* With the release of Fedora Core 7 I have bumped the policy version in Rawhide
@ 2007-05-31 18:54 Daniel J Walsh
From: Daniel J Walsh @ 2007-05-31 18:54 UTC (permalink / raw)
  To: SE Linux

Tomorrow's rawhide will have selinux-policy-3.0.1.

This policy is the first release of the merged (strict/targeted) 
policy.  As such there is no longer a selinux-policy-strict.  This is 
really experimental and I expect some problems.  I have been running it 
here for a couple of days.

With this policy you can install the strict type users staff_u, user_u, 
sysadm_u, as well as unconfined_u/system_u.  You should be able to 
mix and match the users.  So if you want to set up a Guest X-Windows 
login you would set it up with a user of user_u:user_r:user_t.  And you 
might have your regular login as system_u:unconfined_r:unconfined_t.

The idea is if you remove the unconfined policy package, you will be 
basically running in strict policy mode.  (This has not been tested.) 

Dan

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: With the release of Fedora Core 7 I have bumped the policy version in Rawhide
From: Christopher J. PeBenito @ 2007-06-01 15:01 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux Mail List

On Thu, 2007-05-31 at 14:54 -0400, Daniel J Walsh wrote:
> Tomorrows rawhide will have selinux-policy-3.0.1. 
> 
> This policy is the first release of the merged (strict/targeted) 
> policy.  As such there is no longer a selinux-policy-strict.  This is 
> real experimental and I expect some problems.  I have been running it 
> here for a couple of days. 
> 
> With this policy you can install the strict type users staff_u, user_u, 
> sysadm_u.  As well as the unconfined_u/system_u.  You should be able to 
> mix and match the users.  So if you want to setup a Guest X-Windows 
> login you would set it up with a user of user_u:user_r:user_t.  And you 
> might have your regular login as system_u:unconfined_r:unconfined_t.

As a side note, an unconfined_u seuser is going to be added,
which will be the appropriate seuser to use for unconfined users.  So
eventually you'll end up with unconfined_u:unconfined_r:unconfined_t.

> The idea is if you remove the unconfined policy package, you will be 
> basically running in strict policy mode.  (This has not been tested.) 

Actually you also have to take out anaconda and firstboot since they
unconditionally depend on unconfined.  Otherwise it should work.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: With the release of Fedora Core 7 I have bumped the policy version in Rawhide
From: Daniel J Walsh @ 2007-06-01 15:57 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: SELinux Mail List

Christopher J. PeBenito wrote:
> On Thu, 2007-05-31 at 14:54 -0400, Daniel J Walsh wrote:
>   
>> Tomorrows rawhide will have selinux-policy-3.0.1. 
>>
>> This policy is the first release of the merged (strict/targeted) 
>> policy.  As such there is no longer a selinux-policy-strict.  This is 
>> real experimental and I expect some problems.  I have been running it 
>> here for a couple of days. 
>>
>> With this policy you can install the strict type users staff_u, user_u, 
>> sysadm_u.  As well as the unconfined_u/system_u.  You should be able to 
>> mix and match the users.  So if you want to setup a Guest X-Windows 
>> login you would set it up with a user of user_u:user_r:user_t.  And you 
>> might have your regular login as system_u:unconfined_r:unconfined_t.
>>     
>
> As a side note, an unconfined_u seuser is going to be added,
> which will be the appropriate seuser to use for unconfined users.  So
> eventually you'll end up with unconfined_u:unconfined_r:unconfined_t.
>
>   

>> The idea is if you remove the unconfined policy package, you will be 
>> basically running in strict policy mode.  (This has not been tested.) 
>>     
>
> Actually you also have to take out anaconda and firstboot since they
> unconditionally depend on unconfined.  Otherwise it should work.
>
>   
Well, in the process of making unconfined.te a module, I found lots of 
other gotchas, but I will send them to you later.

I am holding off on updating until I get some more testing.  I want this 
change to go smoothly and not force a relabel, since eventually we 
will be updating from F-7 to F-8 and from RHEL5 to RHEL6.


Looking into doing something like this in the post.

Currently __default__ logs in as user_u, which has much fewer privs than 
unconfined_t.  And I still want the default to be unconfined_t.  So changing 
the user to system_u achieves this.

I can't put unconfined_u into the users build, since this blows up with 
unconfined as a loadable module.

%triggerpost targeted -- selinux-policy-targeted <= 3.0.1
semanage login -m -s system_u __default__
semanage login -m -s system_u root
semanage user -m -P sysadm -R "staff_r sysadm_r system_r" root
semanage user -m -P user -R user_r user_u
semanage user -a -P staff -R "staff_r sysadm_r" staff_u

Also adding (attachments)
/etc/selinux/targeted/contexts/users/user_u
/etc/selinux/targeted/contexts/users/staff_u

These probably need to be reviewed, so that we can get the 
default_contexts stuff right.



[-- Attachment #2: staff_u --]
[-- Type: text/plain, Size: 516 bytes --]

system_r:local_login_t:s0	staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0	staff_r:staff_t:s0
system_r:sshd_t:s0		staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:crond_t:s0		staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 mailman_r:user_crond_t:s0
system_r:xdm_t:s0		staff_r:staff_t:s0
staff_r:staff_su_t:s0		staff_r:staff_t:s0
staff_r:staff_sudo_t:s0		staff_r:staff_t:s0
sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0 
sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0

[-- Attachment #3: user_u --]
[-- Type: text/plain, Size: 282 bytes --]

system_r:local_login_t:s0	user_r:user_t:s0
system_r:remote_login_t:s0	user_r:user_t:s0
system_r:sshd_t:s0		user_r:user_t:s0
system_r:crond_t:s0		user_r:user_crond_t:s0
system_r:xdm_t:s0		user_r:user_t:s0
user_r:user_su_t:s0		user_r:user_t:s0
user_r:user_sudo_t:s0		user_r:user_t:s0

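The scriptlet and the two attached files above are the two halves of one lookup: `semanage login` maps a Linux login name to an SELinux user (with `__default__` as the fallback), and contexts/users/<seuser> lists, per creating process, the candidate role:type pairs in preference order. The following Python is an added illustration written for this archived thread, not code from the message, from libselinux, or from the Fedora policy package. It embeds the scriptlet's seusers mapping and role lists plus copies of the staff_u and user_u attachments, adds two invented logins (`alice` mapped to staff_u, `guest` mapped to user_u) so both files get exercised, and models libselinux's ordered-context lookup in simplified form (first line whose role and type match the creating process, first candidate whose role the seuser is permitted to take; the MLS level is taken from the seusers entry, and the full-context validity check against the loaded policy is omitted). The practical point it makes is the security check in step 2: a candidate whose role the seuser is not allowed to take is skipped rather than granted, and when nothing remains the lookup yields no context at all, never a more privileged one.

```python
# Added illustration for this thread, not code from the message, libselinux
# or the policy package: a simplified model of how a login's SELinux context
# is derived from the seusers mapping and the contexts/users/<seuser> files.

# Constructed seusers table mirroring the scriptlet's `semanage login` lines:
# Linux login -> (SELinux user, MLS level).  alice/guest are invented here.
SEUSERS = {
    "__default__": ("system_u", "s0"),
    "root": ("system_u", "s0"),
    "alice": ("staff_u", "s0"),   # constructed
    "guest": ("user_u", "s0"),    # constructed
}

# Roles each SELinux user may take, mirroring the `semanage user -R` lines.
# system_u is absent on purpose: the thread carries no file or role list for it.
ALLOWED_ROLES = {
    "root": {"staff_r", "sysadm_r", "system_r"},
    "user_u": {"user_r"},
    "staff_u": {"staff_r", "sysadm_r"},
}

# Copies of the attachments.  Line format:
#   <role:type:level of the creating process>  <candidate contexts, best first>
STAFF_U_FILE = """\
system_r:local_login_t:s0   staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0  staff_r:staff_t:s0
system_r:sshd_t:s0          staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:crond_t:s0         staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 mailman_r:user_crond_t:s0
system_r:xdm_t:s0           staff_r:staff_t:s0
staff_r:staff_su_t:s0       staff_r:staff_t:s0
staff_r:staff_sudo_t:s0     staff_r:staff_t:s0
sysadm_r:sysadm_su_t:s0     sysadm_r:sysadm_t:s0
sysadm_r:sysadm_sudo_t:s0   sysadm_r:sysadm_t:s0
"""

USER_U_FILE = """\
system_r:local_login_t:s0   user_r:user_t:s0
system_r:remote_login_t:s0  user_r:user_t:s0
system_r:sshd_t:s0          user_r:user_t:s0
system_r:crond_t:s0         user_r:user_crond_t:s0
system_r:xdm_t:s0           user_r:user_t:s0
user_r:user_su_t:s0         user_r:user_t:s0
user_r:user_sudo_t:s0       user_r:user_t:s0
"""


def parse_contexts_file(text):
    """Return [(process_role, process_type, [candidates]), ...] in file order."""
    table = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        role, type_ = fields[0].split(":")[:2]   # level on the left side is ignored
        table.append((role, type_, fields[1:]))
    return table


CONTEXT_FILES = {
    "staff_u": parse_contexts_file(STAFF_U_FILE),
    "user_u": parse_contexts_file(USER_U_FILE),
}


def seuser_for_login(login):
    """Step 1: Linux login -> (seuser, level); unknown logins use __default__."""
    return SEUSERS.get(login, SEUSERS["__default__"])


def default_context(process_ctx, seuser, level, allowed_roles=None):
    """Step 2: login context for `seuser` created by a process in `process_ctx`.

    Simplified lookup: first line matching the creating process's role and
    type, then the first candidate whose role the seuser may take.  Returns
    None when the seuser has no file, no line matches, or no candidate role
    is permitted; the login then fails rather than falling back to anything.
    """
    table = CONTEXT_FILES.get(seuser)
    if table is None:
        return None
    proc_role, proc_type = process_ctx.split(":")[:2]
    allowed = ALLOWED_ROLES.get(seuser, set()) if allowed_roles is None else allowed_roles
    for role, type_, candidates in table:
        if (role, type_) != (proc_role, proc_type):
            continue
        for cand in candidates:
            cand_role, cand_type = cand.split(":")[:2]
            if cand_role in allowed:
                return f"{seuser}:{cand_role}:{cand_type}:{level}"
        return None   # matched line, but every candidate role is denied
    return None


def login_context(login, process_ctx):
    """Both steps: Linux login name -> full SELinux login context or None."""
    seuser, level = seuser_for_login(login)
    return default_context(process_ctx, seuser, level)
```

With the data above, `login_context("guest", "system_r:sshd_t:s0")` gives `user_u:user_r:user_t:s0`, `login_context("alice", "system_r:crond_t:s0")` gives `staff_u:staff_r:staff_crond_t:s0` (the sysadm_r, system_r and mailman_r candidates on that line are never reached), and `login_context("root", ...)` gives None because the message ships no contexts file for system_u, which is exactly the gap the review request at the end of the message is about.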
