Dan’s another great idea
I had a message from Dan Walsh on an IRC channel some weeks ago. He told me he had added a new policy module called “permissivedomain” to Fedora16.
What does this module contain?
As you probably know we have cool thing called “permissive domain” in Fedora. But all these declarations were located in appropriate policy modules which means you could not remove a permissive domain from the policy simply.
Dan had moved all these declarations into the permissivedomain policy module. It means a user, an admin can remove all permissive domains from his machine. Also we can stop shipping them in MLS policy.
How could you do this? Just execute
# semodule -d permissidomains
You can also lock your machine more using
# semodule -d unconfined
That means, no unconfined or permissive domains on your machine. Pretty cool, right?
Actually the latest command leaves user domains unconfined and some domains that do not make sense to confine. You can use seinfo to list them.
# seinfo -aunconfined_domain_type -x
I use the following configuration on my laptop without the unconfined policy module and with confined users.
# semanage login -a -s staff_u -r s0-s0:c0.c1023 mgrepl
Which causes I log in as staff_u SELinux user. You need to log out/in to make this working.
# id -Z
# tail -n 3 /etc/sudoers
mgrepl ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t ALL
mgrepl ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r /bin/sh
mgrepl ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r /bin/zsh
If you add these lines to your /etc/sudoers file and then execute
# sudo zsh
# id -Z
you will end up as sysadm_t and you should be able to manage your system. Using
# sudo sh
# id -Z
you will end up as unconfined user.
In the next blog, I will show you how to remove unconfined from your machine at all .