Description:
sepolicy generate is used to generate an initial SELinux policy module template.
sepolicy generate also creates an RPM spec file, which can be used to build an RPM package that installs the policy package file (NAME.pp) and the interface file (NAME.if) into the correct locations and installs the SELinux policy into the kernel.
When sepolicy generate is executed, the following files are produced:
NAME.te – Type enforcement file
This file defines all the types and rules for a particular domain.
policy_module(example,1.0.0) # a non-base module name must match the file name
########################################
#
# Declarations
#
type myapp_t;
type myapp_exec_t;
domain_type(myapp_t)
domain_entry_file(myapp_t, myapp_exec_t)
type myapp_log_t;
logging_log_file(myapp_log_t)
type myapp_tmp_t;
files_tmp_file(myapp_tmp_t)
########################################
#
# Myapp local policy
#
allow myapp_t myapp_log_t:file { read_file_perms append_file_perms };
allow myapp_t myapp_tmp_t:file manage_file_perms;
files_tmp_filetrans(myapp_t,myapp_tmp_t,file)
NAME.if – Interface file
This file defines the default file contexts for the system. It takes the file types created in the NAME.te file and associates file paths with those types. Utilities such as restorecon and rpm use these paths to write labels.
## <summary>Myapp example policy</summary>
## <desc>
##  <p>
##      More descriptive text about myapp. The desc
##      tag can also use p, ul, and ol
##      html tags for formatting.
##  </p>
##  <p>
##      This policy supports the following myapp features:
##      <ul>
##      <li>Feature A</li>
##      <li>Feature B</li>
##      <li>Feature C</li>
##      </ul>
##  </p>
## </desc>
#

########################################
## <summary>
##  Execute a domain transition to run myapp.
## </summary>
## <param name="domain">
##  <summary>
##  Domain allowed to transition.
##  </summary>
## </param>
#
interface(`myapp_domtrans',`
    gen_require(`
        type myapp_t, myapp_exec_t;
    ')

    domtrans_pattern($1,myapp_exec_t,myapp_t)
')

########################################
## <summary>
##  Read myapp log files.
## </summary>
## <param name="domain">
##  <summary>
##  Domain allowed to read the log files.
##  </summary>
## </param>
#
interface(`myapp_read_log',`
    gen_require(`
        type myapp_log_t;
    ')

    logging_search_logs($1)
    allow $1 myapp_log_t:file read_file_perms;
')
NAME_selinux.spec – RPM spec file
This file is an RPM spec file that installs the SELinux policy and sets up labeling. It also installs the interface file and a man page describing the policy. You can generate the man page with the following command:
sepolicy manpage -d NAME
# vim: sw=4:ts=4:et
%define selinux_policyver 3.14.3-20

Name:       test_selinux
Version:    1.0
Release:    1%{?dist}
Summary:    SELinux policy module for test
Group:      System Environment/Base
License:    GPLv2+
# This is an example. You will need to change it.
URL:        http://HOSTNAME
Source0:    test.pp
Source1:    test.if
Source2:    test_selinux.8
Source3:    test_u

Requires: policycoreutils, libselinux-utils
Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils
Requires(postun): policycoreutils
BuildArch: noarch

%description
This package installs and sets up the SELinux policy security module for test.

%install
install -d %{buildroot}%{_datadir}/selinux/packages
install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
install -d %{buildroot}%{_mandir}/man8/
install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/test_selinux.8
install -d %{buildroot}/etc/selinux/targeted/contexts/users/
install -m 644 %{SOURCE3} %{buildroot}/etc/selinux/targeted/contexts/users/test_u

%post
semodule -n -i %{_datadir}/selinux/packages/test.pp
if /usr/sbin/selinuxenabled ; then
    /usr/sbin/load_policy
    /usr/sbin/semanage user -a -R test_r test_u
fi;
exit 0

%postun
if [ $1 -eq 0 ]; then
    semodule -n -r test
    if /usr/sbin/selinuxenabled ; then
        /usr/sbin/load_policy
        /usr/sbin/semanage user -d test_u
    fi;
fi;
exit 0
NAME.sh – Helper shell script
This script helps compile and install the policy and fix labeling on the system. It also generates a man page based on the installed policy, and compiles and builds an RPM package suitable for installation on other systems.
#!/bin/sh -e

DIRNAME=`dirname $0`
cd $DIRNAME
USAGE="$0 [ --update ]"
if [ `id -u` != 0 ]; then
    echo 'You must be root to run this script'
    exit 1
fi

if [ $# -eq 1 ]; then
    if [ "$1" = "--update" ] ; then
        time=`ls -l --time-style="+%x %X" test.te | awk '{ printf "%s %s", $6, $7 }'`
        rules=`ausearch --start $time -m avc --raw -se test`
        if [ x"$rules" != "x" ] ; then
            echo "Found avc's to update policy with"
            echo -e "$rules" | audit2allow -R
            echo "Do you want these changes added to policy [y/n]?"
            read ANS
            if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then
                echo "Updating policy"
                echo -e "$rules" | audit2allow -R >> test.te
                # Fall through and rebuild policy
            else
                exit 0
            fi
        else
            echo "No new avcs found"
            exit 0
        fi
    else
        echo -e $USAGE
        exit 1
    fi
elif [ $# -ge 2 ] ; then
    echo -e $USAGE
    exit 1
fi

echo "Building and Loading Policy"
set -x
make -f /usr/share/selinux/devel/Makefile test.pp || exit
/usr/sbin/semodule -i test.pp

# Generate a man page off the installed module
sepolicy manpage -p . -d test_t
# Adding SELinux user test_u
/usr/sbin/semanage user -a -R "test_r user_r system_r" test_u
cat > test_u << _EOF
test_r:test_t test_r:test_t
system_r:crond_t test_r:test_t
system_r:initrc_su_t test_r:test_t
system_r:local_login_t test_r:test_t
system_r:remote_login_t test_r:test_t
system_r:sshd_t test_r:test_t
system_r:xdm_t test_r:test_t
_EOF
if [ ! -f /etc/selinux/targeted/contexts/users/test_u ]; then
    cp test_u /etc/selinux/targeted/contexts/users/
fi

# Generate a rpm package for the newly generated policy
pwd=$(pwd)
rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build" -ba test_selinux.spec
Compile and install:
sh test.sh
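An added example, not part of the sepolicy man page or its generated templates: a small Python checker that parses the type declarations and allow rules of a module like the NAME.te shown above and reports any allow rule whose target type is not declared in the module. This is the review worth doing before the --update branch of NAME.sh appends audit2allow -R output to the .te file; the sample module, including the appended shadow_t rule, is constructed for this example.

```python
import re

# Constructed sample: the myapp module from the page, plus one rule of the
# kind that "audit2allow -R >> test.te" can append after an AVC denial.
SAMPLE_TE = """\
policy_module(example,1.0.0) # a non-base module name must match the file name
type myapp_t;
type myapp_exec_t;
domain_type(myapp_t)
domain_entry_file(myapp_t, myapp_exec_t)
type myapp_log_t;
logging_log_file(myapp_log_t)
type myapp_tmp_t;
files_tmp_file(myapp_tmp_t)
allow myapp_t myapp_log_t:file { read_file_perms append_file_perms };
allow myapp_t myapp_tmp_t:file manage_file_perms;
files_tmp_filetrans(myapp_t,myapp_tmp_t,file)
allow myapp_t shadow_t:file read_file_perms;
"""

TYPE_RE = re.compile(r"^\s*type\s+([A-Za-z0-9_]+)\s*;")
# allow <src> <tgt>:<class> <perm | { perm ... }>;
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;")


def parse_te(text):
    """Return (set of declared types, list of (src, tgt, cls, [perms]))."""
    types, rules = set(), []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = TYPE_RE.match(line)
        if m:
            types.add(m.group(1))
            continue
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append((src, tgt, cls, perms.strip("{} ").split()))
    return types, rules


def review_rules(text):
    """Flag allow rules that reach outside the types this module declares."""
    types, rules = parse_te(text)
    findings = []
    for src, tgt, cls, perms in rules:
        if tgt != "self" and tgt not in types:
            findings.append(f"{src} -> {tgt}:{cls} {' '.join(perms)} (target not declared here)")
    return findings


if __name__ == "__main__":
    for finding in review_rules(SAMPLE_TE):
        print("REVIEW:", finding)
```

Rules that only touch the module's own types (myapp_log_t, myapp_tmp_t) pass; the appended shadow_t rule is reported so a human decides whether the domain really needs it.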