Thanks for the answers. I'm trying to find a set of types executable by regular users
which are managed by a few highly privileged domains.
Unfortunately, regarding 'etc_t', there's a non administrative domain,
'postgresql_t', which is allowed to create it.
The case of 'noxattrfs' seems to be solvable by turning off the booleans
'user_rw_noexattrfile' and 'xguest_mount_media'.
I have just one more question: is it possible to write a policy which creates a new
attribute and assigns to it the types of another attribute, with the addition/subtraction of other
types?
For example:
attribute subset_exec_type;
typeattribute { exec_type -cifs_t } subset_exec_type;
Just to simplify making queries which involve attributes minus some types, I wrote a
small patch for the 'setools' software, which introduces two new arguments (-u -v)
to the command line utility 'sesearch' in order to indicate a type/attribute to
exclude from the source and the target respectively.
For now it works for AV rules searched semantically, and I'm posting it as an attachment for
evaluation.
On Monday 13 September 2010 20:27:01 Daniel J Walsh wrote:
On 09/13/2010 12:29 PM, Roberto Sassu wrote:
> Hi all
>
> I'm investigating what types the domain user_t is allowed to execute, in
> particular those that don't belong to the exec_type attribute. I need
> more details about the attribute 'noxattrfs' and the type 'etc_t', more
> precisely in which circumstances they are executed by a regular user.
> Thanks in advance for replies.
>
> Roberto Sassu
In addition to Dominick's comments.
Remember that user_t is still governed by DAC, meaning that an
executable labeled etc_t would only be executable by the user if he
could execute it even if SELinux was disabled.
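The kind of query discussed in this thread (targets user_t may execute, minus the members of an attribute, and an attribute set computed as "exec_type minus some types"), as an added example in Python that post-processes sesearch-style output; this is not the sesearch patch from the mail, and the rule lines, the exec_type membership and the helper names are constructed for illustration:

```python
import re

# Constructed sample in the shape of `sesearch --allow -s user_t -p execute`
# output (not output from a real policy).
SESEARCH_OUTPUT = """\
allow user_t bin_t : file { ioctl read getattr lock execute execute_no_trans open } ;
allow user_t etc_t : file { ioctl read getattr lock execute execute_no_trans open } ;
allow user_t cifs_t : file { ioctl read getattr lock execute execute_no_trans open } ;
allow user_t shell_exec_t : file { read getattr execute open } ;
allow user_t user_home_t : file { ioctl read getattr lock execute execute_no_trans open } ;
allow user_t tmp_t : file { read getattr open } ;
"""

# Constructed membership of the exec_type attribute (a real one would come
# from `seinfo -aexec_type -x`).
EXEC_TYPE_MEMBERS = frozenset({"bin_t", "shell_exec_t", "cifs_t", "sbin_t"})

# allow <source> <target> : <class> { <perms> } ;
AV_RULE = re.compile(r"^allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}")


def parse_av_rules(text):
    """Yield (source, target, object class, permission set) per allow rule."""
    for line in text.splitlines():
        m = AV_RULE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), set(m.group(4).split())


def executable_targets(rules, source, exclude=frozenset()):
    """File types `source` may execute, minus the types in `exclude`.

    Passing an attribute's member set as `exclude` gives the same result the
    mail's proposed `-v` option aims at: targets not covered by that attribute.
    """
    found = set()
    for src, tgt, cls, perms in rules:
        if src == source and cls == "file" and "execute" in perms:
            if tgt not in exclude:
                found.add(tgt)
    return found


def subset_attribute(members, minus):
    """Set arithmetic behind `{ exec_type -cifs_t }`: members minus `minus`."""
    return set(members) - set(minus)
```

Running executable_targets with exclude=EXEC_TYPE_MEMBERS leaves exactly the non-exec_type executables (etc_t and user_home_t in this sample), which is the set the original question asks about.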