From: Daniel J Walsh <dwalsh@redhat.com>
To: Joe Nall <joe@nall.com>
Cc: "Christopher J. PeBenito" <cpebenito@tresys.com>,
SELinux Mail List <selinux@tycho.nsa.gov>
Subject: Re: sesearch question
Date: Wed, 14 Oct 2009 10:55:50 -0400
Message-ID: <4AD5E676.6070009@redhat.com>
In-Reply-To: <ddbc00640910140636y28b2aa8cw164e74fd0502476b@mail.gmail.com>
On 10/14/2009 09:36 AM, Joe Nall wrote:
> On Wed, Oct 14, 2009 at 6:20 AM, Christopher J. PeBenito
> <cpebenito@tresys.com> wrote:
>> On Tue, 2009-10-13 at 16:30 -0700, Joe Nall wrote:
>>> When I use sesearch I appear to be seeing allow rules that are in
>>> tunables that are off. The rules below come from
>>> auth_manage_all_files_except_shadow which is in a disabled tunable.
>>
>> Sesearch will return all rules, regardless of being conditional or
>> unconditional. However, currently it does not tell you that a rule is
>> conditional (what the Boolean expression is for the rule).
>
> Are there any command line tools that I can use on a production box to
> show the current effective allow rules?
>
> joe
>
>
>
sesearch -A -C -t TYPE
Will show you the rules with booleans. You could eliminate all lines with booleans turned off via a script.
BTW, our version of setools has python bindings that would allow you to write a tool in python. Sadly upstream has not accepted the patch.
import setools
>>
>>> sesearch -A -t jcdx_icm_var_t /etc/selinux/mls/modules/active/base.pp
>>> /etc/selinux/mls/modules/active/modules/*pp
>>> ...
>>> allow nfsd_t { file_type -shadow_t } : dir { ioctl read getattr
>>> lock search } ;
>>> allow nfsd_t { file_type -shadow_t } : file { ioctl read getattr lock } ;
>>> allow nfsd_t { file_type -shadow_t } : dir { getattr search } ;
>>> ...
>>>
>>> --
>>>
>>> getsebool -a | grep nfs_export_all_rw
>>> nfs_export_all_rw --> off
>>>
>>> --
>>>
>>> tunable_policy(`nfs_export_all_rw',`
>>> fs_read_noxattr_fs_files(nfsd_t)
>>> dev_getattr_all_blk_files(nfsd_t)
>>> dev_getattr_all_chr_files(nfsd_t)
>>> auth_manage_all_files_except_shadow(nfsd_t)
>>> #unprivuser_home_dir_filetrans_home_content(nfsd_t, { file dir })
>>> ')
>>>
>>> --
>>> This message was distributed to subscribers of the selinux mailing list.
>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>>> the words "unsubscribe selinux" without quotes as the message.
>> --
>> Chris PeBenito
>> Tresys Technology, LLC
>> (410) 290-1411 x150
>>
>>
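A filter along the lines Dan describes, as an added example that is not code from the thread or from setools: it parses `sesearch -A -C` output, evaluates each rule's conditional against `getsebool -a` output, and keeps only the rules currently in force, using no setools Python bindings. The `sesearch -C` line format (the E/D + T/F branch marker and the `[ expression ]` trailer) is assumed from setools 3 here, and both command outputs are constructed samples, not captures.

```python
import re

# Constructed sample of `sesearch -A -C -t TYPE` output. Line format is assumed
# (setools 3 style): optional E/D + T/F marker (rule Enabled/Disabled, in the
# True/False branch), the rule, and for conditional rules a "[ expression ]" tail.
SESEARCH_OUTPUT = """\
ET allow nfsd_t file_type : dir { ioctl read getattr lock search } ; [ nfs_export_all_rw ]
ET allow nfsd_t file_type : file { ioctl read getattr lock } ; [ nfs_export_all_rw || nfs_export_all_ro ]
EF allow nfsd_t nfsd_ro_t : file { getattr } ; [ nfs_export_all_rw ]
   allow nfsd_t nfsd_rw_t : file { read write } ;
"""
# Constructed sample of `getsebool -a` output from the production box.
GETSEBOOL_OUTPUT = "nfs_export_all_ro --> on\nnfs_export_all_rw --> off\n"

TOKEN_RE = re.compile(r"\(|\)|&&|\|\||!=|==|!|[A-Za-z_][A-Za-z0-9_]*")
RULE_RE = re.compile(r"^\s*(?:[ED]([TF])\s+)?(allow\b.*?;)\s*(?:\[\s*(.*?)\s*\])?\s*$")

def parse_getsebool(text):
    """Map boolean name -> True/False from `getsebool -a` lines."""
    pairs = re.findall(r"^(\S+)\s+-->\s+(on|off)\s*$", text, re.M)
    return {name: state == "on" for name, state in pairs}

def eval_cond(expr, bools):
    """Evaluate a policy conditional built from &&, ||, !, ==, != and parentheses.
    Precedence of these operators (|| < && < ! < ==/!=) is the same in policy
    language and Python, so a token-for-token translation is exact; xor (^)
    binds differently in Python and is rejected rather than mis-evaluated."""
    tokens = TOKEN_RE.findall(expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError("unsupported token in conditional: %r" % expr)
    ops = {"&&": "and", "||": "or", "!": "not", "(": "(", ")": ")", "==": "==", "!=": "!="}
    py = [ops[t] if t in ops else str(bools[t]) for t in tokens]  # KeyError: unknown boolean
    # Only True/False literals and the operators above remain, so eval is safe here.
    return bool(eval(" ".join(py), {"__builtins__": {}}, {}))

def effective_rules(sesearch_text, bools):
    """Return only the allow rules in force given the live boolean values."""
    kept = []
    for line in sesearch_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header lines sesearch prints before the rules
        branch, rule, cond = m.groups()
        value = True if cond is None else eval_cond(cond, bools)
        if branch == "F":
            value = not value  # a false-branch rule applies when the expression is false
        if value:
            kept.append(rule)
    return kept
```

On a real box, feed `effective_rules` the captured output of `sesearch -A -C -t TYPE` and `parse_getsebool` the output of `getsebool -a`; a boolean named in a rule but absent from `getsebool -a` raises a KeyError rather than being silently treated as off.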
Thread overview: 4+ messages
2009-10-13 23:30 sesearch question Joe Nall
2009-10-14 13:20 ` Christopher J. PeBenito
2009-10-14 13:36 ` Joe Nall
2009-10-14 14:55 ` Daniel J Walsh [this message]