SELinux - back to basics

Daniel J Walsh dwalsh at
Tue Aug 18 21:22:17 UTC 2009

On 08/16/2009 10:42 PM, adrian golding wrote:
> dear all, can you please point me to the right place:
> with reference to:
> i am interested in how dan knows what an attacker can make use of the samba
> vulnerability to do by default, and what the attacker cannot do.  More
> generally speaking, how do we look at a service or application in a SELinux
> system, and finding out what the attacker can do and cannot do in the case
> of the service being exploited?
> in that page, he looked at some of the relevant booleans and i guess
> "samba_enable_home_dirs ---> off" prevents the attacker to read/manipulate
> the user's home directories. But what about the rest?  What other things can
> an end user (who is not very experienced in SELinux) examine to know what
> the attacker can / cannot do?
> thank you
> ------------------------------------------------------------------------
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at

One simple answer is I can look at the policy source code.

Secondly you can use the sesearch command

sesearch --allow -s smbd_t 

Shows me all the rules of what smbd_t is allowed to do.  If I want to do more complex analyses of the policy I can use a tool like apol.

More information about the fedora-selinux-list mailing list