search for: base_ro_files

Displaying 4 results from an estimated 4 matches for "base_ro_files".

2018 Sep 09
3
Type enforcement / mechanism not clear
On 09.09.2018 at 14:49, Daniel Walsh <dwalsh at redhat.com> wrote: > > On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote: >> Any SElinux expert here - briefly: >> >> # getenforce >> Enforcing >> >> # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t >> <no output> >> >> # sesearch -ACR -s httpd_t -c file
2018 Sep 09
1
Type enforcement / mechanism not clear
On 09/09/2018 07:19 AM, Daniel Walsh wrote: > sesearch -A -s httpd_t -t system_conf_t -p read > > If you feel that these files should not be part of the base_ro_files > then we should open that for discussion. I think the question was how users would know that the policy allowed access, as he was printing rules affecting httpd_t's file read access, and looking for system_conf_t in the output. I'm not sure if base_ro_files is an alias, or if the...
2018 Sep 10
1
Type enforcement / mechanism not clear
...tem_conf_t) ; done tmpfile: configfile: system_conf_t rpm_transition_domain: base_ro_file_type: system_conf_t If the output of sesearch shows the preferred order then the "configfile" attribute allows actually the access ?? > If you feel that these files should not be part of the base_ro_files then we should open that for discussion. Despite this concrete case, a good practice is the one that follows the "need to know" principle. I will "disable" some read access here locally and accumulate some experiences with this approach. -- LF
2018 Sep 09
0
Type enforcement / mechanism not clear
...getattr read }; allow httpd_t base_ro_file_type:file { execute execute_no_trans getattr ioctl lock map open read }; The base_ro_file_types are files executables that we consider part of the OS. So reading them should not reveal secrets. If you feel that these files should not be part of the base_ro_files then we should open that for discussion.