    selinux misc

    selinux class definition in te file

    system/sepolicy/private/access_vectors

    #
    # Define a common prefix for file access vectors.
    #

    common file
    {
        ioctl
        read
        write
        create
        getattr
        setattr
        lock
        relabelfrom
        relabelto
        append
        map
        unlink
        link
        rename
        execute
        quotaon
        mounton
    }

    ...

    class dir
    inherits file
    {
        add_name
        remove_name
        reparent
        search
        rmdir
        open
        audit_access
        execmod
    }

    class file
    inherits file
    {
        execute_no_trans
        entrypoint
        execmod
        open
        audit_access
    }

    class lnk_file
    inherits file
    {
        open
        audit_access
        execmod
    }

    class chr_file
    inherits file
    {
        execute_no_trans
        entrypoint
        execmod
        open
        audit_access
    }

    perf_event class

    class perf_event {
            open
            cpu
            kernel
            tracepoint
            read
            write
    }

    macro definitions

    system/sepolicy/prebuilts/api/29.0/public]$ ls *macro*
    global_macros  ioctl_macros  neverallow_macros  te_macros

    For example, global_macros defines the following:

    file:

    define(`x_file_perms', `{ getattr execute execute_no_trans map }')
    define(`r_file_perms', `{ getattr open read ioctl lock map }')
    define(`w_file_perms', `{ open append write lock map }')
    define(`rx_file_perms', `{ r_file_perms x_file_perms }')
    define(`ra_file_perms', `{ r_file_perms append }')
    define(`rw_file_perms', `{ r_file_perms w_file_perms }')
    define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
    define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }')

    dir:

    define(`r_dir_perms', `{ open getattr read search ioctl lock }')
    define(`w_dir_perms', `{ open search write add_name remove_name lock }')
    define(`ra_dir_perms', `{ r_dir_perms add_name write }')
    define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
    define(`create_dir_perms', `{ create reparent rename rmdir setattr rw_dir_perms }')
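    Because these macros nest (rw_file_perms refers to r_file_perms and w_file_perms), it is easy to underestimate what a rule such as allow foo bar:file rw_file_perms; really grants. The following Python script is an added example, not code from the original post or from the sepolicy tree: it parses the define() lines quoted above (embedded inline as constructed input) and flattens each macro to the raw permission set it grants.

```python
import re

# The global_macros definitions quoted above, embedded inline as constructed input.
GLOBAL_MACROS = r"""
define(`x_file_perms', `{ getattr execute execute_no_trans map }')
define(`r_file_perms', `{ getattr open read ioctl lock map }')
define(`w_file_perms', `{ open append write lock map }')
define(`rx_file_perms', `{ r_file_perms x_file_perms }')
define(`ra_file_perms', `{ r_file_perms append }')
define(`rw_file_perms', `{ r_file_perms w_file_perms }')
define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }')
define(`r_dir_perms', `{ open getattr read search ioctl lock }')
define(`w_dir_perms', `{ open search write add_name remove_name lock }')
define(`ra_dir_perms', `{ r_dir_perms add_name write }')
define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
define(`create_dir_perms', `{ create reparent rename rmdir setattr rw_dir_perms }')
"""

# Matches one m4 define(`name', `{ tokens }') line; a token is either a raw
# permission or the name of another macro.
DEFINE_RE = re.compile(r"define\(`(\w+)',\s*`\{([^}]*)\}'\)")

def load_macros(text):
    """Return {macro_name: [token, ...]} without expanding anything yet."""
    return {name: body.split() for name, body in DEFINE_RE.findall(text)}

def expand(name, macros, _stack=()):
    """Flatten a macro into the set of raw permissions it grants."""
    if name in _stack:
        raise ValueError("macro cycle: " + " -> ".join(_stack + (name,)))
    perms = set()
    for tok in macros[name]:
        if tok in macros:                      # nested macro: recurse into it
            perms |= expand(tok, macros, _stack + (name,))
        else:                                  # raw permission
            perms.add(tok)
    return perms

def macros_granting(perm, macros):
    """Names of every macro whose expansion includes the given permission."""
    return sorted(m for m in macros if perm in expand(m, macros))

MACROS = load_macros(GLOBAL_MACROS)

if __name__ == "__main__":
    for name in MACROS:
        print(f"{name:18} -> {' '.join(sorted(expand(name, MACROS)))}")
    print("macros granting write:", macros_granting("write", MACROS))
```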

    audit2allow

    [ 45.806087] type=1400 audit(1632056806.209:79): avc: denied { cpu } for comm="kworker/1:0" scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=perf_event permissive=0

    Save the SELinux denial log above to a text file and run the command below; the output is shown after it and can be added to kernel.te:

    audit2allow < selinux_denial.log

    #============= kernel ==============
    allow kernel self:perf_event cpu;
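    As an added example (not from the original post, and not the audit2allow tool itself), the following Python script shows what audit2allow does with such lines: it parses each avc: denied record, reduces scontext and tcontext to their type field, merges denials that share source, target and class, and writes self when both types are the same. The first log line is the one quoted above; the other two are constructed.

```python
import re
from collections import defaultdict

# Constructed input: the denial quoted above plus two made-up lines to show
# how several denials for the same (source, target, class) merge into one rule.
SAMPLE_LOG = """\
[ 45.806087] type=1400 audit(1632056806.209:79): avc: denied { cpu } for comm="kworker/1:0" scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=perf_event permissive=0
[ 46.000000] type=1400 audit(1632056806.400:80): avc: denied { kernel } for comm="kworker/1:0" scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=perf_event permissive=0
[ 47.000000] type=1400 audit(1632056807.100:81): avc: denied { read } for path="/dev/block/sda" scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
"""

# Pull the permission set, both contexts and the object class out of one avc record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """u:r:kernel:s0 -> kernel (the type is the third field of an Android context)."""
    return ctx.split(":")[2]

def parse_denials(log):
    """Yield (source_type, target_type, tclass, {perms}) for each avc: denied line."""
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (context_type(m.group("scon")), context_type(m.group("tcon")),
                   m.group("tclass"), set(m.group("perms").split()))

def denials_to_allow_rules(log):
    """Merge denials per (source, target, class) and render allow rules, as audit2allow does."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in parse_denials(log):
        merged[(src, tgt, tclass)] |= perms
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        target = "self" if src == tgt else tgt          # same type on both sides -> self
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {target}:{tclass} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(denials_to_allow_rules(SAMPLE_LOG)))
```

    Rules generated this way still have to pass the neverallow rules compiled into the policy (the neverallow section further down shows one such rule); a build with a conflicting allow rule fails at policy compile time.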

    sepolicy-analyze tool

    The tool's help output is as follows:

    out/host/linux-x86/vts/android-vts/testcases/sepolicy-analyze
    out/host/linux-x86/vts/android-vts/testcases/sepolicy-analyze must be called on a policy file with a component and the appropriate arguments specified
    out/host/linux-x86/vts/android-vts/testcases/sepolicy-analyze <policy-file>:
            dups
            neverallow [-w|--warn] [-d|--debug] [-n|--neverallows <neverallow-rules>] | [-f|--file <neverallow-file>]
            permissive
            typecmp [-d|--diff] [-e|--equiv]
            booleans
            attribute

    Example 1

    out/host/linux-x86/vts/android-vts/testcases/sepolicy-analyze out/target/product/test_product/vendor/etc/selinux/precompiled_sepolicy attribute super_block_device_type
    super_block_device

    The command above shows that the type carrying the super_block_device_type attribute is super_block_device. In the following file you can see the super_block_device type being given the super_block_device_type attribute:

    system/sepolicy/public/device.te
    type super_block_device, super_block_device_type, dev_type;

    The format of the type statement above is:

    type some_contexts, some_attribute1, [some_attribute2];

    This defines a type some_contexts and attaches the attributes some_attribute1 [, some_attribute2] to it.

    Example 2:

    The command below lists the types that carry the coredomain attribute; as you can see, there are many of them:

    out/host/linux-x86/vts/android-vts/testcases/sepolicy-analyze  out/target/product/test_product/vendor/etc/selinux/precompiled_sepolicy  attribute coredomain
    adbd
    apexd
    app_zygote
    ashmemd
    audioserver
    blkid
    blkid_untrusted
    bluetooth
    bootanim
    bootstat
    bufferhubd
    cameraserver
    charger
    clatd
    crash_dump
    dhcp
    dnsmasq
    drmserver
    ...

    Example 3:

    The command below lists all attributes contained in the precompiled_sepolicy file:

    out/host/linux-x86/vts/android-vts/testcases/sepolicy-analyze  out/target/product/test_product/vendor/etc/selinux/precompiled_sepolicy  attribute --list
    pdx_display_manager_endpoint_socket_type
    pdx_display_screenshot_endpoint_socket_type
    file_type
    hal_screenrecord_mediatek_server
    exec_type
    hal_usb_server
    property_type
    binderservicedomain
    node_type
    hal_broadcastradio_server
    proc_type
    port_type
    pdx_channel_socket_type
    hal_tv_mtkdmservice_server


    With the following command you can see that the halserverdomain attribute is attached to the hal_wifi_supplicant_default type:

    out/host/linux-x86/vts/android-vts/testcases/sepolicy-analyze  out/target/product/test_product/vendor/etc/selinux/precompiled_sepolicy  attribute halserverdomain |grep hal_wifi_supplicant_default
    hal_wifi_supplicant_default

    Let's see where this attribute is defined. It is defined in the attributes file:

    system/sepolicy/prebuilts/api/29.0/public/attributes

    # All HAL servers
    attribute halserverdomain;

    Let's see where the hal_wifi_supplicant_default type is associated with the halserverdomain attribute.

    system/sepolicy/vendor/hal_wifi_supplicant_default.te

    hal_server_domain(hal_wifi_supplicant_default, hal_wifi_supplicant)

    Let's see how hal_server_domain is defined:

    system/sepolicy/prebuilts/api/29.0/public/te_macros

    define(`hal_server_domain', `
    typeattribute $1 halserverdomain;
    typeattribute $1 $2_server;
    typeattribute $1 $2;
    ')

    In the define above, type $1 (hal_wifi_supplicant_default) is associated with the halserverdomain attribute.

    Let's see where the hal_wifi_supplicant_default type is defined. It is defined in the following location:

    system/sepolicy/vendor/hal_wifi_supplicant_default.te
    type hal_wifi_supplicant_default, domain;

    Excluding a domain in a te file

    Adding a - in front of a domain excludes it. The line below says that no domain other than kernel, init, recovery and the others listed may open, read or write block_device as a blk_file:

    neverallow { domain -kernel -init -recovery -vold -uncrypt -emsd -rild -radio_config} block_device:blk_file { open read write };

    typeattribute

    A type (context) can be defined in one place and associated with attributes somewhere else. The typeattribute statement below associates the httpd_user_content_t type with the two attributes file_type and httpdcontent:

    type httpd_user_content_t;
    typeattribute httpd_user_content_t file_type, httpdcontent;

    A type can also be defined and associated with attributes in a single statement. The following defines httpd_user_content_t and associates it with the two attributes file_type and httpdcontent:

    type httpd_user_content_t, file_type, httpdcontent;

    attribute definition

    system/sepolicy/public/attributes


    attribute dev_type;

    # All types used for processes.
    attribute domain;


    attribute fs_type;

    # All types used for context= mounts.
    attribute contextmount_type;

    # All types used for files that can exist on a labeled fs.
    # Do not use for pseudo file types.
    # On change, update CHECK_FC_ASSERT_ATTRS
    # definition in tools/checkfc.c.
    attribute file_type;

    # All types used for domain entry points.
    attribute exec_type;

    # All types used for /data files.
    attribute data_file_type;


    Original article: https://www.cnblogs.com/aspirs/p/15475931.html