From: Stephen Smalley <sds@tycho.nsa.gov>
To: kim.lawson-jenkins@nrl.navy.mil, selinux@tycho.nsa.gov
Subject: Re: Labelling problems with a user directly running an application in a confined domain
Date: Tue, 01 Apr 2014 13:07:10 -0400	[thread overview]
Message-ID: <533AF23E.5070809@tycho.nsa.gov> (raw)
In-Reply-To: <02a201cf4dcc$692b5b70$3b821250$@nrl.navy.mil>

On 04/01/2014 01:04 PM, Kim Lawson-Jenkins wrote:
> Stephen,
> 
> Here's the output of semanage user -l
> 
> SELinux User                SELinux Roles
> appuser_u                   appuser_r
> confinedapp_u               user_r, system_r
> root                        staff_r, sysadm_r, system_r, unconfined_r
> staff_u                     staff_r, sysadm_r, system_r, unconfined_r
> sysadm_u                    sysadm_r
> system_u                    system_r unconfined_r
> user_u                      user_r
> 
> 
> I read on an SELinux-related blog that unconfined_r should be mapped to
> staff_u when removing the unconfined domain, so I didn't remove
> unconfined_r for all of the SELinux users.  Should I remove unconfined_r
> for staff_u?

That doesn't make sense.  Can you cite this blog?

> Here is the output of semanage login -l
> 
> Login Name            SELinux User
> __default__           staff_u
> appuser               appuser_u
> root                  staff_u
> system_u              system_u
> 
> Thanks for a response.

I expect you would need to update or remove all references to
unconfined_u, unconfined_r, and unconfined_t from your semanage
login/user mappings and from any of the
/etc/selinux/$SELINUXTYPE/contexts files before deleting the unconfined
module.

Is there a reason you aren't just using the mls policy if you want to
avoid the unconfined module?
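A pre-flight check for the cleanup described above, as an added example that is not part of this thread: it flags SELinux users still granting unconfined_r, logins still mapped to unconfined_u, and contexts files naming any unconfined identifier. The filters assume semanage's column layout (first column is the name, roles are the remaining fields), and the sample tables are the ones quoted in the thread plus a constructed `legacyadmin` login.

```shell
# Flag lingering unconfined_u/unconfined_r/unconfined_t references before
# removing the unconfined module (semodule -r unconfined).
# Input on stdin: output of `semanage user -l` (non-MLS or MLS layout;
# any field equal to unconfined_r, with or without a trailing comma, counts).
users_with_unconfined_role() {
    awk '{
        for (i = 2; i <= NF; i++) {
            r = $i; sub(/,$/, "", r)
            if (r == "unconfined_r") { print $1; break }
        }
    }'
}

# Input on stdin: output of `semanage login -l`; second column is the SELinux user.
logins_mapped_to_unconfined() {
    awk '$2 == "unconfined_u" { print $1 }'
}

# $1: the policy's contexts directory, e.g. /etc/selinux/$SELINUXTYPE/contexts.
contexts_with_unconfined() {
    grep -rlE 'unconfined_(u|r|t)' "$1" 2>/dev/null
}

# Constructed sample data: the two tables quoted in this thread, plus a
# hypothetical login "legacyadmin" mapped to unconfined_u so the login
# check has something to find as well.
SAMPLE_USERS='SELinux User                SELinux Roles
appuser_u                   appuser_r
confinedapp_u               user_r, system_r
root                        staff_r, sysadm_r, system_r, unconfined_r
staff_u                     staff_r, sysadm_r, system_r, unconfined_r
sysadm_u                    sysadm_r
system_u                    system_r unconfined_r
user_u                      user_r'

SAMPLE_LOGINS='Login Name            SELinux User
__default__           staff_u
appuser               appuser_u
root                  staff_u
system_u              system_u
legacyadmin           unconfined_u'

# On a live system replace the samples with the real commands:
#   semanage user -l  | users_with_unconfined_role
#   semanage login -l | logins_mapped_to_unconfined
#   contexts_with_unconfined /etc/selinux/"$(sed -n 's/^SELINUXTYPE=//p' /etc/selinux/config)"/contexts
echo "SELinux users still granting unconfined_r:"
printf '%s\n' "$SAMPLE_USERS" | users_with_unconfined_role
echo "Logins still mapped to unconfined_u:"
printf '%s\n' "$SAMPLE_LOGINS" | logins_mapped_to_unconfined
```

Every name the script prints needs a `semanage user -m` / `semanage login -m` edit, or a change in the contexts file, before the module is deleted.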

Thread overview: 7+ messages
2014-04-01 13:59 Labelling problems with a user directly running an application in a confined domain Kim Lawson-Jenkins
2014-04-01 15:12 ` Stephen Smalley
2014-04-01 17:04   ` Kim Lawson-Jenkins
2014-04-01 17:07     ` Stephen Smalley [this message]
2014-04-01 17:42       ` Kim Lawson-Jenkins
2014-04-01 17:53         ` Stephen Smalley
2014-04-01 18:08           ` Kim Lawson-Jenkins
