SELinux Policy: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
 
(20 dazwischenliegende Versionen von einem anderen Benutzer werden nicht angezeigt)
Zeile 1: Zeile 1:
* SELinux Policies werden hauptsächlich in einer ''.te'' Datei definiert
+
<span id="regelstruktur"></span>
* Ein Grundgerüst kann mit ''sepolicy generate'' erstellt werden
+
= Regelstruktur =
 +
 
 +
* sesearch -t ping_t -c tcp_socket --allow -dt
 +
allow ping_t ping_t:tcp_socket { accept listen }; [ nis_enabled ]:True
 +
allow ping_t ping_t:tcp_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
 +
 
 +
 
 +
<!----->
 +
{{#drawio:selinux-regelstruktur-1}}
 +
 
 +
* Attribute werden benutzt, um Typen zu gruppieren.
 +
* Attribute wirken sich nicht direkt auf Berechtigungen aus, sondern entscheiden über Dinge wie File- und Portlabeling
 +
* Klassen werden in allow/disallow Regeln bestimmten Typen zugeordnet
 +
* Klassen fassen Berechtigungen zusammen
 +
 
 +
<!----->
 +
<span id="regeln-suchen"></span>
 +
 
 +
= Regeln suchen =
 +
 
 +
* mit ''sesearch'' können SELinux-Regeln gesucht werden
 +
* suchbare Felder sind Quell (-s)-/Zieltypen (-t), Objektklasse (-c), Berechtigungen (-p) und mit der Regel assoziierte Booleans (-b)
 +
* mit ''-ds'' und ''-dt'' wird explizit nach dem Namen des jeweiligen Quell- und Zieltyp gesucht, statt nur nach passenden Attributen zu matchen
 +
* Man muss angeben, ob man nach allow-Regeln (--allow) oder nach Typentransitionsregeln (-T) sucht
 +
 
 +
<!----->
 +
<span id="allow-regeln-und-domänentranstion-anhand-von-user_t-und-dem-ping-programm"></span>
 +
= allow-Regeln und Domänentranstion anhand von ''user_t'' und dem ping-Programm =
 +
 
 +
<span id="welche-programme-darf-user_t-ausführen"></span>
 +
== Welche Programme darf ''user_t'' ausführen? ==
 +
 
 +
* sesearch -s user_t -p execute --allow -ds | head
 +
 
 +
<!----->
 +
allow user_t application_exec_type:file { execute execute_no_trans getattr ioctl lock map open read };
 +
allow user_t bin_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
 +
allow user_t bluetooth_helper_exec_t:file { execute getattr ioctl map open read };
 +
allow user_t cdrecord_exec_t:file { execute getattr ioctl map open read };
 +
allow user_t checkpolicy_exec_t:file { execute execute_no_trans getattr ioctl lock map open read };
 +
allow user_t chfn_exec_t:file { execute getattr ioctl map open read };
 +
allow user_t chkpwd_exec_t:file { execute getattr ioctl map open read };
 +
allow user_t chromium_exec_t:file { execute getattr ioctl map open read };
 +
allow user_t chroot_exec_t:file { execute execute_no_trans getattr ioctl lock map open read };
 +
allow user_t cifs_t:file { execute execute_no_trans getattr ioctl map open read }; [ use_samba_home_dirs ]:True
 +
* sesearch -s user_t -p execute --allow -ds | grep ping_
  
 
<!----->
 
<!----->
<span id="vorhandene-definitionen-verwenden"></span>
+
allow user_t ping_exec_t:file { execute getattr ioctl map open read }; [ user_ping ]:True
= Vorhandene Definitionen verwenden =
+
<span id="domänentransition"></span>
 +
== Domänentransition ==
  
* Mit '''require''' können bereits bekannte Variablen wie Typen, Attribute, etc. geladen werden
+
* Für eine Domänentransition muss der Übergang definiert und explicit erlaubt werden
* Eine vollständige Liste kann mit ''seinfo'' eingesehen werden
+
* sesearch -s user_t -t ping_exec_t -T
* Syntax Beispiel:
 
  
 
<!----->
 
<!----->
  policy_module(custom, 1.0.0)
+
  type_transition user_t ping_exec_t:process ping_t; [ user_ping ]:True
   
+
* sesearch -s user_t -t ping_t -p transition --allow
  require {
+
 
    type mnt_t;
+
<!----->
  class file;
+
allow user_t ping_t:process transition; [ user_ping ]:True
  attribute port_type;
+
* Beim Aufruf von ''ping_exec_t'' über ''user_t'' geht der Prozess somit in ''ping_t'' über
 +
 
 +
<!----->
 +
<span id="berechtigungen-von-ping_t-anzeigen"></span>
 +
== Berechtigungen von ''ping_t'' anzeigen ==
 +
 
 +
* sesearch -s ping_t --allow -ds | head
 +
 
 +
<!----->
 +
allow ping_t auditadm_t:fd use; [ user_ping ]:True
 +
allow ping_t auditadm_t:fifo_file { append getattr ioctl lock read write }; [ user_ping ]:True
 +
allow ping_t auditadm_t:process sigchld; [ user_ping ]:True
 +
allow ping_t console_device_t:chr_file { append getattr ioctl lock open write };
 +
allow ping_t device_t:dir { getattr ioctl lock open read search };
 +
allow ping_t device_t:lnk_file { getattr read };
 +
allow ping_t devlog_t:sock_file { append getattr open write };
 +
allow ping_t devpts_t:dir { getattr ioctl lock open read search };
 +
allow ping_t dhcpc_t:fd use;
 +
allow ping_t dhcpc_t:fifo_file { append getattr ioctl lock read write };
 +
* sesearch -s ping_t --allow -ds | grep socket
 +
 
 +
<!----->
 +
allow ping_t init_t:unix_dgram_socket sendto;
 +
allow ping_t init_t:unix_stream_socket { getattr ioctl read write };
 +
allow ping_t kernel_t:unix_dgram_socket sendto;
 +
allow ping_t netlabel_peer_t:rawip_socket recvfrom;
 +
allow ping_t netlabel_peer_t:tcp_socket recvfrom;
 +
allow ping_t netlabel_peer_t:udp_socket recvfrom;
 +
allow ping_t node_t:rawip_socket node_bind;
 +
allow ping_t ping_t:icmp_socket create;
 +
allow ping_t ping_t:netlink_route_socket { append bind connect create getattr getopt ioctl nlmsg_read nlmsg_write read setattr setopt shutdown write };
 +
allow ping_t ping_t:packet_socket { bind create getopt ioctl read setopt write };
 +
allow ping_t ping_t:rawip_socket { bind create getattr getopt ioctl read setopt write };
 +
allow ping_t ping_t:tcp_socket { accept append bind connect create getattr getopt ioctl listen read setattr setopt shutdown write }; [ allow_ypbind ]:True
 +
allow ping_t ping_t:tcp_socket { append bind connect create getattr getopt ioctl read setattr setopt shutdown write };
 +
allow ping_t ping_t:tcp_socket { append bind connect create getattr getopt ioctl read setattr setopt shutdown write }; [ allow_kerberos ]:True
 +
allow ping_t ping_t:tcp_socket { append bind connect create getattr getopt ioctl read setattr setopt shutdown write }; [ authlogin_nsswitch_use_ldap ]:True
 +
allow ping_t ping_t:udp_socket { append bind connect create getattr getopt ioctl read setattr setopt shutdown write };
 +
allow ping_t ping_t:udp_socket { append bind connect create getattr getopt ioctl read setattr setopt shutdown write }; [ allow_kerberos ]:True
 +
allow ping_t ping_t:udp_socket { append bind connect create getattr getopt ioctl read setattr setopt shutdown write }; [ allow_ypbind ]:True
 +
allow ping_t ping_t:unix_dgram_socket { append bind connect create getattr getopt ioctl read setattr setopt shutdown write };
 +
allow ping_t ping_t:unix_stream_socket { accept append bind connect create getattr getopt ioctl listen read setattr setopt shutdown write };
 +
allow ping_t ping_t:unix_stream_socket { accept append bind connect create getattr getopt ioctl listen read setattr setopt shutdown write }; [ nscd_use_shm ]:True
 +
  allow ping_t ping_t:unix_stream_socket { accept append bind connect create getattr getopt ioctl listen read setattr setopt shutdown write }; [ nscd_use_shm ]:True
 +
  allow ping_t ping_t:unix_stream_socket { append bind connect create getattr getopt ioctl read setattr setopt shutdown write }; [ nscd_use_shm ]:False
 +
allow ping_t ping_t:unix_stream_socket { append bind connect create getattr getopt ioctl read setattr setopt shutdown write }; [ nscd_use_shm ]:False
 +
  allow ping_t syslogd_t:unix_dgram_socket sendto;
 +
  allow ping_t syslogd_t:unix_stream_socket connectto;
 +
<span id="infos-zum-objekt-tcp_socket"></span>
 +
== Infos zum Objekt ''tcp_socket'' ==
 +
 
 +
* seinfo -c tcp_socket -x
 +
 
 +
<!----->
 +
Classes: 1
 +
    class tcp_socket
 +
    inherits socket
 +
{
 +
    node_bind
 +
    name_connect
 +
}
 +
* seinfo --common socket -x
 +
 
 +
<!----->
 +
Commons: 1
 +
    common socket
 +
{
 +
    lock
 +
        setattr
 +
        relabelto
 +
        shutdown
 +
        setopt
 +
        read
 +
        ioctl
 +
        listen
 +
        name_bind
 +
        bind
 +
        connect
 +
        recvfrom
 +
        getattr
 +
        write
 +
        getopt
 +
        append
 +
        create
 +
        relabelfrom
 +
        sendto
 +
        map
 +
        accept
 
  }
 
  }
<span id="neuen-porttyp-definieren"></span>
+
<span id="installierte-policy-module-anschauen"></span>
= Neuen Porttyp definieren =
+
= Installierte Policy Module anschauen =
  
* Erforderliche Attribute importieren
+
* Die Policy Module liegen in kompilierte Form vor
* Neuen Porttyp deklarieren
+
* Man kann geladene Module extrahieren und dekompilieren
* Neuen Porttyp mit den Attributen assozieren
+
* semodule -l | grep ssh
* Syntax Beispiel
+
* semodule -E ssh
 +
* semodule_unpackage ssh.pp ssh.mod ssh.fc
  
 
<!----->
 
<!----->
  policy_module(custom, 1.0.0)
+
''ssh.fc'' enthält die file-contexts
 +
 
 +
* head ssh.fc
 +
 
 +
<!----->
 +
  HOME_DIR/\.ssh(/.*)?                    system_u:object_r:ssh_home_t:s0
 +
HOME_DIR/\.ansible/cp/.*        -s      system_u:object_r:ssh_home_t:s0
 +
HOME_DIR/\.shosts                      system_u:object_r:ssh_home_t:s0
 
   
 
   
  require {
+
  /var/lib/[^/]+/\.ssh(/.*)?              system_u:object_r:ssh_home_t:s0
    attribute port_type;
+
  /var/lib/amanda/\.ssh(/.*)?            system_u:object_r:ssh_home_t:s0
    attribute defined_port_type;
+
  /var/lib/gitolite/\.ssh(/.*)?  system_u:object_r:ssh_home_t:s0
    attribute reserved_port_type;
+
  /var/lib/gitolite3/\.ssh(/.*)? system_u:object_r:ssh_home_t:s0
  }
+
  /var/lib/nocpulse/\.ssh(/.*)?  system_u:object_r:ssh_home_t:s0
   
+
  /var/lib/one/\.ssh(/.*)?                system_u:object_r:ssh_home_t:s0
  type custom_port_t;
+
''ssh.mod'' enthält alle allow-Regeln, Booleans, Rollen, Typen, etc. in binärer Form
  typeattribute custom_port_t port_type;
 
  typeattribute custom_port_t defined_port_type;
 
  typeattribute custom_port_t reserved_port_type;
 
<span id="type-transition"></span>
 
= Type transition =
 
  
* Damit ein Programm einen [https://xinux.net/index.php/SELinux_Handling#add_port gelabelten Port] benutzen darf, muss es eine Transistion zu den Porttyp machen
+
* sedismod ssh.mod
* Das wird mit den '''allow''' Befehlen in den Konfigurationsdatei erreicht
 
* Syntax Beispiel:
 
  
 
<!----->
 
<!----->
  policy_module(custom, 1.0.0)
+
  Reading policy...
 +
libsepol.policydb_index_others: security:  0 users, 2 roles, 313 types, 13 bools
 +
libsepol.policydb_index_others: security: 1 sens, 1024 cats
 +
libsepol.policydb_index_others: security:  112 classes, 0 rules, 0 cond rules
 +
libsepol.policydb_index_others: security:  0 users, 2 roles, 313 types, 13 bools
 +
libsepol.policydb_index_others: security: 1 sens, 1024 cats
 +
libsepol.policydb_index_others: security:  112 classes, 0 rules, 0 cond rules
 +
Binary policy module file loaded.
 +
Module name: ssh
 +
Module version: 2.4.2
 +
Policy version: 21
 +
 +
 +
Select a command:
 +
1)  display unconditional AVTAB
 +
2)  display conditional AVTAB
 +
3)  display users
 +
4)  display bools
 +
5)  display roles
 +
6)  display types, attributes, and aliases
 +
7)  display role transitions
 +
8)  display role allows
 +
9)  Display policycon
 +
0) Display initial SIDs
 
   
 
   
  require {
+
  a)  Display avrule requirements
    attribute port_type;
+
b)  Display avrule declarations
    attribute defined_port_type;
+
c)  Display policy capabilities
    attribute reserved_port_type;
+
l)  Link in a module
  }
+
  u)  Display the unknown handling setting
 +
F)  Display filename_trans rules
 
   
 
   
  type custom_t;
+
  f)  set output file
  type custom_port_t;
+
  m)  display menu
  typeattribute custom_port_t port_type;
+
  q)  quit
 
   
 
   
  # Zwei verschiedene Typentransitionen müssen erfolgen, damit ein Programm auf einen Port lauschen darf.
+
  Command ('m' for menu): 
  allow custom_t custom_port_t:tcp_socket { name_bind };
+
* Die Regeln kann man mit 1 oder 2 anschauen
  allow custom_t node_t:tcp_socket { node_bind };
+
* bedingungslose Regeln
  allow custom_t self:tcp_socket { listen accept };
+
 
 +
<!----->
 +
unconditional avtab:
 +
--- begin avrule block ---
 +
decl 1:
 +
  allow ssh_keygen_t ssh_keygen_exec_t : [file] { entrypoint };
 +
  allow ssh_keygen_t ssh_keygen_exec_t : [file] { ioctl read getattr lock map execute open };
 +
  type_transition [initrc_domain] ssh_keygen_exec_t : [process] ssh_keygen_t;
 +
  allow sshd_keygen_t sshd_keygen_exec_t : [file] { entrypoint };
 +
  allow sshd_keygen_t sshd_keygen_exec_t : [file] { ioctl read getattr lock map execute open };
 +
  type_transition [initrc_domain] sshd_keygen_exec_t : [process] sshd_keygen_t;
 +
  allow sshd_t [security_t] : [lnk_file] { read getattr };
 +
  ...
 +
* bedingte Regeln
 +
 
 +
<!----->
 +
conditional avtab:
 +
--- begin avrule block ---
 +
decl 1:
 +
expression: use_samba_home_dirs current state: 0
 +
True list:
 +
  allow chroot_user_t [cifs_t] : [lnk_file] { read getattr };
 +
  allow chroot_user_t [cifs_t] : [dir] { getattr open search };
 +
  allow chroot_user_t [cifs_t] : [dir] { ioctl read getattr lock open search };
 +
  allow chroot_user_t [cifs_t] : [file] { ioctl read getattr lock open };
 +
  allow chroot_user_t [cifs_t] : [dir] { getattr open search };
 +
  allow chroot_user_t [cifs_t] : [dir] { ioctl read getattr lock open search };
 +
...

Aktuelle Version vom 17. Januar 2023, 13:00 Uhr

Regelstruktur

  • sesearch -t ping_t -c tcp_socket --allow -dt
allow ping_t ping_t:tcp_socket { accept listen }; [ nis_enabled ]:True
allow ping_t ping_t:tcp_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };


  • Attribute werden benutzt, um Typen zu gruppieren.
  • Attribute wirken sich nicht direkt auf Berechtigungen aus, sondern entscheiden über Dinge wie File- und Portlabeling
  • Klassen werden in allow/disallow Regeln bestimmten Typen zugeordnet
  • Klassen fassen Berechtigungen zusammen

Regeln suchen

  • mit sesearch können SELinux-Regeln gesucht werden
  • suchbare Felder sind Quell (-s)-/Zieltypen (-t), Objektklasse (-c), Berechtigungen (-p) und mit der Regel assoziierte Booleans (-b)
  • mit -ds und -dt wird explizit nach dem Namen des jeweiligen Quell- und Zieltyp gesucht, statt nur nach passenden Attributen zu matchen
  • Man muss angeben, ob man nach allow-Regeln (--allow) oder nach Typentransitionsregeln (-T) sucht

allow-Regeln und Domänentranstion anhand von user_t und dem ping-Programm

Welche Programme darf user_t ausführen?

  • sesearch -s user_t -p execute --allow -ds | head
allow user_t application_exec_type:file { execute execute_no_trans getattr ioctl lock map open read };
allow user_t bin_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
allow user_t bluetooth_helper_exec_t:file { execute getattr ioctl map open read };
allow user_t cdrecord_exec_t:file { execute getattr ioctl map open read };
allow user_t checkpolicy_exec_t:file { execute execute_no_trans getattr ioctl lock map open read };
allow user_t chfn_exec_t:file { execute getattr ioctl map open read };
allow user_t chkpwd_exec_t:file { execute getattr ioctl map open read };
allow user_t chromium_exec_t:file { execute getattr ioctl map open read };
allow user_t chroot_exec_t:file { execute execute_no_trans getattr ioctl lock map open read };
allow user_t cifs_t:file { execute execute_no_trans getattr ioctl map open read }; [ use_samba_home_dirs ]:True
  • sesearch -s user_t -p execute --allow -ds | grep ping_
allow user_t ping_exec_t:file { execute getattr ioctl map open read }; [ user_ping ]:True

Domänentransition

  • Für eine Domänentransition muss der Übergang definiert und explicit erlaubt werden
  • sesearch -s user_t -t ping_exec_t -T
type_transition user_t ping_exec_t:process ping_t; [ user_ping ]:True
  • sesearch -s user_t -t ping_t -p transition --allow
allow user_t ping_t:process transition; [ user_ping ]:True
  • Beim Aufruf von ping_exec_t über user_t geht der Prozess somit in ping_t über

Berechtigungen von ping_t anzeigen

  • sesearch -s ping_t --allow -ds | head
allow ping_t auditadm_t:fd use; [ user_ping ]:True
allow ping_t auditadm_t:fifo_file { append getattr ioctl lock read write }; [ user_ping ]:True
allow ping_t auditadm_t:process sigchld; [ user_ping ]:True
allow ping_t console_device_t:chr_file { append getattr ioctl lock open write };
allow ping_t device_t:dir { getattr ioctl lock open read search };
allow ping_t device_t:lnk_file { getattr read };
allow ping_t devlog_t:sock_file { append getattr open write };
allow ping_t devpts_t:dir { getattr ioctl lock open read search };
allow ping_t dhcpc_t:fd use;
allow ping_t dhcpc_t:fifo_file { append getattr ioctl lock read write };
  • sesearch -s ping_t --allow -ds | grep socket
allow ping_t init_t:unix_dgram_socket sendto;
allow ping_t init_t:unix_stream_socket { getattr ioctl read write };
allow ping_t kernel_t:unix_dgram_socket sendto;
allow ping_t netlabel_peer_t:rawip_socket recvfrom;
allow ping_t netlabel_peer_t:tcp_socket recvfrom;
allow ping_t netlabel_peer_t:udp_socket recvfrom;
allow ping_t node_t:rawip_socket node_bind;
allow ping_t ping_t:icmp_socket create;
allow ping_t ping_t:netlink_route_socket { append bind connect create getattr getopt ioctl nlmsg_read nlmsg_write read setattr setopt shutdown write };
allow ping_t ping_t:packet_socket { bind create getopt ioctl read setopt write };
allow ping_t ping_t:rawip_socket { bind create getattr getopt ioctl read setopt write };
allow ping_t ping_t:tcp_socket { accept append bind connect create getattr getopt ioctl listen read setattr setopt shutdown write }; [ allow_ypbind ]:True
allow ping_t ping_t:tcp_socket { append bind connect create getattr getopt ioctl read setattr setopt shutdown write };
allow ping_t ping_t:tcp_socket { append bind connect create getattr getopt ioctl read setattr setopt shutdown write }; [ allow_kerberos ]:True
allow ping_t ping_t:tcp_socket { append bind connect create getattr getopt ioctl read setattr setopt shutdown write }; [ authlogin_nsswitch_use_ldap ]:True
allow ping_t ping_t:udp_socket { append bind connect create getattr getopt ioctl read setattr setopt shutdown write };
allow ping_t ping_t:udp_socket { append bind connect create getattr getopt ioctl read setattr setopt shutdown write }; [ allow_kerberos ]:True
allow ping_t ping_t:udp_socket { append bind connect create getattr getopt ioctl read setattr setopt shutdown write }; [ allow_ypbind ]:True
allow ping_t ping_t:unix_dgram_socket { append bind connect create getattr getopt ioctl read setattr setopt shutdown write };
allow ping_t ping_t:unix_stream_socket { accept append bind connect create getattr getopt ioctl listen read setattr setopt shutdown write };
allow ping_t ping_t:unix_stream_socket { accept append bind connect create getattr getopt ioctl listen read setattr setopt shutdown write }; [ nscd_use_shm ]:True
allow ping_t ping_t:unix_stream_socket { accept append bind connect create getattr getopt ioctl listen read setattr setopt shutdown write }; [ nscd_use_shm ]:True
allow ping_t ping_t:unix_stream_socket { append bind connect create getattr getopt ioctl read setattr setopt shutdown write }; [ nscd_use_shm ]:False
allow ping_t ping_t:unix_stream_socket { append bind connect create getattr getopt ioctl read setattr setopt shutdown write }; [ nscd_use_shm ]:False
allow ping_t syslogd_t:unix_dgram_socket sendto;
allow ping_t syslogd_t:unix_stream_socket connectto;

Infos zum Objekt tcp_socket

  • seinfo -c tcp_socket -x
Classes: 1
   class tcp_socket
   inherits socket
{
    node_bind
    name_connect
}
  • seinfo --common socket -x
Commons: 1
   common socket
{
    lock
        setattr
        relabelto
        shutdown
        setopt
        read
        ioctl
        listen
        name_bind
        bind
        connect
        recvfrom
        getattr
        write
        getopt
        append
        create
        relabelfrom
        sendto
        map
        accept
}

Installierte Policy Module anschauen

  • Die Policy Module liegen in kompilierte Form vor
  • Man kann geladene Module extrahieren und dekompilieren
  • semodule -l | grep ssh
  • semodule -E ssh
  • semodule_unpackage ssh.pp ssh.mod ssh.fc

ssh.fc enthält die file-contexts

  • head ssh.fc
HOME_DIR/\.ssh(/.*)?                    system_u:object_r:ssh_home_t:s0
HOME_DIR/\.ansible/cp/.*        -s      system_u:object_r:ssh_home_t:s0
HOME_DIR/\.shosts                       system_u:object_r:ssh_home_t:s0

/var/lib/[^/]+/\.ssh(/.*)?              system_u:object_r:ssh_home_t:s0
/var/lib/amanda/\.ssh(/.*)?             system_u:object_r:ssh_home_t:s0
/var/lib/gitolite/\.ssh(/.*)?   system_u:object_r:ssh_home_t:s0
/var/lib/gitolite3/\.ssh(/.*)?  system_u:object_r:ssh_home_t:s0
/var/lib/nocpulse/\.ssh(/.*)?   system_u:object_r:ssh_home_t:s0
/var/lib/one/\.ssh(/.*)?                system_u:object_r:ssh_home_t:s0

ssh.mod enthält alle allow-Regeln, Booleans, Rollen, Typen, etc. in binärer Form

  • sedismod ssh.mod
Reading policy...
libsepol.policydb_index_others: security:  0 users, 2 roles, 313 types, 13 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  112 classes, 0 rules, 0 cond rules
libsepol.policydb_index_others: security:  0 users, 2 roles, 313 types, 13 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  112 classes, 0 rules, 0 cond rules
Binary policy module file loaded.
Module name: ssh
Module version: 2.4.2
Policy version: 21


Select a command:
1)  display unconditional AVTAB
2)  display conditional AVTAB
3)  display users
4)  display bools
5)  display roles
6)  display types, attributes, and aliases
7)  display role transitions
8)  display role allows
9)  Display policycon
0)  Display initial SIDs

a)  Display avrule requirements
b)  Display avrule declarations
c)  Display policy capabilities
l)  Link in a module
u)  Display the unknown handling setting
F)  Display filename_trans rules

f)  set output file
m)  display menu
q)  quit

Command ('m' for menu):
  • Die Regeln kann man mit 1 oder 2 anschauen
  • bedingungslose Regeln
unconditional avtab:
--- begin avrule block ---
decl 1:
  allow ssh_keygen_t ssh_keygen_exec_t : [file] { entrypoint };
  allow ssh_keygen_t ssh_keygen_exec_t : [file] { ioctl read getattr lock map execute open };
  type_transition [initrc_domain] ssh_keygen_exec_t : [process]  ssh_keygen_t;
  allow sshd_keygen_t sshd_keygen_exec_t : [file] { entrypoint };
  allow sshd_keygen_t sshd_keygen_exec_t : [file] { ioctl read getattr lock map execute open };
  type_transition [initrc_domain] sshd_keygen_exec_t : [process]  sshd_keygen_t;
  allow sshd_t [security_t] : [lnk_file] { read getattr };
...
  • bedingte Regeln
conditional avtab:
--- begin avrule block ---
decl 1:
expression: use_samba_home_dirs current state: 0
True list:
  allow chroot_user_t [cifs_t] : [lnk_file] { read getattr };
  allow chroot_user_t [cifs_t] : [dir] { getattr open search };
  allow chroot_user_t [cifs_t] : [dir] { ioctl read getattr lock open search };
  allow chroot_user_t [cifs_t] : [file] { ioctl read getattr lock open };
  allow chroot_user_t [cifs_t] : [dir] { getattr open search };
  allow chroot_user_t [cifs_t] : [dir] { ioctl read getattr lock open search };
...
Abgerufen von „http://wiki.ixheim.de/index.php?title=SELinux_Policy&oldid=40030