Re: SELinux - back to basics

On 08/16/2009 10:42 PM, adrian golding wrote:
> Dear all, can you please point me to the right place:
> with reference to: http://danwalsh.livejournal.com/10131.html
> 
> I am interested in how Dan knows what an attacker can make use of the Samba
> vulnerability to do by default, and what the attacker cannot do.  More
> generally speaking, how do we look at a service or application in a SELinux
> system, and find out what the attacker can do and cannot do in the case
> of the service being exploited?
> 
> In that page, he looked at some of the relevant booleans and I guess
> "samba_enable_home_dirs ---> off" prevents the attacker from reading/manipulating
> the user's home directories. But what about the rest?  What other things can
> an end user (who is not very experienced in SELinux) examine to know what
> the attacker can / cannot do?
> 
> thank you
> 
> 
> 
> ------------------------------------------------------------------------
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list


One simple answer is I can look at the policy source code.

Secondly, you can use the sesearch command:

    sesearch --allow -s smbd_t

Shows me all the rules of what smbd_t is allowed to do.  If I want to do more complex analyses of the policy I can use a tool like apol.
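
As an added example (not part of the original message, and not code from setools): a shell function that filters allow rules, such as those printed by the sesearch command above, down to the ones granting write-like permissions, and reports whether each depends on a boolean such as samba_enable_home_dirs. The function names, the sample rules and the assumed output layout are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Summarises allow rules such as
# those printed by `sesearch --allow -s smbd_t`.
# Assumed line format (setools 4); setools 3 spacing around ':' and ';' is
# normalised:  allow SRC TGT:CLASS { PERM ... }; [ BOOLEAN ]:True

# rules_granting PERM[,PERM...]
# Reads allow rules on stdin and prints, for each rule granting any listed
# permission: TARGET CLASS MATCHED_PERMS unconditional|if:BOOLEAN
rules_granting() {
    awk -v want="$1" '
    BEGIN { n = split(want, w, ",") }
    {
        gsub(/[ \t]*:[ \t]*/, ":"); gsub(/[ \t]+;/, ";")
        i = 1; while (i <= NF && $i != "allow") i++
        if (i > NF) next                      # not an allow rule
        split($(i + 2), tc, ":")              # tc[1]=target type, tc[2]=class
        hit = ""; cond = ""
        for (j = i + 3; j <= NF; j++) {
            p = $j
            if (p == "[") {                   # conditional rule: collect boolean
                for (j++; j <= NF && $j !~ /^\]/; j++)
                    cond = cond (cond == "" ? "" : " ") $j
                break
            }
            gsub(/[{};]/, "", p)
            for (k = 1; k <= n; k++)
                if (p == w[k]) hit = hit (hit == "" ? "" : ",") p
        }
        if (hit != "")
            print tc[1], tc[2], hit, (cond == "" ? "unconditional" : "if:" cond)
    }'
}

# Constructed sample rules for illustration; not taken from a real policy.
sample_rules() {
    cat <<'EOF'
allow smbd_t etc_t:file { getattr ioctl lock open read };
allow smbd_t samba_log_t:file { append create getattr open setattr };
allow smbd_t samba_share_t:file { create getattr open read unlink write };
allow smbd_t user_home_t:file { create getattr open read unlink write }; [ samba_enable_home_dirs ]:True
   allow smbd_t samba_var_t : dir { add_name search write } ;
EOF
}

# On an SELinux host:
#   sesearch --allow -s smbd_t | rules_granting write,append,create,unlink
sample_rules | rules_granting write,append,create,unlink
```

Rules reported as `if:BOOLEAN` only apply while that boolean is on, which `getsebool` shows for the running system.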

