To demonstrate how useful SELinux is for catching mistakes in third-party code (or your own developers' code), here is a memory-protection test (modified from the first code example here):
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>   /* close() */
int main (void) {
  // open file read-write, get a memory-mapped pointer with private access, write permission
  int fd = open ("file_to_test", O_RDWR);
  if (fd < 0) { perror ("open"); return 1; }
  char *p = mmap (NULL, 42, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
  if (p == MAP_FAILED) { perror ("mmap"); return 1; }
  p[0] = 'a';   // put something: the private mapping is now modified (copy-on-write)
  // Update protection mode; SELinux response depends on sebool: allow_execmod
  int r = mprotect (p, 42, PROT_READ | PROT_EXEC);
  // Display mprotect result (0 = allowed, -1 = denied)
  printf ("mprotect = %d\n", r);
  close(fd);
  return 0;
}
Compile and show the default behaviour (not caught):
$ echo "test data" > file_to_test
$ gcc execmod.c 
$ ./a.out 
mprotect = 0
$ sudo aureport -a
AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
<no events of interest were found>
Change the boolean to catch the problem:
$ sudo getsebool allow_execmod
allow_execmod --> on
$ sudo setsebool allow_execmod 0
$ ./a.out 
mprotect = -1
$ sudo aureport -a
AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 04/30/2015 12:26:41 a.out unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 10 file execmod unconfined_u:object_r:user_home_t:s0 denied 3612
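As an added example (not part of the original answer), a small parser for the table that `aureport -a` prints above, which pulls out the denials that matter for W^X policy and names the boolean that would re-allow each one. The sample report text is constructed from the output shown above; the boolean names other than allow_execmod follow the same allow_* naming scheme and are an assumption.

```python
"""Parse `aureport -a` output and flag execmod/execmem/execstack/execheap denials."""
from dataclasses import dataclass
from typing import List, Optional

# permission -> SELinux boolean that would re-allow it (allow_execmod is from the
# report above; the other three assume the same allow_* naming scheme)
EXEC_PERMISSION_BOOLEANS = {
    "execmod": "allow_execmod",
    "execmem": "allow_execmem",
    "execstack": "allow_execstack",
    "execheap": "allow_execheap",
}

@dataclass
class AvcEvent:
    date: str
    time: str
    comm: str
    subj: str
    syscall: str
    tclass: str
    permission: str
    obj: str
    result: str
    event: int

def parse_aureport_avc(text: str) -> List[AvcEvent]:
    """Return the data rows of an `aureport -a` table; banner, header and
    '<no events of interest were found>' lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        # data rows start with a row number like "1." and have exactly 11 columns
        # (comm values containing spaces are not handled by this simple split)
        if len(fields) != 11 or not fields[0].endswith("."):
            continue
        _, date, time, comm, subj, syscall, tclass, perm, obj, result, event = fields
        events.append(AvcEvent(date, time, comm, subj, syscall, tclass,
                               perm, obj, result, int(event)))
    return events

def exec_denials(events: List[AvcEvent]) -> List[AvcEvent]:
    """Keep only denied W^X-related permissions (execmod, execmem, ...)."""
    return [e for e in events
            if e.result == "denied" and e.permission in EXEC_PERMISSION_BOOLEANS]

def suggested_boolean(e: AvcEvent) -> Optional[str]:
    """Boolean an admin would toggle to allow this permission (None if unrelated)."""
    return EXEC_PERMISSION_BOOLEANS.get(e.permission)
```

Feed it the raw text of `sudo aureport -a` and act on `exec_denials(...)`, e.g. to alert when a program in your home directory is caught making a modified file mapping executable.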