On Mon, Sep 13, 2010 at 06:29:29PM +0200, Roberto Sassu wrote:
> Hi all
>
> i'm investigating what types the domain user_t is allowed to execute, in
> particular those that don't belong to the exec_type attribute. I need more

So you could first query which file types user_t can execute; that shows all file types:

sesearch -SC --allow -s user_t -t file_type -c file execute

Then you can see if a particular type is assigned the exec_type attribute:

seinfo -x -tbin_t

> details about the attribute 'noxattrfs'

That's an attribute that is assigned to filesystems that do not support extended attributes:

seinfo -x -anoxattrfs

A simple example would be dosfs.

> and the type 'etc_t',

More precisely, etc_t is the generic type for content in /etc. So by default all files in /etc get type etc_t.

sesearch -SC --allow -s user_t -t etc_t -c file

Looks like Fedora allows user_t to execute etc_t files but only read types with the configfile attribute (files_config_file: files in /etc that do not have the generic etc_t type).

> in which circumstances they are executed by a regular user.

Fedora tries to confine as little as possible. She really targets what she thinks are threats. Obviously she does not consider user_t executing etc_t files or reading configfiles a threat.

> Thanks in advance for replies.
>
> Roberto Sassu
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
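The two queries above answer the question one type at a time. As an added example (not from the thread or from setools), the script below automates Roberto's actual question: take the sesearch listing of file types user_t may execute, take the seinfo listing of the exec_type attribute's members, and print the difference. The two embedded listings are constructed samples in setools-3 output style, not captured from a real policy; on a live system you would replace them with the output of the sesearch and seinfo commands quoted in the reply.

```shell
#!/bin/sh
# Constructed sample of: sesearch -SC --allow -s user_t -t file_type -c file execute
SESEARCH_OUT='Found 3 semantic av rules:
   allow user_t bin_t : file { ioctl read getattr execute execute_no_trans open } ;
   allow user_t etc_t : file { ioctl read getattr execute execute_no_trans open } ;
   allow user_t shell_exec_t : file { read getattr execute open } ;'

# Constructed sample of: seinfo -x -aexec_type  (attribute name, then its members)
SEINFO_OUT='   exec_type
      bin_t
      shell_exec_t
      sbin_exec_t'

# Target types of allow rules that grant file:execute, one per line, sorted.
# Field layout of a setools-3 rule line: allow <source> <target> : <class> { perms } ;
exec_targets() {
    printf '%s\n' "$SESEARCH_OUT" \
      | awk '$1 == "allow" && $4 == ":" && $5 == "file" && /[{ ]execute[ }]/ { print $3 }' \
      | sort -u
}

# Types listed under the exec_type attribute (skip the header line).
exec_type_members() {
    printf '%s\n' "$SEINFO_OUT" | awk 'NR > 1 { print $1 }' | sort -u
}

# Executable by user_t but NOT carrying exec_type: the types Roberto asked about.
non_exec_type_targets() {
    members=$(mktemp) || return 1
    exec_type_members > "$members"
    exec_targets | grep -vxF -f "$members"
    rm -f "$members"
}

# With the constructed samples this prints only etc_t.
non_exec_type_targets
```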