Where do I get full list of SELinux access control types?

I can't find any explanation of how to list all access control types in SELinux, e.g. httpd_log_t, httpd_sys_content_t.

I would like to see them all.


Solution 1:

You can get a list of types by running the command seinfo -t.

But note, not all types are object types, some are considered domain types.

A typically more surgical command is sesearch, which might offer you more of an explanation of what you want. You can for example find out all the permitted files that httpd_t can access using sesearch.

$ sesearch -s httpd_t -c file -A
allow daemon cluster_conf_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ daemons_enable_cluster_mode ]:True
allow daemon cluster_conf_t:file { getattr ioctl lock open read }; [ daemons_enable_cluster_mode ]:False
...
...
allow nsswitch_domain var_yp_t:file { getattr ioctl lock open read }; [ nis_enabled ]:True
allow nsswitch_domain virt_var_lib_t:file { getattr ioctl lock open read };

Or perhaps you're only interested in the files httpd_t can write.

$ sesearch -s httpd_t -c file -A -p write
allow daemon cluster_conf_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ daemons_enable_cluster_mode ]:True
allow daemon cluster_tmp_t:file { append getattr ioctl lock read write }; [ daemons_enable_cluster_mode ]:True
allow daemon cluster_var_lib_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ daemons_enable_cluster_mode ]:True
allow daemon cluster_var_run_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ daemons_enable_cluster_mode ]:True
...
...
allow httpd_t zarafa_var_lib_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow httpd_t zoneminder_rw_content_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ httpd_builtin_scripting ]:True
allow httpd_t zoneminder_var_lib_t:file { append create getattr ioctl link lock open read rename setattr unlink write };

Alternatively, perhaps you want to know what types have the ability to write into certain files like httpd_log_t.

$ sesearch -t httpd_log_t -c file -p write -A
allow abrt_dump_oops_t non_security_file_type:file { append create getattr ioctl link lock map open read rename setattr unlink write };
...
...
allow systemd_tmpfiles_t non_auth_file_type:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };
allow webadm_t httpd_log_t:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };

Furthermore if you want to know what classes of objects there are and the permissions available for them, a list can be obtained using seinfo -xc.

All these in combination let you create custom sesearch rules to look through policy and see what is permitted.
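Three things in the output above are easy to misread when you turn the answer's queries into an audit, so here is an added example (not part of the original answer, and not setools code) that post-processes sesearch output to make them explicit. First, `-s httpd_t` also returns rules whose source is an attribute that httpd_t carries (the `daemon` and `nsswitch_domain` lines), and a target such as `non_security_file_type` is likewise an attribute standing for many types; `seinfo -a daemon -x` expands an attribute to its member types. Second, a trailing `[ bool ]:True` means the rule is only in effect while that boolean is on, which `getsebool` reports. Third, `-p write` matches rules that grant `write`; a rule granting only `append` (common for log types) does not show up, so absence from that listing is not absence of the ability to add data. The `SAMPLE_RULES` below are constructed lines in the shape of the output above, not a dump of any real policy; `summarize_write_rules`, `write_targets_for` and `bool_states` are names chosen for this example, and the last two only do anything on a host where setools and `getsebool` are installed.

```shell
#!/bin/sh
# Added example: summarise "sesearch ... -A" output for a given source type.
# Each qualifying line becomes:  TARGET_TYPE <tab> always|if BOOL=State <tab> direct|attribute SRC
# Only rules that grant the "write" permission are reported, which is exactly what
# "sesearch -p write" matches; append-only rules are deliberately skipped, as they are there.

# Constructed sample in the shape of the answer's output (NOT a real policy dump).
SAMPLE_RULES='allow daemon cluster_conf_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ daemons_enable_cluster_mode ]:True
allow daemon cluster_conf_t:file { getattr ioctl lock open read }; [ daemons_enable_cluster_mode ]:False
allow httpd_t httpd_log_t:file { append create getattr ioctl lock open setattr };
allow httpd_t zarafa_var_lib_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow httpd_t zoneminder_rw_content_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ httpd_builtin_scripting ]:True'

# summarize_write_rules WANTED_SOURCE  (reads sesearch output on stdin)
summarize_write_rules() {
  awk -v want="$1" '
    /^allow / {
      src = $2
      split($3, tc, ":")                 # "cluster_conf_t:file" -> type, class
      tgt = tc[1]
      s = index($0, "{"); e = index($0, "}")
      if (s > 0) {                       # { perm perm ... } form
        perms = " " substr($0, s + 1, e - s - 1) " "
      } else {                           # single-permission form: "allow a b:file write;"
        p = $4; sub(/;$/, "", p); perms = " " p " "
      }
      if (index(perms, " write ") == 0) next
      how = "always"
      # conditional rules carry "[ bool_name ]:True" (or :False) at the end
      if (match($0, /\[ [A-Za-z0-9_]+ \]:(True|False)/)) {
        cond = substr($0, RSTART + 2, RLENGTH - 2)   # "bool_name ]:True"
        sub(/ \]:/, "=", cond)                       # "bool_name=True"
        how = "if " cond
      }
      # A source other than the one asked for means sesearch matched it through
      # an attribute the wanted type carries (e.g. httpd_t is in "daemon").
      via = (src == want) ? "direct" : "attribute " src
      printf "%s\t%s\t%s\n", tgt, how, via
    }'
}

# write_targets_for TYPE: run the real query (needs setools) and summarise it.
write_targets_for() {
  sesearch -s "$1" -c file -p write -A | summarize_write_rules "$1"
}

# bool_states: given summarised rules on stdin, print the live value of every
# boolean that gates one of them ("name --> on|off"). Needs getsebool.
bool_states() {
  awk -F'\t' '$2 ~ /^if / { split($2, a, /[ =]/); print a[2] }' | sort -u |
  while read -r b; do getsebool "$b"; done
}

# Demo on the constructed sample; on a real host use: write_targets_for httpd_t
printf '%s\n' "$SAMPLE_RULES" | summarize_write_rules httpd_t
```

Feeding `write_targets_for httpd_t | bool_states` through the two functions on a real system tells you which of the conditional write grants are actually live right now; a type such as `cluster_conf_t` shows up here only because httpd_t has the `daemon` attribute, so expand `daemon` with seinfo before concluding the rule is httpd-specific.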