[ubuntu-hardened] unconfined versus SE module in Ubuntu Jaunty: SELinux
Caleb Case
calebcase at gmail.com
Tue Apr 28 20:38:26 BST 2009
On Tue, Apr 28, 2009 at 2:24 PM, Scott Smyth
<ssmyth at sapereconsulting.com> wrote:
>
> A clarification: the app, lld2d, actually does what
> it should when started with init scripts in the correct
> runlevel and transitions correctly to "lld2d_t". What
> I was surprised at is that I cannot get lld2d to fail
> or report errors when I alter the configuration to
> conflict with the SELinux module. It will always
> start as "unconfined" not matter what the conflict
> with the loaded policy.
The unconfined domain is allowed to run any application (without transition):
sesearch -A -s unconfined_t -p execute_no_trans
/etc/selinux/ubuntu/modules/active/base.pp
/etc/selinux/ubuntu/modules/active/modules/*.pp
Found 8 syntactic av rules:
<snip>
allow files_unconfined_type file_type : { file chr_file } { ioctl
read write create getattr setattr lock relabelfrom relabelto append
unlink link rename execute swapon quotaon mounton execute_no_trans
entrypoint open } ;
<snip>
>
> This less restrict approach is what surprised me.
> Will that change as jaunty and selinux-policy-ubuntu
> reach their final states or will it remain less
> restrictive for login and unconfined?
>
> I would like to make it more restrictive if not
> like Fedora Core by default. How should I do this
> but not make it less compatible with changes in
> selinux-policy-ubuntu?
The best option is to provide a transition to unconfined for your
application using the unconfined_domtrans_to interface.
If you put your modules in /etc/selinux.d, then updates to the
selinux-policy-ubuntu package will retain your new modules.
selinux-policy-ubuntu will call update-selinux-policy to rebuild the
policy.
Caleb
More information about the ubuntu-hardened
mailing list