Software: Apache/2.2.3 (CentOS). PHP/5.1.6 uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44 uid=48(apache) gid=48(apache) groups=48(apache) Safe-mode: OFF (not secure) /usr/share/setools/ drwxr-xr-x | |
| Viewing file: Select action/file-type: Semantic Policy Difference Tool for Security Enhanced Linux
sediff, version 3.0
October 1, 2006
selinux@tresys.com
Overview:
---------
The sediff and sediffx programs are policy analysis tools that parse
two given policy files and compare them showing a list of the
differences; the former is a command-line only program while the
latter is a GTK+ application. They can compare source and/or binary
policies and can also compare different versions of policy. For
source policies, versions 12 and higher of SELinux policies are
supported. For binary policies, versions 15 and higher are supported.
Limitations:
------------
The programs currently compare the following policy elements:
- object classes and common classes
- types and attributes
- roles
- users
- booleans
- type enforcement rules (allows, type_transitions, etc.)
- role allow rules
- role transition rules
What is a Semantic Diff?
------------------------
The challenge with comparing two policies is that a straightforward
textual comparison is of little value. What one needs is the ability
to determine semantically how two policies differ. For example, one
could not simply grep for allow rules with a given type, and then
compare them to a similar list from another policy. Many factors
affect the semantic meaning of the rules. For example, multiple rules
can allow differing sets of permissions. Attributes can allow
permissions to/from a type. What was a type in one policy could
become an alias in another.
What sediff (and sediffx) does is analyze each policy semantically.
We define "semantically" as how the kernel security server uses a
policy to make enforcement decisions. This approach also allows
binary and source policies to be compared, as well as different
versions of policies.
NOTE: The one semantic assumption sediff makes is that when an
identifier (e.g., a type name) has the same string value in each
policy, then it represents the same semantic meaning in both policies.
sediff and sediffx Commands:
----------------------------
The tools may be run from the command line or in a graphical
environment. Use sediff (see "sediff --help") for the command line
and sediffx ("sediffx --help") for the graphical interface. We
recommend using sediffx as that it gives additional details about
policy differences; the remainder of this document focuses on sediffx.
Understanding sediffx's Results:
--------------------------------
After calculating differences between two policies, the GUI shows the
policy areas compared in the top-left frame. Besides each policy
component is a number representing the total number of differences for
that component. As a general rule, for each policy component the
right-hand window shows the detailed results.
NOTE: All differences are shown from the perspective of the first
policy given (i.e., "original policy") to the second ("modified
policy"). There are five types of differences shown:
- Added (+): A policy component was added by the second policy (in
modified policy but not original policy).
- Removed (-): A policy component was removed by the second policy
(in original policy but not modified policy).
- Modified (*): A policy component was present in both policies, but
is different in the modified policy.
Where appropriate, two other differences are available:
- Added because of new type (+): This policy component could not
exist in the original policy because that policy does not declare
a necessary type.
- Removed because of missing type (-): This policy component could
not exist in the modified policy because that policy no longer
declares a necessary type.
Supported Policy Areas Differences:
-----------------------------------
Below is an explanation of the difference for each supported policy
area:
Classes:
--------
Classes can be added, removed, or modified. Modified means that
the list of permissions associated with a class is different.
Commons:
--------
Commons are compared much like classes. They too may be added,
removed, or modified.
Types:
------
Types can be added, removed, or modified. Modified means that the
attributes associated with a type are different between the two
policies. Because attribute names do not exist within binary
policies, if either the original or modified policy is a binary then
the 'modified' check will be skipped.
Attributes:
-----------
Attributes are compared like types. They can be added, removed,
or modified. Modified means that the types associated with the
attributes are different (types can be added or removed from the
attribute). As before, if either policy is a binary then attributes
will not be checked.
Roles:
------
Roles can be added, removed, or modified. Modified means that the
types associated with a role are different between the two policies.
Types can be added or removed from a role.
Users:
------
Users can be added, removed, or modified. Modified means that the
roles associated with a user are different between the two
policies. Roles can be added or removed from a user.
Booleans:
---------
Booleans can be added, removed, or modified. If you compare a
version 15 or earlier policy with a version 16 or later policy, all
the booleans will be added or removed (booleans came in version 16).
Modified means that the default value is different between the two
policies.
TE Rules:
---------
The TE rules checks cover the majority of a diff. This includes AV
rules (allow, neverallow auditallow, and dontaudit) and Type rules
(type_transition, type_change, and type_member). The rule
comparison is truly semantic. All issues of redundancy and
duplication, as well as indirect access through attributes are
resolved. All rules are keyed by the "source-target-class" (STC)
triple. In addition, conditional rules are distinguished from
non-conditional rules. Thus, for example, two rules with the same
STC will not be compared if one is non-conditional and the other is
conditional, or if both are conditional but conditioned on two
different conditional expressions. For conditional rules, the
conditional expression is compared to ensure that conditional rules
are meaningfully compared. In the results pane, conditional rules
are displayed with their associated conditional expression and if
the rule was in conditional's TRUE or FALSE branch.
NOTE: For conditional rules, the default and current values of
the booleans are ignored. Conditional expressions are compared
as if the booleans were in the same state.
Rules can be added, removed, or modified. Added means the STC
triple for that rule is not present in the original policy but in
the modified one. Removed means the STC triple is present in the
original but not modified policy. For AV rules, modified means that
the permissions for the rule are different between the policies.
For Type rules, modified means that the default type is different
between the policies.
When source policies are compared, hyperlinked line numbers are
shown that take you to the source ".conf" file where the rule was
defined. If there were more than one source rules that contributed
to a STC triple for a given rule, then all source rules are linked.
RBAC Rules:
-----------
RBAC includes role allow and role_transition rules. Role allow
rules determine if a role is allowed to transition to another role.
Diffing a role allow involves taking the source role and checking to
see if there are corresponding rules in the other policy. If there
is no rule with this source in the first policy it is an add.
Likewise if there is none in the second policy it is a remove. If
role allows with the same source exist in both policies then the
target roles are shown as a modified. Role transitions are handled
similarly to type_transitions; if the default role is different then
the statement is marked as modified.
Policy Tabs:
------------
Each policy has a tab on the main window labeled Policy #: followed by
the policy file name. Under these tabs are a policy statistics tab
and a source tab.
Policy Statistics Tab:
----------------------
The policy statistics tab displays a summary of that policy's
contents.
Source Tab:
-----------
If the policy is a source policy, this tab displays the source of
that policy.
Remapping Types:
----------------
The diff algorithm implicitly treats a type with the same name across
both policies as the same semantic item. This includes a name that
was a type in one policy but became an alias in the other. There may
be instances where the operator has special knowledge of the remaining
unmapped types. In this case, he may use sediffx's "Remap Types"
dialog to explicitly remap types. From the main interface, select
"Remap Types" from the Tools menu to open a dialog box. From here, he
may add additional remappings between types. Note that sediffx will
only list types that have not been implicitly remapped.
|
:: Command execute :: | |
:: Shadow's tricks :D :: | |
Useful Commands
|
|
:: Preddy's tricks :D :: | |
Php Safe-Mode Bypass (Read Files)
|
|
--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0123 ]-- |