From: Stephen Smalley <sds@tycho.nsa.gov>
To: kim.lawson-jenkins@nrl.navy.mil, selinux@tycho.nsa.gov
Subject: Re: Labelling problems with a user directly running an application in a confined domain
Date: Tue, 01 Apr 2014 13:53:25 -0400	[thread overview]
Message-ID: <533AFD15.9090002@tycho.nsa.gov> (raw)
In-Reply-To: <02a801cf4dd1$b31e3a40$195aaec0$@nrl.navy.mil>

On 04/01/2014 01:42 PM, Kim Lawson-Jenkins wrote:
>> I read on a SELinux-related blog that unconfined_r should be mapped to 
>> staff_u when removing the unconfined domain, so I didn't remove 
>> unconfined_r for all of the SELinux users.  Should I remove unconfined_r
>> for staff_u?
> 
> That doesn't make sense.  Can you cite this blog?
> 
> http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-eight-unconfined.html

It looks like his example was for the case where you remove only the
unconfined module, not unconfineduser.

I think you at least need to update
/etc/selinux/targeted/contexts/failsafe_context to use a different
context if fully removing unconfined_r/unconfined_t.  And certainly Red
Hat isn't testing that scenario.

> Kim's response - I'm updating a policy for an application that ran on RHEL5
> using the then-supported strict policy.  I read that removing the unconfined
> domain will make the newer systems operate as the old strict policy, so I
> went with this method for updating the policy.  I hadn't heard about using
> mls as an alternative to removing the unconfined module.

The mls policy has always been strict policy + MLS (instead of MCS).
Whether or not the specific -mls package that your distribution includes
has everything you need I don't know.
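The failsafe_context point above is easy to overlook when removing the unconfined modules: if that file still names `unconfined_r:unconfined_t`, the failsafe login path refers to a role and type that no longer exist in the loaded policy. The following script is an added example and is not part of the thread or of any SELinux project code. It checks a `failsafe_context` line (format `role:type[:range]`) against the roles and types known to the policy. On a real system those lists would come from the setools commands `seinfo -r` and `seinfo -t`; here they are constructed stand-ins for a policy with the unconfined modules removed, so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): validate a failsafe_context line
# against the roles and types present in the loaded policy.
# On a live system, replace the constructed lists below with:
#   POLICY_ROLES=$(seinfo -r)
#   POLICY_TYPES=$(seinfo -t)

# Constructed stand-in for `seinfo -r` output after removing unconfined/unconfineduser.
POLICY_ROLES="object_r
staff_r
sysadm_r
system_r
user_r"

# Constructed stand-in for `seinfo -t` output, trimmed to what the check needs.
POLICY_TYPES="staff_t
sysadm_t
user_t
kernel_t"

# check_failsafe_context CONTEXT ROLES TYPES
#   CONTEXT is the one line from /etc/selinux/<policy>/contexts/failsafe_context,
#   e.g. "unconfined_r:unconfined_t:s0" (role:type, optionally followed by an MLS/MCS range).
#   Returns 0 when both the role and the type exist in the policy, 1 otherwise,
#   and names each missing component on stderr.
check_failsafe_context() {
    ctx=$1
    roles=$2
    types=$3
    role=${ctx%%:*}        # text before the first ':'
    rest=${ctx#*:}         # everything after the first ':'
    ftype=${rest%%:*}      # type is the next field; any range after it is ignored
    status=0
    if ! printf '%s\n' "$roles" | grep -qx "$role"; then
        echo "failsafe_context: role '$role' is not defined in the policy" >&2
        status=1
    fi
    if ! printf '%s\n' "$types" | grep -qx "$ftype"; then
        echo "failsafe_context: type '$ftype' is not defined in the policy" >&2
        status=1
    fi
    return $status
}

# Usage: the targeted default no longer resolves once unconfined_r/unconfined_t
# are gone, while a strict-style fallback does.
check_failsafe_context "unconfined_r:unconfined_t:s0" "$POLICY_ROLES" "$POLICY_TYPES" \
    || echo "update failsafe_context before removing the unconfined modules"
check_failsafe_context "sysadm_r:sysadm_t:s0" "$POLICY_ROLES" "$POLICY_TYPES" \
    && echo "sysadm_r:sysadm_t:s0 is a valid fallback in this policy"
```

The check only confirms that the role and type exist; it does not verify that the role is authorized for the type or that the context is reachable for a given SELinux user, which `seinfo` role declarations and `semanage user -l` would show on a live system.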
