[OpenAFS] OpenAFS clients and _confined_ SELinux users

Jason Edgecombe jason@rampaginggeek.com
Mon, 25 Aug 2008 18:49:08 -0400


Chaskiel Grundman wrote:
>> I have two shell servers running RHEL5 with AFS homedirs and selinux
>> enabled with the targeted policy. I had to enable the nfs_home_dirs
>> seboolean, but that's all I recall about getting things to work.
>>
> The targeted policy makes user accounts unconfined, which means they
> are exempt from any selinux policy enforcement. This means that weak
> passwords + privilege escalation vulnerabilities = broken server
>
>> Are you looking for a more restrictive policy to use with a policy other
>> than the targeted one?
>
> Yes, I want to use the strict policy (or in current terms, I want to
> use 'semanage login' to map __default__ to user_u, not unconfined_u.
> root will remain unconfined_u, so it isn't really strict policy
> either. It's somewhere between targeted and strict)
hmmm,

thanks for the info. I kind of knew that, but I hadn't really thought
about it before.

Jason
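
Added example, not part of the original thread or of OpenAFS: a small audit of SELinux login mappings that reports which logins still map to unconfined_u and whether __default__ has been moved to a confined user such as user_u, as discussed in the quoted message. The function names are hypothetical and the two listings are constructed in the layout of `semanage login -l`, not captured from a real host.

```shell
#!/bin/sh
# Added example: audit SELinux login mappings for unconfined users.
# SAMPLE_* are constructed in the `semanage login -l` layout, not captured output.

SAMPLE_TARGETED='Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023'

SAMPLE_CONFINED='Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023'

# Print "login selinux_user" pairs from a listing on stdin,
# skipping the header line and blank lines.
login_map() {
    awk 'NF >= 2 && $1 != "Login" { print $1, $2 }'
}

# Print every login name mapped to unconfined_u.
unconfined_logins() {
    login_map | awk '$2 == "unconfined_u" { print $1 }'
}

# Succeed only if __default__ exists and is not mapped to unconfined_u.
# Logins without their own entry inherit the __default__ mapping.
default_is_confined() {
    login_map | awk '
        $1 == "__default__" { seen = 1; if ($2 == "unconfined_u") bad = 1 }
        END { if (seen && !bad) exit 0; exit 1 }'
}

report() {
    # $1 = label, $2 = listing text
    if printf '%s\n' "$2" | default_is_confined; then
        echo "$1: __default__ is confined"
    else
        echo "$1: __default__ is unconfined or missing"
    fi
    printf '%s\n' "$2" | unconfined_logins | sed 's/^/  unconfined: /'
}

report targeted "$SAMPLE_TARGETED"
report confined "$SAMPLE_CONFINED"
# On a live host: semanage login -l | unconfined_logins
```

In the second listing only root remains unconfined, which is the "somewhere between targeted and strict" arrangement the quoted message describes.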