SELinux - back to basics
Daniel J Walsh
dwalsh at redhat.com
Tue Aug 18 21:22:17 UTC 2009
On 08/16/2009 10:42 PM, adrian golding wrote:
> Dear all, can you please point me to the right place:
> With reference to: http://danwalsh.livejournal.com/10131.html
>
> I am interested in how Dan knows what an attacker can make use of the samba
> vulnerability to do by default, and what the attacker cannot do. More
> generally speaking, how do we look at a service or application in a SELinux
> system and find out what the attacker can and cannot do in the case
> of the service being exploited?
>
> In that page, he looked at some of the relevant booleans, and I guess
> "samba_enable_home_dirs ---> off" prevents the attacker from reading/manipulating
> the user's home directories. But what about the rest? What other things can
> an end user (who is not very experienced in SELinux) examine to know what
> the attacker can / cannot do?
>
> Thank you
One simple answer is I can look at the policy source code.
Secondly, you can use the sesearch command:

    sesearch --allow -s smbd_t

This shows me all the rules of what smbd_t is allowed to do. If I want to do more complex analyses of the policy, I can use a tool like apol.
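
An added example, not part of the original message: one way to turn `sesearch --allow -s smbd_t` output into a list of the types the confined domain may modify, with any gating boolean shown. It assumes the setools 4 text output format (conditional rules suffixed with `[ boolean ]:True`); the sample rules are constructed, and the names `parse_rules` and `writable_targets` are hypothetical.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the style of setools 4 `sesearch --allow -s smbd_t`
# output; illustrative lines, not copied from any shipped policy.
SAMPLE = """\
allow smbd_t samba_share_t:file { create getattr open read unlink write };
allow smbd_t samba_share_t:dir { add_name getattr open read remove_name search write };
allow smbd_t samba_log_t:file { append create getattr open };
allow smbd_t etc_t:file { getattr open read };
allow smbd_t user_home_t:file { create getattr open read unlink write }; [ samba_enable_home_dirs ]:True
allow smbd_t smbd_t:process { fork signal };
"""

# allow SRC TGT:CLASS { perms }; optionally followed by "[ boolean expr ]:True|False"
RULE = re.compile(
    r"^\s*allow\s+\S+\s+(?P<tgt>[^\s:]+)\s*:\s*(?P<cls>\S+)\s+"
    r"(?:\{(?P<perms>[^}]*)\}|(?P<perm>\S+?))\s*;"
    r"(?:\s*\[\s*(?P<cond>.+?)\s*\]:(?P<state>True|False))?\s*$"
)
FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file", "chr_file", "blk_file"}
# Permissions that change on-disk state (as opposed to read/getattr/search).
MODIFY = {"write", "append", "create", "unlink", "rename", "setattr",
          "link", "add_name", "remove_name"}

def parse_rules(text):
    """Yield (target type, class, permissions, gating boolean or None) per allow rule."""
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # skip headers, blank lines and non-allow rules
        perms = frozenset((m["perms"] or m["perm"] or "").split())
        cond = f'{m["cond"]}={m["state"]}' if m["cond"] else None
        yield m["tgt"], m["cls"], perms, cond

def writable_targets(text):
    """Map target type -> {"always" | "<boolean>=<state>": modifying perms}."""
    out = defaultdict(lambda: defaultdict(set))
    for tgt, cls, perms, cond in parse_rules(text):
        if cls in FILE_CLASSES and perms & MODIFY:
            out[tgt][cond or "always"] |= perms & MODIFY
    return {tgt: dict(gates) for tgt, gates in out.items()}

if __name__ == "__main__":
    # Pipe real sesearch output in, or run with no input to see the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for tgt, gates in sorted(writable_targets(text).items()):
        for gate, perms in sorted(gates.items()):
            print(f"{tgt:16} {gate:32} {' '.join(sorted(perms))}")
```

Types that never appear in the result are ones a compromised smbd_t process has no rule to modify; rows gated by a boolean apply only while that boolean has the listed state.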