Skip to content

hongfeiyucode/sepolicy-inject-pro

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
libs
libs
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
sepolicy-inject.c
sepolicy-inject.c
 
 

Repository files navigation

Sepolicy Inject Pro

Install

sudo apt install libsepol1 libsepol1-dev gcc sepol-utils
git clone 
cd sepolicy-inject
make

Introduce

Injecting a rule:

./sepolicy-inject -s shell -t system -c file -p read -P sepolicy
./sepolicy-inject -s <source type> -t <target type> -c <class> -p <permission> -P <policy file>
allow <source type>  <target type>:<class>  <permission>

Injecting multiple permissions:

./sepolicy-inject -s shell -t system -c file -p read,write,open -P sepolicy
./sepolicy-inject -s <source type> -t <target type> -c <class> -p <permissions> -P <policy file>

Add a type_attribute to a domain:

./sepolicy-inject -s su -a mlstrustedsubject -P sepolicy
./sepolicy-inject -s <type> -a <attribute> -P <policy file>
typeattribute <type> <attribute>

Injecting a permissive domain:

./sepolicy-inject -Z shell -P sepolicy
./sepolicy-inject -Z <type_to_make_permissive> -P <policy file>

Change a permissive domain to non-permissive:

./sepolicy-inject -z shell -P sepolicy 
./sepolicy-inject -z <type_to_make_nonpermissive> -P <policy file>

Test a SELinux type exists:

./sepolicy-inject -e -s shell -P sepolicy

Test a SELinux class exists:

./sepolicy-inject -e -c service_manager -P sepolicy

Add a transition:

./sepolicy-inject -s su_daemon -f device -c file -t su_device -P sepolicy

Add a filename transition:

./sepolicy-inject -s su_daemon -f device -c file -g "socket" -t su_device -P sepolicy

All options can add -o <output file> to output to another file

Add auto allow patch support

The patch will work like this:

./sepolicy-inject --auto -P sepolicy

This will allow all possible transition (just like selinux disabled)

./sepolicy-inject --auto -s su -P sepolicy

This will allow all transitions from su to any type

./sepolicy-inject --auto -t su -P sepolicy

This will allow all transitions from any type to su

./sepolicy-inject --auto -c file -P sepolicy

This will allow any transitions involving the class file

./sepolicy-inject --auto -s su -t system_data_file -P sepolicy

This will allow all transitions from su to system_data_file

Delete

Add --not option to add a DENY rule (or rather delete allow)

TODO

  • permissive $domain;
  • unconfined_domain($domain)
  • 遍历 permissive $domain;
  • 遍历 unconfined_domain($domain)
  • 删除功能
  • 删除哪些多余,重复,矛盾的语句。确保文件小于之前
  • 输入文件,文件内容为allow语句,可以直接删除文件中所有allow语句

About

sepolicy-inject工具的改进

Resources

Readme

License

GPL-3.0 license
Activity

Stars

8 stars

Watchers

3 watching

Forks

2 forks
Report repository

Releases 1

修改功能完成 Latest
Mar 7, 2017

Packages

No packages published

Languages