88


Chapter 6. Tools for Manipulating and Analyzing SELinux


Each rule is marked if it is


[enabled]


or


[disabled]


, which shows the current state of that con 


ditional in the policy. Changing a value in the Booleans tab within the Policy Components tab is


reflected in the Conditional Expressions Display by running your search again. This is another way


of analyzing the consequences of toggling a Boolean value, entirely within apol.


The last tab under the Policy Rules tab is the RBAC Rules tab. Effectively, you only use the Allow


choice, since role transitions are deprecated. Using the Transition selection is only useful in analyzing


roles in older versions of the SELinux policy, which will not appear in Red Hat Enterprise Linux. The


Default Role menu is disabled because it is only used in the deprecated


role_transition


analysis.


To search, set a Source Role, either as source or any if you want to search for it in both positions in an


allow


rule. Then you set a Target Role value. The search result shows if the source role may assume


the targeted role.


6.3.3. Domain Transition Analysis


Domain transition is one important aspect of TE. Since being in a particular domain is the key to


controlling that domain's derivative types, the strict control of what domains can transition to what


other domains is essential to SELinux security.


Domain transition is looked at from two directions, forward and reverse. In a forward analysis, you


select a source type and search to find all target types it can transition to. You can use search parameters


to refine the results. For a reverse analysis, you select a target type and discover all the source types


that can transition to the target type.


For a domain transition to occur, there must be three particular


allow


rules. These rules control


the source domain that is attempting to transition to the target domain. One rule permits the process


transition itself, a second rule allows the source access to the entry point executable for the target


domain, and the third rule allows the target domain itself to use the executable as an entry point.


Domain transition


analysis


with apol


centers


around


identifying


these


three


rules.


In some cases, more than one appropriate rule is found. The extensive help file,


/usr/share/doc/setools  version /dta_help.txt


, is useful in explaining this analysis.


b


c


6.3.4. Direct and Transitive Information Flow


Information flow analysis is a central and challenging part of analyzing an SELinux policy. Your


analysis may find unexpected or dangerous information flows. For example, if you want to be sure


that the content in your


/home/


directories (


user_home_dir_t


) is flowing as you configured it


into the


httpd_t


domain, apol searches through the policy to reveal all the ways information flows


between the two types. This search is show in Figure 6 8:








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      adult web hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved