2009-11-12 22:17:20

by Daniel Walsh

Subject: [refpolicy] system_unconfined.patch

http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_unconfined.patch

Split out unconfined_t from unconfined_domain.


2010-02-12 20:17:16

by cpebenito

Subject: [refpolicy] system_unconfined.patch

On Thu, 2009-11-12 at 17:17 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_unconfined.patch
>
> Split out unconfined_t from unconfined_domain.

I don't know if this will ever be upstreamable in a fashion you like.
My understanding is that you want to be able to have the unconfined_t
domain loaded without the unconfined_domain module loaded, so
unconfined_t is the only unconfined domain. To be acceptable for
upstreaming, the unconfined role would have to unconditionally depend on
the unconfined domain module, which wouldn't allow what you want.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

2010-02-13 12:18:47

by Daniel Walsh

Subject: [refpolicy] system_unconfined.patch

On 02/12/2010 03:17 PM, Christopher J. PeBenito wrote:
> On Thu, 2009-11-12 at 17:17 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_unconfined.patch
>>
>> Split out unconfined_t from unconfined_domain.
>
> I don't know if this will ever be upstreamable in a fashion you like.
> My understanding is that you want to be able to have the unconfined_t
> domain loaded without the unconfined_domain module loaded, so
> unconfined_t is the only unconfined domain. To be acceptable for
> upstreaming, the unconfined role would have to unconditionally depend on
> the unconfined domain module, which wouldn't allow what you want.
>
I don't understand your statement here. You are saying that we can't upstream this because it is impossible, and yet it works for me.

I want unconfined users with every other process confined.

Currently if you have the unconfined.pp package installed, you end up with processes like initrc_t, init_t, xinetd_t and something like 20 other non user domains unconfined. Your solution is to remove all unconfined_domains when the unconfined.pp is removed and force users to use the sysadm_t domain, which I believe is a "drunken" unconfined_t. It allows you to do everything unconfined_t can do, but breaks a lot.

I prefer to see two levels of unconfined domains. One that deals with system processes and one that deals with user processes. The way I do this is define an attribute in unconfined.te and then set up two different interfaces.


policy_module(unconfined, 3.1.0)

########################################
#
# Declarations
#
attribute unconfined_services;


interface(`unconfined_domain',`
	gen_require(`
		attribute unconfined_services;
	')

	unconfined_domain_noaudit($1)
')


Then I take the domains that I want to still work even if unconfined.pp is removed and call directly into unconfined_domain_noaudit().

If unconfined.pp is removed the unconfined_domain interface disappears but the unconfined_domain_noaudit() interface is still there.
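To make the two-level split concrete, the following is an added sketch of how the scheme described in the message above could be laid out across refpolicy files. It is not the posted patch (whose contents are not reproduced here) and not refpolicy's own code: the file names, the placement of unconfined_domain_noaudit in a base-side module, the abbreviated body of that interface, and the use of the unconfined_services attribute as a tag on user-level domains are all assumptions for illustration. As in refpolicy generally, interface bodies live in the .if file and the attribute declaration in the .te file.

```m4
## policy/modules/system/unconfinedsystem.te  (hypothetical base-side module)
## Assumed to stay loaded when unconfined.pp is removed, so system
## domains that call unconfined_domain_noaudit() keep their access.

policy_module(unconfinedsystem, 1.0.0)

attribute unconfined_domain_type;

## policy/modules/system/unconfinedsystem.if  (hypothetical)

interface(`unconfined_domain_noaudit',`
	gen_require(`
		attribute unconfined_domain_type;
	')

	# Mark the caller as unconfined and grant the broad access.
	# Abbreviated: the real interface calls many more *_unconfined()
	# interfaces than the three shown here.
	typeattribute $1 unconfined_domain_type;
	allow $1 self:capability all_capabilities;
	kernel_unconfined($1)
	domain_unconfined($1)
	files_unconfined($1)
')

## policy/modules/system/unconfined.if  (user side, shipped in unconfined.pp)

interface(`unconfined_domain',`
	gen_require(`
		attribute unconfined_services;
	')

	# Tag the caller so user-level unconfined domains can be listed
	# separately from system-level ones, then grant the same access
	# the system-level interface grants.
	typeattribute $1 unconfined_services;
	unconfined_domain_noaudit($1)
')

## policy/modules/system/unconfined.te  (user side, shipped in unconfined.pp)

policy_module(unconfined, 3.1.0)

attribute unconfined_services;

type unconfined_t;
domain_type(unconfined_t)

# User-level: goes away together with unconfined.pp.
unconfined_domain(unconfined_t)

## policy/modules/system/init.te  (system side, excerpt)

# System-level: calls the base-side interface directly, so removing
# unconfined.pp leaves init_t unaffected.
unconfined_domain_noaudit(init_t)
```

With a policy built this way, `seinfo -aunconfined_domain_type -x` lists every domain that is unconfined, and `seinfo -aunconfined_services -x` lists only the user-level ones; the difference between the two lists is the set of system domains that remain unconfined after unconfined.pp is removed. That difference is the thing to review when deciding which services really need to call unconfined_domain_noaudit() directly, since every domain on it is outside the confinement the rest of the policy provides.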

2010-02-16 13:54:12

by cpebenito

Subject: [refpolicy] system_unconfined.patch

On Sat, 2010-02-13 at 07:18 -0500, Daniel J Walsh wrote:
> On 02/12/2010 03:17 PM, Christopher J. PeBenito wrote:
> > On Thu, 2009-11-12 at 17:17 -0500, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_unconfined.patch
> >>
> >> Split out unconfined_t from unconfined_domain.
> >
> > I don't know if this will ever be upstreamable in a fashion you like.
> > My understanding is that you want to be able to have the unconfined_t
> > domain loaded without the unconfined_domain module loaded, so
> > unconfined_t is the only unconfined domain. To be acceptable for
> > upstreaming, the unconfined role would have to unconditionally depend on
> > the unconfined domain module, which wouldn't allow what you want.
> >
> I don't understand your statement here. You are saying that we can't
> upstream this because it is impossible, and yet it works for me.

I didn't mean that it's technically impossible. It breaks concepts in
refpolicy. The concept of an unconfined domain resides in the
unconfined module. Remove the unconfined module, then there is no
concept of unconfined domains; thus, there cannot be an unconfined user
domain.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

2010-02-16 17:26:39

by Daniel Walsh

Subject: [refpolicy] system_unconfined.patch

On 02/16/2010 08:54 AM, Christopher J. PeBenito wrote:
> On Sat, 2010-02-13 at 07:18 -0500, Daniel J Walsh wrote:
>> On 02/12/2010 03:17 PM, Christopher J. PeBenito wrote:
>>> On Thu, 2009-11-12 at 17:17 -0500, Daniel J Walsh wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_unconfined.patch
>>>>
>>>> Split out unconfined_t from unconfined_domain.
>>>
>>> I don't know if this will ever be upstreamable in a fashion you like.
>>> My understanding is that you want to be able to have the unconfined_t
>>> domain loaded without the unconfined_domain module loaded, so
>>> unconfined_t is the only unconfined domain. To be acceptable for
>>> upstreaming, the unconfined role would have to unconditionally depend on
>>> the unconfined domain module, which wouldn't allow what you want.
>>>
>> I don't understand your statement here. You are saying that we can't
>> upstream this because it is impossible, and yet it works for me.
>
> I didn't mean that it's technically impossible. It breaks concepts in
> refpolicy. The concept of an unconfined domain resides in the
> unconfined module. Remove the unconfined module, then there is no
> concept of unconfined domains; thus, there cannot be an unconfined user
> domain.
>
Well then maybe we need an unconfineduser and unconfinedsystem policy package and you could choose to remove one or the other or remove unconfined and they all disappear.