Where do I get full list of SELinux access control types?

selinux centos8

I cant find any explanation how do I list all access control types in SELinux. E.g. httpd_log_t httpd_sys_content_t..

I would like to see them all


Solution 1:

You can get a list of types by running the command seinfo -t.

But note, not all types are object types, some are considered domain types.

A typically more surgical command is sesearch which might offer you more of an explanation of what you want. You can for example find out all the permitted files that httpd_t can access using sesearch.

$ sesearch -s httpd_t -c file -A
allow daemon cluster_conf_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ daemons_enable_cluster_mode ]:True
allow daemon cluster_conf_t:file { getattr ioctl lock open read }; [ daemons_enable_cluster_mode ]:False
...
...
allow nsswitch_domain var_yp_t:file { getattr ioctl lock open read }; [ nis_enabled ]:True
allow nsswitch_domain virt_var_lib_t:file { getattr ioctl lock open read };

Or perhaps you're only interested in the files httpd_t can write..

$ sesearch -s httpd_t -c file -A -p write
allow daemon cluster_conf_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ daemons_enable_cluster_mode ]:True
allow daemon cluster_tmp_t:file { append getattr ioctl lock read write }; [ daemons_enable_cluster_mode ]:True
allow daemon cluster_var_lib_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ daemons_enable_cluster_mode ]:True
allow daemon cluster_var_run_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ daemons_enable_cluster_mode ]:True
...
...
allow httpd_t zarafa_var_lib_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow httpd_t zoneminder_rw_content_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ httpd_builtin_scripting ]:True
allow httpd_t zoneminder_var_lib_t:file { append create getattr ioctl link lock open read rename setattr unlink write };

Alternatively, perhaps you want to know what types have the ability to write into certain files like httpd_log_t.

$ sesearch -t httpd_log_t -c file -p write -A
allow abrt_dump_oops_t non_security_file_type:file { append create getattr ioctl link lock map open read rename setattr unlink write };
...
...
allow systemd_tmpfiles_t non_auth_file_type:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };
allow webadm_t httpd_log_t:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };

Furthermore if you want to know what classes of objects there are and the permissions available for them, a list can be obtained using seinfo -xc.

All these in combination let you create custom sesearch rules to look through policy and see what is permitted.

Related

Are SHA-1 client certificates unsupported in W10 Edge/IE11?
could not launch vCenter vSphere client
How to increase speed of RAID 5 with mdadm + luks + lvm
How to create conditional behaviour with pam_exec and PAM_TYPE?
AWS Organizations - How to globally set boundaries to allow assess only to predefined set of services?
Modelling or modeling? [duplicate]
What is the meaning of "less a function of" in the following sentence
What is the origin of the phrase "do a line with someone"?
The meaning and usage of "logo schmogo" [duplicate]
Improper placement of a comma
What does it mean "It’s raining men"? [closed]
Use of "will" in a past tense sentence