From: dominick.grift@gmail.com (Dominick Grift)
Date: Thu, 19 Sep 2013 09:59:22 +0200
Subject: [refpolicy] Fwd: Debian unstable, SELinux and Iceweasel
In-Reply-To: <523AA6C3.5000105@ping.de>
References: <52384CD9.60604@ping.de> <5239AEFF.6000902@ping.de>
	<1379534082.16771.19.camel@d30> <1379535027.16771.21.camel@d30>
	<523AA6C3.5000105@ping.de>
Message-ID: <1379577562.16771.30.camel@d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2013-09-19 at 09:24 +0200, Andreas Kuckartz wrote:
> Dominick Grift:
> >> you can allow the execmem issue with audit2allow
> > 
> > err .... there actually is probably a boolean that you can toggle to
> > allow it:
> > 
> > allow_execmem
> > allow_execstack
> > 
> 
> This is suggested by audit2allow:
> 
> -----
> #============= unconfined_t ==============
> #!!!! This avc can be allowed using one of the these booleans:
> #     allow_execstack, allow_execmem
> 
> allow unconfined_t self:process execmem;
> -----
> 
> I really hesitate to accept this as a safe resolution of the issue.
> Hopefully Mozilla will improve Firefox...

You're running as unconfined_t , which is a domain basically designed to
be exempt from selinux enforcement.

SELinux framework is a very flexible/configurable and you can set it up
to enforce almost anything you want. So whatever you have in mind, it
you want it; go and get it. Like many of us do.

Ive confined basic desktop sessions (actually various times) I actually
recorded the whole process of my latest endeavor and put it on your tube
( it is a 100 plus hours worth of screencast ) (youtube.com/domg4721)

As for perfect coverage of a basic systems. Yes in a perfect world
maybe. Not this world unfortunately. Besides Debian has no active
selinux maintainers. Things been stale for quite a while there now.

Want to take on the challenge of maintaining SELinux in Debian?

> 
> Cheers,
> Andreas