From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1QfchF-0003Z7-Sn for garchives@archives.gentoo.org; Sat, 09 Jul 2011 18:56:10 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 0295321C0FB; Sat, 9 Jul 2011 18:56:01 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id CAD0221C08B for ; Sat, 9 Jul 2011 18:56:01 +0000 (UTC) Received: from pelican.gentoo.org (unknown [66.219.59.40]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 3E0C01B405B for ; Sat, 9 Jul 2011 18:56:01 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by pelican.gentoo.org (Postfix) with ESMTP id A4AE18003F for ; Sat, 9 Jul 2011 18:56:00 +0000 (UTC) From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <9a8ada766ea873a6030534f21ccd22b2c70fffc3.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/ X-VCS-Repository: proj/hardened-docs X-VCS-Files: xml/selinux/hb-using-commands.xml X-VCS-Directories: xml/selinux/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 9a8ada766ea873a6030534f21ccd22b2c70fffc3 Date: Sat, 9 Jul 2011 18:56:00 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: X-Archives-Hash: aad078cc9c81a64c0be4af5815feac49 commit: 9a8ada766ea873a6030534f21ccd22b2c70fffc3 Author: Sven Vermeulen siphos be> AuthorDate: Sat Jul 9 18:54:04 2011 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Sat Jul 9 18:54:04 2011 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=3Dproj/hardened-docs= .git;a=3Dcommit;h=3D9a8ada76 Introduce how to query for booleans (and their result) --- xml/selinux/hb-using-commands.xml | 29 +++++++++++++++++++++++++++-- 1 files changed, 27 insertions(+), 2 deletions(-) diff --git a/xml/selinux/hb-using-commands.xml b/xml/selinux/hb-using-com= mands.xml index d22bb3c..a76e97f 100644 --- a/xml/selinux/hb-using-commands.xml +++ b/xml/selinux/hb-using-commands.xml @@ -7,8 +7,8 @@ =20 -3 -2011-05-31 +4 +2011-07-09 =20
SELinux Information Commands @@ -177,6 +177,31 @@ rules: for each domain that has file_type set, the s= earch tries to find rules that allow file-write access to that particular domain.

=20 +

+Another interesting functionality of the sesearch command is to s= how you +the rules that are applicable depending on the state of a boolean. If yo= u want +to query on a particular boolean, use -b. If you want to see the = logic +that the policy uses, use -C (and yes, both can be combined). +

+ +

+As an example, we'll check what we allow (or deny) when the global_ss= p +boolean is set: +

+ +
+~# sesearch -b global_ssp -A -C -d
+Found 2 semantic av rules:
+ET allow domain device_t : dir { getattr search open } ; [ global_ssp ]
+ET allow domain urandom_device_t : chr_file { ioctl read getattr lock op=
en } ; [ global_ssp ]
+
+ +

+Of this prefix you see (which can be ET, DT, EF or DF) the second letter= is +important as it tells you when the rule will be enabled. If the boolean = needs to +be on (true) then it is T. Otherwise, you'll see F. +

+