Goal
All processes run with a confined domain.
Setup
^_^ semanage login -l
Login Name     SELinux User    MLS/MCS Range       Service
__default__    staff_u         s0-s0:c0.c1023      *
plautrba       staff_u         s0-s0:c0.c1023      *
root           root            s0-s0:c0.c1023      *
^_^ semanage user -l | grep staff_u
staff_u user s0 s0-s0:c0.c1023 secadm_r staff_r sysadm_r system_r unconfined_r
^_^ semanage boolean -l -C
SELinux boolean           State     Default  Description
selinuxuser_tcp_server    (on   ,   on)  Allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols.
staff_use_svirt           (on   ,   on)  allow staff user to create and transition to svirt domains.
xserver_execmem           (on   ,   on)  Allows XServer to execute writable memory
^_^ cat /etc/sudoers.d/selinux
%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL
%wheel ALL=(ALL) TYPE=secadm_t ROLE=secadm_r /usr/local/bin/zsh-secadm
%wheel ALL=(ALL) TYPE=secadm_t ROLE=secadm_r /usr/sbin/semanage,/usr/sbin/semodule
Missing rules
A lot of them; they live in a local CIL module, myconfined.cil ;)
^_^ wc -l myconfined.cil
119 myconfined.cil
Current state
^_^ getenforce
Enforcing
Confined users
^_^ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023
^_^ sudo -i
^_^ id -Z
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
Confined processes
^_^ ps Z
LABEL                                          PID   TTY    STAT TIME COMMAND
staff_u:staff_r:staff_t:s0-s0:c0.c1023         2401  pts/2  Ss   0:00 /usr/bin/zsh
staff_u:sysadm_r:ssh_t:s0-s0:c0.c1023          10526 pts/12 S+   0:00 ssh localhost
staff_u:staff_r:staff_t:s0-s0:c0.c1023         10605 pts/11 S+   0:00 vim Fully-SELinux-confined-system-with-Fedora-27.adoc
staff_u:staff_r:staff_screen_t:s0-s0:c0.c1023  14770 pts/4  S+   0:00 tmux new-session -s openscap
staff_u:staff_r:staff_t:s0-s0:c0.c1023         18754 pts/9  S+   0:02 vim src/OVAL/probes/unix/process58.c
staff_u:staff_r:staff_t:s0-s0:c0.c1023         25788 pts/10 S+   0:00 cscope -R
staff_u:staff_r:staff_t:s0-s0:c0.c1023         26368 pts/10 S+   0:00 vim +85 libselinux/src/ccntext.c
^_^ ps axZ | grep unconfined
staff_u:staff_r:staff_t:s0-s0:c0.c1023         13740 pts/12 S+   0:00 grep --color=auto --exclude-dir=.bzr --exclude-dir=CVS --exclude-dir=.git --exclude-dir=.hg --exclude-dir=.svn unconfined
(only the grep itself matches: no process on the system runs in an unconfined domain)
unconfined module disabled
^_^ sudo semodule -lfull | grep unconfined
100 unconfined pp disabled
100 unconfineduser pp
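The two snapshots above (ps Z showing only confined domains, and semodule -lfull showing the unconfined module disabled) are easy to eyeball once, but they are the kind of check you want to re-run after every policy change. The script below is an added example, not part of the original page or of the Fedora policy: it turns both snapshots into stdin-driven checks so they can be fed live output or a saved listing. The allowed role set and the sample listings are assumptions constructed for the demo; the unconfineduser module is deliberately left alone, as on the page.

```shell
#!/bin/sh
# Added example (not from the original page): audit helpers for a fully
# confined SELinux system. Both functions read their input on stdin.

# Roles a confined login user/system is expected to use.
# Assumption: matches the staff_r/sysadm_r/secadm_r setup on this page.
ALLOWED_ROLES="staff_r sysadm_r secadm_r system_r"

# check_confined: reads process lines with the SELinux label first (as printed
# by `ps axZ` or `ps -eo label,pid,comm`), prints one line per process that is
# not confined and returns 1 if any such process exists, 0 otherwise.
# A process is "not confined" when its SELinux user is unconfined_u, its
# domain starts with unconfined_, or its role is outside ALLOWED_ROLES.
check_confined() {
    offenders=0
    while read -r label pid rest; do
        case "$label" in LABEL|"") continue ;; esac   # header / blank lines
        # context is user:role:type:range; peel off the first three fields
        seuser=${label%%:*}
        ctx=${label#*:}
        role=${ctx%%:*}
        ctx=${ctx#*:}
        domain=${ctx%%:*}
        reason=""
        case "$seuser" in
            unconfined_u) reason="unconfined SELinux user" ;;
        esac
        case "$domain" in
            unconfined_*) reason="${reason:+$reason; }unconfined domain $domain" ;;
        esac
        case " $ALLOWED_ROLES " in
            *" $role "*) ;;
            *) reason="${reason:+$reason; }unexpected role $role" ;;
        esac
        if [ -n "$reason" ]; then
            printf 'PID %s [%s] %s: %s\n' "$pid" "$label" "$rest" "$reason"
            offenders=1
        fi
    done
    return $offenders
}

# unconfined_module_disabled: reads `semodule -lfull` output on stdin
# (columns: priority name format [disabled]) and returns 0 only if a module
# named exactly "unconfined" is listed and marked disabled. A missing module
# or one without the "disabled" flag fails the check.
unconfined_module_disabled() {
    state=missing
    while read -r _prio name _fmt flag; do
        [ "$name" = "unconfined" ] || continue
        state=${flag:-enabled}
    done
    [ "$state" = "disabled" ]
}

# --- demo on constructed data (not real output from the page's system) ---
SAMPLE_PS='LABEL PID TTY STAT TIME COMMAND
staff_u:staff_r:staff_t:s0-s0:c0.c1023 2401 pts/2 Ss 0:00 /usr/bin/zsh
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 2500 pts/2 S 0:00 -zsh
system_u:system_r:sshd_t:s0-s0:c0.c1023 900 ? Ss 0:00 /usr/sbin/sshd -D
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3100 pts/3 Ss 0:00 bash
system_u:system_r:unconfined_service_t:s0 3200 ? Ssl 0:01 /opt/agent/agentd'
SAMPLE_MODULES='100 unconfined pp disabled
100 unconfineduser pp'

printf '%s\n' "$SAMPLE_PS" | check_confined || echo "=> not every process is confined"
printf '%s\n' "$SAMPLE_MODULES" | unconfined_module_disabled && echo "=> unconfined module is disabled"
```

On a live system the same functions take real output: `ps axZ | check_confined` and `sudo semodule -lfull | unconfined_module_disabled`. The exit status is what you wire into a cron job or a CI step; the printed lines tell you which process or label to chase.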