[CentOS] Type enforcement / mechanism not clear

Sun Sep 9 16:23:56 UTC 2018
Gordon Messmer <gordon.messmer at gmail.com>

On 09/09/2018 07:19 AM, Daniel Walsh wrote:
> sesearch -A -s httpd_t -t system_conf_t -p read
> If you feel that these files should not be part of the base_ro_files 
> then we should open that for discussion.

I think the question was how users would know that the policy allowed 
access, as he was printing rules affecting httpd_t's file read access, 
and looking for system_conf_t in the output.  I'm not sure if 
base_ro_files is an alias, or if there's another type of association 
between those two names, but I've also found that confusing in the past.

I don't see sesearch mentioned in the SELinux FAQ hosted by Fedora, and 
the mention in CentOS's FAQ appears to be the invocation that Leon used, 
which was less than helpful.  I think both would be improved if they 
started from an AVC log entry (which does appear in Fedora's FAQ), and 
walked through the very simple steps of getting the type from a running 
process, the type from a file or other resource, and then using sesearch 
to find out what rules connect those two things, whether allowed or
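
The walk-through suggested above, as an added example that is not code from the CentOS thread or from either poster: a POSIX shell script with one function per step (domain of the running process, type of the file, the sesearch query joining them) plus a small parser over sesearch output that shows why a rule can be present without the literal target type appearing. It assumes a host with SELinux, procps (ps), GNU coreutils (stat) and setools (sesearch, seinfo); the contexts, the sesearch output line and the path /etc/sysctl.conf used in the offline part are constructed for illustration, and base_ro_file_type is assumed to be the attribute behind the base_ro_files name in the quoted mail.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes SELinux, procps,
# GNU coreutils and setools; the sample contexts and rule line are constructed.

# Steps 1 and 2 share one helper: the type is the third field of a context
# string such as system_u:system_r:httpd_t:s0.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Step 1: the domain of a running process (procps prints its context as "label").
proc_type() {
    ctx_type "$(ps -o label= -p "$1")"
}

# Step 2: the type of a file or other filesystem object (GNU stat %C).
file_type() {
    ctx_type "$(stat -c %C "$1")"
}

# Step 3: the sesearch query connecting source domain, target type, object
# class and permission. Give -c explicitly: "read" exists on many classes.
sesearch_query() {
    printf 'sesearch -A -s %s -t %s -c %s -p %s\n' "$1" "$2" "$3" "$4"
}

# Print the target token of each allow rule in sesearch output. setools
# matches -s and -t through attribute membership unless told to match the
# type directly, so the rule that grants access may name an attribute here
# and the literal type you searched for never shows up in the output.
rule_targets() {
    awk '$1 == "allow" { split($3, tgt, ":"); print tgt[1] }'
}

# Constructed sesearch output (not captured from a real system): the access is
# granted via an attribute rather than via the target type itself.
SAMPLE_RULES='allow httpd_t base_ro_file_type:file { getattr ioctl lock open read };'

# Expand an attribute name printed by rule_targets into its member types; this
# is where the concrete target type turns up. Needs setools on the host.
attr_members() {
    seinfo -a"$1" -x
}

# Offline walk-through on the constructed data.
printf 'process domain: %s\n' "$(ctx_type system_u:system_r:httpd_t:s0)"
printf 'file type:      %s\n' "$(ctx_type system_u:object_r:system_conf_t:s0)"
printf 'query:          %s\n' "$(sesearch_query httpd_t system_conf_t file read)"
printf 'rule target:    %s\n' "$(printf '%s\n' "$SAMPLE_RULES" | rule_targets)"

# Live run only where the tools exist: oldest httpd process against a file
# assumed here to carry system_conf_t on Fedora/CentOS policy.
if command -v sesearch >/dev/null 2>&1 && pid=$(pgrep -o httpd); then
    src=$(proc_type "$pid")
    tgt=$(file_type /etc/sysctl.conf)
    sesearch -A -s "$src" -t "$tgt" -c file -p read | rule_targets
fi
```

When rule_targets prints an attribute instead of the type you asked about, feed that attribute to attr_members; if the file's type is listed there, the rule does apply to it, which is the connection the sesearch output alone does not make visible.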