SELinux - back to basics

[Dominick Grift]

On Mon, Aug 17, 2009 at 12:28:02PM +0000, Stephen Smalley wrote:
> On Mon, 2009-08-17 at 10:42 +0800, adrian golding wrote:
> > dear all, can you please point me to the right place:
> > 
> > with reference to: http://danwalsh.livejournal.com/10131.html
> > 
> > 
> > i am interested in how dan knows what an attacker can make use of the
> > samba vulnerability to do by default, and what the attacker cannot
> > do.  More generally speaking, how do we look at a service or
> > application in a SELinux system, and finding out what the attacker can
> > do and cannot do in the case of the service being exploited?  
> > 
> > 
> > in that page, he looked at some of the relevant booleans and i guess
> > "samba_enable_home_dirs ---> off" prevents the attacker to
> > read/manipulate the user's home directories. But what about the rest?
> >  What other things can an end user (who is not very experienced in
> > SELinux) examine to know what the attacker can / cannot do? 
> 
> sesearch can be a very useful tool for interrogating the policy to see
> what a given domain can access, and the information flow and domain
> transition analysis capabilities of apol are likewise quite useful.

With regard to sesearch it is good to know that it displays all rules, also the rules that maybe disabled by boolean.
So with that in mind sesearch can be a bit misleading.

if you encounter a situation where access is denied, but where sesearch returns a rule that would have allowed the access, then pipe the avc denial into audit2why.

> 
> -- 
> Stephen Smalley
> National Security Agency
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20090817/5bfc1e7c/attachment.sig>