RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2025-04-26 04:38:01 +00:00
Code Issues Packages Projects Releases Wiki Activity
8bbb51c9db
selinux/libselinux/utils/compute_av.c
Christian Göttsche 1dd0433885 libselinux/utils: improve compute_av output 
Show the more interesting inverse of the auditdeny vector as dontaudit.

Show the inverse of the decided vector, although since Linux v2.6.30
f1c6381a6e33 ("SELinux: remove unused av.decided field") all permissions
are always decided.

    $ compute_av staff_u:staff_r:staff_t:s0 sysadm_u:sysadm_r:sysadm_t:s0 process
    allowed= null
    auditdeny= { fork transition sigchld sigkill sigstop signull ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit 0x80000000 }
    dontaudit= { signal }

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-01-25 12:51:06 -05:00

75 lines
1.5 KiB
C
Raw Blame History

#include <unistd.h>
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <selinux/selinux.h>
int main(int argc, char **argv)
{
struct av_decision avd;
security_class_t tclass;
int ret;
if (argc != 4) {
fprintf(stderr, "usage: %s scontext tcontext tclass\n",
argv[0]);
exit(1);
}
if (security_check_context(argv[1])) {
fprintf(stderr, "%s: invalid source context '%s'\n", argv[0], argv[1]);
exit(4);
}
if (security_check_context(argv[2])) {
fprintf(stderr, "%s: invalid target context '%s'\n", argv[0], argv[2]);
exit(5);
}
tclass = string_to_security_class(argv[3]);
if (!tclass) {
fprintf(stderr, "%s: invalid class '%s'\n", argv[0], argv[3]);
exit(2);
}
ret = security_compute_av(argv[1], argv[2], tclass, 1, &avd);
if (ret < 0) {
fprintf(stderr, "%s: security_compute_av failed: %s\n", argv[0], strerror(errno));
exit(3);
}
printf("allowed=");
print_access_vector(tclass, avd.allowed);
printf("\n");
if (~avd.decided) {
printf("decided=");
print_access_vector(tclass, avd.decided);
printf("\n");
printf("undecided=");
print_access_vector(tclass, ~avd.decided);
printf("\n");
}
if (avd.auditallow) {
printf("auditallow=");
print_access_vector(tclass, avd.auditallow);
printf("\n");
}
if (~avd.auditdeny) {
printf("auditdeny=");
print_access_vector(tclass, avd.auditdeny);
printf("\n");
printf("dontaudit=");
print_access_vector(tclass, ~avd.auditdeny);
printf("\n");
}
exit(EXIT_SUCCESS);
}
Reference in New Issue View Git Blame Copy Permalink