Re: SELinux domains for relabeling

On 01/26/2010 05:40 PM, Stephen Smalley wrote:
> On Tue, 2010-01-26 at 17:14 +0100, Dominick Grift wrote:
>> On 01/26/2010 02:27 PM, Roberto Sassu wrote:
>>> Hello all
>>>
>>> I'm trying to investigate what domains in the Fedora 12 policy are allowed to 
>>> modify SELinux labels (in particular domain entrypoints).
>>
>> sesearch --allow -s domain -t exec_type -c file -p relabelto
>> sesearch --allow -s domain -t exec_type -c file -p relabelfrom
>>
>> This lists all source domain types relabelto and relabelfrom access to
>> executable file types (entry types)
> 
> Does that work for you?

You are right, it does not work. I wonder why. Why would sysadm_t be a
"domain" and unconfined_t not?

> sesearch --allow -s domain -t exec_type -c file -p relabelto | awk '/allow/{print $2}' | sort | uniq -c
>       1 prelink_t
>     568 restorecond_t
>     568 rpm_t
>     568 sysadm_t
> 
> Where is unconfined_t and friends?
> 
> sesearch --allow -s unconfined_t -t sshd_exec_t -c file -p relabelto
> Found 1 semantic av rules:
>    allow files_unconfined_type file_type : file { ioctl read write
> create getattr setattr lock relabelfrom relabelto append unlink link
> rename execute swapon quotaon mounton execute_no_trans entrypoint
> open } ; 
> 



--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
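
Added example, not part of the thread and not setools code: the rule quoted above is written against the attributes files_unconfined_type and file_type, so tallying field 2 of the output counts an attribute name rather than unconfined_t. The sketch below expands both sides of each rule to concrete types before counting; the rule text is constructed (modelled on the quoted output) and the attribute memberships are assumed sample data, which on a real system would be read from the loaded policy.

```python
import re

# Constructed sample in the shape of the sesearch output quoted in the thread.
SAMPLE_RULES = """\
Found 3 semantic av rules:
   allow files_unconfined_type file_type : file { ioctl read write
create getattr setattr lock relabelfrom relabelto append unlink link
rename execute swapon quotaon mounton execute_no_trans entrypoint
open } ;
   allow rpm_t exec_type : file { getattr relabelfrom relabelto } ;
   allow httpd_t httpd_exec_t : file { read getattr execute entrypoint } ;
"""

# Assumed attribute -> member types (constructed; take these from the policy).
ATTRIBUTES = {
    "domain": {"unconfined_t", "rpm_t", "httpd_t", "sshd_t"},
    "files_unconfined_type": {"unconfined_t"},
    "exec_type": {"sshd_exec_t", "httpd_exec_t"},
    "file_type": {"sshd_exec_t", "httpd_exec_t", "etc_t"},
}

# allow SRC TGT : CLASS { perm ... } ;   (also accepts a single bare perm)
RULE_RE = re.compile(
    r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;")

def parse_rules(text):
    """Return (source, target, class, perms) tuples; rules may span lines."""
    return [(src, tgt, cls, set((many or one).split()))
            for src, tgt, cls, many, one in RULE_RE.findall(text)]

def expand(name):
    """An attribute expands to its members; a plain type expands to itself."""
    return ATTRIBUTES.get(name, {name})

def literal_sources(text, perm="relabelto", cls="file"):
    """Source names as written in the rules: what awk '{print $2}' tallies."""
    return sorted(src for src, _, c, perms in parse_rules(text)
                  if c == cls and perm in perms)

def relabelers(text, perm="relabelto", cls="file"):
    """Map each concrete domain to the executable types it may relabel."""
    result = {}
    for src, tgt, c, perms in parse_rules(text):
        if c != cls or perm not in perms:
            continue
        targets = expand(tgt) & ATTRIBUTES["exec_type"]
        for domain in expand(src) & ATTRIBUTES["domain"]:
            if targets:
                result.setdefault(domain, set()).update(targets)
    return result

if __name__ == "__main__":
    print("as written:", literal_sources(SAMPLE_RULES))
    for domain, targets in sorted(relabelers(SAMPLE_RULES).items()):
        print(domain, "->", sorted(targets))
```

With the sample data, the literal tally reports files_unconfined_type and rpm_t, while the expanded view attributes the first rule to unconfined_t.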
