From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 17 Nov 2010 08:39:39 -0500 Subject: [refpolicy] SELinux UBAC question In-Reply-To: <201011171354.03646.roberto.sassu@polito.it> References: <201011171354.03646.roberto.sassu@polito.it> Message-ID: <4CE3DB1B.2010602@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 11/17/10 07:54, Roberto Sassu wrote: > i'm using the Fedora 13 operating system with shipped SELinux policy. > I want to add a basic protection for regular users by using the UBAC feature and > letting them to log on the system with the confined domain 'user_t'. > A problem that i have found when using the policy with this feature enabled > is that root logs on the system with user 'unconfined_u' or 'root' and files created > or updated after doing an administrative task cannot be accessed by regular users. > In order to have the system working i have to execute root processes that > make changes on the system with user 'system_u'. This should only be the case for user files and domains. Other system files, such as those in /etc, should be unaffected. > One solution to overcome this issue may be to add an exception to the policy, > as done for the 'system_u' user, so that UBAC will be applied only to SELinux users > tied to regular users, living other users 'sysadm_u', 'staff_u', 'root', 'unconfined_u' > unprotected. > Does this is the right way to modify the policy in order to enforce the protection > required or there are other alternatives? It depends on your security goals. If that still meets your goals, then yes. I would not include this upstream as it requires separation of all users. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com