List of domains & types

Miroslav Grepl mgrepl at redhat.com
Mon Feb 25 09:40:28 UTC 2013


On 02/22/2013 09:08 PM, Dominick Grift wrote:
> On Fri, 2013-02-22 at 17:38 +0000, Alain Williams wrote:
>> My exim config needs to speak to MySQL (for greylisting).
>>
>> To allow this to work I needed to run:
>>
>>      setsebool -P exim_can_connect_db 1
>>
>> And that seems to do the trick.
>> Now sealert tells me:
>>
>>      SELinux is preventing /usr/sbin/exim from getattr access on the file /usr/share/mysql/charsets/Index.xml.
>>
>>      If you want to allow exim to have getattr access on the Index.xml file
>>      Then you need to change the label on /usr/share/mysql/charsets/Index.xml
>>      Do
>>      # semanage fcontext -a -t FILE_TYPE '/usr/share/mysql/charsets/Index.xml'
>>
>> It then lists a whole set of suggested types.
>>
>> The label on /usr/share/mysql/charsets/Index.xml is system_u:object_r:usr_t:s0
>>
>> I picked exim_t (which seemed reasonable - just on the name). But when I try I
>> get permission denied, a bit of digging tells me that exim_t is a domain for a
>> process rather than a type for a file.
>>
>> Questions:
>>
>> a) How do I work out what type to set the file to ?
>>
> In this case the optimal solution is to allow exim to read usr_t type
> files but for the sake of example:
>
> 1. We know content in /usr/share is usable read-only content
> 2. We know the generic type for /usr/share is usr_t
>
> So we need a type of file that exim_t can read-only:
>
> sesearch -A -s exim_t -c file -p read
>
> ( in Fedora 18 exim_t is allowed to read usr_t files -- a rule returned
> from the command above )
>
> But if it does not on your config you can look at the rules it returns
> and see what type of files exim_t can read ({ read getattr open } are
> at least needed to read a file)
>
> So one (less optimal) type you could use would be cert_t or locale_t
>
> By learning the sesearch , semanage and seinfo tools and by being
> creative and by having a basic understanding of the way things work one
> can figure out a lot
>
>> b) I would presumably need to do so for every file in /usr/share/mysql/charsets/
>>
> I guess this is a bug in CentOS 6.3, here is a quick fix:
>
> mkdir ~/myexim; cd ~/myexim;
> cat > myexim.te <<EOF
> policy_module(myexim, 1.0.0)
> optional_policy(`
>   gen_require(`
>    type exim_t;
>   ')
>
>    files_read_usr_files(exim_t)
> ')
> EOF
> make -f /usr/share/selinux/devel/Makefile myexim.pp
> sudo semodule -i myexim.pp
>
>> c) Is changing the type on a file so that the MTA can access it the right thing
>>     anyway, should I not be allowing exim access to usr_t instead ... but would
>>     that not open things too wide ?
>>
> In this case it's not the right thing to do most likely. You should
> probably keep it usr_t and allow exim_t to read usr_t type of content.
>
>> d) More generally: where do I look to get a list of all the XXX_t, what they
>>     are, what they are supposed to be used for, ... so that I can work out what
>>     the best choice is ?
>>
> seinfo and sesearch can do wonders if you know what to look for so
> examples:
>
> all types that are classified types for processes:
> seinfo -xadomain
>
> all types that are classified types for files:
> seinfo -xafile_type
>
> all classifications of the exim_t type:
> seinfo -xtexim_t
>
> all classification of the usr_t type:
> seinfo -xtusr_t
>
> Everyone that can read usr_t files:
> sesearch -A -t usr_t -c file -p read
>
> All files that exim_t can read:
> sesearch -ASCT -s exim_t -c file -p read
>
> One can be very creative with these two commands and analyze the policy
> in detail. There are however still things that it cannot tell you but
> most it can tell
>
> For example:
>
> It cannot tell you the main content of type attributes but it can show
> you the characteristics of a type attribute:
>
> for example (determining the properties of the domain type attribute):
>
> sesearch -ASCT -s domain | grep " domain "
> sesearch -ASCT -t domain | grep " domain "
>
>
>
>> Regards
>>
>>
>> PS I am using CentOS 6.3.
>>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Yeap, this is a bug. I added a fix to RHEL6.5. Please go with the local 
policy which Dominick posted.
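As an added illustration of Dominick's point that one has to read the rules sesearch returns and check that a target type carries all of { read getattr open } before picking it as a file label (this is example code, not from the thread), the script below parses allow rules in the shape sesearch -A prints and lists the file types a domain can actually read. The sample sesearch output is constructed; real output varies with the policy and setools version.

```python
import re

# Matches allow rules in both the setools 3 shape
# ("allow exim_t usr_t : file { read open } ;") and the setools 4 shape
# ("allow exim_t usr_t:file { open read };"), with or without braces.
ALLOW_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+)\s*:\s*(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\S+?))\s*;"
)

# Constructed sample of `sesearch -A -s exim_t -c file -p read` output.
SAMPLE_SESEARCH = """\
Found 7 semantic av rules:
   allow exim_t usr_t : file { ioctl read getattr lock open } ;
   allow exim_t cert_t : file { ioctl read getattr lock open } ;
   allow exim_t locale_t : file { ioctl read getattr lock open } ;
   allow exim_t exim_spool_t : file { read write create getattr setattr open } ;
   allow exim_t etc_t : file { getattr } ;
   allow exim_t etc_t : file { read open } ;
   allow exim_t proc_t : file read ;
"""


def parse_allow_rules(text):
    """Return (source, target, class, set-of-perms) for every allow rule in text."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if not m:
            continue  # header lines such as "Found N semantic av rules:"
        braced = m.group("perms")
        perms = set(braced.split()) if braced is not None else {m.group("perm")}
        rules.append((m.group("src"), m.group("tgt"), m.group("cls"), perms))
    return rules


def readable_types(rules, domain, needed=frozenset({"read", "getattr", "open"}),
                   cls="file"):
    """Target types on which `domain` holds every permission in `needed`.

    Permissions are merged across rules, since one type may be granted
    getattr in one rule and read/open in another.
    """
    by_target = {}
    for src, tgt, c, perms in rules:
        if src == domain and c == cls:
            by_target.setdefault(tgt, set()).update(perms)
    return sorted(t for t, p in by_target.items() if needed <= p)


if __name__ == "__main__":
    # proc_t is excluded: read alone is not enough to open and stat a file.
    print(readable_types(parse_allow_rules(SAMPLE_SESEARCH), "exim_t"))
```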

