Hi, This is kind of a difficult question to answer. First, do you want to verify the rules for a given daemon/user/resource are enforced? Or do you want to verify that the rules, as given, are correct? If you want to verify enforcement, I think the way to go for a definitive test is to write a brute force suite that tries all enforced system calls/access all resources, etc and catalogs the ones that succeeds and then compares with the rules. I have seen brute forcers for Linux capabilities and I'm sure people interested in probing SE Linux for weakness will try the exact same thing. As for verifying the rules are correct, that's more difficult. I'm sure it will involve compiling sources & libraries statically (or resolving all library function calls), using nm to pick out system calls. Access of resources might be trickier if it builds the name dynamically or takes it from the command line. I'm sure there's more to it than this. Both of the above are issues that I am interested in figuring out. These tools may already exist, too. I haven't really looked. -Steve Grubb _______________________________ Do you Yahoo!? Declare Yourself - Register online to vote today! http://vote.yahoo.com
