[OpenAFS] OpenAFS clients and _confined_ SELinux users
Chaskiel Grundman
cg2v@andrew.cmu.edu
Mon, 25 Aug 2008 13:23:27 -0400 (EDT)
> I have two shell servers running RHEL5 with AFS homedirs and selinux
> enabled with the targeted policy. I had to enable the nfs_home_dirs
> seboolean, but that's all I recall about getting things to work.
>
The targeted policy makes user accounts unconfined, which means theu are
exempt from any selinux policy enforcement. This means that weak passwords
+ privilege escalation vulnerabilities = broken server
> Are looking for a more restrictive policy to use with a policy other
> than the targeted one?
Yes, I want to use the strict policy (or in current terms, I want to use
'semanage login' to map __default__ to user_u, not unconfined_u. root
will remain unconfined_u, so it isn't really strict policy either. it's
somewhere between targeted and strict)