[ubuntu-hardened] unconfined versus SE module in Ubuntu Jaunty: SELinux

Scott Smyth ssmyth at sapereconsulting.com
Tue Apr 28 19:24:35 BST 2009


A clarification: the app, lld2d, actually does what
it should when started with init scripts in the correct
runlevel and transitions correctly to "lld2d_t".  What
I was surprised at is that I cannot get lld2d to fail
or report errors when I alter the configuration to
conflict with the SELinux module.  It will always
start as "unconfined" no matter what the conflict
with the loaded policy.

This less restrictive approach is what surprised me.
Will that change as jaunty and selinux-policy-ubuntu
reach their final states or will it remain less
restrictive for login and unconfined?

I would like to make it more restrictive if not
like Fedora Core by default.  How should I do this
but not make it less compatible with changes in
selinux-policy-ubuntu?

thx,
Scott

--- On Tue, 4/28/09, Scott Smyth <ssmyth at sapereconsulting.com> wrote:

> From: Scott Smyth <ssmyth at sapereconsulting.com>
> Subject: [ubuntu-hardened] unconfined versus SE module in Ubuntu Jaunty: SELinux
> To: ubuntu-hardened at lists.ubuntu.com
> Date: Tuesday, April 28, 2009, 10:57 AM
> 
> Hi;
> 
> I am new to Ubuntu Jaunty and selinux-policy-ubuntu but 
> definitely not new to Linux.  I was surprised
> to find that a module I had set up in Fedora Core did
> not work with the loaded module compiled under Jaunty
> selinux-policy-ubuntu set to "ubuntu".  Instead of
> using my SE module, the program defaulted to "unconfined"
> and "chkpwd_t" rather than "lld2d_t" type.
> 
> OS: ubuntu Jaunty 9.04 server x86
> selinux-policy-ubuntu (0.2.20090324-0ubuntu2)
> 
> Is there a step I am missing for Jaunty that will enable
> my module successfully?  It is loaded according to
> "semodule -l".
> 
> The program is the L2 mapping daemon from Microsoft,
> lld2d.
> 
> unconfined_u:system_r:chkpwd_t:s0-s0:c0.c255 root 4389 0.0  0.0 1884 324 ?     S   10:55   0:00 /usr/sbin/lld2d eth0
> 
> Sincerely,
> Scott
> 


