2013-06-28 03:42:09 +02:00
|
|
|
Injects allow rules into binary SELinux kernel policies
|
|
|
|
|
|
2013-07-17 04:10:12 +02:00
|
|
|
Injecting a rule:
|
2013-06-28 17:23:25 +02:00
|
|
|
$ ./sepolicy-inject -s shell -t system -c file -p read -P sepolicy -o sepolicy2
|
2013-06-28 03:42:09 +02:00
|
|
|
libsepol.policydb_index_others: security: 1 users, 2 roles, 518 types, 14 bools
|
|
|
|
|
libsepol.policydb_index_others: security: 1 sens, 1024 cats
|
|
|
|
|
libsepol.policydb_index_others: security: 84 classes, 4539 rules, 162 cond rules
|
|
|
|
|
|
2013-06-28 17:23:25 +02:00
|
|
|
$ sesearch -A -s shell -t system -c file sepolicy
|
2013-06-28 03:42:09 +02:00
|
|
|
Found 1 semantic av rules:
|
|
|
|
|
allow appdomain domain : file { ioctl read getattr lock open } ;
|
|
|
|
|
|
2013-06-28 17:23:25 +02:00
|
|
|
$ sesearch -A -s shell -t system -c file sepolicy2
|
2013-06-28 03:42:09 +02:00
|
|
|
Found 2 semantic av rules:
|
|
|
|
|
allow shell system : file read ;
|
|
|
|
|
allow appdomain domain : file { ioctl read getattr lock open } ;
|
|
|
|
|
|
2013-07-17 04:10:12 +02:00
|
|
|
Injecting a permissive domain:
|
|
|
|
|
$ ./sepolicy-inject -Z shell -P sepolicy -o sepolicy2
|
|
|
|
|
|
|
|
|
|
$ seinfo sepolicy | grep Permissive
|
|
|
|
|
Permissives: 0 Polcap: 2
|
|
|
|
|
|
|
|
|
|
$ seinfo sepolicy2 | grep Permissive
|
|
|
|
|
Permissives: 1 Polcap: 2
|
|
|
|
|
|
2015-06-07 23:00:43 +02:00
|
|
|
Change a permissive domain to non-permissive:
|
|
|
|
|
$ ./sepolicy-inject -z shell -P sepolicy -o sepolicy2
|
|
|
|
|
|
2013-06-28 17:23:25 +02:00
|
|
|
|
|
|
|
|
TODO:
|
|
|
|
|
|
|
|
|
|
Insert multiple rules at the same time
|
|
|
|
|
Remove rules
|
|
|
|
|
Use attributes
|
|
|
|
|
|
