SELinux domains for relabeling
Dominick Grift
domg472 at gmail.com
Tue Jan 26 16:14:17 UTC 2010
On 01/26/2010 02:27 PM, Roberto Sassu wrote:
> Hello all
>
> I'm trying to investigate what domains in the Fedora 12 policy are allowed to
> modify SELinux labels (in particular domain entrypoints).
sesearch --allow -s domain -t exec_type -c file -p relabelto
sesearch --allow -s domain -t exec_type -c file -p relabelfrom
This lists all source domain types with relabelto and relabelfrom access to
executable file types (entry types).
> After reading the
> article of D. J. Walsh "Confined processes statistics in Fedora 12?" I removed
> the "unconfined" package in order to get a shorter list.
> For the selection process I'm considering not only domains which are directly
> allowed to do relabeling, but also those that are allowed to directly interact
> with the system by:
> - loading the selinux policy
> - performing the setenforce command
> - loading kernel modules
> - accessing to /dev/mem device
>
> Since domains are grouped by attributes, and the latter have a name which
> suggests the type of action that can be performed on the system, I selected
> those that seem to meet the criteria described before.
>
> admindomain
> can_change_object_identity
> can_change_process_identity
> can_change_process_role
> can_load_kernmodule
> can_load_policy
> can_relabelto_binary_policy
> can_relabelto_shadow_passwords
> can_setenforce
> can_system_change
> can_write_binary_policy
> can_setsecparam
> kern_unconfined
> memory_raw_read
> memory_raw_write
> selinux_unconfined_type
> sysadm_usertype
> staff_usertype
> unconfined_domain_type
> unconfined_file_type
>
> Then I have expanded the list by listing all domains included in each
> attribute.
> Just to verify, I checked, using the command
>
> sesearch --allow -d -t <file label> -p relabelto
>
> that, for some file labels, the domains obtained are included in the list
> built.
>
> Can this approach be considered valid to meet the goal?
> Any comment about this argument may be appreciated.
>
> Thanks in advance.
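As an added illustration of the cross-check discussed in this thread (not code from either poster): a small Python script that parses sesearch output for relabelto rules on executable types and reports any source domain that the attribute expansion did not reach. The sesearch output and the attribute membership below are constructed samples, not real Fedora 12 policy data, and the line format is an assumption about how sesearch printed rules at the time.

```python
import re
from collections import defaultdict

# Constructed sample: lines in roughly the format printed by
#   sesearch --allow -s domain -t exec_type -c file -p relabelto
# The rules are made up for the example, not taken from a real policy.
SESEARCH_RELABELTO = """\
Found 4 semantic av rules:
   allow sysadm_t bin_t : file { relabelfrom relabelto getattr } ;
   allow restorecond_t bin_t : file { relabelto getattr } ;
   allow rpm_t shell_exec_t : file { relabelto relabelfrom read } ;
   allow setfiles_t ssh_exec_t : file { relabelto } ;
"""

# Constructed sample: attribute -> member domains, as one would collect
# with `seinfo -a<attribute> -x` for each attribute on the selected list.
ATTRIBUTE_MEMBERS = {
    "admindomain": {"sysadm_t"},
    "can_load_policy": {"load_policy_t", "rpm_t"},
    "unconfined_domain_type": {"rpm_t", "unconfined_t"},
}

# Accepts both "src tgt : file {...}" and "src tgt:file {...}" spacing.
RULE_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}")

def parse_relabel_rules(output, perm="relabelto"):
    """Map each source domain to the file types it has `perm` on."""
    domains = defaultdict(set)
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        src, tgt, cls, perms = m.groups()
        if cls == "file" and perm in perms.split():
            domains[src].add(tgt)
    return dict(domains)

def expand_attributes(members):
    """Union of all domains listed under the selected attributes."""
    return set().union(*members.values())

def uncovered_domains(sesearch_output, attribute_members):
    """Domains that may relabel exec types but are missed by the attribute list."""
    relabelers = set(parse_relabel_rules(sesearch_output))
    return sorted(relabelers - expand_attributes(attribute_members))

if __name__ == "__main__":
    for d in uncovered_domains(SESEARCH_RELABELTO, ATTRIBUTE_MEMBERS):
        print("not covered by attribute expansion:", d)
```

Running it against real output (pipe sesearch into a file and load it instead of the sample) shows which relabel-capable domains the attribute-based selection would silently omit.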