From: dwalsh@redhat.com (Daniel J Walsh)
Date: Sat, 13 Feb 2010 07:18:47 -0500
Subject: [refpolicy] system_unconfined.patch
In-Reply-To: <1266005836.11004.30.camel@gorn.columbia.tresys.com>
References: <4AFC8970.5080708@redhat.com> <1266005836.11004.30.camel@gorn.columbia.tresys.com>
Message-ID: <4B7698A7.2080404@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/12/2010 03:17 PM, Christopher J. PeBenito wrote:
> On Thu, 2009-11-12 at 17:17 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_unconfined.patch
>>
>> Split out unconfined_t from unconfined_domain.
>
> I don't know if this will ever be upstreamable in a fashion you like.
> My understanding is that you want to be able to have the unconfined_t
> domain loaded without the unconfined_domain module loaded, so
> unconfined_t is the only unconfined domain. To be acceptable for
> upstreaming, the unconfined role would have to unconditionally depend on
> the unconfined domain module, which wouldn't allow what you want.
>

I don't understand your statement here. You are saying that we can't upstream this because it is impossible, and yet it works for me.

I want unconfined users with every other process confined. Currently if you have the unconfined.pp package installed, you end up with processes like initrc_t, init_t, xinetd_t and something like 20 other non-user domains unconfined.

Your solution is to remove all unconfined_domains when the unconfined.pp is removed and force users to use the sysadm_t domain, which I believe is a "drunken" unconfined_t. It allows you to do everything unconfined_t can do, but breaks a lot.

I prefer to see two levels of unconfined domains: one that deals with system processes and one that deals with user processes.

The way I do this is define an attribute in unconfined.te and then set up two different interfaces.

policy_module(unconfined, 3.1.0)

########################################
#
# Declarations
#
attribute unconfined_services;

interface(`unconfined_domain',`
	gen_require(`
		attribute unconfined_services;
	')

	unconfined_domain_noaudit($1)
')

Then I take the domains that I want to still work even if unconfined.pp is removed and call directly into unconfined_domain_noaudit().

If unconfined.pp is removed the unconfined_domain interface disappears but the unconfined_domain_noaudit() interface is still there.
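
Added example (not part of the original message or of the patch it discusses): a small audit script that sorts domains by which of the two interfaces named above they are passed to, following the split the message describes. The sample sources, file names and the audit()/find_calls() helpers are constructed for illustration.

```python
import re

# Constructed sample policy sources; file names and layout are assumptions,
# only the domain and interface names come from the message above.
SAMPLE_SOURCES = {
    "init.te": "optional_policy(`\n\tunconfined_domain(init_t)\n\tunconfined_domain(initrc_t)\n')\n",
    "inetd.te": "# unconfined_domain_noaudit(xinetd_t)  (commented out)\nunconfined_domain(xinetd_t)\n",
    "users.te": "unconfined_domain_noaudit(unconfined_t)\n",
    "unconfined.if": "interface(`unconfined_domain',`\n\tunconfined_domain_noaudit($1)\n')\n",
}

# Match a call to either interface with a literal type name as its argument.
# The lookbehind rejects longer names such as foo_unconfined_domain(), and
# "$1" inside an interface body is not a literal type, so it is skipped.
CALL_RE = re.compile(
    r"(?<![A-Za-z0-9_])(unconfined_domain(?:_noaudit)?)\(\s*([A-Za-z0-9_]+)\s*\)"
)


def find_calls(text):
    """Yield (interface, domain) for each call that is not inside a '#' comment."""
    for line in text.splitlines():
        code = line.split("#", 1)[0]
        for iface, domain in CALL_RE.findall(code):
            yield iface, domain


def audit(sources):
    """Group domains by how they obtain unconfined access."""
    direct, via_module = set(), set()
    for name in sorted(sources):
        for iface, domain in find_calls(sources[name]):
            if iface == "unconfined_domain_noaudit":
                direct.add(domain)
            else:
                via_module.add(domain)
    return {
        # Called directly: per the message, still works without unconfined.pp.
        "stays_unconfined": sorted(direct),
        # Only reached through unconfined_domain(): goes away with the module.
        "depends_on_unconfined_module": sorted(via_module - direct),
    }


if __name__ == "__main__":
    for bucket, domains in audit(SAMPLE_SOURCES).items():
        print(f"{bucket}: {', '.join(domains) or '-'}")
```
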