From: roberto.sassu@polito.it (Roberto Sassu)
Date: Wed, 17 Nov 2010 13:54:03 +0100
Subject: [refpolicy] SELinux UBAC question
Message-ID: <201011171354.03646.roberto.sassu@polito.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Sorry, I'm resending it because the first time it was rejected by the refpolicy at oss.tresys.com mailing list.

Hi all,

I'm using the Fedora 13 operating system with the shipped SELinux policy. I want to add a basic protection for regular users by using the UBAC feature and letting them log on the system with the confined domain 'user_t'.

A problem that I have found when using the policy with this feature enabled is that root logs on the system with user 'unconfined_u' or 'root', and files created or updated after doing an administrative task cannot be accessed by regular users. In order to have the system working I have to execute root processes that make changes on the system with user 'system_u'.

One solution to overcome this issue may be to add an exception to the policy, as done for the 'system_u' user, so that UBAC will be applied only to SELinux users tied to regular users, leaving other users 'sysadm_u', 'staff_u', 'root', 'unconfined_u' unprotected.

Is this the right way to modify the policy in order to enforce the protection required, or are there other alternatives?

Thanks in advance for replies.

Roberto Sassu
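The situation in the message can be reasoned about with a small model of the UBAC constraint. The following is an added example, not code from the poster or from refpolicy: it reduces the constraint to a decision function over the subject's and object's SELinux user and type, with refpolicy's `system_u` exemption and the `ubac_constrained_type` attribute, and then compares the stock exemption set with the wider set the message proposes. The type names placed in the attribute, the file labels and the scenario are assumptions constructed to illustrate the message; the ordinary type-enforcement rules are not modelled and can still deny on their own.

```python
"""Simplified model of the UBAC constraint (added example, not refpolicy code).

The real constraint passes when the SELinux users match, when either side
is an exempt user, or when either type lacks the ubac_constrained_type
attribute.  Everything below that shapes the scenario is a constructed
assumption, not something taken from the original message.
"""

# Constructed: types assumed to carry the ubac_constrained_type attribute
# (user domains and user-owned file types are the usual members).
UBAC_CONSTRAINED_TYPES = {"user_t", "user_home_t", "user_tmp_t"}

# The stock exemption in the constraint: system_u on either side.
DEFAULT_EXEMPT_USERS = frozenset({"system_u"})

# The wider exemption set the message proposes for administrative users.
PROPOSED_EXEMPT_USERS = DEFAULT_EXEMPT_USERS | {
    "unconfined_u", "sysadm_u", "staff_u", "root"
}


def ubac_allows(subject_user, subject_type, object_user, object_type,
                exempt_users=DEFAULT_EXEMPT_USERS):
    """Return True when the UBAC constraint does not block the access.

    Only the user-based constraint is modelled; type enforcement is a
    separate check that must also pass for the access to succeed.
    """
    if subject_user == object_user:
        return True
    if subject_user in exempt_users or object_user in exempt_users:
        return True
    if subject_type not in UBAC_CONSTRAINED_TYPES:
        return True
    if object_type not in UBAC_CONSTRAINED_TYPES:
        return True
    return False


def explain(subject, obj, exempt_users=DEFAULT_EXEMPT_USERS):
    """Render one (user, type) -> (user, type) decision as a readable line."""
    verdict = "pass" if ubac_allows(*subject, *obj, exempt_users) else "BLOCK"
    return f"{subject[0]}:{subject[1]} -> {obj[0]}:{obj[1]}: {verdict}"


# Constructed scenario: a regular user reads a file of a user-owned type
# that an administrator created while logged in as unconfined_u, then the
# same file as it would be labelled if created under system_u.
REGULAR_USER = ("user_u", "user_t")
FILE_FROM_UNCONFINED_ROOT = ("unconfined_u", "user_home_t")
FILE_FROM_SYSTEM_U = ("system_u", "user_home_t")


def scenario():
    """The three cases from the message, under stock and proposed exemptions."""
    return [
        explain(REGULAR_USER, FILE_FROM_UNCONFINED_ROOT),
        explain(REGULAR_USER, FILE_FROM_SYSTEM_U),
        explain(REGULAR_USER, FILE_FROM_UNCONFINED_ROOT, PROPOSED_EXEMPT_USERS),
    ]


if __name__ == "__main__":
    for line in scenario():
        print(line)
```

The first case reproduces the problem described above: the object carries the administrator's SELinux user, so the users differ, neither side is exempt, and both types are constrained. Labelling the file under `system_u` (second case) or widening the exemption set (third case) both make the constraint pass. The model also shows the cost of the wider set: any object owned by an exempted user becomes reachable from every UBAC-constrained user, so the separation that remains is only between the non-exempt SELinux users themselves. Note that UBAC compares SELinux users, not Linux users; regular users who all map to `user_u` are not separated from each other by this constraint.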