SELinux user domain policy question
Dominick Grift
domg472 at gmail.com
Mon Sep 13 16:52:51 UTC 2010
On Mon, Sep 13, 2010 at 06:29:29PM +0200, Roberto Sassu wrote:
> Hi all
>
> I'm investigating what types the domain user_t is allowed to execute, in
> particular those that don't belong to the exec_type attribute. I need more
So you could first query which file types user_t can execute; that shows all file types:
sesearch -SC --allow -s user_t -t file_type -c file -p execute
Then you can see if a particular type is assigned the exec_type attribute:
seinfo -x -tbin_t
> details about the attribute 'noxattrfs'
That's an attribute that is assigned to filesystems that do not support extended attributes:
seinfo -x -anoxattrfs
simple example would be dosfs
> and the type 'etc_t', more precisely
etc_t is the generic type for content in /etc. So by default all files in /etc get type etc_t.
sesearch -SC --allow -s user_t -t etc_t -c file
Looks like Fedora allows user_t to execute etc_t files but only read types with the configfile attribute (files_config_file: files in /etc that do not have the generic etc_t type).
> in which circumstances they are executed by a regular user.
Fedora tries to confine as little as possible. She really targets what she thinks are threats. Obviously she does not consider user_t executing etc_t files or reading configfiles a threat.
> Thanks in advance for replies.
>
> Roberto Sassu
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
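A way to automate the comparison described in the reply above, as an added example that is not part of the original thread: it parses constructed sample output of the two commands (the sesearch rule format and the seinfo attribute listing are assumed to follow setools 3) and reports the file types user_t may execute that are not members of exec_type, together with any boolean the rule is conditional on.

```python
import re

# Constructed sample of `sesearch -SC --allow -s user_t -t file_type -c file -p execute`
# output; the trailing "[ boolean ]" marks a rule that -C reports as conditional.
SESEARCH_OUT = """\
allow user_t bin_t : file { ioctl read getattr lock execute execute_no_trans open } ;
allow user_t etc_t : file { ioctl read getattr lock execute execute_no_trans open } ;
allow user_t user_home_t : file { ioctl read getattr lock execute execute_no_trans open } ; [ user_exec_content ]
allow user_t shell_exec_t : file { ioctl read getattr lock execute open } ;
"""

# Constructed sample of `seinfo -x -aexec_type` output: the attribute name, then its members.
SEINFO_OUT = """\
   exec_type
      bin_t
      shell_exec_t
"""

# One allow rule on the file class: source, target, permission set, optional "[ bool ]" tail.
RULE_RE = re.compile(
    r'^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*file\s*\{(?P<perms>[^}]*)\}\s*;'
    r'\s*(?P<cond>\[[^\]]*\])?')


def parse_exec_rules(text, source="user_t"):
    """Map target type -> conditional text (or None) for rules granting file execute."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group("src") != source:
            continue
        if "execute" not in m.group("perms").split():
            continue  # rule on the file class but without the execute permission
        rules[m.group("tgt")] = m.group("cond")
    return rules


def parse_attribute_members(text):
    """Return the set of types listed under the attribute in `seinfo -x -a<attr>` output."""
    names = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return set(names[1:])  # first non-blank line is the attribute itself


def exec_without_attr(sesearch_text, seinfo_text):
    """Types user_t may execute that lack the attribute, sorted, with their conditional."""
    rules = parse_exec_rules(sesearch_text)
    members = parse_attribute_members(seinfo_text)
    return [(t, rules[t]) for t in sorted(rules) if t not in members]


if __name__ == "__main__":
    for tgt, cond in exec_without_attr(SESEARCH_OUT, SEINFO_OUT):
        print(tgt, cond or "(unconditional)")
```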