CentOS Stream 9
Sponsored Link

SELinux : sesearch 基本操作
2022/03/11
 
[sesearch] コマンドを利用することで、SELinux ポリシー設定の検索をすることができます。
[1] [sesearch] コマンドの使用例です。
コマンドが存在しない場合は [dnf install setools-console] でインストール可能です。
# 許可されているルールを全て表示 (大量に出力される)

[root@dlp ~]#
sesearch --allow

allow NetworkManager_etc_rw_t NetworkManager_etc_rw_t:filesystem associate;
allow NetworkManager_etc_t NetworkManager_etc_t:filesystem associate;
allow NetworkManager_exec_t NetworkManager_exec_t:filesystem associate;
allow NetworkManager_initrc_exec_t NetworkManager_initrc_exec_t:filesystem associate;
allow NetworkManager_log_t NetworkManager_log_t:filesystem associate;
allow NetworkManager_ssh_t NetworkManager_ssh_t:anon_inode { create getattr ioctl read write };
allow NetworkManager_ssh_t NetworkManager_ssh_t:association sendto;
allow NetworkManager_ssh_t NetworkManager_ssh_t:capability { dac_read_search setgid setuid };
allow NetworkManager_ssh_t NetworkManager_ssh_t:dbus send_msg;
allow NetworkManager_ssh_t NetworkManager_ssh_t:dir { getattr ioctl lock open read search };
.....
.....

# [httpd_t] ドメインがアクセス許可されているルールを表示

[root@dlp ~]#
sesearch -s httpd_t --allow

allow corenet_unlabeled_type unlabeled_t:association { recvfrom sendto };
allow corenet_unlabeled_type unlabeled_t:dccp_socket recvfrom;
allow corenet_unlabeled_type unlabeled_t:peer recv;
allow corenet_unlabeled_type unlabeled_t:rawip_socket recvfrom;
allow corenet_unlabeled_type unlabeled_t:tcp_socket recvfrom;
allow corenet_unlabeled_type unlabeled_t:udp_socket recvfrom;
allow daemon abrt_t:unix_stream_socket connectto;
allow daemon abrt_var_run_t:sock_file { append getattr open write };
allow daemon auth_port_t:tcp_socket name_connect; [ daemons_use_tcp_wrapper ]:True
allow daemon cluster_conf_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; [ daemons_enable_cluster_mode ]:True
.....
.....

# [httpd_sys_script_exec_t] タイプにアクセス許可されているルールを表示

[root@dlp ~]#
sesearch -t httpd_sys_script_exec_t --allow

allow NetworkManager_ssh_t file_type:filesystem getattr;
allow NetworkManager_t file_type:filesystem getattr;
allow abrt_dump_oops_t file_type:filesystem getattr;
allow abrt_dump_oops_t non_security_file_type:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write };
allow abrt_dump_oops_t non_security_file_type:file { append create getattr ioctl link lock map open read rename setattr unlink watch watch_reads write };
allow abrt_dump_oops_t non_security_file_type:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write };
allow abrt_helper_t exec_type:dir { getattr open search };
allow abrt_helper_t exec_type:file { getattr ioctl lock open read };
allow abrt_helper_t file_type:filesystem getattr;
allow abrt_t exec_type:file { execute execute_no_trans ioctl lock map open read };
.....
.....

# [shadow_t] タイプのファイルに書き込みアクセス許可されているルールを表示

[root@dlp ~]#
sesearch -t shadow_t -c file -p write --allow

allow cockpit_session_t shadow_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };
allow files_unconfined_type file_type:file { append audit_access create execute execute_no_trans getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink watch watch_mount watch_reads watch_sb watch_with_perm write };
allow groupadd_t shadow_t:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink watch watch_reads write };
allow passwd_t shadow_t:file { append create getattr ioctl link lock map open read relabelfrom relabelto rename setattr unlink watch watch_reads write };
allow pegasus_openlmi_account_t shadow_t:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink watch watch_reads write };
allow sysadm_passwd_t shadow_t:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink watch watch_reads write };
allow updpwd_t shadow_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };
allow useradd_t shadow_t:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink watch watch_reads write };
allow yppasswdd_t shadow_t:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink watch watch_reads write };
.....
.....

# ブール値 [samba_enable_home_dirs] で定義されているルールを表示

[root@dlp ~]#
sesearch -b samba_enable_home_dirs --allow

allow smbd_t httpd_user_content_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; [ samba_enable_home_dirs ]:True
allow smbd_t httpd_user_content_t:dir { add_name getattr ioctl lock open read remove_name search write }; [ samba_enable_home_dirs ]:True
allow smbd_t httpd_user_content_t:dir { add_name getattr ioctl lock open read remove_name search write }; [ samba_enable_home_dirs ]:True
allow smbd_t httpd_user_content_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; [ samba_enable_home_dirs ]:True
allow smbd_t httpd_user_content_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write }; [ samba_enable_home_dirs ]:True
allow smbd_t user_home_dir_t:dir { add_name ioctl lock read remove_name write }; [ samba_enable_home_dirs ]:True
allow smbd_t user_home_dir_t:dir { add_name ioctl lock read remove_name write }; [ samba_enable_home_dirs ]:True
allow smbd_t user_home_dir_t:dir { add_name ioctl lock read remove_name write }; [ samba_enable_home_dirs ]:True
allow smbd_t user_home_dir_t:dir { add_name ioctl lock read remove_name write }; [ samba_enable_home_dirs ]:True
allow smbd_t user_home_dir_t:dir { add_name ioctl lock read remove_name write }; [ samba_enable_home_dirs ]:True
.....
.....
関連コンテンツ