On Tue, Jan 14, 2020 at 11:44 AM Gionatan Danti <g.danti@xxxxxxxxxx> wrote: > On 14/01/20 10:37, Ondrej Mosnacek wrote: > > Hi, > > When you access a path, you usually need only basic permissions > > (getattr, search, ...) for the parent components and the > > read/write/execute/... permissions (depending on what the service > > wants to do with the file) are only checked against the label of the > > file itself. Chances are that all/most domains already have > > permissions to traverse mnt_t directories, so it is likely that you > > won't need any additional permissions. But best to try running the > > service and see if you get any denials :) > > I'll do, thanks. > > As a side note, how can I check all permissions of a specific domains > (ie: libvirt in this case)? You can use the sesearch tool (from setools-console package). E.g.: sesearch -A -s virtd_t will show you all allow rules with "virtd_t" as the source type. Or: sesearch -A -s virtd_t -t mnt_t will show all allow rules with "virtd_t" as source type and "mnt_t" as target type. As usual, see the man page for more options. -- Ondrej Mosnacek <omosnace at redhat dot com> Software Engineer, Security Technologies Red Hat, Inc. _______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx