Types, permissions, and constraints
Now that we know more about types (for processes, files, and other resources), let's explore how these are used in the SELinux policy in more detail.
Understanding type attributes
We have discussed the sesearch application already and how it can be used to query the current SELinux policy. Let's look at a specific process transition:
$ sesearch -s initrc_t -t httpd_t -c process -p transition -A
allow initrc_domain daemon:process transition;
Even though we asked for the rules related to the initrc_t source domain and the httpd_t target, we get a rule back for the initrc_domain source domain and the daemon target. What sesearch did here was show us how the SELinux policy allows the requested permission, but through attributes assigned to the initrc_t and httpd_t types.
Type attributes in SELinux are used to group multiple types and assign privileges to those groups rather than having to assign the privileges to each type individually...
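The following added example (not from the original text, and not the sesearch implementation) models how a query for concrete types is matched against rules written on attributes. Only the allow rule on initrc_domain and daemon comes from the output above; the typeattribute statements, the sshd_t and httpd_log_t types, and the function names are assumptions made for illustration.

```python
import re

# Constructed sample policy. Only the first allow rule is taken from the
# sesearch output on this page; every other statement is an assumption.
SAMPLE_POLICY = """
typeattribute initrc_t initrc_domain;
typeattribute httpd_t daemon;
typeattribute httpd_t domain;
typeattribute sshd_t daemon;
allow initrc_domain daemon:process transition;
allow httpd_t httpd_log_t:file { append write };
"""

TYPEATTR = re.compile(r"typeattribute\s+(\w+)\s+(\w+)\s*;")
ALLOW = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")

def parse_policy(text):
    """Return (attrs, rules): type -> set of attributes, and the allow rules."""
    attrs, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := TYPEATTR.fullmatch(line):
            attrs.setdefault(m.group(1), set()).add(m.group(2))
        elif m := ALLOW.fullmatch(line):
            perms = set(m.group(4).strip("{} ").split())
            rules.append((m.group(1), m.group(2), m.group(3), perms))
    return attrs, rules

def search(attrs, rules, source, target, tclass, perm):
    """Model of the query above: a rule matches when its source and target
    name the queried type itself or any attribute assigned to that type."""
    src_names = {source} | attrs.get(source, set())
    tgt_names = {target} | attrs.get(target, set())
    hits = []
    for s, t, c, p in rules:
        if s in src_names and t in tgt_names and c == tclass and perm in p:
            plist = " ".join(sorted(p))
            hits.append(f"allow {s} {t}:{c} {plist if len(p) == 1 else '{ ' + plist + ' }'};")
    return hits

def types_with(attrs, attribute):
    """List every type that a rule written on this attribute also covers."""
    return sorted(t for t, a in attrs.items() if attribute in a)

if __name__ == "__main__":
    attrs, rules = parse_policy(SAMPLE_POLICY)
    print(search(attrs, rules, "initrc_t", "httpd_t", "process", "transition"))
    print(types_with(attrs, "daemon"))
```

When reviewing a policy, the second function is the useful check: a permission granted on an attribute applies to every type carrying that attribute, not only the type that was queried.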