SELinux domains for relabeling
Dominick Grift
domg472 at gmail.com
Wed Jan 27 13:23:10 UTC 2010
On 01/27/2010 02:03 PM, Roberto Sassu wrote:
> Hello
>
> I tried to execute:
>
> for i in `seinfo -aexec_type -x`; do
> if [ $i = "exec_type" ]; then
> continue;
> fi
> sesearch --allow -s domain -t $i -c file -p relabelto | awk '/allow/{print $2}' >> domains.tmp
> done;
> cat domains.tmp | sort | uniq -c
>
> This is the result:
> 552 prelink_t
> 1 pulseaudio_t
> 552 restorecond_t
> 552 rpm_script_t
> 552 rpm_t
> 552 setfiles_mac_t
> 552 setfiles_t
> 4 seunshare_t
> 4 staff_t
> 552 sysadm_t
> 1 unconfined_t
> 1 useradd_t
> 4 user_t
> 14 webadm_t
>
>
> OK, i hope this is the correct list (for now, until the setools bug will be
> solved).
> Another aspect of the policy which i need to understand is the list of domains
> which are allowed to modify the file labelling behaviour, when it is enforced.
> For example, when i enter the sysadm_t domain, i can disable the enforcement
> or i can load a custom policy module that adds new rules. What are the criteria
> to pass to the sesearch tool in order to get the correct list?
> Thanks.
I think this:
[root at localhost Desktop]# sesearch --allow -p load_policy
( and permission setenforce to disable enforcement and setbool to load
tunable policy which probably at least also needs rw_file_perms for
boolean_type files )
Found 3 semantic av rules:
allow selinux_unconfined_type security_t : security { load_policy
setenforce setbool } ;
allow kernel_t security_t : security load_policy ;
allow load_policy_t security_t : security { load_policy setbool } ;
From selinux.te:
if(!secure_mode_policyload) {
allow selinux_unconfined_type boolean_type:file rw_file_perms;
allow selinux_unconfined_type security_t:security { load_policy
setenforce setbool };
But i might be wrong.
>
> On Tuesday 26 January 2010 18:14:42 Stephen Smalley wrote:
>> On Tue, 2010-01-26 at 17:54 +0100, Dominick Grift wrote:
>>> On 01/26/2010 05:40 PM, Stephen Smalley wrote:
>>>> On Tue, 2010-01-26 at 17:14 +0100, Dominick Grift wrote:
>>>>> On 01/26/2010 02:27 PM, Roberto Sassu wrote:
>>>>>> Hello all
>>>>>>
>>>>>> i'm trying to investigate what domains in the Fedora 12 policy are
>>>>>> allowed to modify SELinux labels (in particular domain entrypoints).
>>>>>
>>>>> sesearch --allow -s domain -t exec_type -c file -p relabelto
>>>>> sesearch --allow -s domain -t exec_type -c file -p relabelfrom
>>>>>
>>>>> This lists all source domain types relabelto and relabelfrom access to
>>>>> executable file types (entry types)
>>>>
>>>> Does that work for you?
>>>
>>> You are right it does not work. I wonder why. Why would sysadm_t be a
>>> "domain" and unconfined_t not?
>>
>> # seinfo -adomain -x | grep unconfined_t
>> qemu_unconfined_t
>> unconfined_t
>>
>> unconfined_t is a domain. This appears to be a bug in setools.
>>
>>>> sesearch --allow -s domain -t exec_type -c file -p relabelto | awk '/allow/{print $2}' | sort | uniq -c
>>>> 1 prelink_t
>>>> 568 restorecond_t
>>>> 568 rpm_t
>>>> 568 sysadm_t
>>>>
>>>> Where is unconfined_t and friends?
>>>>
>>>> sesearch --allow -s unconfined_t -t sshd_exec_t -c file -p relabelto
>>>> Found 1 semantic av rules:
>>>> allow files_unconfined_type file_type : file { ioctl read write
>>>> create getattr setattr lock relabelfrom relabelto append unlink link
>>>> rename execute swapon quotaon mounton execute_no_trans entrypoint
>>>> open } ;
>>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
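The two questions in this thread (which sources may relabel executable file types, and which may load policy, toggle enforcement or set booleans) both reduce to parsing `sesearch --allow` output and grouping permissions by source. The `awk '/allow/{print $2}'` pipeline above does that, but it reports attributes such as `files_unconfined_type` as if they were domains, which is exactly why `unconfined_t` seemed to be missing. The following is an added example, not code from the thread or from setools: it parses the semantic av rule format that setools 3.x prints (including permission sets wrapped over several lines, as in the `files_unconfined_type` rule quoted above) and optionally expands attribute sources to their member types. The sample rule text and the attribute-to-types map are constructed for the example; on a real system the map would come from `seinfo -a<attribute> -x`.

```python
import re
import subprocess
from collections import Counter

# Constructed sample text in the shape sesearch (setools 3.x) prints; not real policy output.
SAMPLE_RELABEL = """Found 4 semantic av rules:
   allow sysadm_t exec_type : file { relabelfrom relabelto } ;
   allow restorecond_t file_type : file { getattr relabelfrom relabelto } ;
   allow files_unconfined_type file_type : file { ioctl read write
 create getattr setattr lock relabelfrom relabelto append unlink link
 rename execute swapon quotaon mounton execute_no_trans entrypoint
 open } ;
   allow prelink_t bin_t : file relabelto ;
"""

SAMPLE_POLICYLOAD = """Found 3 semantic av rules:
   allow selinux_unconfined_type security_t : security { load_policy setenforce setbool } ;
   allow kernel_t security_t : security load_policy ;
   allow load_policy_t security_t : security { load_policy setbool } ;
"""

# Constructed attribute -> member types map (assumed values, as `seinfo -a<attr> -x` would list).
SAMPLE_ATTRS = {
    "files_unconfined_type": ["unconfined_t", "rpm_t"],
    "selinux_unconfined_type": ["unconfined_t", "sysadm_t"],
}

# One av rule: "allow SRC TGT : CLASS { p1 p2 ... } ;" or "allow SRC TGT : CLASS p1 ;".
# [^}]* deliberately spans newlines so wrapped permission sets are captured whole.
RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\{[^}]*\}|\S+)\s*;")


def parse_av_rules(text):
    """Return a list of (source, target, tclass, frozenset(perms)) from sesearch output."""
    rules = []
    for m in RULE_RE.finditer(text):
        src, tgt, tclass, perms = m.groups()
        rules.append((src, tgt, tclass, frozenset(perms.strip("{} \n").split())))
    return rules


def sources_with(text, tclass, perms, attr_map=None):
    """Map each source type to the subset of `perms` it holds on object class `tclass`.

    If attr_map is given, a source that names an attribute is replaced by the
    attribute's member types, so the result lists domains rather than attributes.
    """
    wanted = set(perms)
    result = {}
    for src, _tgt, cls, held in parse_av_rules(text):
        hit = held & wanted
        if cls != tclass or not hit:
            continue
        subjects = attr_map.get(src, [src]) if attr_map else [src]
        for subject in subjects:
            result.setdefault(subject, set()).update(hit)
    return result


def rule_count_by_source(text):
    """Equivalent of `awk '/allow/{print $2}' | sort | uniq -c` from the thread."""
    return Counter(src for src, _t, _c, _p in parse_av_rules(text))


def run_sesearch(*args):
    """Shell out to the real sesearch (assumes setools 3.x on PATH); not used by the sample run."""
    proc = subprocess.run(["sesearch", "--allow", *args],
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    # Who may relabel files, first as printed (attributes included), then expanded to types.
    print("raw counts:", dict(rule_count_by_source(SAMPLE_RELABEL)))
    relabel = sources_with(SAMPLE_RELABEL, "file", {"relabelto", "relabelfrom"})
    expanded = sources_with(SAMPLE_RELABEL, "file", {"relabelto", "relabelfrom"}, SAMPLE_ATTRS)
    print("relabel (as printed):", {k: sorted(v) for k, v in relabel.items()})
    print("relabel (expanded):  ", {k: sorted(v) for k, v in expanded.items()})
    # Who may change what the policy enforces: load_policy, setenforce, setbool on security_t.
    policy = sources_with(SAMPLE_POLICYLOAD, "security",
                          {"load_policy", "setenforce", "setbool"}, SAMPLE_ATTRS)
    print("policy control:", {k: sorted(v) for k, v in policy.items()})
```

On a live system, `sources_with(run_sesearch("-s", "domain", "-t", "exec_type", "-c", "file", "-p", "relabelto"), "file", {"relabelto"}, attrs)` gives the domain list the thread is after, provided `attrs` was filled from `seinfo` for every attribute that shows up as a rule source; without that expansion the per-attribute counts are meaningless as a measure of how many domains hold the permission.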