Thanks for the answers. I'm trying to find a set of types executable by regular users which are managed by few and high privileged domains. Unfortunately, regarding 'etc_t', there's a non-administrative domain, 'postgresql_t', which is allowed to create it. The case of 'noxattrfs' seems to be solvable by turning off the booleans 'user_rw_noexattrfile' and 'xguest_mount_media'.
I have just another question: is it possible to write a policy which creates a new attribute and assigns to it the types of another attribute, with addition/subtraction of other types? For example:
attribute subset_exec_type; typeattribute { exec_type -cifs_t } subset_exec_type;
Just to simplify how to make queries which involve attributes minus some types, I wrote a small patch for the 'setools' software, which introduces two new arguments (-u -v) to the command line utility 'sesearch' in order to indicate a type/attribute to exclude respectively from the source and the target. It works for now for av rules searched semantically, and I post it as an attachment for evaluation.
On Monday 13 September 2010 20:27:01 Daniel J Walsh wrote:
On 09/13/2010 12:29 PM, Roberto Sassu wrote:
Hi all
I'm investigating what types the domain user_t is allowed to execute, in particular those that don't belong to the exec_type attribute. I need more details about the attribute 'noxattrfs' and the type 'etc_t', more precisely in which circumstances they are executed by a regular user. Thanks in advance for replies.
Roberto Sassu
In addition to Dominick's comments.
Remember the user_t is still governed by DAC. Meaning that an executable labeled etc_t would only be executable by the user if he could execute it, even if SELinux was disabled.
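The query the thread is circling (which types user_t may execute that are not members of exec_type, and an attribute "minus" some types such as cifs_t) can also be answered by post-processing ordinary sesearch output instead of patching the tool. The script below is an added example written for this page; it is not the patch Roberto attached and not part of setools. The allow rules and the exec_type membership are constructed sample data, standing in for what `sesearch -A -s user_t -c file -p execute` and `seinfo -aexec_type -x` would print on a real system.

```python
import re

# Constructed sample in the style of `sesearch -A -s user_t -c file -p execute` output.
# These are invented rules for the example, not rules from any real policy.
SAMPLE_SESEARCH_OUTPUT = """\
allow user_t bin_t:file { execute execute_no_trans getattr open read };
allow user_t shell_exec_t:file { execute getattr open read };
allow user_t etc_t:file { execute getattr open read };
allow user_t noxattrfs:file { execute getattr open read };
allow user_t user_home_t:file { getattr open read write };
allow user_t cifs_t:file execute;
"""

# Constructed membership of the exec_type attribute (on a real system this would come
# from `seinfo -aexec_type -x`); invented for the example.
EXEC_TYPE_MEMBERS = {"bin_t", "shell_exec_t", "cifs_t"}

# Matches both the braced multi-permission form and the single-permission form.
ALLOW_RE = re.compile(
    r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*?)\s*\}|(\S+?))\s*;$"
)


def parse_allow_rules(text):
    """Parse sesearch-style 'allow' lines into (source, target, class, perms) tuples."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if not m:
            continue  # skip headers, blank lines, non-allow rules
        src, tgt, cls, braced, single = m.groups()
        perms = frozenset((braced if braced is not None else single).split())
        rules.append((src, tgt, cls, perms))
    return rules


def executable_targets(rules, source, tclass="file", perm="execute"):
    """Target types that `source` may `perm` on class `tclass`."""
    return {tgt for src, tgt, cls, perms in rules
            if src == source and cls == tclass and perm in perms}


def attribute_minus_types(members, excluded):
    """The 'attribute minus some types' set from the thread, e.g. exec_type minus cifs_t."""
    return set(members) - set(excluded)


def targets_outside_attribute(rules, source, attribute_members):
    """Executable targets of `source` that are NOT members of the given attribute.
    This is the question the thread asks about user_t and exec_type."""
    return executable_targets(rules, source) - set(attribute_members)


if __name__ == "__main__":
    rules = parse_allow_rules(SAMPLE_SESEARCH_OUTPUT)
    print("executable by user_t:", sorted(executable_targets(rules, "user_t")))
    print("not in exec_type:", sorted(targets_outside_attribute(rules, "user_t", EXEC_TYPE_MEMBERS)))
    print("exec_type minus cifs_t:", sorted(attribute_minus_types(EXEC_TYPE_MEMBERS, {"cifs_t"})))
```

On a real system the two constants would be replaced by the captured command output; the set operations are the same ones the proposed -u/-v sesearch options perform, done after the fact rather than inside the query.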