Dan Walsh's Blog

Got SELinux?


New Security Feature in Fedora 18 Part 8: Introducing sepolicy transition
danwalsh
Another advanced SELinux topic that is hard to understand is process transitions.  This is the mechanism by which most processes get their labels.  The init_t domain transitions to the initrc_t domain when it executes a script labelled initrc_exec_t; initrc_t transitions to httpd_t when it executes a file labelled httpd_exec_t, and so on.  A transition only happens when the policy allows the source domain to transition to the target domain, allows the target domain to use that file as its entrypoint, and allows the source domain to execute the file.

Two questions arise from this:
  • Which process domains can a given process domain transition to?
  • Can one process domain transition to another, and by what path?

I originally created a tool called setrans, but now we are shipping it as part of the sepolicy suite.

> man sepolicy-transition
sepolicy-transition(8)                                  sepolicy-transition(8)

NAME
       sepolicy-transition - Examine the SELinux Policy and generate a process transition report

SYNOPSIS
       sepolicy transition [-h] -s SOURCE

       sepolicy transition [-h] -s SOURCE -t TARGET

DESCRIPTION
       sepolicy transition will show all domains that a given SELinux source domain can transition to, including the entrypoint.

       If a target domain is given, sepolicy transition will examine the policy for all transition paths from the source domain to the target domain.  If a transition is possible, this tool will print out every transition path from the source domain to the target domain.

OPTIONS
       -h, --help
              Display help message

       -s, --source
              Specify the source SELinux domain type.

       -t, --target
              Specify the target SELinux domain type.



If I want to see which process domains guest_t can transition to, I can execute the following:

# sepolicy transition -s guest_t
guest_t @ abrt_helper_exec_t --> abrt_helper_t
guest_t @ loadkeys_exec_t --> loadkeys_t
guest_t @ chkpwd_exec_t --> chkpwd_t
guest_t @ passwd_exec_t --> passwd_t
guest_t @ updpwd_exec_t --> updpwd_t
guest_t @ chfn_exec_t --> chfn_t
guest_t @ oddjob_mkhomedir_exec_t --> oddjob_mkhomedir_t
guest_t @ shell_exec_t --> httpd_user_script_t

If I wanted to see how httpd_t can reach system_mail_t:

# sepolicy transition -s httpd_t -t system_mail_t
httpd_t --> httpd_suexec_t --> httpd_mojomojo_script_t --> system_mail_t
httpd_t --> httpd_suexec_t --> httpd_openshift_script_t --> openshift_initrc_t --> openshift_domain --> openshift_t --> openshift_mail_t --> postfix_showq_t --> spamc_t --> system_mail_t
httpd_t --> httpd_suexec_t --> httpd_openshift_script_t --> openshift_initrc_t --> openshift_domain --> openshift_t --> openshift_mail_t --> exim_t --> dovecot_deliver_t --> uux_t --> system_mail_t
httpd_t --> httpd_suexec_t --> httpd_openshift_script_t --> openshift_initrc_t --> openshift_domain --> openshift_t --> openshift_mail_t --> exim_t --> dovecot_deliver_t --> sendmail_t --> uux_t --> system_mail_t
httpd_t --> httpd_suexec_t --> httpd_openshift_script_t --> openshift_initrc_t --> openshift_domain --> openshift_t --> openshift_mail_t --> exim_t --> dovecot_deliver_t --> sendmail_t --> procmail_t --> clamscan_t --> system_mail_t
httpd_t --> httpd_suexec_t --> httpd_openshift_script_t --> openshift_initrc_t --> openshift_domain --> openshift_t --> openshift_mail_t --> exim_t --> dovecot_deliver_t --> sendmail_t --> postfix_master_t --> postfix_local_t --> system_mail_t
httpd_t --> httpd_suexec_t --> httpd_openshift_script_t --> openshift_initrc_t --> openshift_domain --> openshift_t --> openshift_mail_t --> exim_t --> dovecot_deliver_t --> sendmail_t --> postfix_master_t --> postfix_pipe_t --> system_mail_t
httpd_t --> httpd_suexec_t --> httpd_openshift_script_t --> openshift_initrc_t --> openshift_domain --> openshift_t --> openshift_mail_t --> exim_t --> uux_t --> system_mail_t
httpd_t --> httpd_suexec_t --> httpd_openshift_script_t --> openshift_initrc_t --> openshift_domain --> openshift_t --> openshift_mail_t --> exim_t --> clamscan_t --> system_mail_t
httpd_t --> httpd_suexec_t --> httpd_bugzilla_script_t --> system_mail_t
httpd_t --> abrt_retrace_worker_t --> mock_t --> mount_t --> lvm_t --> insmod_t --> initrc_t --> daemon --> system_mail_t
httpd_t --> abrt_retrace_worker_t --> mock_t --> mount_t --> lvm_t --> insmod_t --> initrc_t --> systemprocess --> system_mail_t
httpd_t --> abrt_retrace_worker_t --> mock_t --> mount_t --> lvm_t --> insmod_t --> initrc_t --> sulogin_t --> unconfined_t --> dhcpc_t --> NetworkManager_t --> pppd_t --> system_mail_t
httpd_t --> abrt_retrace_worker_t --> mock_t --> mount_t --> lvm_t --> insmod_t --> initrc_t --> sulogin_t --> unconfined_t --> rpm_t --> rpm_script_t --> system_mail_t
httpd_t --> abrt_retrace_worker_t --> mock_t --> mount_t --> lvm_t --> insmod_t --> initrc_t --> sulogin_t --> unconfined_t --> rpm_script_t --> system_mail_t
httpd_t --> passenger_t --> system_mail_t
httpd_t --> httpd_bugzilla_script_t --> system_mail_t
httpd_t --> httpd_mojomojo_script_t --> system_mail_t


Note that this command currently does not take boolean settings into account; it only shows that a transition is possible according to the policy, even where the rules behind a hop are wrapped in a boolean that is off on your system.  A future enhancement would be to list the booleans required to allow the access.  Until then, confirm an individual hop with sesearch (-T for the type_transition rule, -A ... -c process -p transition for the allow rule; both print the boolean guarding a conditional rule) and check its current value with getsebool.
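To make the mechanism described at the top of this post concrete, and to show what the boolean caveat above means in practice, here is an added Python model of what sepolicy transition computes.  It is not code from the sepolicy suite or from Fedora policy: it joins each type_transition rule with the three allow rules a domain transition needs, lists the edges leaving a source domain (the -s form), enumerates simple paths to a target (the -s -t form) and, going one step beyond the shipped tool, records which booleans each path depends on.  The policy fragment is constructed and borrows type names from the output above; the booleans example_bool_a and example_bool_b and the types broken_exec_t and broken_t are hypothetical, and type attributes such as openshift_domain and daemon are not modelled.

```python
"""Toy model of what ``sepolicy transition`` computes. Added example for this
post, not code from the sepolicy suite or from Fedora policy; the booleans
example_bool_a/b and the types broken_exec_t/broken_t are hypothetical."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    kind: str                      # "allow" or "type_transition"
    source: str
    target: str                    # allow: target type; type_transition: entrypoint type
    tclass: str                    # "process" or "file"
    perm: str                      # allow: permission; type_transition: new domain
    boolean: Optional[str] = None  # set when the rule sits inside if (boolean) { ... }

@dataclass(frozen=True)
class Edge:
    source: str
    entrypoint: str
    target: str
    booleans: FrozenSet[str]  # every boolean one of the edge's four rules depends on

def transition_rules(src, ep, dst, boolean=None) -> List[Rule]:
    """The four rules an automatic domain transition src --exec ep--> dst needs."""
    return [
        Rule("allow", src, dst, "process", "transition", boolean),
        Rule("allow", dst, ep, "file", "entrypoint", boolean),
        Rule("allow", src, ep, "file", "execute", boolean),
        Rule("type_transition", src, ep, "process", dst, boolean),
    ]

# Constructed policy fragment borrowing type names from the post; not real Fedora
# policy, and type attributes (openshift_domain, daemon, ...) are not modelled.
POLICY: List[Rule] = (
    transition_rules("guest_t", "passwd_exec_t", "passwd_t")
    + transition_rules("guest_t", "chkpwd_exec_t", "chkpwd_t")
    + transition_rules("guest_t", "shell_exec_t", "httpd_user_script_t", "example_bool_a")
    + transition_rules("httpd_t", "httpd_suexec_exec_t", "httpd_suexec_t")
    + transition_rules("httpd_suexec_t", "httpd_bugzilla_script_exec_t", "httpd_bugzilla_script_t")
    + transition_rules("httpd_t", "httpd_bugzilla_script_exec_t", "httpd_bugzilla_script_t")
    + transition_rules("httpd_bugzilla_script_t", "sendmail_exec_t", "system_mail_t", "example_bool_b")
    + transition_rules("httpd_t", "passenger_exec_t", "passenger_t")
    + transition_rules("passenger_t", "sendmail_exec_t", "system_mail_t")
    # a type_transition with no allow rules behind it: the exec is denied, so no edge
    + [Rule("type_transition", "guest_t", "broken_exec_t", "process", "broken_t")]
)

def derive_edges(rules: List[Rule]) -> List[Edge]:
    """Join each type_transition with the three allow rules it relies on."""
    allows: Dict[Tuple[str, str, str, str], Optional[str]] = {}
    for r in rules:  # one allow per key in this toy; a later duplicate wins
        if r.kind == "allow":
            allows[(r.source, r.target, r.tclass, r.perm)] = r.boolean
    edges = []
    for r in rules:
        if r.kind != "type_transition":
            continue
        src, ep, dst = r.source, r.target, r.perm
        needed = [(src, dst, "process", "transition"), (dst, ep, "file", "entrypoint"),
                  (src, ep, "file", "execute")]
        if all(k in allows for k in needed):
            bools = {allows[k] for k in needed} | {r.boolean}
            bools.discard(None)
            edges.append(Edge(src, ep, dst, frozenset(bools)))
    return edges

def _enabled(edge: Edge, booleans: Optional[Dict[str, bool]]) -> bool:
    """None means 'ignore booleans', which is what the shipped tool does."""
    return booleans is None or all(booleans.get(b, False) for b in edge.booleans)

def transitions_from(rules, source, booleans=None) -> List[Edge]:
    """sepolicy transition -s SOURCE"""
    return [e for e in derive_edges(rules) if e.source == source and _enabled(e, booleans)]

def transition_paths(rules, source, target, booleans=None):
    """sepolicy transition -s SOURCE -t TARGET: simple paths, each with its booleans."""
    by_src = defaultdict(list)
    for e in derive_edges(rules):
        if _enabled(e, booleans):
            by_src[e.source].append(e)
    found: List[Tuple[List[str], FrozenSet[str]]] = []

    def walk(node, path, needed):
        if node == target:
            found.append((path, needed))
            return
        for e in by_src[node]:
            if e.target not in path:  # simple paths only
                walk(e.target, path + [e.target], needed | e.booleans)

    walk(source, [source], frozenset())
    return found

if __name__ == "__main__":
    for path, needed in transition_paths(POLICY, "httpd_t", "system_mail_t"):
        print(" --> ".join(path), "needs:", sorted(needed) or "nothing")
```

Passing a dict of boolean values to transitions_from or transition_paths filters out every hop whose rules depend on a boolean that is off; passing nothing reproduces the shipped tool's behaviour of reporting every path the policy could permit.  The broken_t entry shows why the join matters: a type_transition rule on its own is not a reachable domain.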

