Différences

Ci-dessous, les différences entre deux révisions de la page.

--- systeme:selinux [2020/01/19 21:53] – [runcon] root
+++ systeme:selinux [2020/02/21 18:36] (Version actuelle) – [sepolicy network] root
@@ Ligne 613: / Ligne 613: @@
 $ semanage fcontext -l
 </xtermrtf>
+  * Pour vérifier le contexte:
+<xtermrtf>
+$ matchpathcon -V /var/www/html/*
+/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
+/var/www/html/file2 verified.
+/var/www/html/file3 verified.
+</xtermrtf>
 ==== Booléen ====
 Les booléens permettent de modifier une politique SELinux, sans avoir la moindre connaissance ou compétence sur le sujet de la rédaction de politiques. L'activation ou la désactivation d'un booléen ne requiert pas la compilation ou le rechargement d'un module.
@@ Ligne 792: / Ligne 801: @@
 Voir https://www.youtube.com/watch?v=2i1jFRHE7Wg&t=5660
+==== sepolicy transition ====
+Interroger la stratégie SELinux pour voir si un domaine de traitement source peut transitionner vers un domaine de traitement cible:
+<xtermrtf>
+$ sepolicy transition -s httpd_t
+</xtermrtf>
+==== sepolicy network ====
+Interroger les stratégies SELinux relatives aux information réseau:
+<xtermrtf>
+$ sepolicy network -p 22
+: tcp ssh_port_t 22
+: udp reserved_port_t 1-511
+: tcp reserved_port_t 1-511
+: sctp reserved_port_t 1-511
+</xtermrtf>
+==== sepolicy booleans ====
+Interroger la stratégie SELinux pour voir les descriptions des booléens:
+<xtermrtf>
+$ sepolicy booleans -a
+$ sepolicy booleans -b user_ping
+</xtermrtf>
+==== sepolicy communicate ====
+Interroger la stratégie SELinux pour voir si les domaines peuvent communiquer ensemble:
+<xtermrtf>
+$ sepolicy communicate -s syslogd_t -t httpd_t -c file
+</xtermrtf>
 ====== auditd ======
@@ Ligne 804: / Ligne 842: @@
 $ auditctl -l
 </xtermrtf>
+====== Scripts ======
+Download and extract and set the variable **POLICY_LOCATION**.
+Add to your ''~/.bashrc'':
+<code bash>
+POLICY_LOCATION="~/refpolicy/";
+# sefindif - Find interface definitions that have a string that matches the
+# given regular expression
+sefindif() {
+  REGEXP="$1";
+  pushd ${POLICY_LOCATION}/policy/modules > /dev/null 2>&1;
+  for FILE in */*.if;
+  do
+    awk "/(interface\(|template\()/ { NAME=\$NF; P=0 }; /${REGEXP}/ { if (P==0) {P=1; print NAME}; print };" ${FILE} | sed -e "s:^:${FILE}\: :g";
+  done
+  popd > /dev/null 2>&1;
+}
+# seshowif - Show the interface definition
+seshowif() {
+  INTERFACE="$1";
+  pushd ${POLICY_LOCATION}/policy/modules > /dev/null 2>&1;
+  for FILE in */*.if;
+  do
+    grep -A 9999 "\(interface(\`${INTERFACE}'\|template(\`${INTERFACE}'\)" ${FILE} | grep -B 9999 -m 1 "^')";
+  done
+  popd > /dev/null 2>&1;
+}
+# sefinddef - Find macro definitions that have a string that matches the given
+# regular expression
+sefinddef() {
+  REGEXP="$1";
+  grep -H "define(\`.*${REGEXP}.*" ${POLICY_LOCATION}/policy/support/* | sed -e 's:.*\/\([^(]*\):\1:g'
+}
+# seshowdef - Show the macro definition
+seshowdef() {
+  MACRONAME="$1";
+  pushd ${POLICY_LOCATION}/policy/support > /dev/null 2>&1;
+  for FILE in *.spt;
+  do
+    grep -A 9999 "define(\`${MACRONAME}'" ${FILE} | grep -B 999 -m 1 "')";
+  done
+  popd > /dev/null 2>&1;
+}
+# sefindcon - Find macro definitions for constrains
+sefindcon() {
+  awk "/(interface\(|template\()/ { NAME=\$NF; P=0 }; /${REGEXP}/ { if (P==0) {P=1; print NAME}; print };" ${POLICY_LOCATION}/policy/constraints | sed -e "s:^:${FILE}\: :g";
+}
+# selist - List all templates/interfaces in the order allowed by refpolicy
+selist() {
+  pushd ${POLICY_LOCATION}/policy/modules > /dev/null 2>&1;
+  (
+  egrep '^(interface|template)' kernel/kernel.if | awk -F'`' '{print $2}' | sed -e "s:',::g" | sed -e "s:$: (kernel, kernel):g" | sort;
+  egrep '^(interface|template)' kernel/*.if | grep -v 'kernel/kernel.if' | awk -F'`' '{print $2}' | sed -e "s:',::g" | sed -e "s:$: (kernel, other):g" | sort;
+  egrep '^(interface|template)' system/*.if | awk -F'`' '{print $2}' | sed -e "s:',::g" | sed -e "s:$: (system):g" | sort;
+  egrep '^(interface|template)' admin/*.if apps/*.if roles/*.if services/*.if contrib/*.if | awk -F'`' '{print $2}' | sed -e "s:',::g" | sort;
+  ) | nl | sed -e "s:$: :g";
+  popd > /dev/null 2>&1;
+}
+</code>
+<xtermrtf>
+$ sefindif 'filetrans.*postfix_etc'
+services/postfix.if: interface(`postfix_config_filetrans',`
+services/postfix.if: 	filetrans_pattern($1, postfix_etc_t, $2, $3, $4)
+</xtermrtf>
+<xtermrtf>
+$ seshowif systemd_tmpfilesd_managed
+interface(`systemd_tmpfilesd_managed',`
+	gen_require(`
+		type systemd_tmpfiles_t;
+	')
+	allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
+')
+</xtermrtf>
+<xtermrtf>
+$ sefinddef 'socket.*create'
+obj_perm_sets.spt:define(`create_socket_perms', `{ create rw_socket_perms }')
+obj_perm_sets.spt:define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
+obj_perm_sets.spt:define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
+obj_perm_sets.spt:define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
+obj_perm_sets.spt:define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
+obj_perm_sets.spt:define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
+obj_perm_sets.spt:define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
+</xtermrtf>
+<xtermrtf>
+$ seshowdef manage_files_pattern
+define(`manage_files_pattern',`
+        allow $1 $2:dir rw_dir_perms;
+        allow $1 $3:file manage_file_perms;
+')
+</xtermrtf>