SELinux domains for relabeling

Dominick Grift domg472 at gmail.com
Tue Jan 26 16:14:17 UTC 2010


On 01/26/2010 02:27 PM, Roberto Sassu wrote:
> Hello all
> 
> I'm trying to investigate which domains in the Fedora 12 policy are allowed to 
> modify SELinux labels (in particular domain entrypoints).

sesearch --allow -s domain -t exec_type -c file -p relabelto
sesearch --allow -s domain -t exec_type -c file -p relabelfrom

This lists all source domain types with relabelto and relabelfrom access to
executable file types (entry types).

> After reading the
> article by D. J. Walsh "Confined processes statistics in Fedora 12?" I removed 
> the "unconfined" package in order to get a shorter list.
> For the selection process I'm considering not only domains which are directly 
> allowed to do relabeling, but also those that are allowed to directly interact 
> with the system by:
>  - loading the selinux policy
>  - performing the setenforce command
>  - loading kernel modules
>  - accessing the /dev/mem device
>  
> Since domains are grouped by attributes, and the latter have names which 
> suggest the type of action that can be performed on the system, I selected 
> those that seem to meet the criteria described before.
> 
> admindomain
> can_change_object_identity
> can_change_process_identity
> can_change_process_role
> can_load_kernmodule
> can_load_policy
> can_relabelto_binary_policy
> can_relabelto_shadow_passwords
> can_setenforce
> can_system_change
> can_write_binary_policy
> can_setsecparam
> kern_unconfined
> memory_raw_read
> memory_raw_write
> selinux_unconfined_type
> sysadm_usertype
> staff_usertype
> unconfined_domain_type
> unconfined_file_type
> 
> Then I expanded the list by listing all domains included in each 
> attribute.
> Just for verification, I checked using the command 
> 
> sesearch --allow -d -t <file label> -p relabelto 
> 
> that, for some file labels, the domains obtained are included in the list 
> built.
> 
> Can this approach be considered valid for meeting the goal? 
> Any comment on this argument would be appreciated.
> 
> Thanks in advance.

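As an added example that is not part of this thread: a small Python script that mechanises the verification step Roberto describes, checking that every domain sesearch reports with relabelto on a file type falls inside the domains obtained by expanding the chosen attributes with seinfo. The tool output is a constructed sample (the rule syntax follows setools; the domain and type names are illustrative), so it runs offline.

```python
import re

# Constructed sample of `sesearch --allow -d -t <type> -p relabelto` output.
# Rule syntax follows setools; the domain/type names are illustrative only.
SESEARCH_OUTPUT = """\
allow setfiles_t file_type : file { relabelfrom relabelto } ;
allow restorecond_t file_type : file { relabelfrom relabelto } ;
allow load_policy_t policy_config_t : file relabelto ;
allow rpm_script_t file_type : file { relabelto } ;
allow httpd_t httpd_exec_t : file { getattr read execute } ;
"""

# Constructed sample of `seinfo -a<attribute> -x` output, one string per attribute.
SEINFO_OUTPUTS = [
    "   can_relabelto_binary_policy\n      load_policy_t\n      setfiles_t\n",
    "   can_system_change\n      setfiles_t\n      restorecond_t\n",
]

# allow <source> <target> : <class> { perms } ;   or   ... : <class> perm ;
RULE_RE = re.compile(
    r"^allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;")

def relabel_domains(sesearch_text, perm="relabelto"):
    """Source types of every allow rule granting `perm` on class file."""
    domains = set()
    for line in sesearch_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group(3) != "file":
            continue
        perms = (m.group(4) or m.group(5)).split()
        if perm in perms:
            domains.add(m.group(1))
    return domains

def parse_seinfo_attr(text):
    """(attribute, member types) from one `seinfo -a<attr> -x` listing:
    first non-blank line is the attribute, indented lines are its types."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    return lines[0], set(lines[1:])

def uncovered(sesearch_text, seinfo_texts, perm="relabelto"):
    """Domains holding `perm` that none of the selected attributes contain."""
    covered = set()
    for text in seinfo_texts:
        covered |= parse_seinfo_attr(text)[1]
    return relabel_domains(sesearch_text, perm) - covered

if __name__ == "__main__":
    print("relabelto domains:", sorted(relabel_domains(SESEARCH_OUTPUT)))
    print("not covered by attributes:", sorted(uncovered(SESEARCH_OUTPUT, SEINFO_OUTPUTS)))
```

A non-empty result from uncovered() is exactly the case the attribute-based selection would miss, so the attribute list needs extending until it is empty.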
