SELinux domains for relabeling

Roberto Sassu roberto.sassu at polito.it
Wed Jan 27 13:03:20 UTC 2010


Hello

I tried to execute:

for i in $(seinfo -aexec_type -x); do
        # the first token printed is the attribute name itself, not a type
        if [ "$i" = "exec_type" ]; then
                continue
        fi
        sesearch --allow -s domain -t "$i" -c file -p relabelto | \
                awk '/allow/{print $2}' >> domains.tmp
done
sort domains.tmp | uniq -c

This is the result:
    552 prelink_t
      1 pulseaudio_t
    552 restorecond_t
    552 rpm_script_t
    552 rpm_t
    552 setfiles_mac_t
    552 setfiles_t
      4 seunshare_t
      4 staff_t
    552 sysadm_t
      1 unconfined_t
      1 useradd_t
      4 user_t
     14 webadm_t


OK, I hope this is the correct list (for now, until the setools bug is 
solved). 
Another aspect of the policy which I need to understand is the list of domains 
which are allowed to modify the file labelling behaviour when it is enforced. 
For example, when I enter the sysadm_t domain, I can disable the enforcement 
or I can load a custom policy module that adds new rules. What are the criteria 
to pass to the sesearch tool in order to get the correct list?
Thanks. 

On Tuesday 26 January 2010 18:14:42 Stephen Smalley wrote:
> On Tue, 2010-01-26 at 17:54 +0100, Dominick Grift wrote:
> > On 01/26/2010 05:40 PM, Stephen Smalley wrote:
> > > On Tue, 2010-01-26 at 17:14 +0100, Dominick Grift wrote:
> > >> On 01/26/2010 02:27 PM, Roberto Sassu wrote:
> > >>> Hello all
> > >>>
> > >>> I'm trying to investigate what domains in the Fedora 12 policy are
> > >>> allowed to modify SELinux labels (in particular domain entrypoints).
> > >>
> > >> sesearch --allow -s domain -t exec_type -c file -p relabelto
> > >> sesearch --allow -s domain -t exec_type -c file -p relabelfrom
> > >>
> > >> This lists all source domain types relabelto and relabelfrom access to
> > >> executable file types (entry types)
> > >
> > > Does that work for you?
> >
> > You are right it does not work. I wonder why. Why would sysadm_t be a
> > "domain" and unconfined_t not?
> 
> # seinfo -adomain -x | grep unconfined_t
>       qemu_unconfined_t
>       unconfined_t
> 
> unconfined_t is a domain.  This appears to be a bug in setools.
> 
> > > sesearch --allow -s domain -t exec_type -c file -p relabelto | awk '/allow/{print $2}' | sort | uniq -c
> > >       1 prelink_t
> > >     568 restorecond_t
> > >     568 rpm_t
> > >     568 sysadm_t
> > >
> > > Where is unconfined_t and friends?
> > >
> > > sesearch --allow -s unconfined_t -t sshd_exec_t -c file -p relabelto
> > > Found 1 semantic av rules:
> > >    allow files_unconfined_type file_type : file { ioctl read write
> > > create getattr setattr lock relabelfrom relabelto append unlink link
> > > rename execute swapon quotaon mounton execute_no_trans entrypoint
> > > open } ;
> 
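
The queries in this thread match rules by attribute name, and the quoted output shows why that can miss domains: the rule that grants unconfined_t relabelto is written against the attributes files_unconfined_type and file_type, not against unconfined_t or any exec_type directly. The following is an added example (not code from the thread, from setools, or from the Fedora policy) of post-processing the text output of `seinfo -a<attr> -x` and `sesearch --allow` so that attributes on both sides of each rule are expanded into their member types before counting. The seinfo/sesearch text embedded below is constructed for the example and assumes the setools 3 layout seen in the thread (attribute name, then members indented further); the function names are this example's own.

```python
#!/usr/bin/env python3
"""Expand attribute-based SELinux allow rules into per-type results.

Added example, not from the thread or from setools. The sample text below is
constructed and mimics the setools 3 output layout quoted in the thread.
"""
import re
from collections import defaultdict

# Constructed stand-in for the concatenated output of
#   seinfo -adomain -x; seinfo -aexec_type -x; seinfo -afile_type -x;
#   seinfo -afiles_unconfined_type -x
SEINFO_SAMPLE = """\
   domain
      sysadm_t
      unconfined_t
      restorecond_t
      rpm_t
      staff_t
   exec_type
      sshd_exec_t
      bin_t
   file_type
      sshd_exec_t
      bin_t
      etc_t
   files_unconfined_type
      unconfined_t
      rpm_t
"""

# Constructed stand-in for `sesearch --allow -c file -p relabelto` output.
SESEARCH_SAMPLE = """\
Found 4 semantic av rules:
   allow sysadm_t exec_type : file { relabelfrom relabelto } ;
   allow files_unconfined_type file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans entrypoint open } ;
   allow staff_t bin_t : file relabelto ;
   allow restorecond_t etc_t : file { relabelfrom relabelto } ;
"""

# Matches "allow SRC TGT : CLASS { p1 p2 } ;" and "allow SRC TGT : CLASS p ;"
RULE_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;"
)


def parse_seinfo(text):
    """Map attribute name -> set of member types from `seinfo -aNAME -x` text."""
    attrs, current, attr_indent = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if attr_indent is None:
            attr_indent = indent          # first line is an attribute name
        if indent == attr_indent:
            current = line.strip()
            attrs[current] = set()
        elif current is not None:
            attrs[current].add(line.strip())
    return attrs


def parse_sesearch(text):
    """Yield (source, target, class, perms) for each allow rule in the text."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            perms = (m.group(4) or m.group(5)).split()
            yield m.group(1), m.group(2), m.group(3), set(perms)


def expand(name, attrs):
    """An attribute expands to its members; a plain type expands to itself."""
    return attrs.get(name, {name})


def relabel_domains(seinfo_text, sesearch_text, perm="relabelto",
                    src_attr="domain", tgt_attr="exec_type", cls="file"):
    """domain type -> set of exec_type types it may `perm` on class `cls`."""
    attrs = parse_seinfo(seinfo_text)
    domains, targets = attrs[src_attr], attrs[tgt_attr]
    result = defaultdict(set)
    for src, tgt, rcls, perms in parse_sesearch(sesearch_text):
        if rcls != cls or perm not in perms:
            continue
        tgts = expand(tgt, attrs) & targets   # keep only exec_type targets
        if not tgts:
            continue                          # e.g. etc_t is not an exec_type
        for s in expand(src, attrs) & domains:
            result[s] |= tgts
    return dict(result)


def count_by_domain(result):
    """The thread's `sort | uniq -c`: domain -> number of exec types."""
    return {d: len(t) for d, t in sorted(result.items())}


if __name__ == "__main__":
    for dom, n in count_by_domain(
            relabel_domains(SEINFO_SAMPLE, SESEARCH_SAMPLE)).items():
        print(f"{n:7d} {dom}")
```

With real policy data, replace the two constants with the captured output of seinfo for each attribute that appears in the rules and of sesearch run without `-s`/`-t`, so that no rule is filtered by attribute name before expansion; the restorecond_t rule in the sample shows the other direction, a relabelto grant that is dropped because its target is not an exec_type.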

