  1. #1
    Penguin of trust elija's Avatar
    Join Date
    Jul 2004
    Location
    Either at home or at work or down the pub
    Posts
    3,309

    selinux: domains and types


    I've been reading up on selinux and there is one thing I have thus far been unable to find out. I suspect I am not searching for the correct things.

    If I was to examine a file under the /var/www/html directory I would see something like
    Code:
    $ ls -Z /var/www/html/index.html
    -rw-r--r--  username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html
    If I was to look at the Apache process, I would see
    Code:
    $ ps axZ | grep httpd
    system_u:system_r:httpd_t        3234 ?        Ss     0:00 /usr/sbin/httpd
    My question is what links the domain type httpd_t to the type httpd_sys_content_t?
    What do we want?
    Time machines!

    When do we want 'em?
    Doesn't really matter does it!?


    Conkybots: Interactive plugins for your Conkys!

  2. #2
    Linux Engineer
    Join Date
    Apr 2012
    Location
    Virginia, USA
    Posts
    779
    This is the behind the scenes stuff of SELinux.

    You have a confined process, httpd. httpd can only access files that have specific contexts such as httpd_sys_content_t.

    Policy modules define which processes are confined, and which file contexts they can access.

    The most pressing question is, how do I know what's already configured? On RHEL and related distros, you can check out the targeted service man pages:
    man -k '_selinux'

    Here are some links to some information:
    https://fedoraproject.org/wiki/SELin.../PolicyModules
    Red Hat Magazine | A step-by-step guide to building a new SELinux policy module
    HowTos/SELinux - CentOS Wiki
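
Added example, not part of the thread: the link between httpd_t and httpd_sys_content_t is a set of type-enforcement "allow" rules in the loaded policy, and anything without a matching rule is denied. The rules below are a constructed sample in the form that sesearch (setools) prints for `sesearch --allow -s httpd_t -t httpd_sys_content_t`; the helper names perms_for and may are hypothetical.

```shell
#!/bin/sh
# Constructed sample rules, written in the syntax of SELinux allow rules:
#   allow <source domain> <target type>:<object class> { <permissions> };
# They are illustrative and not copied from any real policy.
SAMPLE_RULES='allow httpd_t httpd_sys_content_t:file { getattr ioctl lock open read };
allow httpd_t httpd_sys_content_t:dir { getattr open read search };
allow httpd_t httpd_log_t:file { append create getattr open };
allow sshd_t sshd_key_t:file { getattr open read };'

# perms_for DOMAIN TYPE CLASS
# Prints the permissions granted by every matching rule, space separated.
# Prints nothing when no rule matches, which under SELinux means "denied".
perms_for() {
    printf '%s\n' "$SAMPLE_RULES" | awk -v d="$1" -v t="$2" -v c="$3" '
        $1 == "allow" && $2 == d && $3 == (t ":" c) {
            for (i = 4; i <= NF; i++) {
                p = $i
                gsub(/[{};]/, "", p)      # drop braces and the trailing ";"
                if (p != "") out = out (out == "" ? "" : " ") p
            }
        }
        END { if (out != "") print out }'
}

# may DOMAIN TYPE CLASS PERM
# Exit status 0 if the sample rules grant PERM, 1 otherwise.
may() {
    case " $(perms_for "$1" "$2" "$3") " in
        *" $4 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Demo: httpd_t can read its content files but has no rule for writing them,
# and has no rule at all for the sshd_key_t type.
for perm in read write; do
    if may httpd_t httpd_sys_content_t file "$perm"; then
        echo "httpd_t -> httpd_sys_content_t:file $perm: allowed"
    else
        echo "httpd_t -> httpd_sys_content_t:file $perm: denied (no allow rule)"
    fi
done
may httpd_t sshd_key_t file read || echo "httpd_t -> sshd_key_t:file read: denied (no allow rule)"
```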

  3. #3
    Penguin of trust elija's Avatar
    Join Date
    Jul 2004
    Location
    Either at home or at work or down the pub
    Posts
    3,309
    Quote: Originally posted by mizzle
    Policy modules define which processes are confined, and which file contexts they can access.
    Bingo! That's exactly what I wasn't getting. I've read the CentOS link a couple of times through so I'll have a look at the others as well. I'm unlikely to need to use the info but I am a curious soul.
