selinux July 2011 archive

Re: Best base policy to use

From: Dominick Grift <domg472_at_nospam>
Date: Wed Jul 06 2011 - 06:09:56 GMT
To: Jeremiah Jahn <>

On Tue, 2011-07-05 at 17:11 -0500, Jeremiah Jahn wrote:
> So I'm in the process of upgrading my servers from RHEL5 to RHEL6. On my
> RHEL5 system I had to build the reference policy from scratch in order to
> prevent users from being able to transition to init_t through initrc_t.
> Basically, I want systems that have to be rebooted in order to restart
> certain services, like auditd, or at least be able to split those duties
> into different roles. One role can edit a file or install something, but a
> different role must restart it. Because life, the universe and everything
> goes through initrc_t, just about anything on the system running as root can
> mess with services. I'd like to highly limit things, and haven't really
> looked at any new developments in selinux for about 4 years. What's the best
> way/place to start removing domain transitions and requiring additional
> roles?

Main difference between el5 and el6 policy is that el6 policy is a
hybrid policy of the old targeted and strict policy. (strict policy was
merged into targeted policy)

You can now tune your policy to make it behave like the old strict
policy by removing or disabling the unconfined and unconfineduser

In Redhat policy only unconfined_t can transition directly to initrc.
Sysadm_t needs to use run_init to transition to initrc_t in the system_r

el6 policy allows you to easily create new roles.

So what you could do in my view is, disable or remove both unconfined
and unconfineduser modules and then create your own roles, selinux user
identities and logins.

In that regard el6 policy has pretty much the same properties as current
reference policy.

> thanks,
> -jj-

-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to with the words "unsubscribe selinux" without quotes as the message.
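To put the reply's plan into a script, here is an added example (it is not from the thread and not Red Hat's own tooling): disable the unconfined and unconfineduser modules, then add two SELinux users so that editing a service's files and restarting it via run_init are separate duties. The logins "editor" and "svcadmin", the SELinux users "svcedit_u" and "svcadmin_u", and the semodule listing it parses are all made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Walks the reply's advice on an
# el6-style box: disable the unconfined and unconfineduser modules, then add
# two SELinux users so that editing a service and restarting it are separate
# duties. Made-up names: Linux logins "editor" and "svcadmin", SELinux users
# "svcedit_u" and "svcadmin_u".
set -u

# Print each named module that is still enabled in `semodule -l` output.
# RHEL6 prints "name<TAB>version" and appends "<TAB>Disabled" when disabled.
enabled_modules() {   # enabled_modules "<listing>" name...
    listing=$1; shift
    for name in "$@"; do
        printf '%s\n' "$listing" |
            awk -v n="$name" '$1 == n && $3 != "Disabled" { print $1 }'
    done
}

# Roles each SELinux user is authorised for. run_init changes the role to
# system_r on the way to initrc_t, so a user without system_r is refused
# that transition even though it holds sysadm_r.
roles_for() {
    case $1 in
        svcedit_u)  echo "staff_r sysadm_r" ;;            # edit and install only
        svcadmin_u) echo "staff_r sysadm_r system_r" ;;   # may restart via run_init
        *)          return 1 ;;
    esac
}

# The commands, one per line. The MCS range is the targeted-policy default.
plan() {
    echo "semodule -d unconfined -d unconfineduser"
    echo "semanage user -a -R '$(roles_for svcedit_u)' -r s0-s0:c0.c1023 svcedit_u"
    echo "semanage user -a -R '$(roles_for svcadmin_u)' -r s0-s0:c0.c1023 svcadmin_u"
    echo "semanage login -a -s svcedit_u editor"
    echo "semanage login -a -s svcadmin_u svcadmin"
}

# apply_plan run  -> execute as root; any other argument just prints (dry run).
apply_plan() {
    plan | while read -r cmd; do
        if [ "${1:-print}" = run ]; then eval "$cmd" || exit 1; else echo "$cmd"; fi
    done
}

# Constructed sample listing: unconfineduser already disabled, unconfined not.
SAMPLE_LISTING=$(printf 'unconfined\t3.1.0\nunconfineduser\t1.0.0\tDisabled\nsysadm\t2.1.0\n')

echo "still enabled: $(enabled_modules "$SAMPLE_LISTING" unconfined unconfineduser)"
apply_plan print
```

Run `apply_plan run` as root only after reviewing the printed plan, since disabling unconfined also affects the root login itself.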