Linux的sesearch命令怎么使用
导读:本文共2656字符,通常情况下阅读需要9分钟。同时您也可以点击右侧朗读,来听本文内容。按键盘←(左) →(右) 方向键可以翻页。
摘要: Linux常用命令sesearch用于搜索SELinux安全策略规则集,命令来自包:yum install setools-console。语法sesearch[OPTIONS]RULE_TYPE[RULE_TYPE...][EXPRESSION][POLICY...]选项-d,--direct不搜索type的属性•-R,--regex使用正... ...
音频解说
目录
(为您整理了一些要点),点击可以直达。
语法
sesearch[OPTIONS]RULE_TYPE[RULE_TYPE...][EXPRESSION][POLICY...]
选项
-d,--direct不搜索type的属性•-R,--regex使用正则表达式进行匹配•-n,--linenum显示每条可用规则的行号•-S,--semantic搜索语义(semantically)规则替代语法(syntactically)规则•-C,--show_cond显示条件规则的条件表达式•-h,--help帮助信息•-V,--version版本号RULE_TYPES:-A,--allow允许(allow)的规则--neverallow从不允许(neverallow)的规则--auditallow审计(auditallow)的规则-D,--dontaudit不审计的规则-T,--typetype_trans,type_member,和type_change(我也不懂这个干啥,待补充!)--role_allow角色允许的规则--role_tansrole_transition规则--range_transrange_transition规则--all所有规则,不论是:type,class,或perms(seinfo可获取class,type值)EXPRESSIONS:-sNAME,--source=NAME具有类型、属性值为NAME的规则作为源头(进程主体的概念)-tNAME,--target=NAME具有类型、属性值为NAME的规则作为目标(文件,端口等类型的概念)--role_source=NAME具有角色值为NAME的规则作为源头--role_target=NAME具有角色值为NAME的规则作为目标-cNAME,--class=NAME具有class值为NAME的规则作为对象类(theobjectclass)-pP1[,P2,...],--perm=P1[,P2,...]具有特定权限的规则-bNAME,--bool=NAME具有NAME值在表达式中的条件规则
实例
#1.显示所有allow的规则[root@tim~]#sesearch--allowFound101724semanticavrules:allowlogrotate_tsystemd_passwd_var_run_t:sock_file{ioctlreadwritecreategetattrsetattrlock...allowdmidecode_tvirtd_t:fduse;allowssh_keygen_tanaconda_t:fduse;allowlogadm_tsystemd_passwd_var_run_t:sock_file{ioctlreadwritecreategetattrsetattrlockapp...allowunconfined_dbusd_tunconfined_dbusd_t:x_device{getattrsetattrusereadwritegetfocussetfo........#2.显示httpd_t(-sxx)域允许(--allow)访问的规则(-d含义是只显示直接管理搜索结果)[root@tim~]#sesearch-shttpd_t--allow-dFound1294semanticavrules:allowhttpd_tsystem_dbusd_t:unix_stream_socketconnectto;allowhttpd_tdirsrv_config_t:file{ioctlreadwritecreategetattrsetattrlockappendunlinklinkrenameop...allowhttpd_tdirsrv_config_t:dir{ioctlreadwritecreategetattrsetattrlockunlinklinkrenameadd_namer...allowhttpd_thttpd_squirrelmail_t:file{ioctlreadwritecreategetattrsetattrlockappendunlinklinkrena........#3.显示允许(--allow)访问httpd_sys_script_exec_t(-txx)类型的规则[root@tim~]#sesearch-thttpd_sys_script_exec_t--allow-dFound11semanticavrules:allowhttpd_sys_script_thttpd_sys_script_exec_t:file{ioctlreadgetattrlockexecuteexecute_no_transentryp...allowhttpd_sys_script_thttpd_sys_script_exec_t:dir{ioctlreadgetattrlocksearchopen};allowhttpd_sys_script_exec_thttpd_sys_script_exec_t:filesystemassociate;allowopenshift_domainhttpd_sys_script_exec_t:file{ioctlreadgetattrlockexecuteexecute_no_transopen};allowopenshift_domainhttpd_sys_script_exec_t:dir{getattrsearchopen};.....#4.显示能够写(-pwrite)shadow_t类型文件(-cfile)的规则[root@tim~]#sesearch-tshadow_t-cfile-pwrite--allowFound11semanticavrules:allowupdpwd_tshadow_t:file{ioctlreadwritecreategetattrsetattrlockappendunlinklinkrenameopen};allowyppasswdd_tshadow_t:file{ioctlreadwritecreategetattrsetattrlockrelabelfromrelabeltoappendunl...allowpegasus_openlmi_account_tshadow_t:file{ioctlreadwritecreategetattrsetattrlockrelabelfromrelabe...allowfiles_unconfined_typefile_type:file{ioctlreadwritecreategetattrsetattrlockrelabelfromrelabelto...allowsysadm_passwd_tshadow_t:file{ioctlreadwritecreategetattrsetattrlockrelabelfromrelabeltoappend........#5.显示含二元值samba_enable_home_dirs(-bxx)开关的条件规则[root@tim~]#sesearch-bsamba_enable_home_dirs--allow-dFound23semanticavrules:allowsmbd_thome_root_t:dir{ioctlreadgetattrlocksearchopen};allowsmbd_thome_root_t:lnk_file{readgetattr};allowsmbd_tuser_home_type:file{ioctlreadwritecreategetattrsetattrlockappendunlinklinkrenameopen...allowsmbd_tuser_home_type:dir{ioctlreadwritecreategetattrsetattrlockunlinklinkrenameadd_nameremov...allowsmbd_tuser_home_type:lnk_file{ioctlreadwritecreategetattrsetattrlockappendunlinklinkrename}; </div> <div class="zixun-tj-product adv-bottom"></div> </div> </div> <div class="prve-next-news">本文:
Linux的sesearch命令怎么使用的详细内容,希望对您有所帮助,信息来源于网络。