On Mon, Sep 13, 2010 at 06:29:29PM +0200, Roberto Sassu wrote:
Hi all
i'm investigating what types the domain user_t is allowed to execute, in
particular those that don't belong to the exec_type attribute. I need more
So you could first query which file_types user_t can execute, that show all file types:
sesearch -SC --allow -s user_t -t file_type -c file execute
Then you can see if a particular type is assigned the exec_type attribute:
seinfo -x -tbin_t
details about the attribute 'noxattrfs'
Thats an attribute that is addigned to filesystems that do not support extended
attributes:
seinfo -x -anoxattrfs
simple example would be dosfs
and the type 'etc_t', more precisely
etc_t is the generic type for content in /etc. So by default all files in /etc get type
etc_t.
sesearch -SC --allow -s user_t -t etc_t -c file
looks like fedora allows user_t to execute etc_t files but only read types with the
configfile attribute. (files_config_file files in /etc that do not have the generic etc_t
type)
in which circumstances they are executed by a regular user.
Fedora tries to confine as little as possible. She really targets what she thinks are
treats. obviously she does not consider user_t executing etc_t files or reading
configfiles a threat.
Thanks in advance for replies.
Roberto Sassu
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux