On 09/09/2018 07:19 AM, Daniel Walsh wrote:
> sesearch -A -s httpd_t -t system_conf_t -p read
>
> If you feel that these files should not be part of the base_ro_files
> then we should open that for discussion.

I think the question was how users would know that the policy allowed
access, as he was printing rules affecting httpd_t's file read access,
and looking for system_conf_t in the output. I'm not sure if
base_ro_files is an alias, or if there's another type of association
between those two names, but I've also found that confusing in the past.
I don't see sesearch mentioned in the SELinux FAQ hosted by Fedora, and
the mention in CentOS's FAQ appears to be the invocation that Leon used,
which was less than helpful. I think both would be improved if they
started from an AVC log entry (which does appear in Fedora's FAQ), and
walked through the very simple steps of getting the type from a running
process, the type from a file or other resource, and then using sesearch
to find out what rules connect those two things, whether allowed or
disallowed.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
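
The walkthrough proposed in the message above, as an added example that is not part of the original thread: a shell function that starts from an AVC denial, extracts the source type, target type, class and permission, and prints the matching sesearch query. The sample log line and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample AVC denial (not taken from the thread).
SAMPLE_AVC='type=AVC msg=audit(1536500000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="example.conf" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file permissive=0'

# Print the value of the key=value field named $2 in AVC line $1.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# SELinux contexts are user:role:type[:level]; the type is field 3.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Permissions listed between the braces, comma-joined for sesearch -p.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p' | tr -s ' ' ','
}

# Turn one AVC denial into the sesearch query for the rules that connect
# the process type to the resource type. On a live system the same two
# types can be read with `ps -Z -p <pid>` and `ls -Z <path>`.
avc_to_sesearch() {
    line=$1
    case $line in
        *"avc:"*denied*) ;;
        *) echo "not an AVC denial" >&2; return 1 ;;
    esac
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    if [ -z "$src" ] || [ -z "$tgt" ] || [ -z "$cls" ] || [ -z "$perms" ]; then
        echo "incomplete AVC record" >&2
        return 1
    fi
    printf 'sesearch -A -s %s -t %s -c %s -p %s\n' "$src" "$tgt" "$cls" "$perms"
}

avc_to_sesearch "$SAMPLE_AVC"
```

If the printed query returns no rules when run against the loaded policy, no allow rule matches that source, target, class and permission.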