newrole -r role_r -t domain_t
(there is usually only a single domain allowed for a given role, the -t
parameter can thus often be left out). This command authenticates you by asking you to type your password. This feature forbids programs to automatically switch roles. Such changes can only happen if they are explicitly allowed in the SELinux policy.
ssh
is labeled with ssh_exec_t
, and when the program starts, it automatically switches to the ssh_t
domain). This automatic domain transition mechanism makes it possible to grant only the rights required by each program. It is a fundamental principle of SELinux.
apt install selinux-basics selinux-policy-default auditd
command will automatically install the packages required to configure an SELinux system.
unconfined
module (modules management is detailed further in this section).
fixfiles relabel
命令手工启动。
selinux=1 security=selinux
parameter to the Linux kernel. The audit=1
parameter enables SELinux logging which records all the denied operations. Finally, the enforcing=1
parameter brings the rules into application: without it SELinux works in its default permissive mode where denied actions are logged but still executed. You should thus modify the GRUB bootloader configuration file to append the desired parameters. One easy way to do this is to modify the GRUB_CMDLINE_LINUX
variable in /etc/default/grub
and to run update-grub
. SELinux will be active after a reboot.
selinux-activate
脚本自动化这些操作并强制标识(避免无标识的文件在 SELinux 未生效或正在标识的时候被创建)。
semodule
命令可以实现该目的。还必须用 semanage
命令,定义每个用户可用的角色。
/etc/selinux/default/
的配置。不像其他配置文件,可以在 /etc/
中的其他配置文件,这些文件不能手工修改。应当使用相应的程序来修改。
/usr/share/selinux/default/
directory. To enable one of these modules in the current configuration, you should use semodule -i module.pp.bz2
. The pp.bz2 extension stands for policy package (compressed with bzip2).
semodule -r module
. Finally, the semodule -l
command lists the modules which are currently installed. It also outputs their version numbers. Modules can be selectively enabled with semodule -e
and disabled with semodule -d
.
#
semodule -i /usr/share/selinux/default/abrt.pp.bz2
libsemanage.semanage_direct_install_info: abrt module will be disabled after install as there is a disabled instance of this module present in the system. #
semodule -l
accountsd acct [...]
#
semodule -e abrt
#
semodule -d accountsd
#
semodule -l
abrt acct [...]
#
semodule -r abrt
libsemanage.semanage_direct_remove_key: abrt module at priority 100 is now active.
semodule
立即加载新配置,除非使用了 -n
选项。需要注意的是在当前配置默认启用的程序(由在 /etc/selinux/config
文件中的 SELINUXTYPE
变量指明),可以使用 -s
选项来修改和储存其他的。注意不同版本支持的选项可能不同。
semanage
命令配置。
-a
to add, -d
to delete, -m
to modify, -l
to list, and -t
to indicate a type (or domain).
semanage login -l
列出当用户身份和 SELinux 身份之间的映射。没有指明登记项的用户会使用 __default__
登记项。 semanage login -a -s user_u user
命令会关联 user_u 身份到指定用户。semanage login -d user
会移除赋予用户的映射登记项。
#
semanage login -a -s user_u rhertzog
#
semanage login -l
Login Name SELinux User MLS/MCS Range Service __default__ unconfined_u s0-s0:c0.c1023 * rhertzog user_u s0 * root unconfined_u s0-s0:c0.c1023 * #
semanage login -d rhertzog
semanage user -l
列出 SELinux 用户身份和允许的角色之间的映射。添加一个新的身份需要定义相应的角色和用于给个人文件赋予类型的标识前缀(/home/user/*
)。前缀必须从 user
,staff
,和 sysadm
之间挑选。staff
前缀生成 staff_home_dir_t
类型文件。创建新的用户身份使用 semanage user -a -R roles -P prefix identity
。使用 semanage user -d identity
移除用户身份。
#
semanage user -a -R 'staff_r user_r' -P staff test_u
#
semanage user -l
Labeling MLS/ MLS/ SELinux User Prefix MCS Level MCS Range SELinux Roles root sysadm s0 s0-s0:c0.c1023 staff_r sysadm_r system_r staff_u staff s0 s0-s0:c0.c1023 staff_r sysadm_r sysadm_u sysadm s0 s0-s0:c0.c1023 sysadm_r system_u user s0 s0-s0:c0.c1023 system_r test_u staff s0 s0 staff_r user_r unconfined_u unconfined s0 s0-s0:c0.c1023 system_r unconfined_r user_u user s0 s0 user_r #
semanage user -d test_u
/srv/www/
里面的文件,就要执行 semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"
和 restorecon -R /srv/www/
。前者注册新的标识规则,后者根据当前标识规则重置文件类型。
semanage port -m -t http_port_t -p tcp 8080
.
getsebool
utility can be used to inspect those options (getsebool boolean
displays one option, and getsebool -a
them all). The setsebool boolean value
command changes the current value of a Boolean option. The -P
option makes the change permanent, it means that the new value becomes the default and will be kept across reboots. The example below grants web servers an access to home directories (this is useful when users have personal websites in ~/public_html/
).
#
getsebool httpd_enable_homedirs
httpd_enable_homedirs --> off #
setsebool -P httpd_enable_homedirs on
#
getsebool httpd_enable_homedirs
httpd_enable_homedirs --> on
/usr/share/doc/selinux-policy-doc/html/
)和可用于创建新规则的模板示例文件。安装这些文件并更深入的研究:
$
cp /usr/share/doc/selinux-policy-doc/Makefile.example Makefile
$
cp /usr/share/doc/selinux-policy-doc/example.fc ./
$
cp /usr/share/doc/selinux-policy-doc/example.if ./
$
cp /usr/share/doc/selinux-policy-doc/example.te ./
.te
file is the most important one. It defines the rules. The .fc
file defines the “file contexts”, that is the types assigned to files related to this module. The data within the .fc
file are used during the file labeling step. Finally, the .if
file defines the interface of the module: it is a set of “public functions” that other modules can use to properly interact with the module that you're creating.
myapp_domtrans
)控制谁可以执行程序。第二个(myapp_read_log
)授予程序日志文件的读权限。
.te
文件。因此必须声明所有使用的类型(使用 gen_require
宏),并使用标准指令授予权限。也可以使用其他模块提供的接口。如何表示这些权限将在下节给出更详细的解释。
例 14.3. example.if
文件
## <summary>Myapp example policy</summary> ## <desc> ## <p> ## More descriptive text about myapp. The desc ## tag can also use p, ul, and ol ## html tags for formatting. ## </p> ## <p> ## This policy supports the following myapp features: ## <ul> ## <li>Feature A</li> ## <li>Feature B</li> ## <li>Feature C</li> ## </ul> ## </p> ## </desc> # ######################################## ## <summary> ## Execute a domain transition to run myapp. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed to transition. ## </summary> ## </param> # interface(`myapp_domtrans',` gen_require(` type myapp_t, myapp_exec_t; ') domtrans_pattern($1,myapp_exec_t,myapp_t) ') ######################################## ## <summary> ## Read myapp log files. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed to read the log files. ## </summary> ## </param> # interface(`myapp_read_log',` gen_require(` type myapp_log_t; ') logging_search_logs($1) allow $1 myapp_log_t:file read_file_perms; ')
example.te
文件:
policy_module(example,1.0.0) # a non-base module name must match the file name ######################################## # # Declarations # type myapp_t; type myapp_exec_t; domain_type(myapp_t) domain_entry_file(myapp_t, myapp_exec_t) type myapp_log_t; logging_log_file(myapp_log_t) type myapp_tmp_t; files_tmp_file(myapp_tmp_t) ######################################## # # Myapp local policy # allow myapp_t myapp_log_t:file { read_file_perms append_file_perms }; allow myapp_t myapp_tmp_t:file manage_file_perms; files_tmp_filetrans(myapp_t,myapp_tmp_t,file)
模块必须通过名字和版本号标识。此指令是必须的。
| |
如果模块引入了新类型,它们必须使用类似的指令声明。不要害怕需要创建的类型过多,这总胜过赋予过多无用权限。
| |
这些接口定义 myapp_t 类型为进程域,它可以被标识为 myapp_exec_t 的可执行程序使用。这隐式地给这些对象添加 exec_type 属性,反过来允许其他模块授予权限执行这些程序:例如,userdomain 模块允许具有 user_t ,staff_t ,和 sysadm_t 域的进程执行。其他受限域将无权运行,除非规则赋予它们类似的权限(在此例中,dpkg 和域 dpkg_t )。
| |
logging_log_file is an interface provided by the reference policy. It indicates that files labeled with the given type are log files which ought to benefit from the associated rules (for example, granting rights to logrotate so that it can manipulate them).
| |
allow 指令是授予操作权限的基本指令。第一个参数是允许执行操作的进程域。第二个定义前面的域进程可以操作的对象。参数的形式是:“type:class”此处 type 是 SELinux 类型,class 描述对象(文件,目录,套接字,fifo,等等)属性。最后的参数描述许可权限(即允许的操作)。
Permissions are defined as the set of allowed operations and follow this template: { operation1 operation2 } . However, you can also use macros representing the most useful permissions. The /usr/share/selinux/devel/include/support/obj_perm_sets.spt lists them.
The following web page provides a relatively exhaustive list of object classes, and permissions that can be granted.
|
avc: denied { read write } for pid=1876 comm="syslogd" name="xconsole" dev=tmpfs ino=5510 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=fifo_file permissive=1
表 14.1. SELinux 追踪记录分析
消息 | 描述 |
---|---|
avc: denied | 一个操作被拒绝。 |
{ read write } | 该操作需要 读-read 和 写-write 许可。 |
pid=1876 | 进程号为1876的进程执行的操作(或者试图执行)。 |
comm="syslogd" | 该进程是 syslogd 程序的一个实例。 |
name="xconsole" | The target object was named xconsole . Sometimes you can also have a “path” variable — with the full path — instead. |
dev=tmpfs | The device hosting the target object is a tmpfs (an in-memory filesystem). For a real disk, you could see the partition hosting the object (for example, “sda3”). |
ino=5510 | 对象的节点(inode)号码是5510。 |
scontext=system_u:system_r:syslogd_t:s0 | 这是执行操作进程的安全上下文。 |
tcontext=system_u:object_r:device_t:s0 | 这是执行操作对象的安全上下文。 |
tclass=fifo_file | 目标对象是一个 FIFO 文件。 |
allow syslogd_t device_t:fifo_file { read write }
. This process can be automated, and it is exactly what the audit2allow
command (of the policycoreutils package) offers. This approach is only useful if the various objects are already correctly labeled according to what must be confined. In any case, you will have to carefully review the generated rules and validate them according to your knowledge of the application. Effectively, this approach tends to grant more rights than are really required. The proper solution is often to create new types and to grant rights on those types only. It also happens that a denied operation isn't fatal to the application, in which case it might be better to just add a “dontaudit
” rule to avoid the log entry despite the effective denial.
example.if
, example.fc
, and example.te
) match your expectations for the new rules, rename them to myapp.extension
and run make NAME=devel
to generate a module in the myapp.pp
file (you can immediately load it with semodule -i myapp.pp
). If several modules are defined, make
will create all the corresponding .pp
files.