On 09/09/2018 07:19 AM, Daniel Walsh wrote:
> sesearch -A -s httpd_t -t system_conf_t -p read
> If you feel that these files should not be part of the base_ro_files then we should open that for discussion.
I think the question was how users would know that the policy allowed access, as he was printing rules affecting httpd_t's file read access, and looking for system_conf_t in the output. I'm not sure if base_ro_files is an alias, or if there's another type of association between those two names, but I've also found that confusing in the past.
I don't see sesearch mentioned in the SELinux FAQ hosted by Fedora, and the mention in CentOS's FAQ appears to be the invocation that Leon used, which was less than helpful. I think both would be improved if they started from an AVC log entry (which does appear in Fedora's FAQ), and walked through the very simple steps of getting the type from a running process, the type from a file or other resource, and then using sesearch to find out what rules connect those two things, whether allowed or disallowed.
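The walkthrough sketched above (AVC entry, process type, resource type, then sesearch), as an added example that is not from this thread or from any project's documentation. It assumes setools 4 sesearch (-A, -D, -ds, -dt) plus procps `ps -o label` and coreutils `ls -Z`; the AVC line is constructed, not a real capture.

```shell
#!/bin/sh
# Added example: from an AVC log entry to the sesearch query that shows which
# rules connect the process type to the resource type. sesearch is only needed
# for the final step; the parsing works on any POSIX shell.

# Third colon-separated field of a context: "system_u:system_r:httpd_t:s0" -> httpd_t
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Value of a key=value field in an AVC line (scontext, tcontext, tclass, ...)
avc_field() { printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"; }

# Permissions inside the "denied  { ... }" braces, e.g. "read" or "read open"
avc_perms() { printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^ }]\) *}.*/\1/p'; }

# Type of a live process (ps -o label prints the full context) or of a file
process_type() { context_type "$(ps -o label= -p "$1")"; }
file_type()    { context_type "$(ls -dZ "$1" | awk '{print $1}')"; }

# One sesearch invocation: flag (-A allow, -D dontaudit), source, target, class, perms.
# With setools 4, -s/-t also match rules written against attributes that contain
# the type; that is how a rule on an attribute can grant httpd_t access to
# system_conf_t without naming it (add -ds/-dt to match only the types themselves).
sesearch_cmd() { printf 'sesearch %s -s %s -t %s -c %s -p %s\n' "$1" "$2" "$3" "$4" "$5"; }

# From an AVC line to the query: parse contexts, reduce them to types, build the command.
avc_to_query() {
    line=$1; flag=${2:--A}
    src=$(context_type "$(avc_field "$line" scontext)")
    tgt=$(context_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line" | tr ' ' ',')
    sesearch_cmd "$flag" "$src" "$tgt" "$cls" "$perms"
}

# Run the allow query, then the dontaudit query, so a silently suppressed
# denial is not mistaken for a missing rule.
avc_rules() {
    for flag in -A -D; do
        q=$(avc_to_query "$1" "$flag"); echo "$q"; $q
    done
}

# Constructed sample AVC line (not a real capture), using the types from the thread.
SAMPLE_AVC='type=AVC msg=audit(1536500000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="resolv.conf" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file permissive=0'

# usage: sh avc_rules.sh '<AVC line>'   (e.g. a line copied from ausearch -m avc)
if [ "$#" -gt 0 ]; then avc_rules "$1"; fi
```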