Hello all, I'm trying to investigate which domains in the Fedora 12 policy are allowed to modify SELinux labels (in particular domain entrypoints). After reading the article of D. J. Walsh "Confined processes statistics in Fedora 12?" I removed the "unconfined" package in order to get a shorter list.

For the selection process I'm considering not only domains which are directly allowed to do relabeling, but also those that are allowed to directly interact with the system by:
- loading the SELinux policy
- performing the setenforce command
- loading kernel modules
- accessing the /dev/mem device

Since domains are grouped by attributes, and the latter have names which suggest the type of action that can be performed on the system, I selected those that seem to meet the criteria described above:

admindomain
can_change_object_identity
can_change_process_identity
can_change_process_role
can_load_kernmodule
can_load_policy
can_relabelto_binary_policy
can_relabelto_shadow_passwords
can_setenforce
can_system_change
can_write_binary_policy
can_setsecparam
kern_unconfined
memory_raw_read
memory_raw_write
selinux_unconfined_type
sysadm_usertype
staff_usertype
unconfined_domain_type
unconfined_file_type

Then I expanded the list by listing all domains included in each attribute. Just for verification, I checked using the command

sesearch --allow -d -t <file label> -p relabelto

that, for some file labels, the domains obtained are included in the list built. Can this approach be considered valid to meet the goal? Any comment about this argument would be appreciated. Thanks in advance.
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
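The procedure the post describes (expand each candidate attribute to its member types with seinfo, then cross-check against what sesearch reports for relabelto on a given label) can be automated so that every label, not just a hand-picked few, is checked. The following script is an added example; it is not code from the original post or from the setools project. The seinfo and sesearch commands are real, but the exact text layout the parsers assume for their output is an assumption (setools versions differ slightly), as are the `-a<attr> -x` and `--allow -d -t ... -p relabelto` invocations, which are taken from the post. The SAMPLE_* strings are constructed so the parsers can be exercised without a loaded policy.

```python
"""Expand SELinux type attributes to their member domains and cross-check
them against the domains that sesearch says may relabelto a given label.

Added example, not from the original post or from setools.  Output layout
assumed for seinfo/sesearch is an assumption; SAMPLE_* inputs are constructed.
"""
import re
import shutil
import subprocess

# Attributes proposed in the post as "can touch labels / policy / kernel".
ATTRS = [
    "admindomain", "can_change_object_identity", "can_change_process_identity",
    "can_change_process_role", "can_load_kernmodule", "can_load_policy",
    "can_relabelto_binary_policy", "can_relabelto_shadow_passwords",
    "can_setenforce", "can_system_change", "can_write_binary_policy",
    "can_setsecparam", "kern_unconfined", "memory_raw_read", "memory_raw_write",
    "selinux_unconfined_type", "sysadm_usertype", "staff_usertype",
    "unconfined_domain_type", "unconfined_file_type",
]

# Constructed sample of `seinfo -acan_load_policy -x` (assumed layout:
# unindented header lines, the attribute name indented, members indented more).
SAMPLE_SEINFO = """Type Attributes: 1
   can_load_policy
      load_policy_t
      unconfined_t
"""

# Constructed sample of `sesearch --allow -t shadow_t -p relabelto`.
SAMPLE_SESEARCH = """allow unconfined_t shadow_t:file { getattr open read relabelfrom relabelto write };
allow restorecond_t shadow_t:file { getattr relabelfrom relabelto };
allow sshd_t shadow_t:file { getattr open read };
"""

# Accepts both "tgt:cls { p q }" and the older "tgt : cls { p q } ;" spellings,
# and a single bare permission without braces.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+?)\s*:\s*(\S+)\s+(?:\{\s*([^}]*?)\s*\}|(\S+?))\s*;?\s*$"
)


def parse_seinfo_types(text, attr):
    """Member types of `attr` from `seinfo -a<attr> -x` output."""
    members = set()
    for line in text.splitlines():
        name = line.strip()
        if not name or not line[0].isspace():  # skip blank and header lines
            continue
        if name == attr:                       # skip the attribute's own name
            continue
        members.add(name)
    return members


def parse_allow_rules(text):
    """List of (source, target, class, frozenset(perms)) from sesearch output."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue
        perms = m.group(4) if m.group(4) is not None else m.group(5)
        rules.append((m.group(1), m.group(2), m.group(3), frozenset(perms.split())))
    return rules


def relabelto_domains(text):
    """Source domains granted relabelto in the given sesearch output."""
    return {src for src, _t, _c, perms in parse_allow_rules(text) if "relabelto" in perms}


def uncovered(candidates, relabelers):
    """Domains sesearch reports that the attribute expansion missed."""
    return set(relabelers) - set(candidates)


def run(argv):
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def candidate_domains(attrs=ATTRS):
    """Union of the member types of every attribute (live policy query)."""
    domains = set()
    for attr in attrs:
        domains |= parse_seinfo_types(run(["seinfo", "-a" + attr, "-x"]), attr)
    return domains


def main(labels=("shadow_t",)):
    if not (shutil.which("seinfo") and shutil.which("sesearch")):
        # No setools here: show the check on the constructed samples instead.
        missed = uncovered({"unconfined_t"}, relabelto_domains(SAMPLE_SESEARCH))
        print("setools not installed; on sample data the expansion misses:", sorted(missed))
        return
    cands = candidate_domains()
    for label in labels:
        out = run(["sesearch", "--allow", "-d", "-t", label, "-p", "relabelto"])
        missed = uncovered(cands, relabelto_domains(out))
        print(f"{label}: {len(cands)} candidate domains, not covered: {sorted(missed)}")


if __name__ == "__main__":
    main()
```

A non-empty "not covered" set for any label is the interesting result: it names a domain that can relabel that label without carrying any of the chosen attributes, which is exactly the gap the post's manual spot-check cannot rule out. Feeding `main()` every type that can label a file (or every type from `seinfo -t`) turns the spot-check into an exhaustive one.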