[ubuntu-hardened] unconfined versus SE module in Ubuntu Jaunty: SELinux

Scott Smyth ssmyth at sapereconsulting.com
Tue Apr 28 20:42:00 BST 2009


Perfect.  That is what I needed.  Thx, Scott

--- On Tue, 4/28/09, Caleb Case <calebcase at gmail.com> wrote:

> From: Caleb Case <calebcase at gmail.com>
> Subject: Re: [ubuntu-hardened] unconfined versus SE module in Ubuntu Jaunty: SELinux
> To: "Ubuntu security discussion" <ubuntu-hardened at lists.ubuntu.com>
> Date: Tuesday, April 28, 2009, 12:38 PM
> On Tue, Apr 28, 2009 at 2:24 PM,
> Scott Smyth
> <ssmyth at sapereconsulting.com>
> wrote:
> >
> > A clarification: the app, lld2d, actually does what
> > it should when started with init scripts in the correct
> > runlevel and transitions correctly to "lld2d_t".  What
> > I was surprised at is that I cannot get lld2d to fail
> > or report errors when I alter the configuration to
> > conflict with the SELinux module.  It will always
> > start as "unconfined" no matter what the conflict
> > with the loaded policy.
> 
> The unconfined domain is allowed to run any application
> (without transition):
> 
> sesearch -A -s unconfined_t -p execute_no_trans \
>     /etc/selinux/ubuntu/modules/active/base.pp \
>     /etc/selinux/ubuntu/modules/active/modules/*.pp
> 
> Found 8 syntactic av rules:
> <snip>
>    allow files_unconfined_type file_type : { file chr_file } { ioctl
>        read write create getattr setattr lock relabelfrom relabelto append
>        unlink link rename execute swapon quotaon mounton execute_no_trans
>        entrypoint open } ;
> <snip>
> 
> >
> > This less restrictive approach is what surprised me.
> > Will that change as jaunty and selinux-policy-ubuntu
> > reach their final states or will it remain less
> > restrictive for login and unconfined?
> >
> > I would like to make it more restrictive if not
> > like Fedora Core by default.  How should I do this
> > but not make it less compatible with changes in
> > selinux-policy-ubuntu?
> 
> The best option is to provide a transition to unconfined for your
> application using the unconfined_domtrans_to interface.
> 
> If you put your modules in /etc/selinux.d, then updates to the
> selinux-policy-ubuntu package will retain your new modules.
> selinux-policy-ubuntu will call update-selinux-policy to rebuild the
> policy.
> 
> Caleb
> 
> -- 
> ubuntu-hardened mailing list
> ubuntu-hardened at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
> 
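Editor's worked example, not part of the thread above: the procedure Caleb describes, end to end, as a small shell script. It re-runs the sesearch query from the thread (the `files_unconfined_type file_type` rule it returns is why a binary launched from an unconfined shell keeps running as unconfined_t: that attribute grants `execute_no_trans` on every file type, so no policy conflict is ever hit), then generates a local refpolicy module that calls `unconfined_domtrans_to(lld2d_t, lld2d_exec_t)` so that executing the lld2d binary from unconfined_t transitions into lld2d_t and misconfigurations surface as denials. Assumptions not stated on the page: the entrypoint type is named `lld2d_exec_t` (refpolicy naming), the module is called `lld2d_local`, the `/etc/selinux.d/<module>/` layout, and that `update-selinux-policy` builds `.te` sources placed there.

```shell
#!/bin/sh
# Added example (editor's, not from the mailing-list thread).
# Assumed names: lld2d_exec_t (entrypoint type), lld2d_local (module),
# /etc/selinux.d/lld2d_local/ (where update-selinux-policy is assumed to
# look). lld2d_t and the "ubuntu" policy store come from the thread.

POLICY_STORE=/etc/selinux/ubuntu
MODULE=lld2d_local

# Step 1: what may unconfined_t execute *without* a domain transition?
# This is the query from the thread; the files_unconfined_type rule it
# returns is the reason lld2d silently runs unconfined when started by hand.
check_unconfined_exec() {
    sesearch -A -s unconfined_t -p execute_no_trans \
        "$POLICY_STORE/modules/active/base.pp" \
        "$POLICY_STORE"/modules/active/modules/*.pp
}

# Step 2: type-enforcement source for the local module. A pure function so
# the generated text can be checked on a box without the SELinux toolchain.
lld2d_local_te() {
    cat <<'EOF'
policy_module(lld2d_local, 1.0.0)

gen_require(`
	type lld2d_t;
	type lld2d_exec_t;
')

# When unconfined_t executes a file labelled lld2d_exec_t, land in lld2d_t
# instead of staying unconfined, so policy/config conflicts become denials.
unconfined_domtrans_to(lld2d_t, lld2d_exec_t)
EOF
}

# Sanity check on the generated source before building: does it contain
# the given token? Returns 0/1 like grep -q.
te_has() {
    lld2d_local_te | grep -q -- "$1"
}

# Step 3: drop the module under /etc/selinux.d so package upgrades of
# selinux-policy-ubuntu keep it, then rebuild the policy (needs root).
install_module() {
    dir="/etc/selinux.d/$MODULE"
    mkdir -p "$dir"
    lld2d_local_te > "$dir/$MODULE.te"
    update-selinux-policy
}

# Step 4: confirm a type_transition unconfined_t -> lld2d_t now exists for
# the lld2d entrypoint in the rebuilt module set.
verify_transition() {
    sesearch -T -s unconfined_t -t lld2d_exec_t -c process \
        "$POLICY_STORE/modules/active/base.pp" \
        "$POLICY_STORE"/modules/active/modules/*.pp
}
```

Usage on a Jaunty host with setools and selinux-policy-ubuntu installed: source the script, run `check_unconfined_exec` to see the baseline, `sudo sh -c '. ./lld2d_local.sh; install_module'`, then `verify_transition`; afterwards `ls -Z` on the binary should show `lld2d_exec_t`, otherwise the transition never fires because the entrypoint label does not match.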


