SELinux refpolicy Explained (6)

Continued from the previous article: SELinux refpolicy Explained (5)

III. Detailed explanation of the refpolicy contents

1. README

File path: refpolicy source root directory/README.

The file contents are as follows:

1) Reference Policy make targets:

General Make targets:

install-src         Install the policy sources into /etc/selinux/NAME/src/policy,
                    where NAME is defined in the Makefile.  If not defined, the
                    TYPE, as defined in the Makefile, is used.  The default NAME
                    is refpolicy.  A pre-existing source policy will be moved to
                    /etc/selinux/NAME/src/policy.bak.

conf                Regenerate policy.xml, and update/create modules.conf and
                    booleans.conf.  This should be done after adding or removing
                    modules, or after running the bare target.  If the
                    configuration files exist, their settings will be preserved.
                    This must be ran on policy sources that are checked out from
                    the CVS repository before they can be used.

clean               Delete all temporary files, compiled policies, and
                    file_contexts.  Configuration files are left intact.

bare                Do the clean make target and also delete configuration
                    files, web page documentation, and policy.xml.

html                Regenerate policy.xml and create web page documentation in
                    the doc/html directory.

Make targets specific to modular (loadable modules) policies:

base                Compile and package the base module.  This is the default
                    target for modular policies.

modules             Compile and package all Reference Policy modules configured
                    to be built as loadable modules.

MODULENAME.pp       Compile and package the MODULENAME Reference Policy module.

all                 Compile and package the base module and all Reference
                    Policy modules configured to be built as loadable modules.

install             Compile, package, and install the base module and Reference
                    Policy modules configured to be built as loadable modules.

load                Compile, package, and install the base module and Reference
                    Policy modules configured to be built as loadable modules,
                    then insert them into the module store.

validate            Validate if the configured modules can successfully link
                    and expand.

install-headers     Install the policy headers into /usr/share/selinux/NAME.
                    The headers are sufficient for building a policy module
                    locally, without requiring the complete Reference Policy
                    sources.  The build.conf settings for this policy
                    configuration should be set before using this target.

build-interface-db  Build the policy interface database with 'sepolgen-ifgen'.
                    This database is required for reference style policy
                    generation by 'audit2allow --reference'.

Make targets specific to monolithic policies:

policy              Compile a policy locally for development and testing.  This
                    is the default target for monolithic policies.

install             Compile and install the policy and file contexts.

load                Compile and install the policy and file contexts, then load
                    the policy.

enableaudit         Remove all dontaudit rules from policy.conf.

relabel             Relabel the filesystem.

checklabels         Check the labels on the filesystem, and report when a file
                    would be relabeled, but do not change its label.

restorelabels       Relabel the filesystem and report each file that is
                    relabeled.

2) Reference Policy Build Options (build.conf)

TYPE                String.  Available options are standard, mls, and mcs.  For
                    a type enforcement only system, set standard.  This
                    optionally enables multi-level security (MLS) or
                    multi-category security (MCS) features.  This option
                    controls enable_mls, and enable_mcs policy blocks.

NAME                String (optional).  Sets the name of the policy; the NAME is
                    used when installing files to e.g., /etc/selinux/NAME and
                    /usr/share/selinux/NAME.  If not set, the policy type (TYPE)
                    is used.

DISTRO              String (optional).  Enable distribution-specific policy.
                    Available options are redhat, gentoo, and debian.  This
                    option controls distro_redhat, distro_gentoo, and
                    distro_debian build option policy blocks.

MONOLITHIC          Boolean.  If set, a monolithic policy is built, otherwise a
                    modular policy is built.

DIRECT_INITRC       Boolean.  If set, sysadm will be allowed to directly run
                    init scripts, instead of requiring the run_init tool.  This
                    is a build option instead of a tunable since role
                    transitions do not work in conditional policy.  This option
                    controls direct_sysadm_daemon policy blocks.

OUTPUT_POLICY       Integer.  Set the version of the policy created when
                    building a monolithic policy.  This option has no effect on
                    modular policy.

UNK_PERMS           String.  Set the kernel behavior for handling of permissions
                    defined in the kernel but missing from the policy.  The
                    permissions can either be allowed (allow), denied (deny), or
                    the policy loading can be rejected (reject).

UBAC                Boolean.  If set, the SELinux user will be used additionally
                    for approximate role separation.

SYSTEMD             Boolean.  If set, systemd will be assumed to be the init
                    process provider.

MLS_SENS            Integer.  Set the number of sensitivities in the MLS policy.
                    Ignored on standard and MCS policies.

MLS_CATS            Integer.  Set the number of categories in the MLS policy.
                    Ignored on standard and MCS policies.

MCS_CATS            Integer.  Set the number of categories in the MCS policy.
                    Ignored on standard and MLS policies.

QUIET               Boolean.  If set, the build system will only display status
                    messages and error messages.  This option has no effect on
                    policy.

WERROR              Boolean.  If set, the build system will treat warnings as
                    errors.  If any warnings are encountered, the build will
                    fail.

3) Reference Policy Files and Directories

All directories relative to the root of the Reference Policy sources directory.

Makefile            General rules for building the policy.

Rules.modular       Makefile rules specific to building loadable module
                    policies.

Rules.monolithic    Makefile rules specific to building monolithic policies.

build.conf          Options which influence the building of the policy, such as
                    the policy type and distribution.

config/appconfig-*  Application configuration files for all configurations of
                    the Reference Policy (targeted/strict with or without MLS
                    or MCS).  These are used by SELinux-aware programs.

config/local.users  The file read by load policy for adding SELinux users to
                    the policy on the fly.

doc/html/*          This contains the contents of the in-policy XML
                    documentation, presented in web page form.

doc/policy.dtd      The doc/policy.xml file is validated against this DTD.

doc/policy.xml      This file is generated/updated by the conf and html make
                    targets.  It contains the complete XML documentation
                    included in the policy.

doc/templates/*     Templates used for documentation web pages.

policy/booleans.conf
                    This file is generated/updated by the conf make target.  It
                    contains the booleans in the policy, and their default
                    values.  If tunables are implemented as booleans, tunables
                    will also be included.  This file will be installed as the
                    /etc/selinux/NAME/booleans file.

policy/constraints  This file defines additional constraints on permissions in
                    the form of boolean expressions that must be satisfied in
                    order for specified permissions to be granted.  These
                    constraints are used to further refine the type enforcement
                    rules and the role allow rules.  Typically, these
                    constraints are used to restrict changes in user identity
                    or role to certain domains.

policy/global_booleans
                    This file defines all booleans that have a global scope,
                    their default value, and documentation.

policy/global_tunables
                    This file defines all tunables that have a global scope,
                    their default value, and documentation.

policy/flask/initial_sids
                    This file has declarations for each initial SID.

policy/flask/security_classes
                    This file has declarations for each security class.

policy/flask/access_vectors
                    This file defines the access vectors.  Common prefixes for
                    access vectors may be defined at the beginning of the file.
                    After the common prefixes are defined, an access vector may
                    be defined for each security class.

policy/mcs          The multi-category security (MCS) configuration.

policy/mls          The multi-level security (MLS) configuration.

policy/modules/*    Each directory represents a layer in Reference Policy all
                    of the modules are contained in one of these layers.

policy/modules.conf This file contains a listing of available modules, and how
                    they will be used when building Reference Policy.  To
                    prevent a module from being used, set the module to "off".
                    For monolithic policies, modules set to "base" and "module"
                    will be included in the policy.  For modular policies,
                    modules set to "base" will be included in the base module;
                    those set to "module" will be compiled as individual
                    loadable modules.

policy/support/*    Support macros.

policy/users        This file defines the users included in the policy.

support/*           Tools used in the build process.

4) Building policy modules using Reference Policy headers:

The system must first have the Reference Policy headers installed, typically
by the distribution.  Otherwise, the headers can be installed using the
install-headers target from the full Reference Policy sources.

To set up a directory to build a local module, one must simply place a .te
file in a directory.  A sample Makefile to use in the directory is the
Makefile.example in the doc directory.  This may be installed in
/usr/share/doc, under the directory for the distribution's policy.
Alternatively, the primary Makefile in the headers directory (typically
/usr/share/selinux/NAME/Makefile) can be called directly, using make's -f
option.

Larger projects can set up a structure of layers, just as in Reference
Policy, by creating policy/modules/LAYERNAME directories.  Each layer also
must have a metadata.xml file which is an XML file with a summary tag and
optional desc (long description) tag.  This should describe the purpose of
the layer.

Metadata.xml example:

<summary>ABC modules for the XYZ components.</summary>

Make targets for modules built from headers:

MODULENAME.pp       Compile and package the MODULENAME local module.

all                 Compile and package the modules in the current directory.

load                Compile and package the modules in the current directory,
                    then insert them into the module store.

refresh             Attempts to reinsert all modules that are currently in the
                    module store from the local and system module packages.

xml                 Build a policy.xml from the XML included with the base
                    policy headers and any XML in the modules in the current
                    directory.

The previous installment covered the second part of the README; this one continues by explaining the remaining sections one by one.

(3) Reference Policy Files and Directories

This subsection explains in detail the files and directories under the refpolicy source root directory.

  • Makefile

General rules for building the policy.

  • Rules.modular

Makefile rules specific to building loadable module policies.

  • Rules.monolithic

Makefile rules specific to building monolithic policies.

  • build.conf

Options that influence how the policy is built, such as the policy type and the distribution.

  • config/appconfig-*

Application configuration files for all configurations of the Reference Policy (targeted/strict, with or without MLS or MCS). These are used by SELinux-aware programs.

  • config/local.users

The file read by load policy for adding SELinux users to the policy on the fly.

  • doc/html/*

Contains the contents of the in-policy XML documentation, presented in web page form.

  • doc/policy.dtd

The doc/policy.xml file is validated against this DTD.

  • doc/policy.xml

This file is generated/updated by the conf and html make targets. It contains the complete XML documentation included in the policy.

  • doc/templates/*

Templates used for the documentation web pages.

  • policy/booleans.conf

This file is generated/updated by the conf make target. It contains the booleans in the policy and their default values.

If tunables are implemented as booleans, the tunables are included as well.

This file is installed as /etc/selinux/NAME/booleans.

  • policy/constraints

This file defines additional constraints on permissions in the form of boolean expressions that must be satisfied before the specified permissions are granted.

These constraints further refine the type enforcement rules and the role allow rules. Typically they are used to restrict changes of user identity or role to certain domains.

  • policy/global_booleans

This file defines all booleans with global scope, their default values, and their documentation.

  • policy/global_tunables

This file defines all tunables with global scope, their default values, and their documentation.

  • policy/flask/initial_sids

This file contains the declaration of each initial SID.

  • policy/flask/security_classes

This file contains the declaration of each security class.

  • policy/flask/access_vectors

This file defines the access vectors.

Common prefixes for access vectors may be defined at the beginning of the file. After the common prefixes are defined, an access vector may be defined for each security class.
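As an added example (not code from this page or from the refpolicy project), the following Python parser reads the access_vectors syntax just described: common prefixes first, then one access vector per security class, optionally inheriting a common prefix, with the permission block omitted when the class adds nothing of its own. It expands each class to its effective permission set, which is what you need when judging what an allow rule on that class actually grants, and it flags own permissions that merely repeat an inherited one. The sample input is constructed and uses only a small subset of the real permission names.

```python
import re

# Constructed sample in the syntax of policy/flask/access_vectors (a small
# subset of real permission names; the real file is far longer).
SAMPLE_ACCESS_VECTORS = """
# common prefixes come first: common NAME { perm ... }
common file
{
	ioctl
	read
	write
	getattr
	setattr
	lock
}

# then one access vector per class: class NAME [inherits COMMON] [{ perm ... }]
class filesystem
{
	mount
	unmount
	getattr
}

class dir
inherits file
{
	add_name
	remove_name
	search
	rmdir
}

class lnk_file
inherits file
"""

TOKEN_RE = re.compile(r"\{|\}|[^\s{}]+")


def tokenize(text):
    """Drop '#' comments and split into tokens; braces are their own tokens."""
    tokens = []
    for line in text.splitlines():
        tokens.extend(TOKEN_RE.findall(line.split("#", 1)[0]))
    return tokens


def parse_access_vectors(text):
    """Return (commons, classes).

    commons maps a common name to its permission list; classes maps a class
    name to (inherited common or None, the class's own permissions).
    """
    tokens = tokenize(text)
    commons, classes = {}, {}

    def read_block(i):
        # tokens[i] is '{'; returns (perms, index just past the closing '}')
        perms, i = [], i + 1
        while i < len(tokens) and tokens[i] != "}":
            perms.append(tokens[i])
            i += 1
        if i >= len(tokens):
            raise ValueError("unterminated '{' block")
        return perms, i + 1

    i = 0
    while i < len(tokens):
        keyword = tokens[i]
        if keyword == "common":
            name = tokens[i + 1]
            if tokens[i + 2] != "{":
                raise ValueError(f"common {name}: expected '{{'")
            commons[name], i = read_block(i + 2)
        elif keyword == "class":
            name, i, parent, own = tokens[i + 1], i + 2, None, []
            if i < len(tokens) and tokens[i] == "inherits":
                parent = tokens[i + 1]
                if parent not in commons:  # commons must precede their users
                    raise ValueError(f"class {name} inherits undefined common {parent}")
                i += 2
            if i < len(tokens) and tokens[i] == "{":  # block is optional
                own, i = read_block(i)
            if parent is None and not own:
                raise ValueError(f"class {name} declares no permissions")
            classes[name] = (parent, own)
        else:
            raise ValueError(f"unexpected token {keyword!r}")
    return commons, classes


def effective_permissions(commons, classes, class_name):
    """Sorted full permission set of a class: inherited common perms plus its own."""
    parent, own = classes[class_name]
    return sorted(set(commons[parent] if parent else []) | set(own))


def class_table(text):
    """{class_name: sorted effective permissions} for a whole file."""
    commons, classes = parse_access_vectors(text)
    return {name: effective_permissions(commons, classes, name) for name in classes}


def shadowed_permissions(text):
    """Own permissions that repeat one already supplied by the inherited common."""
    commons, classes = parse_access_vectors(text)
    return {name: sorted(set(own) & set(commons[parent]))
            for name, (parent, own) in classes.items()
            if parent and set(own) & set(commons[parent])}


if __name__ == "__main__":
    for name, perms in class_table(SAMPLE_ACCESS_VECTORS).items():
        print(f"{name}: {len(perms)} permissions: {' '.join(perms)}")
```

Running the block on the real policy/flask/access_vectors file (pass its contents instead of the sample) gives the complete permission set per class, which is a quick way to see that, for example, every permission on `dir` that comes from the `file` common also applies to `lnk_file`.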

  • policy/mcs

The multi-category security (MCS) configuration.

  • policy/mls

The multi-level security (MLS) configuration.

  • policy/modules/*

Each directory represents a layer in the Reference Policy; every module is contained in one of these layers.

  • policy/modules.conf

This file lists the available modules and how each is used when building the Reference Policy.

To prevent a module from being used, set the module to "off".

For monolithic policies, modules set to "base" and "module" are both included in the policy.

For modular policies, modules set to "base" are included in the base module, while those set to "module" are compiled as individual loadable modules.
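As an added example (not code from this page or from the refpolicy build system), the following Python code parses a modules.conf file and applies the three rules above to produce the build plan for either a monolithic or a modular build. It also carries a lint check for modules annotated as required in the base but set to something else; the "# Required in base" comment form is an assumption about how refpolicy annotates generated modules.conf entries, so treat that check as illustrative. The sample input is constructed: the module names are real refpolicy modules, but the states chosen are for demonstration only.

```python
import re

# Constructed sample in the format of policy/modules.conf (real module names,
# illustrative states).  The "# Required in base" marker form is an assumption.
SAMPLE_MODULES_CONF = """
# Layer: kernel
# Module: kernel
# Required in base
#
# Policy for kernel threads, proc filesystem,
# and unlabeled processes and objects.
#
kernel = base

# Layer: system
# Module: init
# Required in base
#
# System initialization programs (init and init scripts).
#
init = base

# Layer: apps
# Module: gpg
#
# Policy for GNU Privacy Guard and related programs.
#
gpg = module

# Layer: services
# Module: apache
#
apache = module

# Layer: services
# Module: telnet
#
telnet = off

# Layer: system
# Module: selinuxutil
# Required in base
#
selinuxutil = module
"""

VALID_STATES = {"base", "module", "off"}
ASSIGN_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(\w+)$")


def parse_modules_conf(text):
    """Return ({module: state}, {module: required_in_base}).

    Raises ValueError on a malformed line or an unknown state, since the
    build would not accept either.
    """
    states, required = {}, {}
    pending_required = False  # set by the comment block preceding an assignment
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line[1:].strip() == "Required in base":  # assumed annotation
                pending_required = True
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a 'name = state' assignment: {raw!r}")
        name, state = m.groups()
        if state not in VALID_STATES:
            raise ValueError(f"line {lineno}: module {name} has invalid state {state!r}")
        states[name] = state
        required[name] = pending_required
        pending_required = False
    return states, required


def plan_build(states, monolithic):
    """Apply the modules.conf rules: "off" is excluded; for a monolithic build
    "base" and "module" both go into the single policy; for a modular build
    "base" goes into the base module and "module" becomes a loadable module."""
    plan = {"included": [], "loadable": [], "excluded": []}
    for name in sorted(states):
        state = states[name]
        if state == "off":
            plan["excluded"].append(name)
        elif monolithic or state == "base":
            plan["included"].append(name)
        else:
            plan["loadable"].append(name)
    return plan


def check_required(states, required):
    """Modules annotated as required in base but not set to "base"."""
    return sorted(n for n, req in required.items() if req and states[n] != "base")


def lint_modules_conf(text):
    """Return a list of problems instead of raising (useful as a pre-build check)."""
    try:
        states, required = parse_modules_conf(text)
    except ValueError as exc:
        return [str(exc)]
    return [f"{n} is marked required in base but set to {states[n]}"
            for n in check_required(states, required)]


if __name__ == "__main__":
    states, required = parse_modules_conf(SAMPLE_MODULES_CONF)
    print("modular:   ", plan_build(states, monolithic=False))
    print("monolithic:", plan_build(states, monolithic=True))
    print("problems:  ", lint_modules_conf(SAMPLE_MODULES_CONF))
```

Pointing `parse_modules_conf` at a real policy/modules.conf shows at a glance which modules a given build.conf (MONOLITHIC set or not) will compile into the base, which become separate .pp packages, and which are dropped; the lint step is the kind of check worth running before `make conf` output is edited by hand.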

  • policy/support/*

Support macros.

  • policy/users

This file defines the users included in the policy.

  • support/*

Tools used in the build process.

The next installment continues with the remaining sections of the README.
