On Mon, Nov 17, 2014 at 09:18:51PM +0000, Paddie O'Brien wrote:
> Thanks. I was under the mistaken impression that unconfined_t got
> something for free. My new understanding is that it's by convention
> that policy writers give access to unconfined_t to their domains and
> they do so by adding explicit rules.
>
> Also I was missing file_type(mytype_exec_t) although I had
> domain_type(mytype_t). Is there a way to see what things like file_type
> and domain_type expand to? I want to know what's going on in the
> background.
>

Yes. Generally what file_type() and domain_type() do is associate a "type attribute" with the calling type. Type attributes are a way to group common rules. You could look at them as tags, in a way. Consider this example:

attribute cars;
type pinto, cars;
type chevy, cars;

attribute bicycle;
type specialized, bicycle;
type cannondale, bicycle;

Now we have 4 types grouped into two categories using type attributes: cars and bicycles. Now the type attributes can be used to write rules that apply to all the types associated with a particular type attribute:

allow cars i85:interstate 100mph;

Stupid example that allows "all cars (pinto and chevy)" to drive 100mph on the i95 interstate.

This concept of grouping types by associating type attributes with them is what is used a lot. file_type(myfile_t) associates the files_type attribute with the myfile_t type, effectively categorizing myfile_t as a type for a file. Similarly, domain_type(myprocess_t) categorizes myprocess_t as a type for processes.

So if you want to give some type access to all "files" rather than individual types:

allow myprocess_t files_type:file read;

Or if you want to allow all types associated with processes to write all types associated with files:

allow domain_type files_type:file write;

There are a lot of type attributes, and types (and other identifiers like roles) are grouped in many ways.

To see which rules apply you can use the seinfo and sesearch commands creatively.
Example: to list all attributes:

seinfo -a

To examine all attributes:

seinfo -xa

To see which attributes are associated with the unconfined_t type:

seinfo -xt unconfined_t

To see all rules associated with a particular attribute:

sesearch -A -t files_type

It takes a while to get creative with those two commands and with those concepts. Just remember selinux is like accounting in some ways, it's all about grouping and associating.

-- 
Dominick Grift
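The attribute expansion described above, as an added worked example that is not part of the original mail and not Dominick's or the setools project's code. It is a toy resolver for the handful of type-enforcement statements used in the mail (attribute, type, typeattribute, allow); the policy text, the attribute names (cars, bicycle, domain, file_type) and the type names are constructed for the example and do not come from a real policy. `expand()` plays the role of `seinfo -xa ATTR`, `attributes_of()` the role of `seinfo -xt TYPE`, and `rules_for()` the role of `sesearch -A -s/-t`, showing why a rule written against an attribute covers a type only once that type carries the attribute, which is exactly the missing file_type() problem from the quoted question.

```python
"""Toy resolver for SELinux type-enforcement statements (added example).

Parses ';'-terminated attribute/type/typeattribute/allow statements and
expands attribute-based allow rules to the concrete types they cover.
Not setools; real policies have many more statement kinds.
"""
import re
from collections import defaultdict

# Constructed sample policy; names are invented for the example.
SAMPLE_POLICY = """
attribute cars;
attribute bicycle;
attribute domain;
attribute file_type;
type pinto, cars;
type chevy, cars;
type specialized, bicycle;
type cannondale, bicycle;
type i95;
type myprocess_t, domain;
type myfile_t, file_type;
type other_t;
typeattribute other_t file_type;
type mytype_exec_t;
allow cars i95:interstate 100mph;
allow myprocess_t file_type:file read;
allow domain file_type:file { write append };
"""

_ALLOW = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(.+)$")


class TePolicy:
    def __init__(self, text=""):
        self.attributes = set()
        self.types = set()
        self.type_attrs = defaultdict(set)   # type -> attributes it carries
        self.rules = []                      # (source, target, tclass, perms)
        if text:
            self.load(text)

    def load(self, text):
        """Parse statements; later calls extend the policy already loaded."""
        for stmt in text.split(";"):
            stmt = " ".join(stmt.split())    # collapse newlines/whitespace
            if not stmt:
                continue
            words = stmt.replace(",", " ").split()
            kw = words[0]
            if kw == "attribute":
                self.attributes.add(words[1])
            elif kw == "type":
                self.types.add(words[1])
                for attr in words[2:]:
                    self._tag(words[1], attr)
            elif kw == "typeattribute":
                for attr in words[2:]:
                    self._tag(words[1], attr)
            elif kw == "allow":
                m = _ALLOW.match(stmt)
                if not m:
                    raise ValueError("malformed allow rule: " + stmt)
                src, tgt, tclass, perms = m.groups()
                for ident in (src, tgt):   # checkpolicy rejects undeclared names too
                    if ident not in self.types and ident not in self.attributes:
                        raise ValueError("unknown type or attribute: " + ident)
                self.rules.append((src, tgt, tclass, frozenset(perms.strip("{} ").split())))
            else:
                raise ValueError("unsupported statement: " + stmt)

    def _tag(self, typ, attr):
        if attr not in self.attributes:
            raise ValueError("undeclared attribute: " + attr)
        if typ not in self.types:
            raise ValueError("undeclared type: " + typ)
        self.type_attrs[typ].add(attr)

    def expand(self, ident):
        """Concrete types a type or attribute names (like seinfo -xa ATTR)."""
        if ident in self.attributes:
            return {t for t, attrs in self.type_attrs.items() if ident in attrs}
        if ident in self.types:
            return {ident}
        raise KeyError(ident)

    def attributes_of(self, typ):
        """Attributes a type carries (like seinfo -xt TYPE)."""
        return set(self.type_attrs.get(typ, ()))

    def rules_for(self, source=None, target=None):
        """Rules that apply to a type after attribute expansion (like sesearch -A)."""
        hits = []
        for src, tgt, tclass, perms in self.rules:
            if source is not None and source not in self.expand(src):
                continue
            if target is not None and target not in self.expand(tgt):
                continue
            hits.append((src, tgt, tclass, perms))
        return hits

    def allowed(self, source, target, tclass, perm):
        """Access check: does any expanded rule grant perm on tclass?"""
        return any(c == tclass and perm in p
                   for _, _, c, p in self.rules_for(source, target))


if __name__ == "__main__":
    p = TePolicy(SAMPLE_POLICY)
    print("file_type expands to:", sorted(p.expand("file_type")))
    print("rules hitting myfile_t:", p.rules_for(target="myfile_t"))
    print("pinto 100mph on i95:", p.allowed("pinto", "i95", "interstate", "100mph"))
    # mytype_exec_t was declared without file_type, so the domain rule misses it
    print("write mytype_exec_t:", p.allowed("myprocess_t", "mytype_exec_t", "file", "write"))
    p.load("typeattribute mytype_exec_t file_type;")
    print("...after tagging it file_type:", p.allowed("myprocess_t", "mytype_exec_t", "file", "write"))
```

Running it shows the point of the mail: `allow domain file_type:file { write append }` never mentions mytype_exec_t, yet it starts covering that type the moment a typeattribute (or the interface that emits one) tags it with file_type. The resolver only checks allow rules; a real access decision also involves constraints, MLS and booleans, which sesearch can show but this toy does not model.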
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.