[11] SELinux – sesearch
16 marca 2022
Przeszukaj politykę SELinux, używając polecenia [sesearch].
[1] Oto kilka przykładów użycia [sesearch].
Jeśli polecenie [sesearch] nie występuje w systemie, zainstaluj je za pomocą [dnf install setools-console].
# wyświetl wszystkie dozwolone reguły (wyświetlanych jest wiele reguł)
[root@vlsr01 ~]# sesearch --allow
allow NetworkManager_etc_rw_t NetworkManager_etc_rw_t:filesystem associate;
allow NetworkManager_etc_t NetworkManager_etc_t:filesystem associate;
allow NetworkManager_exec_t NetworkManager_exec_t:filesystem associate;
allow NetworkManager_initrc_exec_t NetworkManager_initrc_exec_t:filesystem associate;
allow NetworkManager_log_t NetworkManager_log_t:filesystem associate;
. . . . .

# wyświetl dozwolone reguły, do których domena [httpd_t] ma dostęp
[root@vlsr01 ~]# sesearch -s httpd_t --allow
allow corenet_unlabeled_type unlabeled_t:association { recvfrom sendto };
allow corenet_unlabeled_type unlabeled_t:dccp_socket recvfrom;
allow corenet_unlabeled_type unlabeled_t:peer recv;
allow corenet_unlabeled_type unlabeled_t:rawip_socket recvfrom;
. . . . .

# wyświetl dozwolone reguły określające, które domeny mogą uzyskać dostęp do typu [httpd_sys_script_exec_t]
[root@vlsr01 ~]# sesearch -t httpd_sys_script_exec_t --allow
allow NetworkManager_ssh_t file_type:filesystem getattr;
allow NetworkManager_t file_type:filesystem getattr;
allow abrt_dump_oops_t exec_type:file getattr;
allow abrt_dump_oops_t file_type:filesystem getattr;
allow abrt_dump_oops_t non_security_file_type:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink write };
. . . . .
# wyświetl dozwolone reguły określające, które domeny mogą zapisywać do plików typu [shadow_t]
[root@vlsr01 ~]# sesearch -t shadow_t -c file -p write --allow | head
allow cockpit_session_t shadow_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow files_unconfined_type file_type:file { append audit_access create execute execute_no_trans getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow groupadd_t shadow_t:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };
allow passwd_t shadow_t:file { append create getattr ioctl link lock map open read relabelfrom relabelto rename setattr unlink write };
allow pegasus_openlmi_account_t shadow_t:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };
. . . . .

# wyświetl zdefiniowane reguły dla wartości logicznej [samba_enable_home_dirs]
[root@vlsr01 ~]# sesearch -b samba_enable_home_dirs --allow | head
allow smbd_t home_root_t:dir { getattr ioctl lock open read search }; [ samba_enable_home_dirs ]:True
allow smbd_t home_root_t:lnk_file { getattr read }; [ samba_enable_home_dirs ]:True
allow smbd_t httpd_user_content_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink write }; [ samba_enable_home_dirs ]:True
allow smbd_t httpd_user_content_t:dir { add_name getattr ioctl lock open read remove_name search write }; [ samba_enable_home_dirs ]:True
allow smbd_t httpd_user_content_t:dir { add_name getattr ioctl lock open read remove_name search write }; [ samba_enable_home_dirs ]:True
. . . . .