10:26 p.m.
I just beginning to learn SELinux and have numerous questions (I've read roughly half
of the "Red Hat Enterprise Linux 7 SELinux User's and Administrator's
Guide"). The first one is how to determine the domain of a daemon if it isn't
running. If there's documentation on this and I've just missed it just point me
to it. Thanks for your help.
11:51 p.m.
Are you looking for this?
ls -lZ /path/to/daemon/on/disk
----
Cheers,
Lakshmipathi.G
FOSS Programmer.
www.giis.co.in
On Fri, Nov 18, 2016 at 9:56 AM, <leroy.tennison(a)verizon.net> wrote:
> I just beginning to learn SELinux and have numerous questions (I've read roughly
half of the "Red Hat Enterprise Linux 7 SELinux User's and Administrator's
Guide"). The first one is how to determine the domain of a daemon if it isn't
running. If there's documentation on this and I've just missed it just point me
to it. Thanks for your help.
> _______________________________________________
> selinux mailing list -- selinux(a)lists.fedoraproject.org
> To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
10:21 p.m.
Thanks for the reply, when I ran 'ls -lZ /usr/bin/rsync' I got:
-rwxr-xr-x. root root system_u:object_r:rsync_exec_t:s0 /usr/bin/rsync
But, running 'rsync --daemon' then 'ps -eZ | grep rsync' I got:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2575 ? 00:00:00 rsync
When I had expected to see rsync_exec_t in the response. If I'm missing
something obvious please correct my (mis)understanding.
On 11/17/2016 11:51 PM, Lakshmipathi.G wrote:
Are you looking for this?
ls -lZ /path/to/daemon/on/disk
----
Cheers,
Lakshmipathi.G
FOSS Programmer.
www.giis.co.in
On Fri, Nov 18, 2016 at 9:56 AM, <leroy.tennison(a)verizon.net> wrote:
> I just beginning to learn SELinux and have numerous questions (I've read roughly
half of the "Red Hat Enterprise Linux 7 SELinux User's and Administrator's
Guide"). The first one is how to determine the domain of a daemon if it isn't
running. If there's documentation on this and I've just missed it just point me
to it. Thanks for your help.
> _______________________________________________
> selinux mailing list -- selinux(a)lists.fedoraproject.org
> To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
8:30 p.m.
On Fri, Nov 18, 2016 at 04:26:45AM -0000, leroy.tennison(a)verizon.net wrote:
I just beginning to learn SELinux and have numerous questions
(I've read roughly half of the "Red Hat Enterprise Linux 7 SELinux User's and
Administrator's Guide"). The first one is how to determine the domain of a
daemon if it isn't running. If there's documentation on this and I've just
missed it just point me to it. Thanks for your help.
__
Hi,
The context of a process usually depends on the domain which started it.
In Fedora's current policy systemd runs as init_t, so to find out what
the context of a daemon it starts would be we need to look for
type_transition rules with init_t as the source type. You can do this
by using sesearch from setools-console:
$ sesearch -CST -s init_t -c process
Found 721 semantic te rules:
type_transition init_t cgconfig_exec_t : process cgconfig_t;
type_transition init_t deltacloudd_exec_t : process deltacloudd_t;
... snip ...
The target type in these rules is the type of the programs executable
file, so to filter the sesearch results to a single program we can do this:
$ ls -laZ /sbin/dnsmasq
-rwxr-xr-x. 1 root root system_u:object_r:dnsmasq_exec_t:s0 373928 Jul 15 13:57
/sbin/dnsmasq
$ sesearch -CST -s init_t -t dnsmasq_exec_t -c process
Found 1 semantic te rules:
type_transition init_t dnsmasq_exec_t : process dnsmasq_t;
So we know that when init_t execve()'s a program with a type of
dnsmasq_exec_t it will transition to dnsmasq_t [1]. You can also
achieve the same result by using selinuxexeccon from libselinux-utils:
$ selinuxexeccon /usr/sbin/dnsmasq "system_u:system_r:init_t:s0"
system_u:system_r:dnsmasq_t:s0
[1] - A process can also call setexeccon() to set the context for a new
process before it calls execve().
_____________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
--
Gary Tierney
GPG fingerprint: 412C 0EF9 C305 68E6 B660BDAF 706E D765 85AA 79D8
https://sks-keyservers.net/pks/lookup?op=get&search=0x706ED76585AA79D8
2707
days inactive
2709
days old
selinux@lists.fedoraproject.org
3 comments
3 participants
participants (3)
-
Gary Tierney -
Lakshmipathi.G -
Leroy Tennison