From: roberto.sassu@polito.it (Roberto Sassu)
Date: Wed, 17 Nov 2010 13:54:03 +0100
Subject: [refpolicy] SELinux UBAC question
Message-ID: <201011171354.03646.roberto.sassu@polito.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Sorry, i'm resending it because first time it was rejected by the
refpolicy at oss.tresys.com mailing list.


Hi all

i'm using the Fedora 13 operating system with shipped SELinux policy.
I want to add a basic protection for regular users by using the UBAC feature and
letting them to log on the system with the confined domain 'user_t'.
A problem that i have found when using the policy with this feature enabled
is that root logs on the system with user 'unconfined_u' or 'root' and files created
or updated after doing an administrative task cannot be accessed by regular users.
In order to have the system working i have to execute root processes that
make changes on the system with user 'system_u'.
One solution to overcome this issue may be to add an exception to the policy,
as done for the 'system_u' user, so that UBAC will be applied only to SELinux users
tied to regular users, living other users 'sysadm_u', 'staff_u', 'root', 'unconfined_u'
unprotected.
Does this is the right way to modify the policy in order to enforce the protection
required or there are other alternatives?
Thanks in advance for replies.

Roberto Sassu