From: Daniel J Walsh <dwalsh@redhat.com>
To: "Christopher J. PeBenito" <cpebenito@tresys.com>
Cc: SELinux Mail List <selinux@tycho.nsa.gov>
Subject: Re: With the release of Fedora Core 7 I have bumped the policy version in Rawhide
Date: Fri, 01 Jun 2007 11:57:23 -0400
Message-ID: <466041E3.6080705@redhat.com>
In-Reply-To: <1180710064.28862.5.camel@sgc.columbia.tresys.com>
Christopher J. PeBenito wrote:
> On Thu, 2007-05-31 at 14:54 -0400, Daniel J Walsh wrote:
>
>> Tomorrow's rawhide will have selinux-policy-3.0.1.
>>
>> This policy is the first release of the merged (strict/targeted)
>> policy. As such there is no longer a selinux-policy-strict. This is
>> real experimental and I expect some problems. I have been running it
>> here for a couple of days.
>>
>> With this policy you can install the strict type users staff_u, user_u,
>> sysadm_u, as well as unconfined_u/system_u. You should be able to
>> mix and match the users. So if you want to set up a Guest X-Windows
>> login you would set it up with a user of user_u:user_r:user_t. And you
>> might have your regular login as system_u:unconfined_r:unconfined_t.
>>
>
> As a side note, an unconfined_u seuser is going to be added,
> which will be the appropriate seuser to use for unconfined users. So
> eventually you'll end up with unconfined_u:unconfined_r:unconfined_t.
>
>
>> The idea is if you remove the unconfined policy package, you will be
>> basically running in strict policy mode. (This has not been tested.)
>>
>
> Actually you also have to take out anaconda and firstboot since they
> unconditionally depend on unconfined. Otherwise it should work.
>
>
Well, in the process of making unconfined.te a module, I found lots of
other gotchas, but I will send those to you later.
I am holding off on updating until I get some more testing. I want this
change to go smoothly and not force a relabel, since eventually we
will be updating from F-7 to F-8 and from RHEL5 to RHEL6.
I am looking into doing something like this in the post.
Currently __default__ logs in as user_u, which has far fewer privs than
unconfined_t, and I still want the default to be unconfined_t. So changing
the user to system_u achieves this.
I can't put unconfined_u into the users build, since this blows up with
unconfined as a loadable module.
%triggerpost targeted -- selinux-policy-targeted <= 3.0.1
semanage login -m -s system_u __default__
semanage login -m -s system_u root
semanage user -m -P sysadm -R "staff_r sysadm_r system_r" root
semanage user -m -P user -R user_r user_u
semanage user -a -P staff -R "staff_r sysadm_r" staff_u
Also adding (attachments):
/etc/selinux/targeted/contexts/users/user_u
/etc/selinux/targeted/contexts/users/staff_u
These probably need to be reviewed so that we can get the default_contexts
stuff right.
[-- Attachment #2: staff_u --]
[-- Type: text/plain, Size: 516 bytes --]
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 mailman_r:user_crond_t:s0
system_r:xdm_t:s0 staff_r:staff_t:s0
staff_r:staff_su_t:s0 staff_r:staff_t:s0
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
[-- Attachment #3: user_u --]
[-- Type: text/plain, Size: 282 bytes --]
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
system_r:crond_t:s0 user_r:user_crond_t:s0
system_r:xdm_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 user_r:user_t:s0
user_r:user_sudo_t:s0 user_r:user_t:s0
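As an added illustration (this is not code from the message, nor from libselinux or the Fedora policy), the following models how a per-seuser contexts file such as the attached staff_u is consulted when a login program chooses a session context, and how it interacts with the role list given to `semanage user -R` in the scriptlet above. The matching rule is a simplified reading of get_ordered_context_list(3): every line whose first field matches the role:type of the calling process contributes its candidates in file order, and a candidate whose role the seuser may not enter is dropped. The role sets below assume the %triggerpost scriptlet has been applied; the real library asks the kernel which contexts are reachable rather than checking roles itself, and this model uses a single MLS level.

```python
"""
Model of how /etc/selinux/<policy>/contexts/users/<seuser> is consulted
when a login program (sshd, local_login, crond, xdm, ...) picks a context
for a session.  Added example; not libselinux code.  Simplifications:
role membership stands in for the kernel's reachable-context check, and
only one MLS level is used.
"""

# Constructed input: the two attachments from the message, copied verbatim.
STAFF_U_FILE = """\
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 mailman_r:user_crond_t:s0
system_r:xdm_t:s0 staff_r:staff_t:s0
staff_r:staff_su_t:s0 staff_r:staff_t:s0
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
"""

USER_U_FILE = """\
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
system_r:crond_t:s0 user_r:user_crond_t:s0
system_r:xdm_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 user_r:user_t:s0
user_r:user_sudo_t:s0 user_r:user_t:s0
"""

# Assumption: role assignments as they would stand after the %triggerpost
# scriptlet in the message ran its `semanage user ... -R` commands.
SEUSER_ROLES = {
    "staff_u": {"staff_r", "sysadm_r"},
    "user_u": {"user_r"},
    "root": {"staff_r", "sysadm_r", "system_r"},
}


def parse_contexts_file(text):
    """Return [(role, type, [candidate, ...]), ...], one per non-blank line.

    The first field of a line is the role:type[:level] of the calling
    process; the remaining fields are candidate role:type[:level] values.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        partner, *candidates = line.split()
        role, ctype = partner.split(":")[:2]
        entries.append((role, ctype, candidates))
    return entries


def role_type_of_context(context):
    """'user:role:type[:level]' -> (role, type)."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError("not a full security context: %r" % context)
    return fields[1], fields[2]


def ordered_contexts(file_text, seuser, source_context, allowed_roles, level="s0"):
    """Candidate session contexts for `seuser`, best first, without duplicates.

    A candidate whose role is not in `allowed_roles` is dropped: this is
    where the `semanage user -R` list and the contexts file meet.  A
    candidate lacking a level gets `level` appended.
    """
    wanted = role_type_of_context(source_context)
    result = []
    for role, ctype, candidates in parse_contexts_file(file_text):
        if (role, ctype) != wanted:
            continue
        for cand in candidates:
            parts = cand.split(":")
            if parts[0] not in allowed_roles:
                continue
            if len(parts) == 2:
                parts.append(level)
            full = ":".join([seuser] + parts)
            if full not in result:
                result.append(full)
    return result


def default_context(file_text, seuser, source_context, allowed_roles):
    """First usable context, or None when no line matches the caller."""
    ctxs = ordered_contexts(file_text, seuser, source_context, allowed_roles)
    return ctxs[0] if ctxs else None


if __name__ == "__main__":
    for seuser, text in (("staff_u", STAFF_U_FILE), ("user_u", USER_U_FILE)):
        for src in ("system_u:system_r:sshd_t:s0", "system_u:system_r:crond_t:s0"):
            print(seuser, src, "->", ordered_contexts(text, seuser, src, SEUSER_ROLES[seuser]))
```

Two things the model makes visible: a staff_u login mapped with only `-R staff_r` never sees the sysadm_r candidates even though the file lists them, and the crond line's system_r and mailman_r candidates are silently dropped for staff_u because those roles are not in its list, which is the kind of thing a review of the attached files should catch.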
Thread overview:
2007-05-31 18:54 With the release of Fedora Core 7 I have bumped the policy version in Rawhide - Daniel J Walsh
2007-06-01 15:01 ` Christopher J. PeBenito
2007-06-01 15:57 ` Daniel J Walsh [this message]