4.3. Finding the correct SELinux type for managing access to non-standard directories


If you need to set access-control rules that the default SELinux policy does not cover, start by searching for a boolean that matches your use case. If you cannot find a suitable boolean, you can use a matching SELinux type or even create a local policy module.

Prerequisites

  • The selinux-policy-doc and setools-console packages are installed on your system.

Procedure

  1. List all SELinux-related topics and limit the results to a component you want to configure. For example:

    # man -k selinux | grep samba
    samba_net_selinux (8) - Security Enhanced Linux Policy for the samba_net processes
    samba_selinux (8)    - Security Enhanced Linux Policy for the smbd processes
    …

    In the man page that corresponds to your scenario, find the related SELinux booleans, port types, and file types.

    Note that the man -k selinux or apropos selinux commands are available only after you install the selinux-policy-doc package.

  2. Optional: You can display the default SELinux file contexts assigned to standard locations by using the semanage fcontext -l command, for example:

    # semanage fcontext -l | grep samba
    …
    /var/cache/samba(/.*)?                             all files          system_u:object_r:samba_var_t:s0
    …
    /var/spool/samba(/.*)?                             all files          system_u:object_r:samba_spool_t:s0
    …

  3. Use the sesearch command to display rules in the default SELinux policy. You can find the type and boolean to use by listing the corresponding rule, for example:

    $ sesearch -A | grep samba | grep httpd
    …
    allow httpd_t cifs_t:dir { getattr open search }; [ use_samba_home_dirs && httpd_enable_homedirs ]:True
    …

  4. An SELinux boolean might be the most straightforward solution for your configuration problem. You can display all available booleans and their values by using the getsebool -a command, for example:

    $ getsebool -a | grep homedirs
    git_cgi_enable_homedirs --> off
    git_system_enable_homedirs --> off
    httpd_enable_homedirs --> off
    mock_enable_homedirs --> off
    mpd_enable_homedirs --> off
    openvpn_enable_homedirs --> on
    ssh_chroot_rw_homedirs --> off

  5. You can verify that the selected boolean does exactly what you want by using the sesearch command, for example:

    $ sesearch -A | grep httpd_enable_homedirs
    …
    allow httpd_suexec_t autofs_t:dir { getattr open search }; [ use_nfs_home_dirs && httpd_enable_homedirs ]:True
    allow httpd_suexec_t autofs_t:dir { getattr open search }; [ use_samba_home_dirs && httpd_enable_homedirs ]:True
    …

  6. If no boolean matches your scenario, find an SELinux type that suits your case. You can find a type for your files by querying a corresponding rule from the default policy by using sesearch, for example:

    $ sesearch -A -s httpd_t -c file -p read
    …
    allow httpd_t httpd_t:file { append getattr ioctl lock open read write };
    allow httpd_t httpd_tmp_t:file { append create getattr ioctl link lock map open read rename setattr unlink write };
    …

  7. If none of the previous solutions covers your scenario, you can add a custom rule to the SELinux policy. See the Creating a local SELinux policy module section for more information.
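The steps above produce three kinds of output that you typically read by eye: the file-context mapping from semanage fcontext -l, the conditional rules from sesearch -A, and the boolean states from getsebool -a. The following POSIX shell helpers, added here as an example and not part of the Red Hat procedure, connect those outputs: they find the type whose fcontext regex matches a given path, extract the booleans that gate a sesearch rule, and report whether those booleans are currently on. All SAMPLE_* strings are constructed stand-ins so the script runs without SELinux tools installed; on a real host, pass the live command output as the second argument instead.

```shell
#!/bin/sh
# Added helpers (not from the Red Hat procedure) that post-process the output of the
# commands used in the steps above. All SAMPLE_* strings are CONSTRUCTED stand-ins so
# the script runs offline; on a real host substitute the live command output, e.g.
#   fcontext_type /srv/www/index.html "$(semanage fcontext -l)"

# Constructed stand-in for `semanage fcontext -l`: <path regex> <file type> <context>
SAMPLE_FCONTEXT='/var/cache/samba(/.*)?    all files    system_u:object_r:samba_var_t:s0
/var/spool/samba(/.*)?    all files    system_u:object_r:samba_spool_t:s0
/srv/www(/.*)?    all files    system_u:object_r:httpd_sys_content_t:s0
/srv/www/cgi-bin(/.*)?    all files    system_u:object_r:httpd_sys_script_exec_t:s0'

# Constructed stand-in for `getsebool -a`
SAMPLE_BOOLEANS='httpd_enable_homedirs --> off
use_nfs_home_dirs --> off
use_samba_home_dirs --> on'

# Constructed stand-in for `sesearch -A`: two conditional rules and one unconditional one
SAMPLE_RULES='allow httpd_t cifs_t:dir { getattr open search }; [ use_samba_home_dirs && httpd_enable_homedirs ]:True
allow httpd_suexec_t autofs_t:dir { getattr open search }; [ use_nfs_home_dirs && httpd_enable_homedirs ]:True
allow httpd_t httpd_tmp_t:file { append create getattr ioctl link lock map open read rename setattr unlink write };'

# fcontext_type PATH [FCONTEXT_OUTPUT]
# Prints the type of the longest fcontext regex that matches PATH exactly (anchored),
# or an empty line when nothing matches. "Longest regex wins" is a simplification of
# what matchpathcon(8) does; use matchpathcon for authoritative answers.
fcontext_type() {
    path=$1
    fc=${2:-$SAMPLE_FCONTEXT}
    best_len=0
    best_type=''
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        regex=${line%% *}          # first column: the path regex
        ctx=${line##* }            # last column:  user:role:type:level
        if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
            if [ "${#regex}" -gt "$best_len" ]; then
                best_len=${#regex}
                best_type=$(printf '%s' "$ctx" | cut -d: -f3)
            fi
        fi
    done <<EOF
$fc
EOF
    printf '%s\n' "$best_type"
}

# rule_booleans RULE_LINE
# Prints, one per line, the booleans named in the "[ ... ]" condition of one sesearch
# rule. Unconditional rules produce no output.
rule_booleans() {
    case $1 in
        *'['*']'*) cond=${1#*\[}; cond=${cond%%\]*} ;;
        *) return 0 ;;
    esac
    # strip parentheses and negation, then drop the && / || operators
    printf '%s\n' "$cond" | tr '()!' '   ' | tr -s ' ' '\n' | grep -Ev '^(&&|\|\|)?$' || true
}

# boolean_state NAME [GETSEBOOL_OUTPUT]
# Prints "on", "off", or "unknown" for NAME.
boolean_state() {
    printf '%s\n' "${2:-$SAMPLE_BOOLEANS}" |
        awk -v b="$1" '$1 == b && $2 == "-->" { print $3; found = 1 }
                       END { if (!found) print "unknown" }'
}

# rule_gate_summary RULE_LINE [GETSEBOOL_OUTPUT]
# Prints "unconditional", or one "boolean=state" line per gating boolean.
# Exit status is 0 when the rule is unconditional or every gating boolean is on
# (sufficient for the common "a && b" conditions); for conditions using || or !
# read the sesearch line itself.
rule_gate_summary() {
    bools=$(rule_booleans "$1")
    if [ -z "$bools" ]; then
        printf 'unconditional\n'
        return 0
    fi
    all_on=0
    for b in $bools; do
        s=$(boolean_state "$b" "${2:-$SAMPLE_BOOLEANS}")
        printf '%s=%s\n' "$b" "$s"
        [ "$s" = on ] || all_on=1
    done
    return $all_on
}

# Demo on the constructed samples
fcontext_type /var/cache/samba/printing          # samba_var_t
printf '%s\n' "$SAMPLE_RULES" | while IFS= read -r rule; do
    printf '%s\n' "--- $rule"
    rule_gate_summary "$rule" || printf '    (rule currently gated off)\n'
done
```

The fcontext lookup anchors each regex with ^ and $, which is why `/var/cache/samba(/.*)?` matches `/var/cache/samba/printing` but not `/var/cache/sambafoo`; this mirrors the way the `(/.*)?` suffix seen in step 2 covers a directory and everything below it. The gate summary is what you want after step 5: for the cifs_t rule it shows that use_samba_home_dirs is already on and httpd_enable_homedirs is the boolean still holding the rule off.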