Skip to content

Dan’s another great idea

September 25, 2011

I had a message from Dan Walsh on an IRC channel some weeks ago. He told me he had added a new policy module called “permissivedomain” to Fedora16.

What does this module contain?

As you probably know we have cool thing called “permissive domain” in Fedora. But all these declarations were located in appropriate policy modules which means you could not remove a permissive domain from the policy simply.

Dan had moved all these declarations into the permissivedomain policy module. It means a user, an admin can remove all permissive domains from his machine. Also we can stop shipping them in MLS policy.

How could you do this? Just execute

# semodule -d permissidomains

You can also lock your machine more using

# semodule -d unconfined

That means, no unconfined or permissive domains on your machine. Pretty cool, right? 😉

Actually the latest command leaves user domains unconfined and some domains that do not make sense to confine. You can use seinfo to list them.

# seinfo -aunconfined_domain_type -x

I use the following configuration on my laptop without the unconfined policy module and with confined users.

# semanage login -a -s staff_u -r s0-s0:c0.c1023 mgrepl

Which causes I log in as staff_u SELinux user. You need to log out/in to make this working.

# id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023

# tail -n 3 /etc/sudoers
mgrepl ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t ALL
mgrepl ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r /bin/sh
mgrepl ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r /bin/zsh

If you add these lines to your /etc/sudoers file and then execute

# sudo zsh
# id -Z
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023

you will end up as sysadm_t and you should be able to manage your system. Using

# sudo sh
# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

you will end up as unconfined user.

In the next blog, I will show you how to remove unconfined from your machine at all .

Advertisements
Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: