On 09/14/2010 05:55 AM, Roberto Sassu wrote:
Thanks for answers. I'm trying to find a set of types executable
by regular users which are managed by few and high privileged domains.
Unfortunately, regarding 'etc_t', there's a non administrative domain,
'postgresql_t', which is allowed to create it.
That seems wrong; I have no idea why postgresql would be able to manage etc files. Chris, do you have any idea? (Hopefully this did not come from me.) BTW, there is no way for user_t to execute something as postgresql_t.
The case of 'noxattrfs' seems to be solvable by turning off the booleans 'user_rw_noexattrfile' and 'xguest_mount_media'.
I have just another question: is it possible to write a policy which creates a new attribute and assigns to it the types of another attribute, with the addition/subtraction of other types?
For example:
attribute subset_exec_type;
typeattribute { exec_type -cifs_t } subset_exec_type;
Just to simplify how to make queries which involve attributes minus some types, I wrote a small patch for the 'setools' software, which introduces two new arguments (-u, -v) to the command line utility 'sesearch' in order to indicate a type/attribute to exclude from the source and the target respectively.
It works for now for av rules searched semantically, and I post it as an attachment for evaluation.
This patch should be sent to the selinux(a)tycho.nsa.gov list where the
maintainers of setools would be more likely to see it.
On Monday 13 September 2010 20:27:01 Daniel J Walsh wrote:
On 09/13/2010 12:29 PM, Roberto Sassu wrote:
>>> Hi all
>>>
>>> I'm investigating what types the domain user_t is allowed to execute, in
>>> particular those that don't belong to the exec_type attribute. I need
>>> more details about the attribute 'noxattrfs' and the type 'etc_t', more
>>> precisely in which circumstances they are executed by a regular user.
>>> Thanks in advance for replies.
>>>
>>> Roberto Sassu
In addition to Dominick's comments:
Remember that user_t is still governed by DAC, meaning that an executable labeled etc_t would only be executable by the user if he could execute it even with SELinux disabled.
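Added example (not code from this thread, from setools or from the sesearch patch mentioned above): a small Python model of a semantic allow-rule search that can exclude a type or attribute from the source or target, as the proposed -u/-v options describe, plus the "attribute equal to another attribute minus some types" idea from the question. The attribute memberships and allow rules are constructed sample data, not a real policy.

```python
from dataclasses import dataclass

# Constructed sample attribute memberships (not taken from any real policy).
ATTRIBUTES = {
    "exec_type": {"bin_t", "shell_exec_t", "cifs_t"},
    "noxattrfs": {"cifs_t", "vfat_t"},
}

@dataclass(frozen=True)
class AllowRule:
    source: str        # a type or an attribute
    target: str        # a type or an attribute
    tclass: str        # object class, e.g. "file"
    perms: frozenset   # permissions granted

# Constructed allow rules, loosely modelled on the thread's discussion.
RULES = [
    AllowRule("user_t", "exec_type", "file", frozenset({"read", "execute"})),
    AllowRule("user_t", "noxattrfs", "file", frozenset({"read", "execute"})),
    AllowRule("user_t", "etc_t", "file", frozenset({"read", "execute"})),
    AllowRule("postgresql_t", "etc_t", "file", frozenset({"create", "write"})),
]

def expand(name):
    """Semantic expansion: an attribute stands for all of its member types."""
    return set(ATTRIBUTES.get(name, {name}))

def define_subset_attribute(name, base, minus=()):
    """Model a derived attribute: the members of `base` minus the given types."""
    ATTRIBUTES[name] = expand(base) - set(minus)
    return ATTRIBUTES[name]

def sesearch(source, perm, tclass="file", exclude_source=None, exclude_target=None):
    """Return the target types that `source` may access with `perm` on `tclass`
    after attribute expansion, dropping every member of the excluded source or
    target type/attribute (the behaviour the -u/-v options are meant to give)."""
    ex_src = expand(exclude_source) if exclude_source else set()
    ex_tgt = expand(exclude_target) if exclude_target else set()
    targets = set()
    for rule in RULES:
        if rule.tclass != tclass or perm not in rule.perms:
            continue
        if source not in expand(rule.source) - ex_src:
            continue
        targets |= expand(rule.target) - ex_tgt
    return targets

if __name__ == "__main__":
    # Everything user_t may execute, then only what lies outside exec_type.
    print(sorted(sesearch("user_t", "execute")))
    print(sorted(sesearch("user_t", "execute", exclude_target="exec_type")))
```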