I'm just beginning to learn SELinux and have numerous questions (I've read roughly half of the "Red Hat Enterprise Linux 7 SELinux User's and Administrator's Guide"). The first one is how to determine the domain of a daemon if it isn't running. If there's documentation on this and I've just missed it, just point me to it. Thanks for your help.
Are you looking for this?
ls -lZ /path/to/daemon/on/disk
---- Cheers, Lakshmipathi.G FOSS Programmer. www.giis.co.in
Thanks for the reply. When I ran 'ls -lZ /usr/bin/rsync' I got:
-rwxr-xr-x. root root system_u:object_r:rsync_exec_t:s0 /usr/bin/rsync
But, running 'rsync --daemon' then 'ps -eZ | grep rsync' I got:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2575 ? 00:00:00 rsync
I had expected to see rsync_exec_t in the response. If I'm missing something obvious please correct my (mis)understanding.
On 11/17/2016 11:51 PM, Lakshmipathi.G wrote:
Are you looking for this?
ls -lZ /path/to/daemon/on/disk
Cheers, Lakshmipathi.G FOSS Programmer. www.giis.co.in
On Fri, Nov 18, 2016 at 04:26:45AM -0000, leroy.tennison@verizon.net wrote:
I'm just beginning to learn SELinux and have numerous questions (I've read roughly half of the "Red Hat Enterprise Linux 7 SELinux User's and Administrator's Guide"). The first one is how to determine the domain of a daemon if it isn't running. If there's documentation on this and I've just missed it, just point me to it. Thanks for your help.
Hi,
The context of a process usually depends on the domain which started it. In Fedora's current policy systemd runs as init_t, so to find out what the context of a daemon it starts would be, we need to look for type_transition rules with init_t as the source type. You can do this by using sesearch from setools-console:
$ sesearch -CST -s init_t -c process
Found 721 semantic te rules:
type_transition init_t cgconfig_exec_t : process cgconfig_t;
type_transition init_t deltacloudd_exec_t : process deltacloudd_t;
... snip ...
The target type in these rules is the type of the program's executable file, so to filter the sesearch results to a single program we can do this:
$ ls -laZ /sbin/dnsmasq
-rwxr-xr-x. 1 root root system_u:object_r:dnsmasq_exec_t:s0 373928 Jul 15 13:57 /sbin/dnsmasq
$ sesearch -CST -s init_t -t dnsmasq_exec_t -c process
Found 1 semantic te rules:
type_transition init_t dnsmasq_exec_t : process dnsmasq_t;
So we know that when init_t execve()'s a program with a type of dnsmasq_exec_t it will transition to dnsmasq_t [1]. You can also achieve the same result by using selinuxexeccon from libselinux-utils:
$ selinuxexeccon /usr/sbin/dnsmasq "system_u:system_r:init_t:s0"
system_u:system_r:dnsmasq_t:s0
[1] - A process can also call setexeccon() to set the context for a new process before it calls execve().
selinux mailing list -- selinux@lists.fedoraproject.org To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
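The lookup described in the last reply, as an added example that is not part of the thread or of any SELinux tool: it reads type_transition rules in the format sesearch prints and predicts the context a process gets after execve(), including the case where no rule matches and the caller's domain is kept. The names predict_exec_context and SAMPLE_RULES are hypothetical and the rules are constructed sample data.

```shell
#!/bin/sh
# Constructed sample in the format sesearch prints in the reply above; it is
# not real policy output. On a live system the rules would come from the
# command shown in the thread:  sesearch -CST -s init_t -c process
SAMPLE_RULES='Found 3 semantic te rules:
   type_transition init_t cgconfig_exec_t : process cgconfig_t;
   type_transition init_t dnsmasq_exec_t : process dnsmasq_t;
   type_transition init_t rsync_exec_t : process rsync_t;'

# predict_exec_context CALLER_CONTEXT FILE_CONTEXT   (rules on stdin)
# Prints the caller's context with its type replaced by the target of the
# matching type_transition rule. With no matching rule the type is unchanged.
# Simplifications: role_transition, range_transition, setexeccon() and the
# allow rules that must permit the transition are not modelled.
predict_exec_context() {
    awk -v caller="$1" -v file="$2" '
        BEGIN {
            # user:role:type:level, where the level may itself contain ":"
            n = split(caller, c, ":")
            split(file, f, ":")
            src = c[3]; exec_type = f[3]; new_type = src
        }
        # Rule layout: type_transition SRC EXEC_TYPE : process TARGET;
        $1 == "type_transition" && $2 == src && $3 == exec_type && $5 == "process" {
            new_type = $6
            sub(/;$/, "", new_type)
        }
        END {
            out = c[1] ":" c[2] ":" new_type
            for (i = 4; i <= n; i++) out = out ":" c[i]
            print out
        }
    '
}

# Started by systemd (init_t): a rule matches, so the type changes.
printf '%s\n' "$SAMPLE_RULES" | predict_exec_context \
    'system_u:system_r:init_t:s0' 'system_u:object_r:dnsmasq_exec_t:s0'

# Started by hand from an unconfined_t shell: the sample has no rule with
# unconfined_t as the source, so the caller's context is printed unchanged.
printf '%s\n' "$SAMPLE_RULES" | predict_exec_context \
    'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023' \
    'system_u:object_r:rsync_exec_t:s0'
```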