policycoreutils: sestatus: Updated sestatus and man pages.
sestatus has been modified to present additional information: SELinux root directory, MLS flag and the deny_unknown flag. The man page has been updated to reflect these changes and a sestatus.conf(5) man page has also been added. Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
parent
aed37210a3
commit
3e870d7c9b
|
@ -15,9 +15,11 @@ sestatus: sestatus.o
|
||||||
|
|
||||||
install: all
|
install: all
|
||||||
[ -d $(MANDIR)/man8 ] || mkdir -p $(MANDIR)/man8
|
[ -d $(MANDIR)/man8 ] || mkdir -p $(MANDIR)/man8
|
||||||
|
[ -d $(MANDIR)/man5 ] || mkdir -p $(MANDIR)/man5
|
||||||
-mkdir -p $(SBINDIR)
|
-mkdir -p $(SBINDIR)
|
||||||
install -m 755 sestatus $(SBINDIR)
|
install -m 755 sestatus $(SBINDIR)
|
||||||
install -m 644 sestatus.8 $(MANDIR)/man8
|
install -m 644 sestatus.8 $(MANDIR)/man8
|
||||||
|
install -m 644 sestatus.conf.5 $(MANDIR)/man5
|
||||||
-mkdir -p $(ETCDIR)
|
-mkdir -p $(ETCDIR)
|
||||||
install -m 644 sestatus.conf $(ETCDIR)
|
install -m 644 sestatus.conf $(ETCDIR)
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
.TH "sestatus" "8" "2005111103" "" ""
|
.TH "sestatus" "8" "26 Nov 2011" "Security Enhanced Linux" "SELinux command line documentation"
|
||||||
.SH "NAME"
|
.SH "NAME"
|
||||||
sestatus \- SELinux status tool
|
sestatus \- SELinux status tool
|
||||||
|
|
||||||
|
@ -12,38 +12,66 @@ This tool is used to get the status of a system running SELinux.
|
||||||
This manual page describes the
|
This manual page describes the
|
||||||
.BR sestatus
|
.BR sestatus
|
||||||
program.
|
program.
|
||||||
.br
|
.sp
|
||||||
This tool is used to get the status of a system running SELinux. It displays data about whether SELinux is enabled, disabled, the loaded policy and whether it is in enforcing or permissive mode. It can also be used to display the security context of files and processes listed in the /etc/sestatus.conf file.
|
This tool is used to get the status of a system running SELinux. It displays data about whether SELinux is enabled or disabled, location of key directories, and the loaded policy with its status as shown in the example:
|
||||||
|
.RS
|
||||||
> sestatus
|
> sestatus
|
||||||
.br
|
.br
|
||||||
SELinux status: enabled
|
SELinux status: enabled
|
||||||
.br
|
.br
|
||||||
SELinuxfs mount: /selinux
|
SELinuxfs mount: /selinux
|
||||||
.br
|
.br
|
||||||
Current Mode: permissive
|
SELinux root directory: /etc/selinux
|
||||||
.br
|
.br
|
||||||
Policy version: 16
|
Loaded policy name: targeted
|
||||||
|
.br
|
||||||
|
Current mode: permissive
|
||||||
|
.br
|
||||||
|
Mode from config file: enforcing
|
||||||
|
.br
|
||||||
|
Policy MLS status: enabled
|
||||||
|
.br
|
||||||
|
Policy deny_unknown status: allow
|
||||||
|
.br
|
||||||
|
Max kernel policy version: 26
|
||||||
|
.RE
|
||||||
|
.sp
|
||||||
|
\fBsestatus\fR can also be used to display:
|
||||||
|
.RS
|
||||||
|
.IP "-" 4
|
||||||
|
The security context of files and processes listed in the \fI/etc/sestatus.conf\fR file. The format of this file is described in \fBsestatus.conf\fR(5).
|
||||||
|
.IP "-" 4
|
||||||
|
The status of booleans.
|
||||||
|
.RE
|
||||||
|
|
||||||
.SH "OPTIONS"
|
.SH "OPTIONS"
|
||||||
.TP
|
|
||||||
|
|
||||||
.B \-v
|
.B \-v
|
||||||
.P
|
.RS
|
||||||
Checks the contexts of a files , and a processes listed in the /etc/sestatus.conf file. It also checks the context of the target, in cases of
|
Displays the contexts of files and processes listed in the \fI/etc/sestatus.conf\fR file. It also checks whether the file is a symbolic link, if so then the context of the target file is also shown.
|
||||||
symlinks.
|
.sp
|
||||||
|
The following contexts will always be displayed:
|
||||||
|
.RS
|
||||||
|
The current process context
|
||||||
|
.br
|
||||||
|
The init process context
|
||||||
|
.br
|
||||||
|
The controlling terminal file context
|
||||||
|
.RE
|
||||||
|
.RE
|
||||||
|
.sp
|
||||||
.B \-b
|
.B \-b
|
||||||
.P
|
.RS
|
||||||
Display the current state of booleans.
|
Display the current state of booleans.
|
||||||
|
.RE
|
||||||
|
|
||||||
.SH "FILES"
|
.SH "FILES"
|
||||||
/etc/sestatus.conf
|
.I /etc/sestatus.conf
|
||||||
|
|
||||||
.SH "AUTHOR"
|
.SH "AUTHOR"
|
||||||
This man page was written by Daniel Walsh <dwalsh@redhat.com>.
|
This man page was written by Daniel Walsh <dwalsh@redhat.com>.
|
||||||
.br
|
.br
|
||||||
The program was written by Chris PeBenito <pebenito@gentoo.org>
|
The program was written by Chris PeBenito <pebenito@gentoo.org>
|
||||||
|
|
||||||
|
.SH "SEE ALSO"
|
||||||
|
.BR selinux "(8), " sestatus.conf "(5)
|
||||||
|
|
||||||
|
|
|
@ -172,8 +172,8 @@ void printf_tab(const char *outp)
|
||||||
int main(int argc, char **argv)
|
int main(int argc, char **argv)
|
||||||
{
|
{
|
||||||
/* these vars are reused several times */
|
/* these vars are reused several times */
|
||||||
int rc, opt, i, c;
|
int rc, opt, i, c, size;
|
||||||
char *context;
|
char *context, *root_path;
|
||||||
|
|
||||||
/* files that need context checks */
|
/* files that need context checks */
|
||||||
char *fc[MAX_CHECK];
|
char *fc[MAX_CHECK];
|
||||||
|
@ -193,9 +193,10 @@ int main(int argc, char **argv)
|
||||||
int show_bools = 0;
|
int show_bools = 0;
|
||||||
|
|
||||||
/* policy */
|
/* policy */
|
||||||
const char *pol_name;
|
const char *pol_name, *root_dir;
|
||||||
char *pol_path;
|
char *pol_path;
|
||||||
|
|
||||||
|
|
||||||
while (1) {
|
while (1) {
|
||||||
opt = getopt(argc, argv, "vb");
|
opt = getopt(argc, argv, "vb");
|
||||||
if (opt == -1)
|
if (opt == -1)
|
||||||
|
@ -210,8 +211,8 @@ int main(int argc, char **argv)
|
||||||
default:
|
default:
|
||||||
/* invalid option */
|
/* invalid option */
|
||||||
printf("\nUsage: %s [OPTION]\n\n", basename(argv[0]));
|
printf("\nUsage: %s [OPTION]\n\n", basename(argv[0]));
|
||||||
printf
|
printf(" -v Verbose check of process and file contexts.\n");
|
||||||
(" -v Verbose check of process and file contexts.\n");
|
printf(" -b Display current state of booleans.\n");
|
||||||
printf("\nWithout options, show SELinux status.\n");
|
printf("\nWithout options, show SELinux status.\n");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
@ -242,6 +243,35 @@ int main(int argc, char **argv)
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
printf_tab("SELinux root directory:");
|
||||||
|
if ((root_dir = selinux_path()) != NULL) {
|
||||||
|
/* The path has a trailing '/' so remove it */
|
||||||
|
size = strlen(root_dir);
|
||||||
|
root_path = malloc(size);
|
||||||
|
if (!root_path) {
|
||||||
|
printf("malloc error (%s)\n", strerror(errno));
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
memset(root_path, 0, size);
|
||||||
|
strncpy(root_path, root_dir, (size-1)) ;
|
||||||
|
printf("%s\n", root_path);
|
||||||
|
free(root_path);
|
||||||
|
} else {
|
||||||
|
printf("error (%s)\n", strerror(errno));
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Dump all the path information */
|
||||||
|
printf_tab("Loaded policy name:");
|
||||||
|
pol_path = strdup(selinux_policy_root());
|
||||||
|
if (pol_path) {
|
||||||
|
pol_name = basename(pol_path);
|
||||||
|
puts(pol_name);
|
||||||
|
free(pol_path);
|
||||||
|
} else {
|
||||||
|
printf("error (%s)\n", strerror(errno));
|
||||||
|
}
|
||||||
|
|
||||||
printf_tab("Current mode:");
|
printf_tab("Current mode:");
|
||||||
rc = security_getenforce();
|
rc = security_getenforce();
|
||||||
switch (rc) {
|
switch (rc) {
|
||||||
|
@ -273,23 +303,41 @@ int main(int argc, char **argv)
|
||||||
printf("error (%s)\n", strerror(errno));
|
printf("error (%s)\n", strerror(errno));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
printf_tab("Policy MLS status:");
|
||||||
|
rc = is_selinux_mls_enabled();
|
||||||
|
switch (rc) {
|
||||||
|
case 0:
|
||||||
|
printf("disabled\n");
|
||||||
|
break;
|
||||||
|
case 1:
|
||||||
|
printf("enabled\n");
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
printf("error (%s)\n", strerror(errno));
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
printf_tab("Policy deny_unknown status:");
|
||||||
|
rc = security_deny_unknown();
|
||||||
|
switch (rc) {
|
||||||
|
case 0:
|
||||||
|
printf("allowed\n");
|
||||||
|
break;
|
||||||
|
case 1:
|
||||||
|
printf("denied\n");
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
printf("error (%s)\n", strerror(errno));
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
rc = security_policyvers();
|
rc = security_policyvers();
|
||||||
printf_tab("Policy version:");
|
printf_tab("Max kernel policy version:");
|
||||||
if (rc < 0)
|
if (rc < 0)
|
||||||
printf("unknown (%s)\n", strerror(errno));
|
printf("unknown (%s)\n", strerror(errno));
|
||||||
else
|
else
|
||||||
printf("%d\n", rc);
|
printf("%d\n", rc);
|
||||||
|
|
||||||
/* Dump all the path information */
|
|
||||||
printf_tab("Policy from config file:");
|
|
||||||
pol_path = strdup(selinux_policy_root());
|
|
||||||
if (pol_path) {
|
|
||||||
pol_name = basename(pol_path);
|
|
||||||
puts(pol_name);
|
|
||||||
free(pol_path);
|
|
||||||
} else {
|
|
||||||
printf("error (%s)\n", strerror(errno));
|
|
||||||
}
|
|
||||||
|
|
||||||
if (show_bools) {
|
if (show_bools) {
|
||||||
/* show booleans */
|
/* show booleans */
|
||||||
|
@ -374,7 +422,7 @@ int main(int argc, char **argv)
|
||||||
printf("\nFile contexts:\n");
|
printf("\nFile contexts:\n");
|
||||||
|
|
||||||
/* controlling term */
|
/* controlling term */
|
||||||
printf_tab("Controlling term:");
|
printf_tab("Controlling terminal:");
|
||||||
if (lgetfilecon(cterm, &context) >= 0) {
|
if (lgetfilecon(cterm, &context) >= 0) {
|
||||||
printf("%s\n", context);
|
printf("%s\n", context);
|
||||||
freecon(context);
|
freecon(context);
|
||||||
|
|
|
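Review bot: The trailing-slash strip in the new "SELinux root directory" block (hunk `@ -242,6 +243,35`) is fragile: `size` is an `int` receiving a `strlen()` result, the comment's assumption that the path ends in '/' is never checked, and if `selinux_path()` ever returned an empty string then `malloc(0)` is followed by `strncpy(root_path, root_dir, (size-1))` with a length of `(size_t)-1`. The whole malloc/memset/strncpy/free sequence can be replaced by a bounded `printf("%.*s")` with no heap allocation, as sketched below, with `size` declared `size_t` and `root_path` dropped. Two smaller points: the moved "Loaded policy name" block still passes `selinux_policy_root()` straight to `strdup()`, which is undefined behaviour if that call can return NULL, so a NULL check before the `strdup` would be prudent; and the new deny_unknown branch prints `allowed`/`denied` while the sestatus.8 example added in this commit shows `allow`, so one of the two should be aligned. main() continues outside the hunk.
```c
	printf_tab("SELinux root directory:");
	if ((root_dir = selinux_path()) != NULL) {
		/* The original comment says the path carries a trailing '/';
		 * drop it only if it is really there, and print a bounded
		 * prefix instead of copying into a heap buffer. */
		size = strlen(root_dir);	/* size is now size_t */
		if (size > 0 && root_dir[size - 1] == '/')
			size--;
		printf("%.*s\n", (int)size, root_dir);
	} else {
		/* … unchanged: error path … */
	}
```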
@ -0,0 +1,94 @@
|
||||||
|
.TH "sestatus.conf" "5" "26-Nov-2011" "Security Enhanced Linux" "sestatus configuration file"
|
||||||
|
|
||||||
|
.SH "NAME"
|
||||||
|
sestatus.conf \- The \fBsestatus\fR(8) configuration file.
|
||||||
|
|
||||||
|
.SH "DESCRIPTION"
|
||||||
|
The \fIsestatus.conf\fR file is used by the \fBsestatus\fR(8) command with the \fB\-v\fR option to determine what file and process security contexts should be displayed.
|
||||||
|
.sp
|
||||||
|
The fully qualified path name of the configuration file is:
|
||||||
|
.RS
|
||||||
|
\fI/etc/sestatus.conf\fR
|
||||||
|
.RE
|
||||||
|
.RE
|
||||||
|
.sp
|
||||||
|
The file consists of two optional sections as described in the \fBFILE FORMAT\fR section. Whether these exist or not, the following will always be displayed:
|
||||||
|
.RS
|
||||||
|
The current process context
|
||||||
|
.br
|
||||||
|
The init process context
|
||||||
|
.br
|
||||||
|
The controlling terminal file context
|
||||||
|
.RE
|
||||||
|
|
||||||
|
.SH "FILE FORMAT"
|
||||||
|
The format consists of two optional sections as follows:
|
||||||
|
.RS
|
||||||
|
.B [files]
|
||||||
|
.br
|
||||||
|
.I file_name
|
||||||
|
.br
|
||||||
|
.I [file_name]
|
||||||
|
.br
|
||||||
|
.I ...
|
||||||
|
.sp
|
||||||
|
.B [process]
|
||||||
|
.br
|
||||||
|
.I executable_file_name
|
||||||
|
.br
|
||||||
|
.I [executable_file_name]
|
||||||
|
.br
|
||||||
|
.I ...
|
||||||
|
.RE
|
||||||
|
.sp
|
||||||
|
Where:
|
||||||
|
.RS
|
||||||
|
.B [files]
|
||||||
|
.RS
|
||||||
|
The start of the file list block.
|
||||||
|
.RE
|
||||||
|
.I file_name
|
||||||
|
.RS
|
||||||
|
One or more fully qualified file names, each on a new line will that will have its context displayed. If the file does not exist, then it is ignored. If the file is a symbolic link, then \fBsestatus -v\fR will also display the target file context.
|
||||||
|
.RE
|
||||||
|
.sp
|
||||||
|
.B [process]
|
||||||
|
.RS
|
||||||
|
The start of the process list block.
|
||||||
|
.RE
|
||||||
|
.I executable_file_name
|
||||||
|
.RS
|
||||||
|
One or more fully qualified executable file names that should it be an active process, have its context displayed. Each entry is on a new line.
|
||||||
|
.RE
|
||||||
|
.RE
|
||||||
|
|
||||||
|
.SH "EXAMPLE"
|
||||||
|
# /etc/sestatus.conf
|
||||||
|
.br
|
||||||
|
[files]
|
||||||
|
.br
|
||||||
|
/etc/passwd
|
||||||
|
.br
|
||||||
|
/etc/shadow
|
||||||
|
.br
|
||||||
|
/bin/bash
|
||||||
|
.br
|
||||||
|
/bin/login
|
||||||
|
.br
|
||||||
|
/lib/libc.so.6
|
||||||
|
.br
|
||||||
|
/lib/ld-linux.so.2
|
||||||
|
.br
|
||||||
|
/lib/ld.so.1
|
||||||
|
.sp
|
||||||
|
[process]
|
||||||
|
.br
|
||||||
|
/sbin/mingetty
|
||||||
|
.br
|
||||||
|
/sbin/agetty
|
||||||
|
.br
|
||||||
|
/usr/sbin/sshd
|
||||||
|
.RE
|
||||||
|
|
||||||
|
.SH "SEE ALSO"
|
||||||
|
.BR selinux "(8), " sestatus "(8) "
|