Logs from permissive mode generally end with permissive=1, while logs from enforcing mode end with permissive=0:
// permissive mode
avc: denied { accept } for pid=1430 comm="abc" lport=40777 scontext=u:r:abcservice:s0 tcontext=u:r:abcservice:s0 tclass=tcp_socket permissive=1
// enforcing mode
avc: denied { accept } for pid=1430 comm="abc" lport=40777 sc...
# network-related classes
class socket      # socket
class tcp_socket
class udp_socket
...
class binder      # binder, specific to the Android platform
class zygote      # zygote, specific to the Android platform
The format is: common common_name { permission_name ... }. A perm set defined with common can be inherited by another perm set command (class), for example: common file { ioctl ...
7. Modify test_abc.te to add the permissions test_abc needs, build the image, and verify again:
#=== test_abc ===
allow test_abc self:capability dac_override;
allow test_abc self:tcp_socket create;
8. Fix the problem of /system not being writable as root:
E:\source\dual_os>adb root
restarting adbd as root
E:\source\dual_os>adb remount
W...
*** Plugin catchall (1.41 confidence) suggests *** If you believe that httpd should be allowed name_bind access on the port 888 tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by ...
IPv4: Attempt to release TCP socket in state 10 000000005911e463 BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI CPU: 0 PID: 9 Comm: ksoftirqd/0 Kdump: loaded Tainted: G W --- - - 4.18.0-147.32.1.el8_1.x86_64 #1 Ha...
type=avc msg=audit(1225948455.061:294): avc: denied { name_bind } for pid=4997 comm="httpd" src=9876 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
To allow httpd to listen on a port that is not listed for the http_port_t port type...
Binary: /usr/sbin/httpd → httpd_exec_t
Configuration files: /etc/httpd → httpd_config_t
Log files: /var/log/httpd → httpd_log_t
Content directory: /var/www/html → httpd_sys_content_t
Startup script: /usr/lib/systemd/system/httpd.service → httpd_unit_file_t
Process: /usr/sbin/httpd → httpd_t
Ports: 80/tcp, 443/tcp → httpd_t and httpd...
allow corenet_unlabeled_type unlabeled_t:tcp_socket recvfrom;
allow corenet_unlabeled_type unlabeled_t:udp_socket recvfrom;
allow domain unlabeled_t:packet { recv send };
The command sesearch -A -s <process type> queries which <file type>s a process running as <type> is allowed to read.
# file-related classes
class filesystem
class file        # represents a regular file
class dir         # represents a directory
class fd          # represents a file descriptor
class lnk_file    # represents a symbolic link
class chr_file    # represents a character device file
# network-related classes
class socket      # socket
class tcp_socket
class udp_socket
...
class binder      # binder, specific to the Android platform
class zygote      # zygote, specific to the Android platform
3.2 ...
tclass=tcp_socket
The httpd service fails to start. Use the ausearch command to view the SELinux-related logs; they show that SELinux has denied starting the httpd service. Now allow httpd to listen on port 12345:
~]# semanage port -a -t http_port_t -p tcp 12345
~]# semanage port -l | grep httpd
http_port_t tcp 12345, 80, 81, 443, 488, 8008, 8009, 8443, 9000 ...