Score:1

Where do I get full list of SELinux access control types?

cn flag

I can't find any explanation of how to list all access control types in SELinux, e.g. httpd_log_t, httpd_sys_content_t.

I would like to see them all.

Score:1
jo flag

You can get a list of types by running the command seinfo -t.

But note, not all types are object types, some are considered domain types.

A typically more surgical command is sesearch, which might offer you more of an explanation of what you want. You can, for example, find out all the permitted files that httpd_t can access using sesearch.

$ sesearch -s httpd_t -c file -A
allow daemon cluster_conf_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ daemons_enable_cluster_mode ]:True
allow daemon cluster_conf_t:file { getattr ioctl lock open read }; [ daemons_enable_cluster_mode ]:False
...
...
allow nsswitch_domain var_yp_t:file { getattr ioctl lock open read }; [ nis_enabled ]:True
allow nsswitch_domain virt_var_lib_t:file { getattr ioctl lock open read };

Or perhaps you're only interested in the files httpd_t can write.

$ sesearch -s httpd_t -c file -A -p write
allow daemon cluster_conf_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ daemons_enable_cluster_mode ]:True
allow daemon cluster_tmp_t:file { append getattr ioctl lock read write }; [ daemons_enable_cluster_mode ]:True
allow daemon cluster_var_lib_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ daemons_enable_cluster_mode ]:True
allow daemon cluster_var_run_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ daemons_enable_cluster_mode ]:True
...
...
allow httpd_t zarafa_var_lib_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow httpd_t zoneminder_rw_content_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ httpd_builtin_scripting ]:True
allow httpd_t zoneminder_var_lib_t:file { append create getattr ioctl link lock open read rename setattr unlink write };

Alternatively, perhaps you want to know what types have the ability to write into certain files like httpd_log_t.

$ sesearch -t httpd_log_t -c file -p write -A
allow abrt_dump_oops_t non_security_file_type:file { append create getattr ioctl link lock map open read rename setattr unlink write };
...
...
allow systemd_tmpfiles_t non_auth_file_type:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };
allow webadm_t httpd_log_t:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };

Furthermore, if you want to know what classes of objects there are and the permissions available for them, a list can be obtained using seinfo -xc.

All these in combination let you create custom sesearch rules to look through policy and see what is permitted.

Boppity Bop
cn flag
Great answer thank you!
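The sesearch listings above include both branches of every conditional rule (the trailing "[ boolean ]:True/False"), so a rule that appears in the output is not necessarily in force on the running system. The following is an added example, not code from the answer or from the setools project: a small Python parser for allow-rule lines in the shape sesearch prints them, which then filters the rules by the boolean states you would get from getsebool and answers the two questions the answer poses (who can write httpd_log_t, what can httpd_t write). The sample lines are constructed from the ones quoted above; the boolean values assigned to them are assumed for illustration. Attribute names such as "daemon" are reported as printed, since the parser has no policy to expand them against.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed sample in the shape of `sesearch -A` output (modelled on the lines
# quoted in the answer; not captured from a live system). Conditional rules end
# in "[ boolean ]:True/False" and sesearch prints BOTH branches.
SAMPLE_OUTPUT = """\
allow daemon cluster_conf_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ daemons_enable_cluster_mode ]:True
allow daemon cluster_conf_t:file { getattr ioctl lock open read }; [ daemons_enable_cluster_mode ]:False
allow nsswitch_domain virt_var_lib_t:file { getattr ioctl lock open read };
allow httpd_t zoneminder_rw_content_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ httpd_builtin_scripting ]:True
allow webadm_t httpd_log_t:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };
allow httpd_t httpd_log_t:dir search;
"""

# allow <source> <target>:<class> { perm perm ... } ; [ <cond> ]:<state>
# A single permission is printed without braces; the conditional suffix is optional.
RULE_RE = re.compile(
    r"^allow\s+(?P<source>\S+)\s+(?P<target>[^\s:]+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\w+))\s*;"
    r"(?:\s*\[\s*(?P<cond>[^\]]+?)\s*\]:(?P<state>True|False))?\s*$"
)


@dataclass(frozen=True)
class AllowRule:
    source: str            # source type or attribute (e.g. httpd_t, daemon)
    target: str            # target type or attribute (e.g. httpd_log_t)
    cls: str               # object class (file, dir, ...)
    perms: FrozenSet[str]  # permissions granted on that class
    cond: Optional[str]    # boolean expression the rule depends on, or None
    state: Optional[bool]  # branch of the conditional the rule belongs to


def parse_rules(text: str) -> List[AllowRule]:
    """Parse allow lines from sesearch output into AllowRule records.

    Non-allow lines (blank lines, the "..." used to elide output, allowxperm
    rules) are skipped; an allow line that does not parse raises ValueError.
    """
    rules: List[AllowRule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("allow "):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised allow rule: {line!r}")
        perms = m.group("perms").split() if m.group("perms") is not None else [m.group("perm")]
        state = None if m.group("state") is None else m.group("state") == "True"
        rules.append(AllowRule(m.group("source"), m.group("target"), m.group("cls"),
                               frozenset(perms), m.group("cond"), state))
    return rules


def active_rules(rules: List[AllowRule], booleans: Dict[str, bool]) -> List[AllowRule]:
    """Keep unconditional rules plus conditional rules whose boolean is in the
    given state. Rules whose boolean is not in `booleans` are dropped rather
    than assumed. Only single-boolean conditions are resolved; a compound
    expression is kept as one string and will simply not match a key."""
    return [r for r in rules if r.cond is None or booleans.get(r.cond) is r.state]


def sources_with_perm(rules: List[AllowRule], target: str, perm: str, cls: str = "file") -> Set[str]:
    """Source types/attributes holding `perm` on target:cls (the -t query)."""
    return {r.source for r in rules if r.target == target and r.cls == cls and perm in r.perms}


def targets_with_perm(rules: List[AllowRule], source: str, perm: str, cls: str = "file") -> Set[str]:
    """Target types/attributes on which `source` holds `perm` for cls (the -s query)."""
    return {r.target for r in rules if r.source == source and r.cls == cls and perm in r.perms}


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_OUTPUT)
    # Assumed boolean states for the demonstration; on a real host take them from getsebool -a.
    bools = {"daemons_enable_cluster_mode": False, "httpd_builtin_scripting": True}
    live = active_rules(rules, bools)
    print(f"{len(rules)} rules parsed, {len(live)} in force under {bools}")
    print("can write httpd_log_t:", sorted(sources_with_perm(live, "httpd_log_t", "write")))
    print("httpd_t can write:", sorted(targets_with_perm(live, "httpd_t", "write")))
```

Feeding real output in is a matter of piping sesearch into the script instead of using SAMPLE_OUTPUT; the point of the boolean filter is that the write access to cluster_conf_t printed in the first line disappears once daemons_enable_cluster_mode is off, which the raw listing alone does not tell you.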