----- Original Message -----
> From: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
> To: Daniel J Walsh <dwalsh@xxxxxxxxxx>; dE <de.techno@xxxxxxxxx>
> Cc: "selinux@xxxxxxxxxxxxx" <selinux@xxxxxxxxxxxxx>
> Sent: Thursday, 3 July 2014, 12:19
> Subject: Re: Enforcing default_user, default_role, default_type, default_range
>
> ----- Original Message -----
>> From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
>> To: dE <de.techno@xxxxxxxxx>; selinux@xxxxxxxxxxxxx
>> Cc:
>> Sent: Thursday, 3 July 2014, 10:44
>> Subject: Re: Enforcing default_user, default_role, default_type, default_range
>>
>> On 07/03/2014 01:26 AM, dE wrote:
>>> These rules are not enforced by the object manager, but does
>>> restorecon read these?
>> No. restorecon and other labeling tools just read the fcontext files.
>>>
>>> Also what's the effect of these statements on SELinux aware applications?
>>>

The SELinux Notebook section 2.10 - Computing Security Contexts attempts to explain labeling using these and other rules for SELinux-aware apps. For the next edition I've a few minor corrections - the CIL statement names have changed and security_compute_member always defaults to using the tcon user.

The book is available from:
http://www.freetechbooks.com/the-selinux-notebook-the-foundations-t785.html

If you find any errors or want any clarifications let me know as I'm working on the next version (for release one day - but not sure when).

>> Most likely nothing.
>>> Are there tools to list these statements? I didn't find anything in
>>> sesearch man page, and seinfo is silent on this.
>> Probably not. seinfo/sesearch have not been updated to handle them
>
> There is an updated version of APOL that will show these plus all other rules to
> policy version 29.
> You can either build it from:
> https://github.com/TresysTechnology/setools3.git
> or:
> https://github.com/QuarkSecurity/setools
>
> Or download the rpms from:
> https://quarksecurity.com/files/RPMS/
>
>>> _______________________________
>>> Selinux mailing list
>>> Selinux@xxxxxxxxxxxxx
>>> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
>>> To get help, send an email containing "help" to
>>> Selinux-request@xxxxxxxxxxxxx.