Ticket #35 (closed Feature: fixed)

Opened 2 years ago

Last modified 1 year ago

Merge strict and targeted

Reported by: pebenito Assigned to: pebenito
Priority: High Component: Policy
Version: SVN HEAD Keywords:
Cc:

Description

Merge the strict and targeted policies into a single policy. Without the unconfined module being linked in, the policy will function as the strict policy currently does. With the unconfined module linked in, the policy will have these features added:

  1. unconfined user role (unconfined_u:unconfined_r:unconfined_t), which enables a mix of confined and unconfined users. Proper derived types (e.g., unconfined_home_dir_t) will be added for appropriate separation from confined users.
  2. tunables for making daemons unconfined instead of disable_trans tunables, so daemons don't need to be restarted for a toggle of confinement to take effect.
  3. domains that are currently always unconfined in the targeted policy will still be unconfined always (alternatively, conditionally based on a tunable).

The second and third parts require tunable support in the toolchain.
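As an added illustration (not text from this ticket and not code from the reference policy itself), the two mechanisms contrasted in item 2 written as reference-policy-style `.te` fragments; every daemon, type and boolean name here (`mydaemon_t`, `mydaemon_exec_t`, `mydaemon_disable_trans`, `mydaemon_unconfined`) is hypothetical:

```m4
# Added illustration with hypothetical names; reference-policy-style .te.

########################################
# (a) targeted-policy style: a disable_trans boolean gates the domain
# transition.  Toggling it only changes what happens on the *next* exec
# of the daemon, so a process already running in mydaemon_t stays in its
# current domain until it is restarted.
gen_bool(mydaemon_disable_trans, false)

if (!mydaemon_disable_trans) {
	# init scripts enter mydaemon_t when they execute mydaemon_exec_t
	domtrans_pattern(initrc_t, mydaemon_exec_t, mydaemon_t)
}

########################################
# (b) style proposed in this ticket: the transition is unconditional and
# the tunable instead widens what mydaemon_t itself may do.  Because the
# conditional rules attach to the running domain rather than to the
# transition, a setsebool toggle applies to existing processes at once.
domtrans_pattern(initrc_t, mydaemon_exec_t, mydaemon_t)

gen_tunable(mydaemon_unconfined, false)

tunable_policy(`mydaemon_unconfined',`
	# Only allow/auditallow/dontaudit and type_transition-style rules may
	# appear inside a conditional block; typeattribute may not.  The real
	# unconfined_domain() interface works by assigning attributes, so it
	# cannot simply be placed here; two plain allow rules stand in for it
	# in this illustration.
	allow mydaemon_t self:capability *;
	allow mydaemon_t self:process *;
')
```

The practical difference is in what the boolean controls: in (a) the rules inside the `if` are the transition rules, so a daemon keeps whatever domain it already entered; in (b) the conditional rules are permissions of the daemon's own domain, which the kernel re-evaluates on the next access check after the boolean changes. The attribute limitation noted in the comments is also why a tunable cannot just wrap the existing `unconfined_domain()` interface without further toolchain support.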

Change History

04/23/07 10:30:53 changed by pebenito

issues:

  • dropping the shlib_t -> lib_t alias will cause relabeling of /lib and /usr/lib on targeted systems.
  • current targeted users are user_u:system_r:unconfined_t; changing that to unconfined_u:unconfined_r:unconfined_t will cause currently running processes to become invalid.
  • changing unconfined's home directories to unconfined_home_dir_t and unconfined_home_t will cause relabeling in home directories.

10/02/07 12:20:26 changed by pebenito

  • status changed from new to closed.
  • resolution set to fixed.

Merged into trunk at revision 2437.