SELinux - back to basics

Daniel J Walsh dwalsh at redhat.com
Tue Aug 18 21:49:06 UTC 2009


On 08/17/2009 01:05 AM, adrian golding wrote:
> To refine my questions in the earlier email:
> 1) Many of the things the attacker can do if he exploits the Samba
> vulnerability can be found in the source policy, but there are also so many
> other rules in the policy (hundreds?); my question is how do I know if the
> other rules matter much? There are >300 rules related to smbd_t, and it
> just *seems* a lot can go wrong with the system.
> 
Yes, you have to ask the questions.  You can ask a question in APOL about whether smbd_t can read a file.

A simple query 
sesearch --allow -s smbd_t -t user_home_t -c file -p read

asks whether smbd_t can read files labeled user_home_t directly.  You can use apol to look for transition rules that might allow it.

SELinux is all about types, so you need to use commands like

semanage port -l

to list the types that ports are assigned to, or /etc/selinux/targeted/context/files/files.context to see what types are assigned to files by default.

> 2) How do we verify the part about what the attackers cannot do? Does it
> mean that if I cannot find a rule that links smbd_t with user_home_t with the
> 'read' permission, the attacker cannot read/manipulate user home
> directories?  Or is it not as trivial?
Anything that is not allowed is denied.   See above.
> 
> 3) I am assuming ports 137-139 and 445 are labelled smbd_port_t, but where
> can I find this assignment in the policy? I am currently using apol.
> 
semanage port -l

> thank you
> 
> 
> On Mon, Aug 17, 2009 at 10:42 AM, adrian golding <adriangolding at gmail.com> wrote:
> 
>> Dear all, can you please point me to the right place:
>> with reference to: http://danwalsh.livejournal.com/10131.html
>>
>> I am interested in how Dan knows what an attacker can make use of the Samba
>> vulnerability to do by default, and what the attacker cannot do.  More
>> generally speaking, how do we look at a service or application in an SELinux
>> system and find out what the attacker can and cannot do in the case
>> of the service being exploited?
>>
>> In that page, he looked at some of the relevant booleans, and I guess
>> "samba_enable_home_dirs ---> off" prevents the attacker from reading/manipulating
>> the user's home directories. But what about the rest?  What other things can
>> an end user (who is not very experienced in SELinux) examine to know what
>> the attacker can / cannot do?
>>
>> thank you
>>
>>
>>
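An added example (not code from this thread, from apol or from Dan's blog) that ties the sesearch query above to the boolean question in the original post: it filters sesearch output by the live boolean state, so a rule that is present in the policy but gated by an "off" boolean such as samba_enable_home_dirs is not counted as access smbd_t actually has. The sesearch -C output shape (setools 4, where -A replaces the older --allow), the sample rules and the boolean states are all assumed or constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): keep only the allow rules actually in
# force, i.e. unconditional ones plus conditional ones whose boolean matches
# the rule's branch. A rule gated by an "off" boolean grants nothing.
# Assumes the setools-4 line shape:  allow A B:C { perms }; [ bool ]:True
# active_rules BOOLFILE - sesearch -C output on stdin; BOOLFILE holds
# "name --> on|off" lines as printed by "getsebool -a".
active_rules() {
    awk -v boolfile="$1" '
    BEGIN {
        while ((getline line < boolfile) > 0)
            if (split(line, f, " ") >= 3) state[f[1]] = f[3]
    }
    /^allow / {
        if (index($0, "[") == 0) { print; next }        # unconditional
        if (match($0, /\[ *[A-Za-z0-9_]+ *\]:(True|False)/)) {
            cond = substr($0, RSTART, RLENGTH)
            sub(/^\[ */, "", cond); sub(/ *\]:/, " ", cond)
            split(cond, p, " ")                         # p[1]=bool, p[2]=branch
            on = (state[p[1]] == "on")
            if ((on && p[2] == "True") || (!on && p[2] == "False")) print
        }
    }'
}
# Constructed sample standing in for: sesearch -C -A -s smbd_t -c file
sample_rules() {
cat <<'EOF'
allow smbd_t samba_share_t:file { append create getattr ioctl lock open read unlink write };
allow smbd_t user_home_t:file { getattr ioctl lock open read }; [ samba_enable_home_dirs ]:True
allow smbd_t user_home_t:file { append create rename setattr unlink write }; [ samba_enable_home_dirs ]:True
allow smbd_t nfs_t:file { getattr ioctl lock open read }; [ use_nfs_home_dirs ]:True
EOF
}
# Constructed boolean states standing in for: getsebool -a
sample_bools() {
cat <<'EOF'
samba_enable_home_dirs --> off
use_nfs_home_dirs --> on
EOF
}
# Rules in force for the sample. On a live host: getsebool -a > bools.txt;
# sesearch -C -A -s smbd_t -c file | active_rules bools.txt
in_force() {
    tmp=$(mktemp) || return 1
    sample_bools > "$tmp"
    sample_rules | active_rules "$tmp"
    rm -f "$tmp"
}
in_force
```

With the sample states only the samba_share_t rule and the nfs_t rule survive; both user_home_t rules drop out because samba_enable_home_dirs is off, which is the "what the attacker cannot do" check the thread asks about.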
