systeme:selinux

Différences

Ci-dessous, les différences entre deux révisions de la page.

systeme:selinux [2020/01/21 22:44] – [Context] rootsysteme:selinux [2020/02/21 18:36] (Version actuelle) – [sepolicy network] root
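--- a/systeme/selinux.txt
+++ b/systeme/selinux.txt
@@ -810,5 +810,5 @@
 ==== sepolicy network ====
 Interroger les stratégies SELinux relatives aux information réseau:
-</xtermrtf>
+<xtermrtf>
 $ sepolicy network -p 22
 22: tcp ssh_port_t 22
@@ -842,2 +842,106 @@
 $ auditctl -l
 </xtermrtf>
+
+
+====== Scripts ======
+Download and extract and set the variable **POLICY_LOCATION**.
+
+Add to your ''~/.bashrc'':
+<code bash>
+POLICY_LOCATION="~/refpolicy/";
+
+# sefindif - Find interface definitions that have a string that matches the
+# given regular expression
+sefindif() {
+  REGEXP="$1";
+  pushd ${POLICY_LOCATION}/policy/modules > /dev/null 2>&1;
+  for FILE in */*.if;
+  do
+    awk "/(interface\(|template\()/ { NAME=\$NF; P=0 }; /${REGEXP}/ { if (P==0) {P=1; print NAME}; print };" ${FILE} | sed -e "s:^:${FILE}\: :g";
+  done
+  popd > /dev/null 2>&1;
+}
+
+# seshowif - Show the interface definition
+seshowif() {
+  INTERFACE="$1";
+  pushd ${POLICY_LOCATION}/policy/modules > /dev/null 2>&1;
+  for FILE in */*.if;
+  do
+    grep -A 9999 "\(interface(\`${INTERFACE}'\|template(\`${INTERFACE}'\)" ${FILE} | grep -B 9999 -m 1 "^')";
+  done
+  popd > /dev/null 2>&1;
+}
+
+# sefinddef - Find macro definitions that have a string that matches the given
+# regular expression
+sefinddef() {
+  REGEXP="$1";
+  grep -H "define(\`.*${REGEXP}.*" ${POLICY_LOCATION}/policy/support/* | sed -e 's:.*\/\([^(]*\):\1:g'
+}
+
+# seshowdef - Show the macro definition
+seshowdef() {
+  MACRONAME="$1";
+  pushd ${POLICY_LOCATION}/policy/support > /dev/null 2>&1;
+  for FILE in *.spt;
+  do
+    grep -A 9999 "define(\`${MACRONAME}'" ${FILE} | grep -B 999 -m 1 "')";
+  done
+  popd > /dev/null 2>&1;
+}
+
+# sefindcon - Find macro definitions for constrains
+sefindcon() {
+  awk "/(interface\(|template\()/ { NAME=\$NF; P=0 }; /${REGEXP}/ { if (P==0) {P=1; print NAME}; print };" ${POLICY_LOCATION}/policy/constraints | sed -e "s:^:${FILE}\: :g";
+}
+
+# selist - List all templates/interfaces in the order allowed by refpolicy
+selist() {
+  pushd ${POLICY_LOCATION}/policy/modules > /dev/null 2>&1;
+  (
+  egrep '^(interface|template)' kernel/kernel.if | awk -F'`' '{print $2}' | sed -e "s:',::g" | sed -e "s:$: (kernel, kernel):g" | sort;
+  egrep '^(interface|template)' kernel/*.if | grep -v 'kernel/kernel.if' | awk -F'`' '{print $2}' | sed -e "s:',::g" | sed -e "s:$: (kernel, other):g" | sort;
+  egrep '^(interface|template)' system/*.if | awk -F'`' '{print $2}' | sed -e "s:',::g" | sed -e "s:$: (system):g" | sort;
+  egrep '^(interface|template)' admin/*.if apps/*.if roles/*.if services/*.if contrib/*.if | awk -F'`' '{print $2}' | sed -e "s:',::g" | sort;
+  ) | nl | sed -e "s:$: :g";
+  popd > /dev/null 2>&1;
+}
+</code>
+
+<xtermrtf>
+$ sefindif 'filetrans.*postfix_etc'
+services/postfix.if: interface(`postfix_config_filetrans',`
+services/postfix.if: filetrans_pattern($1, postfix_etc_t, $2, $3, $4)
+</xtermrtf>
+
+<xtermrtf>
+$ seshowif systemd_tmpfilesd_managed   
+interface(`systemd_tmpfilesd_managed',`
+ gen_require(`
+ type systemd_tmpfiles_t;
+ ')
+
+ allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
+')
+</xtermrtf>
+
+<xtermrtf>
+$ sefinddef 'socket.*create'
+obj_perm_sets.spt:define(`create_socket_perms', `{ create rw_socket_perms }')
+obj_perm_sets.spt:define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
+obj_perm_sets.spt:define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
+obj_perm_sets.spt:define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
+obj_perm_sets.spt:define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
+obj_perm_sets.spt:define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
+obj_perm_sets.spt:define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
+</xtermrtf>
+
+<xtermrtf>
+$ seshowdef manage_files_pattern
+define(`manage_files_pattern',`
+        allow $1 $2:dir rw_dir_perms;
+        allow $1 $3:file manage_file_perms;
+')
+</xtermrtf>
+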
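Review bot: The awk calls in `sefindif` and `sefindcon` splice the caller's argument straight into the awk program text (`awk "/${REGEXP}/ …"`), so an argument containing `/`, `"` or awk syntax either breaks the program or is executed as awk code; pass the pattern as data with `-v re="$1"` and match it with `$0 ~ re`. `POLICY_LOCATION="~/refpolicy/"` keeps a literal tilde, because tilde expansion happens neither inside double quotes nor on the result of `${POLICY_LOCATION}`, so every `pushd` here fails, and since that failure is both silenced and unchecked the `for FILE in */*.if` loops then run against whatever the current directory is; use `POLICY_LOCATION="$HOME/refpolicy"` and `pushd "…" > /dev/null 2>&1 || return 1`. `sefindcon` also never assigns `REGEXP` from `$1` and references `${FILE}`, which is unset in that function, so it matches whatever `REGEXP` the shell last held and prefixes its output with an empty name. The rewritten pieces are below; `seshowif`, `sefinddef`, `seshowdef` and `selist` are unchanged apart from the same quoted `pushd … || return 1` guard.
```bash
POLICY_LOCATION="$HOME/refpolicy"   # "~" is not expanded inside double quotes

# sefindif - Find interface definitions that have a string that matches the
# given regular expression
sefindif() {
  local regexp="$1"
  pushd "${POLICY_LOCATION}/policy/modules" > /dev/null 2>&1 || return 1
  for FILE in */*.if;
  do
    # pattern is passed as data (-v), never as awk program source
    awk -v re="${regexp}" '/(interface\(|template\()/ { NAME=$NF; P=0 }; $0 ~ re { if (P==0) {P=1; print NAME}; print }' "${FILE}" | sed -e "s:^:${FILE}\: :g";
  done
  popd > /dev/null 2>&1;
}

# … unchanged: seshowif, sefinddef, seshowdef …

# sefindcon - Find macro definitions for constrains
sefindcon() {
  local regexp="$1"   # was never set from $1 in the original
  awk -v re="${regexp}" '/(interface\(|template\()/ { NAME=$NF; P=0 }; $0 ~ re { if (P==0) {P=1; print NAME}; print }' "${POLICY_LOCATION}/policy/constraints" | sed -e 's:^:constraints\: :g';
}

# … unchanged: selist …
```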
systeme/selinux.1579646642.txt.gz · Dernière modification : 2020/01/21 22:44 de root