selinux: domains and types

[elija]

I've been reading up on selinux and there is one thing I have thus far been unable to find out. I suspect I am not searching for the correct things.

If I was to examine a file under the /var/www/html directory I would see something like

Code:

$ ls -Z /var/www/html/index.html   -rw-r--r--  username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html

If I was to look at the Apache process, I would see

Code:

$ ps axZ | grep httpd
system_u:system_r:httpd_t        3234 ?        Ss     0:00 /usr/sbin/httpd

My question is what links the domain type httpd_t to the type httpd_sys_content_t?

[mizzle]

This is the behind the scenes stuff of SELinux.

You have a confined process, httpd. httpd can only access files that have specific contexts such has httpd_sys_content_t.

Policy modules define which processes are confined, and which file contexts they can access.

The most pressing question is, how do I know what's already configured? On RHEL and related distros, you can check out the targeted service man pages:
man -k '_selinux'

Here are some links to some information:
https://fedoraproject.org/wiki/SELin.../PolicyModules
Red Hat Magazine | A step-by-step guide to building a new SELinux policy*module
HowTos/SELinux - CentOS Wiki

[elija]

Policy modules define which processes are confined, and which file contexts they can access.

Bingo! That's exactly what I wasn't getting. I've read the CentOS link a couple of times through so I'll have a look at the others as well. I'm unlikely to need to use the info but I am a curious soul.