[prev in list] [next in list] [prev in thread] [next in thread]
List: selinux
Subject: Re: regarding privilege granting
From: Stephen Smalley <sds () tycho ! nsa ! gov>
Date: 2007-06-25 17:03:11
Message-ID: 1182790991.5636.87.camel () moss-spartans ! epoch ! ncsc ! mil
[Download RAW message or body]
On Mon, 2007-06-25 at 09:26 -0700, Steve G wrote:
> >I'm pretty surprised that you are making the argument that these method
> >of granting capabilities is harder to analyze. SELinux allows you to
> >understand exactly what domains have the capabilities in exactly which
> >situations. Since executable code is tightly bound to the domains
> >already finding executables that can run with additional capabilities it
> >not hard.
>
> OK, what would I type at the command line to get the list of all apps with
> elevated privileges? I already showed you the 1 line in bash that finds all
> programs with elevated privileges today.
Doesn't exist today, but not hard to do as an extension to sesearch I
would think - search policy for all allow rules on cap_override class,
then find the entrypoint types for those domains, then feed that list of
types to a find command.
The fact that we don't have a one-line command line to do it today is
hardly surprising given that the kernel functionality is only just being
proposed.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic