 
Old 12-08-2009, 11:21 AM
Jorge Fábregas
 
Default Targeted Daemons/Apps- Fedora 12

Hello everyone,

Where can I find a list of all the targeted daemons/apps that are protected by
the current policy on Fedora 12?

Thanks,
Jorge

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 12-08-2009, 11:45 AM
Dominick Grift
 
Default Targeted Daemons/Apps- Fedora 12

On Tue, Dec 08, 2009 at 08:21:41AM -0400, Jorge Fábregas wrote:
> Hello everyone,
>
> Where can I find a list of all the targeted daemons/apps that are protected by
> the current policy on Fedora 12?

That is not so easy to list.

You can list installed modules that are not part of the base policy:

semodule -l

That will give you at least some impression about what may be targeted.

But that impression is distorted. One reason is that a policy for a daemon or app may be built into the base policy.
Base policy is a group of mandatory modules.

Another reason why listing targeted daemons/apps is not so easy is because of how policy is structured.

A policy module can have policy for several daemons and apps. For example:

The irc policy module has policy for several different irc clients. They are grouped into one module because they share the property that they are all irc clients.

Another example is the git module. This module has policy for the git daemon but it also has policy for the cgit web application.

Another way to approach this issue is to run the following command:

sesearch --allow -s domain

This will list all interactions that are allowed where the source of an interaction is a type with the domain attribute (think of attributes as if they are tags).

The problem here is that this shows all domain types. One program can sometimes be run with various domain types. So this is also a distorted view. Besides that, it is not always easy to determine what daemon or app a type is for, just by looking at a type.

To really get an answer to your question, I believe you would probably need to inspect the source policy. Since you want to know the daemons targeted, you would probably inspect the policy/modules/services directory carefully and determine there which daemons may be targeted. For apps you would look into the policy/modules/apps directory.

But even that is not accurate, since policy may be available but not installed, or may be installed but not instantiated.

>
> Thanks,
> Jorge
 
Old 12-09-2009, 11:06 AM
Jorge Fábregas
 
Default Targeted Daemons/Apps- Fedora 12

Thanks Dominick for the nice explanation. Ok, now I understand it's not as
straightforward as I thought.

I originally asked because I remember when RHEL4 and RHEL5 came out, among the
new features list, was this list of the "targeted daemons". Now, as I'm
considering SELinux for personal/desktop use (in Fedora), I was wondering
which typical apps (of the base install) were protected (like Thunderbird,
Firefox, etc...).

Again, thanks for pointing me to the right direction.

All the best,
Jorge

 
Old 12-09-2009, 05:34 PM
Daniel J Walsh
 
Default Targeted Daemons/Apps- Fedora 12

On 12/09/2009 07:06 AM, Jorge Fábregas wrote:
> Thanks Dominick for the nice explanation. Ok, now I understand it's not as
> straightforward as I thought.
>
> I originally asked because I remember when RHEL4 and RHEL5 came out, among the
> new features list, was this list of the "targeted daemons". Now, as I'm
> considering SELinux for personal/desktop use (in Fedora), I was wondering
> which typical apps (of the base install) were protected (like Thunderbird,
> Firefox, etc...).
>
> Again, thanks for pointing me to the right direction.
>
> All the best,
> Jorge
>
You can see all the types associated with processes by executing

seinfo -adomain -x | wc -l
506

Permissive domains
# seinfo --permissive | wc -l
32

Unconfined domains

# seinfo -aunconfined_domain_type -x | wc -l
51

Unconfined domains with unconfined pp file disabled
# semodule -d unconfined
# seinfo -aunconfined_domain_type -x | wc -l
16

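Added example, not part of any poster's message: the three seinfo listings above can be combined into the set the original question asks about, that is, domain types that are neither unconfined nor permissive. The function names and the sample listings are constructed for illustration, and the parser assumes seinfo prints each type alone on its own line.

```shell
#!/bin/sh
# Added example: derive confined, enforcing domain types from seinfo listings.
LC_ALL=C; export LC_ALL   # sort and comm must agree on collation

# types_from ATTR: read a seinfo listing on stdin, print one type per line.
# Assumption: a type is a line holding a single token. Multi-token header
# lines ("Permissive Types: 32", "attribute domain;") are skipped, and the
# bare attribute name that some seinfo versions print is dropped by name.
types_from() {
    awk -v attr="$1" \
        'NF == 1 && $1 != attr && $1 ~ /^[A-Za-z0-9_.-]+$/ { print $1 }' |
        sort -u
}

# confined_enforcing DOMAINS UNCONFINED PERMISSIVE
# Arguments are files holding raw output of the three seinfo commands.
confined_enforcing() {
    tmp=$(mktemp -d) || return 1
    types_from domain < "$1" > "$tmp/d"
    types_from unconfined_domain_type < "$2" > "$tmp/u"
    types_from "" < "$3" > "$tmp/p"
    # domain minus (unconfined union permissive)
    sort -u "$tmp/u" "$tmp/p" | comm -23 "$tmp/d" -
    rm -rf "$tmp"
}

# demo: constructed listings (not real policy data) showing the calculation.
demo() {
    s=$(mktemp -d) || return 1
    printf '   domain\n      httpd_t\n      named_t\n      unconfined_t\n      initrc_t\n      abrt_helper_t\n' > "$s/d"
    printf '   unconfined_domain_type\n      unconfined_t\n      initrc_t\n' > "$s/u"
    printf '\nPermissive Types: 1\n   abrt_helper_t\n' > "$s/p"
    confined_enforcing "$s/d" "$s/u" "$s/p"
    rm -rf "$s"
}

# On a host with setools installed, run against the loaded policy.
if command -v seinfo >/dev/null 2>&1; then
    work=$(mktemp -d)
    seinfo -adomain -x > "$work/domain"
    seinfo -aunconfined_domain_type -x > "$work/unconfined"
    seinfo --permissive > "$work/permissive"
    confined_enforcing "$work/domain" "$work/unconfined" "$work/permissive"
    rm -rf "$work"
fi
```

The result is still a list of types rather than programs, so the caveat from earlier in the thread applies: one program may run under several domain types.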
 
Old 12-10-2009, 10:26 PM
Jorge Fábregas
 
Default Targeted Daemons/Apps- Fedora 12

Thank you Daniel. That's right on.

All the best,
Jorge
