{"id":425,"date":"2013-12-30T06:27:11","date_gmt":"2013-12-30T06:27:11","guid":{"rendered":"http:\/\/www.selinuxplus.com\/?p=425"},"modified":"2013-12-30T06:27:11","modified_gmt":"2013-12-30T06:27:11","slug":"fedroa-20-%e4%ba%86%e8%a7%a3selinux%e7%9a%84%e6%9c%80%e6%96%b0%e5%8f%98%e5%8c%96","status":"publish","type":"post","link":"http:\/\/www.selinuxplus.com\/?p=425","title":{"rendered":"fedora 20 \u4e86\u89e3selinux\u7684\u6700\u65b0\u53d8\u5316"},"content":{"rendered":"\n<pre class=\"lang:default decode:true \" >\r\n[root@localhost ~]# uname -a\r\nLinux localhost.localdomain 3.11.10-301.fc20.x86_64 #1 SMP Thu Dec 5 14:01:17 UTC 2013 x86_64 x86_64 x86_64 GNU\/Linux\r\n<\/pre>\n<pre class=\"lang:default decode:true \" >[root@localhost ~]# id -Z\r\nunconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<\/pre>\n<p>\u67e5\u770b\u5f53\u524d\u89c4\u5219\u5e93\u7684\u4e3b\u8981\u4fe1\u606f\uff1a<\/p>\n<pre class=\"lang:default decode:true \" >[root@localhost ~]# seinfo\r\n\r\nStatistics for policy file: \/sys\/fs\/selinux\/policy\r\nPolicy Version &amp; Type: v.28 (binary, mls)\r\n\r\n   Classes:            83    Permissions:       255\r\n   Sensitivities:       1    Categories:       1024\r\n   Types:            4285    Attributes:        349\r\n   Users:               8    Roles:              14\r\n   Booleans:          265    Cond. 
Expr.:       318\r\n   Allow:           93097    Neverallow:          0\r\n   Auditallow:        120    Dontaudit:        7685\r\n   Type_trans:      14773    Type_change:        74\r\n   Type_member:        27    Role allow:         29\r\n   Role_trans:        738    Range_trans:      5006\r\n   Constraints:        98    Validatetrans:       0\r\n   Initial SIDs:       27    Fs_use:             26\r\n   Genfscon:           91    Portcon:           528\r\n   Netifcon:            0    Nodecon:             0\r\n   Permissives:         7    Polcap:              2<\/pre>\n<p>\u67e5\u770bpolicy\u5b9a\u4e49\u7684\u6240\u6709selinux\u7528\u6237<\/p>\n<pre class=\"lang:default decode:true \" >[root@localhost ~]# seinfo --user\r\n\r\nUsers: 8\r\n   sysadm_u\r\n   system_u\r\n   xguest_u\r\n   root\r\n   guest_u\r\n   staff_u\r\n   user_u\r\n   unconfined_u<\/pre>\n<p>\u67e5\u770bsystem_u \u7528\u6237\u7684\u89d2\u8272\u53camls range<\/p>\n<pre class=\"lang:default decode:true \" >[root@localhost ~]# seinfo --user=system_u -x\r\n   system_u\r\n      default level: s0\r\n      range: s0 - s0:c0.c1023\r\n      roles:\r\n         object_r\r\n         system_r\r\n         unconfined_r<\/pre>\n<p>\u67e5\u770bselinux\u7684manager<\/p>\n<pre class=\"lang:default decode:true \" >[root@localhost ~]# semanage user -l\r\n\r\n                \u6807\u8bb0\u4e2d        MLS\/       MLS\/                          \r\nSELinux \u7528\u6237      \u524d\u7f00         MCS \u7ea7\u522b     MCS \u8303\u56f4                         SELinux \u89d2\u8272\r\n\r\nguest_u         user       s0         s0                             guest_r\r\nroot            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r\r\nstaff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r\r\nsysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r\r\nsystem_u        user       s0         s0-s0:c0.c1023             
    system_r unconfined_r\r\nunconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r\r\nuser_u          user       s0         s0                             user_r\r\nxguest_u        user       s0         s0                             xguest_r\r\n<\/pre>\n<p>\u67e5\u770b\u6309\u7167pp\u7684\u6761\u76ee<\/p>\n<pre class=\"lang:default decode:true \" >[root@localhost ~]# semodule -l |wc -l\r\n363\r\n<\/pre>\n<p>\u67e5\u770bselinuxfs\u4f2a\u6587\u4ef6\u7cfb\u7edf\u6807\u7b7e\u3002<\/p>\n<pre class=\"lang:default decode:true \" >[root@localhost fs]# seinfo --genfscon=selinuxfs\r\n   genfscon selinuxfs \/      system_u:object_r:security_t:s0 \r\n[root@localhost fs]# ll -Z selinux\/\r\n-rw-rw-rw-. root root system_u:object_r:security_t:s0  access\r\ndr-xr-xr-x. root root system_u:object_r:security_t:s0  avc\r\ndr-xr-xr-x. root root system_u:object_r:security_t:s0  booleans\r\n-rw-r--r--. root root system_u:object_r:security_t:s0  checkreqprot\r\ndr-xr-xr-x. root root system_u:object_r:security_t:s0  class\r\n--w-------. root root system_u:object_r:security_t:s0  commit_pending_bools\r\n-rw-rw-rw-. root root system_u:object_r:security_t:s0  context\r\n-rw-rw-rw-. root root system_u:object_r:security_t:s0  create\r\n-r--r--r--. root root system_u:object_r:security_t:s0  deny_unknown\r\n--w-------. root root system_u:object_r:security_t:s0  disable\r\n-rw-r--r--. root root system_u:object_r:security_t:s0  enforce\r\ndr-xr-xr-x. root root system_u:object_r:security_t:s0  initial_contexts\r\n-rw-------. root root system_u:object_r:security_t:s0  load\r\n-rw-rw-rw-. root root system_u:object_r:security_t:s0  member\r\n-r--r--r--. root root system_u:object_r:security_t:s0  mls\r\ncrw-rw-rw-. root root system_u:object_r:null_device_t:s0 null\r\n-r--r--r--. root root system_u:object_r:security_t:s0  policy\r\ndr-xr-xr-x. root root system_u:object_r:security_t:s0  policy_capabilities\r\n-r--r--r--. 
root root system_u:object_r:security_t:s0  policyvers\r\n-r--r--r--. root root system_u:object_r:security_t:s0  reject_unknown\r\n-rw-rw-rw-. root root system_u:object_r:security_t:s0  relabel\r\n-r--r--r--. root root system_u:object_r:security_t:s0  status\r\n-rw-rw-rw-. root root system_u:object_r:security_t:s0  user<\/pre>\n<p>\u67e5\u770bselinux\u5b89\u5168\u4e0a\u4e0b\u6587\u5bf9\u5e94\u7684sid<\/p>\n<pre class=\"lang:default decode:true \" >[root@localhost fs]# seinfo --initialsid -x\r\n\r\nInitial SID: 27\r\n             devnull:  system_u:object_r:null_device_t:s0\r\n         scmp_packet:  system_u:object_r:unlabeled_t:s0\r\n              policy:  system_u:object_r:unlabeled_t:s0\r\n                kmod:  system_u:object_r:unlabeled_t:s0\r\n          sysctl_dev:  system_u:object_r:unlabeled_t:s0\r\n           sysctl_vm:  system_u:object_r:unlabeled_t:s0\r\n     sysctl_net_unix:  system_u:object_r:unlabeled_t:s0\r\n          sysctl_net:  system_u:object_r:unlabeled_t:s0\r\n       sysctl_kernel:  system_u:object_r:unlabeled_t:s0\r\n           sysctl_fs:  system_u:object_r:unlabeled_t:s0\r\n              sysctl:  system_u:object_r:sysctl_t:s0\r\n     sysctl_modprobe:  system_u:object_r:unlabeled_t:s0\r\n          tcp_socket:  system_u:object_r:unlabeled_t:s0\r\n         icmp_socket:  system_u:object_r:unlabeled_t:s0\r\n         igmp_packet:  system_u:object_r:unlabeled_t:s0\r\n                node:  system_u:object_r:node_t:s0\r\n              netmsg:  system_u:object_r:netlabel_peer_t:s0\r\n               netif:  system_u:object_r:netif_t:s0\r\n                port:  system_u:object_r:port_t:s0\r\n          any_socket:  system_u:object_r:unlabeled_t:s0\r\n                init:  system_u:object_r:unlabeled_t:s0\r\n         file_labels:  system_u:object_r:unlabeled_t:s0\r\n                file:  system_u:object_r:file_t:s0\r\n                  fs:  system_u:object_r:fs_t:s0\r\n           unlabeled:  system_u:object_r:unlabeled_t:s0\r\n            security:  
system_u:object_r:security_t:s0\r\n              kernel:  system_u:system_r:kernel_t:s0<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>[root@localhost ~]# uname&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[9],"tags":[179],"_links":{"self":[{"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/posts\/425"}],"collection":[{"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=425"}],"version-history":[{"count":1,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/posts\/425\/revisions"}],"predecessor-version":[{"id":426,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/posts\/425\/revisions\/426"}],"wp:attachment":[{"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=425"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=425"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=425"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}