From: Daniel J Walsh <dwalsh@redhat.com>
To: Murray McAllister <mmcallis@redhat.com>
Cc: SE Linux <selinux@tycho.nsa.gov>
Subject: Re: user guide draft: "Targeted Policy" review
Date: Mon, 08 Sep 2008 08:52:24 -0400
Message-ID: <48C52008.7090709@redhat.com>
In-Reply-To: <48C209DA.4040901@redhat.com>
Murray McAllister wrote:
> Daniel J Walsh wrote:
>> Murray McAllister wrote:
>>> Stephen Smalley wrote:
>>>> On Wed, 2008-09-03 at 17:41 +1000, Murray McAllister wrote:
>
>>> When a confined subject is compromised by an attacker, depending on
>>> SELinux policy configuration, the attacker's access to resources and
>>> the possible damage they can do are limited.
>>>
>> If a confined ...
>
> Changed.
>
>>>>> Unconfined Subjects
>>>>>
>>>>> Unconfined subjects run in the unconfined_t domain type. This means
>>>>> that SELinux policy rules do not apply, and only DAC permissions are
>>>>> used.
>> Only unconfined login users run as unconfined_t, init programs run in
>> the unconfined domain initrc_t, unconfined inetd processes run in the
>> inetd_child_t domain. Unconfined kernel processes run in kernel_t.
>> There are about 20 unconfined domains in Fedora 10.
>
> How about:
>
> Unconfined subjects run in unconfined domains, for example, init
> programs run in the unconfined initrc_t domain, unconfined kernel
> subjects run in the kernel_t domain, and unconfined Linux users run in
> the unconfined_t domain. For unconfined subjects, SELinux policy rules
> are applied, but policy rules exist that allow subjects running in
> unconfined domains almost all access. Subjects running in unconfined
> domains almost always fall back to using DAC rules exclusively. If an
> unconfined subject is compromised, SELinux does not prevent the attacker
> from gaining access to system resources and data, but of course, DAC
> rules are still used. SELinux is a security enhancement above DAC rules
> - it does not replace them.
I don't think you need the "almost always"
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
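The paragraph quoted above explains that some processes run in unconfined domains (unconfined_t, initrc_t, kernel_t, inetd_child_t), where SELinux rules allow almost everything and only DAC protects the system. A practical defender's check that follows from it is an inventory of which running processes sit in such domains. The script below is an added example, not code from the thread or from the SELinux project: it parses `ps -eZ`-style output and compares each process's type (the third colon-separated field of the context) against a list of unconfined domains. Both the process listing and the domain list are constructed sample data embedded inline so the script runs offline; on a real system the listing would come from `ps -eZ` and the domain list from `seinfo -a unconfined_domain_type -x` (setools). The names `domain_of`, `is_unconfined`, `list_unconfined_pids` and `count_unconfined` are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): find processes running in unconfined
# SELinux domains. Sample data is constructed; on a live system replace
# SAMPLE_PS with `ps -eZ` output and UNCONFINED_DOMAINS with the output of
# `seinfo -a unconfined_domain_type -x`.

# Constructed `ps -eZ`-style listing: LABEL PID TTY TIME CMD
SAMPLE_PS='LABEL                                                 PID TTY   TIME     CMD
system_u:system_r:kernel_t:s0                           2 ?     00:00:00 kthreadd
system_u:system_r:initrc_t:s0                         412 ?     00:00:00 rc.local
system_u:system_r:crond_t:s0-s0:c0.c1023              620 ?     00:00:00 crond
system_u:system_r:httpd_t:s0                          913 ?     00:00:00 httpd
system_u:system_r:sshd_t:s0-s0:c0.c1023              1001 ?     00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1200 pts/0 00:00:00 bash
system_u:system_r:inetd_child_t:s0                   1300 ?     00:00:00 telnetd'

# Constructed list of unconfined domain types (the ones named in the thread)
UNCONFINED_DOMAINS='unconfined_t
initrc_t
kernel_t
inetd_child_t'

# domain_of CONTEXT -> prints the type field, e.g. httpd_t from
# system_u:system_r:httpd_t:s0. The MLS range may itself contain colons,
# so only the third field is taken.
domain_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_unconfined DOMAIN -> succeeds if DOMAIN is an exact line of UNCONFINED_DOMAINS
is_unconfined() {
    printf '%s\n' "$UNCONFINED_DOMAINS" | grep -qx -- "$1"
}

# list_unconfined_pids PS_OUTPUT -> prints "PID DOMAIN CMD" for every process
# whose domain is unconfined; the header line is skipped.
list_unconfined_pids() {
    printf '%s\n' "$1" | tail -n +2 | while read -r ctx pid tty cpu cmd; do
        dom=$(domain_of "$ctx")
        if is_unconfined "$dom"; then
            printf '%s %s %s\n' "$pid" "$dom" "$cmd"
        fi
    done
}

# count_unconfined PS_OUTPUT -> number of unconfined processes in the listing
count_unconfined() {
    list_unconfined_pids "$1" | wc -l | tr -d ' '
}

# Report for the constructed sample.
echo "Processes in unconfined domains (DAC is the only barrier):"
list_unconfined_pids "$SAMPLE_PS"
echo "Total: $(count_unconfined "$SAMPLE_PS")"
```

The report is the list of processes for which, as the draft text says, a compromise is held back only by DAC; anything in it that does not need to be unconfined (a network-facing daemon left in initrc_t because no policy module confines it, for instance) is a candidate for writing or enabling a policy module.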