Hi,
I was using sesearch to verify the allow rule for sshd and how it transitions to unconfined_t:
# sesearch --allow -s sshd_t -c process -p transition
Found 12 semantic av rules:
   allow sshd_t oddjob_mkhomedir_t : process transition ;
   allow domain abrt_helper_t : process transition ;
   allow sshd_t chkpwd_t : process transition ;
   allow sshd_t passwd_t : process transition ;
   allow sshd_t updpwd_t : process transition ;
   allow sshd_t mount_t : process transition ;
   allow sshd_t rssh_t : process transition ;
   allow sshd_t xauth_t : process transition ;
   allow sshd_t nx_server_t : process transition ;
   allow sshd_t unpriv_userdomain : process { transition signal } ;
   allow polydomain setfiles_t : process transition ;
   allow unconfined_login_domain unconfined_t : process transition ;
I see it transitions to unconfined_t by means of "unconfined_login_domain", which I guess is a type alias. How can I list all types that have "unconfined_login_domain" as an alias? Is there a way to do this with sesearch or without having the policy source installed?
Thanks, Jorge
On 12/22/2010 11:07 PM, Jorge Fábregas wrote:
> Hi,
> I was using sesearch to verify the allow rule for sshd and how it transitions to unconfined_t:
> # sesearch --allow -s sshd_t -c process -p transition
> Found 12 semantic av rules:
>    allow sshd_t oddjob_mkhomedir_t : process transition ;
>    allow domain abrt_helper_t : process transition ;
>    allow sshd_t chkpwd_t : process transition ;
>    allow sshd_t passwd_t : process transition ;
>    allow sshd_t updpwd_t : process transition ;
>    allow sshd_t mount_t : process transition ;
>    allow sshd_t rssh_t : process transition ;
>    allow sshd_t xauth_t : process transition ;
>    allow sshd_t nx_server_t : process transition ;
>    allow sshd_t unpriv_userdomain : process { transition signal } ;
>    allow polydomain setfiles_t : process transition ;
>    allow unconfined_login_domain unconfined_t : process transition ;
> I see it transitions to unconfined_t by means of "unconfined_login_domain", which I guess is a type alias. How can I list all types that have
It is an attribute actually I believe
> "unconfined_login_domain" as an alias? Is there a way to do this with sesearch or without having the policy source installed?
seinfo -x -aunconfined_login_domain
lists all types that have the unconfined_login_domain attribute assigned to them.
> Thanks, Jorge
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
On Thursday, December 23, 2010 04:50:22 am Dominick Grift wrote:
> > I see it transitions to unconfined_t by means of "unconfined_login_domain", which I guess is a type alias. How can I list all types that have
> It is an attribute actually I believe
Yes, it's an attribute and not an alias as I thought.
> > "unconfined_login_domain" as an alias? Is there a way to do this with sesearch or without having the policy source installed?
> seinfo -x -aunconfined_login_domain
That's exactly what I was looking for!
As always, many thanks for your help Dominick!
All the best, Jorge
On 12/23/2010 03:50 AM, Dominick Grift wrote:
> On 12/22/2010 11:07 PM, Jorge Fábregas wrote:
> > Hi,
> > I was using sesearch to verify the allow rule for sshd and how it transitions to unconfined_t:
> > # sesearch --allow -s sshd_t -c process -p transition
> > Found 12 semantic av rules:
> >    allow sshd_t oddjob_mkhomedir_t : process transition ;
> >    allow domain abrt_helper_t : process transition ;
> >    allow sshd_t chkpwd_t : process transition ;
> >    allow sshd_t passwd_t : process transition ;
> >    allow sshd_t updpwd_t : process transition ;
> >    allow sshd_t mount_t : process transition ;
> >    allow sshd_t rssh_t : process transition ;
> >    allow sshd_t xauth_t : process transition ;
> >    allow sshd_t nx_server_t : process transition ;
> >    allow sshd_t unpriv_userdomain : process { transition signal } ;
> >    allow polydomain setfiles_t : process transition ;
> >    allow unconfined_login_domain unconfined_t : process transition ;
> > I see it transitions to unconfined_t by means of "unconfined_login_domain", which I guess is a type alias. How can I list all types that have
> It is an attribute actually I believe
> > "unconfined_login_domain" as an alias? Is there a way to do this with sesearch or without having the policy source installed?
> seinfo -x -aunconfined_login_domain
> lists all types that have the unconfined_login_domain attribute assigned to them.
> > Thanks, Jorge
sshd_t is not allowed to transition to unconfined_t by this rule. It is allowed to transition via the rule:
allow sshd_t unpriv_userdomain : process { transition signal } ;
   unpriv_userdomain
      git_shell_t
      unconfined_mount_t
      xguest_openoffice_t
      user_openoffice_t
      user_java_t
      user_mono_t
      user_wine_t
      staff_java_t
      staff_mono_t
      staff_wine_t
      staff_execmem_t
      user_execmem_t
      unconfined_notrans_t
      unconfined_execmem_t
      unconfined_java_t
      unconfined_mono_t
      xguest_t
      guest_t
      staff_t
      user_t
      xguest_java_t
      xguest_mono_t
      unconfined_t
      staff_openoffice_t
On Thursday, December 23, 2010 10:10:03 am Daniel J Walsh wrote:
> sshd_t is not allowed to transition to unconfined_t by this rule. It is allowed to transition via the rule:
> allow sshd_t unpriv_userdomain : process { transition signal } ;
Thanks for that. I was misled by the "unconfined_t" on the output by being on the target side of the rule but now I know there might be type attributes there as well!
Thanks, Jorge
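Added example, not part of any message in this thread and not setools code: a small Python check that expands attributes on both the source and target side of sesearch-style rules to show which rule covers a given transition. The function names are hypothetical, the rules are a constructed sample taken from the output quoted above, and the only attribute membership supplied is a subset of the unpriv_userdomain list posted in the thread.

```python
import re

# Constructed sample: four of the rules from the sesearch output quoted in the thread.
SESEARCH_OUTPUT = """
allow sshd_t passwd_t : process transition ;
allow sshd_t xauth_t : process transition ;
allow sshd_t unpriv_userdomain : process { transition signal } ;
allow unconfined_login_domain unconfined_t : process transition ;
"""

# Subset of the unpriv_userdomain members listed in the thread. Attributes
# missing from this map have no known membership and stay unresolved.
ATTRIBUTES = {
    "unpriv_userdomain": {"guest_t", "xguest_t", "staff_t", "user_t", "unconfined_t"},
}

RULE_RE = re.compile(
    r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;")

def parse_rules(text):
    """Yield (source, target, object class, permission set) per allow rule."""
    for m in RULE_RE.finditer(text):
        yield m.group(1), m.group(2), m.group(3), set((m.group(4) or m.group(5)).split())

def covers(name, wanted, attributes):
    """'yes', 'no' or 'unknown': does rule field `name` include type `wanted`?"""
    if name == wanted:
        return "yes"
    if name in attributes:
        return "yes" if wanted in attributes[name] else "no"
    # Assumption: type names end in _t; any other name is an attribute whose
    # members must still be looked up (seinfo -x -a<attribute>).
    return "no" if name.endswith("_t") else "unknown"

def explain_transition(text, attributes, source, target):
    """Return (rule, status) for rules that grant or may grant the transition."""
    results = []
    for src, tgt, tclass, perms in parse_rules(text):
        if tclass != "process" or "transition" not in perms:
            continue
        verdicts = {covers(src, source, attributes), covers(tgt, target, attributes)}
        if "no" not in verdicts:
            status = "unknown" if "unknown" in verdicts else "yes"
            results.append((f"allow {src} {tgt}", status))
    return results

if __name__ == "__main__":
    for rule, status in explain_transition(SESEARCH_OUTPUT, ATTRIBUTES, "sshd_t", "unconfined_t"):
        print(f"{status:8} {rule}")
```

A rule reported as "unknown" names an attribute whose members were not supplied; add the seinfo listing for that attribute to the map to resolve it.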