From: Dominick Grift <dac.override@gmail.com>
To: selinux@tycho.nsa.gov
Subject: Re: Question on unconfined_t
Date: Mon, 17 Nov 2014 22:54:57 +0100
Message-ID: <20141117215456.GA7768@e145.network2>
In-Reply-To: <CAOK12DarQLB3QcmRLd4xTWTDS0kBD+zAXfh_0oHK3_gYxnniiQ@mail.gmail.com>
On Mon, Nov 17, 2014 at 09:18:51PM +0000, Paddie O'Brien wrote:
> Thanks. I was under the mistaken impression that unconfined_t got
> something for free. My new understanding is that it's by convention
> that policy writers give access to unconfined_t to their domains and
> they do so by adding explicit rules.
>
> Also I was missing file_type(mytype_exec_t) although I had
> domain_type(mytpe_t). Is there a way to see what things like file_type
> and domain_type expand to? I want to know what's going on in the
> background.
>
Yes. Generally, what file_type() and domain_type() do is associate a "type attribute" with the calling type.
Type attributes are a way to group common rules. You could look at them as tags, in a way.
Consider this example:
attribute cars;
type pinto, cars;
type chevy, cars;
attribute bicycle;
type specialized, bicycle;
type cannondale, bicycle;
Now we have 4 types grouped into two categories using type attributes: cars and bicycles.
Now the type attributes can be used to write rules that apply to all the types associated with a particular type attribute.
allow cars i85:interstate 100mph;
A stupid example that allows "all cars (pinto and chevy)" to drive 100mph on the i95 interstate.
This concept of grouping types by associating type attributes with them is used a lot.
file_type(myfile_t) associates the files_type attribute with the myfile_t type, effectively categorizing myfile_t as a type for a file.
Similarly, domain_type(myprocess_t) categorizes myprocess_t as a type for processes.
So if you want to give some type access to all "files" rather than individual types:
allow myprocess_t files_type:file read;
or if you want to allow all types associated with processes to write all types associated with files:
allow domain files_type:file write;
There are a lot of type attributes, and types (and other identifiers like roles) are grouped in many ways.
To see which rules apply you can use the seinfo and sesearch commands creatively.
Example:
to list all attributes: seinfo -a
to examine all attributes: seinfo -xa
to see which attributes are associated with the unconfined_t type: seinfo -xt unconfined_t
to see all rules associated with a particular attribute: sesearch -A -t files_type
It takes a while to get creative with those two commands and with those concepts.
Just remember SELinux is like accounting in some ways: it's all about grouping and associating.
--
Dominick Grift
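An added illustration (toy code written for this page, not from the mail above and not from the SELinux tools): a few lines of Python that parse declarations in the shape shown in the mail and expand attribute-based allow rules into the per-type rules they stand for, which is what sesearch is doing for you when you query by attribute. It assumes the refpolicy attribute names files_type and domain (what file_type() and domain_type() attach) and handles only attribute, type and allow statements.

```python
import re
from collections import defaultdict

# Constructed mini-policy (assumption, not from the mail): files_type and domain
# are the attributes refpolicy's file_type()/domain_type() interfaces attach.
SAMPLE_POLICY = """
attribute files_type;
attribute domain;
type myfile_t, files_type;
type etc_t, files_type;
type myprocess_t, domain;
type init_t, domain;
allow myprocess_t files_type:file read;
allow domain files_type:file { write getattr };
"""

ALLOW_RE = re.compile(r"(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+))")

def parse_policy(text):
    """Return (attribute -> set of member types, list of allow rules)."""
    attrs, rules = defaultdict(set), []
    for line in text.splitlines():
        parts = line.strip().rstrip(";").split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        kw, rest = parts
        if kw == "attribute":
            attrs.setdefault(rest.strip(), set())   # declared, maybe no members yet
        elif kw == "type":
            name, *members = [p.strip() for p in rest.split(",")]
            for a in members:                       # "type t, a1, a2;" tags t with a1, a2
                attrs[a].add(name)
        elif kw == "allow":
            src, tgt, cls, many, one = ALLOW_RE.match(rest).groups()
            rules.append((src, tgt, cls, many.split() if many else [one]))
    return attrs, rules

def expand(name, attrs):
    """An attribute stands for all its member types; a plain type is itself."""
    return sorted(attrs[name]) if name in attrs else [name]

def expand_rules(text):
    """Rewrite every attribute-based allow rule as concrete type-to-type rules."""
    attrs, rules = parse_policy(text)
    return {(s, t, cls, p)
            for src, tgt, cls, perms in rules
            for s in expand(src, attrs)
            for t in expand(tgt, attrs)
            for p in perms}

def perms_for(text, src, tgt, cls):
    """Permissions a concrete source type ends up with on a concrete target type."""
    return sorted(p for s, t, c, p in expand_rules(text) if (s, t, c) == (src, tgt, cls))
```

Running perms_for(SAMPLE_POLICY, "myprocess_t", "etc_t", "file") shows that myprocess_t gets read from its own rule plus write and getattr from the rule written against the domain attribute, even though no rule names myprocess_t and etc_t together.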