search for: base_ro_fil

Am 09.09.2018 um 14:49 schrieb Daniel Walsh <dwalsh at redhat.com>: > > On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote: >> Any SElinux expert here - briefly: >> >> # getenforce >> Enforcing >> >> # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t >> <no output> >> >> # sesearch -ACR -s httpd_t -c file

On 09/09/2018 07:19 AM, Daniel Walsh wrote: > sesearch -A -s httpd_t -t system_conf_t -p read > > If you feel that these files should not be part of the base_ro_files > then we should open that for discussion. I think the question was how users would know that the policy allowed access, as he was printing rules affecting httpd_t's file read access, and looking for system_conf_t in the output.? I'm not sure if base_ro_files is an alias, or if t...

...scuss that all "etc_t" files can be read but why >> sysctl.conf with "system_conf_t" type can be read where it shouldn't?? >> >> Any pointer would be greatly appreciated. >> > > We allow apache and all domains to read all of what we define as base_ro_file_type types. > > sesearch -A -s httpd_t -t system_conf_t -p read > allow domain base_ro_file_type:dir { getattr ioctl lock open read search }; > allow domain base_ro_file_type:file { getattr ioctl lock open read }; > allow domain base_ro_file_type:lnk_file { getattr read }; > all...

...; Any pointer would be greatly appreciated. > > -- > LF > > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos We allow apache and all domains to read all of what we define as base_ro_file_type types. sesearch -A -s httpd_t -t system_conf_t -p read allow domain base_ro_file_type:dir { getattr ioctl lock open read search }; allow domain base_ro_file_type:file { getattr ioctl lock open read }; allow domain base_ro_file_type:lnk_file { getattr read }; allow httpd_t base_ro_file_type:f...