search for: base_ro_file_types

Displaying 3 results from an estimated 3 matches for "base_ro_file_types".

2018 Sep 10
1
Type enforcement / mechanism not clear
...attr ioctl lock open read search }; > allow domain base_ro_file_type:file { getattr ioctl lock open read }; > allow domain base_ro_file_type:lnk_file { getattr read }; > allow httpd_t base_ro_file_type:file { execute execute_no_trans getattr ioctl lock map open read }; > > > The base_ro_file_types are files executables that we consider part of the OS. So reading them should not reveal secrets. Thanks for the pointer. Puuh, this gets very layered but the big picture on the other side gets more clear So, to get a list of files that are allowed to be read, the masking attributes must be...
2018 Sep 09
3
Type enforcement / mechanism not clear
On 09.09.2018 at 14:49, Daniel Walsh <dwalsh at redhat.com> wrote: > > On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote: >> Any SElinux expert here - briefly: >> >> # getenforce >> Enforcing >> >> # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t >> <no output> >> >> # sesearch -ACR -s httpd_t -c file
2018 Sep 09
0
Type enforcement / mechanism not clear
...n base_ro_file_type:dir { getattr ioctl lock open read search }; allow domain base_ro_file_type:file { getattr ioctl lock open read }; allow domain base_ro_file_type:lnk_file { getattr read }; allow httpd_t base_ro_file_type:file { execute execute_no_trans getattr ioctl lock map open read }; The base_ro_file_types are files executables that we consider part of the OS. So reading them should not reveal secrets. If you feel that these files should not be part of the base_ro_files then we should open that for discussion.