danwalsh

(a) there is such a thing as <lj-cut> tag
You'd better use it for long posts

(b) have no idea how you formatted this, but formatting is ugly: it has huge gaps before each table

(c) no one has a lightest idea WHAT the hell you are talking about.
What Fedora? Doing what exactly? - a machine can be a desktop or a server or ...[add any of the scores of possible functions here] etc.

What are you talking about??

Yes When I started I did not intend it to be so long.

The uglyness of the tables is caused by livejournal editor. I could not figure out how to fix it. It looks like it adds a whole bunch of
for no reason. But my source did not have any.

I am talking about SELinux, that is what I talk about.

Very interesting post. Thanks.

But it would be very interesting to understand why in FC12 i can ask questions about the selinux attributes and in RHEL5 no, I'm writing an article on SELinux and RHEL5 and RHEL6 (still in beta 2). For example

seinfo -adomain -x
Rule loading disabled
ERROR: Provided attribute (domain) is not a valid attribute name.

cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.5 (Tikanga)

I studied (and used) very much SELINUX - even all the books that were written - but this particular escapes me. Perhaps it is possible to produce this stat in RHEL5 in another way? sesearch maybe? Or only looking to the policy source ?

Thanks

In RHEL5 the attribute names were removed from the compiled policy in RHEL6 they are still there.

You need to check the policy modules in RHEL5.

For RHEL Enterprise Linux 5.5 with selinux-policy-2.4.6-277 (not the latest bat it is just for a first analisys).

I follow what you have done for FC-12.

In the command that follow(seinfo, sesearch) the xx variable is equal to the result of this shell script on a FC12, because i need a new version of setools-console

$rpmbuild –bi /tmp/selinux-policy-2.4.6-277.el5.src.rpm
$cd /root/rpmbuild/BUILDROOT/selinux-policy-.4.6-277.fc12.x86_64/usr/share/selinux/targeted
$xx="$PWD/base.pp $(ls -1 $PWD/*.pp | grep -E -v "(base.pp|enableaudit.pp)")"



A good estimate of the number of different confined processes is to count the number of types with the domain attribute.

seinfo -adomain -x $xx | tail -n +2 | wc -l
279

Not all domain types are confined. If we want to look at the number of unconfined domains, we can use the unconfined_domain attribute.

seinfo -aunconfined_domain_type -x $xx | tail -n +2 | wc -l
49

Unconfined Domains
---------------------
ada_t |anaconda_t|apmd_t|clvmd_t
depmod_t |firstboot_t|fsadm_t|hald_t
httpd_unconfined_script_t|inetd_child_t|inetd_t|
init_t |initrc_t|insmod_t|java_t
kernel_t |kudzu_t|ldconfig_t|local_login_t
logrotate_t|lvm_t|mdadm_t|mono_t
mount_t |pegasus_t|prelink_t|readahead_t
remote_login_t|rpm_script_t|rpm_t|rshd_t
samba_unconfined_script_t|semanage_gui_t|sendmail_t|udev_t
unconfined_execmem_t|unconfined_mount_t|unconfined_t|useradd_t
wine_t |xdm_t|xdm_xserver_t|xend_t
ricci_modcluster_t|virtd_t|qemu_unconfined_t|rgmanager_t

In RHEL5.5 permissive domain doesn’t exists

A couple of other interesting statistics.

Total number of file types.

seinfo -afile_type -x $xx | tail -n +2 | wc –l

1043

In order to get the number of allow rules, you need to use sesearch

sesearch --allow $xx | wc -l
80640

Dontaudit Rules

sesearch --dontaudit $xx | wc –l

10171

********************************************************

Does this seem consistent? Definitely not an easy way, but the results could be useful for comparison