Dan Walsh's Blog

Got SELinux?


Confined processes statistics in Fedora 12?
danwalsh
I often get asked how many processes are confined with SELinux. 

In RHEL4 we estimated around 15.
In RHEL5 we estimated around 200.

There is a handy tool called seinfo (in the setools package) that lets you query the installed policy for attributes, types and other policy features. In SELinux, every type a process can run as carries an attribute called "domain".

A good first estimate of the number of distinct process domains is the number of types that carry the domain attribute:

seinfo -adomain -x | tail -n +2 | wc -l
513

Note: the first line of output is dropped because seinfo prints the attribute name there. The tail offsets in this post match the setools 3 seinfo shipped with Fedora 12; other seinfo versions format that header differently, so look at the raw output before trusting a fixed offset.

Not all domain types are confined. To count the unconfined ones, query the unconfined_domain_type attribute instead:

seinfo -aunconfined_domain_type -x | tail -n +2 | wc -l
52

Unconfined Domains

bootloader_t
devicekit_power_t
ldconfig_t
unconfined_cronjob_t
unconfined_sendmail_t
setfiles_mac_t
initrc_t
ada_t
fsadm_t
kudzu_t
lvm_t
mdadm_t
mono_t
rpm_t
wine_t
unconfined_mount_t
prelink_t
anaconda_t
rpm_script_t
system_cronjob_t
tmpreaper_t
samba_unconfined_net_t
unconfined_notrans_t
unconfined_execmem_t
devicekit_disk_t
firstboot_t
samba_unconfined_script_t
unconfined_java_t
unconfined_mono_t
httpd_unconfined_script_t
depmod_t
insmod_t
kernel_t
livecd_t
apmd_t
clvmd_t
crond_t
inetd_t
init_t
udev_t
virtd_t
xend_t
nagios_unconfined_plugin_t
devicekit_t
remote_login_t
inetd_child_t
qemu_unconfined_t
unconfined_t
ricci_modcluster_t
useradd_t
xserver_t


If you disable the unconfined policy module, which I recommend, only the unconfined user domains remain, along with a few domains that make no sense to confine (anaconda, firstboot, kernel, rpm):

# semodule -d unconfined
seinfo -aunconfined_domain_type -x | tail -n +2 | wc -l
14

Unconfined User Domains

unconfined_sendmail_t
rpm_t
unconfined_mount_t
anaconda_t
rpm_script_t
unconfined_notrans_t
unconfined_execmem_t
firstboot_t
unconfined_java_t
unconfined_mono_t
kernel_t
livecd_t
qemu_unconfined_t
unconfined_t


You can disable all of the unconfined domains by disabling the unconfineduser module as well:

# semodule -d unconfineduser

Note: set up all of your users as confined users before disabling the unconfineduser module, since logins mapped to unconfined_u depend on that module.
Disabling both the unconfined and unconfineduser policy modules is the equivalent of what we used to call the strict policy.
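A pre-flight check for that note, added here as an example and not taken from the post: it parses the login mappings that semanage login -l prints and refuses to disable the unconfineduser module while any login still maps to unconfined_u. The function names and the remap hint to staff_u are my own choices; the column layout assumed is the one semanage login -l prints (Login Name, SELinux User, MLS/MCS Range).

```shell
#!/bin/bash
# Added example, not code from the original post. Guards "semodule -d
# unconfineduser" with a check that no login is still mapped to unconfined_u.
# Assumes the "semanage login -l" layout: a header line starting with
# "Login Name", a blank line, then one mapping per line with the login name
# in column 1 and the SELinux user in column 2.

# Usage: unconfined_logins < output-of-semanage-login-l
# Prints the login names whose SELinux user is unconfined_u.
# Header and blank lines are skipped: the header starts with "Login", blank
# lines have no fields.
unconfined_logins() {
    awk 'NF >= 2 && $1 != "Login" && $2 == "unconfined_u" { print $1 }'
}

# Usage: disable_unconfineduser_if_safe
# Runs the check against the live system and only then disables the module.
# Returns 1 and lists the offending logins if any still map to unconfined_u.
disable_unconfineduser_if_safe() {
    local offenders
    offenders=$(semanage login -l | unconfined_logins)
    if [ -n "$offenders" ]; then
        echo "refusing to disable unconfineduser: these logins still map to unconfined_u:" >&2
        echo "$offenders" >&2
        echo "remap them first, e.g.: semanage login -m -s staff_u <login>" >&2
        return 1
    fi
    semodule -d unconfineduser
}
```

Source the file and call disable_unconfineduser_if_safe as root; the __default__ mapping counts as a login here, because every user without an explicit mapping inherits it.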

Another interesting category is permissive domains: domains for which SELinux logs denials but does not enforce them, even while the rest of the system is in enforcing mode. They can be listed with the --permissive option.

# seinfo --permissive -x | tail -n +3 | wc -l
31

Permissive Domains

gitd_session_t
smoltclient_t
kdumpgui_t
sandbox_xserver_t
prelink_cron_system_t
abrt_helper_t
firewallgui_t
corosync_t
asterisk_t
dnsmasq_t
plymouth_t
chrome_sandbox_t
nut_upsd_t
plymouthd_t
ksmtuned_t
nagios_checkdisk_plugin_t
nagios_services_plugin_t
abrt_t
clogd_t
gitd_t
kdump_t
tgtd_t
tuned_t
nagios_system_plugin_t
nut_upsmon_t
rgmanager_t
certmonger_t
sectoolm_t
chronyd_t
nut_upsdrvctl_t
vhostmd_t
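As an added example, not code from the post, here is a small bash script that puts the domain, unconfined_domain_type and --permissive queries above together and derives the confined set as domain types minus unconfined_domain_type types. Instead of a fixed tail offset it picks type lines out of the seinfo output by shape, which also copes with the different header the --permissive query prints. The function names are mine; the output layout it assumes is the setools 3 one shown in this post (a header line, then one indented type per line).

```shell
#!/bin/bash
# Added example, not code from the original post. Counts SELinux domains the
# way the post does, but selects type lines from "seinfo -a<attr> -x" output
# by shape instead of a fixed "tail -n +N" offset (the post needs +2 for
# attributes and +3 for --permissive, and other setools versions differ).
# Assumes the setools 3 layout shown in the post: a header line, then one
# indented type name per line.

# Usage: seinfo_types ATTR < seinfo-output
# Prints the sorted, de-duplicated type names listed for attribute ATTR.
# A type line has exactly one field; the attribute-name header is dropped by
# name, and a "Permissive Types: N" header has several fields so it never
# matches.
seinfo_types() {
    awk -v attr="$1" 'NF == 1 && $1 != attr { print $1 }' | sort -u
}

# Usage: count_types ATTR < seinfo-output
count_types() {
    seinfo_types "$1" | wc -l | tr -d '[:space:]'
}

# Usage: confined_domains ALL_FILE UNCONFINED_FILE
# Domain types (one per line in ALL_FILE) that do not carry
# unconfined_domain_type. -F -x -f treats each line of UNCONFINED_FILE as a
# literal whole-line pattern and -v keeps the non-matching lines. grep exits 1
# when nothing is left, which is a valid (if sad) answer, not an error.
confined_domains() {
    grep -v -F -x -f "$2" "$1" || true
}

# Usage: domain_report
# Live report against the installed policy; returns 1 if setools is absent.
domain_report() {
    command -v seinfo >/dev/null 2>&1 || { echo "seinfo not installed" >&2; return 1; }
    local all unconf
    all=$(mktemp) && unconf=$(mktemp) || return 1
    seinfo -adomain -x | seinfo_types domain > "$all"
    seinfo -aunconfined_domain_type -x | seinfo_types unconfined_domain_type > "$unconf"
    printf 'domain types:        %s\n' "$(wc -l < "$all" | tr -d '[:space:]')"
    printf 'unconfined domains:  %s\n' "$(wc -l < "$unconf" | tr -d '[:space:]')"
    printf 'confined domains:    %s\n' "$(confined_domains "$all" "$unconf" | wc -l | tr -d '[:space:]')"
    printf 'permissive domains:  %s\n' "$(seinfo --permissive -x | count_types permissive)"
    rm -f "$all" "$unconf"
}
```

Source the file and call domain_report on a host with setools installed. Because it subtracts the unconfined set rather than just counting domain types, the "confined domains" line is the number the post is really after, and it stays correct after semodule -d unconfined shrinks the unconfined list.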

A couple of other interesting statistics.

Total number of file types (types carrying the file_type attribute):

seinfo -afile_type -x | tail -n +2 | wc -l
1630

Counting allow rules needs sesearch rather than seinfo, since seinfo reports policy objects, not rules:

sesearch --allow | wc -l
225042

Dontaudit rules:

sesearch --dontaudit | wc -l
106021

Yes, when I started I did not intend it to be so long.

The ugliness of the tables is caused by the LiveJournal editor. I could not figure out how to fix it. It looks like it adds a whole bunch of
for no reason. But my source did not have any.

I am talking about SELinux, that is what I talk about.
