sesearch output

Dominick Grift dominick.grift at gmail.com
Tue Oct 16 15:04:06 UTC 2012



On Tue, 2012-10-16 at 15:39 +0100, Moray Henderson wrote:
> On CentOS 6 I'm trying to get logrotate to work on some web files.  At the
> moment they're httpd_sys_content_t and give 
> 
> Oct 16 03:43:06 sls kernel: type=1400 audit(1350355386.304:42512): avc:
> denied  { read write } for  pid=1275 comm="logrotate" name="dnsview.html"
> dev=dm-4 ino=263703 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
> 
> I wanted to see what did have access to those files, so used 
> 
> # sesearch --allow -t httpd_sys_content_t | less
> 
> I thought that would show me all the allow rules with a target of
> httpd_sys_content_t, but it seems to show other stuff as well, which
> confused me:
> 
>    allow logwatch_t file_type : filesystem getattr ;
>    allow logwatch_t file_type : file getattr ;
>    allow logwatch_t file_type : dir { getattr search open } ;
>    allow logwatch_t file_type : lnk_file getattr ;
> 
> and so on.  Is that supposed to show up?  Does it mean that logwatch can
> search all directories regardless of their context?

httpd_sys_content_t is classified a file_type, thus sesearch returning
these makes sense

when you run:

sesearch --allow -t httpd_sys_content_t | less

you query the policy.db for all allow rules where httpd_sys_content_t is
a target, directly or indirectly.

> Is there a context that would be appropriate for my files or will I need
> custom policy if I want to rotate them?
> 

logrotate is for rotating logfiles. types for log files are classified
"logfile"

So either classify your type logfile or use an existing type that is
classified logfile

list all types that are classified logfile
seinfo -xalogfile

list all the classifications of the httpd_sys_content_t type
seinfo -xthttpd_sys_content_t

list all classifications
seinfo -a

list all types
seinfo -t

query the policy database for logrotate_t access allowed to logfile targets

sesearch --ASCT -s logrotate_t -t logfile

etc etc

When you understand the concept of classifying things with type and role
attributes and learn how to use semanage, seinfo and sesearch to query
the policy.db then you can find solutions to any selinux policy problem.

I look at attributes as being able to append metadata to a type

It basically tells you, or allows you to specify, the properties of a type

by default a type is just a type

to make a type, for example, a type for files, you assign the existing
file_type type attribute to the type. Now it is classified a file type

Then you can write rules that apply to groups of types

so, for example, instead of allowing "myapp_t" to write files with a
single file type of "myfile_t", you can allow it to write all types that
are types of files (classified file_type)

allow myapp_t myfile_t:file write;

versus

allow myapp_t file_type:file write;

There are many classifications (type attributes) and you can create your
own and assign them to types

> 
> Moray.
> "To err is human; to purr, feline."
> 
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
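The following is an added illustration and is not code from either mail. It models, in plain Python, the two things the reply explains: that an allow rule whose target is a type attribute (file_type, logfile) applies to every type carrying that attribute, which is why `sesearch --allow -t httpd_sys_content_t` returns the logwatch_t rules, and that the AVC denial can be mapped onto the seinfo/sesearch queries from the reply. The type-to-attribute table and the allow rules are a constructed stand-in for a real policy.db; the sample denial is the one from the thread joined onto a single line. Nothing here executes seinfo or sesearch; the command strings are only built for the reader to run on the box.

```python
import re

# Constructed stand-in for a policy.db: type -> set of type attributes.
# A real policy has thousands of types; these three are enough to show the effect.
TYPE_ATTRIBUTES = {
    "httpd_sys_content_t": {"file_type", "httpdcontent"},
    "var_log_t": {"file_type", "logfile"},
    "myfile_t": {"file_type"},
}

# Constructed allow rules: (source type, target type or attribute, class, permissions).
# The first two mirror the logwatch_t rules quoted in the thread.
ALLOW_RULES = [
    ("logwatch_t", "file_type", "file", {"getattr"}),
    ("logwatch_t", "file_type", "dir", {"getattr", "search", "open"}),
    ("logrotate_t", "logfile", "file", {"read", "write", "getattr", "open"}),
    ("httpd_t", "httpd_sys_content_t", "file", {"read", "getattr", "open"}),
]

# Constructed sample: the denial from the thread, joined onto one line.
SAMPLE_AVC = (
    'type=1400 audit(1350355386.304:42512): avc: denied  { read write } for  pid=1275 '
    'comm="logrotate" name="dnsview.html" dev=dm-4 ino=263703 '
    'scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'
)


def expands_to(target_type, rule_target):
    """True if the rule's target names target_type directly or via an attribute it carries."""
    return rule_target == target_type or rule_target in TYPE_ATTRIBUTES.get(target_type, set())


def rules_for_target(target_type):
    """Mimic `sesearch --allow -t TYPE`: rules whose target matches directly or indirectly."""
    return [rule for rule in ALLOW_RULES if expands_to(target_type, rule[1])]


def is_allowed(source, target_type, tclass, perms):
    """Mimic the access check: every requested permission must be granted by some rule."""
    granted = set()
    for src, tgt, cls, rule_perms in ALLOW_RULES:
        if src == source and cls == tclass and expands_to(target_type, tgt):
            granted |= rule_perms
    return set(perms) <= granted


# user:role:TYPE:range -> capture TYPE (third field) of scontext and tcontext, then tclass.
AVC_RE = re.compile(
    r"scontext=(?:\S+?:){2}(\w+):\S*\s+tcontext=(?:\S+?:){2}(\w+):\S*\s+tclass=(\w+)"
)
PERM_RE = re.compile(r"denied\s+\{\s*([^}]*)\}")


def parse_avc(line):
    """Pull source type, target type, object class and denied permissions out of an AVC line."""
    ctx = AVC_RE.search(line)
    perms = PERM_RE.search(line)
    if not (ctx and perms):
        raise ValueError("not an AVC denial line")
    return {
        "source": ctx.group(1),
        "target": ctx.group(2),
        "tclass": ctx.group(3),
        "perms": set(perms.group(1).split()),
    }


def suggest_queries(avc):
    """Build the query commands from the reply, filled in from the denial (not executed)."""
    return [
        "seinfo -xt" + avc["target"],                                   # classifications of the target type
        "sesearch --allow -s %s -t %s" % (avc["source"], avc["target"]),  # what the source may already do
        "seinfo -xalogfile",                                            # types classified logfile
        "sesearch --ASCT -s %s -t logfile" % avc["source"],             # source access to logfile targets
    ]


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print("denied:", avc)
    print("allowed under the toy policy:", is_allowed(avc["source"], avc["target"], avc["tclass"], avc["perms"]))
    for rule in rules_for_target(avc["target"]):
        print("matching rule (direct or via attribute):", rule)
    for cmd in suggest_queries(avc):
        print("run:", cmd)
```

Against the toy policy the denial reproduces (logrotate_t only reaches logfile targets, and httpd_sys_content_t is not classified logfile), while the same request against var_log_t succeeds because that type carries the logfile attribute; this is the relabel-or-classify choice the reply describes.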