SELinux domains for relabeling

Dominick Grift domg472 at gmail.com
Wed Jan 27 13:23:10 UTC 2010


On 01/27/2010 02:03 PM, Roberto Sassu wrote:
> Hello
> 
> I tried to execute:
> 
> for i in `seinfo -aexec_type -x`; do
>         if [ $i = "exec_type" ]; then
>                 continue;
>         fi
>         sesearch --allow -s domain -t $i -c file -p relabelto | awk 
> '/allow/{print $2}' >> domains.tmp
> done;
> cat domains.tmp | sort | uniq -c
> 
> This is the result:
>     552 prelink_t
>       1 pulseaudio_t
>     552 restorecond_t
>     552 rpm_script_t
>     552 rpm_t
>     552 setfiles_mac_t
>     552 setfiles_t
>       4 seunshare_t
>       4 staff_t
>     552 sysadm_t
>       1 unconfined_t
>       1 useradd_t
>       4 user_t
>      14 webadm_t
> 
> 
> OK, i hope this is the correct list (for now, until the setools bug will be 
> solved). 
> Another aspect of the policy which i need to understand is the list of domains 
> which are allowed to modify the file labelling behaviour, when it is enforced. 
> For example, when i enter the sysadm_t domain, i can disable the enforcement 
> or i can load a custom policy module that add new rules. What are the criteria 
> to pass to the sesearch tool in order to get the correct list?
> Thanks. 

I think this:

[root at localhost Desktop]# sesearch --allow -p load_policy

( and permission setenforce to disable enforcement and setbool to load
tunable policy which probably atleast also needs rw_file_perms for
boolean_type files )

Found 3 semantic av rules:
   allow selinux_unconfined_type security_t : security { load_policy
setenforce setbool } ;
   allow kernel_t security_t : security load_policy ;
   allow load_policy_t security_t : security { load_policy setbool } ;

From selinux.te:

if(!secure_mode_policyload) {
	allow selinux_unconfined_type boolean_type:file rw_file_perms;
	allow selinux_unconfined_type security_t:security { load_policy
setenforce setbool };

But i might be wrong.




> 
> On Tuesday 26 January 2010 18:14:42 Stephen Smalley wrote:
>> On Tue, 2010-01-26 at 17:54 +0100, Dominick Grift wrote:
>>> On 01/26/2010 05:40 PM, Stephen Smalley wrote:
>>>> On Tue, 2010-01-26 at 17:14 +0100, Dominick Grift wrote:
>>>>> On 01/26/2010 02:27 PM, Roberto Sassu wrote:
>>>>>> Hello all
>>>>>>
>>>>>> i'm trying to investigate what domains in the Fedora 12 policy are
>>>>>> allowed to modify SELinux labels (in particular domain entrypoints).
>>>>>
>>>>> sesearch --allow -s domain -t exec_type -c file -p relabelto
>>>>> sesearch --allow -s domain -t exec_type -c file -p relabelfrom
>>>>>
>>>>> This lists all source domain types relabelto and relabelfrom access to
>>>>> executable file types (entry types)
>>>>
>>>> Does that work for you?
>>>
>>> You are right it does not work. I wonder why. Why would sysadm_t be a
>>> "domain" and unconfined_t not?
>>
>> # seinfo -adomain -x | grep unconfined_t
>>       qemu_unconfined_t
>>       unconfined_t
>>
>> unconfined_t is a domain.  This appears to be a bug in setools.
>>
>>>> sesearch --allow -s domain -t exec_type -c file -p relabelto | awk
>>>> '/allow/{print $2}' | sort | uniq -c 1 prelink_t
>>>>     568 restorecond_t
>>>>     568 rpm_t
>>>>     568 sysadm_t
>>>>
>>>> Where is unconfined_t and friends?
>>>>
>>>> sesearch --allow -s unconfined_t -t sshd_exec_t -c file -p relabelto
>>>> Found 1 semantic av rules:
>>>>    allow files_unconfined_type file_type : file { ioctl read write
>>>> create getattr setattr lock relabelfrom relabelto append unlink link
>>>> rename execute swapon quotaon mounton execute_no_trans entrypoint
>>>> open } ;
>>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100127/3ef28d00/attachment.bin 


More information about the selinux mailing list