On Wed, 2010-01-27 at 14:03 +0100, Roberto Sassu wrote:
> Hello
>
> I tried to execute:
>
> for i in `seinfo -aexec_type -x`; do
>     if [ $i = "exec_type" ]; then
>         continue;
>     fi
>     sesearch --allow -s domain -t $i -c file -p relabelto | awk '/allow/{print $2}' >> domains.tmp
> done;
> cat domains.tmp | sort | uniq -c
>
> This is the result:
>     552 prelink_t
>       1 pulseaudio_t
>     552 restorecond_t
>     552 rpm_script_t
>     552 rpm_t
>     552 setfiles_mac_t
>     552 setfiles_t
>       4 seunshare_t
>       4 staff_t
>     552 sysadm_t
>       1 unconfined_t
>       1 useradd_t
>       4 user_t
>      14 webadm_t
>
> OK, I hope this is the correct list (for now, until the setools bug is solved).

I think you need to consider the target type of the relabelto. For example, user_t can only relabelto httpd_user_script_exec_t, a type for user cgi scripts in their ~public_html directory. Thus the fact that user_t appears above does not imply that user_t can relabelto an entrypoint type for any more privileged domain than itself.

Also, if you are interested in what domains can effectively introduce new entrypoints, then you should not only look at relabelto but also create permission to exec_type.

Finally, you also need to consider whether the rules are in fact enabled or not. sesearch -AC will show you additional information about conditional rules, such as whether they are enabled or disabled and on what boolean expression they depend.

> Another aspect of the policy which I need to understand is the list of domains
> which are allowed to modify the file labelling behaviour, when it is enforced.
> For example, when I enter the sysadm_t domain, I can disable the enforcement
> or I can load a custom policy module that adds new rules. What are the criteria
> to pass to the sesearch tool in order to get the correct list?
> Thanks.

--
Stephen Smalley
National Security Agency

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
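The three corrections in the reply (keep the target type instead of counting sources, query create as well as relabelto, and keep the enabled/disabled state that sesearch -AC reports) are easy to lose in a one-liner. The script below is an added example, not part of the thread or of setools; it keeps the per-target detail by emitting one record per (source, target, permission, state) and only then groups by domain. It assumes the setools 3.x output format of that era: sesearch -AC prints unconditional rules as "allow src tgt : file { perms } ;" and conditional ones with a two-letter prefix (E/D for enabled/disabled, T/F for the branch) followed by "[ boolean ]". That prefix convention is an assumption to check against your own sesearch output; the SAMPLE_RULES lines are constructed for the demonstration, not captured from a real policy.

```shell
#!/bin/sh
# Added example: enumerate which domains may introduce new entrypoints by
# relabelto or create on exec_type types, keeping target type and rule state.
# Not from the original thread; assumes setools 3.x sesearch -AC formatting.
export LC_ALL=C

# Constructed sample of sesearch -AC output (assumed format, not real policy data):
SAMPLE_RULES='allow sysadm_t file_type : file { relabelfrom relabelto } ;
allow user_t httpd_user_script_exec_t : file { create relabelto } ;
DT allow httpd_t httpd_sys_script_exec_t : file { create } ; [ httpd_enable_cgi ]
allow unconfined_t bin_t : file { read } ;'

# parse_rules PERM: read sesearch -AC output on stdin and print
#   src|tgt|PERM|state|boolean
# for every allow rule on class file that grants PERM. The "state" field is
# taken from the assumed E/D prefix on conditional rules (enabled otherwise).
parse_rules() {
    want="$1"
    # pad punctuation so ": file { x } ; [ b ]" tokenises the same way
    # whether or not the tool printed spaces around it
    sed -e 's/[:{};]/ & /g' -e 's/\[/ [ /g' -e 's/]/ ] /g' |
    awk -v want="$want" '
    {
        state = "enabled"; i = 1
        if ($1 != "allow") {                 # conditional prefix, e.g. ET / DF
            if (substr($1, 1, 1) == "D") state = "disabled"
            i = 2
        }
        if ($i != "allow") next
        src = $(i + 1); tgt = $(i + 2)
        if ($(i + 3) != ":" || $(i + 4) != "file") next
        hit = 0; bool = ""
        for (j = i + 5; j <= NF; j++) {
            if ($j == "{" || $j == "}" || $j == ";") continue
            if ($j == "[") {                 # boolean expression follows
                for (k = j + 1; k <= NF && $k != "]"; k++)
                    bool = bool (bool == "" ? "" : " ") $k
                break
            }
            if ($j == want) hit = 1          # single perm or inside braces
        }
        if (hit) print src "|" tgt "|" want "|" state "|" bool
    }'
}

# group_by_domain: fold parse_rules records into one line per source domain,
# listing each target with the permission and, if disabled, the boolean.
group_by_domain() {
    sort -u | awk -F'|' '
    {
        tag = $2 "(" $3 ($4 == "disabled" ? ",disabled:" $5 : "") ")"
        out[$1] = (out[$1] == "" ? "" : out[$1] " ") tag
    }
    END { for (d in out) print d ": " out[d] }' | sort
}

# find_entrypoint_writers: the real query. Needs seinfo/sesearch installed;
# mirrors the original loop but asks for both relabelto and create and keeps
# conditional-rule state via -AC. Target attributes such as file_type show up
# as the rule target, which is why the queried exec_type type is appended.
find_entrypoint_writers() {
    for t in $(seinfo -aexec_type -x); do
        [ "$t" = exec_type ] && continue
        for p in relabelto create; do
            sesearch -AC -t "$t" -c file -p "$p" | parse_rules "$p" |
                sed "s/\$/|via $t/"
        done
    done | sort -u
}

# Stand-alone demo on the constructed sample:
{ printf '%s\n' "$SAMPLE_RULES" | parse_rules relabelto
  printf '%s\n' "$SAMPLE_RULES" | parse_rules create; } | group_by_domain
```

Run it against a real policy by replacing the demo lines with find_entrypoint_writers | group_by_domain. Note that a hit on an attribute target such as file_type means the domain can relabel any file type, while a hit on a single script type such as httpd_user_script_exec_t is the narrow case the reply describes, and a record marked disabled should be read together with the boolean it depends on rather than counted as a live path.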