SELinux - back to basics
Stephen Smalley
sds at tycho.nsa.gov
Mon Aug 17 12:28:02 UTC 2009
On Mon, 2009-08-17 at 10:42 +0800, adrian golding wrote:
> dear all, can you please point me to the right place:
>
> with reference to: http://danwalsh.livejournal.com/10131.html
>
>
> i am interested in how dan knows what an attacker can make use of the
> samba vulnerability to do by default, and what the attacker cannot
> do. More generally speaking, how do we look at a service or
> application in a SELinux system, and finding out what the attacker can
> do and cannot do in the case of the service being exploited?
>
>
> in that page, he looked at some of the relevant booleans and i guess
> "samba_enable_home_dirs ---> off" prevents the attacker to
> read/manipulate the user's home directories. But what about the rest?
> What other things can an end user (who is not very experienced in
> SELinux) examine to know what the attacker can / cannot do?
sesearch can be a very useful tool for interrogating the policy to see
what a given domain can access, and the information flow and domain
transition analysis capabilities of apol are likewise quite useful.
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list