[ubuntu-hardened] unconfined versus SE module in Ubuntu Jaunty: SELinux

Caleb Case calebcase at gmail.com
Tue Apr 28 20:38:26 BST 2009

On Tue, Apr 28, 2009 at 2:24 PM, Scott Smyth
<ssmyth at sapereconsulting.com> wrote:
> A clarification: the app, lld2d, actually does what
> it should when started with init scripts in the correct
> runlevel and transitions correctly to "lld2d_t".  What
> I was surprised at is that I cannot get lld2d to fail
> or report errors when I alter the configuration to
> conflict with the SELinux module.  It will always
> start as "unconfined" not matter what the conflict
> with the loaded policy.

The unconfined domain is allowed to run any application (without transition):

sesearch -A -s unconfined_t -p execute_no_trans

Found 8 syntactic av rules:
   allow files_unconfined_type file_type : { file chr_file } { ioctl
read write create getattr setattr lock relabelfrom relabelto append
unlink link rename execute swapon quotaon mounton execute_no_trans
entrypoint open } ;

> This less restrict approach is what surprised me.
> Will that change as jaunty and selinux-policy-ubuntu
> reach their final states or will it remain less
> restrictive for login and unconfined?
> I would like to make it more restrictive if not
> like Fedora Core by default.  How should I do this
> but not make it less compatible with changes in
> selinux-policy-ubuntu?

The best option is to provide a transition to unconfined for your
application using the unconfined_domtrans_to interface.

If you put your modules in /etc/selinux.d, then updates to the
selinux-policy-ubuntu package will retain your new modules.
selinux-policy-ubuntu will call update-selinux-policy to rebuild the


More information about the ubuntu-hardened mailing list