Red Hat ENTERPRISE LINUX 4 - SELINUX GUIDE Manual page 101

Chapter 6. Tools for Manipulating and Analyzing SELinux
following the mark ## are explanations inserted for this guide and are not part of the standard apol output.

278 rules match the search criteria
Number of enabled conditional rules: 23
Number of disabled conditional rules: 34
(3813) allow httpd_t var_log_t:dir { read getattr lock \
search ioctl add_name write };
(3815) allow httpd_t httpd_log_t:file { create ioctl read \
getattr lock append };
(3821) allow httpd_t httpd_log_t:dir { setattr read \
getattr lock search ioctl add_name write };
(3825) allow httpd_t httpd_log_t:lnk_file read;
(3882) allow httpd_t unconfined_t:fd use;
(3884) allow httpd_t unconfined_t:process sigchld;
## These are related to the Boolean httpd_disable_trans,
## showing that it is not set to true:
(4024) allow unconfined_t httpd_t:process transition; [Enabled]
(4074) allow httpd_t unconfined_t:process sigchld; [Enabled]
(4086) allow httpd_t unconfined_t:fd use; [Enabled]
(4088) allow unconfined_t httpd_t:fd use; [Enabled]
(4098) allow httpd_t unconfined_t:fifo_file { ioctl read \
getattr lock write append }; [Enabled]
(4108) allow httpd_t httpd_exec_t:file { read getattr lock \
execute ioctl }; [Enabled]
(4118) allow httpd_t httpd_exec_t:file entrypoint; [Enabled]
(4126) allow unconfined_t httpd_t:process { noatsecure \
siginh rlimitinh }; [Enabled]
## These are part of other httpd_* Booleans that are set
## to false in the file /etc/selinux/targeted/booleans:
(4554) allow httpd_t httpd_sys_script_t:process transition; \
[Disabled]
(4594) allow httpd_t httpd_sys_script_exec_t:file { read getattr \
execute }; [Disabled]
(4604) allow httpd_sys_script_t httpd_t:process sigchld; [Disabled]
(4616) allow httpd_sys_script_t httpd_t:fd use; [Disabled]
(4618) allow httpd_t httpd_sys_script_t:fd use; [Disabled]

Example 6-1. apol TE Rules Search Results

Within the search results, there are hyperlinks to the left of each rule. The number corresponds to the line number in policy.conf, and clicking on, for example, (3813) switches your view to the policy.conf tab, taking you directly to line 3813. These hyperlinks are only visible if you have apol analyzing the policy.conf file. If you are using a binary policy file such as policy.18, the rules are compiled and not available for viewing. The top-level tab policy.conf is not present when analyzing the binary policy.

There are two other search capabilities within the Policy Rules tab, the Conditional Expressions and RBAC Rules tabs.

The Conditional Expressions tab allows you to search just the conditional expressions, viewing the rules within them. The only searchable rule types are allow, audit, and transition. All conditional expressions are displayed in the default view; you can narrow the view using Search Options. You can search either by specific Boolean or with regular expressions. You can reduce the quantity of output by deselecting Display rules within conditional expression(s).
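As an added example (not code from the guide or from apol itself), the following Python parser reads TE rule lines in the shape of the apol search output above, rejoins backslash-continued lines, keeps the policy.conf line number and the [Enabled]/[Disabled] annotation, and then answers the question a policy reviewer actually has: which allow rules for a domain are in force given the current Boolean state. The sample lines and the function names are constructed for this example.

```python
import re
from collections import namedtuple

# Constructed sample in the shape of the apol output above (not a real policy
# dump): a header line, backslash-continued rules, and [Enabled]/[Disabled]
# markers on rules that sit inside a Boolean-controlled conditional block.
SAMPLE = r"""
278 rules match the search criteria
(3813) allow httpd_t var_log_t:dir { read getattr lock \
    search ioctl add_name write };
(3825) allow httpd_t httpd_log_t:lnk_file read;
(4024) allow unconfined_t httpd_t:process transition; [Enabled]
(4554) allow httpd_t httpd_sys_script_t:process transition; \
    [Disabled]
(4594) allow httpd_t httpd_sys_script_exec_t:file { read getattr \
    execute }; [Disabled]
"""

# (line) kind source target:class { perms }; [Enabled|Disabled]
RULE_RE = re.compile(
    r"^\((?P<line>\d+)\)\s+(?P<kind>allow|auditallow|dontaudit)\s+"
    r"(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{(?P<set>[^}]*)\}|(?P<one>[^\s;]+))\s*;"
    r"(?:\s*\[(?P<state>Enabled|Disabled)\])?$")

# line = policy.conf line number as apol shows it; state is None for an
# unconditional rule, "Enabled"/"Disabled" for one inside a conditional.
Rule = namedtuple("Rule", "line kind source target cls perms state")

def parse_apol_rules(text):
    """Rejoin backslash-continued lines, then parse each TE rule."""
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):       # continuation: keep collecting
            buf += line[:-1].rstrip() + " "
            continue
        m, buf = RULE_RE.match(buf + line), ""
        if m:                         # headers and ## comments are skipped
            perms = frozenset((m["set"] or m["one"]).split())
            rules.append(Rule(int(m["line"]), m["kind"], m["src"], m["tgt"],
                              m["cls"], perms, m["state"]))
    return rules

def effective_rules(rules, source, perm, target=None):
    """allow rules granting `perm` to `source` that are actually in force:
    unconditional ones, plus conditional ones whose Boolean enables them."""
    return [r for r in rules
            if r.kind == "allow" and r.source == source and perm in r.perms
            and (target is None or r.target == target) and r.state != "Disabled"]
```

Running effective_rules(parse_apol_rules(SAMPLE), "httpd_t", "transition") returns nothing, because the only transition rule for httpd_t is behind a Boolean that is off; flipping that Boolean would make rule 4554 appear.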