SELinux - back to basics

Daniel J Walsh dwalsh at redhat.com
Tue Aug 18 21:51:08 UTC 2009


On 08/17/2009 08:33 AM, Dominick Grift wrote:
> On Mon, Aug 17, 2009 at 12:28:02PM +0000, Stephen Smalley wrote:
>> On Mon, 2009-08-17 at 10:42 +0800, adrian golding wrote:
>>> dear all, can you please point me to the right place:
>>>
>>> with reference to: http://danwalsh.livejournal.com/10131.html
>>>
>>>
>>> i am interested in how dan knows what an attacker can make use of the
>>> samba vulnerability to do by default, and what the attacker cannot
>>> do.  More generally speaking, how do we look at a service or
>>> application in a SELinux system, and finding out what the attacker can
>>> do and cannot do in the case of the service being exploited?  
>>>
>>>
>>> in that page, he looked at some of the relevant booleans and i guess
>>> "samba_enable_home_dirs ---> off" prevents the attacker from
>>> reading/manipulating the user's home directories. But what about the rest?
>>> What other things can an end user (who is not very experienced in
>>> SELinux) examine to know what the attacker can / cannot do?
>>
>> sesearch can be a very useful tool for interrogating the policy to see
>> what a given domain can access, and the information flow and domain
>> transition analysis capabilities of apol are likewise quite useful.
> 
> With regard to sesearch it is good to know that it displays all rules, including the rules that may be disabled by a boolean.
> So with that in mind sesearch can be a bit misleading.
> 
> If you encounter a situation where access is denied, but where sesearch returns a rule that would have allowed the access, then pipe the AVC denial into audit2why.
> 
>>
>> -- 
>> Stephen Smalley
>> National Security Agency
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
If you use the -C option it will show you the boolean.  Of course it will not tell you if it is enabled or not.
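The thread's point is that sesearch lists every rule in the policy, and -C appends the conditional expression, but neither tells you the current value of the boolean; getsebool does. The following is an added example, not code from this thread or from the setools project: it joins constructed `sesearch -C` style lines with constructed `getsebool -a` style lines and marks which of the listed rules are in force right now. The sesearch sample is simplified to the `rule ; [ expression ]` shape (exact output differs between setools versions), and the optional `:True`/`:False` branch marker that some versions append is treated, as an assumption, as the branch in which the rule applies.

```python
"""Cross-check `sesearch -C` output against `getsebool -a` output.

sesearch shows all allow rules, including ones currently switched off by a
boolean; -C appends the conditional expression but not its current value.
Joining it with getsebool tells you which listed rules actually apply now.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `sesearch -A -C -s smbd_t` output (simplified shape;
# not real policy output).
SESEARCH_OUTPUT = """\
Found 5 semantic av rules:
allow smbd_t user_home_t:dir { getattr open read search }; [ samba_enable_home_dirs ]
allow smbd_t user_home_t:file { getattr open read }; [ samba_enable_home_dirs ]
allow smbd_t samba_share_t:dir { getattr open read search };
allow smbd_t nfs_t:dir { getattr open read search }; [ samba_share_nfs || samba_enable_home_dirs ]
allow smbd_t samba_share_t:file { append create write }; [ !samba_share_nfs && samba_export_all_rw ]
"""

# Constructed sample of `getsebool -a` output ("name --> on|off").
GETSEBOOL_OUTPUT = """\
samba_enable_home_dirs --> off
samba_export_all_rw --> off
samba_share_nfs --> on
"""

# "rule;" optionally followed by "[ expr ]" and an optional ":True/:False" marker.
RULE_RE = re.compile(
    r"^(?P<rule>[^;]*;)\s*(?:\[(?P<expr>[^\]]*)\](?::(?P<branch>True|False))?)?\s*$"
)
TOKEN_RE = re.compile(r"\s*(\(|\)|!|&&|\|\||\w+)")


@dataclass
class Rule:
    text: str
    expr: Optional[str]   # conditional expression, None if unconditional
    active: bool          # True if the rule is in force with current booleans


def parse_booleans(text: str) -> Dict[str, bool]:
    """Parse getsebool lines; accepts '-->' and the '--->' seen in the thread."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s*-+>\s*(on|off)\s*$", line)
        if m:
            values[m.group(1)] = m.group(2) == "on"
    return values


def tokenize(expr: str) -> List[str]:
    tokens, pos = [], 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            if expr[pos:].strip():
                raise ValueError(f"bad token near {expr[pos:]!r}")
            break
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive descent over: expr := term ('||' term)*; term := factor ('&&' factor)*;
    factor := '!' factor | '(' expr ')' | boolean_name."""

    def __init__(self, tokens: List[str], values: Dict[str, bool]):
        self.toks, self.values, self.i = tokens, values, 0

    def peek(self) -> Optional[str]:
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self) -> Optional[str]:
        t = self.peek()
        self.i += 1
        return t

    def expr(self) -> bool:
        v = self.term()
        while self.peek() == "||":
            self.take()
            rhs = self.term()
            v = v or rhs
        return v

    def term(self) -> bool:
        v = self.factor()
        while self.peek() == "&&":
            self.take()
            rhs = self.factor()
            v = v and rhs
        return v

    def factor(self) -> bool:
        t = self.take()
        if t == "!":
            return not self.factor()
        if t == "(":
            v = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return v
        if t is None or t in ("&&", "||", ")"):
            raise ValueError(f"unexpected token {t!r}")
        if t not in self.values:
            raise KeyError(f"boolean {t} not present in getsebool output")
        return self.values[t]


def evaluate(expr: str, values: Dict[str, bool]) -> bool:
    p = _Parser(tokenize(expr), values)
    v = p.expr()
    if p.peek() is not None:
        raise ValueError("trailing tokens in expression")
    return v


def classify_rules(sesearch_text: str, getsebool_text: str) -> List[Rule]:
    """Mark each sesearch rule as active or not under the current boolean values."""
    values = parse_booleans(getsebool_text)
    rules = []
    for line in sesearch_text.splitlines():
        m = RULE_RE.match(line)
        if not m or not m.group("rule").strip():
            continue  # skips headers such as "Found N semantic av rules:"
        expr = m.group("expr")
        active = True if expr is None else evaluate(expr, values)
        if m.group("branch") == "False":  # assumed: rule sits in the else-branch
            active = not active
        rules.append(Rule(m.group("rule").strip(), expr, active))
    return rules


if __name__ == "__main__":
    for r in classify_rules(SESEARCH_OUTPUT, GETSEBOOL_OUTPUT):
        tag = "ACTIVE  " if r.active else "inactive"
        cond = f"   [{r.expr.strip()}]" if r.expr else ""
        print(f"{tag}  {r.text}{cond}")
```

On a live system the two constants would be replaced by the captured output of `sesearch -A -C -s <domain>` and `getsebool -a`; rules reported as inactive are exactly the ones sesearch alone would have made look reachable, and the boolean names in their expressions are the ones to keep an eye on.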
