I need to know everything in the running system's current policy that relates to an SELinux type:
> allow, auditallow, dontaudit rules.
> Files whose context is labelled with the type.
> Transitions.
... and any other information.
Is there any command that can query this information, or should I download all the SELinux-related "src" packages, filter out the unused modules and grep every file for it? There must be an easier way to do this.
Solution
Some commands that get this information are (the examples use httpd_log_t):
> seinfo
```
# seinfo -x --type=httpd_log_t /etc/selinux/default/policy/policy.26
   httpd_log_t
      file_type
      non_security_file_type
      logfile
```
> sesearch
```
# sesearch --dontaudit -t httpd_log_t /etc/selinux/default/policy/policy.26 | head
Found 35 semantic av rules:
   dontaudit run_init_t file_type : dir { getattr search open } ;
   dontaudit staff_t non_security_file_type : file getattr ;
   dontaudit staff_t non_security_file_type : dir { ioctl read getattr lock search open } ;
   dontaudit staff_t non_security_file_type : lnk_file getattr ;
   dontaudit staff_t non_security_file_type : sock_file getattr ;
   dontaudit staff_t non_security_file_type : fifo_file getattr ;
   dontaudit unconfined_t non_security_file_type : file getattr ;
   dontaudit unconfined_t non_security_file_type : dir { ioctl read getattr lock search open } ;
   dontaudit unconfined_t non_security_file_type : lnk_file getattr ;
```
> semanage
```
# semanage fcontext -l | grep httpd_log_t
/etc/httpd/logs                                    all files          system_u:object_r:httpd_log_t:s0
/var/log/apache(2)?(/.*)?                          all files          system_u:object_r:httpd_log_t:s0
/var/log/apache-ssl(2)?(/.*)?                      all files          system_u:object_r:httpd_log_t:s0
/var/log/cacti(/.*)?                               all files          system_u:object_r:httpd_log_t:s0
/var/log/cgiwrap\.log.*                            regular file       system_u:object_r:httpd_log_t:s0
/var/log/horde2(/.*)?                              all files          system_u:object_r:httpd_log_t:s0
/var/log/httpd(/.*)?                               all files          system_u:object_r:httpd_log_t:s0
/var/log/lighttpd(/.*)?                            all files          system_u:object_r:httpd_log_t:s0
/var/log/piranha(/.*)?                             all files          system_u:object_r:httpd_log_t:s0
/var/www(/.*)?/logs(/.*)?                          all files          system_u:object_r:httpd_log_t:s0
```
References: RHEL6 SELinux manual
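As an added example that is not part of the original answer, the following POSIX shell script chains the three tools above into one report for a type: its attributes (which is why sesearch shows rules written against file_type rather than httpd_log_t), the allow/auditallow/dontaudit rules with the type as source and as target, the type_transition rules the question asked about (sesearch -T), and the file-context entries; it also includes a helper that flattens sesearch output to one permission per line so two reports can be diffed. It assumes setools (seinfo, sesearch) and policycoreutils (semanage) are installed; the conditional-rule suffix in the comment is a constructed sample of setools 4 output.

```sh
#!/bin/sh
# Report everything the loaded policy says about one SELinux type.
# Assumes setools (seinfo, sesearch) and policycoreutils (semanage);
# semanage needs root. Usage: sh type_report.sh httpd_log_t
set -e

selinux_type_report() {
    t=$1
    echo "== attributes of $t (most rules are written against these)"
    seinfo -x --type="$t"
    for kind in allow auditallow dontaudit; do
        echo "== $kind rules with $t as source"
        sesearch --$kind -s "$t"
        echo "== $kind rules with $t as target"
        sesearch --$kind -t "$t"
    done
    echo "== type_transition rules involving $t"
    sesearch -T -s "$t"
    sesearch -T -t "$t"
    echo "== file-context entries labelled $t"
    semanage fcontext -l | grep -w "$t" || echo "(none)"
}

# Flatten sesearch AV-rule output into one "kind source target class perm"
# line per permission so it can be sorted, diffed or grepped.
# Handles both output styles (setools 3 as on this page, and setools 4,
# whose conditional suffix "[ bool ]:True" is a constructed sample here):
#   dontaudit staff_t non_security_file_type : dir { getattr search } ;
#   allow httpd_t httpd_log_t:file { append create }; [ some_bool ]:True
flatten_av_rules() {
    sed 's/[:{};]/ & /g' | awk '
    $1 ~ /^(allow|auditallow|dontaudit|neverallow)$/ && $4 == ":" {
        for (i = 6; i <= NF && $i != ";" && $i != "["; i++)
            if ($i != "{" && $i != "}")
                print $1, $2, $3, $5, $i
    }'
}

if [ $# -gt 0 ]; then
    selinux_type_report "$1"
fi
```

Run the report for a type before and after a policy change, pipe each through flatten_av_rules and diff the results to see exactly which permissions moved.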