SELinux domains for relabeling
Roberto Sassu
roberto.sassu at polito.it
Tue Jan 26 13:27:35 UTC 2010
Hello all,
I'm trying to investigate which domains in the Fedora 12 policy are allowed to
modify SELinux labels (in particular domain entrypoints). After reading the
article by D. J. Walsh, "Confined processes statistics in Fedora 12?", I removed
the "unconfined" package in order to get a shorter list.
For the selection process I'm considering not only domains which are directly
allowed to do relabeling, but also those that are allowed to directly interact
with the system by:
- loading the SELinux policy
- performing the setenforce command
- loading kernel modules
- accessing the /dev/mem device
Since domains are grouped by attributes, and the latter have names which
suggest the type of action that can be performed on the system, I selected
those that seem to meet the criteria described above.
admindomain
can_change_object_identity
can_change_process_identity
can_change_process_role
can_load_kernmodule
can_load_policy
can_relabelto_binary_policy
can_relabelto_shadow_passwords
can_setenforce
can_system_change
can_write_binary_policy
can_setsecparam
kern_unconfined
memory_raw_read
memory_raw_write
selinux_unconfined_type
sysadm_usertype
staff_usertype
unconfined_domain_type
unconfined_file_type
Then I expanded the list by listing all domains included in each
attribute.
Just to verify, I checked using the command
sesearch --allow -d -t <file label> -p relabelto
that, for some file labels, the domains obtained are included in the list
I built.
Can this approach be considered valid for meeting the goal?
Any comment on this would be appreciated.
Thanks in advance.
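The verification step described in the post (expand each attribute with seinfo, query sesearch for relabelto on a file label, and check that every domain returned is already in the attribute-derived list) can be automated. The script below is an added example and is not code from the original post or from the setools project. Its parsers accept the textual shape of setools `seinfo -a <attr> -x` and `sesearch --allow` output; the sample outputs embedded in it are constructed for illustration (the attribute memberships and allow rules are not copied from the Fedora 12 policy), and `live_check()` assumes setools 4 command-line syntax (`seinfo -a ATTR -x`, `sesearch --allow -t TYPE -c file -p relabelto`), which differs slightly from the setools 3 syntax quoted in the post.

```python
"""Check that every domain sesearch reports as allowed 'relabelto' on a file
label is covered by the candidate list built from policy attributes.

Added example, not from the original post or from setools. The sample
seinfo/sesearch outputs below are constructed, not captured from Fedora 12.
"""
import re
import subprocess

# Attributes named in the post as markers for domains that can alter the TCB.
CANDIDATE_ATTRS = [
    "admindomain", "can_load_policy", "can_relabelto_shadow_passwords",
    "can_setenforce", "memory_raw_write", "selinux_unconfined_type",
    "sysadm_usertype", "unconfined_domain_type",
]

# Matches both 'allow a_t b_t:file { p q };' (setools 4) and
# 'allow a_t b_t : file { p q } ;' (setools 3), with single or braced perms.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+)\s*:\s*(?P<cls>\S+)\s*"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\S+))\s*;"
)


def parse_seinfo_types(text):
    """Return the set of type names listed under an attribute in 'seinfo -a X -x' output."""
    types = set()
    for line in text.splitlines():
        tok = line.strip().rstrip(";")
        # Header lines ('Type Attributes: 1', 'attribute foo;') contain spaces
        # or do not end in _t; bare type names are the members.
        if tok and " " not in tok and tok.endswith("_t"):
            types.add(tok)
    return types


def parse_sesearch_allow(text, perm="relabelto", cls="file"):
    """Return the source domains whose allow rules grant `perm` on object class `cls`."""
    domains = set()
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if not m or m.group("cls") != cls:
            continue
        perms = m.group("perms").split() if m.group("perms") is not None else [m.group("perm")]
        if perm in perms:
            domains.add(m.group("src"))
    return domains


def uncovered_relabelers(allowed, candidates):
    """Domains allowed to relabel but missing from the attribute-derived candidate list."""
    return sorted(set(allowed) - set(candidates))


def live_check(file_label, attrs=CANDIDATE_ATTRS):
    """Run the real tools against the loaded policy (setools 4 syntax assumed)."""
    candidates = set()
    for attr in attrs:
        out = subprocess.run(["seinfo", "-a", attr, "-x"],
                             capture_output=True, text=True, check=True).stdout
        candidates |= parse_seinfo_types(out)
    out = subprocess.run(["sesearch", "--allow", "-t", file_label, "-c", "file", "-p", "relabelto"],
                         capture_output=True, text=True, check=True).stdout
    return uncovered_relabelers(parse_sesearch_allow(out), candidates)


# Constructed sample data (hypothetical memberships and rules, for offline use).
SAMPLE_SEINFO = {
    "can_relabelto_shadow_passwords":
        "Type Attributes: 1\n   attribute can_relabelto_shadow_passwords;\n"
        "      passwd_t\n      sysadm_t\n      useradd_t\n",
    "sysadm_usertype": "Type Attributes: 1\n   attribute sysadm_usertype;\n      sysadm_t\n",
    "admindomain": "Type Attributes: 1\n   attribute admindomain;\n      sysadm_t\n",
}
SAMPLE_SESEARCH_SHADOW = """\
allow passwd_t shadow_t:file { create relabelfrom relabelto write };
allow sysadm_t shadow_t:file { relabelfrom relabelto };
allow useradd_t shadow_t:file { relabelfrom relabelto };
allow groupadd_t shadow_t:file { relabelfrom relabelto };
allow dircheck_t shadow_t:dir { relabelfrom relabelto };
allow restorecon_t shadow_t:file relabelto;
"""


def sample_check():
    """Apply the check to the constructed sample: which relabelers are not covered?"""
    candidates = set()
    for text in SAMPLE_SEINFO.values():
        candidates |= parse_seinfo_types(text)
    return uncovered_relabelers(parse_sesearch_allow(SAMPLE_SESEARCH_SHADOW), candidates)


if __name__ == "__main__":
    print("uncovered (sample):", sample_check())
```

On the sample, `groupadd_t` and `restorecon_t` come back as uncovered (the `dircheck_t` rule is ignored because it is on class `dir`, not `file`), which is exactly the kind of gap the attribute-based shortlist can miss. Note that a relabel needs `relabelfrom` on the old label as well as `relabelto` on the new one, so running `parse_sesearch_allow(..., perm="relabelfrom")` against the source label gives the other half of the picture.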