CentOS 6
Sponsored Link

SELinux : Use sesearch
2016/07/26
 
Search SELinux Policy to use sesearch command.
[1] Some examples of using sesearch are follows.
If sesearch command is none, Install it with "yum install setools-console".
# display allowed rules all (displayed many rules)

[root@dlp ~]#
sesearch --allow

Found 95937 semantic av rules:
   allow logrotate_t systemd_passwd_var_run_t : sock_file { ioctl read write create getattr setattr lock...
   allow dmidecode_t virtd_t : fd use ;
   allow ssh_keygen_t anaconda_t : fd use ;
   allow logadm_t systemd_passwd_var_run_t : sock_file { ioctl read write create getattr setattr lock app...
   allow unconfined_dbusd_t unconfined_dbusd_t : x_device { getattr setattr use read write getfocus setfo...
.....
.....


# display rules which httpd_t domain is allowed to access

# -d (--direct) means literally search

[root@dlp ~]#
sesearch -s httpd_t --allow -d

Found 915 semantic av rules:
   allow httpd_t system_dbusd_t : unix_stream_socket connectto ;
   allow httpd_t dirsrv_config_t : file { ioctl read write create getattr setattr lock append unlink link rename op...
   allow httpd_t dirsrv_config_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name r...
   allow httpd_t httpd_squirrelmail_t : file { ioctl read write create getattr setattr lock append unlink link rena...
.....
.....


# display allowed rules which domain can access to httpd_sys_script_exec_t type

[root@dlp ~]#
sesearch -t httpd_sys_script_exec_t --allow -d

Found 10 semantic av rules:
   allow httpd_sys_script_t httpd_sys_script_exec_t : file { ioctl read getattr lock execute execute_no_trans entryp...
   allow httpd_sys_script_t httpd_sys_script_exec_t : dir { ioctl read getattr lock search open } ;
   allow httpd_sys_script_exec_t httpd_sys_script_exec_t : filesystem associate ;
   allow openshift_domain httpd_sys_script_exec_t : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow openshift_domain httpd_sys_script_exec_t : dir { getattr search open } ;
.....
.....


# display allowed rules which domain can write to shadow_t type files

[root@dlp ~]#
sesearch -t shadow_t -c file -p write --allow

Found 10 semantic av rules:
   allow updpwd_t shadow_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow yppasswdd_t shadow_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unl...
   allow pegasus_openlmi_account_t shadow_t : file { ioctl read write create getattr setattr lock relabelfrom relabe...
   allow files_unconfined_type file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto...
   allow sysadm_passwd_t shadow_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append...
.....
.....

# display defined rules on Boolean value samba_enable_home_dirs

[root@dlp ~]#
sesearch -b samba_enable_home_dirs --allow -d

Found 8 semantic av rules:
   allow smbd_t home_root_t : dir { ioctl read getattr lock search open } ;
   allow smbd_t home_root_t : lnk_file { read getattr } ;
   allow smbd_t user_home_type : file { ioctl read write create getattr setattr lock append unlink link rename open  ...
   allow smbd_t user_home_type : dir { ioctl read write create getattr setattr lock unlink link rename add_name remov...
   allow smbd_t user_home_type : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ;
.....
.....
 
Tweet