
SELinux: появляются лишние разрешения при создании собственного модуля

Добрый день!

Пытаюсь освоить SELinux в Debian. Все хорошо, но возникает проблема: прописываю в своем модуле новый тип и разрешения к нему, но при установке этого модуля получаю еще уйму лишних разрешений, которые непонятным образом сгенерировались:

# sesearch --allow --target fz_fs_allow_write_t
Found 157 semantic av rules:
   allow dhcpc_t file_type : filesystem getattr ; 
   allow staff_t file_type : filesystem getattr ; 
   allow xdm_t file_type : filesystem getattr ; 
   allow clvmd_t file_type : filesystem getattr ; 
   allow mount_t file_type : filesystem { mount unmount relabelto } ; 
   allow mount_t file_type : dir { getattr search open } ; 
   allow crond_t file_type : filesystem getattr ; 
   allow setfiles_t file_type : file { getattr relabelfrom relabelto } ; 
   allow logrotate_t file_type : dir { getattr search open } ; 
   allow setfiles_t file_type : dir { ioctl read getattr lock relabelfrom relabelto search open } ; 
   allow setfiles_t file_type : lnk_file { getattr relabelfrom relabelto } ; 
   allow setfiles_t file_type : chr_file { getattr relabelfrom } ; 
   allow setfiles_t file_type : blk_file { getattr relabelfrom } ; 
   allow setfiles_t file_type : sock_file { getattr relabelfrom relabelto } ; 
   allow setfiles_t file_type : fifo_file { getattr relabelfrom relabelto } ; 
   allow initrc_t file_type : filesystem getattr ; 
   allow dpkg_t file_type : filesystem getattr ; 
   allow cupsd_t file_type : filesystem getattr ; 
   allow nfsd_t file_type : filesystem getattr ; 
   allow initrc_t file_type : file getattr ; 
   allow unconfined_java_t file_type : file execmod ; 
   allow initrc_t file_type : dir { ioctl read getattr lock search open } ; 
   allow initrc_t file_type : lnk_file getattr ; 
   allow initrc_t file_type : sock_file getattr ; 
   allow initrc_t file_type : fifo_file getattr ; 
   allow ftpd_t file_type : filesystem getattr ; 
   allow nmbd_t file_type : filesystem getattr ; 
   allow udev_t file_type : filesystem getattr ; 
   allow cronjob_t file_type : filesystem getattr ; 
   allow winbind_t file_type : filesystem getattr ; 
   allow dpkg_script_t fz_fs_allow_write_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow dpkg_script_t fz_fs_allow_write_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; 
   allow dpkg_script_t fz_fs_allow_write_t : lnk_file { read write create getattr setattr unlink link rename } ; 
   allow dpkg_script_t fz_fs_allow_write_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow dpkg_script_t fz_fs_allow_write_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow files_unconfined_type file_type : filesystem { mount remount unmount getattr relabelfrom relabelto transition associate quotamod quotaget } ; 
   allow hald_acl_t file_type : filesystem getattr ; 
   allow user_t file_type : filesystem getattr ; 
   allow portmap_t file_type : filesystem getattr ; 
   allow files_unconfined_type file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans entrypoint open } ; 
   allow files_unconfined_type file_type : dir { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton add_name remove_name reparent search rmdir open } ; 
   allow files_unconfined_type file_type : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton } ; 
   allow files_unconfined_type file_type : chr_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans entrypoint open } ; 
   allow files_unconfined_type file_type : blk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton open } ; 
   allow files_unconfined_type file_type : sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton open } ; 
   allow files_unconfined_type file_type : fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton open } ; 
   allow sysadm_t fz_fs_allow_write_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ; 
   allow sysadm_t fz_fs_allow_write_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ; 
   allow sysadm_t fz_fs_allow_write_t : lnk_file { read write create getattr setattr relabelfrom relabelto unlink link rename } ; 
   allow sysadm_t fz_fs_allow_write_t : chr_file { getattr relabelfrom } ; 
   allow sysadm_t fz_fs_allow_write_t : blk_file { getattr relabelfrom } ; 
   allow sysadm_t fz_fs_allow_write_t : sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ; 
   allow sysadm_t fz_fs_allow_write_t : fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ; 
   allow NetworkManager_t file_type : filesystem getattr ; 
   allow hald_t file_type : filesystem getattr ; 
   allow pppd_t file_type : filesystem getattr ; 
   allow hald_t file_type : file getattr ; 
   allow hald_t file_type : dir { getattr search open } ; 
   allow hald_t file_type : lnk_file getattr ; 
   allow hplip_t file_type : filesystem getattr ; 
   allow pptp_t file_type : filesystem getattr ; 
   allow system_dbusd_t file_type : filesystem getattr ; 
   allow tmpreaper_t file_type : file getattr ; 
   allow devicekit_disk_t file_type : file getattr ; 
   allow tmpreaper_t file_type : dir { getattr search open } ; 
   allow devicekit_disk_t file_type : dir { ioctl read getattr lock search open } ; 
   allow tmpreaper_t file_type : lnk_file getattr ; 
   allow devicekit_disk_t file_type : lnk_file getattr ; 
   allow devicekit_disk_t file_type : sock_file getattr ; 
   allow httpd_t file_type : filesystem getattr ; 
   allow ptal_t file_type : filesystem getattr ; 
   allow inetd_t file_type : filesystem getattr ; 
   allow fsadm_t file_type : dir { getattr search open } ; 
   allow sysadm_t file_type : filesystem getattr ; 
   allow system_cronjob_t file_type : filesystem getattr ; 
   allow auditd_t file_type : filesystem getattr ; 
   allow apmd_t file_type : filesystem getattr ; 
   allow system_cronjob_t file_type : file getattr ; 
   allow system_cronjob_t file_type : dir { ioctl read getattr lock search open } ; 
   allow system_cronjob_t file_type : lnk_file getattr ; 
   allow system_cronjob_t file_type : sock_file getattr ; 
   allow system_cronjob_t file_type : fifo_file getattr ; 
   allow apt_t file_type : filesystem getattr ; 
   allow klogd_t file_type : filesystem getattr ; 
   allow rpcd_t file_type : filesystem getattr ; 
   allow rpcd_t file_type : dir { getattr search open } ; 
   allow pam_console_t file_type : filesystem getattr ; 
   allow syslogd_t file_type : filesystem getattr ; 
   allow auditctl_t file_type : file getattr ; 
   allow auditctl_t file_type : dir { getattr search open } ; 
   allow auditctl_t file_type : lnk_file getattr ; 
   allow fz_fs_allow_write_t fz_fs_allow_write_t : filesystem associate ; 
   allow avahi_t file_type : filesystem getattr ; 
   allow lpd_t file_type : filesystem getattr ; 
   allow smbd_t file_type : filesystem getattr ; 
   allow restorecond_t fz_fs_allow_write_t : file { ioctl read getattr lock relabelfrom relabelto open } ; 
   allow restorecond_t fz_fs_allow_write_t : dir { ioctl read getattr lock relabelfrom relabelto search open } ; 
   allow restorecond_t fz_fs_allow_write_t : lnk_file { getattr relabelfrom relabelto } ; 
   allow restorecond_t fz_fs_allow_write_t : chr_file { getattr relabelfrom } ; 
   allow restorecond_t fz_fs_allow_write_t : blk_file { getattr relabelfrom } ; 
   allow restorecond_t fz_fs_allow_write_t : sock_file { getattr relabelfrom relabelto } ; 
   allow restorecond_t fz_fs_allow_write_t : fifo_file { getattr relabelfrom relabelto } ; 
   allow ssh_t file_type : filesystem getattr ; 
   allow dpkg_t fz_fs_allow_write_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ; 
   allow dpkg_t fz_fs_allow_write_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ; 
   allow dpkg_t fz_fs_allow_write_t : lnk_file { read write create getattr setattr relabelfrom relabelto unlink link rename } ; 
   allow dpkg_t fz_fs_allow_write_t : chr_file { getattr relabelfrom } ; 
   allow dpkg_t fz_fs_allow_write_t : blk_file { getattr relabelfrom } ; 
   allow dpkg_t fz_fs_allow_write_t : sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ; 
   allow dpkg_t fz_fs_allow_write_t : fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ; 
   allow cupsd_config_t file_type : filesystem getattr ; 
   allow ftpd_t fz_fs_allow_write_t : dir write ; 
   allow nfsd_t file_type : dir { ioctl read getattr lock search open } ; 
   allow nfsd_t file_type : sock_file getattr ; 
   allow nfsd_t file_type : fifo_file getattr ; 
   allow files_unconfined_type file_type : file execmod ; 
   allow sftpd_t fz_fs_allow_write_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow sftpd_t fz_fs_allow_write_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; 
   allow sftpd_t fz_fs_allow_write_t : lnk_file { read write create getattr setattr unlink link rename } ; 
   allow sftpd_t fz_fs_allow_write_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow sftpd_t fz_fs_allow_write_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow smbd_t fz_fs_allow_write_t : file { ioctl read getattr lock open } ; 
   allow smbd_t fz_fs_allow_write_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow smbd_t fz_fs_allow_write_t : dir { ioctl read getattr lock search open } ; 
   allow smbd_t fz_fs_allow_write_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; 
   allow smbd_t fz_fs_allow_write_t : lnk_file { read write create getattr setattr unlink link rename } ; 
   allow smbd_t fz_fs_allow_write_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow smbd_t fz_fs_allow_write_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow kernel_t fz_fs_allow_write_t : file { ioctl read getattr lock open } ; 
   allow kernel_t fz_fs_allow_write_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow mount_t fz_fs_allow_write_t : file { ioctl read getattr lock open } ; 
   allow kernel_t fz_fs_allow_write_t : dir { ioctl read getattr lock search open } ; 
   allow kernel_t fz_fs_allow_write_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; 
   allow mount_t fz_fs_allow_write_t : dir { ioctl read getattr lock search open } ; 
   allow kernel_t fz_fs_allow_write_t : lnk_file { read getattr } ; 
   allow kernel_t fz_fs_allow_write_t : lnk_file { read write create getattr setattr unlink link rename } ; 
   allow kernel_t fz_fs_allow_write_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow kernel_t fz_fs_allow_write_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow nfsd_t fz_fs_allow_write_t : file { ioctl read getattr lock open } ; 
   allow nfsd_t fz_fs_allow_write_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow nfsd_t fz_fs_allow_write_t : dir { ioctl read getattr lock search open } ; 
   allow nfsd_t fz_fs_allow_write_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; 
   allow nfsd_t fz_fs_allow_write_t : lnk_file { read write create getattr setattr unlink link rename } ; 
   allow nfsd_t fz_fs_allow_write_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow nfsd_t fz_fs_allow_write_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow ftpd_t fz_fs_allow_write_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow nmbd_t fz_fs_allow_write_t : file { ioctl read getattr lock open } ; 
   allow nmbd_t fz_fs_allow_write_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow ftpd_t fz_fs_allow_write_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; 
   allow nmbd_t fz_fs_allow_write_t : dir { ioctl read getattr lock search open } ; 
   allow nmbd_t fz_fs_allow_write_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; 
   allow ftpd_t fz_fs_allow_write_t : lnk_file { read write create getattr setattr unlink link rename } ; 
   allow nmbd_t fz_fs_allow_write_t : lnk_file { read write create getattr setattr unlink link rename } ; 
   allow ftpd_t fz_fs_allow_write_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow nmbd_t fz_fs_allow_write_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow ftpd_t fz_fs_allow_write_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow nmbd_t fz_fs_allow_write_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 

Откуда берутся эти allow, и как же от них избавиться?


Sodds

Ограничение доступа к объектам при помощи SELinux

Здравствуйте! Моя задача: ограничить доступ к объекту (начал с самого простого — файла) конкретному приложению. Оптимальное решение, на мой взгляд, — определить новый тип и разрешения в новом модуле, например:

# Policy module: declares four new file types and the access that the gdm_t
# domain is granted on them.
module fz_fs_allow 1.0.0;
# Symbols used here but declared elsewhere; they have to exist in the policy
# this module is loaded into.  Only gdm_t is referenced as a subject domain.
require {
attribute file_type;
type gdm_t;
class file read;
class file write;
};

# Every new type is made a member of the file_type attribute.  Each base-policy
# rule whose target is that attribute (the "allow <domain> file_type : ..."
# lines in the sesearch listing above) therefore applies to these types too.
# The listed rules that name fz_fs_allow_write_t directly but are not written
# here (dpkg_t, sysadm_t, kernel_t, nfsd_t, ...) presumably come from further
# attribute expansion in this policy -- NOTE(review): confirm with
# `sesearch --allow --target file_type` on the installed policy.
type fz_fs_allow_all_t, file_type;
type fz_fs_allow_read_t, file_type;
type fz_fs_allow_write_t, file_type;
type fz_fs_deny_all_t, file_type;

# allow rules only add permissions: nothing below removes access that another
# domain already holds through other rules, so the attribute membership chosen
# above is what decides which other domains can also reach these files.
# gdm_t: read and write on the "all" type, read-only and write-only on the
# other two; nothing is granted on fz_fs_deny_all_t.
allow gdm_t fz_fs_allow_all_t:file { read write };
allow gdm_t fz_fs_allow_read_t:file { read };
allow gdm_t fz_fs_allow_write_t:file { write };

Далее модуль собираю, загружаю, делаю semanage fcontext на файл (устанавливаю для него тип fz_fs_allow_write_t). Теперь к этому файлу должна быть разрешена только запись, но почему-то не прокатывает, и разрешено все. В логах ничего по этому поводу, сам SELinux работает. Может, кто-то имел опыт администрирования всего этого дела? Начинаю грешить на Ubuntu.


Sodds
