No semantic av rules displayed by "sesearch -A -s httpd_sys_script_t -p name_bind -C | grep -v ^D"

Shintaro Fujiwara shintaro.fujiwara at gmail.com
Sat Nov 1 02:57:39 UTC 2014


On my Fedora 20 box, I tried to check the Bash Exploit as Dan did on his latest
blog post.

What I got is,

[root@xxxx ~]# sesearch -A -s httpd_sys_script_t -p name_bind -C | grep -v ^D
Found 12 semantic av rules:

Though 12 rules were caught by sesearch, none were displayed.

Next I typed,

[root@xxxx ~]# sesearch -A -s httpd_sys_script_t -p name_connect -C | grep -v ^D
Found 24 semantic av rules:
   allow nsswitch_domain dns_port_t : tcp_socket { recv_msg send_msg name_connect } ;
   allow nsswitch_domain dnssec_port_t : tcp_socket name_connect ;
ET allow httpd_sys_script_t gds_db_port_t : tcp_socket name_connect ; [ httpd_can_network_connect_db ]
ET allow httpd_sys_script_t mysqld_port_t : tcp_socket { recv_msg send_msg name_connect } ; [ httpd_can_network_connect_db ]
ET allow nsswitch_domain ocsp_port_t : tcp_socket name_connect ; [ kerberos_enabled ]
ET allow httpd_sys_script_t postgresql_port_t : tcp_socket { recv_msg send_msg name_connect } ; [ httpd_can_network_connect_db ]
ET allow httpd_sys_script_t oracle_port_t : tcp_socket name_connect ; [ httpd_can_network_connect_db ]
ET allow httpd_sys_script_t mssql_port_t : tcp_socket name_connect ; [ httpd_can_network_connect_db ]
ET allow nsswitch_domain kerberos_port_t : tcp_socket { recv_msg send_msg name_connect } ; [ kerberos_enabled ]
ET allow httpd_sys_script_t port_type : tcp_socket { recv_msg send_msg name_connect } ; [ httpd_enable_cgi httpd_can_network_connect && ]

This is ok.

What's wrong with the name_bind thing?

I use
setools-console                    x86_64                    3.3.7-41.fc20

-- 
A page to establish heavy metal and hard rock in Japan
http://heavymetalhardrock.no-ip.info/

Free software to make the secure OS SELinux easier to use around the world
http://sourceforge.net/projects/segatex/

CMS (free software using PHP and PostgreSQL)
http://sourceforge.net/projects/webon/
https://github.com/intrajp/irforum_jp
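As an added example (not part of the original message or of setools), this POSIX shell snippet runs over a constructed sample of setools-3 `sesearch -C` output and splits the rules counted by the `Found N semantic av rules:` header into unconditional, enabled-conditional (`ET`/`EF`) and disabled-conditional (`DT`/`DF`) rules; the disabled ones are exactly what `grep -v ^D` drops, so a non-zero count with nothing listed means every matching rule is gated by a boolean that is currently off. The rule contents and boolean state in the sample are constructed, not taken from the Fedora policy.

```shell
#!/bin/sh
# Constructed sample of setools-3 "sesearch -A ... -C" output (not real policy
# output). Unconditional rules are indented; conditional rules carry a prefix
# whose first letter is E (enabled) or D (disabled) and whose second letter is
# T or F for the branch, followed by the boolean expression in [ ].
SAMPLE='Found 4 semantic av rules:
   allow httpd_sys_script_t http_port_t : tcp_socket name_bind ;
ET allow httpd_sys_script_t mysqld_port_t : tcp_socket name_connect ; [ httpd_can_network_connect_db ]
DT allow httpd_sys_script_t port_type : tcp_socket name_bind ; [ httpd_enable_cgi httpd_can_network_connect && ]
DT allow httpd_sys_script_t http_port_t : tcp_socket name_connect ; [ httpd_enable_cgi ]'

# Print "reported unconditional enabled disabled" for one sesearch -C listing.
summarize() {
    printf '%s\n' "$1" | awk '
        /^Found [0-9]+ semantic av rules/ { reported = $2 }
        /^[ \t]+allow /                   { unconditional++ }
        /^E[TF] /                         { enabled++ }
        /^D[TF] /                         { disabled++ }
        END { printf "%d %d %d %d\n", reported, unconditional, enabled, disabled }'
}

# Exactly what the pipeline in the question leaves on screen: everything
# except lines starting with D, so the disabled conditional rules vanish
# while the "Found N" header still counts them.
visible_after_grep() {
    printf '%s\n' "$1" | grep -v '^D'
}

# Boolean expressions gating the hidden (disabled) rules, deduplicated, so the
# reader can see which booleans (setsebool) control them.
hidden_booleans() {
    printf '%s\n' "$1" | awk '/^D[TF] / { sub(/.*\[ /, ""); sub(/ \]$/, ""); print }' | sort -u
}

summarize "$SAMPLE"             # 4 1 1 2
visible_after_grep "$SAMPLE"
hidden_booleans "$SAMPLE"
```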