I am trying to get my head around SELinux, but one question keeps popping up in my head: CONTEXT.
When I'm writing custom rules and modules (on CentOS 7), I end up just taking contexts out of the air - this is my understanding so far:
- seinfo -t -x: lists all contexts along with their attributes.
- sesearch: displays all present rules, so if I were interested in what httpd_t can currently access I would use something like sesearch -A -s httpd_t.
- semanage fcontext -l: lists all present rules.
- /etc/selinux/targeted/contexts: a few files here such as customizable_types, so I end up using those.
However, I am still just picking contexts out of the air with no real information about which context should be used.
I have been searching everywhere for context descriptions, but there seem to be none available. Apache alone has:
httpd_php_tmp_t httpd_var_lib_t httpd_var_run_t httpd_user_htaccess_t httpd_sys_content_t httpd_sys_htaccess_t httpd_user_script_exec_t httpd_rotatelogs_t httpd_suexec_tmp_t httpd_unconfined_script_exec_t httpd_user_ra_content_t httpd_user_rw_content_t httpd_suexec_t httpd_config_t httpd_bool_t httpd_php_t httpd_tmp_t httpd_user_script_t httpd_helper_exec_t httpd_squirrelmail_t httpd_php_exec_t httpd_sys_ra_content_t httpd_sys_rw_content_t httpd_modules_t httpd_sys_script_t httpd_user_content_t httpd_suexec_exec_t httpd_unit_file_t httpd_unconfined_script_t httpd_initrc_exec_t httpd_t httpd_rotatelogs_exec_t httpd_passwd_t httpd_helper_t httpd_keytab_t httpd_exec_t httpd_lock_t httpd_log_t httpd_cache_t httpd_tmpfs_t httpd_sys_script_exec_t httpd_passwd_exec_t
Some of the context names are self-explanatory, but surely there is some documentation somewhere for this?
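As an added example (not part of the original post), the following Python helper parses `sesearch -A -s httpd_t` output and groups the permissions the domain holds per target type, which is the information that actually distinguishes, say, httpd_sys_content_t from httpd_sys_rw_content_t when choosing a label for a directory. The sample output is constructed; the parser assumes the setools 3 layout found on CentOS 7 and the setools 4 layout, including the optional trailing boolean on conditional rules.

```python
import re
from collections import defaultdict

# Constructed sample of `sesearch -A -s httpd_t` output, not captured from a
# real system. The first two lines use the setools 3 layout (CentOS 7), the
# rest the setools 4 layout; conditional rules carry their boolean and state.
SAMPLE = """\
allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search open } ;
allow httpd_t httpd_sys_rw_content_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow httpd_t httpd_log_t:file { append create getattr ioctl lock open setattr };
allow httpd_t httpd_sys_script_exec_t:file { execute execute_no_trans getattr ioctl open read }; [ httpd_enable_cgi ]:True
allow httpd_t httpd_sys_ra_content_t:file { append create getattr ioctl link lock open read setattr }; [ httpd_anon_write ]:False
"""

# Accepts "tgt : cls { perms } ;" (setools 3) and "tgt:cls { perms };" (setools 4),
# optionally followed by "[ boolean ]" or "[ boolean ]:True/False".
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+)\s*:\s*(?P<cls>\S+)\s*"
    r"\{\s*(?P<perms>[^}]*)\}\s*;?\s*(?:\[\s*(?P<bool>\w+)\s*\](?::(?P<state>True|False))?)?"
)

def parse_allow_rules(text):
    """Yield (src, tgt, cls, perms, boolean, state) for every allow line."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            yield (m["src"], m["tgt"], m["cls"], frozenset(m["perms"].split()),
                   m["bool"], m["state"])

def access_by_type(text, cls="file", ignore_off=True):
    """Map target type -> sorted permissions the domain holds on objects of `cls`.
    Conditional rules whose boolean is reported as False are skipped by default,
    so the result reflects what the policy currently grants."""
    result = defaultdict(set)
    for _src, tgt, c, perms, boolean, state in parse_allow_rules(text):
        if c != cls or (ignore_off and boolean and state == "False"):
            continue
        result[tgt] |= perms
    return {t: sorted(p) for t, p in result.items()}

def writable_types(text):
    """Target types the domain may modify (write or append): the labels that
    static web content should not carry."""
    return sorted(t for t, p in access_by_type(text).items()
                  if {"write", "append"} & set(p))

if __name__ == "__main__":
    for tgt, perms in sorted(access_by_type(SAMPLE).items()):
        print(f"{tgt:28} {' '.join(perms)}")
```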