Sunday, February 14, 2016

SELinux notes

Discretionary access control (DAC)
 ・The owner of a file can change its access permissions at will
 ・The root user holds a privilege that lets it bypass discretionary access control entirely

Mandatory access control (MAC)
 ・Even the owner of a file cannot change the file's access rights in an environment where SELinux is enabled
 ・Because the OS hooks system calls, access to every resource can be checked against the policy

For example, even if the Apache HTTP server is compromised, the attacker cannot use the
compromised process to read files in a directory they are after (e.g. a user's home
directory) unless a specific SELinux policy rule has been added and configured to allow
access to those files.

The following URLs are useful references on SELinux in general.
http://hondou.homedns.org/pukiwiki/pukiwiki.php?SL62%20SELinux
http://www.ospn.jp/osc2008-nagoya/secureos-ug.pdf
http://www.linuxmania.jp/selinux_introduction_1.html#g151e794
http://www.slideshare.net/ishikawa84g/hbstudy-28-selinuxhandson

Access control is defined by the following three parts of a policy module.
・TE (Type Enforcement)
 The policy body itself (types, domains and the allow rules between them)
・FC (File Context)
 Describes which label is applied to which file path
・IF (Interface)
 The interfaces (macros) that the module exposes to other modules
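To make the three parts concrete, here is an added example (not code from the original post) that writes a minimal TE/FC/IF set for a hypothetical daemon and, where `selinux-policy-devel` provides `/usr/share/selinux/devel/Makefile`, builds and loads it. The names `mydaemon`, `mydaemon_t`, `mydaemon_exec_t`, `mydaemon_var_lib_t`, `/usr/sbin/mydaemon` and `/var/lib/mydaemon` are assumptions chosen for illustration; the refpolicy macros (`policy_module`, `init_daemon_domain`, `files_type`, `manage_files_pattern`, `read_files_pattern`, `gen_context`, `gen_require`) are the standard ones the devel package ships.

```shell
#!/bin/sh
# Added example, not from the original post: write the three parts of a
# minimal SELinux policy module for a hypothetical daemon "mydaemon".
# All mydaemon* names and paths are assumptions for illustration.
set -eu

write_module() {
    dir="$1"
    mkdir -p "$dir"

    # TE: the policy body. Declares the domain, its entrypoint and the
    # types it may touch. Nothing outside these rules is allowed.
    cat > "$dir/mydaemon.te" <<'EOF'
policy_module(mydaemon, 1.0.0)

type mydaemon_t;
type mydaemon_exec_t;
init_daemon_domain(mydaemon_t, mydaemon_exec_t)

type mydaemon_var_lib_t;
files_type(mydaemon_var_lib_t)

# The daemon may manage its own state directory and nothing else.
manage_dirs_pattern(mydaemon_t, mydaemon_var_lib_t, mydaemon_var_lib_t)
manage_files_pattern(mydaemon_t, mydaemon_var_lib_t, mydaemon_var_lib_t)
EOF

    # FC: which label goes on which path (regular expression on the left).
    cat > "$dir/mydaemon.fc" <<'EOF'
/usr/sbin/mydaemon      --  gen_context(system_u:object_r:mydaemon_exec_t,s0)
/var/lib/mydaemon(/.*)?     gen_context(system_u:object_r:mydaemon_var_lib_t,s0)
EOF

    # IF: macros other modules call to interact with this one. Here a single
    # interface that grants read access to the daemon's state files.
    cat > "$dir/mydaemon.if" <<'EOF'
## <summary>Hypothetical mydaemon service (example)</summary>

########################################
## <summary>
##	Read mydaemon state files.
## </summary>
## <param name="domain">
##	<summary>Domain allowed access.</summary>
## </param>
#
interface(`mydaemon_read_state',`
	gen_require(`
		type mydaemon_var_lib_t;
	')
	read_files_pattern($1, mydaemon_var_lib_t, mydaemon_var_lib_t)
')
EOF
}

# Compile and load the module only where selinux-policy-devel is installed;
# afterwards relabel the paths named in the .fc file.
build_module() {
    dir="$1"
    if [ -f /usr/share/selinux/devel/Makefile ]; then
        (cd "$dir" && make -f /usr/share/selinux/devel/Makefile mydaemon.pp)
        semodule -i "$dir/mydaemon.pp"
        restorecon -Rv /usr/sbin/mydaemon /var/lib/mydaemon
        return 0
    fi
    echo "selinux-policy-devel not installed; module written to $dir only" >&2
    return 1
}

# Number of module parts written into the directory (expected: 3).
module_part_count() {
    ls "$1"/mydaemon.te "$1"/mydaemon.fc "$1"/mydaemon.if 2>/dev/null | wc -l | tr -d ' '
}

# Usage: write_module ./mydaemon && build_module ./mydaemon
```

The TE file deliberately allows only the daemon's own state directory; any other access the daemon needs shows up as an AVC denial in the audit log and is added as a rule on purpose, rather than the domain starting out permissive.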

<Reference>
Command-line tool for checking the on/off state (boolean) of SELinux's built-in rules
# getsebool -a

Command-line tool for setting the on/off state (boolean) of SELinux's built-in rules
# getsebool samba_enable_home_dirs
samba_enable_home_dirs --> off
# setsebool -P samba_enable_home_dirs on
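Booleans are the part of the policy most likely to drift after someone flips one "just to make it work". The following added example (not from the original post) compares `getsebool -a` output against a desired baseline and reports every boolean that differs, then applies the baseline with `setsebool -P` (the `-P` makes the change persistent across reboots). The baseline values and the sample `getsebool` output are constructed for illustration; they follow the `name --> value` format shown above but are not a recommendation from the post.

```shell
#!/bin/sh
# Added example, not from the original post: detect and fix drift between a
# boolean baseline and the live `getsebool -a` output.

# Desired state, one "name value" per line (constructed for illustration).
BASELINE='samba_enable_home_dirs off
httpd_can_network_connect off
httpd_enable_homedirs off
ftp_home_dir off'

# Sample `getsebool -a` output, constructed in the format shown on the post.
SAMPLE_GETSEBOOL='ftp_home_dir --> off
httpd_can_network_connect --> on
httpd_enable_homedirs --> off
samba_enable_home_dirs --> off'

# boolean_drift BASELINE CURRENT_OUTPUT
# Prints "name current expected" for every boolean that differs from the
# baseline; "unknown" as the current value means the boolean is not present.
boolean_drift() {
    printf '%s\n' "$1" | while read -r name want; do
        [ -n "$name" ] || continue
        have=$(printf '%s\n' "$2" | awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
        if [ -z "$have" ]; then
            printf '%s unknown %s\n' "$name" "$want"
        elif [ "$have" != "$want" ]; then
            printf '%s %s %s\n' "$name" "$have" "$want"
        fi
    done
}

# Number of drifted (or missing) booleans.
drift_count() {
    boolean_drift "$1" "$2" | wc -l | tr -d ' '
}

# enforce_baseline BASELINE
# Applies the baseline with setsebool -P on a live SELinux host; booleans the
# policy does not define are reported and skipped.
enforce_baseline() {
    if ! command -v getsebool >/dev/null 2>&1; then
        echo "getsebool not available; nothing applied" >&2
        return 1
    fi
    boolean_drift "$1" "$(getsebool -a)" | while read -r name have want; do
        if [ "$have" = "unknown" ]; then
            echo "skip $name: not defined by the loaded policy" >&2
            continue
        fi
        echo "setting $name: $have -> $want"
        setsebool -P "$name" "$want"
    done
}

# Usage on a live host: boolean_drift "$BASELINE" "$(getsebool -a)"; enforce_baseline "$BASELINE"
```

Running `boolean_drift` from a periodic job and alerting on non-empty output gives a cheap detection for policy weakening; `enforce_baseline` is the remediation step.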

SELinux command-line (CUI) tools
# semanage login -l

ログイン名                     SELinux ユーザー              MLS/MCS 範囲              

__default__               unconfined_u              s0-s0:c0.c1023          
root                      unconfined_u              s0-s0:c0.c1023          
system_u                  system_u                  s0-s0:c0.c1023 

# semanage user -l

                ラベリング      MLS/       MLS/                         
SELinux ユーザー    プレフィックス    MCS レベル    MCS 範囲                         SELinux ロール

git_shell_u     user       s0         s0                             git_shell_r
guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r

# semanage port -l
SELinux ポートタイプ                 プロト      ポート番号

afs_bos_port_t                 udp      7007
afs_client_port_t              udp      7001
afs_fs_port_t                  tcp      2040
afs_fs_port_t                  udp      7000, 7005
afs_ka_port_t                  udp      7004
afs_pt_port_t                  udp      7002
afs_vl_port_t                  udp      7003
agentx_port_t                  tcp      705
agentx_port_t                  udp      705
amanda_port_t                  tcp      10080-10083
amanda_port_t                  udp      10080-10082
amavisd_recv_port_t            tcp      10024
amavisd_send_port_t            tcp      10025
amqp_port_t                    tcp      5671, 5672
amqp_port_t                    udp      5671, 5672
aol_port_t                     tcp      5190-5193
aol_port_t                     udp      5190-5193
apcupsd_port_t                 tcp      3551
apcupsd_port_t                 udp      3551
apertus_ldp_port_t             tcp      539
apertus_ldp_port_t             udp      539
asterisk_port_t                tcp      1720
asterisk_port_t                udp      2427, 2727, 4569
audit_port_t                   tcp      60
auth_port_t                    tcp      113
bgp_port_t                     tcp      179, 2605
bgp_port_t                     udp      179, 2605
boinc_port_t                   tcp      31416
certmaster_port_t              tcp      51235
chronyd_port_t                 udp      323
clamd_port_t                   tcp      3310
clockspeed_port_t              udp      4041
cluster_port_t                 tcp      5149, 40040, 50006-50008
cluster_port_t                 udp      5149, 50006-50008
cma_port_t                     tcp      1050
cma_port_t                     udp      1050
cobbler_port_t                 tcp      25151
commplex_port_t                tcp      5000, 5001
commplex_port_t                udp      5000, 5001
comsat_port_t                  udp      512
condor_port_t                  tcp      9618
condor_port_t                  udp      9618
ctdb_port_t                    tcp      4379
ctdb_port_t                    udp      4379
cvs_port_t                     tcp      2401
cvs_port_t                     udp      2401
cyphesis_port_t                tcp      6767, 6769, 6780-6799
cyphesis_port_t                udp      32771
dbskkd_port_t                  tcp      1178
dcc_port_t                     udp      6276, 6277
dccm_port_t                    tcp      5679
dccm_port_t                    udp      5679
dhcpc_port_t                   tcp      68, 546
dhcpc_port_t                   udp      68, 546
dhcpd_port_t                   tcp      547, 548, 647, 847, 7911
dhcpd_port_t                   udp      67, 547, 548, 647, 847
dict_port_t                    tcp      2628
distccd_port_t                 tcp      3632
dns_port_t                     tcp      53
dns_port_t                     udp      53
dogtag_port_t                  tcp      7390
dspam_port_t                   tcp      10026
epmap_port_t                   tcp      135
epmap_port_t                   udp      135
festival_port_t                tcp      1314
fingerd_port_t                 tcp      79
flash_port_t                   tcp      843, 1935
flash_port_t                   udp      1935
florence_port_t                tcp      1228
florence_port_t                udp      1228
ftp_data_port_t                tcp      20
ftp_port_t                     tcp      21, 990
ftp_port_t                     udp      990
gatekeeper_port_t              tcp      1721, 7000
gatekeeper_port_t              udp      1718, 1719
giftd_port_t                   tcp      1213
git_port_t                     tcp      9418
git_port_t                     udp      9418
glance_port_t                  tcp      9292
glance_port_t                  udp      9292
glance_registry_port_t         tcp      9191
glance_registry_port_t         udp      9191
gopher_port_t                  tcp      70
gopher_port_t                  udp      70
gpsd_port_t                    tcp      2947
hddtemp_port_t                 tcp      7634
hi_reserved_port_t             tcp      512-1023
hi_reserved_port_t             udp      512-1023
howl_port_t                    tcp      5335
howl_port_t                    udp      5353
hplip_port_t                   tcp      1782, 2207, 2208, 8290, 50000, 50002, 8292, 9100, 9101, 9102, 9220, 9221, 9222, 9280, 9281, 9282, 9290, 9291
http_cache_port_t              tcp      3128, 8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
i18n_input_port_t              tcp      9010
imaze_port_t                   tcp      5323
imaze_port_t                   udp      5323
inetd_child_port_t             tcp      1, 7, 9, 13, 19, 37, 512, 543, 544, 891, 892, 2105, 5666
inetd_child_port_t             udp      1, 7, 9, 13, 19, 37, 891, 892
innd_port_t                    tcp      119
ionixnetmon_port_t             tcp      7410
ionixnetmon_port_t             udp      7410
ipmi_port_t                    udp      623, 664
ipp_port_t                     tcp      631, 8610-8614
ipp_port_t                     udp      631, 8610-8614
ipsecnat_port_t                tcp      4500
ipsecnat_port_t                udp      4500
ircd_port_t                    tcp      6667
isakmp_port_t                  udp      500
iscsi_port_t                   tcp      3260
isns_port_t                    tcp      3205
isns_port_t                    udp      3205
jabber_client_port_t           tcp      5222, 5223
jabber_interserver_port_t      tcp      5269
jabber_router_port_t           tcp      5347
jacorb_port_t                  tcp      3528, 3529
jboss_debug_port_t             tcp      8787
jboss_management_port_t        tcp      4712, 4447, 7600, 9123, 9990, 9999, 18001
jboss_management_port_t        udp      4712, 9123
jboss_messaging_port_t         tcp      5445, 5455
kerberos_admin_port_t          tcp      749
kerberos_master_port_t         tcp      4444
kerberos_master_port_t         udp      4444
kerberos_password_port_t       tcp      464
kerberos_password_port_t       udp      464
kerberos_port_t                tcp      88, 750
kerberos_port_t                udp      88, 750
kismet_port_t                  tcp      2501
kprop_port_t                   tcp      754
ktalkd_port_t                  udp      517, 518
l2tp_port_t                    tcp      1701
l2tp_port_t                    udp      1701
ldap_port_t                    tcp      389, 636, 3268
ldap_port_t                    udp      389, 636
lirc_port_t                    tcp      8765
lmtp_port_t                    tcp      24
lmtp_port_t                    udp      24
luci_port_t                    tcp      8084
mail_port_t                    tcp      2000, 3905
matahari_port_t                tcp      49000
matahari_port_t                udp      49000
memcache_port_t                tcp      11211
memcache_port_t                udp      11211
milter_port_t                  tcp      8891, 8893
mmcc_port_t                    tcp      5050
mmcc_port_t                    udp      5050
mongod_port_t                  tcp      27017-27019, 28017-28019
monopd_port_t                  tcp      1234
movaz_ssc_port_t               tcp      5252
mpd_port_t                     tcp      6600
msnp_port_t                    tcp      1863
msnp_port_t                    udp      1863
mssql_port_t                   tcp      1433, 1434
mssql_port_t                   udp      1433, 1434
munin_port_t                   tcp      4949
munin_port_t                   udp      4949
mysqld_port_t                  tcp      1186, 3306, 63132-63164
mysqlmanagerd_port_t           tcp      2273
nessus_port_t                  tcp      1241
netport_port_t                 tcp      3129
netport_port_t                 udp      3129
netsupport_port_t              tcp      5404, 5405
netsupport_port_t              udp      5404, 5405
nmbd_port_t                    udp      137, 138
nodejs_debug_port_t            tcp      5858
nodejs_debug_port_t            udp      5858
ntop_port_t                    tcp      3000, 3001
ntop_port_t                    udp      3000, 3001
ntp_port_t                     udp      123
ocsp_port_t                    tcp      9080
openhpid_port_t                tcp      4743
openhpid_port_t                udp      4743
openvpn_port_t                 tcp      1194
openvpn_port_t                 udp      1194
oracle_port_t                  tcp      1521, 2483, 2484
oracle_port_t                  udp      1521, 2483, 2484
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989
pgpkeyserver_port_t            tcp      11371
pgpkeyserver_port_t            udp      11371
pingd_port_t                   tcp      9125
piranha_port_t                 tcp      3636
pki_ca_port_t                  tcp      829, 9180, 9701, 9443-9447
pki_kra_port_t                 tcp      10180, 10701, 10443-10446
pki_ocsp_port_t                tcp      11180, 11701, 11443-11446
pki_ra_port_t                  tcp      12888, 12889
pki_tks_port_t                 tcp      13180, 13701, 13443-13446
pki_tps_port_t                 tcp      7888, 7889
pktcable_port_t                tcp      2126, 3198
pktcable_port_t                udp      2126, 3198
pop_port_t                     tcp      106, 109, 110, 143, 220, 993, 995, 1109
portmap_port_t                 tcp      111
portmap_port_t                 udp      111
postfix_policyd_port_t         tcp      10031
postgresql_port_t              tcp      5432
postgrey_port_t                tcp      60000
prelude_port_t                 tcp      4690
prelude_port_t                 udp      4690
presence_port_t                tcp      5298
presence_port_t                udp      5298
printer_port_t                 tcp      515
ptal_port_t                    tcp      5703
pulseaudio_port_t              tcp      4713
pulseaudio_port_t              udp      4713
puppet_port_t                  tcp      8140
pxe_port_t                     udp      4011
pyzor_port_t                   udp      24441
quantum_port_t                 tcp      9696
radacct_port_t                 udp      1646, 1813
radius_port_t                  udp      1645, 1812
radsec_port_t                  tcp      2083
razor_port_t                   tcp      2703
repository_port_t              tcp      6363
ricci_modcluster_port_t        tcp      16851
ricci_modcluster_port_t        udp      16851
ricci_port_t                   tcp      11111
ricci_port_t                   udp      11111
rlogind_port_t                 tcp      513
rndc_port_t                    tcp      953, 8953
router_port_t                  tcp      521
router_port_t                  udp      520, 521
rsh_port_t                     tcp      514
rsync_port_t                   tcp      873
rsync_port_t                   udp      873
rwho_port_t                    udp      513
sap_port_t                     tcp      9875
sap_port_t                     udp      9875
saphostctrl_port_t             tcp      1128, 1129
sieve_port_t                   tcp      4190
sip_port_t                     tcp      5060, 5061
sip_port_t                     udp      5060, 5061
sixxsconfig_port_t             tcp      3874
sixxsconfig_port_t             udp      3874
smbd_port_t                    tcp      137-139, 445
smtp_port_t                    tcp      25, 465, 587
snmp_port_t                    tcp      161-162, 199, 1161
snmp_port_t                    udp      161-162
soundd_port_t                  tcp      8000, 9433, 16001
spamd_port_t                   tcp      783
speech_port_t                  tcp      8036
squid_port_t                   tcp      3401, 4827
squid_port_t                   udp      3401, 4827
ssh_port_t                     tcp      22
streaming_port_t               tcp      1755
streaming_port_t               udp      1755
svn_port_t                     tcp      3690
svn_port_t                     udp      3690
swat_port_t                    tcp      901
sype_port_t                    tcp      9911
sype_port_t                    udp      9911
syslogd_port_t                 tcp      6514
syslogd_port_t                 udp      514, 6514
telnetd_port_t                 tcp      23
tftp_port_t                    udp      69
tor_port_t                     tcp      6969, 9001, 9030, 9051
tor_socks_port_t               tcp      9050
traceroute_port_t              udp      64000-64010
transproxy_port_t              tcp      8081
ups_port_t                     tcp      3493
uucpd_port_t                   tcp      540
varnishd_port_t                tcp      6081, 6082
virt_migration_port_t          tcp      49152-49216
virt_port_t                    tcp      16509, 16514
virt_port_t                    udp      16509, 16514
vnc_port_t                     tcp      5900-5999
wccp_port_t                    udp      2048
websm_port_t                   tcp      9090
websm_port_t                   udp      9090
whois_port_t                   tcp      43, 4321
whois_port_t                   udp      43, 4321
winshadow_port_t               tcp      3261
winshadow_port_t               udp      3261
xdmcp_port_t                   tcp      177
xdmcp_port_t                   udp      177
xen_port_t                     tcp      8002
xfs_port_t                     tcp      7100
xserver_port_t                 tcp      6000-6150
zabbix_agent_port_t            tcp      10050
zabbix_port_t                  tcp      10051
zarafa_port_t                  tcp      236, 237
zebra_port_t                   tcp      2600-2604, 2606
zebra_port_t                   udp      2600-2604, 2606
zented_port_t                  tcp      1229
zented_port_t                  udp      1229
zope_port_t                    tcp      8021
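Before adding a label with `semanage port -a`, it is worth knowing whether the port is already claimed by another type (in which case `-a` fails and `-m` is the right verb). The following added example (not from the original post) parses the `semanage port -l` format shown above, expanding both the comma lists and the `low-high` ranges, and answers which type covers a given port/protocol. The sample rows are copied from the listing above; on a live host pass `"$(semanage port -l)"` instead.

```shell
#!/bin/sh
# Added example, not from the original post: look up the SELinux port type
# for a port/protocol pair in `semanage port -l` output.

# A few rows copied from the listing on the post (sample input).
SAMPLE_PORTS='http_cache_port_t              tcp      3128, 8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
vnc_port_t                     tcp      5900-5999
mysqld_port_t                  tcp      1186, 3306, 63132-63164'

# port_types LISTING PORT PROTO
# Prints every type whose port set contains PORT/PROTO. Header lines are
# skipped automatically because their second field is not a protocol.
port_types() {
    printf '%s\n' "$1" | awk -v port="$2" -v proto="$3" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)            # strip trailing comma
                n = split(p, r, "-")                 # "lo-hi" or single port
                lo = r[1]; hi = (n == 2) ? r[2] : r[1]
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) { print $1; break }
            }
        }'
}

# is_labelled LISTING PORT PROTO -> exit 0 when some type already claims the port
is_labelled() {
    [ -n "$(port_types "$1" "$2" "$3")" ]
}

# Usage on a live host:
#   port_types "$(semanage port -l)" 8080 tcp      # -> http_cache_port_t
#   is_labelled "$(semanage port -l)" 8888 tcp || semanage port -a -t http_port_t -p tcp 8888
```

The usage line shows the defensive habit: a service that must listen on a non-default port gets that one port labelled with its own type, rather than the policy being loosened to let the domain bind arbitrary ports.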

# ps -eZ
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:kernel_t:s0       2 ?        00:00:00 kthreadd
system_u:system_r:kernel_t:s0       3 ?        00:00:00 migration/0
system_u:system_r:kernel_t:s0       4 ?        00:00:00 ksoftirqd/0
system_u:system_r:kernel_t:s0       5 ?        00:00:00 migration/0
system_u:system_r:kernel_t:s0       6 ?        00:00:00 watchdog/0
system_u:system_r:kernel_t:s0       7 ?        00:00:03 events/0
system_u:system_r:kernel_t:s0       8 ?        00:00:00 cgroup
system_u:system_r:kernel_t:s0       9 ?        00:00:00 khelper
system_u:system_r:kernel_t:s0      10 ?        00:00:00 netns
system_u:system_r:kernel_t:s0      11 ?        00:00:00 async/mgr
system_u:system_r:kernel_t:s0      12 ?        00:00:00 pm
system_u:system_r:kernel_t:s0      13 ?        00:00:00 sync_supers
system_u:system_r:kernel_t:s0      14 ?        00:00:00 bdi-default
system_u:system_r:kernel_t:s0      15 ?        00:00:00 kintegrityd/0
system_u:system_r:kernel_t:s0      16 ?        00:00:00 kblockd/0
system_u:system_r:kernel_t:s0      17 ?        00:00:00 kacpid
system_u:system_r:kernel_t:s0      18 ?        00:00:00 kacpi_notify
system_u:system_r:kernel_t:s0      19 ?        00:00:00 kacpi_hotplug
system_u:system_r:kernel_t:s0      20 ?        00:00:00 ata_aux
system_u:system_r:kernel_t:s0      21 ?        00:00:01 ata_sff/0
system_u:system_r:kernel_t:s0      22 ?        00:00:00 ksuspend_usbd
system_u:system_r:kernel_t:s0      23 ?        00:00:00 khubd
system_u:system_r:kernel_t:s0      24 ?        00:00:00 kseriod
system_u:system_r:kernel_t:s0      25 ?        00:00:00 md/0
system_u:system_r:kernel_t:s0      26 ?        00:00:00 md_misc/0
system_u:system_r:kernel_t:s0      27 ?        00:00:00 linkwatch
system_u:system_r:kernel_t:s0      28 ?        00:00:00 khungtaskd
system_u:system_r:kernel_t:s0      29 ?        00:00:00 kswapd0
system_u:system_r:kernel_t:s0      30 ?        00:00:00 ksmd
system_u:system_r:kernel_t:s0      31 ?        00:00:00 khugepaged
system_u:system_r:kernel_t:s0      32 ?        00:00:00 aio/0
system_u:system_r:kernel_t:s0      33 ?        00:00:00 crypto/0
system_u:system_r:kernel_t:s0      38 ?        00:00:00 kthrotld/0
system_u:system_r:kernel_t:s0      39 ?        00:00:00 pciehpd
system_u:system_r:kernel_t:s0      41 ?        00:00:00 kpsmoused
system_u:system_r:kernel_t:s0      42 ?        00:00:00 usbhid_resumer
system_u:system_r:kernel_t:s0      72 ?        00:00:00 kstriped
system_u:system_r:kernel_t:s0     146 ?        00:00:00 scsi_eh_0
system_u:system_r:kernel_t:s0     147 ?        00:00:00 scsi_eh_1
system_u:system_r:kernel_t:s0     153 ?        00:00:00 mpt_poll_0
system_u:system_r:kernel_t:s0     154 ?        00:00:00 mpt/0
system_u:system_r:kernel_t:s0     171 ?        00:00:00 scsi_eh_2
system_u:system_r:kernel_t:s0     274 ?        00:00:00 jbd2/sda2-8
system_u:system_r:kernel_t:s0     275 ?        00:00:00 ext4-dio-unwrit
system_u:system_r:kernel_t:s0     312 ?        00:00:00 flush-8:0
system_u:system_r:udev_t:s0-s0:c0.c1023 366 ?  00:00:00 udevd
system_u:system_r:kernel_t:s0     788 ?        00:00:00 vmmemctl
system_u:system_r:kernel_t:s0     899 ?        00:00:00 jbd2/sda1-8
system_u:system_r:kernel_t:s0     900 ?        00:00:00 ext4-dio-unwrit
system_u:system_r:kernel_t:s0     944 ?        00:00:00 kauditd
system_u:system_r:initrc_t:s0    1257 ?        00:00:00 vmware-vmblock-
system_u:system_r:initrc_t:s0    1288 ?        00:00:04 vmtoolsd
system_u:system_r:dhcpc_t:s0     1505 ?        00:00:00 dhclient
system_u:system_r:syslogd_t:s0   1623 ?        00:00:00 rsyslogd
system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 1763 ? 00:00:00 dbus-daemon
system_u:system_r:cupsd_t:s0-s0:c0.c1023 1780 ? 00:00:00 cupsd
system_u:system_r:apmd_t:s0      1805 ?        00:00:00 acpid
system_u:system_r:hald_t:s0      1814 ?        00:00:00 hald
system_u:system_r:hald_t:s0      1815 ?        00:00:00 hald-runner
system_u:system_r:hald_t:s0      1856 ?        00:00:00 hald-addon-inpu
system_u:system_r:hald_t:s0      1861 ?        00:00:00 hald-addon-acpi
system_u:system_r:slapd_t:s0     1895 ?        00:00:00 slapd
system_u:system_r:nscd_t:s0      1907 ?        00:00:00 nscd
system_u:system_r:sshd_t:s0-s0:c0.c1023 1933 ? 00:00:00 sshd
system_u:system_r:postfix_master_t:s0 2088 ?   00:00:00 master
system_u:system_r:postfix_qmgr_t:s0 2103 ?     00:00:00 qmgr
system_u:system_r:unconfined_java_t:s0 2156 ?  00:01:35 java
system_u:system_r:abrt_t:s0-s0:c0.c1023 2180 ? 00:00:00 abrtd
system_u:system_r:httpd_t:s0     2188 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2197 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2198 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2199 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2200 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2201 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2202 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2203 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2204 ?        00:00:00 httpd
system_u:system_r:crond_t:s0-s0:c0.c1023 2205 ? 00:00:00 crond
system_u:system_r:crond_t:s0-s0:c0.c1023 2219 ? 00:00:00 atd
system_u:system_r:xdm_t:s0-s0:c0.c1023 2246 ?  00:00:00 gdm-binary
system_u:system_r:getty_t:s0     2251 tty2     00:00:00 mingetty
system_u:system_r:getty_t:s0     2253 tty3     00:00:00 mingetty
system_u:system_r:getty_t:s0     2255 tty4     00:00:00 mingetty
system_u:system_r:getty_t:s0     2257 tty5     00:00:00 mingetty
system_u:system_r:getty_t:s0     2265 tty6     00:00:00 mingetty
system_u:system_r:udev_t:s0-s0:c0.c1023 2266 ? 00:00:00 udevd
system_u:system_r:udev_t:s0-s0:c0.c1023 2267 ? 00:00:00 udevd
system_u:system_r:xdm_t:s0-s0:c0.c1023 2278 ?  00:00:00 gdm-simple-slav
system_u:system_r:xserver_t:s0-s0:c0.c1023 2286 tty1 00:00:18 Xorg
system_u:system_r:consolekit_t:s0-s0:c0.c1023 2302 ? 00:00:00 console-kit-dae
system_u:system_r:xdm_t:s0-s0:c0.c1023 2372 ?  00:00:00 dbus-launch
system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 2378 ? 00:00:00 devkit-power-
system_u:system_r:policykit_t:s0-s0:c0.c1023 2422 ? 00:00:00 polkitd
system_u:system_r:rtkit_daemon_t:s0-s0:c0.c1023 2433 ? 00:00:00 rtkit-daemon
system_u:system_r:xdm_t:s0-s0:c0.c1023 2439 ?  00:00:00 gdm-session-wor
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2450 ? 00:00:00 gnome-keyr
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2460 ? 00:00:00 gnome-sess
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2468 ? 00:00:00 dbus-launc
unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 2469 ? 00:00:00 dbus
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2499 ? 00:00:00 gconfd-2
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2504 ? 00:00:00 gnome-sett
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2512 ? 00:00:00 seahorse-d
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2514 ? 00:00:00 gvfsd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2527 ? 00:00:00 metacity
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2531 ? 00:00:00 pulseaudio
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2532 ? 00:00:00 gnome-pane
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2539 ? 00:00:00 gconf-help
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2540 ? 00:00:01 nautilus
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2542 ? 00:00:00 bonobo-act
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2553 ? 00:00:00 gvfs-gdu-v
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2554 ? 00:00:00 wnck-apple
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2555 ? 00:00:00 trashapple
system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 2557 ? 00:00:00 udisks-daemon
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2561 ? 00:00:05 vmtoolsd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2562 ? 00:00:00 bluetooth-
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2566 ? 00:00:00 polkit-gno
system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 2570 ? 00:00:01 udisks-daemon
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2571 ? 00:00:00 im-setting
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2573 ? 00:00:00 gpk-update
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2574 ? 00:00:00 gvfsd-tras
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2575 ? 00:00:00 gdu-notifi
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2583 ? 00:00:00 restorecon
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2588 ? 00:00:00 gnome-powe
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2590 ? 00:00:00 gnome-volu
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2596 ? 00:00:00 nm-applet
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2600 ? 00:00:00 python
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2605 ? 00:00:01 gnome-scre
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2628 ? 00:00:00 gvfs-afc-v
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2699 ? 00:00:00 gvfs-gphot
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2791 ? 00:00:00 ibus-daemo
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2794 ? 00:00:00 gconf-im-s
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2795 ? 00:00:00 ibus-gconf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2797 ? 00:00:00 python
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2799 ? 00:00:00 ibus-x11
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2807 ? 00:00:00 python
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2808 ? 00:00:00 gnote
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2809 ? 00:00:00 notificati
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2810 ? 00:00:00 gdm-user-s
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2812 ? 00:00:00 clock-appl
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2840 ? 00:00:00 gvfsd-burn
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2859 ? 00:00:05 gnome-term
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2867 ? 00:00:00 gnome-pty-
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2868 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2887 pts/0 00:00:00 su
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2893 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2963 pts/1 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2976 pts/1 00:00:00 su
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2984 pts/1 00:00:00 bash
unconfined_u:system_r:auditd_t:s0 3523 ?       00:00:00 auditd
system_u:system_r:postfix_pickup_t:s0 3714 ?   00:00:00 pickup
system_u:system_r:fprintd_t:s0-s0:c0.c1023 3729 ? 00:00:00 fprintd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3733 pts/1 00:00:00 ps

■ Package for creating policies
# yum install selinux-policy-devel
Loaded plugins: fastestmirror, priorities, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: ftp.iij.ad.jp
 * extras: centos.usonyx.net
 * jpackage: ftp.heanet.ie
 * updates: centos.usonyx.net
212 packages excluded due to repository priority protections
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy.noarch 0:3.7.19-231.el6 will be updated
--> Processing Dependency: selinux-policy = 3.7.19-231.el6 for package: selinux-policy-targeted-3.7.19-231.el6.noarch
--> Processing Dependency: selinux-policy = 3.7.19-231.el6 for package: selinux-policy-targeted-3.7.19-231.el6.noarch
---> Package selinux-policy.noarch 0:3.7.19-279.el6_7.7 will be an update
--> Running transaction check
---> Package selinux-policy-targeted.noarch 0:3.7.19-231.el6 will be updated
---> Package selinux-policy-targeted.noarch 0:3.7.19-279.el6_7.7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                    Arch      Version                  Repository  Size
================================================================================
Updating:
 selinux-policy             noarch    3.7.19-279.el6_7.7       updates    882 k
Updating for dependencies:
 selinux-policy-targeted    noarch    3.7.19-279.el6_7.7       updates    3.1 M

Transaction Summary
================================================================================
Upgrade       2 Package(s)

Total download size: 3.9 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): selinux-policy-3.7.19-279.el6_7.7.noarch.rpm      | 882 kB     00:01    
(2/2): selinux-policy-targeted-3.7.19-279.el6_7.7.noarch | 3.1 MB     00:03    
--------------------------------------------------------------------------------
Total                                           664 kB/s | 3.9 MB     00:06    
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : selinux-policy-3.7.19-279.el6_7.7.noarch                     1/4
  Updating   : selinux-policy-targeted-3.7.19-279.el6_7.7.noarch            2/4
****************
  Cleanup    : selinux-policy-targeted-3.7.19-231.el6.noarch                3/4
  Cleanup    : selinux-policy-3.7.19-231.el6.noarch                         4/4
  Verifying  : selinux-policy-targeted-3.7.19-279.el6_7.7.noarch            1/4
  Verifying  : selinux-policy-3.7.19-279.el6_7.7.noarch                     2/4
  Verifying  : selinux-policy-3.7.19-231.el6.noarch                         3/4
  Verifying  : selinux-policy-targeted-3.7.19-231.el6.noarch                4/4

Updated:
  selinux-policy.noarch 0:3.7.19-279.el6_7.7                                   

Dependency Updated:
  selinux-policy-targeted.noarch 0:3.7.19-279.el6_7.7                          

Complete!

■ Package for displaying policies
# yum -y install setools-gui
Loaded plugins: fastestmirror, priorities, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: www.ftp.ne.jp
 * extras: www.ftp.ne.jp
 * jpackage: sunsite.informatik.rwth-aachen.de
 * updates: www.ftp.ne.jp
212 packages excluded due to repository priority protections
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package setools-gui.x86_64 0:3.3.7-4.el6 will be installed
--> Processing Dependency: setools-libs-tcl = 3.3.7-4.el6 for package: setools-gui-3.3.7-4.el6.x86_64
--> Processing Dependency: tk >= 8.4.9 for package: setools-gui-3.3.7-4.el6.x86_64
--> Processing Dependency: bwidget >= 1.8 for package: setools-gui-3.3.7-4.el6.x86_64
--> Running transaction check
---> Package bwidget.noarch 0:1.8.0-5.1.el6 will be installed
---> Package setools-libs-tcl.x86_64 0:3.3.7-4.el6 will be installed
---> Package tk.x86_64 1:8.5.7-5.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                 Arch          Version                Repository   Size
================================================================================
Installing:
 setools-gui             x86_64        3.3.7-4.el6            base        242 k
Installing for dependencies:
 bwidget                 noarch        1.8.0-5.1.el6          base        166 k
 setools-libs-tcl        x86_64        3.3.7-4.el6            base        197 k
 tk                      x86_64        1:8.5.7-5.el6          base        1.4 M

Transaction Summary
================================================================================
Install       4 Package(s)

Total download size: 2.0 M
Installed size: 7.0 M
Downloading Packages:
(1/4): bwidget-1.8.0-5.1.el6.noarch.rpm                  | 166 kB     00:00    
(2/4): setools-gui-3.3.7-4.el6.x86_64.rpm                | 242 kB     00:00    
(3/4): setools-libs-tcl-3.3.7-4.el6.x86_64.rpm           | 197 kB     00:00    
(4/4): tk-8.5.7-5.el6.x86_64.rpm                         | 1.4 MB     00:01    
--------------------------------------------------------------------------------
Total                                           893 kB/s | 2.0 MB     00:02    
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 1:tk-8.5.7-5.el6.x86_64                                      1/4
  Installing : bwidget-1.8.0-5.1.el6.noarch                                 2/4
  Installing : setools-libs-tcl-3.3.7-4.el6.x86_64                          3/4
  Installing : setools-gui-3.3.7-4.el6.x86_64                               4/4
  Verifying  : setools-gui-3.3.7-4.el6.x86_64                               1/4
  Verifying  : 1:tk-8.5.7-5.el6.x86_64                                      2/4
  Verifying  : bwidget-1.8.0-5.1.el6.noarch                                 3/4
  Verifying  : setools-libs-tcl-3.3.7-4.el6.x86_64                          4/4

Installed:
  setools-gui.x86_64 0:3.3.7-4.el6                                             

Dependency Installed:
  bwidget.noarch 0:1.8.0-5.1.el6      setools-libs-tcl.x86_64 0:3.3.7-4.el6    
  tk.x86_64 1:8.5.7-5.el6           

Complete!

[root@chef-client-selinux Desktop]# yum -y install setools
Loaded plugins: fastestmirror, priorities, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: www.ftp.ne.jp
 * extras: www.ftp.ne.jp
 * jpackage: sunsite.informatik.rwth-aachen.de
 * updates: www.ftp.ne.jp
base                                                     | 3.7 kB     00:00    
extras                                                   | 2.9 kB     00:00    
jpackage                                                 | 1.9 kB     00:00    
updates                                                  | 3.4 kB     00:00    
212 packages excluded due to repository priority protections
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package setools.x86_64 0:3.3.7-4.el6 will be installed
--> Processing Dependency: setools-console = 3.3.7-4.el6 for package: setools-3.3.7-4.el6.x86_64
--> Running transaction check
---> Package setools-console.x86_64 0:3.3.7-4.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                 Arch           Version              Repository    Size
================================================================================
Installing:
 setools                 x86_64         3.3.7-4.el6          base          11 k
Installing for dependencies:
 setools-console         x86_64         3.3.7-4.el6          base         328 k

Transaction Summary
================================================================================
Install       2 Package(s)

Total download size: 340 k
Installed size: 872 k
Downloading Packages:
(1/2): setools-3.3.7-4.el6.x86_64.rpm                    |  11 kB     00:00    
(2/2): setools-console-3.3.7-4.el6.x86_64.rpm            | 328 kB     00:00    
--------------------------------------------------------------------------------
Total                                           825 kB/s | 340 kB     00:00    
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : setools-console-3.3.7-4.el6.x86_64                           1/2
  Installing : setools-3.3.7-4.el6.x86_64                                   2/2
  Verifying  : setools-3.3.7-4.el6.x86_64                                   1/2
  Verifying  : setools-console-3.3.7-4.el6.x86_64                           2/2

Installed:
  setools.x86_64 0:3.3.7-4.el6                                                 

Dependency Installed:
  setools-console.x86_64 0:3.3.7-4.el6                                         

Complete!

# apol
