On 08/17/2009 08:33 AM, Dominick Grift wrote:
> On Mon, Aug 17, 2009 at 12:28:02PM +0000, Stephen Smalley wrote:
>> On Mon, 2009-08-17 at 10:42 +0800, adrian golding wrote:
>>> dear all, can you please point me to the right place:
>>>
>>> with reference to: http://danwalsh.livejournal.com/10131.html
>>>
>>> i am interested in how dan knows what an attacker can make use of the
>>> samba vulnerability to do by default, and what the attacker cannot
>>> do. More generally speaking, how do we look at a service or
>>> application in a SELinux system, and find out what the attacker can
>>> do and cannot do in the case of the service being exploited?
>>>
>>> in that page, he looked at some of the relevant booleans and i guess
>>> "samba_enable_home_dirs ---> off" prevents the attacker from
>>> reading/manipulating the user's home directories. But what about the rest?
>>> What other things can an end user (who is not very experienced in
>>> SELinux) examine to know what the attacker can / cannot do?
>>
>> sesearch can be a very useful tool for interrogating the policy to see
>> what a given domain can access, and the information flow and domain
>> transition analysis capabilities of apol are likewise quite useful.
>
> With regard to sesearch it is good to know that it displays all rules, also the rules that may be disabled by a boolean.
> So with that in mind sesearch can be a bit misleading.
>
> If you encounter a situation where access is denied, but where sesearch returns a rule that would have allowed the access, then pipe the avc denial into audit2why.
>
>> --
>> Stephen Smalley
>> National Security Agency
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list@xxxxxxxxxx
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

If you use the -C option it will show you the boolean. Of course it will not tell you if it is enabled or not.
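As an added example (not part of the thread), the check the thread arrives at: take the conditional rules that `sesearch -C` lists for a domain, look up each rule's boolean in a `getsebool -a` snapshot, and mark which rules are actually in effect. Both sample outputs are constructed and embedded inline, and the `; [ boolean ]` rule trailer is a simplified assumption about the sesearch line format.

```shell
#!/bin/sh
# Constructed sample of what sesearch -C might list for smbd_t. The
# "; [ boolean ]" trailer is a simplified/assumed format; real output
# varies by setools version. Unconditional rules carry no trailer.
SESEARCH_OUT='allow smbd_t user_home_t : file { read getattr open } ; [ samba_enable_home_dirs ]
allow smbd_t user_home_t : dir { read getattr search } ; [ samba_enable_home_dirs ]
allow smbd_t public_content_rw_t : file { write create unlink } ; [ allow_smbd_anon_write ]
allow smbd_t samba_share_t : file { read getattr open } ;'

# Constructed sample of getsebool -a output (values chosen for the example).
GETSEBOOL_OUT='allow_smbd_anon_write --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> on'

# bool_state NAME: print on/off for a boolean from the getsebool snapshot,
# or "unknown" if the boolean is not listed there.
bool_state() {
    state=$(printf '%s\n' "$GETSEBOOL_OUT" | awk -v b="$1" '$1 == b { print $3 }')
    printf '%s\n' "${state:-unknown}"
}

# annotate_rules: reprint every rule with whether it is currently in effect.
# Unconditional rules are always ACTIVE; conditional rules are ACTIVE only
# when their boolean is on, otherwise DISABLED. This is still a static view
# of the loaded policy, not a record of what was actually accessed.
annotate_rules() {
    printf '%s\n' "$SESEARCH_OUT" | while IFS= read -r rule; do
        case "$rule" in
            *'[ '*' ]')
                b=${rule##*'[ '}; b=${b%% ]*}
                st=$(bool_state "$b")
                if [ "$st" = on ]; then tag=ACTIVE; else tag=DISABLED; fi
                printf '%s (%s=%s)  %s\n' "$tag" "$b" "$st" "$rule"
                ;;
            *) printf 'ACTIVE  %s\n' "$rule" ;;
        esac
    done
}

# count_active: number of rules that grant access with the booleans as set.
count_active() { annotate_rules | grep -c '^ACTIVE'; }

annotate_rules
```

With the sample values only the unconditional samba_share_t rule is in effect; the three home-directory and anonymous-write rules that sesearch would still print are flagged DISABLED.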