Eigenes Profil erstellen SELinux: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| Zeile 49: | Zeile 49: | ||
/etc/systemd/system/mydaemon_selinux.spec # Spec file | /etc/systemd/system/mydaemon_selinux.spec # Spec file | ||
/etc/systemd/system/mydaemon.sh # Setup Script | /etc/systemd/system/mydaemon.sh # Setup Script | ||
| + | =Erstellen Sie die Systemrichtlinie mit dem neuen Richtlinienmodul mithilfe des mit dem vorherigen Befehl erstellten Setup-Skripts neu= | ||
| + | *./mydaemon.sh | ||
| + | <pre> | ||
| + | Building and Loading Policy | ||
| + | + make -f /usr/share/selinux/devel/Makefile mydaemon.pp | ||
| + | Compiling targeted mydaemon module | ||
| + | Creating targeted mydaemon.pp policy package | ||
| + | rm tmp/mydaemon.mod tmp/mydaemon.mod.fc | ||
| + | + /usr/sbin/semodule -i mydaemon.pp | ||
| + | + sepolicy manpage -p . -d mydaemon_t | ||
| + | ./mydaemon_selinux.8 | ||
| + | + /sbin/restorecon -F -R -v /usr/local/bin/mydaemon | ||
| + | Relabeled /usr/local/bin/mydaemon from unconfined_u:object_r:bin_t:s0 to system_u:object_r:mydaemon_exec_t:s0 | ||
| + | ++ pwd | ||
| + | + pwd=/etc/systemd/system | ||
| + | + rpmbuild --define '_sourcedir /etc/systemd/system' --define '_specdir /etc/systemd/system' --define '_builddir /etc/systemd/system' --define '_srcrpmdir /etc/systemd/system' --define '_rpmdir /etc/systemd/system' --define '_buildrootdir /etc/systemd/system/.build' -ba mydaemon_selinux.spec | ||
| + | ./mydaemon.sh: line 52: rpmbuild: command not found | ||
| + | </pre> | ||
=Links= | =Links= | ||
*https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/writing-a-custom-selinux-policy_using-selinux | *https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/writing-a-custom-selinux-policy_using-selinux | ||
Version vom 22. November 2022, 14:14 Uhr
Eigenes Programm
- cat ~/mydaemon.c
#include <unistd.h>
#include <stdio.h>
FILE *f;
int main(void)
{
while(1) {
f = fopen("/var/log/messages","w");
sleep(5);
fclose(f);
}
}
Kompilieren
- gcc -o mydaemon mydaemon.c
Kopieren
- cp mydaemon /usr/local/sbin
System Dienst
- cat /etc/systemd/system/mydaemon.service
vi mydaemon.service [Unit] Description=Simple testing daemon [Service] Type=simple ExecStart=/usr/local/bin/mydaemon [Install] WantedBy=multi-user.target
Systemctl status
- systemctl start mydaemon
- systemctl status mydaemon
Check that the new daemon is not confined by SELinux
- ps -efZ | grep mydaemon
system_u:system_r:unconfined_service_t:s0 root 5812 1 0 15:41 ? 00:00:00 /usr/local/bin/mydaemon
Generieren Sie eine benutzerdefinierte Richtlinie für den Daemon
- sepolicy generate --init /usr/local/bin/mydaemon
Created the following files: /etc/systemd/system/mydaemon.te # Type Enforcement file /etc/systemd/system/mydaemon.if # Interface file /etc/systemd/system/mydaemon.fc # File Contexts file /etc/systemd/system/mydaemon_selinux.spec # Spec file /etc/systemd/system/mydaemon.sh # Setup Script
Erstellen Sie die Systemrichtlinie mit dem neuen Richtlinienmodul mithilfe des mit dem vorherigen Befehl erstellten Setup-Skripts neu
- ./mydaemon.sh
Building and Loading Policy + make -f /usr/share/selinux/devel/Makefile mydaemon.pp Compiling targeted mydaemon module Creating targeted mydaemon.pp policy package rm tmp/mydaemon.mod tmp/mydaemon.mod.fc + /usr/sbin/semodule -i mydaemon.pp + sepolicy manpage -p . -d mydaemon_t ./mydaemon_selinux.8 + /sbin/restorecon -F -R -v /usr/local/bin/mydaemon Relabeled /usr/local/bin/mydaemon from unconfined_u:object_r:bin_t:s0 to system_u:object_r:mydaemon_exec_t:s0 ++ pwd + pwd=/etc/systemd/system + rpmbuild --define '_sourcedir /etc/systemd/system' --define '_specdir /etc/systemd/system' --define '_builddir /etc/systemd/system' --define '_srcrpmdir /etc/systemd/system' --define '_rpmdir /etc/systemd/system' --define '_buildrootdir /etc/systemd/system/.build' -ba mydaemon_selinux.spec ./mydaemon.sh: line 52: rpmbuild: command not found