Shulou(Shulou.com)06/01 Report--

This article mainly explains "how to use the sesearch command of Linux". Interested friends may wish to have a look at it. The method introduced in this paper is simple, fast and practical. Now let the editor take you to learn how to use the sesearch command of Linux.

The Linux common command sesearch is used to search the SELinux security policy rule set, and the command comes from the package: yum install setools-console.

Syntax sesearch [OPTIONS] RULE_TYPE [RULE_TYPE...] [EXPRESSION] [POLICY...] Option-d,-- direct does not search the attributes of type-R,-- regex uses regular expressions to match-n,-- linenum displays the line number of each available rule-S,-- semantic search semantics (semantically) rules alternative syntax (syntactically) rules-C -- show_cond displays conditional expressions for conditional rules-- h,-- help help information-- V,-- version version number RULE_TYPES:-A,-- allow allows (allow) rules-- neverallow never allows (neverallow) rules-- auditallow audit (auditallow) rules-D -- dontaudit's rule of not auditing-- T,-- type type_trans, type_member, and type_change (I don't know why this is either. To be replenished! )-- rules allowed by the role_allow role-- role_tans role_transition rules-- range_trans range_transition rules-- all all rules Whether it is: type, class, or perms (seinfo can obtain class, type values) EXPRESSIONS:-s NAME,-- source=NAME has rules of type and attribute value of NAME as source (concept of process body)-t NAME,-- target=NAME has rules of type and attribute value of NAME as target (file) The concept of port and other types)-- role_source=NAME has a rule with a role value of NAME as the source-- role_target=NAME has a rule with a role value of NAME as the target-c NAME,-- class=NAME has a rule with a class value of NAME as an object class (the object class)-p P1 [, P2J.],-- perm=P1 [, P2J.] Rule with specific permissions-b NAME,-- bool=NAME conditional rule instance # 1 with NAME value in the expression. Show all allow rules [root@tim ~] # sesearch-- allow Found 101724 semantic av rules: allow logrotate_t systemd_passwd_var_run_t: sock_file {ioctl read write create getattr setattr lock... Allow dmidecode_t virtd_t: fd use; allow ssh_keygen_t anaconda_t: fd use; allow logadm_t systemd_passwd_var_run_t: sock_file {ioctl read write create getattr setattr lock app... Allow unconfined_dbusd_t unconfined_dbusd_t: x_device {getattr setattr use read write getfocus setfo... . # 2. Display the rules that allow (--allow) access in the httpd_t (- s xx) domain (- d means only directly manage search results) [root@tim ~] # sesearch-s httpd_t-- allow-d Found 1294 semantic av rules: allow httpd_t system_dbusd_t: unix_stream_socket connectto; allow httpd_t dirsrv_config_t: file {ioctl read write create getattr setattr lock append unlink link rename op... Allow httpd_t dirsrv_config_t: dir {ioctl read write create getattr setattr lock unlink link rename add_name r... Allow httpd_t httpd_squirrelmail_t: file {ioctl read write create getattr setattr lock append unlink link rena... . # 3. Display the rules that allow (--allow) access to the httpd_sys_script_exec_t (- t xx) type [root@tim ~] # sesearch-t httpd_sys_script_exec_t-- allow-d Found 11 semantic av rules: allow httpd_sys_script_t httpd_sys_script_exec_t: file {ioctl read getattr lock execute execute_no_trans entryp... Allow httpd_sys_script_t httpd_sys_script_exec_t: dir {ioctl read getattr lock search open}; allow httpd_sys_script_exec_t httpd_sys_script_exec_t: filesystem associate; allow openshift_domain httpd_sys_script_exec_t: file {ioctl read getattr lock execute execute_no_trans open}; allow openshift_domain httpd_sys_script_exec_t: dir {getattr search open};. # 4. Show rules that can write (- p write) shadow_t type files (- c file) [root@tim ~] # sesearch-t shadow_t-c file-p write-- allow Found 11 semantic av rules: allow updpwd_t shadow_t: file {ioctl read write create getattr setattr lock append unlink link rename open}; allow yppasswdd_t shadow_t: file {ioctl read write create getattr setattr lock relabelfrom relabelto append unl... Allow pegasus_openlmi_account_t shadow_t: file {ioctl read write create getattr setattr lock relabelfrom relabe... Allow files_unconfined_type file_type: file {ioctl read write create getattr setattr lock relabelfrom relabelto... Allow sysadm_passwd_t shadow_t: file {ioctl read write create getattr setattr lock relabelfrom relabelto append... . # 5. Show conditional rules with binary samba_enable_home_dirs (- b xx) switches [root@tim ~] # sesearch-b samba_enable_home_dirs-- allow-d Found 23 semantic av rules: allow smbd_t home_root_t: dir {ioctl read getattr lock search open}; allow smbd_t home_root_t: lnk_file {read getattr}; allow smbd_t user_home_type: file {ioctl read write create getattr setattr lock append unlink link rename open. Allow smbd_t user_home_type: dir {ioctl read write create getattr setattr lock unlink link rename add_name remov... Allow smbd_t user_home_type: lnk_file {ioctl read write create getattr setattr lock append unlink link rename}; at this point, I believe you have a better understanding of "how to use Linux's sesearch command". You might as well do it! Here is the website, more related content can enter the relevant channels to inquire, follow us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.