SELinux domains for relabeling

Stephen Smalley sds at tycho.nsa.gov
Tue Jan 26 17:14:42 UTC 2010


On Tue, 2010-01-26 at 17:54 +0100, Dominick Grift wrote:
> On 01/26/2010 05:40 PM, Stephen Smalley wrote:
> > On Tue, 2010-01-26 at 17:14 +0100, Dominick Grift wrote:
> >> On 01/26/2010 02:27 PM, Roberto Sassu wrote:
> >>> Hello all
> >>>
> >>> I'm trying to investigate what domains in the Fedora 12 policy are allowed to 
> >>> modify SELinux labels (in particular domain entrypoints).
> >>
> >> sesearch --allow -s domain -t exec_type -c file -p relabelto
> >> sesearch --allow -s domain -t exec_type -c file -p relabelfrom
> >>
> >> This lists all source domain types with relabelto and relabelfrom access to
> >> executable file types (entry types).
> > 
> > Does that work for you?
> 
> You are right, it does not work. I wonder why. Why would sysadm_t be a
> "domain" and unconfined_t not?

# seinfo -adomain -x | grep unconfined_t
      qemu_unconfined_t
      unconfined_t

unconfined_t is a domain.  This appears to be a bug in setools.

> > sesearch --allow -s domain -t exec_type -c file -p relabelto | awk '/allow/{print $2}' | sort | uniq -c
> >       1 prelink_t
> >     568 restorecond_t
> >     568 rpm_t
> >     568 sysadm_t
> > 
> > Where is unconfined_t and friends?
> > 
> > sesearch --allow -s unconfined_t -t sshd_exec_t -c file -p relabelto
> > Found 1 semantic av rules:
> >    allow files_unconfined_type file_type : file { ioctl read write
> > create getattr setattr lock relabelfrom relabelto append unlink link
> > rename execute swapon quotaon mounton execute_no_trans entrypoint
> > open } ; 
> > 
-- 
Stephen Smalley
National Security Agency
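The thread's pipeline counts the source field of each allow rule, so a rule written against an attribute (files_unconfined_type) shows up as that attribute, or under the reported setools bug not at all, and the unconfined domains it covers never reach the uniq -c count. Querying per concrete domain type sidesteps that, because sesearch expands the attributes of the named type (that is why `-s unconfined_t -t sshd_exec_t` did find the rule). The script below is an added example, not code from the thread or from setools; it assumes the setools 3.x command-line syntax and output layout shown in the messages above (`seinfo -adomain -x` printing the attribute name followed by one indented type per line, `sesearch --allow` printing one `allow src tgt : class { perms } ;` line per rule), and the sample sesearch text is constructed for offline use.

```shell
#!/bin/bash
# Added example: list domains that may relabel executable files by querying
# sesearch per concrete domain type rather than once for the "domain" attribute.
# Assumptions (taken from the thread, not verified against other setools versions):
#   seinfo -adomain -x                      -> "   domain" then one indented type per line
#   sesearch --allow -s T -t exec_type -c file -p relabelto
#                                           -> "allow SRC TGT : CLASS { ... } ;" per rule

# Type names from `seinfo -adomain -x`: skip the attribute-name line, keep each
# single-token indented line.
domain_types() {
  awk 'NR > 1 && NF == 1 { print $1 }'
}

# Source field of every "allow" rule in sesearch output.  This is exactly what
# the thread's `awk '/allow/{print $2}'` counts: a rule source, which can be an
# attribute such as files_unconfined_type instead of a domain type.
rule_sources() {
  awk '$1 == "allow" { print $2 }'
}

# One sesearch call per domain type, counting the rules that grant it relabelto
# on exec_type.  Because the query names the concrete type, attribute-based
# rules (unconfined_t via files_unconfined_type) are matched as well.
relabelers_by_domain() {
  while read -r t; do
    n=$(sesearch --allow -s "$t" -t exec_type -c file -p relabelto 2>/dev/null \
        | rule_sources | wc -l)
    if [ "$n" -gt 0 ]; then
      printf '%s %s\n' "$n" "$t"
    fi
  done | sort -rn
}

# Constructed sample of sesearch output (the wrapped rule from the thread,
# unwrapped and shortened) so the parsing can be exercised without a policy.
SAMPLE_SESEARCH='Found 2 semantic av rules:
   allow sysadm_t sshd_exec_t : file { relabelfrom relabelto } ;
   allow files_unconfined_type file_type : file { ioctl read write relabelfrom relabelto open } ;'

if command -v sesearch >/dev/null 2>&1 && command -v seinfo >/dev/null 2>&1; then
  # Live policy: rules per domain, unconfined_t included.
  seinfo -adomain -x | domain_types | relabelers_by_domain
else
  # Offline: the per-rule count names the attribute, not the domains behind it.
  printf '%s\n' "$SAMPLE_SESEARCH" | rule_sources | sort | uniq -c
fi
```

Run it on a host with the policy loaded to get a per-domain count; without setools it only runs the offline branch, whose output shows files_unconfined_type as a source and no unconfined_t at all, which is the gap the thread is about.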