Stop a confined application/process from affecting other processes on the system.
One of the biggest ways that a process can affect another process is by writing content that the other process later reads.
- If a hacked process can write ~/.bashrc in a user's home directory, the next time the user logs in the hacker gets control of a process running as unconfined_t.
- If a hacked process can write to /etc/httpd/config, the hacker gets control of the Apache process.
Users want to know:
What label is my application allowed to write to?
Where on the file system are these labels?
For example, on another blog I was asked today where mozilla_plugins can write their logs.
Well, in an effort to better document SELinux policy, we have been auto-generating man pages and have just added a new section called MANAGED FILES. This section of the man page lists the files and directories that a confined application is able to write.
The SELinux user type mozilla_plugin_t can manage files labelled with
the following file types. The paths listed are the default paths for
these file types. Note the processes UID still need to have DAC per‐
In Fedora 18, we now have 951 man pages related to SELinux.
> man -k selinux | wc -l
We will be generating these man pages in Fedora 17 and RHEL6/RHEL6 and hope to put them up on a web site so that "search engines" will have an easier time searching them.
You can generate your own man pages using these tools, which should be showing up in policycoreutils soon.
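The MANAGED FILES section is derived from the policy's allow rules (which types the domain may write) joined with the file context database (where those types live by default). As an added example, not the policycoreutils generator itself, this script builds the same kind of listing from constructed snippets of `sesearch` and `semanage fcontext -l` output; the rules and paths below are sample data, not real Fedora policy.

```python
import re
from collections import defaultdict

# Constructed sample of `sesearch -A -s mozilla_plugin_t` output (not real policy).
SESEARCH_OUTPUT = """\
allow mozilla_plugin_t mozilla_plugin_tmp_t:file { append create getattr open read write };
allow mozilla_plugin_t mozilla_plugin_tmp_t:dir { add_name create remove_name write };
allow mozilla_plugin_t mozilla_home_t:file { append create getattr open read write };
allow mozilla_plugin_t cache_home_t:dir { add_name write };
allow mozilla_plugin_t etc_t:file { getattr open read };
"""

# Constructed sample of `semanage fcontext -l` output (header line included on purpose).
FCONTEXT_OUTPUT = r"""SELinux fcontext                      type        Context
/tmp/mozilla_plugin-[^/]*(/.*)?       all files   system_u:object_r:mozilla_plugin_tmp_t:s0
/home/[^/]+/\.mozilla(/.*)?           all files   unconfined_u:object_r:mozilla_home_t:s0
/home/[^/]+/\.cache(/.*)?             all files   unconfined_u:object_r:cache_home_t:s0
/etc/.*                               all files   system_u:object_r:etc_t:s0
"""

AV_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+\{([^}]*)\}")
# Permissions that let a domain change content or directory entries (read-only access is ignored).
WRITE_PERMS = {"write", "append", "create", "add_name", "remove_name", "rename", "unlink"}

def writable_types(sesearch_text, domain):
    """Target types that `domain` may modify as file or dir, according to the AV rules."""
    types = set()
    for line in sesearch_text.splitlines():
        m = AV_RE.match(line.strip())
        if not m or m.group(1) != domain or m.group(3) not in ("file", "dir"):
            continue
        if WRITE_PERMS & set(m.group(4).split()):
            types.add(m.group(2))
    return types

def default_paths(fcontext_text):
    """Map file type -> default path regexes; lines without a full context (the header) are skipped."""
    paths = defaultdict(list)
    for line in fcontext_text.splitlines():
        parts = line.split()
        ctx = parts[-1].split(":") if len(parts) >= 3 else []
        if len(ctx) >= 3:
            paths[ctx[2]].append(parts[0])
    return paths

def managed_files(domain, sesearch_text, fcontext_text):
    """MANAGED FILES-style listing: writable type -> sorted default paths ([] if no fcontext entry)."""
    paths = default_paths(fcontext_text)
    return {t: sorted(paths.get(t, [])) for t in sorted(writable_types(sesearch_text, domain))}

if __name__ == "__main__":
    for t, ps in managed_files("mozilla_plugin_t", SESEARCH_OUTPUT, FCONTEXT_OUTPUT).items():
        print(t, *ps)
```

The script only reports what policy allows; as the man page text notes, the process UID still needs DAC permission on the file before a write succeeds.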