SELinux user domain policy question

Roberto Sassu roberto.sassu at polito.it
Tue Sep 14 09:55:24 UTC 2010


Thanks for the answers. I'm trying to find a set of types executable by regular users which are managed by a few highly privileged domains.
Unfortunately, regarding 'etc_t', there's a non-administrative domain, 'postgresql_t', which is allowed to create it.
The case of 'noxattrfs' seems to be solvable by turning off the booleans
'user_rw_noexattrfile' and 'xguest_mount_media'.

I have just one more question: is it possible to write a policy which creates a new attribute and assigns to it the types of another attribute, with the addition/subtraction of other types?
For example:

attribute subset_exec_type;
typeattribute { exec_type -cifs_t } subset_exec_type;


Just to simplify making queries which involve attributes minus some types, I wrote a small patch for the 'setools' software, which introduces two new arguments (-u -v) to the command line utility 'sesearch' in order to indicate a type/attribute to exclude from the source and the target respectively.
For now it works for AV rules searched semantically, and I am posting it as an attachment for evaluation.



On Monday 13 September 2010 20:27:01 Daniel J Walsh wrote:
> On 09/13/2010 12:29 PM, Roberto Sassu wrote:
> > Hi all
> > 
> > I'm investigating what types the domain user_t is allowed to execute, in
> > particular those that don't belong to the exec_type attribute.  I need
> > more details about the attribute 'noxattrfs' and the type 'etc_t', more
> > precisely in which circumstances they are executed by a regular user.
> > Thanks in advance for replies.
> > 
> > Roberto Sassu
> 
> In addition to Dominick's comments.
> 
> Remember the user_t is still governed by DAC.  Meaning that an
> executable labeled etc_t would only be executable by the user if he
> could execute it, even if SELinux was disabled.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: setools_add_av_query_negated_type.patch
Type: text/x-patch
Size: 12430 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100914/6aebc824/attachment-0002.bin 
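The two questions in the message above (which types a domain can execute outside a given attribute, and "attribute minus some types") are both set differences over the types an attribute expands to. The following is an added example, not code from the thread, from setools or from the attached patch: a toy semantic AV-rule query over a constructed policy fragment, with exclusion arguments playing the role the message gives to sesearch's -u/-v options. The attribute memberships and allow rules are constructed for illustration and do not reflect any real policy.

```python
"""Toy semantic AV-rule query with source/target type exclusion.

Everything below is constructed for the example: attribute memberships,
the allow rules and the domain names do not come from a real policy.
"""
from dataclasses import dataclass

# Constructed: which concrete types carry which attribute.
ATTRIBUTES = {
    "exec_type": {"bin_t", "shell_exec_t", "cifs_t"},
    "noxattrfs": {"cifs_t", "vfat_t"},
    "domain": {"user_t", "postgresql_t"},
}


@dataclass(frozen=True)
class AllowRule:
    source: str        # type or attribute
    target: str        # type or attribute
    tclass: str        # object class
    perms: frozenset   # permission set


# Constructed rules, in the shape of refpolicy allow statements.
RULES = [
    AllowRule("user_t", "exec_type", "file",
              frozenset({"read", "execute", "execute_no_trans"})),
    AllowRule("user_t", "noxattrfs", "file", frozenset({"read", "execute"})),
    AllowRule("user_t", "etc_t", "file", frozenset({"read", "execute"})),
    AllowRule("postgresql_t", "etc_t", "file", frozenset({"create", "write"})),
]


def expand(name):
    """Concrete types a source/target name stands for (a type expands to itself)."""
    return set(ATTRIBUTES.get(name, {name}))


def sesearch(rules, *, source=None, target=None, perm=None,
             exclude_source=None, exclude_target=None):
    """Semantic query: attributes in each rule are expanded to their member
    types, then the exclusion sets (the analogue of the hypothetical -u/-v
    arguments) are subtracted before the source/target filters are applied.
    Returns sorted (source_type, target_type, class) triples."""
    excl_src = expand(exclude_source) if exclude_source else set()
    excl_tgt = expand(exclude_target) if exclude_target else set()
    hits = set()
    for rule in rules:
        if perm and perm not in rule.perms:
            continue
        for s in expand(rule.source) - excl_src:
            if source and s != source:
                continue
            for t in expand(rule.target) - excl_tgt:
                if target and t != target:
                    continue
                hits.add((s, t, rule.tclass))
    return sorted(hits)


def executable_outside(domain, attribute, rules=RULES):
    """Types `domain` may execute that do not carry `attribute`: the thread's
    original question, answered as a set difference over the expanded rules."""
    return sorted({t for _, t, _ in sesearch(rules, source=domain,
                                              perm="execute",
                                              exclude_target=attribute)})


def subset_attribute(base, minus):
    """Compute 'base minus minus' as a plain set of types; this is the
    membership list a generated set of typeattribute statements would need."""
    return sorted(expand(base) - expand(minus))


if __name__ == "__main__":
    print("user_t executes outside exec_type:",
          executable_outside("user_t", "exec_type"))
    print("exec_type - cifs_t:", subset_attribute("exec_type", "cifs_t"))
```

Run as a script it lists the types user_t can execute that are not in exec_type (here the constructed etc_t and the vfat_t member of noxattrfs), and the members of exec_type with cifs_t removed. The same expand-then-subtract order is what makes an attribute-minus-type query meaningful: subtracting before expansion would silently leave the excluded type in place whenever it is reached through an attribute.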