In RHEL4 we estimated around 15.
In RHEL5 we estimated around 200.
Well, there is a cool tool called seinfo (in the setools package) that lets you query the installed policy for attributes and types, as well as other policy features. In SELinux, every process type has an attribute associated with it called "domain".
A good estimate of the number of different confined processes is the number of types that carry the domain attribute.
seinfo -adomain -x | tail -n +2 | wc -l
513
Note: I am removing the first line because it lists the attribute name.
Not all domain types are confined. If we want to count the unconfined domains, we can use the unconfined_domain_type attribute.
seinfo -aunconfined_domain_type -x | tail -n +2 | wc -l
52
| bootloader_t | devicekit_power_t | ldconfig_t | unconfined_cronjob_t | unconfined_sendmail_t |
| setfiles_mac_t | initrc_t | ada_t | fsadm_t | kudzu_t |
| lvm_t | mdadm_t | mono_t | rpm_t | wine_t |
| unconfined_mount_t | prelink_t | anaconda_t | rpm_script_t | system_cronjob_t |
| tmpreaper_t | samba_unconfined_net_t | unconfined_notrans_t | unconfined_execmem_t | devicekit_disk_t |
| firstboot_t | samba_unconfined_script_t | unconfined_java_t | unconfined_mono_t | httpd_unconfined_script_t |
| depmod_t | insmod_t | kernel_t | livecd_t | apmd_t |
| clvmd_t | crond_t | inetd_t | init_t | udev_t | virtd_t |
| xend_t | nagios_unconfined_plugin_t | devicekit_t | remote_login_t | inetd_child_t |
| qemu_unconfined_t | unconfined_t | ricci_modcluster_t | useradd_t | xserver_t |
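The two counts above are the whole technique: domains minus unconfined domains gives the confined ones. The wrapper below is an added example, not part of the original post. It runs the same seinfo queries when seinfo is installed, and otherwise parses seinfo-style output supplied on stdin, so the parsing can be checked offline against the constructed sample listings embedded in the script (the sample type names and the exact header layout are assumptions, not real policy data).

```sh
#!/bin/sh
# Added example (not from the original post): wrap the seinfo counting
# technique so it can be reused and checked offline.

# Count the types listed under an attribute in `seinfo -a<attr> -x` output.
# The first line names the attribute, so it is dropped; blank lines are ignored.
count_attr_types() {
    tail -n +2 | sed 's/^[[:space:]]*//' | grep -c .
}

# Query the loaded policy for one attribute. Fails if seinfo is not installed.
seinfo_attr() {
    command -v seinfo >/dev/null 2>&1 || return 1
    seinfo -a"$1" -x
}

# Constructed sample listings in seinfo's layout (assumed, not real policy output).
SAMPLE_DOMAIN='   domain
      httpd_t
      sshd_t
      unconfined_t
      kernel_t
      rpm_t
'
SAMPLE_UNCONFINED='   unconfined_domain_type
      unconfined_t
      kernel_t
      rpm_t
'

# Confined domains = types with the domain attribute minus those that also
# carry unconfined_domain_type. $1 and $2 are the two seinfo listings.
confined_count() {
    d=$(printf '%s' "$1" | count_attr_types)
    u=$(printf '%s' "$2" | count_attr_types)
    echo $((d - u))
}

# Print the domain types from listing $1 that are absent from listing $2,
# i.e. the confined domains by name. The "===" line separates the two inputs.
confined_types() {
    { printf '%s' "$2"; echo '==='; printf '%s' "$1"; } | awk '
        BEGIN { part = 1; skip = 1 }
        /^===$/ { part = 2; skip = 1; next }   # switch from unconfined list to domain list
        skip == 1 { skip = 0; next }            # drop the attribute-name header line
        { gsub(/^[ \t]+/, "") }
        $0 == "" { next }
        part == 1 { uncon[$0] = 1; next }       # remember every unconfined type
        !($0 in uncon) { print }                # domain type not unconfined: confined
    '
}

# Stand-alone use: report on the live policy if seinfo exists, else on the sample.
if dom=$(seinfo_attr domain) && unc=$(seinfo_attr unconfined_domain_type); then
    echo "live policy: $(confined_count "$dom" "$unc") confined domains"
else
    echo "seinfo not available; sample data: $(confined_count "$SAMPLE_DOMAIN" "$SAMPLE_UNCONFINED") confined domains"
    confined_types "$SAMPLE_DOMAIN" "$SAMPLE_UNCONFINED"
fi
```

On a real box, replace the sample strings with the output of `seinfo -adomain -x` and `seinfo -aunconfined_domain_type -x` (the script does this itself when seinfo is on the path); confined_types then names exactly the domains a process can be locked into, which is more useful for auditing than the bare count.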
If you disable the unconfined policy module (which I recommend), only the user domains remain unconfined, along with a few domains that do not make sense to confine (anaconda, firstboot, kernel, rpm).
# semodule -d unconfined
seinfo -aunconfined_domain_type -x | tail -n +2 | wc -l
14
| unconfined_sendmail_t | rpm_t | unconfined_mount_t | anaconda_t | rpm_script_t |
| unconfined_notrans_t | unconfined_execmem_t | firstboot_t | unconfined_java_t | unconfined_mono_t |
| kernel_t | livecd_t | qemu_unconfined_t | unconfined_t |
You can get rid of the unconfined user domain as well by disabling the unconfineduser module:
# semodule -d unconfineduser
Note: You need to setup all your users as confined users, before removing the unconfineduser module.
Disabling the unconfined and unconfineduser policy modules is the equivalent of what we used to call strict policy.
Another interesting class of domains is permissive domains. Permissive domains can be listed with the --permissive option.
# seinfo --permissive -x | tail -n +3 | wc -l
31
| gitd_session_t | smoltclient_t | kdumpgui_t | sandbox_xserver_t | prelink_cron_system_t |
| abrt_helper_t | firewallgui_t | corosync_t | asterisk_t | dnsmasq_t |
| plymouth_t | chrome_sandbox_t | nut_upsd_t | plymouthd_t | ksmtuned_t |
| nagios_checkdisk_plugin_t | nagios_services_plugin_t | abrt_t | clogd_t | gitd_t |
| kdump_t | tgtd_t | tuned_t | nagios_system_plugin_t | nut_upsmon_t |
| rgmanager_t | certmonger_t | sectoolm_t | chronyd_t | nut_upsdrvctl_t |
| vhostmd_t |
A couple of other interesting statistics.
Total number of file types.
seinfo -afile_type -x | tail -n +2 | wc -l
1630
To get the number of allow rules, you need to use sesearch:
sesearch --allow | wc -l
225042
Number of dontaudit rules:
sesearch --dontaudit | wc -l
106021
Re: What for RHEL5 ?
2010-07-22 01:28 pm (UTC)
You need to check the policy modules in RHEL5.