diff --git a/README.txt b/README.txt index fc51258a4..d04e11542 100644 --- a/README.txt +++ b/README.txt @@ -1,36 +1,28 @@ Injects allow rules into binary SELinux kernel policies Injecting a rule: -$ ./sepolicy-inject -s shell -t system -c file -p read -P sepolicy -o sepolicy2 -libsepol.policydb_index_others: security: 1 users, 2 roles, 518 types, 14 bools -libsepol.policydb_index_others: security: 1 sens, 1024 cats -libsepol.policydb_index_others: security: 84 classes, 4539 rules, 162 cond rules +$ ./sepolicy-inject -s shell -t system -c file -p read -P sepolicy -$ sesearch -A -s shell -t system -c file sepolicy -Found 1 semantic av rules: - allow appdomain domain : file { ioctl read getattr lock open } ; +Injecting multiple permissions: +$ ./sepolicy-inject -s shell -t system -c file -p read,write,open -P sepolicy -$ sesearch -A -s shell -t system -c file sepolicy2 -Found 2 semantic av rules: - allow shell system : file read ; - allow appdomain domain : file { ioctl read getattr lock open } ; +Add a type_attribute to a domain: +$ ./sepolicy-inject -s su -a mlstrustedsubject -P sepolicy Injecting a permissive domain: -$ ./sepolicy-inject -Z shell -P sepolicy -o sepolicy2 - -$ seinfo sepolicy | grep Permissive - Permissives: 0 Polcap: 2 - -$ seinfo sepolicy2 | grep Permissive - Permissives: 1 Polcap: 2 +$ ./sepolicy-inject -Z shell -P sepolicy Change a permissive domain to non-permissive: -$ ./sepolicy-inject -z shell -P sepolicy -o sepolicy2 +$ ./sepolicy-inject -z shell -P sepolicy +Test a SELinux type exists: +$ ./sepolicy-inject -e -s shell -P sepolicy -TODO: +Test a SELinux class exists: +$ ./sepolicy-inject -e -c service_manager -P sepolicy -Insert multiple rules at the same time -Remove rules -Use attributes +Add a transition: +$ ./sepolicy-inject -s su_daemon -f device -c file -t su_device -P sepolicy +Add a filename transition: +$ ./sepolicy-inject -s su_daemon -f device -c file -g "socket" -t su_device -P sepolicy
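Review bot: the rewritten examples drop the `-o sepolicy2` output argument everywhere without saying where the modified policy now goes, so a reader cannot tell whether the file given with `-P sepolicy` is overwritten in place; add one sentence stating the default output behaviour (and keep `-o` in at least one example if the option still exists). The two new transition examples (`-s su_daemon -f device -c file -t su_device` and the `-g "socket"` variant) reuse `-t` for the resulting type while `-f` carries what is presumably the target type of the transition, which is the opposite of how `-s`/`-t` are read in the allow-rule examples above; spell out what each of `-s`, `-f`, `-t`, `-c` and `-g` means in that mode. Removing the `sesearch` and `seinfo` transcripts also removes the only place the README showed how to confirm that an injected rule or permissive flag actually landed; consider keeping one verification example next to the first injection, since a reader who injects into a policy wants a way to check the result before loading it.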