[ubuntu-hardened] unconfined versus SE module in Ubuntu Jaunty: SELinux
Scott Smyth
ssmyth at sapereconsulting.com
Tue Apr 28 19:53:27 BST 2009
Please ignore these emails. I have it figured out and understand
the differences now. Seems to be working fine
and reporting as expected as I restrict the login
mapping. It seems that is the real difference with FC.
Nice work on the new policy btw.
thx,
Scott
--- On Tue, 4/28/09, Scott Smyth <ssmyth at sapereconsulting.com> wrote:
> From: Scott Smyth <ssmyth at sapereconsulting.com>
> Subject: Re: [ubuntu-hardened] unconfined versus SE module in Ubuntu Jaunty: SELinux
> To: "Ubuntu security discussion" <ubuntu-hardened at lists.ubuntu.com>
> Date: Tuesday, April 28, 2009, 11:24 AM
>
> A clarification: the app, lld2d, actually does what
> it should when started with init scripts in the correct
> runlevel and transitions correctly to "lld2d_t".
> What I was surprised at is that I cannot get lld2d to fail
> or report errors when I alter the configuration to
> conflict with the SELinux module. It will always
> start as "unconfined" no matter what the conflict
> with the loaded policy.
>
> This less restrictive approach is what surprised me.
> Will that change as jaunty and selinux-policy-ubuntu
> reach their final states or will it remain less
> restrictive for login and unconfined?
>
> I would like to make it more restrictive if not
> like Fedora Core by default. How should I do this
> but not make it less compatible with changes in
> selinux-policy-ubuntu?
>
> thx,
> Scott
>
> --- On Tue, 4/28/09, Scott Smyth <ssmyth at sapereconsulting.com> wrote:
>
> > From: Scott Smyth <ssmyth at sapereconsulting.com>
> > Subject: [ubuntu-hardened] unconfined versus SE module in Ubuntu Jaunty: SELinux
> > To: ubuntu-hardened at lists.ubuntu.com
> > Date: Tuesday, April 28, 2009, 10:57 AM
> >
> > Hi;
> >
> > I am new to Ubuntu Jaunty and selinux-policy-ubuntu but
> > definitely not new to Linux. I was surprised
> > to find that a module I had set up in Fedora Core did
> > not work with the loaded module compiled under Jaunty
> > selinux-policy-ubuntu set to "ubuntu". Instead of
> > using my SE module, the program defaulted to "unconfined"
> > and "chkpwd_t" rather than "lld2d_t" type.
> >
> > OS: ubuntu Jaunty 9.04 server x86
> > selinux-policy-ubuntu (0.2.20090324-0ubuntu2)
> >
> > Is there a step I am missing for Jaunty that will enable
> > my module successfully? It is loaded according to
> > "semodule -l".
> >
> > The program is the L2 mapping daemon from Microsoft,
> > lld2d.
> >
> > unconfined_u:system_r:chkpwd_t:s0-s0:c0.c255 root 4389 0.0 0.0 1884 324 ? S 10:55 0:00 /usr/sbin/lld2d eth0
> >
> > Sincerely,
> > Scott
> >
> > --
> > ubuntu-hardened mailing list
> > ubuntu-hardened at lists.ubuntu.com
> > https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
> >
>
> --
> ubuntu-hardened mailing list
> ubuntu-hardened at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
>
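The `ps` line quoted in the post shows lld2d running as chkpwd_t instead of lld2d_t. The following POSIX shell check is an added example, not code from the thread or from selinux-policy-ubuntu: it parses ps output in that layout and reports daemon instances that are outside their expected domain. The sample ps lines are constructed (only the first mirrors the post) and /usr/sbin/example-daemon is a hypothetical name.

```shell
#!/bin/sh
# Added example, not code from the thread: verify that a daemon runs in its
# expected SELinux domain by parsing ps output in the "ps auxZ" layout
# (LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND ...).

# Constructed sample; the first line mirrors the lld2d line from the post,
# the last one is a hypothetical daemon left in unconfined_t.
SAMPLE_PS='unconfined_u:system_r:chkpwd_t:s0-s0:c0.c255 root 4389 0.0 0.0 1884 324 ? S 10:55 0:00 /usr/sbin/lld2d eth0
system_u:system_r:lld2d_t:s0 root 4401 0.0 0.0 1884 324 ? S 10:56 0:00 /usr/sbin/lld2d eth1
system_u:system_r:sshd_t:s0-s0:c0.c255 root 1201 0.0 0.1 5000 1200 ? Ss 10:00 0:00 /usr/sbin/sshd
unconfined_u:system_r:unconfined_t:s0-s0:c0.c255 root 4520 0.0 0.0 2100 400 ? S 10:58 0:00 /usr/sbin/example-daemon'

# The type (domain) is the third colon-separated field of a user:role:type:range label.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read ps output on stdin; print "PID TYPE" for each instance of CMD ($1)
# whose domain is not EXPECTED ($2). Returns 1 if any mismatch exists, else 0.
check_domain() {
    mismatches=$(awk -v cmd="$1" -v want="$2" '
        $12 == cmd { split($1, c, ":"); if (c[3] != want) print $3, c[3] }')
    [ -z "$mismatches" ] && return 0
    printf '%s\n' "$mismatches"
    return 1
}

# Read ps output on stdin; list daemons (role system_r) that ended up in
# unconfined_t, which is what a missing domain transition looks like.
unconfined_daemons() {
    awk '{ split($1, c, ":"); if (c[2] == "system_r" && c[3] == "unconfined_t") print $3, $12 }'
}

# Demo on the constructed sample: pid 4389 should be flagged as chkpwd_t.
printf '%s\n' "$SAMPLE_PS" | check_domain /usr/sbin/lld2d lld2d_t \
    || echo "lld2d is not confined to lld2d_t on this host"
```

On a live system, replace the sample with `ps auxZ | check_domain /usr/sbin/lld2d lld2d_t` after starting the daemon through its init script.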