Now that we know more about types (both in the context of processes as well as files and other resources), let's look into how these are used in the SELinux policy in more detail.
We have discussed the sesearch application already and how it can be used to query the current SELinux policy. Let us look again at the process transitions, this time on a Fedora system:
$ sesearch -s initrc_t -t httpd_t -c process -p transition -A
Found 1 semantic av rules:
   allow initrc_domain daemon : process transition ;
Even though we asked for the rules related to the initrc_t source and the httpd_t target, we get a rule back for the initrc_domain source and the daemon target. What sesearch did here was report a privilege of initrc_t that is based on a privilege assigned to an attribute.
Type attributes in SELinux are used to group multiple types and assign privileges on these groups, rather than having to assign the privileges on each type individually...
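The lookup above can be modelled in a few lines. This is an added example, not code from the original text or from the SELinux tools: a simplified Python model of a semantic rule search over a constructed mini-policy. The `typeattribute` assignments in the sample and the `parse` and `search` helpers are assumptions made for illustration.

```python
import re

# Constructed mini-policy in .te-style syntax (not a dump of any real policy).
POLICY = """
typeattribute initrc_t initrc_domain;
typeattribute httpd_t daemon, domain;
typeattribute sshd_t daemon, domain;
allow initrc_domain daemon : process transition;
allow httpd_t httpd_log_t : file { append getattr };
"""

def parse(policy):
    """Return (type -> set of attributes, list of allow rules)."""
    attrs, rules = {}, []
    for stmt in policy.split(";"):
        words = re.findall(r"\w+", stmt)
        if not words:
            continue
        if words[0] == "typeattribute":
            # typeattribute <type> <attr>[, <attr>...]
            attrs.setdefault(words[1], set()).update(words[2:])
        elif words[0] == "allow":
            # allow <source> <target> : <class> <perm(s)>
            src, tgt, cls, *perms = words[1:]
            rules.append((src, tgt, cls, frozenset(perms)))
    return attrs, rules

def search(policy, source, target, tclass, perm):
    """A rule matches if it names the queried type or one of its attributes."""
    attrs, rules = parse(policy)
    src_names = {source} | attrs.get(source, set())
    tgt_names = {target} | attrs.get(target, set())
    return [
        f"allow {s} {t} : {c} {{ {' '.join(sorted(p))} }};"
        for s, t, c, p in rules
        if s in src_names and t in tgt_names and c == tclass and perm in p
    ]

if __name__ == "__main__":
    # Same question as the sesearch query: initrc_t -> httpd_t, process transition
    for rule in search(POLICY, "initrc_t", "httpd_t", "process", "transition"):
        print(rule)
```

The single rule written against the two attributes answers the query for every type that carries `daemon`, which is why no rule naming initrc_t or httpd_t directly is needed.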