Re: sesearch question


 



On 10/14/2009 09:36 AM, Joe Nall wrote:
> On Wed, Oct 14, 2009 at 6:20 AM, Christopher J. PeBenito
> <cpebenito@xxxxxxxxxx> wrote:
>> On Tue, 2009-10-13 at 16:30 -0700, Joe Nall wrote:
>>> When I use sesearch I appear to be seeing allow rules that are in
>>> tunables that are off. The rules below come from
>>> auth_manage_all_files_except_shadow which is in a disabled tunable.
>>
>> Sesearch will return all rules, regardless of being conditional or
>> unconditional.  However, currently it does not tell you that a rule is
>> conditional (what the Boolean expression is for the rule).
> 
> Are there any command line tools that I can use on a production box to
> show the current effective allow rules?
> 
> joe
> 
> 
> 
sesearch -A -C -t TYPE
Will show you the rules with booleans.  You could eliminate all lines with booleans turned off via a script.

BTW Our version of setools has python bindings that would allow you to write a tool in python.  Sadly upstream has not accepted the patch.

import setools



>>
>>> sesearch -A -t jcdx_icm_var_t /etc/selinux/mls/modules/active/base.pp
>>> /etc/selinux/mls/modules/active/modules/*pp
>>> ...
>>>    allow nfsd_t { file_type -shadow_t } : dir { ioctl read getattr
>>> lock search } ;
>>>    allow nfsd_t { file_type -shadow_t } : file { ioctl read getattr lock } ;
>>>    allow nfsd_t { file_type -shadow_t } : dir { getattr search } ;
>>> ...
>>>
>>> --
>>>
>>> getsebool -a | grep nfs_export_all_rw
>>> nfs_export_all_rw --> off
>>>
>>> --
>>>
>>> tunable_policy(`nfs_export_all_rw',`
>>>         fs_read_noxattr_fs_files(nfsd_t)
>>>         dev_getattr_all_blk_files(nfsd_t)
>>>         dev_getattr_all_chr_files(nfsd_t)
>>>         auth_manage_all_files_except_shadow(nfsd_t)
>>>         #unprivuser_home_dir_filetrans_home_content(nfsd_t, { file dir })
>>> ')
>>>
>>> --
>>> This message was distributed to subscribers of the selinux mailing list.
>>> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
>>> the words "unsubscribe selinux" without quotes as the message.
>> --
>> Chris PeBenito
>> Tresys Technology, LLC
>> (410) 290-1411 x150
>>
>>
> 
> 


