Fedora 20 了解 SELinux 的最新变化

[root@localhost ~]# uname -a
Linux localhost.localdomain 3.11.10-301.fc20.x86_64 #1 SMP Thu Dec 5 14:01:17 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost ~]# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

查看当前已加载策略（/sys/fs/selinux/policy）的统计信息。注意下面的 Permissives: 7 表示有 7 个域处于 permissive 模式，这些域的违规只记录不拦截；Neverallow: 0 也不代表策略源中没有 neverallow 规则，它们在编译时检查，通常不会保留在内核加载的二进制策略里。

[root@localhost ~]# seinfo

Statistics for policy file: /sys/fs/selinux/policy
Policy Version & Type: v.28 (binary, mls)

   Classes:            83    Permissions:       255
   Sensitivities:       1    Categories:       1024
   Types:            4285    Attributes:        349
   Users:               8    Roles:              14
   Booleans:          265    Cond. Expr.:       318
   Allow:           93097    Neverallow:          0
   Auditallow:        120    Dontaudit:        7685
   Type_trans:      14773    Type_change:        74
   Type_member:        27    Role allow:         29
   Role_trans:        738    Range_trans:      5006
   Constraints:        98    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             26
   Genfscon:           91    Portcon:           528
   Netifcon:            0    Nodecon:             0
   Permissives:         7    Polcap:              2

查看策略中定义的所有 SELinux 用户（注意下面列出的 root 是 SELinux 用户，并不等同于 Linux 账户 root）

[root@localhost ~]# seinfo --user

Users: 8
   sysadm_u
   system_u
   xguest_u
   root
   guest_u
   staff_u
   user_u
   unconfined_u

查看 system_u 用户的角色及 MLS 范围

[root@localhost ~]# seinfo --user=system_u -x
   system_u
      default level: s0
      range: s0 - s0:c0.c1023
      roles:
         object_r
         system_r
         unconfined_r

用 semanage 查看 SELinux 用户到角色及 MLS/MCS 范围的映射

[root@localhost ~]# semanage user -l

                标记中        MLS/       MLS/                          
SELinux 用户      前缀         MCS 级别     MCS 范围                         SELinux 角色

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r

统计当前已加载的策略模块（.pp）数量

[root@localhost ~]# semodule -l |wc -l
363

查看 selinuxfs 伪文件系统的标签。注意其中 access、context、create 等接口文件的 DAC 权限虽然是 rw-rw-rw-，实际访问仍受 security_t 类型上的策略规则约束，不能只看 DAC 位来判断是否可写。

[root@localhost fs]# seinfo --genfscon=selinuxfs
   genfscon selinuxfs /      system_u:object_r:security_t:s0 
[root@localhost fs]# ll -Z selinux/
-rw-rw-rw-. root root system_u:object_r:security_t:s0  access
dr-xr-xr-x. root root system_u:object_r:security_t:s0  avc
dr-xr-xr-x. root root system_u:object_r:security_t:s0  booleans
-rw-r--r--. root root system_u:object_r:security_t:s0  checkreqprot
dr-xr-xr-x. root root system_u:object_r:security_t:s0  class
--w-------. root root system_u:object_r:security_t:s0  commit_pending_bools
-rw-rw-rw-. root root system_u:object_r:security_t:s0  context
-rw-rw-rw-. root root system_u:object_r:security_t:s0  create
-r--r--r--. root root system_u:object_r:security_t:s0  deny_unknown
--w-------. root root system_u:object_r:security_t:s0  disable
-rw-r--r--. root root system_u:object_r:security_t:s0  enforce
dr-xr-xr-x. root root system_u:object_r:security_t:s0  initial_contexts
-rw-------. root root system_u:object_r:security_t:s0  load
-rw-rw-rw-. root root system_u:object_r:security_t:s0  member
-r--r--r--. root root system_u:object_r:security_t:s0  mls
crw-rw-rw-. root root system_u:object_r:null_device_t:s0 null
-r--r--r--. root root system_u:object_r:security_t:s0  policy
dr-xr-xr-x. root root system_u:object_r:security_t:s0  policy_capabilities
-r--r--r--. root root system_u:object_r:security_t:s0  policyvers
-r--r--r--. root root system_u:object_r:security_t:s0  reject_unknown
-rw-rw-rw-. root root system_u:object_r:security_t:s0  relabel
-r--r--r--. root root system_u:object_r:security_t:s0  status
-rw-rw-rw-. root root system_u:object_r:security_t:s0  user

查看初始 SID（initial SID）对应的安全上下文

[root@localhost fs]# seinfo --initialsid -x

Initial SID: 27
             devnull:  system_u:object_r:null_device_t:s0
         scmp_packet:  system_u:object_r:unlabeled_t:s0
              policy:  system_u:object_r:unlabeled_t:s0
                kmod:  system_u:object_r:unlabeled_t:s0
          sysctl_dev:  system_u:object_r:unlabeled_t:s0
           sysctl_vm:  system_u:object_r:unlabeled_t:s0
     sysctl_net_unix:  system_u:object_r:unlabeled_t:s0
          sysctl_net:  system_u:object_r:unlabeled_t:s0
       sysctl_kernel:  system_u:object_r:unlabeled_t:s0
           sysctl_fs:  system_u:object_r:unlabeled_t:s0
              sysctl:  system_u:object_r:sysctl_t:s0
     sysctl_modprobe:  system_u:object_r:unlabeled_t:s0
          tcp_socket:  system_u:object_r:unlabeled_t:s0
         icmp_socket:  system_u:object_r:unlabeled_t:s0
         igmp_packet:  system_u:object_r:unlabeled_t:s0
                node:  system_u:object_r:node_t:s0
              netmsg:  system_u:object_r:netlabel_peer_t:s0
               netif:  system_u:object_r:netif_t:s0
                port:  system_u:object_r:port_t:s0
          any_socket:  system_u:object_r:unlabeled_t:s0
                init:  system_u:object_r:unlabeled_t:s0
         file_labels:  system_u:object_r:unlabeled_t:s0
                file:  system_u:object_r:file_t:s0
                  fs:  system_u:object_r:fs_t:s0
           unlabeled:  system_u:object_r:unlabeled_t:s0
            security:  system_u:object_r:security_t:s0
              kernel:  system_u:system_r:kernel_t:s0
