WEBVTT

00:01.500 --> 00:03.140
Hello and welcome back.

00:04.980 --> 00:13.050
In this movie we're going to be taking a look at how a targeted policy allows interactions between

00:13.140 --> 00:15.240
system objects.

00:15.240 --> 00:16.990
Let's begin.

00:17.070 --> 00:23.850
So here in my server, if I go through a sesearch --allow, this is going to show me all the

00:23.850 --> 00:32.040
rules that SELinux uses to allow interactions between objects in different domains.

00:32.100 --> 00:40.590
If I do a word count on this, you can see there's over one hundred thousand rules in use by the targeted

00:40.590 --> 00:42.270
policy.

00:42.270 --> 00:48.450
If you're still confused, and I suspect that you are, that's OK.

00:48.750 --> 00:57.810
We're going to do a quick example to help clarify the significance of allow rules. For this I'm going

00:57.810 --> 00:59.670
to be needing the Apache web server.

00:59.670 --> 01:10.830
So let's go ahead and install that: httpd. That's Ctrl-C, and kill this process with kill -9 9746

01:10.830 --> 01:14.880
and retry

01:17.840 --> 01:19.470
after the install.

01:19.490 --> 01:27.480
I'm going to systemctl status, if I can spell it correctly.

01:27.520 --> 01:27.960
Right.

01:28.030 --> 01:32.620
httpd, to check if my service is active and running. It isn't.

01:32.650 --> 01:34.390
So let's go ahead and stop this.

01:34.400 --> 01:40.720
I'm going to change that to start, and if I check again,

01:41.600 --> 01:47.190
so my service is up and running, and I can check the default document root with a long list.

01:47.570 --> 01:50.960
So that's /var/www/html.

01:51.860 --> 01:54.560
There's nothing in this folder at the moment.

01:54.560 --> 01:58.100
So I can go ahead and say touch.

01:58.130 --> 02:02.950
Let's call the file index.html.

02:03.020 --> 02:12.050
If I now go through and check the SELinux context on this file, you can see the type.

02:12.620 --> 02:17.560
I'm also going to ps -eZ and grep for

02:17.570 --> 02:19.370
httpd.

02:23.420 --> 02:24.240
httpd_t.

02:24.350 --> 02:38.190
OK, so this is the domain of the Apache daemon and this is the type of the file. I want to jot

02:38.220 --> 02:41.690
down these values so we can check them against the allow rules.

02:42.480 --> 02:45.680
I'm just gonna go ahead and copy this.

02:45.990 --> 02:56.140
So that's copy that, Ctrl-C, and well, a few seconds ago I did sesearch --allow

02:56.160 --> 03:00.890
to list all the allow rules on this server.

03:01.050 --> 03:10.350
This time I'm going to grep for this domain, so let's clear my screen and enter.

03:10.410 --> 03:18.210
We've still got a lot of lines, so let's streamline the results further with grep httpd_t.

03:18.240 --> 03:26.550
Let's clear my screen and redo that so we can see things very clearly.

03:26.610 --> 03:34.000
These are the rules that currently control the interaction between the objects in these two domains.

03:34.080 --> 03:41.860
So presently the daemons in this domain are allowed to access the files, the folders and the shortcuts

03:41.890 --> 03:43.830
in this domain.

03:43.830 --> 03:51.930
We can go through and test this with wget http://localhost/

03:51.930 --> 03:55.640
index.html.

03:56.300 --> 04:02.910
And if I do a list, then you can see that we were able to successfully download the file, because the

04:02.910 --> 04:10.100
web server daemon, the Apache daemon, is allowed to interact with the domain of the requested file.

04:10.170 --> 04:17.740
Let's change the context of the index file with chcon -t.

04:17.760 --> 04:30.990
I'm going to call this new domain admin_home_t on /var/www/html/

04:30.990 --> 04:32.680
index.html.

04:33.060 --> 04:39.490
We can verify with a long list, and let's just copy the path and paste it.

04:41.010 --> 04:43.370
Here we go. For now,

04:43.380 --> 04:55.750
let's retry the wget command. This time it fails, because the file is now inside a domain

04:55.770 --> 05:03.850
that's not allowed to interact with the Apache process. So this was a rather simplistic example.

05:04.260 --> 05:11.400
I want you to go back and watch this movie again until you understand the demonstrations and the concept

05:11.850 --> 05:13.670
of allow rules.

05:13.890 --> 05:15.480
Well, that's all for now.

05:15.510 --> 05:18.990
Thank you for your time, and I hope to see you in the next lesson.