On 08/17/2009 01:05 AM, adrian golding wrote: > To refine my questions in the earlier email: > 1) many of the things the attacker can do if he exploits the Samba > vulnerability can be found in the source policy. but there are also so many > other rules in the policy (hundreds?), my question is how do I know if the > other rules matter much? there are >300 rules related to smbd_t, and it > just *seems* a lot can go wrong with the system. > Yes you got to ask the questions. You can ask a question in APOL about whether the smbd_t can read a file. A simple query sesearch --allow -s smbd_t -t user_home_t -c file -p read asks whether smbd_t can read files labeled user_home_t directly. You can use apol to look for transition rules that might allow it. SELinux is all about types so you need to user commands like semanage port -l To list the types that ports are assigned to or /etc/selinux/targeted/context/files/files.context to see what types are assigned to files, by default. > 2) how do we verify the part about what the attackers cannot do? does it > mean, if i cannot find a rule that links smbd_t with user_home_t with the > 'read' permission, the attacker cannot read/manipulate user home > directories? Or it is not as trivial? Anything that is not allowed is denied. See above. > > 3) i am assuming ports 137-139 and 445 are labelled smbd_port_t, but where > can i find this assignment in the policy? i am currently using apol. > semanage port -l > thank you > > > On Mon, Aug 17, 2009 at 10:42 AM, adrian golding <adriangolding@xxxxxxxxx>wrote: > >> dear all, can you please point me to the right place: >> with reference to: http://danwalsh.livejournal.com/10131.html >> >> i am interested in how dan knows what an attacker can make use of the samba >> vulnerability to do by default, and what the attacker cannot do. More >> generally speaking, how do we look at a service or application in a SELinux >> system, and finding out what the attacker can do and cannot do in the case >> of the service being exploited? >> >> in that page, he looked at some of the relevant booleans and i guess >> "samba_enable_home_dirs ---> off" prevents the attacker to read/manipulate >> the user's home directories. But what about the rest? What other things can >> an end user (who is not very experienced in SELinux) examine to know what >> the attacker can / cannot do? >> >> thank you >> >> >> > > > ------------------------------------------------------------------------ > > -- > fedora-selinux-list mailing list > fedora-selinux-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/fedora-selinux-list -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
