[OpenAFS] OpenAFS clients and _confined_ SELinux users

Chaskiel Grundman cg2v@andrew.cmu.edu
Mon, 25 Aug 2008 13:23:27 -0400 (EDT)


> I have two shell servers running RHEL5 with AFS homedirs and selinux
> enabled with the targeted policy. I had to enable the nfs_home_dirs
> seboolean, but that's all I recall about getting things to work.
>
The targeted policy makes user accounts unconfined, which means theu are 
exempt from any selinux policy enforcement. This means that weak passwords 
+ privilege escalation vulnerabilities = broken server

> Are looking for a more restrictive policy to use with a policy other
> than the targeted one?

Yes, I want to use the strict policy (or in current terms, I want to use 
'semanage login' to map __default__ to user_u, not unconfined_u. root 
will remain unconfined_u, so it isn't really strict policy either. it's 
somewhere between targeted and strict)