From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] system_unconfined.patch
Date: Sat, 13 Feb 2010 07:18:47 -0500
Message-ID: <4B7698A7.2080404@redhat.com>
In-Reply-To: <1266005836.11004.30.camel@gorn.columbia.tresys.com>

On 02/12/2010 03:17 PM, Christopher J. PeBenito wrote:
> On Thu, 2009-11-12 at 17:17 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_unconfined.patch
>>
>> Split out unconfined_t from unconfined_domain.
> 
> I don't know if this will ever be upstreamable in a fashion you like.
> My understanding is that you want to be able to have the unconfined_t
> domain loaded without the unconfined_domain module loaded, so
> unconfined_t is the only unconfined domain.  To be acceptable for
> upstreaming, the unconfined role would have to unconditionally depend on
> the unconfined domain module, which wouldn't allow what you want.
> 
I don't understand your statement here.  You are saying that we can't upstream this because it is impossible, and yet it works for me.

I want unconfined users with every other process confined. 

Currently if you have the unconfined.pp package installed, you end up with processes like initrc_t, init_t, xinetd_t and something like 20 other non user domains unconfined.  Your solution is to remove all unconfined_domains when the unconfined.pp is removed and force users to use the sysadm_t domain, which I believe is a "drunken" unconfined_t.  It allows you to do everything unconfined_t can do, but breaks a lot. 

I prefer to see two levels of unconfined domains.  One that deals with system processes and one that deals with user processes.  The way I do this is to define an attribute in unconfined.te and then set up two different interfaces.


policy_module(unconfined, 3.1.0)

########################################
#
# Declarations
#
attribute unconfined_services;


interface(`unconfined_domain',`
	gen_require(`
		attribute unconfined_services;
	')	

	unconfined_domain_noaudit($1)


Then I take the domains that I want to still work even if unconfined.pp is removed and call directly into unconfined_domain_noaudit().

If unconfined.pp is removed, the unconfined_domain interface disappears but the unconfined_domain_noaudit() interface is still there.
