On 01/26/2010 05:40 PM, Stephen Smalley wrote:
On Tue, 2010-01-26 at 17:14 +0100, Dominick Grift wrote:
On 01/26/2010 02:27 PM, Roberto Sassu wrote:
Hello all
I'm trying to investigate what domains in the Fedora 12 policy are allowed to modify SELinux labels (in particular domain entrypoints).
sesearch --allow -s domain -t exec_type -c file -p relabelto
sesearch --allow -s domain -t exec_type -c file -p relabelfrom
This lists all source domain types relabelto and relabelfrom access to executable file types (entry types)
Does that work for you?
You are right it does not work. I wonder why. Why would sysadm_t be a "domain" and unconfined_t not?
sesearch --allow -s domain -t exec_type -c file -p relabelto | awk '/allow/{print $2}' | sort | uniq -c
      1 prelink_t
    568 restorecond_t
    568 rpm_t
    568 sysadm_t
Where is unconfined_t and friends?
sesearch --allow -s unconfined_t -t sshd_exec_t -c file -p relabelto
Found 1 semantic av rules:
   allow files_unconfined_type file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans entrypoint open } ;
On Tue, 2010-01-26 at 17:54 +0100, Dominick Grift wrote:
You are right it does not work. I wonder why. Why would sysadm_t be a "domain" and unconfined_t not?
# seinfo -adomain -x | grep unconfined_t
   qemu_unconfined_t
   unconfined_t
unconfined_t is a domain. This appears to be a bug in setools.
Hello
I tried to execute:
for i in $(seinfo -aexec_type -x); do
    # seinfo prints the attribute name itself as the first line; skip it
    if [ "$i" = "exec_type" ]; then continue; fi
    sesearch --allow -s domain -t "$i" -c file -p relabelto | awk '/allow/{print $2}' >> domains.tmp
done
sort domains.tmp | uniq -c
This is the result:
    552 prelink_t
      1 pulseaudio_t
    552 restorecond_t
    552 rpm_script_t
    552 rpm_t
    552 setfiles_mac_t
    552 setfiles_t
      4 seunshare_t
      4 staff_t
    552 sysadm_t
      1 unconfined_t
      1 useradd_t
      4 user_t
     14 webadm_t
OK, I hope this is the correct list (for now, until the setools bug is solved). Another aspect of the policy which I need to understand is the list of domains which are allowed to modify the file labelling behaviour, when it is enforced. For example, when I enter the sysadm_t domain, I can disable the enforcement or I can load a custom policy module that adds new rules. What are the criteria to pass to the sesearch tool in order to get the correct list? Thanks.
On 01/27/2010 02:03 PM, Roberto Sassu wrote:
OK, I hope this is the correct list (for now, until the setools bug is solved). Another aspect of the policy which I need to understand is the list of domains which are allowed to modify the file labelling behaviour, when it is enforced. For example, when I enter the sysadm_t domain, I can disable the enforcement or I can load a custom policy module that adds new rules. What are the criteria to pass to the sesearch tool in order to get the correct list? Thanks.
I think this:
[root@localhost Desktop]# sesearch --allow -p load_policy
( and permission setenforce to disable enforcement and setbool to load tunable policy which probably at least also needs rw_file_perms for boolean_type files )
Found 3 semantic av rules:
   allow selinux_unconfined_type security_t : security { load_policy setenforce setbool } ;
   allow kernel_t security_t : security load_policy ;
   allow load_policy_t security_t : security { load_policy setbool } ;
From selinux.te:
if(!secure_mode_policyload) {
	allow selinux_unconfined_type boolean_type:file rw_file_perms;
	allow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
}
But i might be wrong.
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
On Wed, 2010-01-27 at 14:03 +0100, Roberto Sassu wrote:
OK, I hope this is the correct list (for now, until the setools bug is solved).
I think you need to consider the target type of the relabelto. For example, user_t can only relabelto httpd_user_script_exec_t, a type for user cgi scripts in their ~public_html directory. Thus the fact that user_t appears above does not imply that user_t can relabelto an entrypoint type for any more privileged domain than itself.
Also, if you are interested in what domains can effectively introduce new entrypoints, then you should not only look at relabelto but also create permission to exec_type.
Finally, you also need to consider whether the rules are in fact enabled or not. sesearch -AC will show you additional information about conditional rules, such as whether they are enabled or disabled and on what boolean expression they depend.
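The three checks above (look at the target type, count create as well as relabelto, and ignore rules whose boolean branch is disabled) can be applied mechanically to sesearch output. The script below is an added example, not code from this thread or from setools: it parses constructed sesearch -AC style lines and a constructed attribute map standing in for seinfo output, and expands attribute sources such as files_unconfined_type so that domains like unconfined_t are not missed the way the plain "-s domain" search missed them. The setools 3 E/D + T/F conditional-rule prefix format is an assumption.

```python
import re
# Constructed attribute membership standing in for `seinfo -a<attr> -x` output.
ATTR_MEMBERS = {
    "exec_type": {"sshd_exec_t", "bin_t", "httpd_user_script_exec_t"},
    "files_unconfined_type": {"unconfined_t", "rpm_t"},
}
ENTRYPOINT_PERMS = {"relabelto", "create"}  # either lets a domain label an entrypoint

# Constructed sample in the setools 3 `sesearch -AC` line format (assumed): conditional
# rules carry an E/D (enabled/disabled) + T/F (branch) prefix and their boolean in brackets.
SAMPLE = """\
Found 5 semantic av rules:
   allow sysadm_t sshd_exec_t : file { relabelfrom relabelto } ;
   allow files_unconfined_type exec_type : file { create relabelto write } ;
   allow user_t httpd_user_script_exec_t : file relabelto ;
DT allow pulseaudio_t sshd_exec_t : file { relabelto } ; [ pulseaudio_unconfined ]
   allow useradd_t user_home_t : file { create } ;
"""
RULE_RE = re.compile(
    r"^(?:(?P<cond>[ED][TF])\s+)?allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*"
    r"(?P<cls>\S+)\s+(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>[^\s;]+))\s*;"
    r"(?:\s*\[\s*(?P<bool>[^\]]*?)\s*\])?"
)

def parse_rules(text):
    """Parse allow rules from sesearch-style output; non-rule lines are skipped."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if m:
            perms = m.group("perms")
            rules.append({
                "src": m.group("src"), "tgt": m.group("tgt"), "cls": m.group("cls"),
                "perms": set(perms.split()) if perms is not None else {m.group("perm")},
                "enabled": m.group("cond") is None or m.group("cond")[0] == "E",
                "bool": m.group("bool"),
            })
    return rules

def entrypoint_writers(rules):
    """Map domain -> {exec type -> perms} over enabled relabelto/create rules on exec_type files."""
    out = {}
    for r in rules:
        hits = r["perms"] & ENTRYPOINT_PERMS
        if r["cls"] != "file" or not r["enabled"] or not hits:
            continue
        for src in ATTR_MEMBERS.get(r["src"], {r["src"]}):
            for tgt in ATTR_MEMBERS.get(r["tgt"], {r["tgt"]}) & ATTR_MEMBERS["exec_type"]:
                out.setdefault(src, {}).setdefault(tgt, set()).update(hits)
    return out
```

The result keeps the target type per domain, so user_t shows up only against httpd_user_script_exec_t while the attribute-granted unconfined_t and rpm_t show create and relabelto on every exec type.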
BTW, you might want to try the Analysis tab of apol, as that provides support for more complex forms of analysis, including information flow, transitions, relabeling, and relationships.