SELinux - back to basics
Daniel J Walsh
dwalsh at redhat.com
Tue Aug 18 21:49:06 UTC 2009
On 08/17/2009 01:05 AM, adrian golding wrote:
> To refine my questions in the earlier email:
> 1) many of the things the attacker can do if he exploits the Samba
> vulnerability can be found in the source policy. but there are also so many
> other rules in the policy (hundreds?), my question is how do I know if the
> other rules matter much? there are >300 rules related to smbd_t, and it
> just *seems* a lot can go wrong with the system.
Yes, you have to ask the questions. You can ask a question in APOL about whether smbd_t can read a file.
A simple query
sesearch --allow -s smbd_t -t user_home_t -c file -p read
asks whether smbd_t can read files labeled user_home_t directly. You can use apol to look for transition rules that might allow it.
SELinux is all about types, so you need to use commands like
semanage port -l
to list the types that ports are assigned to, or /etc/selinux/targeted/context/files/files.context to see what types are assigned to files by default.
> 2) how do we verify the part about what the attackers cannot do? does it
> mean, if i cannot find a rule that links smbd_t with user_home_t with the
> 'read' permission, the attacker cannot read/manipulate user home
> directories? Or it is not as trivial?
Anything that is not allowed is denied. See above.
> 3) i am assuming ports 137-139 and 445 are labelled smbd_port_t, but where
> can i find this assignment in the policy? i am currently using apol.
semanage port -l
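The two checks above (does an allow rule grant smbd_t a permission on a type, and which port type a port is labeled with) can be scripted against the output of sesearch and semanage. The following is an added example, not code from Dan or from the SELinux tools; it parses constructed sample output in the setools 3 `sesearch --allow` and `semanage port -l` formats, so it runs offline. It only looks at direct allow rules, which matches the caveat in the reply: a missing direct rule does not rule out access through a domain transition, so those have to be searched separately.

```python
"""Audit helper for the workflow in the thread: decide from `sesearch --allow`
output whether a source domain is allowed a permission on a target type, and
from `semanage port -l` output which port type a given port carries.
All sample output below is constructed for the example."""
import re

# Constructed sample of `sesearch --allow -s smbd_t` (setools 3 output format).
SESEARCH_OUTPUT = """\
Found 4 semantic av rules:
   allow smbd_t samba_share_t : file { ioctl read getattr lock open } ;
   allow smbd_t samba_share_t : dir { ioctl read getattr lock search open } ;
   allow smbd_t user_home_t : dir { getattr search } ;
   allow smbd_t smbd_port_t : tcp_socket name_bind ;
"""

# Constructed sample of `semanage port -l`.
SEMANAGE_PORT_OUTPUT = """\
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
smbd_port_t                    tcp      137-139, 445
nmbd_port_t                    udp      137, 138
"""

# One AV rule per line: "allow SRC TGT : CLASS { p1 p2 ... } ;" or a single perm.
AV_RULE = re.compile(
    r'^\s*allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*(?:\{([^}]*)\}|(\S+))\s*;')


def parse_allow_rules(text):
    """Return {(source, target, class): set(perms)} from sesearch output."""
    rules = {}
    for line in text.splitlines():
        m = AV_RULE.match(line)
        if not m:
            continue
        src, tgt, cls, braced, single = m.groups()
        perms = braced.split() if braced is not None else [single]
        rules.setdefault((src, tgt, cls), set()).update(perms)
    return rules


def is_allowed(rules, source, target, cls, perm):
    """True only if a direct allow rule grants perm; transitions are not followed."""
    return perm in rules.get((source, target, cls), set())


def parse_port_types(text):
    """Return [(port_type, proto, set_of_ports)] with ranges expanded."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[1] not in ('tcp', 'udp'):
            continue  # header, blank, or malformed line
        ptype, proto, spec = parts
        ports = set()
        for item in spec.split(','):
            item = item.strip()
            if '-' in item:
                lo, hi = item.split('-')
                ports.update(range(int(lo), int(hi) + 1))
            elif item:
                ports.add(int(item))
        entries.append((ptype, proto, ports))
    return entries


def port_type(entries, proto, port):
    """Port type labeling (proto, port), or None if no explicit assignment."""
    for ptype, p, ports in entries:
        if p == proto and port in ports:
            return ptype
    return None


if __name__ == '__main__':
    rules = parse_allow_rules(SESEARCH_OUTPUT)
    print('smbd_t read user_home_t file:',
          is_allowed(rules, 'smbd_t', 'user_home_t', 'file', 'read'))
    ports = parse_port_types(SEMANAGE_PORT_OUTPUT)
    print('tcp/445 is labeled:', port_type(ports, 'tcp', 445))
```

On a real system you would feed it the actual output, e.g. `sesearch --allow -s smbd_t > rules.txt` and `semanage port -l > ports.txt`, then run the same queries; the port parser expands ranges such as `137-139`, so asking about 138 answers correctly.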
> thank you
> On Mon, Aug 17, 2009 at 10:42 AM, adrian golding <adriangolding at gmail.com> wrote:
>> dear all, can you please point me to the right place:
>> with reference to: http://danwalsh.livejournal.com/10131.html
>> i am interested in how dan knows what an attacker can make use of the samba
>> vulnerability to do by default, and what the attacker cannot do. More
>> generally speaking, how do we look at a service or application in a SELinux
>> system, and finding out what the attacker can do and cannot do in the case
>> of the service being exploited?
>> in that page, he looked at some of the relevant booleans and i guess
>> "samba_enable_home_dirs ---> off" prevents the attacker to read/manipulate
>> the user's home directories. But what about the rest? What other things can
>> an end user (who is not very experienced in SELinux) examine to know what
>> the attacker can / cannot do?
>> thank you