Home / server / Questions / 1082414
Accepted
Boppity Bop
Asked: 2021-11-03 06:22:30 +0800 CST

Where do I get full list of SELinux access control types?

  • 772

I cant find any explanation how do I list all access control types in SELinux. E.g. httpd_log_t httpd_sys_content_t..

I would like to see them all

centos8 selinux

1 Answers

  1. Best Answer

    You can get a list of types by running the command seinfo -t.

    But note, not all types are object types, some are considered domain types.

    A typically more surgical command is sesearch which might offer you more of an explanation of what you want. You can for example find out all the permitted files that httpd_t can access using sesearch.

    $ sesearch -s httpd_t -c file -A
allow daemon cluster_conf_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ daemons_enable_cluster_mode ]:True
allow daemon cluster_conf_t:file { getattr ioctl lock open read }; [ daemons_enable_cluster_mode ]:False
...
...
allow nsswitch_domain var_yp_t:file { getattr ioctl lock open read }; [ nis_enabled ]:True
allow nsswitch_domain virt_var_lib_t:file { getattr ioctl lock open read };

    Or perhaps you're only interested in the files httpd_t can write..

    $ sesearch -s httpd_t -c file -A -p write
allow daemon cluster_conf_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ daemons_enable_cluster_mode ]:True
allow daemon cluster_tmp_t:file { append getattr ioctl lock read write }; [ daemons_enable_cluster_mode ]:True
allow daemon cluster_var_lib_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ daemons_enable_cluster_mode ]:True
allow daemon cluster_var_run_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ daemons_enable_cluster_mode ]:True
...
...
allow httpd_t zarafa_var_lib_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow httpd_t zoneminder_rw_content_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ httpd_builtin_scripting ]:True
allow httpd_t zoneminder_var_lib_t:file { append create getattr ioctl link lock open read rename setattr unlink write };

    Alternatively, perhaps you want to know what types have the ability to write into certain files like httpd_log_t.

    $ sesearch -t httpd_log_t -c file -p write -A
allow abrt_dump_oops_t non_security_file_type:file { append create getattr ioctl link lock map open read rename setattr unlink write };
...
...
allow systemd_tmpfiles_t non_auth_file_type:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };
allow webadm_t httpd_log_t:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };

    Furthermore if you want to know what classes of objects there are and the permissions available for them, a list can be obtained using seinfo -xc.

    All these in combination let you create custom sesearch rules to look through policy and see what is permitted.

    • 1