[CentOS] Type enforcement / mechanism not clear
Gordon Messmer
gordon.messmer at gmail.com
Sun Sep 9 16:23:56 UTC 2018
On 09/09/2018 07:19 AM, Daniel Walsh wrote:
> sesearch -A -s httpd_t -t system_conf_t -p read
>
> If you feel that these files should not be part of the base_ro_files
> then we should open that for discussion.
I think the question was how users would know that the policy allowed
access, as he was printing rules affecting httpd_t's file read access,
and looking for system_conf_t in the output. I'm not sure if
base_ro_files is an alias, or if there's another type of association
between those two names, but I've also found that confusing in the past.
I don't see sesearch mentioned in the SELinux FAQ hosted by Fedora, and
the mention in CentOS's FAQ appears to be the invocation that Leon used,
which was less than helpful. I think both would be improved if they
started from an AVC log entry (which does appear in Fedora's FAQ), and
walked through the very simple steps of getting the type from a running
process, the type from a file or other resource, and then using sesearch
to find out what rules connect those two things, whether allowed or
disallowed.
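The walk-through described above, as an added example that is not part of the original thread: a small POSIX sh helper that takes an AVC denial line, pulls the source and target types out of scontext/tcontext, and prints the sesearch query that shows which allow rules connect them. The AVC line is constructed for the example, not taken from a real system, and the sesearch command is printed rather than executed.

```shell
#!/bin/sh
# From an AVC denial to the sesearch query that explains it.
# The log entry below is constructed for this example; the field names
# (scontext, tcontext, tclass, the { perms } block) are the standard AVC format.
AVC_SAMPLE='type=AVC msg=audit(1536509000.100:42): avc:  denied  { read } for  pid=1234 comm="httpd" name="sysctl.conf" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file permissive=0'

# avc_field LINE NAME -> value of NAME=... in the entry, surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# ctx_type CONTEXT -> the type component of user:role:TYPE:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE -> permissions listed inside { }, comma-joined for sesearch -p
avc_perms() {
    perms=$(printf '%s\n' "$1" | sed -n 's/.*{\([^}]*\)}.*/\1/p')
    # word-splitting normalises the whitespace around the permission names
    set -- $perms
    (IFS=,; printf '%s\n' "$*")
}

# sesearch_cmd LINE -> allow-rule query for the denial's source, target, class and perms
sesearch_cmd() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    printf 'sesearch -A -s %s -t %s -c %s -p %s\n' "$src" "$tgt" "$cls" "$(avc_perms "$1")"
}

# Prints: sesearch -A -s httpd_t -t system_conf_t -c file -p read
sesearch_cmd "$AVC_SAMPLE"
```

Run the printed command on the host that logged the denial; if it prints nothing, no allow rule covers that access and the denial is expected under the loaded policy.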