SELinux - back to basics

Stephen Smalley sds at
Mon Aug 17 12:28:02 UTC 2009

On Mon, 2009-08-17 at 10:42 +0800, adrian golding wrote:
> dear all, can you please point me to the right place:
> with reference to:
> i am interested in how dan knows what an attacker can make use of the
> samba vulnerability to do by default, and what the attacker cannot
> do.  More generally speaking, how do we look at a service or
> application in a SELinux system, and finding out what the attacker can
> do and cannot do in the case of the service being exploited?  
> in that page, he looked at some of the relevant booleans and i guess
> "samba_enable_home_dirs ---> off" prevents the attacker to
> read/manipulate the user's home directories. But what about the rest?
>  What other things can an end user (who is not very experienced in
> SELinux) examine to know what the attacker can / cannot do? 

sesearch can be a very useful tool for interrogating the policy to see
what a given domain can access, and the information flow and domain
transition analysis capabilities of apol are likewise quite useful.

Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list