name setattr };
#!!!! The source type 'initrc_t' can write to a 'file' of the following
types:
# var_log_t, initrc_var_run_t, ipsec_var_run_t, mdadm_var_run_t,
ricci_var_lib_t, net_conf_t, quota_flag_t, etc_runtime_t,
dirsrv_var_run_t, udev_var_run_t, var_lib_nfs_t, virt_var_lib_t,
initrc_tmp_t, system_dbusd_var_lib_t, sanlock_var_run_t, boot_t, cert_t,
mnt_t, device_t, fonts_t, lockfile, etc_mail_t, initrc_state_t,
alsa_etc_rw_t, gconf_etc_t, var_spool_t, virt_cache_t, var_lib_t,
dhcpc_state_t, faillog_t, squid_log_t, core_log_t, svc_svc_t

allow initrc_t common_t:file { write ioctl setattr read create open append
};
#!!!! The source type 'initrc_t' can write to a 'dir' of the following
types:
# var_log_t, ipsec_var_run_t, pam_var_run_t, ricci_var_lib_t,
rpm_var_lib_t, net_conf_t, quota_flag_t, etc_runtime_t, dirsrv_var_run_t,
udev_var_run_t, var_lib_nfs_t, virt_var_lib_t, mysqld_db_t, named_conf_t,
initrc_tmp_t, pam_var_console_t, system_dbusd_var_lib_t,
sanlock_var_run_t, cgroup_t, boot_t, cert_t, mnt_t, root_t, tmp_t,
device_t, dkim_milter_data_t, etc_t, file_t, fonts_t, tmpfs_t, lockfile,
pidfile, tmpfile, etc_mail_t, initrc_state_t, postgresql_db_t,
alsa_etc_rw_t, gconf_etc_t, var_spool_t, xserver_log_t, virt_cache_t,
var_lib_t, var_run_t, dhcpc_state_t, faillog_t, squid_log_t, core_log_t,
svc_svc_t

allow initrc_t db_t:dir { write remove_name };
allow initrc_t db_t:file { read unlink open setattr };
allow initrc_t device_t:sock_file write;
#!!!! This avc can be allowed using the boolean 'allow_ypbind'

# NOTE(review): the allow_ypbind hint above refers to the name_bind rule that
# follows; check what else that boolean enables before toggling it, and
# prefer a dedicated port type (semanage port) for the service's own port.
allow initrc_t dhcpc_port_t:udp_socket name_bind;
allow initrc_t dhcpd_initrc_exec_t:file setattr;
allow initrc_t drf_exec_t:file setattr;
# NOTE(review): create/rename/unlink/write on etc_t means initrc_t rewriting
# system configuration files; label the specific files a script edits with
# their own type instead of granting this on all of etc_t.
allow initrc_t etc_t:dir create;
allow initrc_t etc_t:file { rename write setattr create unlink append };
allow initrc_t hotplug_etc_t:file setattr;
#!!!! The source type 'initrc_t' can write to a 'file' of the following
types:
# var_log_t, initrc_var_run_t, ipsec_var_run_t, mdadm_var_run_t,
ricci_var_lib_t, net_conf_t, quota_flag_t, etc_runtime_t,
dirsrv_var_run_t, udev_var_run_t, var_lib_nfs_t, virt_var_lib_t,
named_conf_t, initrc_tmp_t, system_dbusd_var_lib_t, sanlock_var_run_t,
boot_t, cert_t, mnt_t, wtmp_t, sysctl_type, device_t, locale_t, fonts_t,
lockfile, etc_mail_t, initrc_state_t, alsa_etc_rw_t, gconf_etc_t,
var_spool_t, virt_cache_t, var_lib_t, dhcpc_state_t, faillog_t,
squid_log_t, core_log_t, lastlog_t, svc_svc_t

allow initrc_t hssi_t:file { write read ioctl open setattr };
#!!!! The source type 'initrc_t' can write to a 'dir' of the following
types:
# ricci_var_lib_t, dirsrv_var_run_t, mysqld_db_t, named_conf_t,
initrc_tmp_t, boot_t, mnt_t, device_t, fonts_t, tmpfs_t, lockfile,
initrc_state_t, virt_cache_t, faillog_t, svc_svc_t

allow initrc_t ibm_t:dir { write remove_name create add_name };
#!!!! The source type 'initrc_t' can write to a 'file' of the following
types:
# var_log_t, initrc_var_run_t, ipsec_var_run_t, mdadm_var_run_t,
ricci_var_lib_t, net_conf_t, quota_flag_t, etc_runtime_t,
dirsrv_var_run_t, udev_var_run_t, var_lib_nfs_t, virt_var_lib_t,
initrc_tmp_t, system_dbusd_var_lib_t, sanlock_var_run_t, boot_t, cert_t,
mnt_t, device_t, fonts_t, lockfile, etc_mail_t, initrc_state_t,
alsa_etc_rw_t, gconf_etc_t, var_spool_t, virt_cache_t, var_lib_t,
dhcpc_state_t, faillog_t, squid_log_t, core_log_t, svc_svc_t

allow initrc_t ibm_t:file { rename read lock create write unlink open
append };
allow initrc_t ibm_t:sock_file create;
# NOTE(review): write/rename/create/unlink on initrc_exec_t is initrc_t
# modifying its own entry-point binaries/scripts; allowing this lets a script
# running as initrc_t alter what runs as initrc_t on the next boot.
allow initrc_t initrc_exec_t:file { rename write setattr create unlink
append };
#!!!! The source type 'initrc_t' can write to a 'fifo_file' of the
following types:
# initrc_state_t, svc_svc_t

allow initrc_t initrc_tmp_t:fifo_file { write read create open };
allow initrc_t install_bin_t:file { execute setattr read open ioctl
execute_no_trans };
#!!!! The source type 'initrc_t' can write to a 'dir' of the following
types:
# var_log_t, ipsec_var_run_t, pam_var_run_t, ricci_var_lib_t,
rpm_var_lib_t, net_conf_t, quota_flag_t, etc_runtime_t, dirsrv_var_run_t,
udev_var_run_t, var_lib_nfs_t, virt_var_lib_t, mysqld_db_t, named_conf_t,
initrc_tmp_t, pam_var_console_t, system_dbusd_var_lib_t,
sanlock_var_run_t, cgroup_t, boot_t, cert_t, mnt_t, root_t, tmp_t,
device_t, dkim_milter_data_t, etc_t, file_t, fonts_t, tmpfs_t, lockfile,
pidfile, tmpfile, etc_mail_t, initrc_state_t, postgresql_db_t,
alsa_etc_rw_t, gconf_etc_t, var_spool_t, xserver_log_t, virt_cache_t,
var_lib_t, var_run_t, dhcpc_state_t, faillog_t, squid_log_t, core_log_t,
svc_svc_t

allow initrc_t install_t:dir { write remove_name };
allow initrc_t install_t:file unlink;
allow initrc_t ipprefsd_exec_t:file setattr;
allow initrc_t ipsec_exec_t:file setattr;
#!!!! The source type 'initrc_t' can write to a 'dir' of the following
types:
# ricci_var_lib_t, dirsrv_var_run_t, mysqld_db_t, named_conf_t,
initrc_tmp_t, mnt_t, fonts_t, tmpfs_t, lockfile, initrc_state_t,
virt_cache_t, var_run_t, faillog_t, svc_svc_t

allow initrc_t java_jdk_t:dir { write remove_name setattr };
allow initrc_t java_jdk_t:file { unlink setattr };
allow initrc_t java_jdk_t:lnk_file read;
allow initrc_t kdump_etc_t:file setattr;
allow initrc_t kdump_initrc_exec_t:file setattr;
allow initrc_t ntpd_log_t:file setattr;
#!!!! The source type 'initrc_t' can write to a 'dir' of the following
types:
# var_log_t, ipsec_var_run_t, pam_var_run_t, ricci_var_lib_t,
rpm_var_lib_t, net_conf_t, quota_flag_t, etc_runtime_t, dirsrv_var_run_t,
udev_var_run_t, var_lib_nfs_t, virt_var_lib_t, mysqld_db_t, named_conf_t,
initrc_tmp_t, pam_var_console_t, system_dbusd_var_lib_t,
sanlock_var_run_t, cgroup_t, boot_t, cert_t, mnt_t, root_t, tmp_t, var_t,
device_t, dkim_milter_data_t, etc_t, file_t, fonts_t, tmpfs_t, lockfile,
pidfile, tmpfile, etc_mail_t, initrc_state_t, postgresql_db_t,
alsa_etc_rw_t, gconf_etc_t, var_spool_t, xserver_log_t, virt_cache_t,
var_lib_t, var_run_t, dhcpc_state_t, faillog_t, squid_log_t, core_log_t,
svc_svc_t

allow initrc_t opt_ibm_t:dir write;
allow initrc_t opt_ibm_t:file { read execute open execute_no_trans };
allow initrc_t opt_ibm_t:lnk_file read;
allow initrc_t os_service_t:file { read execute open ioctl
execute_no_trans };
allow initrc_t os_t:file setattr;
allow initrc_t plat_bin_t:file { execute setattr read open ioctl
execute_no_trans };
#!!!! The source type 'initrc_t' can write to a 'dir' of the following
types:
# var_log_t, ipsec_var_run_t, ricci_var_lib_t, net_conf_t, quota_flag_t,
etc_runtime_t, dirsrv_var_run_t, udev_var_run_t, var_lib_nfs_t,
virt_var_lib_t, mysqld_db_t, named_conf_t, initrc_tmp_t,
system_dbusd_var_lib_t, sanlock_var_run_t, boot_t, cert_t, mnt_t, root_t,
tmp_t, device_t, etc_t, fonts_t, tmpfs_t, lockfile, etc_mail_t,
initrc_state_t, postgresql_db_t, alsa_etc_rw_t, gconf_etc_t, var_spool_t,
virt_cache_t, var_lib_t, var_run_t, dhcpc_state_t, faillog_t, squid_log_t,
core_log_t, svc_svc_t

allow initrc_t plat_conf_t:dir { write add_name };
#!!!! The source type 'initrc_t' can write to a 'file' of the following
types:
# var_log_t, initrc_var_run_t, ipsec_var_run_t, mdadm_var_run_t,
ricci_var_lib_t, net_conf_t, quota_flag_t, etc_runtime_t,
dirsrv_var_run_t, udev_var_run_t, var_lib_nfs_t, virt_var_lib_t,
initrc_tmp_t, system_dbusd_var_lib_t, sanlock_var_run_t, boot_t, cert_t,
mnt_t, device_t, fonts_t, lockfile, etc_mail_t, initrc_state_t,
alsa_etc_rw_t, gconf_etc_t, var_spool_t, virt_cache_t, var_lib_t,
dhcpc_state_t, faillog_t, squid_log_t, core_log_t, svc_svc_t

allow initrc_t plat_conf_t:file { write ioctl setattr read lock create
open };
allow initrc_t plat_conf_t:sock_file { write create };
allow initrc_t plat_jar_t:file setattr;
allow initrc_t plat_lib_t:file { read execute open };
allow initrc_t plat_lib_t:lnk_file read;
allow initrc_t plat_log_t:dir setattr;
allow initrc_t plat_log_t:file { write setattr };
allow initrc_t plat_script_t:file setattr;
allow initrc_t plat_script_t:lnk_file read;
#!!!! The source type 'initrc_t' can write to a 'dir' of the following
types:
# var_log_t, ipsec_var_run_t, pam_var_run_t, ricci_var_lib_t,
rpm_var_lib_t, net_conf_t, quota_flag_t, etc_runtime_t, dirsrv_var_run_t,
udev_var_run_t, var_lib_nfs_t, virt_var_lib_t, mysqld_db_t, named_conf_t,
initrc_tmp_t, pam_var_console_t, system_dbusd_var_lib_t,
sanlock_var_run_t, cgroup_t, boot_t, cert_t, mnt_t, root_t, tmp_t,
device_t, dkim_milter_data_t, etc_t, file_t, fonts_t, tmpfs_t, lockfile,
pidfile, tmpfile, etc_mail_t, initrc_state_t, postgresql_db_t,
alsa_etc_rw_t, gconf_etc_t, var_spool_t, xserver_log_t, virt_cache_t,
var_lib_t, var_run_t, dhcpc_state_t, faillog_t, squid_log_t, core_log_t,
svc_svc_t

allow initrc_t plat_t:dir { write remove_name };
allow initrc_t plat_t:file unlink;
allow initrc_t plugins_bin_t:file setattr;
#!!!! This avc can be allowed using the boolean 'allow_ypbind'

# NOTE(review): name_bind on port_t (any unreserved port) and on
# reserved_port_t (privileged ports) is far broader than a service needs;
# identify the listening daemon and assign its port a dedicated port type
# instead of granting these to initrc_t.
allow initrc_t port_t:tcp_socket name_bind;
allow initrc_t repository_port_t:tcp_socket name_bind;
allow initrc_t reserved_port_t:tcp_socket name_bind;
allow initrc_t reserved_port_t:udp_socket name_bind;
allow initrc_t rpm_script_tmp_t:file setattr;
allow initrc_t rpm_tmp_t:file setattr;
allow initrc_t security_t:file setattr;
# NOTE(review): security_t:security compute_av is a query to the kernel
# security server (as libselinux's avc/compute functions do); unusual for an
# init script -- find which program triggers it before allowing.
allow initrc_t security_t:security compute_av;
allow initrc_t self:unix_dgram_socket sendto;
allow initrc_t servm_exec_t:file setattr;
allow initrc_t setroubleshoot_var_log_t:file setattr;
allow initrc_t snmp_exec_t:file setattr;
allow initrc_t snmp_script_t:file setattr;
#!!!! The source type 'initrc_t' can write to a 'dir' of the following
types:
# var_log_t, ipsec_var_run_t, ricci_var_lib_t, net_conf_t, quota_flag_t,
etc_runtime_t, dirsrv_var_run_t, udev_var_run_t, var_lib_nfs_t,
virt_var_lib_t, mysqld_db_t, named_conf_t, initrc_tmp_t,
system_dbusd_var_lib_t, sanlock_var_run_t, boot_t, cert_t, mnt_t, root_t,
tmp_t, device_t, etc_t, fonts_t, tmpfs_t, lockfile, etc_mail_t,
initrc_state_t, postgresql_db_t, alsa_etc_rw_t, gconf_etc_t, var_spool_t,
virt_cache_t, var_lib_t, var_run_t, dhcpc_state_t, faillog_t, squid_log_t,
core_log_t, svc_svc_t

allow initrc_t snmp_t:dir { write remove_name add_name };
#!!!! The source type 'initrc_t' can write to a 'file' of the following
types:
# var_log_t, initrc_var_run_t, ipsec_var_run_t, mdadm_var_run_t,
ricci_var_lib_t, net_conf_t, quota_flag_t, etc_runtime_t,
dirsrv_var_run_t, udev_var_run_t, var_lib_nfs_t, virt_var_lib_t,
initrc_tmp_t, system_dbusd_var_lib_t, sanlock_var_run_t, boot_t, cert_t,
mnt_t, device_t, fonts_t, lockfile, etc_mail_t, initrc_state_t,
alsa_etc_rw_t, gconf_etc_t, var_spool_t, virt_cache_t, var_lib_t,
dhcpc_state_t, faillog_t, squid_log_t, core_log_t, svc_svc_t

allow initrc_t snmp_t:file { rename setattr read create write ioctl unlink
open };
allow initrc_t snmpd_initrc_exec_t:file { write rename create unlink
setattr };
# NOTE(review): read/write on ssh_home_t from initrc_t touches SSH key
# material and authorized_keys-style files; confirm which script needs this.
allow initrc_t ssh_home_t:dir setattr;
#!!!! The source type 'initrc_t' can write to a 'file' of the following
types:
# var_log_t, initrc_var_run_t, ipsec_var_run_t, mdadm_var_run_t,
ricci_var_lib_t, net_conf_t, quota_flag_t, etc_runtime_t,
dirsrv_var_run_t, udev_var_run_t, var_lib_nfs_t, virt_var_lib_t,
named_conf_t, initrc_tmp_t, system_dbusd_var_lib_t, sanlock_var_run_t,
boot_t, cert_t, mnt_t, wtmp_t, sysctl_type, device_t, locale_t, fonts_t,
lockfile, etc_mail_t, initrc_state_t, alsa_etc_rw_t, gconf_etc_t,
var_spool_t, virt_cache_t, var_lib_t, dhcpc_state_t, faillog_t,
squid_log_t, core_log_t, lastlog_t, svc_svc_t

allow initrc_t ssh_home_t:file { read write open setattr };
allow initrc_t sshd_initrc_exec_t:file setattr;
allow initrc_t syslog_conf_t:file { read ioctl open setattr };
allow initrc_t sysstat_log_t:file setattr;
allow initrc_t system_conf_t:file { write append };
allow initrc_t system_cron_spool_t:file setattr;
allow initrc_t taps_log_t:dir setattr;
allow initrc_t tmp_t:dir setattr;
#!!!! The source type 'initrc_t' can write to a 'file' of the following
types:
# var_log_t, initrc_var_run_t, ipsec_var_run_t, mdadm_var_run_t,
ricci_var_lib_t, net_conf_t, quota_flag_t, etc_runtime_t,
dirsrv_var_run_t, udev_var_run_t, var_lib_nfs_t, virt_var_lib_t,
named_conf_t, initrc_tmp_t, system_dbusd_var_lib_t, sanlock_var_run_t,
boot_t, cert_t, mnt_t, wtmp_t, sysctl_type, device_t, locale_t, fonts_t,
lockfile, etc_mail_t, initrc_state_t, alsa_etc_rw_t, mysqld_log_t,
gconf_etc_t, var_spool_t, virt_cache_t, var_lib_t, dhcpc_state_t,
faillog_t, squid_log_t, core_log_t, lastlog_t, svc_svc_t

allow initrc_t tmp_t:file { write open setattr };
allow initrc_t tmp_t:sock_file { write create setattr };
allow initrc_t tomcat_exec_t:file setattr;
allow initrc_t tomcat_log_t:dir setattr;
#!!!! The source type 'initrc_t' can write to a 'file' of the following
types:
# var_log_t, initrc_var_run_t, ipsec_var_run_t, mdadm_var_run_t,
ricci_var_lib_t, net_conf_t, quota_flag_t, etc_runtime_t,
dirsrv_var_run_t, udev_var_run_t, var_lib_nfs_t, virt_var_lib_t,
named_conf_t, initrc_tmp_t, system_dbusd_var_lib_t, sanlock_var_run_t,
boot_t, cert_t, mnt_t, wtmp_t, sysctl_type, device_t, locale_t, fonts_t,
lockfile, etc_mail_t, initrc_state_t, alsa_etc_rw_t, mysqld_log_t,
gconf_etc_t, var_spool_t, virt_cache_t, var_lib_t, dhcpc_state_t,
faillog_t, squid_log_t, core_log_t, lastlog_t, svc_svc_t

allow initrc_t tomcat_tmp_t:file { write open setattr };
allow initrc_t upgrade_exec_t:file setattr;
allow initrc_t user_home_dir_t:dir setattr;
allow initrc_t user_home_t:dir setattr;
allow initrc_t user_home_t:file setattr;
#!!!! The source type 'initrc_t' can write to a 'dir' of the following
types:
# ricci_var_lib_t, dirsrv_var_run_t, mysqld_db_t, named_conf_t,
initrc_tmp_t, mnt_t, fonts_t, tmpfs_t, lockfile, initrc_state_t,
virt_cache_t, faillog_t, svc_svc_t

# NOTE(review): generic create/rmdir/unlink on usr_t and var_t lets initrc_t
# add and remove arbitrary entries under those trees; the directories a
# script actually manages should get a specific type instead.
allow initrc_t usr_t:dir { write remove_name create rmdir add_name };
allow initrc_t usr_t:file unlink;
allow initrc_t var_log_t:dir setattr;
allow initrc_t var_log_t:lnk_file read;
allow initrc_t var_t:dir { remove_name create add_name rmdir };
allow initrc_t var_t:file { read create open setattr append };



Is this expected? Is there an easier way to address these denials than
writing a policy module containing all of these individual allow rules?

Thanks,
Anamitra

On 1/16/13 12:33 PM, "Daniel J Walsh" <dwalsh at redhat.com> wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On 01/16/2013 01:28 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>> Hi Dan,
>> 
>> I have a couple of more follow up questions.
>> 
>> 1. What we have seen on our systems is that just running restorecon -R
>> does not fix the issue. We need to run restorecon -R -F to force the full
>> file contexts to be applied. So it seems that the -F option does more
>> than -R alone. Is that a correct understanding?
>> 
>Yes. -F will fix the user/role/MLS fields as well as the type field;
>without -F, restorecon only fixes the type field.
>
>> 2. After removing the unconfined types and users and running restorecon
>> we see that root is still mapped to unconfined_u:
>> 
>> root                      unconfined_u              s0-s0:c0.c1023
>> 
>> Do we need to change this mapping as well? And if we do, would it have
>> any adverse effect on the system?
>> 
>No, this should be changed to sysadm_u, which will cause your root
>account to log in as sysadm_t.
>
>You might have to turn on a couple of booleans to allow sysadm_t to log in
>directly:
>
>ssh_sysadm_login --> off
>xdm_sysadm_login --> off
>
>> Thanks, Anamitra
>> 
>> 
>> 
>> On 1/15/13 3:15 PM, "Daniel J Walsh" <dwalsh at redhat.com> wrote:
>> 
>> On 01/15/2013 06:07 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>>>> Hi Dan,
>>>>> 
>>>>> We have removed the unconfined_u user type .We do not see it when we
>>>>> do a semanage user -l
>>>>> 
>>>>> [root at vos-cm148 home]# semanage user -l
>>>>> 
>>>>> Labeling   MLS/       MLS/ SELinux User    Prefix     MCS Level  MCS
>>>>> Range SELinux Roles
>>>>> 
>>>>> admin_u         user       s0         s0-s0:c0.c1023 sysadm_r
>>>>> system_r git_shell_u     user       s0         s0 git_shell_r
>>>>> guest_u user s0         s0 guest_r root            user       s0
>>>>> s0-s0:c0.c1023 sysadm_r system_r specialuser_u   user       s0
>>>>> s0 sysadm_r system_r staff_u         user       s0
>>>>> s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r sysadm_u
>>>>> user       s0 s0-s0:c0.c1023 sysadm_r system_u        user       s0
>>>>> s0-s0:c0.c1023 system_r unconfined_r user_u          user       s0 s0
>>>>> user_r xguest_u        user       s0 s0 xguest_r
>>>>> 
>>>>> 
>>>>> 
>>>>> But some file security contexts still have unconfined_u
>>>>> 
>>>>> drwxr-xr-x. root       root          system_u:object_r:home_root_t:s0
>>>>> . dr-xr-xr-x. root       root          system_u:object_r:root_t:s0 ..
>>>>>  drwx------. admin      administrator
>>>>> user_u:object_r:user_home_dir_t:s0 admin drwxr-x---. ccmservice
>>>>> ccmbase unconfined_u:object_r:user_home_dir_t:s0 ccmservice
>>>>> drwx------. drfkeys drfkeys unconfined_u:object_r:user_home_dir_t:s0
>>>>> drfkeys drwxr-x---. drfuser    platform
>>>>> unconfined_u:object_r:user_home_dir_t:s0 drfuser drwxr-xr-x. informix
>>>>> informix system_u:object_r:user_home_dir_t:s0 informix drwx------.
>>>>> pwrecovery platform unconfined_u:object_r:user_home_dir_t:s0
>>>>> pwrecovery drwxr-x---. sftpuser sftpuser
>>>>> unconfined_u:object_r:user_home_dir_t:s0 sftpuser drwxr-x---. tomcat
>>>>> tomcat        unconfined_u:object_r:tomcat_t:s0 tomcat
>>>>> 
>>>>> 
>>>>> What would be the reason for that?
>>>>> 
>>>>> 
>>>>> Thanks, Anamitra
>>>>> 
>>>>> On 1/15/13 9:22 AM, "Daniel J Walsh" <dwalsh at redhat.com> wrote:
>>>>> 
>>>>> On 01/15/2013 12:19 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>>>>>>> Hi Dan,
>>>>>>>> 
>>>>>>>> Thanks for the prompt response.
>>>>>>>> 
>>>>>>>> The reason I revived this thread is that I see a lot of
>>>>>>>> denials after removing the unconfined type and doing a
>>>>>>>> fixfiles && reboot. As you indicated, there are many resources
>>>>>>>> that have acquired unlabeled_t, and hence we see a lot of
>>>>>>>> denials. Based on this I would like to ask when exactly
>>>>>>>> the reboot should happen after executing fixfiles. Should the
>>>>>>>> reboot be immediate after we have removed the unconfined type,
>>>>>>>> or can it wait until a later time?
>>>>>>>> 
>>>>>>>> Thanks, Anamitra
>>>>>>>> 
>>>>>>>> On 1/15/13 9:08 AM, "Daniel J Walsh" <dwalsh at redhat.com>
>>>>>>>> wrote:
>>>>>>>> 
>>>>>>>> On 01/15/2013 11:48 AM, Anamitra Dutta Majumdar (anmajumd)
>>>>>>>> wrote:
>>>>>>>>>>> Hi Dominick,
>>>>>>>>>>> 
>>>>>>>>>>> Can you help me understand why step 5 is needed.
>>>>>>>>>>> 
>>>>>>>>>>> Thanks, Anamitra
>>>>>>>>>>> 
>>>>>>>>>>> On 10/30/12 1:03 PM, "Dominick Grift"
>>>>>>>>>>> <dominick.grift at gmail.com> wrote:
>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> On Tue, 2012-10-30 at 19:45 +0000, Anamitra Dutta
>>>>>>>>>>>> Majumdar (anmajumd) wrote:
>>>>>>>>>>>>> We are on RHEL6 and we need to remove the unconfined
>>>>>>>>>>>>> type from our targeted Selinux policies so that no
>>>>>>>>>>>>> process runs in the unconfined domain.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> In order to achieve that we have removed the
>>>>>>>>>>>>> unconfined module .Is there anything Else we need to
>>>>>>>>>>>>> do.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Thanks, Anamitra
>>>>>>>>>>>> 
>>>>>>>>>>>> You can also disable the unconfineduser module to make
>>>>>>>>>>>> it even more strict
>>>>>>>>>>>> 
>>>>>>>>>>>> but if you do, make sure that no users are mapped to
>>>>>>>>>>>> unconfined_u and relabel the file system, because
>>>>>>>>>>>> selinux will change contexts that have unconfined_u in
>>>>>>>>>>>> them to unlabeled_t if unconfined_u no longer exists
>>>>>>>>>>>> 
>>>>>>>>>>>> so in theory:
>>>>>>>>>>>> 
>>>>>>>>>>>> 1. setenforce 0  2. change your login mappings to
>>>>>>>>>>>> exclude unconfined_u  3. purge /tmp and /var/tmp  4.
>>>>>>>>>>>> disable the unconfineduser module (semodule -d unconfineduser)
>>>>>>>>>>>> 5. fixfiles onboot && reboot
>>>>>>>>>>>> 
>>>>>>>>>>>> I think that should take care of it
>>>>>>>>>>>> 
>>>>>>>>>>>> Note though that even then there will be some
>>>>>>>>>>>> unconfined domains left
>>>>>>>>>>>> 
>>>>>>>>>>>> There is no way to get them out without manually
>>>>>>>>>>>> editing and rebuilding the policy
>>>>>>>>>>>> 
>>>>>>>>>>>> But if you disabled the unconfined and unconfineduser
>>>>>>>>>>>> modules then you are running  pretty strict
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>> If you have any files that are owned by unconfined_u they will
>>>>>>>> become unlabeled_t and not able to be used by confined domains,
>>>>>>>> which is why the relabel is required.
>>>>>>>> 
>>>>> 
>>>>> If you have any processes running on your system that are
>>>>> unconfined_t then they will become unlabeled_t and start generating
>>>>> AVCs.  Any confined apps that are trying to read unlabeled_t files
>>>>> will start to fail also.
>>>>> 
>>>>> It is probably best to do this in single-user mode / permissive and
>>>>> then clean up the disk.
>>>>> 
>>>>> 
>> 
>> Because you have not relabeled them.
>> 
>> restorecon -R -F -v .
>> 
>> 
>> 
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.13 (GNU/Linux)
>Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
>iEYEARECAAYFAlD3DqYACgkQrlYvE4MpobOaVwCgshodynIrPestWf404bmGVzHf
>h7QAnjYKPUofQmgB7fKqMFo7p6Tuy4kn
>=Lk07
>-----END PGP SIGNATURE-----


