I am developing an embedded distribution with SELinux.
I ran into this problem:
root@unknown7:~# socat openssl-listen:7777,reuseaddr, stdio
2022/02/03 13:44:44 socat[2331] E bind(5, {AF=2 0.0.0.0:7777}, 16): Permission denied
audit2allow suggests adding this line to the policy:
allow sysadm_t unreserved_port_t:tcp_socket name_bind;
but doing so makes the SELinux policy fail to compile:
| Compliling mls sysadm.mod module
| policy/modules/roles/sysadm.te:54:ERROR 'unknown type unreserved_port_t' at token ';' on line 25502:
| allow sysadm_t unreserved_port_t:tcp_socket name_bind;
| allow sysadm_t node_t:tcp_socket node_bind;
| [...]/usr/bin/checkmodule: error(s) encountered while parsing configuration
| [...]/tmp/sysroots/x86_64-linux/usr/bin/checkmodule: loading policy configuration from tmp/sysadm.tmp
| make: *** [tmp/sysadm.mod] Error 1
| ERROR: oe_runmake failed
| ERROR: Function failed: do_compile (log file is located at [...]/tmp/work/namc_p2041-fsl-linux/refpolicy-mls/git-r0/temp/log.do_compile.14399)
ERROR: Task 2020 ([...]/sources/meta-selinux/recipes-security/refpolicy/refpolicy-mls_git.bb, do_compile) failed with exit code '1'
NOTE: Tasks Summary: Attempted 3770 tasks of which 3746 didn't need to be rerun and 2 failed.
Waiting for 0 running tasks to finish:
Summary: 2 tasks failed:
[...]sources/meta-selinux/recipes-security/refpolicy/refpolicy-standard_git.bb, do_compile
[...]/QorIQ-SDK-V2.0-20160527-yocto/sources/meta-selinux/recipes-security/refpolicy/refpolicy-mls_git.bb, do_compile
Summary: There were 4 ERROR messages shown, returning a non-zero exit code.
My questions:
Is there a way to open all ports with SELinux? I know this goes against the principle of SELinux in the first place, but it is only for development purposes.
Is there a way to open only unreserved_port_t while keeping the restrictions on the other reserved port_t types?
I only want to allow access to a few ports (7777, 7778, etc.). How do I declare this in the policy? Should I create new .te, .fc, .if files?
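Added example, not part of the question above: a refpolicy module fragment showing why the audit2allow line fails to compile and how it is normally expressed. The type `unreserved_port_t` is declared by the corenetwork module, so a module that names it directly has to import it with `gen_require()`; the interface names (`corenet_tcp_bind_all_unreserved_ports`, `corenet_tcp_bind_generic_node`, `network_port`) are refpolicy's own, while the port type name `devport` and the assumption that port types are declared in `policy/modules/kernel/corenetwork.te.in` are choices made for this example.

```selinux
# --- policy/modules/roles/sysadm.te (local addition; added example) ---
# The audit2allow rule as written fails with "unknown type unreserved_port_t"
# because the type is declared in the corenetwork module, not here. Pulling it
# in with gen_require() makes the rule compile.
gen_require(`
	type unreserved_port_t;
')
allow sysadm_t unreserved_port_t:tcp_socket name_bind;

# Idiomatic refpolicy form of the same two audit2allow suggestions (name_bind
# on unreserved ports, node_bind on node_t): the interfaces carry the
# gen_require() for you. This opens every unreserved port to sysadm_t.
corenet_tcp_bind_all_unreserved_ports(sysadm_t)
corenet_tcp_bind_generic_node(sysadm_t)

# --- policy/modules/kernel/corenetwork.te.in (assumed declaration site) ---
# Narrower alternative for "only 7777 and 7778": declare a dedicated port type.
# network_port() creates devport_port_t, labels the ports with portcon entries
# (s0 is the MLS sensitivity) and generates corenet_*_devport_port interfaces.
# "devport" is a placeholder name chosen for this example.
network_port(devport, tcp,7777,s0, tcp,7778,s0)

# --- sysadm.te, using the generated interface instead of the blanket rule ---
corenet_tcp_bind_devport_port(sysadm_t)
corenet_tcp_bind_generic_node(sysadm_t)
```

The first form answers the "open everything unreserved" question and is what the audit2allow output was pointing at; the second keeps the rest of `unreserved_port_t` closed to `sysadm_t` and only labels the two development ports, so no new .fc or .if file is needed because `network_port()` generates the interface for you. After either change the module has to be rebuilt and the policy reloaded before `socat` is retried.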