SELinux : Use sesearch
2016/07/26 |
Search SELinux Policy to use sesearch command.
|
|
[1] | Some examples of using sesearch are follows. If sesearch command is none, Install it with "yum install setools-console". |
# display allowed rules all (displayed many rules) [root@dlp ~]# sesearch --allow Found 95937 semantic av rules: allow logrotate_t systemd_passwd_var_run_t : sock_file { ioctl read write create getattr setattr lock... allow dmidecode_t virtd_t : fd use ; allow ssh_keygen_t anaconda_t : fd use ; allow logadm_t systemd_passwd_var_run_t : sock_file { ioctl read write create getattr setattr lock app... allow unconfined_dbusd_t unconfined_dbusd_t : x_device { getattr setattr use read write getfocus setfo... ..... ..... # display rules which httpd_t domain is allowed to access # -d (--direct) means literally search [root@dlp ~]# sesearch -s httpd_t --allow -d Found 915 semantic av rules: allow httpd_t system_dbusd_t : unix_stream_socket connectto ; allow httpd_t dirsrv_config_t : file { ioctl read write create getattr setattr lock append unlink link rename op... allow httpd_t dirsrv_config_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name r... allow httpd_t httpd_squirrelmail_t : file { ioctl read write create getattr setattr lock append unlink link rena... ..... ..... # display allowed rules which domain can access to httpd_sys_script_exec_t type [root@dlp ~]# sesearch -t httpd_sys_script_exec_t --allow -d Found 10 semantic av rules: allow httpd_sys_script_t httpd_sys_script_exec_t : file { ioctl read getattr lock execute execute_no_trans entryp... allow httpd_sys_script_t httpd_sys_script_exec_t : dir { ioctl read getattr lock search open } ; allow httpd_sys_script_exec_t httpd_sys_script_exec_t : filesystem associate ; allow openshift_domain httpd_sys_script_exec_t : file { ioctl read getattr lock execute execute_no_trans open } ; allow openshift_domain httpd_sys_script_exec_t : dir { getattr search open } ; ..... ..... # display allowed rules which domain can write to shadow_t type files [root@dlp ~]# sesearch -t shadow_t -c file -p write --allow Found 10 semantic av rules: allow updpwd_t shadow_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; allow yppasswdd_t shadow_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unl... allow pegasus_openlmi_account_t shadow_t : file { ioctl read write create getattr setattr lock relabelfrom relabe... allow files_unconfined_type file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto... allow sysadm_passwd_t shadow_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append... ..... ..... # display defined rules on Boolean value samba_enable_home_dirs [root@dlp ~]# sesearch -b samba_enable_home_dirs --allow -d Found 8 semantic av rules: allow smbd_t home_root_t : dir { ioctl read getattr lock search open } ; allow smbd_t home_root_t : lnk_file { read getattr } ; allow smbd_t user_home_type : file { ioctl read write create getattr setattr lock append unlink link rename open ... allow smbd_t user_home_type : dir { ioctl read write create getattr setattr lock unlink link rename add_name remov... allow smbd_t user_home_type : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; ..... ..... |