Still unconfined?

Stephen Smalley sds at tycho.nsa.gov
Tue Nov 28 19:18:24 UTC 2006


On Tue, 2006-11-28 at 19:36 +0100, Jimmy wrote:
> Hi!
> 
> I'm trying to learn SELinux from the bottom up, but having some fundamental 
> issues regarding the basics.
> I'm trying to load the mozilla.pp module in targeted, which works fine. I 
> set the correct contexts with restorecon on firefox-bin. But when I run 
> the binary it still runs in unconfined_t when looking at running 
> processes (ps auxZ).
> I've tried to compile it myself from different sources, and load it, but 
> get the same results all the time. Then I tried with netutils.pp and 
> discovered the same problem with ping.
> 
> Why doesn't firefox get transferred to the $1_mozilla_t domain??? I know 
> I'm making some really fundamental mistake somewhere, but I can't find out 
> what it is!

If mozilla's domain was a "simple" domain, then mozilla.pp would just
contain its definition, and you would still need to set up a transition
from unconfined_t to mozilla's domain, likely by calling an interface
defined by mozilla.if from unconfined.te.  But mozilla's domain is
templated for instantiation once per user role, and targeted policy has
no notion of user roles or domains, so mozilla.pp doesn't even contain the
actual domain definition, just a few type declarations for file types
used for mozilla - the real domain definition happens as a result of
template expansion for each user role.

In short, mozilla's policy was written for the strict policy.  You'd
have to do some work to instantiate it for unconfined in targeted and
ensure that none of its assumptions are broken there, and your ability
to limit what it can do will be severely constrained with targeted
policy.

-- 
Stephen Smalley
National Security Agency
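A constructed illustration of the "simple domain" case described above, added here and not taken from the thread or from the stock refpolicy mozilla module: one policy module that declares a plain, non-templated domain for firefox-bin and the unconfined_t transition into it that a templated module never provides under targeted. It assumes 2006-era refpolicy macros, that mozilla.pp is loaded so mozilla_exec_t exists, and that unconfined_t runs in the system_r role (an assumption; verify with `id -Z` and adjust the role lines if it differs).

```selinux
# mozilla_targeted.te -- constructed example, not the stock mozilla module
policy_module(mozilla_targeted, 1.0.0)

require {
        # source domain in targeted policy
        type unconfined_t;
        # file type mozilla.pp already declares; applied to firefox-bin by restorecon
        type mozilla_exec_t;
        # ASSUMPTION: the role unconfined_t runs in (check with `id -Z`)
        role system_r;
}

########################################
# Declarations: a plain domain, defined directly rather than via a
# per-role template, so it exists in targeted without any role instantiation.
type mozilla_t;
domain_type(mozilla_t)
# mozilla_exec_t is an entrypoint for mozilla_t
domain_entry_file(mozilla_t, mozilla_exec_t)
# the role must be permitted to run the new domain or the transition is refused
role system_r types mozilla_t;

########################################
# The piece a templated mozilla.pp cannot supply under targeted:
# unconfined_t executing a mozilla_exec_t file lands in mozilla_t.
# (execute, transition and the type_transition rule in one macro)
domain_auto_trans(unconfined_t, mozilla_exec_t, mozilla_t)

########################################
# Bare minimum so the binary can start and the new domain shows up in
# `ps auxZ`. A real browser needs much more (X, network, $HOME, ...);
# until those rules are added, expect AVC denials rather than a working
# firefox, which is the "assumptions broken in targeted" caveat above.
libs_use_ld_so(mozilla_t)
libs_use_shared_libs(mozilla_t)
files_read_etc_files(mozilla_t)
miscfiles_read_localization(mozilla_t)
```

Build with the refpolicy development Makefile (`make -f /usr/share/selinux/devel/Makefile mozilla_targeted.pp`), load with `semodule -i mozilla_targeted.pp`, then launch firefox-bin and confirm with `ps auxZ` that it runs as mozilla_t; denials for anything beyond the minimal rules will appear in the audit log.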




More information about the fedora-selinux-list mailing list