SELinux : sesearch Basic Usage2025/01/02 |
Search the SELinux policy with the [sesearch] command. |
|
[1] | Some examples of using [sesearch] follow. If the [sesearch] command is not available, install it with [dnf install setools-console]. |
# display all allow rules (many rules are displayed) [root@dlp ~]# sesearch --allow allow NetworkManager_dispatcher_chronyc_script_t NetworkManager_dispatcher_chronyc_script_t:filesystem associate; allow NetworkManager_dispatcher_chronyc_t NetworkManager_dispatcher_chronyc_script_t:file { entrypoint execute getattr ioctl lock map open read }; allow NetworkManager_dispatcher_chronyc_t NetworkManager_dispatcher_chronyc_t:association sendto; allow NetworkManager_dispatcher_chronyc_t NetworkManager_dispatcher_chronyc_t:dir { getattr ioctl lock open read search watch }; allow NetworkManager_dispatcher_chronyc_t NetworkManager_dispatcher_chronyc_t:fifo_file { append getattr ioctl lock open read write }; allow NetworkManager_dispatcher_chronyc_t NetworkManager_dispatcher_chronyc_t:fifo_file { create link rename setattr unlink }; [ fips_mode ]:True allow NetworkManager_dispatcher_chronyc_t NetworkManager_dispatcher_chronyc_t:file { append getattr ioctl lock open read write }; allow NetworkManager_dispatcher_chronyc_t NetworkManager_dispatcher_chronyc_t:lnk_file { getattr ioctl lock read }; allow NetworkManager_dispatcher_chronyc_t NetworkManager_dispatcher_chronyc_t:peer recv; allow NetworkManager_dispatcher_chronyc_t NetworkManager_dispatcher_chronyc_t:process { fork getcap getsched sigchld sigkill signal signull sigstop }; ..... ..... 
# display rules which [httpd_t] domain is allowed to access [root@dlp ~]# sesearch -s httpd_t --allow allow corenet_unlabeled_type unlabeled_t:association { recvfrom sendto }; allow corenet_unlabeled_type unlabeled_t:dccp_socket recvfrom; allow corenet_unlabeled_type unlabeled_t:peer recv; allow corenet_unlabeled_type unlabeled_t:rawip_socket recvfrom; allow corenet_unlabeled_type unlabeled_t:tcp_socket recvfrom; allow corenet_unlabeled_type unlabeled_t:udp_socket recvfrom; allow daemon abrt_t:unix_stream_socket connectto; allow daemon abrt_var_run_t:sock_file { append getattr open write }; allow daemon auth_port_t:tcp_socket name_connect; [ daemons_use_tcp_wrapper ]:True allow daemon cluster_conf_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; [ daemons_enable_cluster_mode ]:True ..... ..... # display allowed rules which domain can access to [httpd_sys_script_exec_t] type [root@dlp ~]# sesearch -t httpd_sys_script_exec_t --allow allow NetworkManager_ssh_t file_type:filesystem getattr; allow NetworkManager_t file_type:filesystem getattr; allow abrt_dump_oops_t file_type:filesystem getattr; allow abrt_dump_oops_t non_security_file_type:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; allow abrt_dump_oops_t non_security_file_type:file { append create getattr ioctl link lock map open read rename setattr unlink watch watch_reads write }; allow abrt_dump_oops_t non_security_file_type:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write }; allow abrt_helper_t exec_type:dir { getattr open search }; allow abrt_helper_t exec_type:file { getattr ioctl lock open read }; allow abrt_helper_t file_type:filesystem getattr; allow abrt_t exec_type:file { execute execute_no_trans ioctl lock map open read }; ..... ..... 
# display allow rules for domains that can write to files of the [shadow_t] type (rules on attributes such as [file_type] also appear, because [sesearch] matches any attribute that includes [shadow_t], not only rules that name [shadow_t] directly) [root@dlp ~]# sesearch -t shadow_t -c file -p write --allow allow cockpit_session_t shadow_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; allow files_unconfined_type file_type:file { append audit_access create execute execute_no_trans getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink watch watch_mount watch_reads watch_sb watch_with_perm write }; allow groupadd_t shadow_t:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink watch watch_reads write }; allow kernel_t file_type:file { append create execute getattr ioctl link lock map open read relabelfrom relabelto rename setattr unlink watch watch_reads write }; allow passwd_t shadow_t:file { append create getattr ioctl link lock map open read relabelfrom relabelto rename setattr unlink watch watch_reads write }; allow pegasus_openlmi_account_t shadow_t:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink watch watch_reads write }; allow sysadm_passwd_t shadow_t:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink watch watch_reads write }; allow updpwd_t shadow_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; allow useradd_t shadow_t:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink watch watch_reads write }; allow yppasswdd_t shadow_t:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink watch watch_reads write }; ..... ..... 
# display the rules that depend on the Boolean [samba_enable_home_dirs] [root@dlp ~]# sesearch -b samba_enable_home_dirs --allow allow smbd_t httpd_user_content_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; [ samba_enable_home_dirs ]:True allow smbd_t httpd_user_content_t:dir { add_name getattr ioctl lock open read remove_name search write }; [ samba_enable_home_dirs ]:True allow smbd_t httpd_user_content_t:dir { add_name getattr ioctl lock open read remove_name search write }; [ samba_enable_home_dirs ]:True allow smbd_t httpd_user_content_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; [ samba_enable_home_dirs ]:True allow smbd_t httpd_user_content_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write }; [ samba_enable_home_dirs ]:True allow smbd_t user_home_dir_t:dir watch; [ samba_enable_home_dirs ]:True allow smbd_t user_home_dir_t:dir { add_name ioctl lock read remove_name write }; [ samba_enable_home_dirs ]:True allow smbd_t user_home_dir_t:dir { add_name ioctl lock read remove_name write }; [ samba_enable_home_dirs ]:True allow smbd_t user_home_dir_t:dir { add_name ioctl lock read remove_name write }; [ samba_enable_home_dirs ]:True allow smbd_t user_home_dir_t:dir { add_name ioctl lock read remove_name write }; [ samba_enable_home_dirs ]:True ..... ..... |
|