On 01/15/2013 11:48 AM, Anamitra Dutta Majumdar (anmajumd) wrote:
Hi Dominick,
Can you help me understand why step 5 is needed.
Thanks, Anamitra
On 10/30/12 1:03 PM, "Dominick Grift" <dominick.grift(a)gmail.com> wrote:
>
>
> On Tue, 2012-10-30 at 19:45 +0000, Anamitra Dutta Majumdar (anmajumd) wrote:
>> We are on RHEL6 and we need to remove the unconfined type from our
>> targeted Selinux policies so that no process runs in the unconfined
>> domain.
>>
>> In order to achieve that we have removed the unconfined module. Is
>> there anything else we need to do.
>>
>> Thanks, Anamitra
>
> You can also disable the unconfineduser module to make it even more
> strict
>
> but if you do, make sure that no users are mapped to unconfined_u and
> relabel the file system, because selinux will change contexts that have
> unconfined_u in them to unlabeled_t if unconfined_u no longer exists
>
> so in theory:
>
> 1. setenforce 0
> 2. change your login mappings to exclude unconfined_u
> 3. purge /tmp and /var/tmp
> 4. semodule unconfineduser
> 5. fixfiles onboot && reboot
>
> I think that should take care of it
>
> Note though that even then there will be some unconfined domains left
>
> There is no way to get them out without manually editing and rebuilding
> the policy
>
> But if you disabled the unconfined and unconfineduser modules then you
> are running pretty strict
>
>> -- selinux mailing list selinux(a)lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
If you have any files that are owned by unconfined_u they will become
unlabeled_t and not able to be used by confined domains, which is why the
relabel is required.
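A pre-flight check for steps 2 and 5 of the procedure above, added here as an example and not part of the thread: it lists logins still mapped to unconfined_u and files whose context still carries unconfined_u, so you know what has to change before the module is disabled and whether the relabel will touch anything. The column layout of the sample `semanage login -l` and `ls -Z` output, and the function names, are assumptions; on a real host the heredoc samples are replaced by the live command output.

```shell
#!/bin/sh
# Constructed sample of `semanage login -l` output (layout is an assumption).
SAMPLE_LOGINS='Login Name    SELinux User    MLS/MCS Range
__default__   unconfined_u    s0-s0:c0.c1023
root          unconfined_u    s0-s0:c0.c1023
deploy        staff_u         s0-s0:c0.c1023
system_u      system_u        s0-s0:c0.c1023'

# Constructed sample of `ls -Z`-style output: "<context> <path>" per line.
SAMPLE_FILES='unconfined_u:object_r:user_tmp_t:s0 /tmp/build.log
system_u:object_r:tmp_t:s0 /tmp/systemd-private
unconfined_u:object_r:admin_home_t:s0 /root/.bashrc'

# Constructed sample of a host whose mappings were already changed (step 2).
CLEAN_LOGINS='Login Name    SELinux User    MLS/MCS Range
__default__   staff_u         s0-s0:c0.c1023
root          staff_u         s0-s0:c0.c1023'
CLEAN_FILES='system_u:object_r:tmp_t:s0 /tmp/systemd-private'

# Print login names still mapped to the unconfined_u SELinux user
# (these must be remapped before unconfineduser is disabled).
unconfined_logins() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 == "unconfined_u" { print $1 }'
}

# Print paths whose file context carries unconfined_u; after the module is
# gone these become unlabeled_t, which is why the relabel in step 5 matters.
unconfined_files() {
    printf '%s\n' "$1" | awk '$1 ~ /^unconfined_u:/ { print $2 }'
}

# Succeed (exit 0) only when nothing still references unconfined_u.
preflight() {
    logins=$(unconfined_logins "$1")
    files=$(unconfined_files "$2")
    [ -z "$logins" ] && [ -z "$files" ]
}
```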