How to Use SELinux sesearch for Basic Usage on AlmaLinux
SELinux (Security-Enhanced Linux) is a powerful feature in AlmaLinux that enforces strict security policies to safeguard systems from unauthorized access. However, SELinux’s complexity can sometimes make it challenging for system administrators to troubleshoot and manage. This is where the sesearch tool comes into play. The sesearch command enables users to query SELinux policies and retrieve detailed information about rules, permissions, and relationships.
This guide will walk you through the basics of using sesearch on AlmaLinux, helping you effectively query SELinux policies and enhance your system’s security management.
What is SELinux sesearch?
The sesearch command is a utility in the SELinux toolset that allows you to query SELinux policy rules. It provides detailed insights into how SELinux policies are configured, including:
- Allowed actions: What actions are permitted between subjects (processes) and objects (files, ports, etc.).
- Booleans: How SELinux booleans influence policy behavior.
- Types and Attributes: The relationships between SELinux types and attributes.
By using sesearch, you can troubleshoot SELinux denials, analyze policies, and better understand the underlying configurations.
Why Use SELinux sesearch on AlmaLinux?
- Troubleshooting: Pinpoint why an SELinux denial occurred by examining policy rules.
- Policy Analysis: Gain insights into allowed interactions between subjects and objects.
- Boolean Examination: Understand how SELinux booleans modify behavior dynamically.
- Enhanced Security: Verify and audit SELinux rules for compliance.
Prerequisites
Before using sesearch, ensure the following:
SELinux is Enabled: Check SELinux status with:
sestatus
The output should indicate that SELinux is in Enforcing or Permissive mode.
Install Required Tools: Install policycoreutils and setools-console, which include sesearch:
sudo dnf install policycoreutils setools-console -y
Sufficient Privileges: Root or sudo access is necessary for querying policies.
Basic Syntax of sesearch
The basic syntax for the sesearch command is:
sesearch [OPTIONS] [FILTERS]
Common Options
- -A: Search allow rules (on the setools 4 build that AlmaLinux ships, this covers allow and allowxperm rules; sesearch requires at least one rule-type option such as -A or --allow).
- -b BOOLEAN: Display rules dependent on a specific SELinux boolean.
- -s SOURCE_TYPE: Specify the source (subject) type.
- -t TARGET_TYPE: Specify the target (object) type.
- -c CLASS: Filter by a specific object class (e.g., file, dir, port).
- --allow: Show only allow rules.
Step-by-Step Guide to Using sesearch on AlmaLinux
Step 1: Query Allowed Interactions
To identify which actions are permitted between a source type and a target type, use the --allow flag.
Example: Check which actions the httpd_t type can perform on files labeled httpd_sys_content_t.
sesearch --allow -s httpd_t -t httpd_sys_content_t -c file
Output:
allow httpd_t httpd_sys_content_t:file { read getattr open };
This output shows that processes with the httpd_t type can read, get attributes, and open files labeled with httpd_sys_content_t.
Step 2: Query Rules Dependent on Booleans
SELinux booleans modify policy rules dynamically. Use the -b option to view rules associated with a specific boolean.
Example: Check rules affected by the httpd_enable_cgi boolean. On AlmaLinux (setools 4) sesearch needs a rule type alongside -b, so pair it with -A:
sesearch -A -b httpd_enable_cgi
Output:
Found 2 conditional av rules.
...
allow httpd_t httpd_sys_script_exec_t:file { execute getattr open read };
This output shows that enabling the httpd_enable_cgi boolean allows httpd_t processes to execute script files labeled with httpd_sys_script_exec_t.
Step 3: Query All Rules for a Type
To display all rules that apply to a specific type, omit the other filters and use only the -s or -t option.
Example: View all rules for the ssh_t source type.
sesearch -A -s ssh_t
Step 4: Analyze Denials
When a denial occurs, use sesearch to check the policy for allowed actions.
Scenario: An application running under myapp_t is denied access to a log file labeled var_log_t.
Check Policy Rules:
sesearch --allow -s myapp_t -t var_log_t -c file
Analyze Output:
If no allow rules exist for the requested action (e.g., write), the policy must be updated.
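The step above is easy to get wrong by eye when a rule is long or conditional. The script below is an added example for this guide (not part of setools) that reads sesearch --allow output on stdin and reports whether a given permission is granted outright, granted only while a boolean is set, or absent. The rule lines are constructed in setools 4 output style, and the boolean myapp_write_logs is a hypothetical name chosen for the example.

```shell
#!/bin/sh
# Denial triage helper: reads `sesearch --allow` output on stdin and reports
# whether SOURCE is granted PERM on TARGET:CLASS. Added example for this guide,
# not part of setools; the rule lines below are constructed, not captured.
#
# Verdicts:
#   granted                  an unconditional allow rule carries PERM
#   conditional:BOOL=STATE   PERM is only allowed while boolean BOOL is STATE
#   missing                  no allow rule carries PERM, so the policy (or the
#                            file label) must change, not just a boolean

# Constructed sample in setools 4 output style (the boolean myapp_write_logs
# is hypothetical, chosen for the example).
SAMPLE_RULES='allow myapp_t var_log_t:file { read getattr open };
allow myapp_t var_log_t:file { append write }; [ myapp_write_logs ]:True
allow myapp_t var_log_t:dir { search getattr };
allow myapp_t var_log_t:file lock;'

# rule_verdict SOURCE TARGET CLASS PERM  (rules on stdin)
# Only single-boolean conditions ("[ bool ]:True") are decoded; compound
# expressions are reported by their first boolean only.
rule_verdict() {
    awk -v s="$1" -v t="$2:$3" -v p="$4" '
        $1 == "allow" && $2 == s && $3 == t {
            n = split($0, part, ";")      # part[1] = rule, part[2] = optional condition
            perms = part[1]
            sub(/^allow [^ ]+ [^ ]+ /, "", perms)   # drop "allow src tgt:cls "
            gsub(/[{}]/, "", perms)                 # "{ a b }" -> " a b "
            np = split(perms, pl, " ")
            for (i = 1; i <= np; i++) {
                if (pl[i] != p) continue
                if (n > 1 && part[2] ~ /\[/) {
                    c = part[2]
                    gsub(/[^A-Za-z0-9_]/, " ", c)   # "[ bool ]:True" -> " bool True"
                    split(c, w, " ")
                    cond = w[1] "=" w[2]
                } else {
                    uncond = 1
                }
            }
        }
        END {
            if (uncond) print "granted"
            else if (cond != "") print "conditional:" cond
            else print "missing"
        }'
}

# triage_access SOURCE TARGET CLASS PERM: run the check against the sample rules
triage_access() {
    printf '%s\n' "$SAMPLE_RULES" | rule_verdict "$@"
}

# Stand-alone run: the denial scenario from Step 4, permission by permission
for perm in read write unlink lock; do
    printf 'myapp_t -> var_log_t:file %-6s %s\n' "$perm" "$(triage_access myapp_t var_log_t file "$perm")"
done
```

On a live host, feed the real query instead of the sample: sesearch --allow -s myapp_t -t var_log_t -c file | rule_verdict myapp_t var_log_t file write. A "conditional" verdict points at a setsebool change; a "missing" verdict means either the policy lacks the rule or, as the scenarios later in this guide show, the file may simply carry the wrong label, so check ls -Z before writing new policy.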
Step 5: Combine Filters
You can combine multiple filters to refine your queries further.
Example: Query rules where httpd_t can interact with httpd_sys_content_t for the file class, dependent on the httpd_enable_homedirs boolean.
sesearch --allow -s httpd_t -t httpd_sys_content_t -c file -b httpd_enable_homedirs
Best Practices for Using sesearch
- Use Specific Filters: Narrow down queries by specifying source, target, class, and boolean filters.
- Understand Booleans: Familiarize yourself with SELinux booleans using:
getsebool -a
- Document Queries: Keep a log of sesearch commands and outputs for auditing purposes.
- Verify Policy Changes: Always test the impact of policy changes in a non-production environment.
Real-World Scenarios for sesearch Usage
1. Debugging Web Server Access Issues
Problem: Apache cannot access files in /var/www/html.
Steps:
- Check current file context:
ls -Z /var/www/html
- Query policy rules for httpd_t interacting with httpd_sys_content_t:
sesearch --allow -s httpd_t -t httpd_sys_content_t -c file
- Enable relevant booleans if needed:
sudo setsebool -P httpd_enable_homedirs 1
2. Diagnosing SSH Service Denials
Problem: SSH service fails to read custom configuration files.
Steps:
- Check the SELinux context of the configuration file:
ls -Z /etc/ssh/custom_config
- Query policy rules for ssh_t and the file’s label:
sesearch --allow -s ssh_t -t ssh_config_t -c file
- Restore file context if mismatched:
sudo restorecon -v /etc/ssh/custom_config
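Both scenarios start by reading the file's context with ls -Z and deciding whether its type matches the one the allow rule names. The script below is an added example for this guide (not a setools or coreutils feature) that parses ls -Z output and reports whether the file is correctly labeled, needs restorecon, or is absent from the listing. The ls -Z lines are constructed, not captured from a host, and the expected type ssh_config_t is taken from the scenario above.

```shell
#!/bin/sh
# Label check for the "file context" step of the scenarios above: parse `ls -Z`
# output and decide whether a file carries the expected SELinux type.
# Added example for this guide, not a setools or coreutils feature; the ls -Z
# lines are constructed, not captured from a host.

# Constructed `ls -Z` output. A context has four colon-separated parts,
# user:role:type:level, and only the type matters for the allow rules sesearch shows.
SAMPLE_LS_Z='system_u:object_r:ssh_config_t:s0 /etc/ssh/custom_config
unconfined_u:object_r:user_home_t:s0 /etc/ssh/custom_config.bak
system_u:object_r:etc_t:s0 /etc/ssh/sshd_config'

# label_check FILE EXPECTED_TYPE  (ls -Z lines on stdin)
# Prints "ok" when FILE has EXPECTED_TYPE, "relabel:<current type>" when it
# carries another type (restorecon is the next step), "notfound" if absent.
# Assumes file names without spaces, which holds for the paths used here.
label_check() {
    awk -v f="$1" -v want="$2" '
        $2 == f {
            split($1, ctx, ":")            # ctx[3] is the SELinux type
            found = 1
            if (ctx[3] == want) print "ok"
            else print "relabel:" ctx[3]
            exit
        }
        END { if (!found) print "notfound" }'
}

# check_file FILE EXPECTED_TYPE: run the check against the sample listing
check_file() {
    printf '%s\n' "$SAMPLE_LS_Z" | label_check "$@"
}

# Stand-alone run: the SSH scenario, each file against the type the policy rule expects
for f in /etc/ssh/custom_config /etc/ssh/custom_config.bak /etc/ssh/missing; do
    printf '%-32s %s\n' "$f" "$(check_file "$f" ssh_config_t)"
done
```

On a real host, pipe the live listing: ls -Z /etc/ssh/custom_config | label_check /etc/ssh/custom_config ssh_config_t. A "relabel" result means the sesearch query was answered for the wrong target type, so run restorecon and re-check before concluding that the policy itself is missing a rule.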
Frequently Asked Questions (FAQs)
1. What is the difference between sesearch and audit2allow?
- sesearch: Queries existing SELinux policy rules.
- audit2allow: Generates policy rules based on logged denials.
2. Can sesearch modify SELinux policies?
No, sesearch is a read-only tool. Use semanage or audit2allow to modify policies.
3. How can I check all booleans affecting a type?
Combine sesearch with the -s and -b options to query booleans related to a specific source type.
4. Is sesearch available on all Linux distributions?
Yes, it is part of the SELinux toolset and is available on most distributions with SELinux enabled.
5. Can sesearch help optimize SELinux policies?
Yes, by analyzing existing rules, you can identify redundant or overly permissive policies.
6. What does the --allow flag do?
It filters the output to show only allow rules, simplifying policy analysis.
Conclusion
The sesearch tool is an indispensable utility for managing SELinux on AlmaLinux. By allowing detailed queries into SELinux policies, it helps administrators troubleshoot issues, optimize configurations, and maintain a secure environment. Whether you’re resolving access denials or auditing rules, mastering sesearch is a vital step toward effective SELinux management.