Chapter 6. Tools for Manipulating and Analyzing SELinux
following the mark ## are explanations inserted for this guide and are not part of the standard apol
output.
278 rules match the search criteria
Number of enabled conditional rules: 23
Number of disabled conditional rules: 34
(3813) allow httpd_t var_log_t:dir { read getattr lock \
search ioctl add_name write };
(3815) allow httpd_t httpd_log_t:file { create ioctl read \
getattr lock append };
(3821) allow httpd_t httpd_log_t:dir { setattr read \
getattr lock search ioctl add_name write };
(3825) allow httpd_t httpd_log_t:lnk_file read;
(3882) allow httpd_t unconfined_t:fd use;
(3884) allow httpd_t unconfined_t:process sigchld;
## These are related to the Boolean httpd_disable_trans,
## showing that it is not set to true:
(4024) allow unconfined_t httpd_t:process transition; [Enabled]
(4074) allow httpd_t unconfined_t:process sigchld; [Enabled]
(4086) allow httpd_t unconfined_t:fd use; [Enabled]
(4088) allow unconfined_t httpd_t:fd use; [Enabled]
(4098) allow httpd_t unconfined_t:fifo_file { ioctl read \
getattr lock write append }; [Enabled]
(4108) allow httpd_t httpd_exec_t:file { read getattr lock \
execute ioctl }; [Enabled]
(4118) allow httpd_t httpd_exec_t:file entrypoint; [Enabled]
(4126) allow unconfined_t httpd_t:process { noatsecure \
siginh rlimitinh }; [Enabled]
## These are part of other httpd_* Booleans that are set
## to false in the file /etc/selinux/targeted/booleans:
(4554) allow httpd_t httpd_sys_script_t:process transition; \
[Disabled]
(4594) allow httpd_t httpd_sys_script_exec_t:file { read getattr \
execute }; [Disabled]
(4604) allow httpd_sys_script_t httpd_t:process sigchld; [Disabled]
(4616) allow httpd_sys_script_t httpd_t:fd use; [Disabled]
(4618) allow httpd_t httpd_sys_script_t:fd use; [Disabled]
Example 6-1. apol TE Rules Search Results
Within the search results, there are hyperlinks to the left of each rule. The number corresponds to
the line number in policy.conf, and clicking on, for example, (3813) switches your view to the
policy.conf tab, taking you directly to line 3813. These hyperlinks are only visible if you have apol
analyzing the policy.conf file.
If you are using a binary policy file such as policy.18, the rules are compiled and not available for
viewing. The top level tab policy.conf is not present when analyzing the binary policy.
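Search results saved as text in the format shown above can be reviewed outside apol. The following is an added example, not part of this guide or of apol: it parses such text into structured rules, joining backslash-continued lines, skipping ## annotations, and recording the policy.conf line number and the [Enabled]/[Disabled] state. The function names and the SAMPLE excerpt (a few lines copied from the results above) are assumptions made for illustration.

```python
import re
# Constructed sample: a few lines copied from the search results above.
SAMPLE = r"""
(3813) allow httpd_t var_log_t:dir { read getattr lock \
search ioctl add_name write };
(3825) allow httpd_t httpd_log_t:lnk_file read;
## These are related to the Boolean httpd_disable_trans,
(4024) allow unconfined_t httpd_t:process transition; [Enabled]
(4554) allow httpd_t httpd_sys_script_t:process transition; \
[Disabled]
"""

# (line) kind source target:class perms; [state]  -- group names are this example's own
RULE = re.compile(
    r"\((?P<line>\d+)\)\s+(?P<kind>\w+)\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+):(?P<cls>\S+)"
    r"\s+(?:\{(?P<set>[^}]*)\}|(?P<one>\w+))\s*;\s*(?:\[(?P<state>Enabled|Disabled)\])?$"
)

def join_continuations(text):
    """Drop ## annotations and blank lines; merge lines ending in a backslash."""
    logical, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("##"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].strip() + " "
        else:
            logical.append(pending + line)
            pending = ""
    return logical

def parse_rules(text):
    """Return one dict per rule; non-rule lines (e.g. the summary counts) are skipped."""
    rules = []
    for line in join_continuations(text):
        m = RULE.match(line)
        if m:
            rules.append({
                "line": int(m["line"]), "kind": m["kind"], "source": m["src"],
                "target": m["tgt"], "class": m["cls"],
                "perms": (m["set"] or m["one"] or "").split(),
                "state": m["state"] or "unconditional",
            })
    return rules

def active(rules):
    """Rules in effect: unconditional ones plus conditional ones marked [Enabled]."""
    return [r for r in rules if r["state"] != "Disabled"]
```

Filtering with active() separates the rules currently in force from those held back by Booleans set to false, which is the distinction the [Enabled] and [Disabled] tags carry in the results.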
There are two other search capabilities within the Policy Rules tab, the Conditional Expressions and
RBAC Rules tabs.
The Conditional Expressions tab allows you to search just the conditional expressions, viewing the
rules within them. The only searchable rule types are allow, audit, and transition. All conditional
expressions are displayed in the default view; you can narrow the view using Search Options.
You can search either by specific Boolean or with regular expressions. You can reduce the quantity of
output by deselecting Display rules within conditional expression(s).





