[ubuntu-hardened] unconfined versus SE module in Ubuntu Jaunty: SELinux

Scott Smyth ssmyth at sapereconsulting.com
Tue Apr 28 19:53:27 BST 2009


Please ignore these emails.  I have figured it out and
understand the differences now.  It seems to be working fine
and reporting as expected as I restrict the login
mapping.  It seems that is the real difference with FC.

Nice work on the new policy btw.

thx,
Scott

--- On Tue, 4/28/09, Scott Smyth <ssmyth at sapereconsulting.com> wrote:

> From: Scott Smyth <ssmyth at sapereconsulting.com>
> Subject: Re: [ubuntu-hardened] unconfined versus SE module in Ubuntu Jaunty: SELinux
> To: "Ubuntu security discussion" <ubuntu-hardened at lists.ubuntu.com>
> Date: Tuesday, April 28, 2009, 11:24 AM
> 
> A clarification: the app, lld2d, actually does what
> it should when started with init scripts in the correct
> runlevel and transitions correctly to "lld2d_t".  What
> I was surprised at is that I cannot get lld2d to fail
> or report errors when I alter the configuration to
> conflict with the SELinux module.  It will always
> start as "unconfined" no matter what the conflict
> with the loaded policy.
> 
> This less restrictive approach is what surprised me.
> Will that change as jaunty and selinux-policy-ubuntu
> reach their final states or will it remain less
> restrictive for login and unconfined?
> 
> I would like to make it more restrictive if not
> like Fedora Core by default.  How should I do this
> but not make it less compatible with changes in
> selinux-policy-ubuntu?
> 
> thx,
> Scott
> 
> --- On Tue, 4/28/09, Scott Smyth <ssmyth at sapereconsulting.com> wrote:
> 
> > From: Scott Smyth <ssmyth at sapereconsulting.com>
> > Subject: [ubuntu-hardened] unconfined versus SE module in Ubuntu Jaunty: SELinux
> > To: ubuntu-hardened at lists.ubuntu.com
> > Date: Tuesday, April 28, 2009, 10:57 AM
> > 
> > Hi;
> > 
> > I am new to Ubuntu Jaunty and selinux-policy-ubuntu but
> > definitely not new to Linux.  I was surprised
> > to find that a module I had set up in Fedora Core did
> > not work with the loaded module compiled under Jaunty
> > selinux-policy-ubuntu set to "ubuntu".  Instead of
> > using my SE module, the program defaulted to "unconfined"
> > and "chkpwd_t" rather than "lld2d_t" type.
> > 
> > OS: ubuntu Jaunty 9.04 server x86
> > selinux-policy-ubuntu (0.2.20090324-0ubuntu2)
> > 
> > Is there a step I am missing for Jaunty that will enable
> > my module successfully?  It is loaded according to
> > "semodule -l".
> > 
> > The program is the L2 mapping daemon from Microsoft,
> > lld2d.
> > 
> > unconfined_u:system_r:chkpwd_t:s0-s0:c0.c255 root 4389 0.0 0.0 1884 324 ? S 10:55 0:00 /usr/sbin/lld2d eth0
> > 
> > Sincerely,
> > Scott
> > 
> > -- 
> > ubuntu-hardened mailing list
> > ubuntu-hardened at lists.ubuntu.com
> > https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
> > 
> 
> 
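The thread hinges on reading the context string that ps prints for the daemon: the type field tells you whether the policy module's domain transition actually happened, and the SELinux user field tells you whether the process still carries the login mapping of whoever launched it. The following is an added example and not code from the original posts or from selinux-policy-ubuntu. It assumes only the standard user:role:type:range layout of a context; the `ps -eZ` lines it parses are constructed, with the first one copied from the context shown in the original message, and the `live_checks` function is skipped unless SELINUX_LIVE=1, since `semodule`, `semanage` and an SELinux-enabled kernel are needed for it.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a process really
# landed in the domain its policy module defines, using only the context
# string that "ps -eZ" prints. Field order is user:role:type:range.

# Return the SELinux user of a context string.
ctx_user() { printf '%s\n' "$1" | cut -d: -f1; }

# Return the type (domain) of a context string.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# check_domain EXPECTED_TYPE CONTEXT
# Succeeds (exit 0) only when CONTEXT's type field equals EXPECTED_TYPE.
check_domain() {
    [ "$(ctx_type "$2")" = "$1" ]
}

# report_ps EXPECTED_TYPE PATTERN < ps-eZ-output
# Reads "ps -eZ" style lines (context first, command last), keeps those
# that mention PATTERN, and prints one verdict per process:
#   OK  <ctx>   the process runs in EXPECTED_TYPE
#   BAD <ctx>   it does not (e.g. it kept the launching shell's context)
# Returns 1 if any BAD line was printed, 0 otherwise.
report_ps() {
    expected=$1; pattern=$2; rc=0
    while IFS= read -r line; do
        case $line in
            *"$pattern"*) ;;
            *) continue ;;
        esac
        ctx=${line%% *}                # first whitespace-separated field
        if check_domain "$expected" "$ctx"; then
            printf 'OK  %s\n' "$ctx"
        else
            printf 'BAD %s (SELinux user %s)\n' "$ctx" "$(ctx_user "$ctx")"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of "ps -eZ" output. Line 1 mirrors the context from
# the original post (launched by hand from an unconfined login); line 2 is
# what an init-started daemon that transitioned correctly would show.
SAMPLE_PS='unconfined_u:system_r:chkpwd_t:s0-s0:c0.c255  4389 ?  00:00:00 lld2d
system_u:system_r:lld2d_t:s0                     4412 ?  00:00:00 lld2d
system_u:system_r:sshd_t:s0-s0:c0.c255            812 ?  00:00:00 sshd'

# Commands for the real box (root, SELinux enabled; not run by default).
# They answer the three questions raised in the thread: is the module
# loaded, which SELinux user are logins mapped to, and what context did
# the running daemon actually get.
live_checks() {
    semodule -l | grep -w lld2d          # module present in loaded policy?
    semanage login -l                    # Linux login -> SELinux user mapping
    ps -eZ | grep '[l]ld2d'              # context of the running daemon
}

if [ "${SELINUX_LIVE:-0}" = 1 ]; then
    live_checks
else
    printf '%s\n' "$SAMPLE_PS" | report_ps lld2d_t lld2d \
        || echo "some lld2d processes are not running in lld2d_t"
fi
```

On the sample, the hand-started copy is flagged BAD with SELinux user unconfined_u, while the init-started copy is OK: the user field is what exposes the login mapping the thread ends up adjusting, and `semanage login` is the tool that manages that mapping on a real system.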