List of domains & types

Dominick Grift dominick.grift at gmail.com
Fri Feb 22 20:08:09 UTC 2013


On Fri, 2013-02-22 at 17:38 +0000, Alain Williams wrote:
> My exim config needs to speak to MySQL (for greylisting). 
> 
> To allow this to work I needed to run:
> 
>     setsebool -P exim_can_connect_db 1
> 
> And that seems to do the trick.
> Now sealert tells me:
> 
>     SELinux is preventing /usr/sbin/exim from getattr access on the file /usr/share/mysql/charsets/Index.xml.
> 
>     If you want to allow exim to have getattr access on the Index.xml file
>     Then you need to change the label on /usr/share/mysql/charsets/Index.xml
>     Do
>     # semanage fcontext -a -t FILE_TYPE '/usr/share/mysql/charsets/Index.xml'
> 
> It then lists a whole set of suggested types.
> 
> The label on /usr/share/mysql/charsets/Index.xml is system_u:object_r:usr_t:s0
> 
> I picked exim_t (which seemed reasonable - just on the name). But when I try I
> get permission denied, a bit of digging tells me that exim_t is a domain for a
> process rather than a type for a file.
> 
> Questions:
> 
> a) How do I work out what type to set the file to?
> 

In this case the optimal solution is to allow exim to read usr_t type
files, but for the sake of example:

1. We know content in /usr/share is usable read-only content
2. We know the generic type for /usr/share is usr_t

So we need a type of file that exim_t can read:

sesearch -A -s exim_t -c file -p read

( in Fedora 18 exim_t is allowed to read usr_t files -- a rule returned
by the command above )

But if it does not on your config you can look at the rules it returns
and see what type of files exim_t can read ({ read getattr open } are
at least needed to read a file).

So one (less optimal) type you could use would be cert_t or locale_t.

By learning the sesearch, semanage and seinfo tools and by being
creative and by having a basic understanding of the way things work one
can figure out a lot.

> b) I would presumably need to do so for every file in /usr/share/mysql/charsets/
> 

I guess this is a bug in CentOS 6.3, here is a quick fix:

mkdir ~/myexim; cd ~/myexim;
# quote the delimiter so the shell does not treat the m4 backquotes in
# optional_policy(` ... ') and gen_require(` ... ') as command substitution
cat > myexim.te <<'EOF'
policy_module(myexim, 1.0.0)
optional_policy(`
 gen_require(`
  type exim_t;
 ')

  # refpolicy interface: allow the exim_t domain to read generic usr_t content
  files_read_usr_files(exim_t)
')
EOF
make -f /usr/share/selinux/devel/Makefile myexim.pp
sudo semodule -i myexim.pp

> c) Is changing the type on a file so that the MTA can access it the right thing
>    anyway, should I not be allowing exim access to usr_t instead ... but would
>    that not open things too wide ?
> 

In this case it's most likely not the right thing to do. You should
probably keep it usr_t and allow exim_t to read usr_t type of content.

> d) More generally: where do I look to get a list of all the XXX_t, what they
>    are, what they are supposed to be used for, ... so that I can work out what
>    the best choice is ?
> 

seinfo and sesearch can do wonders if you know what to look for so
examples:

all types that are classified types for processes:
seinfo -xadomain

all types that are classified types for files:
seinfo -xafile_type

all classifications of the exim_t type:
seinfo -xtexim_t

all classification of the usr_t type:
seinfo -xtusr_t

Everyone that can read usr_t files:
sesearch -A -t usr_t -c file -p read

All files that exim_t can read:
sesearch -ASCT -s exim_t -c file -p read

One can be very creative with these two commands and analyze the policy
in detail. There are however still things that it cannot tell you, but
most it can tell.

For example:

It cannot tell you the main content of type attributes but it can show
you the characteristics of a type attribute:

for example ( determining the properties of the domain type attribute ):

sesearch -ASCT -s domain | grep " domain "
sesearch -ASCT -t domain | grep " domain "



> Regards
> 
> 
> PS I am using CentOS 6.3.
> 
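As an added example, not part of either poster's mail: a small shell helper that applies the "{ read getattr open } are at least needed" rule to `sesearch -A` output, listing only the target types a domain can actually read. The rule lines are a constructed sample (in both setools 3 and setools 4 print styles), not output from the poster's CentOS 6.3 box.

```shell
#!/bin/sh
# Constructed sample of `sesearch -A -s exim_t -c file` output.
# Mixed setools 3 ("usr_t : file { ... } ;") and setools 4
# ("usr_t:file { ... };") styles; NOT captured from a real system.
SAMPLE_RULES='Found 5 semantic av rules:
   allow exim_t usr_t : file { ioctl read getattr lock open } ;
   allow exim_t cert_t : file { ioctl read getattr lock open } ;
   allow exim_t exim_log_t : file { ioctl write getattr lock append open } ;
   allow exim_t locale_t : file { read getattr } ;
allow exim_t exim_tmp_t:file { ioctl read write create getattr setattr lock unlink open };'

# readable_types DOMAIN  (stdin = sesearch -A output)
# Prints, one per line, every target type on class "file" that DOMAIN may
# fully read, i.e. the rule grants read AND getattr AND open.  A rule that
# lacks any of the three (locale_t above has no open, exim_log_t has no
# read) is skipped, since a real open(2) for reading would still be denied.
readable_types() {
    awk -v src="$1" '
    $1 == "allow" && $2 == src {
        # normalise both print styles: drop ":" "{" "}" ";" so fields are
        # f[1]=allow f[2]=source f[3]=target f[4]=class f[5..n]=permissions
        line = $0; gsub(/[:{};]/, " ", line); n = split(line, f, " ")
        if (f[4] != "file") next
        has_read = 0; has_getattr = 0; has_open = 0
        for (i = 5; i <= n; i++) {
            if (f[i] == "read")    has_read = 1
            if (f[i] == "getattr") has_getattr = 1
            if (f[i] == "open")    has_open = 1
        }
        if (has_read && has_getattr && has_open) print f[3]
    }'
}

# can_read DOMAIN TYPE: exit 0 if TYPE appears in readable_types DOMAIN
can_read() {
    printf '%s\n' "$SAMPLE_RULES" | readable_types "$1" | grep -qx "$2"
}

# stand-alone demo: which types can exim_t read in the sample policy?
printf '%s\n' "$SAMPLE_RULES" | readable_types exim_t
```

On a live system replace the constructed sample with `sesearch -A -s exim_t -c file | readable_types exim_t`; the usr_t line is exactly what the files_read_usr_files(exim_t) module above is meant to produce.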
