View custom selinux policies

selinux

Solution 1:

This answer is borrowed from this question. While it doesn't exactly answer the question of seeing all custom SELinux policies applied to the machine, it does provide the set of tools you would want to use to see any custom policies or narrow it down a fair bit.

Some of the commands to obtain this info are (examples use httpd_log_t):

  1. seinfo

    # seinfo -x --type=httpd_log_t /etc/selinux/default/policy/policy.26
   httpd_log_t
      file_type
      non_security_file_type
      logfile

  2. sesearch

    # sesearch --dontaudit -t httpd_log_t /etc/selinux/default/policy/policy.26 | head
Found 35 semantic av rules:
    dontaudit run_init_t file_type : dir { getattr search open } ;
    dontaudit staff_t non_security_file_type : file getattr ;
    dontaudit staff_t non_security_file_type : dir { ioctl read getattr lock search open } ;
    dontaudit staff_t non_security_file_type : lnk_file getattr ;
    dontaudit staff_t non_security_file_type : sock_file getattr ;
    dontaudit staff_t non_security_file_type : fifo_file getattr ;
    dontaudit unconfined_t non_security_file_type : file getattr ;
    dontaudit unconfined_t non_security_file_type : dir { ioctl read getattr lock search open } ;
    dontaudit unconfined_t non_security_file_type : lnk_file getattr ;

  3. semanage

    # semanage fcontext -l | grep httpd_log_t
/etc/httpd/logs                                    all files          system_u:object_r:httpd_log_t:s0
/var/log/apache(2)?(/.*)?                          all files          system_u:object_r:httpd_log_t:s0
/var/log/apache-ssl(2)?(/.*)?                      all files          system_u:object_r:httpd_log_t:s0
/var/log/cacti(/.*)?                               all files          system_u:object_r:httpd_log_t:s0
/var/log/cgiwrap\.log.*                            regular file       system_u:object_r:httpd_log_t:s0
/var/log/horde2(/.*)?                              all files          system_u:object_r:httpd_log_t:s0
/var/log/httpd(/.*)?                               all files          system_u:object_r:httpd_log_t:s0
/var/log/lighttpd(/.*)?                            all files          system_u:object_r:httpd_log_t:s0
/var/log/piranha(/.*)?                             all files          system_u:object_r:httpd_log_t:s0
/var/www(/.*)?/logs(/.*)?                          all files          system_u:object_r:httpd_log_t:s0

References: RHEL6 SELinux manual

Solution 2:

As of RHEL 7:

 semanage export

should export all local configuration changes.

Related

need to repeat the subject in a coordinate clause?
"Floh-ree-dah" rather than "Flor-duh"
what article should go before specific games?
Why does it sound wrong to my ears when someone says a thing "is aesthetic"? [closed]
Lecturer/Tutor at Online University, which word is more appropriate? [closed]
What does this explanation mean? [closed]
What is a yard of (pudding, ale, etc.)?
What does "were this away" mean in this context?
Is this sentence of Vitalik Buterin correct?
Singular and plural possessive of "species"
Past perfect continuous with verb "fall" as the second condition
Is there a frequency of the use of different parts of speech in English?