SELinux domains for relabeling

Roberto Sassu roberto.sassu at polito.it
Tue Jan 26 13:27:35 UTC 2010


Hello all

I'm trying to investigate which domains in the Fedora 12 policy are allowed to 
modify SELinux labels (in particular domain entrypoints). After reading the 
article by D. J. Walsh, "Confined processes statistics in Fedora 12?", I removed 
the "unconfined" package in order to get a shorter list.
For the selection process I'm considering not only domains which are directly 
allowed to do relabeling, but also those that are allowed to directly interact 
with the system by:
 - loading the SELinux policy
 - performing the setenforce command
 - loading kernel modules
 - accessing the /dev/mem device
 
Since domains are grouped by attributes, and the latter have names which 
suggest the type of action that can be performed on the system, I selected 
those that seem to meet the criteria described above.

admindomain
can_change_object_identity
can_change_process_identity
can_change_process_role
can_load_kernmodule
can_load_policy
can_relabelto_binary_policy
can_relabelto_shadow_passwords
can_setenforce
can_system_change
can_write_binary_policy
can_setsecparam
kern_unconfined
memory_raw_read
memory_raw_write
selinux_unconfined_type
sysadm_usertype
staff_usertype
unconfined_domain_type
unconfined_file_type

Then I expanded the list by listing all domains included in each 
attribute.
Just to verify, I checked using the command 

sesearch --allow -d -t <file label> -p relabelto 

that, for some file labels, the domains obtained are included in the list 
I built.

Can this approach be considered valid to meet the goal? 
Any comment on this topic would be appreciated.

Thanks in advance.
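The subset check described in this post, as an added example that is not part of the original message, of setools, or of the Fedora policy: it takes text in the shape that seinfo -a<attribute> -x and sesearch --allow -t <type> -p relabelto print, expands the chosen attributes into their member domains, and reports every domain that is granted relabelto on the queried type but is covered by none of the attributes. The two inputs are constructed sample output, not Fedora 12 policy data; the attribute names and domains in them are chosen for illustration only. One caveat on the command quoted above: -d asks sesearch for a direct match on the target type, so a rule written against an attribute the file type belongs to (for example an attribute like file_type) is not reported; dropping -d, or querying the attribute as well, gives the complete set of domains that may relabel that type.

```python
"""Cross-check attribute-derived domains against sesearch relabelto results.

Added example; not code from the mailing-list post or from setools.
"""
import re
from typing import Dict, List, Set

# Constructed sample in the shape of `seinfo -a<attr> -x` output: the attribute
# name on one line, member types indented beneath it.  Not real policy data.
SEINFO_OUTPUT = """\
   admindomain
      sysadm_t
      secadm_t
   can_load_policy
      load_policy_t
      sysadm_t
   can_setenforce
      sysadm_t
      setfiles_t
"""

# Constructed sample in the shape of `sesearch --allow -t bin_t` output.  The
# last rule lacks relabelto, so the parser must filter on the permission itself
# and therefore also works on output that was not narrowed with -p.
SESEARCH_OUTPUT = """\
Found 5 semantic av rules:
   allow sysadm_t bin_t : file { relabelfrom relabelto } ;
   allow setfiles_t bin_t : file { relabelfrom relabelto } ;
   allow restorecond_t bin_t : file { relabelfrom relabelto } ;
   allow sysadm_t bin_t : dir { relabelfrom relabelto } ;
   allow rpm_t bin_t : file relabelfrom ;
"""

# Accepts both "src tgt : cls { perms } ;" and "src tgt:cls { perms };" layouts.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+)\s*:\s*(?P<cls>\S+)\s+"
    r"(?P<perms>\{[^}]*\}|[^\s;]+)\s*;"
)


def parse_attribute_members(text: str) -> Dict[str, Set[str]]:
    """Parse seinfo -a<attr> -x style output into {attribute: {types}}.

    The first non-blank line fixes the attribute indentation; any line indented
    deeper than that is a member of the most recent attribute.
    """
    table: Dict[str, Set[str]] = {}
    attr_indent = None
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        name = line.strip()
        if attr_indent is None:
            attr_indent = indent
        if indent <= attr_indent:
            current = name
            table.setdefault(current, set())
        elif current is not None:
            table[current].add(name)
    return table


def expand_attributes(attrs: List[str], table: Dict[str, Set[str]]) -> Set[str]:
    """Union of the member types of every attribute in `attrs` (unknown names are skipped)."""
    domains: Set[str] = set()
    for attr in attrs:
        domains |= table.get(attr, set())
    return domains


def relabelto_sources(text: str, perm: str = "relabelto") -> Set[str]:
    """Source domains of allow rules whose permission set contains `perm`."""
    sources: Set[str] = set()
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue  # header lines such as "Found N semantic av rules:"
        perms = m.group("perms").strip("{}").split()
        if perm in perms:
            sources.add(m.group("src"))
    return sources


def uncovered_domains(attrs: List[str], seinfo_text: str, sesearch_text: str) -> List[str]:
    """Domains allowed relabelto on the queried type that belong to none of `attrs`."""
    covered = expand_attributes(attrs, parse_attribute_members(seinfo_text))
    return sorted(relabelto_sources(sesearch_text) - covered)


if __name__ == "__main__":
    selected = ["admindomain", "can_load_policy", "can_setenforce"]
    missing = uncovered_domains(selected, SEINFO_OUTPUT, SESEARCH_OUTPUT)
    print("domains with relabelto not covered by the attribute list:", missing)
```

On a real system the two strings would be replaced by the captured output of one seinfo -a<attr> -x call per selected attribute (concatenated) and one sesearch --allow -t <file label> -p relabelto call per file label of interest; a non-empty result is exactly the evidence that the attribute-based list misses a domain. If your setools version prints a different layout, only the two parsers need adjusting.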


