When working with SELinux policy debugging or system hardening, you often need to identify all policy rules and system configurations related to a specific SELinux type. Here's how to comprehensively query this information from a running system.
The sesearch command from setools provides the most direct way to search policy rules:
# Search all allow rules where httpd_t is the source, then where it is the target
sesearch -A -s httpd_t
sesearch -A -t httpd_t
# Include auditallow and dontaudit rules (grepping for "allow|audit" would also match plain allow rules)
sesearch --auditallow --dontaudit -s httpd_t
To locate files currently labeled with a specific type (note that httpd_t is a process domain; its files carry related types such as httpd_exec_t and httpd_sys_content_t, so substitute the file type you care about):
# Find files with the httpd_t type (slow: walks the whole filesystem; -w keeps httpd_t from matching httpd_tmp_t)
find / -exec ls -dZ {} + 2>/dev/null | grep -w "httpd_t"
# Faster on GNU find built with SELinux support
find / -context '*:httpd_t:*' 2>/dev/null
# Check default file contexts
semanage fcontext -l | grep -w "httpd_t"
Type transition rules show how processes or files change contexts:
# Find all type_transition rules where httpd_t is the source or the target
sesearch -T -s httpd_t
sesearch -T -t httpd_t
# Show only process (domain) transitions out of httpd_t; seinfo has no --type_trans option, these are sesearch rules
sesearch -T -s httpd_t -c process
For complete policy analysis, combine multiple tools:
# Get the attributes the type belongs to (-x expands the type)
seinfo -t httpd_t -x
# Check boolean tunables affecting the type: seinfo --bool only lists booleans, it does not relate them to a type;
# conditional rules in sesearch output carry the boolean expression in brackets
sesearch -A -s httpd_t | grep '\['
# Show only the rules gated by one boolean
sesearch -A -s httpd_t -b httpd_can_network_connect
# View port mappings (port labels use http_port_t, not the domain type)
semanage port -l | grep http
Let's examine a real-world scenario for httpd_t:
# Comprehensive httpd_t analysis (explicit rule-type flags work on both setools 3 and 4)
sesearch -A --auditallow --dontaudit -T -s httpd_t | tee httpd_rules.txt
semanage fcontext -l | grep -w httpd_t > httpd_file_contexts.txt
# -x lists the attributes the type belongs to; there is no "Type Attributes" heading to grep for
seinfo -t httpd_t -x
For regular audits, create a script like:
#!/bin/bash
# Usage: selinux_type_audit.sh TYPE  (run as root with setools and policycoreutils installed)
TYPE=${1:?usage: $0 TYPE}
OUTDIR="./selinux_${TYPE}_analysis"
mkdir -p "$OUTDIR"
# Explicit rule-type flags rather than --all, so the call works on setools 3 and 4;
# search the type both as source (process domains) and as target (file and object types)
sesearch -A --auditallow --dontaudit -T -s "$TYPE" > "$OUTDIR/rules_as_source.txt"
sesearch -A --auditallow --dontaudit -T -t "$TYPE" > "$OUTDIR/rules_as_target.txt"
# -w keeps httpd_t from also matching httpd_tmp_t and similar longer names
find / -exec ls -dZ {} + 2>/dev/null | grep -w -- "$TYPE" > "$OUTDIR/files.txt"
semanage fcontext -l | grep -w -- "$TYPE" > "$OUTDIR/default_contexts.txt"
seinfo -t "$TYPE" -x > "$OUTDIR/type_info.txt"
When working with SELinux security policies, you often need comprehensive information about how a specific type is used throughout the system. This includes not just direct allow rules, but also file contexts, transitions, and audit configurations.
These commands will help you gather all relevant information about a specific SELinux type:
# Basic type information (the attributes the type belongs to)
seinfo -t httpd_t -x
# Allow rules, then every rule type, with httpd_t as the target
sesearch --allow -t httpd_t
sesearch -A --auditallow --dontaudit -T -t httpd_t
# File contexts
semanage fcontext -l | grep httpd_t
matchpathcon -V /path/to/file
# Transitions (seinfo has no --type_trans option; type_transition rules come from sesearch)
sesearch -T -t httpd_t
For a complete view of all rules affecting a type:
# Show all allow rules, including those granted through attributes httpd_t belongs to
sesearch --allow -s httpd_t
sesearch --allow -t httpd_t
# Show audit-related rules
sesearch --auditallow -t httpd_t
sesearch --dontaudit -t httpd_t
Let's examine the Apache HTTPD type as a concrete example:
# First, get all direct rules
sesearch -A --auditallow --dontaudit -T -t httpd_t | less
# Then check file contexts
semanage fcontext -l | grep httpd_t
# Check which roles may run the domain (httpd_t normally runs under system_r; there is no httpd_role)
seinfo -r system_r -x | grep -w httpd_t
For deeper analysis, consider these approaches:
# Generate a man page summarizing the domain's policy (writes httpd_selinux.8 to the given path)
sepolicy manpage -d httpd_t -p .
# List domain transitions out of httpd_t
sepolicy transition -s httpd_t
# Check boolean tunables affecting the type: conditional rules show the boolean expression in brackets
sesearch -A -s httpd_t | grep '\['
getsebool -a | grep httpd
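Neither seinfo nor getsebool relates a boolean to a type; the link is the "[ expr ]:True" suffix that sesearch prints on conditional rules. The Python below is an added example (not from this page and not a setools tool) that parses that suffix, in the line format assumed from setools 4 output, and maps each boolean to the rules it gates for one type; it serves the boolean check in both halves of this page, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# setools 4 sesearch access-vector line (format assumed from setools 4 output); the
# "[ expr ]:True|False" suffix appears only on boolean-gated rules, e.g.
#   allow httpd_t port_t:tcp_socket name_connect; [ httpd_can_network_connect ]:True
RULE_RE = re.compile(
    r"^(?P<ruletype>allow|auditallow|dontaudit|neverallow)\s+"
    r"(?P<source>\S+)\s+(?P<target>[^:\s]+):(?P<tclass>\S+)\s+"
    r"(?P<perms>\{[^}]*\}|\S+);"
    r"(?:\s*\[\s*(?P<cond>[^\]]+?)\s*\]:(?P<block>True|False))?\s*$"
)
BOOL_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")  # boolean names; && || ! are skipped

# Constructed sample of sesearch output (not captured from a real system).
SAMPLE = """\
allow httpd_t httpd_sys_content_t:file { getattr ioctl lock open read };
allow httpd_t port_t:tcp_socket name_connect; [ httpd_can_network_connect ]:True
allow httpd_t httpd_sys_rw_content_t:dir { add_name create write }; [ httpd_builtin_scripting && httpd_enable_cgi ]:True
dontaudit httpd_t self:capability { net_admin sys_tty_config };
type_transition httpd_t tmp_t:file httpd_tmp_t;
allow sshd_t port_t:tcp_socket name_bind; [ !ssh_sysadm_login ]:False
""".splitlines()

def parse_rule(line):
    """Parse one access-vector rule; return None for other lines (type_transition etc.)."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    cond = m.group("cond")
    return {
        "ruletype": m.group("ruletype"),
        "source": m.group("source"),
        "target": m.group("target"),
        "tclass": m.group("tclass"),
        "perms": m.group("perms").strip("{} ").split(),
        "booleans": sorted(set(BOOL_RE.findall(cond))) if cond else [],
        "enabled_when": m.group("block"),  # rule is live when the expression has this value
    }

def booleans_affecting(lines, type_name):
    """Map each boolean to the (ruletype, target, class) rules it gates for type_name."""
    gated = defaultdict(list)
    for line in lines:
        rule = parse_rule(line)
        if rule is None or type_name not in (rule["source"], rule["target"]):
            continue
        for name in rule["booleans"]:
            gated[name].append((rule["ruletype"], rule["target"], rule["tclass"]))
    return dict(gated)
```

Feed it real output with `sesearch -A -s httpd_t | python3 -c 'import sys, audit; print(audit.booleans_affecting(sys.stdin, "httpd_t"))'` (assuming the block is saved as audit.py).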
For complex environments, the apol GUI from setools offers graphical policy analysis; from the command line, sepolicy can summarize the domain's network access (sepolicy network has no Graphviz output option):
# Ports and network types httpd_t may bind or connect to
sepolicy network -d httpd_t
Don't forget to check actual denials in logs:
# Denials recorded for processes whose command name is httpd
ausearch -m avc -c httpd
# Recent denials whose subject or object context contains httpd_t, with fields decoded
ausearch --interpret --type avc -ts recent -se httpd_t