On 09/14/2010 05:55 AM, Roberto Sassu wrote:
> Thanks for the answers. I'm trying to find a set of types executable by regular users which are managed by few and highly privileged domains.
> Unfortunately, regarding 'etc_t', there's a non-administrative domain, 'postgresql_t', which is allowed to create it.

That seems wrong, I have no idea why postgresql would be able to manage etc files. Chris, do you have any idea? (Hopefully this did not come from me.)

BTW, there is no way for user_t to execute something as postgresql_t.

> The case of 'noxattrfs' seems to be solvable by turning off the booleans
> 'user_rw_noexattrfile' and 'xguest_mount_media'.
>
> I have just another question: is it possible to write a policy which creates a new attribute and assigns to it the types of another attribute, with addition/subtraction of other types?
> For example:
>
> attribute subset_exec_type;
> typeattribute { exec_type -cifs_t } subset_exec_type;
>
> Just to simplify making queries which involve attributes minus some types, I wrote a small patch for the 'setools' software, which introduces two new arguments (-u -v) to the command line utility 'sesearch' in order to indicate a type/attribute to exclude from the source and the target respectively.
> It works for now for av rules searched semantically, and I post it as an attachment for evaluation.

This patch should be sent to the selinux@xxxxxxxxxxxxx list where the maintainers of setools would be more likely to see it.

> On Monday 13 September 2010 20:27:01 Daniel J Walsh wrote:
>> On 09/13/2010 12:29 PM, Roberto Sassu wrote:
>>> Hi all
>>>
>>> I'm investigating what types the domain user_t is allowed to execute, in
>>> particular those that don't belong to the exec_type attribute. I need
>>> more details about the attribute 'noxattrfs' and the type 'etc_t', more
>>> precisely in which circumstances they are executed by a regular user.
>>> Thanks in advance for replies.
>>>
>>> Roberto Sassu
>>
>> In addition to Dominick's comments.
>>
>> Remember the user_t is still governed by DAC. Meaning that an
>> executable labeled etc_t would only be executable by the user if he
>> could execute it, even if SELinux was disabled.
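The query Roberto is building (which types user_t may execute that are not members of exec_type) and the "attribute minus some types" subtraction from his typeattribute example, worked as an added example that is not part of the thread and not code from setools. It parses constructed sample lines laid out like the expanded output of `sesearch -A -s user_t -c file -p execute` and `seinfo -aexec_type -x` from setools 3 (the real output on a given system should be checked against these regexes), then does the set arithmetic that the proposed `-v` exclusion flag would do inside sesearch. The type names and rules in the samples are assumptions chosen for the illustration, not real policy content.

```python
"""
Find the types a domain may execute that fall outside an attribute, and
compute an attribute minus a list of excluded types.

Added example, not code from the mailing-list thread or from setools.
SESEARCH_OUTPUT and SEINFO_OUTPUT are constructed samples shaped like
setools 3 output; they are not real policy.
"""
import re

# Constructed sample of `sesearch -A -s user_t -c file -p execute`
# (semantic search: attributes already expanded to types). Not real policy.
SESEARCH_OUTPUT = """\
Found 5 semantic av rules:
   allow user_t bin_t : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow user_t etc_t : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow user_t cifs_t : file { ioctl read write create getattr setattr lock append unlink link rename execute execute_no_trans open } ;
   allow user_t shell_exec_t : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow user_t nfs_t : file { ioctl read write create getattr setattr lock append unlink link rename execute execute_no_trans open } ;
"""

# Constructed sample of `seinfo -aexec_type -x` (attribute expanded to its
# member types). Not real policy.
SEINFO_OUTPUT = """\
   exec_type
      bin_t
      cifs_t
      shell_exec_t
      nfs_t
"""

# One expanded av rule: allow <source> <target> : <class> { perms } ;
AV_RULE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}\s*;")


def parse_av_rules(text):
    """Return (source, target, class, perms) tuples from expanded sesearch output."""
    rules = []
    for line in text.splitlines():
        m = AV_RULE.match(line)
        if m:
            rules.append((m.group(1), m.group(2), m.group(3),
                          frozenset(m.group(4).split())))
    return rules


def parse_attribute(text):
    """Return (attribute name, set of member types) from `seinfo -a<attr> -x` output."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    return lines[0], set(lines[1:])


def attribute_minus(members, excluded):
    """The `{ attr -type ... }` subtraction: attr's members without the excluded types."""
    return set(members) - set(excluded)


def executable_targets(rules, source, perm="execute", tclass="file"):
    """Target types on which `source` holds `perm` for class `tclass`."""
    return {t for (s, t, c, p) in rules if s == source and c == tclass and perm in p}


def outside_attribute(rules, source, attr_members):
    """Executable targets of `source` that are not members of the attribute
    (what excluding the attribute on the target side would leave)."""
    return executable_targets(rules, source) - set(attr_members)


if __name__ == "__main__":
    rules = parse_av_rules(SESEARCH_OUTPUT)
    attr, members = parse_attribute(SEINFO_OUTPUT)
    print("subset_exec_type = exec_type - cifs_t:",
          sorted(attribute_minus(members, {"cifs_t"})))
    print("user_t executes, not in", attr + ":",
          sorted(outside_attribute(rules, "user_t", members)))
```

Against the constructed sample the second line reports only etc_t, which is the kind of outlier the original question was after; on a real policy, feed the script the actual sesearch and seinfo output and keep Dan's caveat in mind that a match here still needs DAC execute permission before user_t can run the file.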