SELinux: How to show all allowed rules for a type?

lairtech asked:

For an arbitrary object type, e.g. user_tmp_t, I want to know which processes are allowed to access this tag. How do I find all allow rules that reference user_tmp_t?

My answer:


You can’t directly find the processes that can transition to a given type, but you can sort of do it indirectly.

It’s time to get familiar with the sesearch tool. This tool lets you query the SELinux policy in a variety of ways.

Here, we will see which types can transition to the user_tmp_t type. Among them will be types for the processes you are interested in. As you can see, this also gives you some hints as to what the process will be allowed to do.

# sesearch -T -t user_tmp_t
Found 44 semantic te rules:
   type_transition staff_sudo_t user_tmp_t : process staff_t; 
   type_transition auditadm_sudo_t user_tmp_t : process auditadm_t; 
   type_transition thumb_t user_tmp_t : file thumb_tmp_t; 
   type_transition thumb_t user_tmp_t : dir thumb_tmp_t; 
   type_transition thumb_t user_tmp_t : sock_file thumb_tmp_t; 
   type_transition mozilla_plugin_t user_tmp_t : file mozilla_plugin_tmp_t; 
   type_transition telepathy_msn_t user_tmp_t : file telepathy_msn_tmp_t; 
   type_transition mozilla_plugin_t user_tmp_t : dir mozilla_plugin_tmp_t; 
   type_transition telepathy_msn_t user_tmp_t : dir telepathy_msn_tmp_t; 
   type_transition mozilla_plugin_t user_tmp_t : sock_file mozilla_plugin_tmp_t; 
   type_transition telepathy_msn_t user_tmp_t : sock_file telepathy_msn_tmp_t; 
   type_transition mozilla_plugin_t user_tmp_t : fifo_file mozilla_plugin_tmp_t; 
   type_transition alsa_t user_tmp_t : file alsa_tmp_t; 
   type_transition staff_gkeyringd_t user_tmp_t : dir gkeyringd_tmp_t; 
   type_transition user_gkeyringd_t user_tmp_t : dir gkeyringd_tmp_t; 
   type_transition alsa_t user_tmp_t : dir alsa_tmp_t; 
   type_transition staff_gkeyringd_t user_tmp_t : sock_file gkeyringd_tmp_t; 
   type_transition user_gkeyringd_t user_tmp_t : sock_file gkeyringd_tmp_t; 
   type_transition dbadm_sudo_t user_tmp_t : process dbadm_t; 
   type_transition secadm_sudo_t user_tmp_t : process secadm_t; 
   type_transition gpg_pinentry_t user_tmp_t : sock_file gpg_pinentry_tmp_t; 
   type_transition mozilla_plugin_config_t user_tmp_t : file mozilla_plugin_tmp_t; 
   type_transition mozilla_plugin_config_t user_tmp_t : dir mozilla_plugin_tmp_t; 
   type_transition sysadm_sudo_t user_tmp_t : process sysadm_t; 
   type_transition virt_qemu_ga_unconfined_t user_tmp_t : file svirt_tmp_t; 
   type_transition svirt_t user_tmp_t : file svirt_tmp_t; 
   type_transition virt_qemu_ga_unconfined_t user_tmp_t : dir svirt_tmp_t; 
   type_transition secadm_gkeyringd_t user_tmp_t : dir gkeyringd_tmp_t; 
   type_transition httpd_t user_tmp_t : dir httpd_tmp_t; 
   type_transition svirt_t user_tmp_t : dir svirt_tmp_t; 
   type_transition virt_qemu_ga_unconfined_t user_tmp_t : lnk_file svirt_tmp_t; 
   type_transition svirt_t user_tmp_t : lnk_file svirt_tmp_t; 
   type_transition secadm_gkeyringd_t user_tmp_t : sock_file gkeyringd_tmp_t; 
   type_transition svirt_tcg_t user_tmp_t : file svirt_tmp_t; 
   type_transition svirt_tcg_t user_tmp_t : dir svirt_tmp_t; 
   type_transition auditadm_gkeyringd_t user_tmp_t : dir gkeyringd_tmp_t; 
   type_transition xguest_gkeyringd_t user_tmp_t : dir gkeyringd_tmp_t; 
   type_transition svirt_tcg_t user_tmp_t : lnk_file svirt_tmp_t; 
   type_transition auditadm_gkeyringd_t user_tmp_t : sock_file gkeyringd_tmp_t; 
   type_transition xguest_gkeyringd_t user_tmp_t : sock_file gkeyringd_tmp_t; 
   type_transition chrome_sandbox_t user_tmp_t : file chrome_sandbox_tmp_t; 
   type_transition chrome_sandbox_t user_tmp_t : dir chrome_sandbox_tmp_t; 
   type_transition gconfd_t user_tmp_t : file gconf_tmp_t; 
   type_transition gconfd_t user_tmp_t : dir gconf_tmp_t; 

Found 298 named file transition filename_trans:
----(omitted)----
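As an added example (not part of the original answer), a small POSIX shell helper that parses the output format shown above and splits it into domain transitions (the `process` class, where executing a file of the target type changes the process domain) and object transitions (where files a domain creates under the target type get that domain's private tmp type). The `SAMPLE` lines are constructed from the output above; `rules_for_type` runs the real `sesearch -T -t` when the tool is installed and otherwise falls back to the sample.

```shell
#!/bin/sh
# Constructed sample in the format printed by `sesearch -T -t user_tmp_t`
# (a handful of lines copied from the output above).
SAMPLE='   type_transition staff_sudo_t user_tmp_t : process staff_t; 
   type_transition thumb_t user_tmp_t : file thumb_tmp_t; 
   type_transition thumb_t user_tmp_t : dir thumb_tmp_t; 
   type_transition httpd_t user_tmp_t : dir httpd_tmp_t; 
   type_transition sysadm_sudo_t user_tmp_t : process sysadm_t; '

# Field layout of one rule:
#   $1=type_transition $2=source $3=target $4=":" $5=class $6=result;

# Distinct source domains that have any type_transition rule on the target
# type, one per line. Reads rule text on stdin.
sources() {
    awk '$1 == "type_transition" { print $2 }' | LC_ALL=C sort -u
}

# Domain transitions only ("process" class): the source domain and the domain
# it becomes when it executes a file of the target type.
domain_transitions() {
    awk '$1 == "type_transition" && $5 == "process" {
            sub(";", "", $6); print $2 " -> " $6 }' | LC_ALL=C sort -u
}

# Object transitions (file, dir, sock_file, ...): which domain gets objects it
# creates in the target type relabelled to which private tmp type.
file_transitions() {
    awk '$1 == "type_transition" && $5 != "process" {
            sub(";", "", $6); print $2 " creates " $5 " as " $6 }' | LC_ALL=C sort -u
}

# Live query when sesearch is present, otherwise the constructed sample.
# (The allow rules themselves, rather than the transitions, come from
# `sesearch -A -t <type>`.)
rules_for_type() {
    if command -v sesearch >/dev/null 2>&1; then
        sesearch -T -t "$1"
    else
        printf '%s\n' "$SAMPLE"
    fi
}
```

Pipe `rules_for_type user_tmp_t` into any of the three functions; the `process`-class lines are the ones that identify a transition between process domains.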

View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.