In RHEL4 we estimated around 15.
In RHEL5 we estimated around 200.
Well, there is a cool tool called seinfo (setools package) that allows you to query the installed policy for attributes and types, as well as other policy features. In SELinux, every process type has an attribute associated with it called "domain".
A good estimate of the number of different confined processes is to count the number of types with the domain attribute.
seinfo -adomain -x | tail -n +2 | wc -l
513
Note: I am removing the first line because it lists the attribute name.
Not all domain types are confined. If we want to look at the number of unconfined domains, we can use the unconfined_domain_type attribute.
seinfo -aunconfined_domain_type -x | tail -n +2 | wc -l
52
| bootloader_t | devicekit_power_t | ldconfig_t | unconfined_cronjob_t | unconfined_sendmail_t |
| setfiles_mac_t | initrc_t | ada_t | fsadm_t | kudzu_t |
| lvm_t | mdadm_t | mono_t | rpm_t | wine_t |
| unconfined_mount_t | prelink_t | anaconda_t | rpm_script_t | system_cronjob_t |
| tmpreaper_t | samba_unconfined_net_t | unconfined_notrans_t | unconfined_execmem_t | devicekit_disk_t |
| firstboot_t | samba_unconfined_script_t | unconfined_java_t | unconfined_mono_t | httpd_unconfined_script_t |
| depmod_t | insmod_t | kernel_t | livecd_t | apmd_t |
| clvmd_t | crond_t | inetd_t | init_t | udev_t | virtd_t |
| xend_t | nagios_unconfined_plugin_t | devicekit_t | remote_login_t | inetd_child_t |
| qemu_unconfined_t | unconfined_t | ricci_modcluster_t | useradd_t | xserver_t |
I recommend disabling the unconfined policy package. This leaves only the user domains unconfined, along with a few domains that do not make sense to confine (anaconda, firstboot, kernel, rpm).
# semodule -d unconfined
seinfo -aunconfined_domain_type -x | tail -n +2 | wc -l
14
| unconfined_sendmail_t | rpm_t | unconfined_mount_t | anaconda_t | rpm_script_t |
| unconfined_notrans_t | unconfined_execmem_t | firstboot_t | unconfined_java_t | unconfined_mono_t |
| kernel_t | livecd_t | qemu_unconfined_t | unconfined_t |
You can disable all unconfined domains by disabling the unconfineduser module.
# semodule -d unconfineduser
Note: You need to set up all your users as confined users before removing the unconfineduser module.
Disabling the unconfined and unconfineduser policy modules is the equivalent of what we used to call strict policy.
Another interesting category is permissive domains. Permissive domains can be listed with the --permissive option.
# seinfo --permissive -x | tail -n +3 | wc -l
31
| gitd_session_t | smoltclient_t | kdumpgui_t | sandbox_xserver_t | prelink_cron_system_t |
| abrt_helper_t | firewallgui_t | corosync_t | asterisk_t | dnsmasq_t |
| plymouth_t | chrome_sandbox_t | nut_upsd_t | plymouthd_t | ksmtuned_t |
| nagios_checkdisk_plugin_t | nagios_services_plugin_t | abrt_t | clogd_t | gitd_t |
| kdump_t | tgtd_t | tuned_t | nagios_system_plugin_t | nut_upsmon_t |
| rgmanager_t | certmonger_t | sectoolm_t | chronyd_t | nut_upsdrvctl_t |
| vhostmd_t |
A couple of other interesting statistics.
Total number of file types.
seinfo -afile_type -x | tail -n +2 | wc -l
1630
In order to get the number of allow rules, you need to use sesearch.
sesearch --allow | wc -l
225042
Dontaudit rules.
sesearch --dontaudit | wc -l
106021
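The counts above can be combined into a list of domains that are actually enforced: types with the domain attribute that are neither unconfined_domain_type nor permissive. The script below is an added example, not part of the original post; it assumes the setools-3 output layout (a header line, then one indented type per line) and that policy type names end in "_t". It runs the real seinfo queries when setools is installed and otherwise demonstrates the set arithmetic on a constructed six-type toy policy.

```shell
#!/bin/sh
# Added example: derive the effectively-confined domain list from seinfo output.
# Assumed output layout (setools 3): a header line (attribute name, or
# "Permissive Types: N") followed by one indented type name per line.

# Keep only lines that consist of a single type name. Policy types end in
# "_t" by convention, so header lines are dropped without being counted.
type_lines() {
    grep -E '^[[:space:]]*[A-Za-z0-9_]+_t[[:space:]]*$' | tr -d '[:blank:]' | sort -u
}

# confined_domains ALL UNCONFINED PERMISSIVE: print the type names present in
# file ALL but absent from both UNCONFINED and PERMISSIVE (all three sorted).
confined_domains() {
    comm -23 "$1" "$2" | comm -23 - "$3"
}

# Run the real queries on a system with setools installed.
report() {
    dir=$(mktemp -d)
    seinfo -adomain -x                 | type_lines > "$dir/domain"
    seinfo -aunconfined_domain_type -x | type_lines > "$dir/unconfined"
    seinfo --permissive -x             | type_lines > "$dir/permissive"
    printf 'domain types:        %s\n' "$(wc -l < "$dir/domain")"
    printf 'unconfined domains:  %s\n' "$(wc -l < "$dir/unconfined")"
    printf 'permissive domains:  %s\n' "$(wc -l < "$dir/permissive")"
    printf 'confined (enforced): %s\n' \
        "$(confined_domains "$dir/domain" "$dir/unconfined" "$dir/permissive" | wc -l)"
    rm -rf "$dir"
}

# Offline demonstration on constructed seinfo output (a toy policy, not a real
# one); prints the confined domains one per line.
demo_confined() {
    dir=$(mktemp -d)
    printf '   domain\n      crond_t\n      httpd_t\n      kernel_t\n      sshd_t\n      unconfined_t\n      xserver_t\n' \
        | type_lines > "$dir/domain"
    printf '   unconfined_domain_type\n      kernel_t\n      unconfined_t\n      xserver_t\n' \
        | type_lines > "$dir/unconfined"
    printf 'Permissive Types: 1\n   httpd_t\n' | type_lines > "$dir/permissive"
    confined_domains "$dir/domain" "$dir/unconfined" "$dir/permissive"
    rm -rf "$dir"
}

if command -v seinfo >/dev/null 2>&1; then report; else demo_confined; fi
```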
2010-01-06 08:53 pm (UTC)
The ugliness of the tables is caused by the livejournal editor. I could not figure out how to fix it. It looks like it adds a whole bunch of
for no reason. But my source did not have any.
I am talking about SELinux, that is what I talk about.