On Wed, 2010-01-27 at 14:27 -0500, Stephen Smalley wrote:
> On Wed, 2010-01-27 at 14:03 +0100, Roberto Sassu wrote:
> > Hello
> >
> > I tried to execute:
> >
> > for i in `seinfo -aexec_type -x`; do
> >     if [ $i = "exec_type" ]; then
> >         continue;
> >     fi
> >     sesearch --allow -s domain -t $i -c file -p relabelto | awk '/allow/{print $2}' >> domains.tmp
> > done;
> > cat domains.tmp | sort | uniq -c
> >
> > This is the result:
> >     552 prelink_t
> >       1 pulseaudio_t
> >     552 restorecond_t
> >     552 rpm_script_t
> >     552 rpm_t
> >     552 setfiles_mac_t
> >     552 setfiles_t
> >       4 seunshare_t
> >       4 staff_t
> >     552 sysadm_t
> >       1 unconfined_t
> >       1 useradd_t
> >       4 user_t
> >      14 webadm_t
> >
> > OK, I hope this is the correct list (for now, until the setools bug will be
> > solved).
>
> I think you need to consider the target type of the relabelto. For
> example, user_t can only relabelto httpd_user_script_exec_t, a type for
> user cgi scripts in their ~public_html directory. Thus the fact that
> user_t appears above does not imply that user_t can relabelto an
> entrypoint type for any more privileged domain than itself.
>
> Also, if you are interested in what domains can effectively introduce
> new entrypoints, then you should not only look at relabelto but also
> create permission to exec_type.
>
> Finally, you also need to consider whether the rules are in fact enabled
> or not. sesearch -AC will show you additional information about
> conditional rules, such as whether they are enabled or disabled and on
> what boolean expression they depend.

BTW, you might want to try the Analysis tab of apol, as that provides
support for more complex forms of analysis, including information flow,
transitions, relabeling, and relationships.

-- 
Stephen Smalley
National Security Agency

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
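The three caveats raised in the reply (keep the target type, include create as well as relabelto, and check whether conditional rules are enabled) all amount to post-processing the sesearch output rather than counting source domains. The script below is an added example, not code from the thread or from setools: it takes already-captured sesearch output and reports one line per (source domain, target type) pair together with whether the rule is currently enabled. The line format it parses is an assumption about setools 3 `sesearch -AC` output (a leading `ET`/`EF`/`DT`/`DF` marker on conditional rules, E meaning enabled and D disabled), and the sample rules, type names and boolean names are constructed for illustration, not taken from any real policy.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Post-processes captured
# sesearch output so it runs without setools installed.
#
# Assumed line format (setools 3 style 'sesearch -AC'):
#   [ET|EF|DT|DF] allow SRC TGT : file { perms } ; [ optional boolean ]
# The optional two-letter prefix marks a conditional rule: E = enabled,
# D = disabled (assumption about the tool's output format).

# Constructed sample of what
#   sesearch -AC -c file -p relabelto,create
# might print. Types and booleans are illustrative only.
SAMPLE='Found 5 semantic av rules:
   allow user_t httpd_user_script_exec_t : file { relabelto } ;
   allow sysadm_t bin_t : file { create relabelto } ;
ET allow staff_t bin_t : file { create } ; [ staff_allow_foo ]
DT allow webadm_t httpd_exec_t : file { relabelto } ; [ httpd_allow_bar ]
   allow rpm_t bin_t : file { create relabelto } ;'

# report_entrypoint_writers: reads sesearch output on stdin and prints
#   SRC TGT enabled|disabled PERMS
# so the target type stays visible instead of being collapsed into a
# per-domain count.
report_entrypoint_writers() {
    awk '
        /allow/ {
            state = "enabled"
            # conditional rules carry an E?/D? marker in the first field
            if ($1 ~ /^[ED][TF]$/ && $1 ~ /^D/) state = "disabled"
            # locate "allow"; source and target types follow it
            for (i = 1; i <= NF; i++)
                if ($i == "allow") { src = $(i+1); tgt = $(i+2); break }
            # permission set sits between the braces
            b = index($0, "{"); e = index($0, "}")
            perms = (b && e > b) ? substr($0, b+1, e-b-1) : ""
            gsub(/^ +/, "", perms); gsub(/ +$/, "", perms)
            printf "%s %s %s %s\n", src, tgt, state, perms
        }'
}

# count_effective DOMAIN: number of currently enabled rules letting DOMAIN
# relabelto or create a file of some exec type in SAMPLE.
count_effective() {
    printf '%s\n' "$SAMPLE" | report_entrypoint_writers \
        | awk -v d="$1" '$1 == d && $3 == "enabled"' | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | report_entrypoint_writers
```

Run it as-is to see the sample processed; to use it on a live policy, replace `SAMPLE` with the output of the sesearch command shown in its comment. In the sample, webadm_t appears in the raw rule list but its only rule is disabled, which is exactly the distinction the reply says a plain count of source domains hides.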