Hi all
I'm investigating what types the domain user_t is allowed to execute, in particular those that don't belong to the exec_type attribute. I need more details about the attribute 'noxattrfs' and the type 'etc_t', more precisely in which circumstances they are executed by a regular user. Thanks in advance for replies.
Roberto Sassu
On Mon, Sep 13, 2010 at 06:29:29PM +0200, Roberto Sassu wrote:
Have you tried the seinfo and sesearch commands? Here are some examples:
sesearch -SC --allow -s user_t -t file_type -c file -p execute
sesearch -SC --allow -s userdomain -t etc_t -c file
sesearch -SC --allow -t exec_type
(man sesearch)
seinfo -x -aexec_type
seinfo -x -tetc_t
(man seinfo)
selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Oh man, how I've been looking for this command for absolute ages!!!
I've had a 'problem' with the '*_server_packet_t' and '*_client_packet_t' types which are 'automatically' created when the network_port() macro is called and could not figure out whether these types already exist or not (had to guess!) after I could not find any suitable command to search the policy for them ... until now!
On Mon, Sep 13, 2010 at 06:29:29PM +0200, Roberto Sassu wrote:
Hi all
I'm investigating what types the domain user_t is allowed to execute, in particular those that don't belong to the exec_type attribute. I need more
So you could first query which file types user_t can execute; that shows all file types:
sesearch -SC --allow -s user_t -t file_type -c file -p execute
Then you can see if a particular type is assigned the exec_type attribute:
seinfo -x -tbin_t
details about the attribute 'noxattrfs'
That's an attribute that is assigned to filesystems that do not support extended attributes:
seinfo -x -anoxattrfs
A simple example would be dosfs.
and the type 'etc_t', more precisely
etc_t is the generic type for content in /etc. So by default all files in /etc get type etc_t.
sesearch -SC --allow -s user_t -t etc_t -c file
Looks like Fedora allows user_t to execute etc_t files but only read types with the configfile attribute (files_config_file: files in /etc that do not have the generic etc_t type).
in which circumstances they are executed by a regular user.
Fedora tries to confine as little as possible. She really targets what she thinks are threats. Obviously she does not consider user_t executing etc_t files or reading configfiles a threat.
Thanks in advance for replies.
Roberto Sassu
On 09/13/2010 12:29 PM, Roberto Sassu wrote:
In addition to Dominick's comments.
Remember that user_t is still governed by DAC. This means that an executable labeled etc_t would only be executable by the user if he could execute it even if SELinux was disabled.
Thanks for answers. I'm trying to find a set of types executable by regular users which are managed by few and high privileged domains. Unfortunately, regarding 'etc_t', there's a non administrative domain, 'postgresql_t', which is allowed to create it. The case of 'noxattrfs' seems to be solvable by turning off the booleans 'user_rw_noexattrfile' and 'xguest_mount_media'.
I have just another question: is it possible to write a policy which creates a new attribute and assigns to it the types of another attribute with addition/subtraction of other types? For example:
attribute subset_exec_type;
typeattribute { exec_type -cifs_t } subset_exec_type;
Just to simplify how to make queries which involve attributes minus some types, I wrote a small patch for the 'setools' software, which introduces two new arguments (-u -v) to the command line utility 'sesearch' in order to indicate a type/attribute to exclude from the source and the target respectively. It works for now for av rules searched semantically and I post it as an attachment for evaluation.
On Monday 13 September 2010 20:27:01 Daniel J Walsh wrote:
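As an added example (not code from the thread, nor part of setools), the following Python script post-processes sesearch/seinfo-style text to answer the two questions raised above: which types user_t may execute that are not members of exec_type (Dominick's queries), and what an attribute minus some types looks like (the subset_exec_type question). All sample output below is constructed for the example; the line layout is modelled on the setools 3 text output and may differ from a real system, so the parser is deliberately tolerant.

```python
import re

# Constructed sample in the style of
#   sesearch -SC --allow -s user_t -c file -p execute
# (not captured from a real policy; types and booleans are illustrative).
SESEARCH_OUTPUT = """\
Found 4 semantic av rules:
   allow user_t bin_t : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow user_t etc_t : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow user_t user_home_t : file { ioctl read getattr lock execute execute_no_trans open } ; [ user_exec_content ]
   allow user_t noxattrfs : file { ioctl read getattr lock execute execute_no_trans open } ; [ user_rw_noexattrfile ]
"""

# Constructed, abbreviated samples in the style of `seinfo -x -a<attribute>`.
SEINFO_EXEC_TYPE = """\
   exec_type
      bin_t
      shell_exec_t
      sshd_exec_t
"""
SEINFO_NOXATTRFS = """\
   noxattrfs
      dosfs_t
      iso9660_t
      removable_t
"""

# One av rule per line; an optional leading ET/DT marker and an optional
# trailing "[ boolean ]" (conditional rule) are both accepted.
RULE_RE = re.compile(
    r"^\s*(?:[DE]T\s+)?allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}\s*;"
    r"(?:\s*\[\s*([^\]]+?)\s*\])?"
)


def parse_allow_rules(text):
    """Yield (source, target, class, perms, boolean-or-None) for each av rule line."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            src, tgt, cls, perms, cond = m.groups()
            yield src, tgt, cls, set(perms.split()), cond


def parse_attribute_members(text):
    """Return the set of types listed under an attribute in seinfo -x -a output."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return set(lines[1:])  # the first non-empty line is the attribute name


def executable_targets(rules, source="user_t", cls="file"):
    """Map each target the source may execute to the boolean guarding it (None if unconditional)."""
    return {tgt: cond for src, tgt, c, perms, cond in rules
            if src == source and c == cls and "execute" in perms}


def expand_targets(targets, attributes):
    """Replace attribute targets by their member types; plain types pass through unchanged."""
    expanded = {}
    for tgt, cond in targets.items():
        for t in attributes.get(tgt, {tgt}):
            expanded[t] = cond
    return expanded


def non_exec_type_targets(expanded, exec_types):
    """Keep only executable targets that are NOT members of exec_type."""
    return {t: cond for t, cond in expanded.items() if t not in exec_types}


def attribute_minus(members, excluded):
    """The set a policy author means by `typeattribute { attr -type } new_attr`."""
    return set(members) - set(excluded)


if __name__ == "__main__":
    rules = list(parse_allow_rules(SESEARCH_OUTPUT))
    attrs = {"exec_type": parse_attribute_members(SEINFO_EXEC_TYPE),
             "noxattrfs": parse_attribute_members(SEINFO_NOXATTRFS)}
    outside = non_exec_type_targets(expand_targets(executable_targets(rules), attrs),
                                    attrs["exec_type"])
    for t in sorted(outside):
        guard = f"  [only if boolean {outside[t]} is on]" if outside[t] else ""
        print(f"user_t may execute {t}{guard}")
    print("subset_exec_type =", sorted(attribute_minus(attrs["exec_type"], {"sshd_exec_t"})))
```

Run against real output, the same functions take the text of `sesearch` and `seinfo` as input; the useful part is the expansion step, since a rule whose target is an attribute (here noxattrfs) hides the concrete types it grants, and the boolean column tells you which of those grants a toggle like user_rw_noexattrfile would remove.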
On 09/14/2010 05:55 AM, Roberto Sassu wrote:
Thanks for answers. I'm trying to find a set of types executable by regular users which are managed by few and high privileged domains. Unfortunately, regarding 'etc_t', there's a non administrative domain, 'postgresql_t', which is allowed to create it.
That seems wrong, I have no idea why postgresql would be able to manage etc files. Chris, do you have any idea? (Hopefully this did not come from me.) BTW there is no way for user_t to execute something as postgresql_t.
The case of 'noxattrfs' seems to be solvable by turning off the booleans 'user_rw_noexattrfile' and 'xguest_mount_media'.
I have just another question: is it possible to write a policy which creates a new attribute and assigns to it the types of another attribute with addition/subtraction of other types? For example:
attribute subset_exec_type;
typeattribute { exec_type -cifs_t } subset_exec_type;
Just to simplify how to make queries which involve attributes minus some types, I wrote a small patch for the 'setools' software, which introduces two new arguments (-u -v) to the command line utility 'sesearch' in order to indicate a type/attribute to exclude from the source and the target respectively. It works for now for av rules searched semantically and I post it as an attachment for evaluation.
This patch should be sent to the selinux@tycho.nsa.gov list where the maintainers of setools would be more likely to see it.