* Enforcing default_user, default_role, default_type, default_range
@ 2014-07-03  5:26 dE
  2014-07-03  9:44 ` Daniel J Walsh
  0 siblings, 1 reply; 6+ messages in thread
From: dE @ 2014-07-03  5:26 UTC (permalink / raw)
  To: selinux

These rules are not enforced by the object manager, but does restorecon 
read these?

Also what's the effect of these statements on SELinux aware applications?

Are there tools to list these statements? I didn't find anything in 
sesearch man page, and seinfo is silent on this.


* Re: Enforcing default_user, default_role, default_type, default_range
  2014-07-03  5:26 Enforcing default_user, default_role, default_type, default_range dE
@ 2014-07-03  9:44 ` Daniel J Walsh
  2014-07-03 11:19   ` Richard Haines
  2014-07-05 10:42   ` dE
  0 siblings, 2 replies; 6+ messages in thread
From: Daniel J Walsh @ 2014-07-03  9:44 UTC (permalink / raw)
  To: dE, selinux


On 07/03/2014 01:26 AM, dE wrote:
> These rules are not enforced by the object manager, but does
> restorecon read these?
No.  restorecon and other labeling tools just read the fcontext files.
>
> Also what's the effect of these statements on SELinux aware applications?
>
Most likely nothing.
> Are there tools to list these statements? I didn't find anything in
> sesearch man page, and seinfo is silent on this.
Probably not.  seinfo/sesearch have not been updated to handle them


* Re: Enforcing default_user, default_role, default_type, default_range
  2014-07-03  9:44 ` Daniel J Walsh
@ 2014-07-03 11:19   ` Richard Haines
  2014-07-03 14:20     ` Richard Haines
  2014-07-05 10:43     ` dE
  2014-07-05 10:42   ` dE
  1 sibling, 2 replies; 6+ messages in thread
From: Richard Haines @ 2014-07-03 11:19 UTC (permalink / raw)
  To: Daniel J Walsh, dE; +Cc: selinux



----- Original Message -----
> From: Daniel J Walsh <dwalsh@redhat.com>
> To: dE <de.techno@gmail.com>; selinux@tycho.nsa.gov
> Cc: 
> Sent: Thursday, 3 July 2014, 10:44
> Subject: Re: Enforcing default_user, default_role, default_type, default_range
> 
> 
> On 07/03/2014 01:26 AM, dE wrote:
>>  These rules are not enforced by the object manager, but does
>>  restorecon read these?
> No.  restorecon and other labeling tools just read the fcontext files.
>> 
>>  Also what's the effect of these statements on SELinux aware applications?
>> 
> Most likely nothing.
>>  Are there tools to list these statements? I didn't find anything in
>>  sesearch man page, and seinfo is silent on this.
> Probably not.  seinfo/sesearch have not been updated to handle them

There is an updated version of APOL that will show these plus all other rules to
policy version 29. 
You can either build it from:
https://github.com/TresysTechnology/setools3.git
or:
https://github.com/QuarkSecurity/setools

Or download the rpms from:
https://quarksecurity.com/files/RPMS/



* Re: Enforcing default_user, default_role, default_type, default_range
  2014-07-03 11:19   ` Richard Haines
@ 2014-07-03 14:20     ` Richard Haines
  2014-07-05 10:43     ` dE
  1 sibling, 0 replies; 6+ messages in thread
From: Richard Haines @ 2014-07-03 14:20 UTC (permalink / raw)
  To: dE; +Cc: selinux





----- Original Message -----
> From: Richard Haines <richard_c_haines@btinternet.com>
> To: Daniel J Walsh <dwalsh@redhat.com>; dE <de.techno@gmail.com>
> Cc: "selinux@tycho.nsa.gov" <selinux@tycho.nsa.gov>
> Sent: Thursday, 3 July 2014, 12:19
> Subject: Re: Enforcing default_user, default_role, default_type, default_range
> 
> 
> 
> ----- Original Message -----
>>  From: Daniel J Walsh <dwalsh@redhat.com>
>>  To: dE <de.techno@gmail.com>; selinux@tycho.nsa.gov
>>  Cc: 
>>  Sent: Thursday, 3 July 2014, 10:44
>>  Subject: Re: Enforcing default_user, default_role, default_type, default_range
>> 
>> 
>>  On 07/03/2014 01:26 AM, dE wrote:
>>>   These rules are not enforced by the object manager, but does
>>>   restorecon read these?
>>  No.  restorecon and other labeling tools just read the fcontext files.
>>> 
>>>   Also what's the effect of these statements on SELinux aware applications?
>>> 

The SELinux Notebook section 2.10 - Computing Security Contexts attempts to
explain labeling using these and other rules for SELinux-aware apps.
For the next edition I've a few minor corrections - the CIL statement names
have changed and security_compute_member always defaults to using the
tcon user.

The book is available from:
http://www.freetechbooks.com/the-selinux-notebook-the-foundations-t785.html
If you find any errors or want any clarifications let me know as I'm working
on the next version (for release one day - but not sure when).

>>  Most likely nothing.
>>>   Are there tools to list these statements? I didn't find anything in
>>>   sesearch man page, and seinfo is silent on this.
>>  Probably not.  seinfo/sesearch have not been updated to handle them
> 
> There is an updated version of APOL that will show these plus all other rules to
> policy version 29. 
> You can either build it from:
> https://github.com/TresysTechnology/setools3.git
> or:
> https://github.com/QuarkSecurity/setools
> 
> Or download the rpms from:
> https://quarksecurity.com/files/RPMS/
> 


* Re: Enforcing default_user, default_role, default_type, default_range
  2014-07-03  9:44 ` Daniel J Walsh
  2014-07-03 11:19   ` Richard Haines
@ 2014-07-05 10:42   ` dE
  1 sibling, 0 replies; 6+ messages in thread
From: dE @ 2014-07-05 10:42 UTC (permalink / raw)
  To: selinux

On 07/03/14 15:14, Daniel J Walsh wrote:
> On 07/03/2014 01:26 AM, dE wrote:
>> These rules are not enforced by the object manager, but does
>> restorecon read these?
> No.  restorecon and other labeling tools just read the fcontext files.
>> Also what's the effect of these statements on SELinux aware applications?
>>
> Most likely nothing.
>> Are there tools to list these statements? I didn't find anything in
>> sesearch man page, and seinfo is silent on this.
> Probably not.  seinfo/sesearch have not been updated to handle them

Thanks for clarifying.


* Re: Enforcing default_user, default_role, default_type, default_range
  2014-07-03 11:19   ` Richard Haines
  2014-07-03 14:20     ` Richard Haines
@ 2014-07-05 10:43     ` dE
  1 sibling, 0 replies; 6+ messages in thread
From: dE @ 2014-07-05 10:43 UTC (permalink / raw)
  To: selinux

On 07/03/14 16:49, Richard Haines wrote:
>
> ----- Original Message -----
>> From: Daniel J Walsh <dwalsh@redhat.com>
>> To: dE <de.techno@gmail.com>; selinux@tycho.nsa.gov
>> Cc:
>> Sent: Thursday, 3 July 2014, 10:44
>> Subject: Re: Enforcing default_user, default_role, default_type, default_range
>>
>>
>> On 07/03/2014 01:26 AM, dE wrote:
>>>   These rules are not enforced by the object manager, but does
>>>   restorecon read these?
>> No.  restorecon and other labeling tools just read the fcontext files.
>>>   Also what's the effect of these statements on SELinux aware applications?
>> Most likely nothing.
>>>   Are there tools to list these statements? I didn't find anything in
>>>   sesearch man page, and seinfo is silent on this.
>> Probably not.  seinfo/sesearch have not been updated to handle them
> There is an updated version of APOL that will show these plus all other rules to
> policy version 29.
> You can either build it from:
> https://github.com/TresysTechnology/setools3.git
> or:
> https://github.com/QuarkSecurity/setools
>
> Or download the rpms from:
> https://quarksecurity.com/files/RPMS/
>

Graphical tools only?
