* Selinux context type is same for root & normal user both
@ 2021-01-04 10:55 Ashish Mishra
2021-01-04 12:16 ` Dominick Grift
0 siblings, 1 reply; 19+ messages in thread
From: Ashish Mishra @ 2021-01-04 10:55 UTC (permalink / raw)
To: SElinux list, Paul Moore
Hi Group members,
I am trying to get SELinux added to our custom BSP.
I have got as far as having selinux-refpolicy installed on the target, and
the getenforce / setenforce commands are working.
I can verify them using the log messages in /var/log/audit.log.
Below is the observation (problem) I am seeing w.r.t. the SELinux context
type.
a) A file created as root has "system_u:object_r:root_t"
b) A file created as testuser also has "system_u:object_r:root_t",
but I was expecting something like "unconfined_u:object_r:user_home_t".
Can members please provide any input as to what might be the cause of this,
or any pointers to debug the same?
I am using tmpfs as the file system.
Thanks,
Ashish
* Re: Selinux context type is same for root & normal user both
2021-01-04 10:55 Selinux context type is same for root & normal user both Ashish Mishra
@ 2021-01-04 12:16 ` Dominick Grift
2021-01-04 12:39 ` Ashish Mishra
0 siblings, 1 reply; 19+ messages in thread
From: Dominick Grift @ 2021-01-04 12:16 UTC (permalink / raw)
To: Ashish Mishra; +Cc: SElinux list, Paul Moore
Ashish Mishra <ashishm@mvista.com> writes:
> Hi Group members,
>
> I am trying to get SELinux added to our custom BSP.
>
> I have got as far as having selinux-refpolicy installed on the target, and
> the getenforce / setenforce commands are working.
> I can verify them using the log messages in /var/log/audit.log.
>
> Below is the observation (problem) I am seeing w.r.t. the SELinux context
> type.
> a) A file created as root has "system_u:object_r:root_t"
"root" is a hybrid user (system processes are often associated with the
root identity as well as the root login user). When a system process
associated with "system_u" creates a "file" in a directory with type
root_t (and there is no type transition rule telling SELinux to
transition to default_t), then the file ends up with
"system_u:object_r:root_t".
If the file was created by a "real" login user, then the label of the
file indicates that the context associated with the root login user was
wrong, because generally the root login user shouldn't be associated with
"system_u".
> b) A file created as testuser also has "system_u:object_r:root_t",
Provided that the "testuser" identity is not an identity for system
services, this indicates that both the process creating the file
and the target directory of the file are mislabeled.
Ensure that your login users are associated with the expected contexts,
and also ensure that your filesystems are labeled according to the policy.
> but I was expecting something like "unconfined_u:object_r:user_home_t".
>
> Can members please provide any input as to what might be the cause of this,
> or any pointers to debug the same?
>
> I am using tmpfs as the file system.
>
> Thanks,
> Ashish
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
* Re: Selinux context type is same for root & normal user both
2021-01-04 12:16 ` Dominick Grift
@ 2021-01-04 12:39 ` Ashish Mishra
2021-01-04 12:51 ` Dominick Grift
0 siblings, 1 reply; 19+ messages in thread
From: Ashish Mishra @ 2021-01-04 12:39 UTC (permalink / raw)
To: Dominick Grift; +Cc: SElinux list, Paul Moore
Hi Dominick,
Thanks for the inputs.
a) This is an embedded board which logs in by default as the ROOT user.
Any pointers as to where I can look to debug the cause due to
which the context is "system_u"?
b) Apologies, but can you please suggest a method / approach / debug
points by which
-> I can evaluate the expected contexts for root & testuser
-> I can see that the labels are created using ls -alZ.
Is there any other method / debug point to check that filesystems
are labeled according to the policy?
(I am using the standard refpolicy to create a default policy
on the board.)
Thanks,
Ashish
* Re: Selinux context type is same for root & normal user both
2021-01-04 12:39 ` Ashish Mishra
@ 2021-01-04 12:51 ` Dominick Grift
2021-01-06 13:35 ` Ashish Mishra
` (2 more replies)
0 siblings, 3 replies; 19+ messages in thread
From: Dominick Grift @ 2021-01-04 12:51 UTC (permalink / raw)
To: Ashish Mishra; +Cc: SElinux list, Paul Moore
Ashish Mishra <ashishm@mvista.com> writes:
> Hi Dominick,
>
> Thanks for the inputs.
>
> a) This is an embedded board which logs in by default as the ROOT user.
> Any pointers as to where I can look to debug the cause due to
> which the context is "system_u"?
Lack of PAM support or a misconfigured PAM config (pam_selinux needs to
be present in the appropriate PAM stacks).
>
> b) Apologies, but can you please suggest a method / approach / debug
> points by which
> -> I can evaluate the expected contexts for root & testuser
> -> I can see that the labels are created using ls -alZ.
> Is there any other method / debug point to check that filesystems
> are labeled according to the policy?
> (I am using the standard refpolicy to create a default policy
> on the board.)
You start by determining the current context of the login user (id -Z
will print the context of the current shell). Then you determine the
context of the directory in which the file is created (ls -dZ).
With this information you can query:
sesearch -T -s "type returned by id -Z" | grep "type returned by ls -dZ"
That should return any existing "type_transition" rules where the type
of the user is the source and the type of the destination directory is the target.
>
>
> Thanks ,
> Ashish
The question is whether you want/need IBAC/RBAC on an embedded device
with only one user (root).
In my policy for OpenWrt (which is an embedded wireless router firmware) I
do not use IBAC/RBAC either, and I just add a rule that says when the
login program (sshd) executes a shell then assume that this is a login
user shell and automatically transition from the sshd context to a specified
user context.
On embedded devices "modular reference policy" does not make sense to
use (these devices generally do not have the resources to compile/link
policy at runtime) IMHO, and the "monolithic reference policy" does not work well with
PAM and users.
But, yes, if you want modular refpolicy on a multi-user system then you
probably want PAM.
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
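The labelling rule explained in Dominick's first reply, and the `sesearch -T` lookup he gives in this one, worked through as an added Python example (an editor's addition, not code from the thread, from refpolicy or from the SELinux project). The `sesearch -T` text, the contexts and the type names are constructed sample values. The simulation models only the default creation-time rule (user taken from the creating process, role `object_r`, type from a matching `type_transition` rule or else inherited from the parent directory) and ignores `default_user`/`default_role`/`default_type` policy statements and filename transitions, which is an assumption stated in the code.

```python
"""Simulate SELinux new-file labelling and look up type_transition rules.

Added example, not code from the thread. The `sesearch -T` text below is a
constructed sample; the rule names follow refpolicy conventions but the set
is illustrative, not a dump from any real policy.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str

    @classmethod
    def parse(cls, text):
        user, role, type_ = text.split(":")[:3]  # optional MLS field ignored
        return cls(user, role, type_)

    def __str__(self):
        return f"{self.user}:{self.role}:{self.type}"


# Constructed sample of `sesearch -T` output.
SESEARCH_T_OUTPUT = """\
type_transition sshd_t shell_exec_t:process user_t;
type_transition user_t user_home_dir_t:file user_home_t;
type_transition user_t user_home_dir_t:dir user_home_t;
type_transition kernel_t tmp_t:file tmp_t;
"""

RULE_RE = re.compile(r"^type_transition\s+(\S+)\s+(\S+):(\S+)\s+(\S+);")


def parse_type_transitions(text):
    """Map (source type, target type, object class) -> resulting type."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            src, tgt, cls, new = m.groups()
            rules[(src, tgt, cls)] = new
    return rules


def rules_from(rules, source_type, target_type=None):
    """Equivalent of `sesearch -T -s SRC | grep TGT`: every transition whose
    source is the shell's type, optionally narrowed to the directory's type."""
    return sorted(
        (tgt, cls, new) for (src, tgt, cls), new in rules.items()
        if src == source_type and (target_type is None or tgt == target_type)
    )


def new_object_context(creator, parent, rules, obj_class="file"):
    """Default labelling of a new filesystem object: user from the creating
    process, role object_r, type from a type_transition rule or else the
    parent directory's type. Assumption: default_user/default_role/
    default_type statements and filename transitions are not modelled."""
    new_type = rules.get((creator.type, parent.type, obj_class), parent.type)
    return Context(creator.user, "object_r", new_type)


if __name__ == "__main__":
    rules = parse_type_transitions(SESEARCH_T_OUTPUT)
    # The situation from the thread: a shell running as kernel_t, a root_t directory.
    shell = Context.parse("system_u:system_r:kernel_t")
    print(new_object_context(shell, Context.parse("system_u:object_r:root_t"), rules))
    print("matching rules:", rules_from(rules, shell.type, "root_t"))
```

Fed the situation from the attachment (every process in `system_u:system_r:kernel_t`, the target directory `root_t`, no matching rule) the function returns `system_u:object_r:root_t`, which is exactly the label reported for both users; with a shell in `unconfined_u:user_r:user_t` creating a file in a `user_home_dir_t` directory the same function returns `unconfined_u:object_r:user_home_t`, the label Ashish expected.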
* Re: Selinux context type is same for root & normal user both
2021-01-04 12:51 ` Dominick Grift
@ 2021-01-06 13:35 ` Ashish Mishra
2021-01-06 13:52 ` Dominick Grift
2021-01-06 14:25 ` Ashish Mishra
2021-01-06 14:27 ` Ashish Mishra
2 siblings, 1 reply; 19+ messages in thread
From: Ashish Mishra @ 2021-01-06 13:35 UTC (permalink / raw)
To: Dominick Grift; +Cc: SElinux list, Paul Moore
Hi Dominick,
Thanks for the inputs above.
1) w.r.t. monolithic, I am trying refpolicy with the monolithic design as suggested.
2) I am debugging along the lines you suggested, and prima facie it looks like the
busybox login is being executed here, which takes
system_u:object_r:root_t as its context.
3) Can you please let me know which stable source code to use for
a) policycoreutils-python (to get semanage on the target)
b) setools-console (to get seinfo / sesearch on the target)
Please note that we have integrated the userland libraries and tools
projects from https://github.com/SELinuxProject/selinux
but the above mentioned binaries are not present on the target.
Please let me know any input / feedback if I am missing any
obvious things here.
Thanks,
Ashish
On Mon, Jan 4, 2021 at 6:21 PM Dominick Grift
<dominick.grift@defensec.nl> wrote:
>
> Ashish Mishra <ashishm@mvista.com> writes:
>
> > Hi Dominick ,
> >
> > Thanks for inputs .
> >
> > a) This is an embedded board which logs in by default as a ROOT user.
> > Any pointers as to where can i look to debug the cause due to
> > which context is "system_u"
>
> Lack of PAM support or a misconfigured PAM config (pam_selinux needs to
> be present in the appropriate PAM stacks).
>
> >
> > b) Apologies , but can you please help method / approach / debug
> > points by which
> > -> I can evaluate the expected contexts for root & testuser
> > -> I can see that the labels are created using ls -alZ .
> > Is there any other method / debug point to check filesystems
> > are labeled according to the policy.
> > ( as i am using standard refpolicy to create an default policy
> > on board )
>
> You start by determining the current context of the login user (id -Z
> will print the context of the current shell). Then you determine the
> context of the directory in which the file is created (ls -dZ)
>
> With this information you can query:
>
> sesearch -T -s "type returned by id -Z" | grep "type returned by ls -dZ"
>
> That should return any existing "type_transition" rules where the type
> of the user is the source and the type of the destination directory is a target
>
> >
> >
> > Thanks ,
> > Ashish
>
> The question is whether you want/need IBAC/RBAC on an embedded device
> with only one user (root)
>
> In my policy for OpenWrt (which is an embedded wireless router firmware) I
> do not use IBAC/RBAC either, and I just add a rule that says when the
> login program (sshd) executes a shell then assume that this is a login
> user shell and automatically transition from the sshd context to a specified
> user context.
>
> On embedded devices "modular reference policy" does not make sense to
> use (these devices generally do not have the resources to compile/link
> policy at runtime) IMHO and the "monolithic reference policy" does not work well with
> PAM and users.
>
> But, yes, if you want modular refpolicy on a multi-user system then you
> probably want PAM
>
> --
> gpg --locate-keys dominick.grift@defensec.nl
> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
> https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
> Dominick Grift
* Re: Selinux context type is same for root & normal user both
2021-01-06 13:35 ` Ashish Mishra
@ 2021-01-06 13:52 ` Dominick Grift
[not found] ` <CAP2OjcjOEXsWM1H2pkMzhb3y2ss7SCTw8_1Tsb23kUnEDVfx-g@mail.gmail.com>
0 siblings, 1 reply; 19+ messages in thread
From: Dominick Grift @ 2021-01-06 13:52 UTC (permalink / raw)
To: Ashish Mishra; +Cc: SElinux list, Paul Moore
Ashish Mishra <ashishm@mvista.com> writes:
> Hi Dominick ,
>
> Thanks for the inputs above.
>
> 1) w.r.t Monolithic , i am trying refpolicy with monolithic design as suggested.
>
> 2) I am debugging on the lines you suggested , and prima facie looks like the
> busybox login is being executed here which takes
> system_u:object_r:root_t as context
I do not understand what you mean by that. The context
"system_u:object_r:root_t" is a "file" context and I do not understand
where you get that from.
Busybox is a shell with built-in modules AFAIK. It should be labeled
"u:object_r:shell_exec_t" IMHO.
>
> 3) Can you please let me know which stable source code for
> a) policycoreutils-python ( to get semanage on target )
> b) setools-console ( to get seinfo / sesearch on target )
> Please note that we have integrated userland libraries and tools
> projects from https://github.com/SELinuxProject/selinux
> But the above mentioned binaries are not present on target.
https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-python-3.1.tar.gz
https://github.com/SELinuxProject/setools/releases/download/4.3.0/setools-4.3.0.tar.bz2
>
> Request to please let me know input / feedback if i am missing any
> obvious things here
It's hard to say. There are quite a few variables and I am not sure
exactly what the current state of your work is and where you want to go
(i.e. what your goals and requirements are).
I guess you should determine what the login programs used are and then
address those to ensure that login user shells are labeled the way
you want them labeled.
It is probably best to enclose AVC denials for any challenge you face.
>
> Thanks ,
> Ashish
>
> On Mon, Jan 4, 2021 at 6:21 PM Dominick Grift
> <dominick.grift@defensec.nl> wrote:
>>
>> Ashish Mishra <ashishm@mvista.com> writes:
>>
>> > Hi Dominick ,
>> >
>> > Thanks for inputs .
>> >
>> > a) This is an embedded board which logs in by default as a ROOT user.
>> > Any pointers as to where can i look to debug the cause due to
>> > which context is "system_u"
>>
>> Lack of PAM support or a misconfigured PAM config (pam_selinux needs to
>> be present in the appropriate PAM stacks).
>>
>> >
>> > b) Apologies , but can you please help method / approach / debug
>> > points by which
>> > -> I can evaluate the expected contexts for root & testuser
>> > -> I can see that the labels are created using ls -alZ .
>> > Is there any other method / debug point to check filesystems
>> > are labeled according to the policy.
>> > ( as i am using standard refpolicy to create an default policy
>> > on board )
>>
>> You start by determining the current context of the login user (id -Z
>> will print the context of the current shell). Then you determine the
>> context of the directory in which the file is created (ls -dZ)
>>
>> With this information you can query:
>>
>> sesearch -T -s "type returned by id -Z" | grep "type returned by ls -dZ"
>>
>> That should return any existing "type_transition" rules where the type
>> of the user is the source and the type of the destination directory is a target
>>
>> >
>> >
>> > Thanks ,
>> > Ashish
>>
>> The question is whether you want/need IBAC/RBAC on an embedded device
>> with only one user (root)
>>
>> In my policy for OpenWrt (which is an embedded wireless router firmware) I
>> do not use IBAC/RBAC either, and I just add a rule that says when the
>> login program (sshd) executes a shell then assume that this is a login
>> user shell and automatically transition from the sshd context to a specified
>> user context.
>>
>> On embedded devices "modular reference policy" does not make sense to
>> use (these devices generally do not have the resources to compile/link
>> policy at runtime) IMHO and the "monolithic reference policy" does not work well with
>> PAM and users.
>>
>> But, yes, if you want modular refpolicy on a multi-user system then you
>> probably want PAM
>>
>> --
>> gpg --locate-keys dominick.grift@defensec.nl
>> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
>> https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
>> Dominick Grift
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
* Re: Selinux context type is same for root & normal user both
2021-01-04 12:51 ` Dominick Grift
2021-01-06 13:35 ` Ashish Mishra
@ 2021-01-06 14:25 ` Ashish Mishra
2021-01-06 14:27 ` Ashish Mishra
2 siblings, 0 replies; 19+ messages in thread
From: Ashish Mishra @ 2021-01-06 14:25 UTC (permalink / raw)
To: Dominick Grift; +Cc: SElinux list, Paul Moore
Hi Dominick,
1) Thanks for the pointers.
I will look at the suggestion for login programs.
2) The major discrepancy which I am observing is that all the folders and files across
the filesystem have the same context "system_u:object_r:root_t".
Like /etc, /var, /bin, /root etc., all folders & files have
this same context.
Attached is the context log for the folders.
Any feedback / pointer on point 2 will be helpful.
I will evaluate point 1 as suggested.
Thanks for sharing valuable info.
Ashish
On Mon, Jan 4, 2021 at 6:21 PM Dominick Grift
<dominick.grift@defensec.nl> wrote:
>
> Ashish Mishra <ashishm@mvista.com> writes:
>
> > Hi Dominick ,
> >
> > Thanks for inputs .
> >
> > a) This is an embedded board which logs in by default as a ROOT user.
> > Any pointers as to where can i look to debug the cause due to
> > which context is "system_u"
>
> Lack of PAM support or a misconfigured PAM config (pam_selinux needs to
> be present in the appropriate PAM stacks).
>
> >
> > b) Apologies , but can you please help method / approach / debug
> > points by which
> > -> I can evaluate the expected contexts for root & testuser
> > -> I can see that the labels are created using ls -alZ .
> > Is there any other method / debug point to check filesystems
> > are labeled according to the policy.
> > ( as i am using standard refpolicy to create an default policy
> > on board )
>
> You start by determining the current context of the login user (id -Z
> will print the context of the current shell). Then you determine the
> context of the directory in which the file is created (ls -dZ)
>
> With this information you can query:
>
> sesearch -T -s "type returned by id -Z" | grep "type returned by ls -dZ"
>
> That should return any existing "type_transition" rules where the type
> of the user is the source and the type of the destination directory is a target
>
> >
> >
> > Thanks ,
> > Ashish
>
> The question is whether you want/need IBAC/RBAC on an embedded device
> with only one user (root)
>
> In my policy for OpenWrt (which is an embedded wireless router firmware) I
> do not use IBAC/RBAC either, and I just add a rule that says when the
> login program (sshd) executes a shell then assume that this is a login
> user shell and automatically transition from the sshd context to a specified
> user context.
>
> On embedded devices "modular reference policy" does not make sense to
> use (these devices generally do not have the resources to compile/link
> policy at runtime) IMHO and the "monolithic reference policy" does not work well with
> PAM and users.
>
> But, yes, if you want modular refpolicy on a multi-user system then you
> probably want PAM
>
> --
> gpg --locate-keys dominick.grift@defensec.nl
> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
> https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
> Dominick Grift
[-- Attachment #2: secontext-for-folders.txt --]
home # ps -Z
PID CONTEXT STAT COMMAND
1 system_u:system_r:kernel_t S init
2 system_u:system_r:kernel_t SW [kthreadd]
3 system_u:system_r:kernel_t SW [ksoftirqd/0]
4 system_u:system_r:kernel_t SW [kworker/0:0]
5 system_u:system_r:kernel_t SW< [kworker/0:0H]
6 system_u:system_r:kernel_t SW [kworker/u8:0]
7 system_u:system_r:kernel_t SW [rcu_sched]
8 system_u:system_r:kernel_t SW [rcu_bh]
9 system_u:system_r:kernel_t SW [migration/0]
10 system_u:system_r:kernel_t SW< [lru-add-drain]
11 system_u:system_r:kernel_t SW [cpuhp/0]
12 system_u:system_r:kernel_t SW [kdevtmpfs]
13 system_u:system_r:kernel_t SW< [netns]
14 system_u:system_r:kernel_t SW [oom_reaper]
15 system_u:system_r:kernel_t SW [kworker/u8:1]
124 system_u:system_r:kernel_t SW< [writeback]
126 system_u:system_r:kernel_t SW [kcompactd0]
127 system_u:system_r:kernel_t SW< [bioset]
129 system_u:system_r:kernel_t SW< [kblockd]
151 system_u:system_r:kernel_t SW [kworker/0:1]
167 system_u:system_r:kernel_t SW [kswapd0]
168 system_u:system_r:kernel_t SW< [vmstat]
787 system_u:system_r:kernel_t SW< [ipv6_addrconf]
798 system_u:system_r:kernel_t S syslogd
805 system_u:system_r:kernel_t S< auditd
808 system_u:system_r:kernel_t SW [kauditd]
859 system_u:system_r:kernel_t R /bin/sm_manager
861 system_u:system_r:kernel_t S /bin/sh
880 system_u:system_r:kernel_t R ps -Z
/home #
/home #
/home #
/home # ls
test testfile
/home # cd
~ # ls
bin etc lib lxc proc share usr
dev home lib64 mnt root sys var
drivers init linuxrc mnth sbin tmp
~ # cd /etc/
/etc # ls
audisp gshadow mtab selinux udhcpd.conf
audit host.conf pam.d sestatus.conf xattr.conf
default hosts passwd shadow
environment inittab protocols subgid
fstab libaudit.conf rc.d subuid
group lxc security sysconfig
/etc # cd
~ # ls
bin etc lib lxc proc share usr
dev home lib64 mnt root sys var
drivers init linuxrc mnth sbin tmp
~ #
~ #
~ # ls -alZ bin/
drwxr-xr-x 2 root root system_u:object_r:root_t 1620 Jan 4 23:29 .
drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 arch -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ash -> /bin/busybox
-rwxr-xr-x 1 root root system_u:object_r:root_t 1267040 Jan 4 23:29 bash
-rwxr-xr-x 1 root root system_u:object_r:root_t 1593984 Jan 4 23:29 busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 cat -> /bin/busybox
-rwxr-xr-x 1 root root system_u:object_r:root_t 7664 Jan 4 23:29 cav_sh
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 chattr -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 chgrp -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 chmod -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 chown -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 cp -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 cttyhack -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 date -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 dd -> /bin/busybox
-rwxr-xr-x 1 root root system_u:object_r:root_t 200 Jan 4 23:29 delete_smapp.sh
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 df -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 dmesg -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 echo -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 egrep -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 false -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 fatattr -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 fdflush -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 fgrep -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 fsync -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 getopt -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 grep -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 gunzip -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 gzip -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ionice -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 iostat -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 kill -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 link -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 linux32 -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 linux64 -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ln -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 login -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ls -> /bin/busybox
-rwxr-xr-x 1 root root system_u:object_r:root_t 7736 Jan 4 23:29 lsmod
-rwxr-xr-x 1 root root system_u:object_r:root_t 128952 Jan 4 23:29 lspci
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mkdir -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mknod -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mktemp -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 more -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mount -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mountpoint -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mv -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 nice -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 nuke -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 pidof -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 pipe_progress -> /bin/busybox
~ # ls -alZ etc
drwxr-xr-x 11 root root system_u:object_r:root_t 560 Jan 6 12:37 .
drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
drwxr-xr-x 3 root root system_u:object_r:root_t 100 Jan 4 23:07 audisp
drwxr-xr-x 2 root root system_u:object_r:root_t 80 Jan 4 23:07 audit
drwxr-xr-x 2 root root system_u:object_r:root_t 60 Jan 4 23:17 default
-rw-r--r-- 1 root root system_u:object_r:root_t 97 Jan 4 23:17 environment
-rw-r--r-- 1 root root system_u:object_r:root_t 330 Jan 4 23:09 fstab
-rw-r--r-- 1 root root system_u:object_r:root_t 21 Jan 4 23:09 group
-rw-r--r-- 1 root root system_u:object_r:root_t 9 Jan 4 23:09 gshadow
-rw-r--r-- 1 root root system_u:object_r:root_t 17 Jan 4 23:09 host.conf
-rw-r--r-- 1 root root system_u:object_r:root_t 20 Jan 4 23:09 hosts
-rw-r--r-- 1 root root system_u:object_r:root_t 55 Jan 4 23:09 inittab
-rw-r----- 1 root root system_u:object_r:root_t 191 Jan 4 23:07 libaudit.conf
drwxr-xr-x 2 root root system_u:object_r:root_t 60 Jan 4 23:17 lxc
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mtab -> /proc/mounts
drwxr-xr-x 2 root root system_u:object_r:root_t 40 Jan 4 23:08 pam.d
-rw-r--r-- 1 root root system_u:object_r:root_t 70 Jan 4 23:09 passwd
-rw-r--r-- 1 root root system_u:object_r:root_t 6108 Jan 4 23:09 protocols
drwxr-xr-x 3 root root system_u:object_r:root_t 60 Jan 4 23:07 rc.d
drwxr-xr-x 4 root root system_u:object_r:root_t 260 Jan 4 23:18 security
drwxr-xr-x 3 root root system_u:object_r:root_t 100 Jan 4 23:29 selinux
-rw-r--r-- 1 root root system_u:object_r:root_t 216 Jan 4 23:08 sestatus.conf
-rw-r--r-- 1 root root system_u:object_r:root_t 12 Jan 4 23:09 shadow
-rw-r--r-- 1 root root system_u:object_r:root_t 19 Jan 6 12:37 subgid
-rw-r--r-- 1 root root system_u:object_r:root_t 19 Jan 6 12:37 subuid
drwxr-xr-x 2 root root system_u:object_r:root_t 60 Jan 4 23:07 sysconfig
-rw-r--r-- 1 root root system_u:object_r:root_t 3048 Jan 4 23:09 udhcpd.conf
-rw-r--r-- 1 root root system_u:object_r:root_t 642 Jan 4 23:13 xattr.conf
~ # ls
bin etc lib lxc proc share usr
dev home lib64 mnt root sys var
drivers init linuxrc mnth sbin tmp
~ # ^C
~ # ls -alZ bin
drwxr-xr-x 2 root root system_u:object_r:root_t 1620 Jan 4 23:29 .
drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 arch -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ash -> /bin/busybox
-rwxr-xr-x 1 root root system_u:object_r:root_t 1267040 Jan 4 23:29 bash
-rwxr-xr-x 1 root root system_u:object_r:root_t 1593984 Jan 4 23:29 busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 cat -> /bin/busybox
-rwxr-xr-x 1 root root system_u:object_r:root_t 7664 Jan 4 23:29 cav_sh
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 chattr -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 chgrp -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 chmod -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 chown -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 cp -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 cttyhack -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 date -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 dd -> /bin/busybox
-rwxr-xr-x 1 root root system_u:object_r:root_t 200 Jan 4 23:29 delete_smapp.sh
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 df -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 dmesg -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 echo -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 egrep -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 false -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 fatattr -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 fdflush -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 fgrep -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 fsync -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 getopt -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 grep -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 gunzip -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 gzip -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ionice -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 iostat -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 kill -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 link -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 linux32 -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 linux64 -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ln -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 login -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ls -> /bin/busybox
-rwxr-xr-x 1 root root system_u:object_r:root_t 7736 Jan 4 23:29 lsmod
-rwxr-xr-x 1 root root system_u:object_r:root_t 128952 Jan 4 23:29 lspci
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mkdir -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mknod -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mktemp -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 more -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mount -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mountpoint -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mv -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 nice -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 nuke -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 pidof -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 pipe_progress -> /bin/busybox
-rwxr-xr-x 1 root root system_u:object_r:root_t 13397 Jan 4 23:29 pow_test
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 printenv -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ps -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 pwd -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 resume -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 rev -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 rm -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 rmdir -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 sed -> /bin/busybox
-rwxr-xr-x 1 root root system_u:object_r:root_t 61160 Jan 4 23:29 setpci
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 setpriv -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 sh -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 sleep -> /bin/busybox
-rwxr-xr-x 1 root root system_u:object_r:root_t 298279 Jan 4 23:29 sm_manager
-rwxr-xr-x 1 root root system_u:object_r:root_t 781 Jan 4 23:29 smapp_manage.sh
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 stat -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 stty -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 su -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 sync -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 tar -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 touch -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 true -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 umount -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 uname -> /bin/busybox
-rwxr-xr-x 1 root root system_u:object_r:root_t 1340 Jan 4 23:29 upgrade_smapp.sh
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 usleep -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 vi -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 watch -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 zcat -> /bin/busybox
~ # ls -alZ etc
drwxr-xr-x 11 root root system_u:object_r:root_t 560 Jan 6 12:37 .
drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
drwxr-xr-x 3 root root system_u:object_r:root_t 100 Jan 4 23:07 audisp
drwxr-xr-x 2 root root system_u:object_r:root_t 80 Jan 4 23:07 audit
drwxr-xr-x 2 root root system_u:object_r:root_t 60 Jan 4 23:17 default
-rw-r--r-- 1 root root system_u:object_r:root_t 97 Jan 4 23:17 environment
-rw-r--r-- 1 root root system_u:object_r:root_t 330 Jan 4 23:09 fstab
-rw-r--r-- 1 root root system_u:object_r:root_t 21 Jan 4 23:09 group
-rw-r--r-- 1 root root system_u:object_r:root_t 9 Jan 4 23:09 gshadow
-rw-r--r-- 1 root root system_u:object_r:root_t 17 Jan 4 23:09 host.conf
-rw-r--r-- 1 root root system_u:object_r:root_t 20 Jan 4 23:09 hosts
-rw-r--r-- 1 root root system_u:object_r:root_t 55 Jan 4 23:09 inittab
-rw-r----- 1 root root system_u:object_r:root_t 191 Jan 4 23:07 libaudit.conf
drwxr-xr-x 2 root root system_u:object_r:root_t 60 Jan 4 23:17 lxc
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mtab -> /proc/mounts
drwxr-xr-x 2 root root system_u:object_r:root_t 40 Jan 4 23:08 pam.d
-rw-r--r-- 1 root root system_u:object_r:root_t 70 Jan 4 23:09 passwd
-rw-r--r-- 1 root root system_u:object_r:root_t 6108 Jan 4 23:09 protocols
drwxr-xr-x 3 root root system_u:object_r:root_t 60 Jan 4 23:07 rc.d
drwxr-xr-x 4 root root system_u:object_r:root_t 260 Jan 4 23:18 security
drwxr-xr-x 3 root root system_u:object_r:root_t 100 Jan 4 23:29 selinux
-rw-r--r-- 1 root root system_u:object_r:root_t 216 Jan 4 23:08 sestatus.conf
-rw-r--r-- 1 root root system_u:object_r:root_t 12 Jan 4 23:09 shadow
-rw-r--r-- 1 root root system_u:object_r:root_t 19 Jan 6 12:37 subgid
-rw-r--r-- 1 root root system_u:object_r:root_t 19 Jan 6 12:37 subuid
drwxr-xr-x 2 root root system_u:object_r:root_t 60 Jan 4 23:07 sysconfig
-rw-r--r-- 1 root root system_u:object_r:root_t 3048 Jan 4 23:09 udhcpd.conf
-rw-r--r-- 1 root root system_u:object_r:root_t 642 Jan 4 23:13 xattr.conf
~ # ls -alZ lib
drwxr-xr-x 3 root root system_u:object_r:root_t 60 Jan 4 23:07 .
drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
drwxr-xr-x 3 root root system_u:object_r:root_t 60 Jan 4 23:07 modules
~ # ls -alZ lib64
drwxr-xr-x 3 root root system_u:object_r:root_t 1320 Jan 4 23:29 .
drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
-r-xr-xr-x 1 root root system_u:object_r:root_t 210624 Jan 4 23:29 ld-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 10 Jan 4 23:29 ld.so.1 -> ld-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 67824 Jan 4 23:29 libBrokenLocale-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 23 Jan 4 23:29 libBrokenLocale.so.1 -> libBrokenLocale-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 71182 Jan 4 23:29 libSegFault.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 68768 Jan 4 23:29 libanl-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 14 Jan 4 23:29 libanl.so.1 -> libanl-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 16 Jan 4 23:29 libasan.so.0 -> libasan.so.0.0.0
-r-xr-xr-x 1 root root system_u:object_r:root_t 215896 Jan 4 23:29 libasan.so.0.0.0
lrwxrwxrwx 1 root root system_u:object_r:root_t 18 Jan 4 23:29 libatomic.so.1 -> libatomic.so.1.0.0
-r-xr-xr-x 1 root root system_u:object_r:root_t 35056 Jan 4 23:29 libatomic.so.1.0.0
-r-xr-xr-x 1 root root system_u:object_r:root_t 1946544 Jan 4 23:29 libc-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:29 libc.so.6 -> libc-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 200408 Jan 4 23:29 libcidn-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 15 Jan 4 23:29 libcidn.so.1 -> libcidn-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 69416 Jan 4 23:29 libcrypt-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 16 Jan 4 23:29 libcrypt.so.1 -> libcrypt-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 68920 Jan 4 23:29 libdl-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 13 Jan 4 23:29 libdl.so.2 -> libdl-2.16.so
-r--r--r-- 1 root root system_u:object_r:root_t 161643 Jan 4 23:29 libgcc_s.so.1
lrwxrwxrwx 1 root root system_u:object_r:root_t 16 Jan 4 23:29 libgomp.so.1 -> libgomp.so.1.0.0
-r-xr-xr-x 1 root root system_u:object_r:root_t 87728 Jan 4 23:29 libgomp.so.1.0.0
-r-xr-xr-x 1 root root system_u:object_r:root_t 1006288 Jan 4 23:29 libm-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:29 libm.so.6 -> libm-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 73221 Jan 4 23:29 libmemusage.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 19 Jan 4 23:29 libmudflap.so.0 -> libmudflap.so.0.0.0
-r-xr-xr-x 1 root root system_u:object_r:root_t 209120 Jan 4 23:29 libmudflap.so.0.0.0
lrwxrwxrwx 1 root root system_u:object_r:root_t 21 Jan 4 23:29 libmudflapth.so.0 -> libmudflapth.so.0.0.0
-r-xr-xr-x 1 root root system_u:object_r:root_t 209592 Jan 4 23:29 libmudflapth.so.0.0.0
-r-xr-xr-x 1 root root system_u:object_r:root_t 140688 Jan 4 23:29 libnsl-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 14 Jan 4 23:29 libnsl.so.1 -> libnsl-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 70352 Jan 4 23:29 libnss_compat-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 21 Jan 4 23:29 libnss_compat.so.2 -> libnss_compat-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 71056 Jan 4 23:29 libnss_db-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 17 Jan 4 23:29 libnss_db.so.2 -> libnss_db-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 68520 Jan 4 23:29 libnss_dns-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 18 Jan 4 23:29 libnss_dns.so.2 -> libnss_dns-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 72024 Jan 4 23:29 libnss_files-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 20 Jan 4 23:29 libnss_files.so.2 -> libnss_files-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 69248 Jan 4 23:29 libnss_hesiod-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 21 Jan 4 23:29 libnss_hesiod.so.2 -> libnss_hesiod-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 70800 Jan 4 23:29 libnss_nis-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 18 Jan 4 23:29 libnss_nis.so.2 -> libnss_nis-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 71040 Jan 4 23:29 libnss_nisplus-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 22 Jan 4 23:29 libnss_nisplus.so.2 -> libnss_nisplus-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 70402 Jan 4 23:29 libpcprofile.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 143640 Jan 4 23:29 libpthread-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 18 Jan 4 23:29 libpthread.so.0 -> libpthread-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 138480 Jan 4 23:29 libresolv-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 17 Jan 4 23:29 libresolv.so.2 -> libresolv-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 71296 Jan 4 23:29 librt-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 13 Jan 4 23:29 librt.so.1 -> librt-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 15 Jan 4 23:29 libssp.so.0 -> libssp.so.0.0.0
-r-xr-xr-x 1 root root system_u:object_r:root_t 11488 Jan 4 23:29 libssp.so.0.0.0
lrwxrwxrwx 1 root root system_u:object_r:root_t 19 Jan 4 23:29 libstdc++.so.6 -> libstdc++.so.6.0.17
-r-xr-xr-x 1 root root system_u:object_r:root_t 1198520 Jan 4 23:29 libstdc++.so.6.0.17
-rw-r--r-- 1 root root system_u:object_r:root_t 2436 Jan 4 23:29 libstdc++.so.6.0.17-gdb.py
-r-xr-xr-x 1 root root system_u:object_r:root_t 70256 Jan 4 23:29 libthread_db-1.0.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 19 Jan 4 23:29 libthread_db.so.1 -> libthread_db-1.0.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 17 Jan 4 23:29 libubsan.so.0 -> libubsan.so.0.0.0
-r-xr-xr-x 1 root root system_u:object_r:root_t 606176 Jan 4 23:29 libubsan.so.0.0.0
-r-xr-xr-x 1 root root system_u:object_r:root_t 68344 Jan 4 23:29 libutil-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 15 Jan 4 23:29 libutil.so.1 -> libutil-2.16.so
drwxr-xr-x 2 root root system_u:object_r:root_t 1440 Jan 4 23:29 octeon2
~ # ls -alZ drivers
drwxr-xr-x 2 root root system_u:object_r:root_t 60 Jan 4 23:29 .
drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
-rw-r--r-- 1 root root system_u:object_r:root_t 14558 Jan 4 23:29 pow_drv.ko
~ #
~ #
~ # ls -alZ tmp
drwxr-xr-x 2 root root system_u:object_r:root_t 40 Jan 4 23:09 .
drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
~ #
~ #
~ #
~ # ls /
bin etc lib lxc proc share usr
dev home lib64 mnt root sys var
drivers init linuxrc mnth sbin tmp
~ # ls -alZ var/
drwxr-xr-x 6 root root system_u:object_r:root_t 120 Jan 6 12:37 .
drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
drwxr-xr-x 3 root root system_u:object_r:root_t 60 Jan 4 23:17 cache
drwxr-xr-x 4 root root system_u:object_r:root_t 80 Jan 4 23:17 lib
drwxr-xr-x 3 root root system_u:object_r:root_t 80 Jan 6 12:37 log
drwxr-xr-x 4 root root system_u:object_r:root_t 140 Jan 6 12:37 run
~ #
^ permalink raw reply [flat|nested] 19+ messages in thread
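As an added check (example code written for this edit, not from the thread, the reference policy or any project), the script below parses `ls -alZ` and BusyBox `ps -Z` output in the shape of the listings in this thread and reports the two symptoms they show: every entry in a directory carrying a single type, and PID 1 (and every other user process) still in kernel_t. The sample input is constructed from lines of the listing; the expectation that /etc/shadow and /etc/gshadow should be shadow_t is an assumption taken from the reference policy's file_contexts and must be checked against the policy actually installed on the target. Why it matters: with /etc/shadow labelled root_t, the policy's shadow_t rules never apply, so any domain allowed to read root_t files can read the password hashes; and a process tree that never left kernel_t means the per-daemon domains in the policy never come into play, whatever `getenforce` reports.

```python
"""Added example (not from the thread): parse `ls -alZ` and `ps -Z` output and
flag the two symptoms of a never-labelled SELinux system: every file carrying
the same type, and PID 1 still running in the kernel domain."""
import re
from collections import Counter

# Constructed sample input; the lines are shaped like the thread's attachment.
LS_SAMPLE = """\
drwxr-xr-x 11 root root system_u:object_r:root_t 560 Jan 6 12:37 .
drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
-rw-r--r-- 1 root root system_u:object_r:root_t 70 Jan 4 23:09 passwd
-rw-r--r-- 1 root root system_u:object_r:root_t 12 Jan 4 23:09 shadow
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mtab -> /proc/mounts
drwxr-xr-x 3 root root system_u:object_r:root_t 100 Jan 4 23:29 selinux
"""

PS_SAMPLE = """\
PID CONTEXT STAT COMMAND
1 system_u:system_r:kernel_t S init
2 system_u:system_r:kernel_t SW [kthreadd]
798 system_u:system_r:kernel_t S syslogd
861 system_u:system_r:kernel_t S /bin/sh
"""

# user:role:type with an optional MLS/MCS range
CONTEXT_RE = re.compile(r"^\w+:\w+:\w+(?::\S+)?$")


def parse_ls_z(text):
    """Return [(name, context)] from `ls -alZ` output, dropping . and ..
    and the symlink target after ' -> '."""
    entries = []
    for line in text.splitlines():
        fields = line.split(None, 9)
        if len(fields) < 10 or not CONTEXT_RE.match(fields[4]):
            continue  # 'total N' lines, blank lines, shell prompts
        name = fields[9].split(" -> ", 1)[0]
        if name in (".", ".."):
            continue
        entries.append((name, fields[4]))
    return entries


def parse_ps_z(text):
    """Return [(pid, context, command)] from BusyBox `ps -Z` output."""
    procs = []
    for line in text.splitlines():
        fields = line.split(None, 3)
        if len(fields) < 4 or not fields[0].isdigit():
            continue  # header line
        procs.append((int(fields[0]), fields[1], fields[3]))
    return procs


def type_of(context):
    return context.split(":")[2]


def audit(ls_text, ps_text, expected=None):
    """Return a list of findings. `expected` maps file names to the type the
    policy's file_contexts should assign (assumption: the reference policy
    labels /etc/shadow and /etc/gshadow shadow_t; verify against your own
    file_contexts)."""
    expected = expected or {"shadow": "shadow_t", "gshadow": "shadow_t"}
    findings = []
    files = parse_ls_z(ls_text)
    types = Counter(type_of(ctx) for _, ctx in files)
    if len(types) == 1 and len(files) > 1:
        (only, n), = types.items()
        findings.append(f"all {n} entries are {only}: no file_contexts "
                        "labelling has been applied to this directory")
    for name, ctx in files:
        want = expected.get(name)
        if want and type_of(ctx) != want:
            findings.append(f"{name} is {type_of(ctx)}, policy expects {want}")
    procs = parse_ps_z(ps_text)
    for pid, ctx, cmd in procs:
        if pid == 1 and type_of(ctx) == "kernel_t":
            findings.append("PID 1 runs in kernel_t: no domain transition "
                            "happened at init, so no daemon domain is in use")
    stuck = [cmd for pid, ctx, cmd in procs
             if type_of(ctx) == "kernel_t" and not cmd.startswith("[")]
    if stuck:
        findings.append("user processes still in kernel_t: " + ", ".join(stuck))
    return findings


if __name__ == "__main__":
    for finding in audit(LS_SAMPLE, PS_SAMPLE):
        print("-", finding)
```

On the target itself the same comparison against the installed policy is done with `restorecon -nvR /` (report what would change without changing it) or `matchpathcon -V /etc/shadow`; a listing where both of those report every file as mislabelled is the state the thread's attachment shows.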
* Re: Selinux context type is same for root & normal user both
2021-01-04 12:51 ` Dominick Grift
2021-01-06 13:35 ` Ashish Mishra
2021-01-06 14:25 ` Ashish Mishra
@ 2021-01-06 14:27 ` Ashish Mishra
2021-01-06 14:41 ` Dominick Grift
2 siblings, 1 reply; 19+ messages in thread
From: Ashish Mishra @ 2021-01-06 14:27 UTC (permalink / raw)
To: Dominick Grift; +Cc: SElinux list, Paul Moore
[-- Attachment #1: Type: text/plain, Size: 512 bytes --]
Hi Dominick,
1) Thanks for the pointers.
I will look at the suggestion for login programs.
2) The major discrepancy which I am observing is that all the folders and files across the
filesystem have the same context "system_u:object_r:root_t".
Like /etc, /var, /bin, /root etc., all folders & files have
this same context.
Attached is the context log for the folders.
Any feedback / pointer on point 2 will be helpful.
I will evaluate point 1 as suggested.
Thanks for sharing valuable info.
Ashish
[-- Attachment #2: secontext-for-folders.txt --]
[-- Type: text/plain, Size: 32285 bytes --]
/home # ps -Z
PID CONTEXT STAT COMMAND
1 system_u:system_r:kernel_t S init
2 system_u:system_r:kernel_t SW [kthreadd]
3 system_u:system_r:kernel_t SW [ksoftirqd/0]
4 system_u:system_r:kernel_t SW [kworker/0:0]
5 system_u:system_r:kernel_t SW< [kworker/0:0H]
6 system_u:system_r:kernel_t SW [kworker/u8:0]
7 system_u:system_r:kernel_t SW [rcu_sched]
8 system_u:system_r:kernel_t SW [rcu_bh]
9 system_u:system_r:kernel_t SW [migration/0]
10 system_u:system_r:kernel_t SW< [lru-add-drain]
11 system_u:system_r:kernel_t SW [cpuhp/0]
12 system_u:system_r:kernel_t SW [kdevtmpfs]
13 system_u:system_r:kernel_t SW< [netns]
14 system_u:system_r:kernel_t SW [oom_reaper]
15 system_u:system_r:kernel_t SW [kworker/u8:1]
124 system_u:system_r:kernel_t SW< [writeback]
126 system_u:system_r:kernel_t SW [kcompactd0]
127 system_u:system_r:kernel_t SW< [bioset]
129 system_u:system_r:kernel_t SW< [kblockd]
151 system_u:system_r:kernel_t SW [kworker/0:1]
167 system_u:system_r:kernel_t SW [kswapd0]
168 system_u:system_r:kernel_t SW< [vmstat]
787 system_u:system_r:kernel_t SW< [ipv6_addrconf]
798 system_u:system_r:kernel_t S syslogd
805 system_u:system_r:kernel_t S< auditd
808 system_u:system_r:kernel_t SW [kauditd]
859 system_u:system_r:kernel_t R /bin/sm_manager
861 system_u:system_r:kernel_t S /bin/sh
880 system_u:system_r:kernel_t R ps -Z
/home #
/home #
/home #
/home # ls
test testfile
/home # cd
~ # ls
bin etc lib lxc proc share usr
dev home lib64 mnt root sys var
drivers init linuxrc mnth sbin tmp
~ # cd /etc/
/etc # ls
audisp gshadow mtab selinux udhcpd.conf
audit host.conf pam.d sestatus.conf xattr.conf
default hosts passwd shadow
environment inittab protocols subgid
fstab libaudit.conf rc.d subuid
group lxc security sysconfig
/etc # cd
~ # ls
bin etc lib lxc proc share usr
dev home lib64 mnt root sys var
drivers init linuxrc mnth sbin tmp
~ #
~ #
~ # ls -alZ bin
drwxr-xr-x 2 root root system_u:object_r:root_t 1620 Jan 4 23:29 .
drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 arch -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ash -> /bin/busybox
-rwxr-xr-x 1 root root system_u:object_r:root_t 1267040 Jan 4 23:29 bash
-rwxr-xr-x 1 root root system_u:object_r:root_t 1593984 Jan 4 23:29 busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 cat -> /bin/busybox
-rwxr-xr-x 1 root root system_u:object_r:root_t 7664 Jan 4 23:29 cav_sh
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 chattr -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 chgrp -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 chmod -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 chown -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 cp -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 cttyhack -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 date -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 dd -> /bin/busybox
-rwxr-xr-x 1 root root system_u:object_r:root_t 200 Jan 4 23:29 delete_smapp.sh
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 df -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 dmesg -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 echo -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 egrep -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 false -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 fatattr -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 fdflush -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 fgrep -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 fsync -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 getopt -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 grep -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 gunzip -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 gzip -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ionice -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 iostat -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 kill -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 link -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 linux32 -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 linux64 -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ln -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 login -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ls -> /bin/busybox
-rwxr-xr-x 1 root root system_u:object_r:root_t 7736 Jan 4 23:29 lsmod
-rwxr-xr-x 1 root root system_u:object_r:root_t 128952 Jan 4 23:29 lspci
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mkdir -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mknod -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mktemp -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 more -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mount -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mountpoint -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mv -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 nice -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 nuke -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 pidof -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 pipe_progress -> /bin/busybox
-rwxr-xr-x 1 root root system_u:object_r:root_t 13397 Jan 4 23:29 pow_test
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 printenv -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ps -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 pwd -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 resume -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 rev -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 rm -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 rmdir -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 sed -> /bin/busybox
-rwxr-xr-x 1 root root system_u:object_r:root_t 61160 Jan 4 23:29 setpci
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 setpriv -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 sh -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 sleep -> /bin/busybox
-rwxr-xr-x 1 root root system_u:object_r:root_t 298279 Jan 4 23:29 sm_manager
-rwxr-xr-x 1 root root system_u:object_r:root_t 781 Jan 4 23:29 smapp_manage.sh
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 stat -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 stty -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 su -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 sync -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 tar -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 touch -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 true -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 umount -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 uname -> /bin/busybox
-rwxr-xr-x 1 root root system_u:object_r:root_t 1340 Jan 4 23:29 upgrade_smapp.sh
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 usleep -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 vi -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 watch -> /bin/busybox
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 zcat -> /bin/busybox
~ # ls -alZ etc
drwxr-xr-x 11 root root system_u:object_r:root_t 560 Jan 6 12:37 .
drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
drwxr-xr-x 3 root root system_u:object_r:root_t 100 Jan 4 23:07 audisp
drwxr-xr-x 2 root root system_u:object_r:root_t 80 Jan 4 23:07 audit
drwxr-xr-x 2 root root system_u:object_r:root_t 60 Jan 4 23:17 default
-rw-r--r-- 1 root root system_u:object_r:root_t 97 Jan 4 23:17 environment
-rw-r--r-- 1 root root system_u:object_r:root_t 330 Jan 4 23:09 fstab
-rw-r--r-- 1 root root system_u:object_r:root_t 21 Jan 4 23:09 group
-rw-r--r-- 1 root root system_u:object_r:root_t 9 Jan 4 23:09 gshadow
-rw-r--r-- 1 root root system_u:object_r:root_t 17 Jan 4 23:09 host.conf
-rw-r--r-- 1 root root system_u:object_r:root_t 20 Jan 4 23:09 hosts
-rw-r--r-- 1 root root system_u:object_r:root_t 55 Jan 4 23:09 inittab
-rw-r----- 1 root root system_u:object_r:root_t 191 Jan 4 23:07 libaudit.conf
drwxr-xr-x 2 root root system_u:object_r:root_t 60 Jan 4 23:17 lxc
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mtab -> /proc/mounts
drwxr-xr-x 2 root root system_u:object_r:root_t 40 Jan 4 23:08 pam.d
-rw-r--r-- 1 root root system_u:object_r:root_t 70 Jan 4 23:09 passwd
-rw-r--r-- 1 root root system_u:object_r:root_t 6108 Jan 4 23:09 protocols
drwxr-xr-x 3 root root system_u:object_r:root_t 60 Jan 4 23:07 rc.d
drwxr-xr-x 4 root root system_u:object_r:root_t 260 Jan 4 23:18 security
drwxr-xr-x 3 root root system_u:object_r:root_t 100 Jan 4 23:29 selinux
-rw-r--r-- 1 root root system_u:object_r:root_t 216 Jan 4 23:08 sestatus.conf
-rw-r--r-- 1 root root system_u:object_r:root_t 12 Jan 4 23:09 shadow
-rw-r--r-- 1 root root system_u:object_r:root_t 19 Jan 6 12:37 subgid
-rw-r--r-- 1 root root system_u:object_r:root_t 19 Jan 6 12:37 subuid
drwxr-xr-x 2 root root system_u:object_r:root_t 60 Jan 4 23:07 sysconfig
-rw-r--r-- 1 root root system_u:object_r:root_t 3048 Jan 4 23:09 udhcpd.conf
-rw-r--r-- 1 root root system_u:object_r:root_t 642 Jan 4 23:13 xattr.conf
~ # ls -alZ lib
drwxr-xr-x 3 root root system_u:object_r:root_t 60 Jan 4 23:07 .
drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
drwxr-xr-x 3 root root system_u:object_r:root_t 60 Jan 4 23:07 modules
~ # ls -alZ lib64
drwxr-xr-x 3 root root system_u:object_r:root_t 1320 Jan 4 23:29 .
drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
-r-xr-xr-x 1 root root system_u:object_r:root_t 210624 Jan 4 23:29 ld-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 10 Jan 4 23:29 ld.so.1 -> ld-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 67824 Jan 4 23:29 libBrokenLocale-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 23 Jan 4 23:29 libBrokenLocale.so.1 -> libBrokenLocale-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 71182 Jan 4 23:29 libSegFault.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 68768 Jan 4 23:29 libanl-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 14 Jan 4 23:29 libanl.so.1 -> libanl-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 16 Jan 4 23:29 libasan.so.0 -> libasan.so.0.0.0
-r-xr-xr-x 1 root root system_u:object_r:root_t 215896 Jan 4 23:29 libasan.so.0.0.0
lrwxrwxrwx 1 root root system_u:object_r:root_t 18 Jan 4 23:29 libatomic.so.1 -> libatomic.so.1.0.0
-r-xr-xr-x 1 root root system_u:object_r:root_t 35056 Jan 4 23:29 libatomic.so.1.0.0
-r-xr-xr-x 1 root root system_u:object_r:root_t 1946544 Jan 4 23:29 libc-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:29 libc.so.6 -> libc-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 200408 Jan 4 23:29 libcidn-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 15 Jan 4 23:29 libcidn.so.1 -> libcidn-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 69416 Jan 4 23:29 libcrypt-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 16 Jan 4 23:29 libcrypt.so.1 -> libcrypt-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 68920 Jan 4 23:29 libdl-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 13 Jan 4 23:29 libdl.so.2 -> libdl-2.16.so
-r--r--r-- 1 root root system_u:object_r:root_t 161643 Jan 4 23:29 libgcc_s.so.1
lrwxrwxrwx 1 root root system_u:object_r:root_t 16 Jan 4 23:29 libgomp.so.1 -> libgomp.so.1.0.0
-r-xr-xr-x 1 root root system_u:object_r:root_t 87728 Jan 4 23:29 libgomp.so.1.0.0
-r-xr-xr-x 1 root root system_u:object_r:root_t 1006288 Jan 4 23:29 libm-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:29 libm.so.6 -> libm-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 73221 Jan 4 23:29 libmemusage.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 19 Jan 4 23:29 libmudflap.so.0 -> libmudflap.so.0.0.0
-r-xr-xr-x 1 root root system_u:object_r:root_t 209120 Jan 4 23:29 libmudflap.so.0.0.0
lrwxrwxrwx 1 root root system_u:object_r:root_t 21 Jan 4 23:29 libmudflapth.so.0 -> libmudflapth.so.0.0.0
-r-xr-xr-x 1 root root system_u:object_r:root_t 209592 Jan 4 23:29 libmudflapth.so.0.0.0
-r-xr-xr-x 1 root root system_u:object_r:root_t 140688 Jan 4 23:29 libnsl-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 14 Jan 4 23:29 libnsl.so.1 -> libnsl-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 70352 Jan 4 23:29 libnss_compat-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 21 Jan 4 23:29 libnss_compat.so.2 -> libnss_compat-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 71056 Jan 4 23:29 libnss_db-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 17 Jan 4 23:29 libnss_db.so.2 -> libnss_db-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 68520 Jan 4 23:29 libnss_dns-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 18 Jan 4 23:29 libnss_dns.so.2 -> libnss_dns-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 72024 Jan 4 23:29 libnss_files-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 20 Jan 4 23:29 libnss_files.so.2 -> libnss_files-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 69248 Jan 4 23:29 libnss_hesiod-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 21 Jan 4 23:29 libnss_hesiod.so.2 -> libnss_hesiod-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 70800 Jan 4 23:29 libnss_nis-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 18 Jan 4 23:29 libnss_nis.so.2 -> libnss_nis-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 71040 Jan 4 23:29 libnss_nisplus-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 22 Jan 4 23:29 libnss_nisplus.so.2 -> libnss_nisplus-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 70402 Jan 4 23:29 libpcprofile.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 143640 Jan 4 23:29 libpthread-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 18 Jan 4 23:29 libpthread.so.0 -> libpthread-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 138480 Jan 4 23:29 libresolv-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 17 Jan 4 23:29 libresolv.so.2 -> libresolv-2.16.so
-r-xr-xr-x 1 root root system_u:object_r:root_t 71296 Jan 4 23:29 librt-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 13 Jan 4 23:29 librt.so.1 -> librt-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 15 Jan 4 23:29 libssp.so.0 -> libssp.so.0.0.0
-r-xr-xr-x 1 root root system_u:object_r:root_t 11488 Jan 4 23:29 libssp.so.0.0.0
lrwxrwxrwx 1 root root system_u:object_r:root_t 19 Jan 4 23:29 libstdc++.so.6 -> libstdc++.so.6.0.17
-r-xr-xr-x 1 root root system_u:object_r:root_t 1198520 Jan 4 23:29 libstdc++.so.6.0.17
-rw-r--r-- 1 root root system_u:object_r:root_t 2436 Jan 4 23:29 libstdc++.so.6.0.17-gdb.py
-r-xr-xr-x 1 root root system_u:object_r:root_t 70256 Jan 4 23:29 libthread_db-1.0.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 19 Jan 4 23:29 libthread_db.so.1 -> libthread_db-1.0.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 17 Jan 4 23:29 libubsan.so.0 -> libubsan.so.0.0.0
-r-xr-xr-x 1 root root system_u:object_r:root_t 606176 Jan 4 23:29 libubsan.so.0.0.0
-r-xr-xr-x 1 root root system_u:object_r:root_t 68344 Jan 4 23:29 libutil-2.16.so
lrwxrwxrwx 1 root root system_u:object_r:root_t 15 Jan 4 23:29 libutil.so.1 -> libutil-2.16.so
drwxr-xr-x 2 root root system_u:object_r:root_t 1440 Jan 4 23:29 octeon2
~ # ls -alZ drivers
drwxr-xr-x 2 root root system_u:object_r:root_t 60 Jan 4 23:29 .
drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
-rw-r--r-- 1 root root system_u:object_r:root_t 14558 Jan 4 23:29 pow_drv.ko
~ #
~ #
~ # ls -alZ tmp
drwxr-xr-x 2 root root system_u:object_r:root_t 40 Jan 4 23:09 .
drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
~ #
~ #
~ #
~ # ls /
bin etc lib lxc proc share usr
dev home lib64 mnt root sys var
drivers init linuxrc mnth sbin tmp
~ # ls -alZ var/
drwxr-xr-x 6 root root system_u:object_r:root_t 120 Jan 6 12:37 .
drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
drwxr-xr-x 3 root root system_u:object_r:root_t 60 Jan 4 23:17 cache
drwxr-xr-x 4 root root system_u:object_r:root_t 80 Jan 4 23:17 lib
drwxr-xr-x 3 root root system_u:object_r:root_t 80 Jan 6 12:37 log
drwxr-xr-x 4 root root system_u:object_r:root_t 140 Jan 6 12:37 run
~ #
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Selinux context type is same for root & normal user both
[not found] ` <CAP2OjcjOEXsWM1H2pkMzhb3y2ss7SCTw8_1Tsb23kUnEDVfx-g@mail.gmail.com>
@ 2021-01-06 14:30 ` Dominick Grift
2021-01-06 14:55 ` Ashish Mishra
0 siblings, 1 reply; 19+ messages in thread
From: Dominick Grift @ 2021-01-06 14:30 UTC (permalink / raw)
To: Ashish Mishra; +Cc: SElinux list, Paul Moore
Ashish Mishra <ashishm@mvista.com> writes:
> Hi Dominick,
>
> 1) Thanks for pointers .
> I will look at the suggestion for login programs.
I think I understand a little bit what your issue might be now, and if
correct then I believe the focus should be on initial labeling of the filesystem.
>
> 2) The major discrepancy which I am observing is that all the folders and files across the
> filesystem have the same context "system_u:object_r:root_t".
> Like /etc, /var, /bin, /root etc. all folders & files have this same context.
> Attached is the context log for the folder.
I see, I guess that is rootfs and that it is not labeled initially.
In OpenWrt generally a (readonly) squashfs is used (to boot from) with
overlayfs. The squashfs is labeled at build-time and the root directory of the overlay as well.
I guess that if you want to use rootfs, that you would have to address
initial labeling somehow.
It might help if you tell us a bit about the filesystems used in your
system.
>
> Any feedback / pointer on point-2 will be helpful .
> I will evaluate the point-1 as suggested .
>
> Thanks for sharing valuable info.
> Ashish
>
>
> On Wed, Jan 6, 2021 at 7:22 PM Dominick Grift <dominick.grift@defensec.nl> wrote:
>
> Ashish Mishra <ashishm@mvista.com> writes:
>
> > Hi Dominick ,
> >
> > Thanks for the inputs above.
> >
> > 1) w.r.t Monolithic , i am trying refpolicy with monolithic design as suggested.
> >
> > 2) I am debugging on the lines you suggested , and prima facie looks like the
> > busybox login is being executed here which takes
> > system_u:object_r:root_t as context
>
> I do not understand what you mean by that. Context
> "system_u:object_r:root_t" is a "file" context and I do not understand
> where you get that from.
>
> Busybox is a shell with built-in modules AFAIK. It should be labeled
> "u:object_r:shell_exec_t" IMHO
>
> >
> > 3) Can you please let me know which stable source code for
> > a) policycoreutils-python ( to get semanage on target )
> > b) setools-console ( to get seinfo / sesearch on target )
> > Please note that we have integrated userland libraries and tools
> > projects from https://github.com/SELinuxProject/selinux
> > But the above mentioned binaries are not present on target.
>
> https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-python-3.1.tar.gz
> https://github.com/SELinuxProject/setools/releases/download/4.3.0/setools-4.3.0.tar.bz2
>
> >
> > Request to please let me know input / feedback if i am missing any
> > obvious things here
>
> It's hard to say. There are quite a few variables and I am not sure
> exactly what the current state of your work is and where you want to go
> (ie what your goals and requirements are)
>
> I guess you should determine what the login programs used are and then
> to address those to ensure that login user shells are labeled the way
> you want them labeled.
>
> It is probably best to enclose avc denials for any challenge you face.
>
> >
> > Thanks ,
> > Ashish
> >
> >
> >
> >
> >
> >
> >
> > On Mon, Jan 4, 2021 at 6:21 PM Dominick Grift
> > <dominick.grift@defensec.nl> wrote:
> >>
> >> Ashish Mishra <ashishm@mvista.com> writes:
> >>
> >> > Hi Dominick ,
> >> >
> >> > Thanks for inputs .
> >> >
> >> > a) This is an embedded board which logs in by default as a ROOT user.
> >> > Any pointers as to where I can look to debug the cause due to
> >> > which context is "system_u"
> >>
> >> Lack of PAM support or misconfigured PAM config (pam_selinux needs to
> >> be present in the appropriate PAM stacks)
> >>
> >> >
> >> > b) Apologies , but can you please help method / approach / debug
> >> > points by which
> >> > -> I can evaluate the expected contexts for root & testuser
> >> > -> I can see that the labels are created using ls -alZ .
> >> > Is there any other method / debug point to check filesystems
> >> > are labeled according to the policy.
> >> > ( as i am using standard refpolicy to create an default policy
> >> > on board )
> >>
> >> You start by determining the current context of the login user (id -Z
> >> will print the context of the current shell). Then you determine the
> >> context of the directory in which the file is created (ls -dZ)
> >>
> >> With this information you can query:
> >>
> >> sesearch -T -s "type returned by id -Z" | grep "type returned by ls -dZ"
> >>
> >> That should return any existing "type_transition" rules where the type
> >> of the user is the source and the type of the destination directory is a target
> >>
> >> >
> >> >
> >> > Thanks ,
> >> > Ashish
> >>
> >> The question is whether you want/need IBAC/RBAC on an embedded device
> >> with only one user (root)
> >>
> >> In my policy for OpenWrt (which is an embedded wireless router firmware) I
> >> do not use IBAC/RBAC either and I just add a rule that says when the
> >> login program (sshd) executes a shell then assume that this is a login
> >> user shell and automatically transition from the sshd context to a specified
> >> user context)
> >>
> >> On embedded devices "modular reference policy" does not make sense to
> >> use (these devices generally do not have the resources to compile/link
> >> policy at runtime) IMHO and the "monolithic reference policy" does not work well with
> >> PAM and users.
> >>
> >> But, yes, if you want modular refpolicy on a multi-user system then you
> >> probably want PAM
> >>
>
>
>
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
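The debugging steps quoted in this message (id -Z, ls -dZ, then sesearch -T for type_transition rules) and the point that a file with no matching rule simply inherits its directory's type, as an added shell example that is not part of the thread. The sample rule lines, the type names in them and the `--live` flag are constructed for illustration; the live mode assumes coreutils-style `ls -dZ` output.

```shell
#!/bin/sh
# Added example, not from the thread. It scripts the debugging procedure from
# the quoted reply: take the login shell's type (id -Z) and the directory's
# type (ls -dZ), then look for type_transition rules between them in
# `sesearch -T` output. If no rule matches, a new file simply inherits the
# directory's type, which is why a root_t directory yields root_t files.

# ctx_type "user:role:type[:range]" -> prints the type field of a context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# transitions_for SRC_TYPE TGT_TYPE: reads sesearch -T output on stdin and
# prints the type_transition rules whose source is SRC_TYPE and whose target
# is TGT_TYPE (the "sesearch -T -s ... | grep ..." step written as a filter).
transitions_for() {
    awk -v src="$1" -v tgt="$2" '
        $1 == "type_transition" && $2 == src {
            split($3, t, ":")
            if (t[1] == tgt) print
        }'
}

# transition_count SRC_TYPE TGT_TYPE: number of matching rules (0 if none).
transition_count() {
    transitions_for "$1" "$2" | awk 'END { print NR }'
}

# new_object_type SRC_TYPE TGT_TYPE CLASS: reads sesearch -T output on stdin
# and prints the type a new object of CLASS created by SRC_TYPE inside a
# TGT_TYPE directory receives. Named transitions (rules carrying a filename,
# so 5 fields) are skipped because they apply to that one filename only.
# With no applicable rule the object inherits the parent directory's type.
new_object_type() {
    awk -v src="$1" -v tgt="$2" -v cls="$3" '
        $1 == "type_transition" && $2 == src && $3 == (tgt ":" cls) && NF == 4 {
            sub(/;$/, "", $4)
            print $4
            found = 1
            exit
        }
        END { if (!found) print tgt }'
}

# Constructed sample of sesearch -T output (hypothetical rules for
# illustration; the real rule set is whatever your policy contains).
SAMPLE_RULES='type_transition sshd_t shell_exec_t:process unconfined_t;
type_transition unconfined_t user_home_dir_t:dir ssh_home_t ".ssh";
type_transition unconfined_t user_home_dir_t:dir user_home_t;
type_transition unconfined_t user_home_dir_t:file user_home_t;
type_transition unconfined_t tmp_t:file user_tmp_t;'

# Live mode, to be run on the target where setools (sesearch) is installed:
#   sh this_script.sh --live /home
# Assumes coreutils-style "ls -dZ" output ("context path"); busybox ls may differ.
if [ "${1:-}" = "--live" ] && command -v sesearch >/dev/null 2>&1; then
    dir=${2:-.}
    src=$(ctx_type "$(id -Z)")
    tgt=$(ctx_type "$(ls -dZ "$dir" | awk '{ print $1 }')")
    echo "login shell type: $src   directory type: $tgt"
    echo "matching type_transition rules: $(sesearch -T -s "$src" | transition_count "$src" "$tgt")"
    sesearch -T -s "$src" | transitions_for "$src" "$tgt"
    echo "a new file in $dir would get type: $(sesearch -T -s "$src" | new_object_type "$src" "$tgt" file)"
fi
```

Run against the constructed rules, a kernel_t shell creating a file in a root_t directory finds no rule and gets root_t, which matches the behaviour reported in the thread; a confined user shell in user_home_dir_t gets user_home_t.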
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Selinux context type is same for root & normal user both
2021-01-06 14:27 ` Ashish Mishra
@ 2021-01-06 14:41 ` Dominick Grift
2021-01-06 14:45 ` Dominick Grift
0 siblings, 1 reply; 19+ messages in thread
From: Dominick Grift @ 2021-01-06 14:41 UTC (permalink / raw)
To: Ashish Mishra; +Cc: SElinux list, Paul Moore
Ashish Mishra <ashishm@mvista.com> writes:
> Hi Dominick ,
>
> 1) Thanks for pointers .
> I will look at the suggestion for login programs.
>
> 2) The major discrepancy which I am observing is that all the folders and files across the
> filesystem have the same context "system_u:object_r:root_t".
> Like /etc, /var, /bin, /root etc. all folders & files have
> this same context.
> Attached is the context log for the folder.
Can you also enclose the output of the `mount` command? It might help to
give us an idea of your filesystem requirements.
>
> Any feedback / pointer on point-2 will be helpful .
> I will evaluate the point-1 as suggested .
>
> Thanks for sharing valuable info.
> Ashish
>
> home # ps -Z
> PID CONTEXT STAT COMMAND
> 1 system_u:system_r:kernel_t S init
> 2 system_u:system_r:kernel_t SW [kthreadd]
> 3 system_u:system_r:kernel_t SW [ksoftirqd/0]
> 4 system_u:system_r:kernel_t SW [kworker/0:0]
> 5 system_u:system_r:kernel_t SW< [kworker/0:0H]
> 6 system_u:system_r:kernel_t SW [kworker/u8:0]
> 7 system_u:system_r:kernel_t SW [rcu_sched]
> 8 system_u:system_r:kernel_t SW [rcu_bh]
> 9 system_u:system_r:kernel_t SW [migration/0]
> 10 system_u:system_r:kernel_t SW< [lru-add-drain]
> 11 system_u:system_r:kernel_t SW [cpuhp/0]
> 12 system_u:system_r:kernel_t SW [kdevtmpfs]
> 13 system_u:system_r:kernel_t SW< [netns]
> 14 system_u:system_r:kernel_t SW [oom_reaper]
> 15 system_u:system_r:kernel_t SW [kworker/u8:1]
> 124 system_u:system_r:kernel_t SW< [writeback]
> 126 system_u:system_r:kernel_t SW [kcompactd0]
> 127 system_u:system_r:kernel_t SW< [bioset]
> 129 system_u:system_r:kernel_t SW< [kblockd]
> 151 system_u:system_r:kernel_t SW [kworker/0:1]
> 167 system_u:system_r:kernel_t SW [kswapd0]
> 168 system_u:system_r:kernel_t SW< [vmstat]
> 787 system_u:system_r:kernel_t SW< [ipv6_addrconf]
> 798 system_u:system_r:kernel_t S syslogd
> 805 system_u:system_r:kernel_t S< auditd
> 808 system_u:system_r:kernel_t SW [kauditd]
> 859 system_u:system_r:kernel_t R /bin/sm_manager
> 861 system_u:system_r:kernel_t S /bin/sh
> 880 system_u:system_r:kernel_t R ps -Z
> /home #
> /home #
> /home #
> /home # ls
> test testfile
> /home # cd
> ~ # ls
> bin etc lib lxc proc share usr
> dev home lib64 mnt root sys var
> drivers init linuxrc mnth sbin tmp
> ~ # cd /etc/
> /etc # ls
> audisp gshadow mtab selinux udhcpd.conf
> audit host.conf pam.d sestatus.conf xattr.conf
> default hosts passwd shadow
> environment inittab protocols subgid
> fstab libaudit.conf rc.d subuid
> group lxc security sysconfig
> /etc # cd
> ~ # ls
> bin etc lib lxc proc share usr
> dev home lib64 mnt root sys var
> drivers init linuxrc mnth sbin tmp
> ~ #
> ~ #
> ~ # ls
> bin etc lib lxc proc share usr
> dev home lib64 mnt root sys var
> drivers init linuxrc mnth sbin tmp
> ~ # ^C
> ~ # ls -alZ bin
> drwxr-xr-x 2 root root system_u:object_r:root_t 1620 Jan 4 23:29 .
> drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 arch -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ash -> /bin/busybox
> -rwxr-xr-x 1 root root system_u:object_r:root_t 1267040 Jan 4 23:29 bash
> -rwxr-xr-x 1 root root system_u:object_r:root_t 1593984 Jan 4 23:29 busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 cat -> /bin/busybox
> -rwxr-xr-x 1 root root system_u:object_r:root_t 7664 Jan 4 23:29 cav_sh
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 chattr -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 chgrp -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 chmod -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 chown -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 cp -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 cttyhack -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 date -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 dd -> /bin/busybox
> -rwxr-xr-x 1 root root system_u:object_r:root_t 200 Jan 4 23:29 delete_smapp.sh
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 df -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 dmesg -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 echo -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 egrep -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 false -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 fatattr -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 fdflush -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 fgrep -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 fsync -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 getopt -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 grep -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 gunzip -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 gzip -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ionice -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 iostat -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 kill -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 link -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 linux32 -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 linux64 -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ln -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 login -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ls -> /bin/busybox
> -rwxr-xr-x 1 root root system_u:object_r:root_t 7736 Jan 4 23:29 lsmod
> -rwxr-xr-x 1 root root system_u:object_r:root_t 128952 Jan 4 23:29 lspci
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mkdir -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mknod -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mktemp -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 more -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mount -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mountpoint -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mv -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 nice -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 nuke -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 pidof -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 pipe_progress -> /bin/busybox
> -rwxr-xr-x 1 root root system_u:object_r:root_t 13397 Jan 4 23:29 pow_test
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 printenv -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ps -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 pwd -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 resume -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 rev -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 rm -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 rmdir -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 sed -> /bin/busybox
> -rwxr-xr-x 1 root root system_u:object_r:root_t 61160 Jan 4 23:29 setpci
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 setpriv -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 sh -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 sleep -> /bin/busybox
> -rwxr-xr-x 1 root root system_u:object_r:root_t 298279 Jan 4 23:29 sm_manager
> -rwxr-xr-x 1 root root system_u:object_r:root_t 781 Jan 4 23:29 smapp_manage.sh
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 stat -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 stty -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 su -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 sync -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 tar -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 touch -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 true -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 umount -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 uname -> /bin/busybox
> -rwxr-xr-x 1 root root system_u:object_r:root_t 1340 Jan 4 23:29 upgrade_smapp.sh
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 usleep -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 vi -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 watch -> /bin/busybox
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 zcat -> /bin/busybox
> ~ # ls -alZ etc
> drwxr-xr-x 11 root root system_u:object_r:root_t 560 Jan 6 12:37 .
> drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
> drwxr-xr-x 3 root root system_u:object_r:root_t 100 Jan 4 23:07 audisp
> drwxr-xr-x 2 root root system_u:object_r:root_t 80 Jan 4 23:07 audit
> drwxr-xr-x 2 root root system_u:object_r:root_t 60 Jan 4 23:17 default
> -rw-r--r-- 1 root root system_u:object_r:root_t 97 Jan 4 23:17 environment
> -rw-r--r-- 1 root root system_u:object_r:root_t 330 Jan 4 23:09 fstab
> -rw-r--r-- 1 root root system_u:object_r:root_t 21 Jan 4 23:09 group
> -rw-r--r-- 1 root root system_u:object_r:root_t 9 Jan 4 23:09 gshadow
> -rw-r--r-- 1 root root system_u:object_r:root_t 17 Jan 4 23:09 host.conf
> -rw-r--r-- 1 root root system_u:object_r:root_t 20 Jan 4 23:09 hosts
> -rw-r--r-- 1 root root system_u:object_r:root_t 55 Jan 4 23:09 inittab
> -rw-r----- 1 root root system_u:object_r:root_t 191 Jan 4 23:07 libaudit.conf
> drwxr-xr-x 2 root root system_u:object_r:root_t 60 Jan 4 23:17 lxc
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mtab -> /proc/mounts
> drwxr-xr-x 2 root root system_u:object_r:root_t 40 Jan 4 23:08 pam.d
> -rw-r--r-- 1 root root system_u:object_r:root_t 70 Jan 4 23:09 passwd
> -rw-r--r-- 1 root root system_u:object_r:root_t 6108 Jan 4 23:09 protocols
> drwxr-xr-x 3 root root system_u:object_r:root_t 60 Jan 4 23:07 rc.d
> drwxr-xr-x 4 root root system_u:object_r:root_t 260 Jan 4 23:18 security
> drwxr-xr-x 3 root root system_u:object_r:root_t 100 Jan 4 23:29 selinux
> -rw-r--r-- 1 root root system_u:object_r:root_t 216 Jan 4 23:08 sestatus.conf
> -rw-r--r-- 1 root root system_u:object_r:root_t 12 Jan 4 23:09 shadow
> -rw-r--r-- 1 root root system_u:object_r:root_t 19 Jan 6 12:37 subgid
> -rw-r--r-- 1 root root system_u:object_r:root_t 19 Jan 6 12:37 subuid
> drwxr-xr-x 2 root root system_u:object_r:root_t 60 Jan 4 23:07 sysconfig
> -rw-r--r-- 1 root root system_u:object_r:root_t 3048 Jan 4 23:09 udhcpd.conf
> -rw-r--r-- 1 root root system_u:object_r:root_t 642 Jan 4 23:13 xattr.conf
> ~ # ls -alZ lib
> drwxr-xr-x 3 root root system_u:object_r:root_t 60 Jan 4 23:07 .
> drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
> drwxr-xr-x 3 root root system_u:object_r:root_t 60 Jan 4 23:07 modules
> ~ # ls -alZ li
> lib/ lib64/ linuxrc
> ~ # ls -alZ li
> lib/ lib64/ linuxrc
> ~ # ls -alZ li64
> ls: li64: No such file or directory
> ~ # ls -alZ lib64
> drwxr-xr-x 3 root root system_u:object_r:root_t 1320 Jan 4 23:29 .
> drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
> -r-xr-xr-x 1 root root system_u:object_r:root_t 210624 Jan 4 23:29 ld-2.16.so
> lrwxrwxrwx 1 root root system_u:object_r:root_t 10 Jan 4 23:29 ld.so.1 -> ld-2.16.so
> -r-xr-xr-x 1 root root system_u:object_r:root_t 67824 Jan 4 23:29 libBrokenLocale-2.16.so
> lrwxrwxrwx 1 root root system_u:object_r:root_t 23 Jan 4 23:29 libBrokenLocale.so.1 -> libBrokenLocale-2.16.so
> -r-xr-xr-x 1 root root system_u:object_r:root_t 71182 Jan 4 23:29 libSegFault.so
> -r-xr-xr-x 1 root root system_u:object_r:root_t 68768 Jan 4 23:29 libanl-2.16.so
> lrwxrwxrwx 1 root root system_u:object_r:root_t 14 Jan 4 23:29 libanl.so.1 -> libanl-2.16.so
> lrwxrwxrwx 1 root root system_u:object_r:root_t 16 Jan 4 23:29 libasan.so.0 -> libasan.so.0.0.0
> -r-xr-xr-x 1 root root system_u:object_r:root_t 215896 Jan 4 23:29 libasan.so.0.0.0
> lrwxrwxrwx 1 root root system_u:object_r:root_t 18 Jan 4 23:29 libatomic.so.1 -> libatomic.so.1.0.0
> -r-xr-xr-x 1 root root system_u:object_r:root_t 35056 Jan 4 23:29 libatomic.so.1.0.0
> -r-xr-xr-x 1 root root system_u:object_r:root_t 1946544 Jan 4 23:29 libc-2.16.so
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:29 libc.so.6 -> libc-2.16.so
> -r-xr-xr-x 1 root root system_u:object_r:root_t 200408 Jan 4 23:29 libcidn-2.16.so
> lrwxrwxrwx 1 root root system_u:object_r:root_t 15 Jan 4 23:29 libcidn.so.1 -> libcidn-2.16.so
> -r-xr-xr-x 1 root root system_u:object_r:root_t 69416 Jan 4 23:29 libcrypt-2.16.so
> lrwxrwxrwx 1 root root system_u:object_r:root_t 16 Jan 4 23:29 libcrypt.so.1 -> libcrypt-2.16.so
> -r-xr-xr-x 1 root root system_u:object_r:root_t 68920 Jan 4 23:29 libdl-2.16.so
> lrwxrwxrwx 1 root root system_u:object_r:root_t 13 Jan 4 23:29 libdl.so.2 -> libdl-2.16.so
> -r--r--r-- 1 root root system_u:object_r:root_t 161643 Jan 4 23:29 libgcc_s.so.1
> lrwxrwxrwx 1 root root system_u:object_r:root_t 16 Jan 4 23:29 libgomp.so.1 -> libgomp.so.1.0.0
> -r-xr-xr-x 1 root root system_u:object_r:root_t 87728 Jan 4 23:29 libgomp.so.1.0.0
> -r-xr-xr-x 1 root root system_u:object_r:root_t 1006288 Jan 4 23:29 libm-2.16.so
> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:29 libm.so.6 -> libm-2.16.so
> -r-xr-xr-x 1 root root system_u:object_r:root_t 73221 Jan 4 23:29 libmemusage.so
> lrwxrwxrwx 1 root root system_u:object_r:root_t 19 Jan 4 23:29 libmudflap.so.0 -> libmudflap.so.0.0.0
> -r-xr-xr-x 1 root root system_u:object_r:root_t 209120 Jan 4 23:29 libmudflap.so.0.0.0
> lrwxrwxrwx 1 root root system_u:object_r:root_t 21 Jan 4 23:29 libmudflapth.so.0 -> libmudflapth.so.0.0.0
> -r-xr-xr-x 1 root root system_u:object_r:root_t 209592 Jan 4 23:29 libmudflapth.so.0.0.0
> -r-xr-xr-x 1 root root system_u:object_r:root_t 140688 Jan 4 23:29 libnsl-2.16.so
> lrwxrwxrwx 1 root root system_u:object_r:root_t 14 Jan 4 23:29 libnsl.so.1 -> libnsl-2.16.so
> -r-xr-xr-x 1 root root system_u:object_r:root_t 70352 Jan 4 23:29 libnss_compat-2.16.so
> lrwxrwxrwx 1 root root system_u:object_r:root_t 21 Jan 4 23:29 libnss_compat.so.2 -> libnss_compat-2.16.so
> -r-xr-xr-x 1 root root system_u:object_r:root_t 71056 Jan 4 23:29 libnss_db-2.16.so
> lrwxrwxrwx 1 root root system_u:object_r:root_t 17 Jan 4 23:29 libnss_db.so.2 -> libnss_db-2.16.so
> -r-xr-xr-x 1 root root system_u:object_r:root_t 68520 Jan 4 23:29 libnss_dns-2.16.so
> lrwxrwxrwx 1 root root system_u:object_r:root_t 18 Jan 4 23:29 libnss_dns.so.2 -> libnss_dns-2.16.so
> -r-xr-xr-x 1 root root system_u:object_r:root_t 72024 Jan 4 23:29 libnss_files-2.16.so
> lrwxrwxrwx 1 root root system_u:object_r:root_t 20 Jan 4 23:29 libnss_files.so.2 -> libnss_files-2.16.so
> -r-xr-xr-x 1 root root system_u:object_r:root_t 69248 Jan 4 23:29 libnss_hesiod-2.16.so
> lrwxrwxrwx 1 root root system_u:object_r:root_t 21 Jan 4 23:29 libnss_hesiod.so.2 -> libnss_hesiod-2.16.so
> -r-xr-xr-x 1 root root system_u:object_r:root_t 70800 Jan 4 23:29 libnss_nis-2.16.so
> lrwxrwxrwx 1 root root system_u:object_r:root_t 18 Jan 4 23:29 libnss_nis.so.2 -> libnss_nis-2.16.so
> -r-xr-xr-x 1 root root system_u:object_r:root_t 71040 Jan 4 23:29 libnss_nisplus-2.16.so
> lrwxrwxrwx 1 root root system_u:object_r:root_t 22 Jan 4 23:29 libnss_nisplus.so.2 -> libnss_nisplus-2.16.so
> -r-xr-xr-x 1 root root system_u:object_r:root_t 70402 Jan 4 23:29 libpcprofile.so
> -r-xr-xr-x 1 root root system_u:object_r:root_t 143640 Jan 4 23:29 libpthread-2.16.so
> lrwxrwxrwx 1 root root system_u:object_r:root_t 18 Jan 4 23:29 libpthread.so.0 -> libpthread-2.16.so
> -r-xr-xr-x 1 root root system_u:object_r:root_t 138480 Jan 4 23:29 libresolv-2.16.so
> lrwxrwxrwx 1 root root system_u:object_r:root_t 17 Jan 4 23:29 libresolv.so.2 -> libresolv-2.16.so
> -r-xr-xr-x 1 root root system_u:object_r:root_t 71296 Jan 4 23:29 librt-2.16.so
> lrwxrwxrwx 1 root root system_u:object_r:root_t 13 Jan 4 23:29 librt.so.1 -> librt-2.16.so
> lrwxrwxrwx 1 root root system_u:object_r:root_t 15 Jan 4 23:29 libssp.so.0 -> libssp.so.0.0.0
> -r-xr-xr-x 1 root root system_u:object_r:root_t 11488 Jan 4 23:29 libssp.so.0.0.0
> lrwxrwxrwx 1 root root system_u:object_r:root_t 19 Jan 4 23:29 libstdc++.so.6 -> libstdc++.so.6.0.17
> -r-xr-xr-x 1 root root system_u:object_r:root_t 1198520 Jan 4 23:29 libstdc++.so.6.0.17
> -rw-r--r-- 1 root root system_u:object_r:root_t 2436 Jan 4 23:29 libstdc++.so.6.0.17-gdb.py
> -r-xr-xr-x 1 root root system_u:object_r:root_t 70256 Jan 4 23:29 libthread_db-1.0.so
> lrwxrwxrwx 1 root root system_u:object_r:root_t 19 Jan 4 23:29 libthread_db.so.1 -> libthread_db-1.0.so
> lrwxrwxrwx 1 root root system_u:object_r:root_t 17 Jan 4 23:29 libubsan.so.0 -> libubsan.so.0.0.0
> -r-xr-xr-x 1 root root system_u:object_r:root_t 606176 Jan 4 23:29 libubsan.so.0.0.0
> -r-xr-xr-x 1 root root system_u:object_r:root_t 68344 Jan 4 23:29 libutil-2.16.so
> lrwxrwxrwx 1 root root system_u:object_r:root_t 15 Jan 4 23:29 libutil.so.1 -> libutil-2.16.so
> drwxr-xr-x 2 root root system_u:object_r:root_t 1440 Jan 4 23:29 octeon2
> ~ # ls -alZ drivers
> drwxr-xr-x 2 root root system_u:object_r:root_t 60 Jan 4 23:29 .
> drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
> -rw-r--r-- 1 root root system_u:object_r:root_t 14558 Jan 4 23:29 pow_drv.ko
> ~ #
> ~ #
> ~ # ls -alZ tmp
> drwxr-xr-x 2 root root system_u:object_r:root_t 40 Jan 4 23:09 .
> drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
> ~ #
> ~ #
> ~ #
> ~ # ls /
> bin etc lib lxc proc share usr
> dev home lib64 mnt root sys var
> drivers init linuxrc mnth sbin tmp
> ~ # ls -alZ var/
> drwxr-xr-x 6 root root system_u:object_r:root_t 120 Jan 6 12:37 .
> drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
> drwxr-xr-x 3 root root system_u:object_r:root_t 60 Jan 4 23:17 cache
> drwxr-xr-x 4 root root system_u:object_r:root_t 80 Jan 4 23:17 lib
> drwxr-xr-x 3 root root system_u:object_r:root_t 80 Jan 6 12:37 log
> drwxr-xr-x 4 root root system_u:object_r:root_t 140 Jan 6 12:37 run
> ~ #
> CTRL-A Z for help |115200 8N1 | NOR | Minicom 2.6.2 | VT102 | Offline
>
>
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
* Re: Selinux context type is same for root & normal user both
2021-01-06 14:41 ` Dominick Grift
@ 2021-01-06 14:45 ` Dominick Grift
0 siblings, 0 replies; 19+ messages in thread
From: Dominick Grift @ 2021-01-06 14:45 UTC (permalink / raw)
To: Ashish Mishra; +Cc: SElinux list, Paul Moore
Dominick Grift <dominick.grift@defensec.nl> writes:
> Ashish Mishra <ashishm@mvista.com> writes:
>
>> Hi Dominick,
>>
>> 1) Thanks for the pointers.
>> I will look at the suggestion for login programs.
>>
>> 2) The major discrepancy which I am observing is that all the folders and files across
>> the filesystem have the same context "system_u:object_r:root_t".
>> Like /etc, /var, /bin, /root etc. all folders & files have
>> this same context.
>> Attached is the context log for the folder.
>
> Can you also enclose the output of the `mount` command? It might help to
> give us an idea of your filesystem requirements
It is probably not a good idea (and not needed) to have auditd on these types of systems
by the way
>
>
>>
>> Any feedback / pointer on point 2 will be helpful.
>> I will evaluate point 1 as suggested.
>>
>> Thanks for sharing valuable info.
>> Ashish
>>
>> home # ps -Z
>> PID CONTEXT STAT COMMAND
>> 1 system_u:system_r:kernel_t S init
>> 2 system_u:system_r:kernel_t SW [kthreadd]
>> 3 system_u:system_r:kernel_t SW [ksoftirqd/0]
>> 4 system_u:system_r:kernel_t SW [kworker/0:0]
>> 5 system_u:system_r:kernel_t SW< [kworker/0:0H]
>> 6 system_u:system_r:kernel_t SW [kworker/u8:0]
>> 7 system_u:system_r:kernel_t SW [rcu_sched]
>> 8 system_u:system_r:kernel_t SW [rcu_bh]
>> 9 system_u:system_r:kernel_t SW [migration/0]
>> 10 system_u:system_r:kernel_t SW< [lru-add-drain]
>> 11 system_u:system_r:kernel_t SW [cpuhp/0]
>> 12 system_u:system_r:kernel_t SW [kdevtmpfs]
>> 13 system_u:system_r:kernel_t SW< [netns]
>> 14 system_u:system_r:kernel_t SW [oom_reaper]
>> 15 system_u:system_r:kernel_t SW [kworker/u8:1]
>> 124 system_u:system_r:kernel_t SW< [writeback]
>> 126 system_u:system_r:kernel_t SW [kcompactd0]
>> 127 system_u:system_r:kernel_t SW< [bioset]
>> 129 system_u:system_r:kernel_t SW< [kblockd]
>> 151 system_u:system_r:kernel_t SW [kworker/0:1]
>> 167 system_u:system_r:kernel_t SW [kswapd0]
>> 168 system_u:system_r:kernel_t SW< [vmstat]
>> 787 system_u:system_r:kernel_t SW< [ipv6_addrconf]
>> 798 system_u:system_r:kernel_t S syslogd
>> 805 system_u:system_r:kernel_t S< auditd
>> 808 system_u:system_r:kernel_t SW [kauditd]
>> 859 system_u:system_r:kernel_t R /bin/sm_manager
>> 861 system_u:system_r:kernel_t S /bin/sh
>> 880 system_u:system_r:kernel_t R ps -Z
>> /home #
>> /home #
>> /home #
>> /home # ls
>> test testfile
>> /home # cd
>> ~ # ls
>> bin etc lib lxc proc share usr
>> dev home lib64 mnt root sys var
>> drivers init linuxrc mnth sbin tmp
>> ~ # cd /etc/
>> /etc # ls
>> audisp gshadow mtab selinux udhcpd.conf
>> audit host.conf pam.d sestatus.conf xattr.conf
>> default hosts passwd shadow
>> environment inittab protocols subgid
>> fstab libaudit.conf rc.d subuid
>> group lxc security sysconfig
>> /etc # cd
>> ~ # ls
>> bin etc lib lxc proc share usr
>> dev home lib64 mnt root sys var
>> drivers init linuxrc mnth sbin tmp
>> ~ #
>> ~ #
>> ~ # ls -alZ bin/
>> drwxr-xr-x 2 root root system_u:object_r:root_t 1620 Jan 4 23:29 .
>> drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 arch -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ash -> /bin/busybox
>> -rwxr-xr-x 1 root root system_u:object_r:root_t 1267040 Jan 4 23:29 bash
>> -rwxr-xr-x 1 root root system_u:object_r:root_t 1593984 Jan 4 23:29 busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 cat -> /bin/busybox
>> -rwxr-xr-x 1 root root system_u:object_r:root_t 7664 Jan 4 23:29 cav_sh
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 chattr -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 chgrp -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 chmod -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 chown -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 cp -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 cttyhack -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 date -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 dd -> /bin/busybox
>> -rwxr-xr-x 1 root root system_u:object_r:root_t 200 Jan 4 23:29 delete_smapp.sh
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 df -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 dmesg -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 echo -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 egrep -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 false -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 fatattr -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 fdflush -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 fgrep -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 fsync -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 getopt -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 grep -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 gunzip -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 gzip -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ionice -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 iostat -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 kill -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 link -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 linux32 -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 linux64 -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ln -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 login -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ls -> /bin/busybox
>> -rwxr-xr-x 1 root root system_u:object_r:root_t 7736 Jan 4 23:29 lsmod
>> -rwxr-xr-x 1 root root system_u:object_r:root_t 128952 Jan 4 23:29 lspci
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mkdir -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mknod -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mktemp -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 more -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mount -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mountpoint -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mv -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 nice -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 nuke -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 pidof -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 pipe_progress -> /bin/busybox
>> ~ # ls -alZ etc
>> drwxr-xr-x 11 root root system_u:object_r:root_t 560 Jan 6 12:37 .
>> drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
>> drwxr-xr-x 3 root root system_u:object_r:root_t 100 Jan 4 23:07 audisp
>> drwxr-xr-x 2 root root system_u:object_r:root_t 80 Jan 4 23:07 audit
>> drwxr-xr-x 2 root root system_u:object_r:root_t 60 Jan 4 23:17 default
>> -rw-r--r-- 1 root root system_u:object_r:root_t 97 Jan 4 23:17 environment
>> -rw-r--r-- 1 root root system_u:object_r:root_t 330 Jan 4 23:09 fstab
>> -rw-r--r-- 1 root root system_u:object_r:root_t 21 Jan 4 23:09 group
>> -rw-r--r-- 1 root root system_u:object_r:root_t 9 Jan 4 23:09 gshadow
>> -rw-r--r-- 1 root root system_u:object_r:root_t 17 Jan 4 23:09 host.conf
>> -rw-r--r-- 1 root root system_u:object_r:root_t 20 Jan 4 23:09 hosts
>> -rw-r--r-- 1 root root system_u:object_r:root_t 55 Jan 4 23:09 inittab
>> -rw-r----- 1 root root system_u:object_r:root_t 191 Jan 4 23:07 libaudit.conf
>> drwxr-xr-x 2 root root system_u:object_r:root_t 60 Jan 4 23:17 lxc
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mtab -> /proc/mounts
>> drwxr-xr-x 2 root root system_u:object_r:root_t 40 Jan 4 23:08 pam.d
>> -rw-r--r-- 1 root root system_u:object_r:root_t 70 Jan 4 23:09 passwd
>> -rw-r--r-- 1 root root system_u:object_r:root_t 6108 Jan 4 23:09 protocols
>> drwxr-xr-x 3 root root system_u:object_r:root_t 60 Jan 4 23:07 rc.d
>> drwxr-xr-x 4 root root system_u:object_r:root_t 260 Jan 4 23:18 security
>> drwxr-xr-x 3 root root system_u:object_r:root_t 100 Jan 4 23:29 selinux
>> -rw-r--r-- 1 root root system_u:object_r:root_t 216 Jan 4 23:08 sestatus.conf
>> -rw-r--r-- 1 root root system_u:object_r:root_t 12 Jan 4 23:09 shadow
>> -rw-r--r-- 1 root root system_u:object_r:root_t 19 Jan 6 12:37 subgid
>> -rw-r--r-- 1 root root system_u:object_r:root_t 19 Jan 6 12:37 subuid
>> drwxr-xr-x 2 root root system_u:object_r:root_t 60 Jan 4 23:07 sysconfig
>> -rw-r--r-- 1 root root system_u:object_r:root_t 3048 Jan 4 23:09 udhcpd.conf
>> -rw-r--r-- 1 root root system_u:object_r:root_t 642 Jan 4 23:13 xattr.conf
>> ~ # ls
>> bin etc lib lxc proc share usr
>> dev home lib64 mnt root sys var
>> drivers init linuxrc mnth sbin tmp
>> ~ # ^C
>> ~ # ls -alZ bin
>> drwxr-xr-x 2 root root system_u:object_r:root_t 1620 Jan 4 23:29 .
>> drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 arch -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ash -> /bin/busybox
>> -rwxr-xr-x 1 root root system_u:object_r:root_t 1267040 Jan 4 23:29 bash
>> -rwxr-xr-x 1 root root system_u:object_r:root_t 1593984 Jan 4 23:29 busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 cat -> /bin/busybox
>> -rwxr-xr-x 1 root root system_u:object_r:root_t 7664 Jan 4 23:29 cav_sh
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 chattr -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 chgrp -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 chmod -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 chown -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 cp -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 cttyhack -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 date -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 dd -> /bin/busybox
>> -rwxr-xr-x 1 root root system_u:object_r:root_t 200 Jan 4 23:29 delete_smapp.sh
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 df -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 dmesg -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 echo -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 egrep -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 false -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 fatattr -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 fdflush -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 fgrep -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 fsync -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 getopt -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 grep -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 gunzip -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 gzip -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ionice -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 iostat -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 kill -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 link -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 linux32 -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 linux64 -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ln -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 login -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ls -> /bin/busybox
>> -rwxr-xr-x 1 root root system_u:object_r:root_t 7736 Jan 4 23:29 lsmod
>> -rwxr-xr-x 1 root root system_u:object_r:root_t 128952 Jan 4 23:29 lspci
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mkdir -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mknod -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mktemp -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 more -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mount -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mountpoint -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mv -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 nice -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 nuke -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 pidof -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 pipe_progress -> /bin/busybox
>> -rwxr-xr-x 1 root root system_u:object_r:root_t 13397 Jan 4 23:29 pow_test
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 printenv -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 ps -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 pwd -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 resume -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 rev -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 rm -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 rmdir -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 sed -> /bin/busybox
>> -rwxr-xr-x 1 root root system_u:object_r:root_t 61160 Jan 4 23:29 setpci
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 setpriv -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 sh -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 sleep -> /bin/busybox
>> -rwxr-xr-x 1 root root system_u:object_r:root_t 298279 Jan 4 23:29 sm_manager
>> -rwxr-xr-x 1 root root system_u:object_r:root_t 781 Jan 4 23:29 smapp_manage.sh
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 stat -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 stty -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 su -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 sync -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 tar -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 touch -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 true -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 umount -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 uname -> /bin/busybox
>> -rwxr-xr-x 1 root root system_u:object_r:root_t 1340 Jan 4 23:29 upgrade_smapp.sh
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 usleep -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 vi -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 watch -> /bin/busybox
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 zcat -> /bin/busybox
>> ~ # ls -alZ etc
>> drwxr-xr-x 11 root root system_u:object_r:root_t 560 Jan 6 12:37 .
>> drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
>> drwxr-xr-x 3 root root system_u:object_r:root_t 100 Jan 4 23:07 audisp
>> drwxr-xr-x 2 root root system_u:object_r:root_t 80 Jan 4 23:07 audit
>> drwxr-xr-x 2 root root system_u:object_r:root_t 60 Jan 4 23:17 default
>> -rw-r--r-- 1 root root system_u:object_r:root_t 97 Jan 4 23:17 environment
>> -rw-r--r-- 1 root root system_u:object_r:root_t 330 Jan 4 23:09 fstab
>> -rw-r--r-- 1 root root system_u:object_r:root_t 21 Jan 4 23:09 group
>> -rw-r--r-- 1 root root system_u:object_r:root_t 9 Jan 4 23:09 gshadow
>> -rw-r--r-- 1 root root system_u:object_r:root_t 17 Jan 4 23:09 host.conf
>> -rw-r--r-- 1 root root system_u:object_r:root_t 20 Jan 4 23:09 hosts
>> -rw-r--r-- 1 root root system_u:object_r:root_t 55 Jan 4 23:09 inittab
>> -rw-r----- 1 root root system_u:object_r:root_t 191 Jan 4 23:07 libaudit.conf
>> drwxr-xr-x 2 root root system_u:object_r:root_t 60 Jan 4 23:17 lxc
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:09 mtab -> /proc/mounts
>> drwxr-xr-x 2 root root system_u:object_r:root_t 40 Jan 4 23:08 pam.d
>> -rw-r--r-- 1 root root system_u:object_r:root_t 70 Jan 4 23:09 passwd
>> -rw-r--r-- 1 root root system_u:object_r:root_t 6108 Jan 4 23:09 protocols
>> drwxr-xr-x 3 root root system_u:object_r:root_t 60 Jan 4 23:07 rc.d
>> drwxr-xr-x 4 root root system_u:object_r:root_t 260 Jan 4 23:18 security
>> drwxr-xr-x 3 root root system_u:object_r:root_t 100 Jan 4 23:29 selinux
>> -rw-r--r-- 1 root root system_u:object_r:root_t 216 Jan 4 23:08 sestatus.conf
>> -rw-r--r-- 1 root root system_u:object_r:root_t 12 Jan 4 23:09 shadow
>> -rw-r--r-- 1 root root system_u:object_r:root_t 19 Jan 6 12:37 subgid
>> -rw-r--r-- 1 root root system_u:object_r:root_t 19 Jan 6 12:37 subuid
>> drwxr-xr-x 2 root root system_u:object_r:root_t 60 Jan 4 23:07 sysconfig
>> -rw-r--r-- 1 root root system_u:object_r:root_t 3048 Jan 4 23:09 udhcpd.conf
>> -rw-r--r-- 1 root root system_u:object_r:root_t 642 Jan 4 23:13 xattr.conf
>> ~ # ls -alZ lib
>> drwxr-xr-x 3 root root system_u:object_r:root_t 60 Jan 4 23:07 .
>> drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
>> drwxr-xr-x 3 root root system_u:object_r:root_t 60 Jan 4 23:07 modules
>> ~ # ls -alZ li
>> lib/ lib64/ linuxrc
>> ~ # ls -alZ li
>> lib/ lib64/ linuxrc
>> ~ # ls -alZ li64
>> ls: li64: No such file or directory
>> ~ # ls -alZ lib64
>> drwxr-xr-x 3 root root system_u:object_r:root_t 1320 Jan 4 23:29 .
>> drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 210624 Jan 4 23:29 ld-2.16.so
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 10 Jan 4 23:29 ld.so.1 -> ld-2.16.so
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 67824 Jan 4 23:29 libBrokenLocale-2.16.so
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 23 Jan 4 23:29 libBrokenLocale.so.1 -> libBrokenLocale-2.16.so
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 71182 Jan 4 23:29 libSegFault.so
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 68768 Jan 4 23:29 libanl-2.16.so
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 14 Jan 4 23:29 libanl.so.1 -> libanl-2.16.so
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 16 Jan 4 23:29 libasan.so.0 -> libasan.so.0.0.0
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 215896 Jan 4 23:29 libasan.so.0.0.0
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 18 Jan 4 23:29 libatomic.so.1 -> libatomic.so.1.0.0
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 35056 Jan 4 23:29 libatomic.so.1.0.0
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 1946544 Jan 4 23:29 libc-2.16.so
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:29 libc.so.6 -> libc-2.16.so
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 200408 Jan 4 23:29 libcidn-2.16.so
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 15 Jan 4 23:29 libcidn.so.1 -> libcidn-2.16.so
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 69416 Jan 4 23:29 libcrypt-2.16.so
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 16 Jan 4 23:29 libcrypt.so.1 -> libcrypt-2.16.so
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 68920 Jan 4 23:29 libdl-2.16.so
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 13 Jan 4 23:29 libdl.so.2 -> libdl-2.16.so
>> -r--r--r-- 1 root root system_u:object_r:root_t 161643 Jan 4 23:29 libgcc_s.so.1
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 16 Jan 4 23:29 libgomp.so.1 -> libgomp.so.1.0.0
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 87728 Jan 4 23:29 libgomp.so.1.0.0
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 1006288 Jan 4 23:29 libm-2.16.so
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 12 Jan 4 23:29 libm.so.6 -> libm-2.16.so
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 73221 Jan 4 23:29 libmemusage.so
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 19 Jan 4 23:29 libmudflap.so.0 -> libmudflap.so.0.0.0
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 209120 Jan 4 23:29 libmudflap.so.0.0.0
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 21 Jan 4 23:29 libmudflapth.so.0 -> libmudflapth.so.0.0.0
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 209592 Jan 4 23:29 libmudflapth.so.0.0.0
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 140688 Jan 4 23:29 libnsl-2.16.so
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 14 Jan 4 23:29 libnsl.so.1 -> libnsl-2.16.so
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 70352 Jan 4 23:29 libnss_compat-2.16.so
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 21 Jan 4 23:29 libnss_compat.so.2 -> libnss_compat-2.16.so
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 71056 Jan 4 23:29 libnss_db-2.16.so
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 17 Jan 4 23:29 libnss_db.so.2 -> libnss_db-2.16.so
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 68520 Jan 4 23:29 libnss_dns-2.16.so
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 18 Jan 4 23:29 libnss_dns.so.2 -> libnss_dns-2.16.so
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 72024 Jan 4 23:29 libnss_files-2.16.so
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 20 Jan 4 23:29 libnss_files.so.2 -> libnss_files-2.16.so
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 69248 Jan 4 23:29 libnss_hesiod-2.16.so
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 21 Jan 4 23:29 libnss_hesiod.so.2 -> libnss_hesiod-2.16.so
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 70800 Jan 4 23:29 libnss_nis-2.16.so
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 18 Jan 4 23:29 libnss_nis.so.2 -> libnss_nis-2.16.so
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 71040 Jan 4 23:29 libnss_nisplus-2.16.so
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 22 Jan 4 23:29 libnss_nisplus.so.2 -> libnss_nisplus-2.16.so
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 70402 Jan 4 23:29 libpcprofile.so
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 143640 Jan 4 23:29 libpthread-2.16.so
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 18 Jan 4 23:29 libpthread.so.0 -> libpthread-2.16.so
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 138480 Jan 4 23:29 libresolv-2.16.so
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 17 Jan 4 23:29 libresolv.so.2 -> libresolv-2.16.so
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 71296 Jan 4 23:29 librt-2.16.so
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 13 Jan 4 23:29 librt.so.1 -> librt-2.16.so
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 15 Jan 4 23:29 libssp.so.0 -> libssp.so.0.0.0
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 11488 Jan 4 23:29 libssp.so.0.0.0
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 19 Jan 4 23:29 libstdc++.so.6 -> libstdc++.so.6.0.17
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 1198520 Jan 4 23:29 libstdc++.so.6.0.17
>> -rw-r--r-- 1 root root system_u:object_r:root_t 2436 Jan 4 23:29 libstdc++.so.6.0.17-gdb.py
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 70256 Jan 4 23:29 libthread_db-1.0.so
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 19 Jan 4 23:29 libthread_db.so.1 -> libthread_db-1.0.so
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 17 Jan 4 23:29 libubsan.so.0 -> libubsan.so.0.0.0
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 606176 Jan 4 23:29 libubsan.so.0.0.0
>> -r-xr-xr-x 1 root root system_u:object_r:root_t 68344 Jan 4 23:29 libutil-2.16.so
>> lrwxrwxrwx 1 root root system_u:object_r:root_t 15 Jan 4 23:29 libutil.so.1 -> libutil-2.16.so
>> drwxr-xr-x 2 root root system_u:object_r:root_t 1440 Jan 4 23:29 octeon2
>> ~ # ls -alZ drivers
>> drwxr-xr-x 2 root root system_u:object_r:root_t 60 Jan 4 23:29 .
>> drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
>> -rw-r--r-- 1 root root system_u:object_r:root_t 14558 Jan 4 23:29 pow_drv.ko
>> ~ #
>> ~ #
>> ~ # ls -alZ tmp
>> drwxr-xr-x 2 root root system_u:object_r:root_t 40 Jan 4 23:09 .
>> drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
>> ~ #
>> ~ #
>> ~ #
>> ~ # ls /
>> bin etc lib lxc proc share usr
>> dev home lib64 mnt root sys var
>> drivers init linuxrc mnth sbin tmp
>> ~ # ls -alZ var/
>> drwxr-xr-x 6 root root system_u:object_r:root_t 120 Jan 6 12:37 .
>> drwxr-xr-x 20 root root system_u:object_r:root_t 460 Jan 6 12:38 ..
>> drwxr-xr-x 3 root root system_u:object_r:root_t 60 Jan 4 23:17 cache
>> drwxr-xr-x 4 root root system_u:object_r:root_t 80 Jan 4 23:17 lib
>> drwxr-xr-x 3 root root system_u:object_r:root_t 80 Jan 6 12:37 log
>> drwxr-xr-x 4 root root system_u:object_r:root_t 140 Jan 6 12:37 run
>> ~ #
>> CTRL-A Z for help |115200 8N1 | NOR | Minicom 2.6.2 | VT102 | Offline
>>
>>
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
* Re: Selinux context type is same for root & normal user both
2021-01-06 14:30 ` Dominick Grift
@ 2021-01-06 14:55 ` Ashish Mishra
2021-01-06 15:04 ` Dominick Grift
0 siblings, 1 reply; 19+ messages in thread
From: Ashish Mishra @ 2021-01-06 14:55 UTC (permalink / raw)
To: Dominick Grift; +Cc: SElinux list, Paul Moore
Hi Dominick,
Thanks for your valuable time and inputs.
As a background w.r.t. ROOTFS:
a) We had a custom SDK which is a basic makefile-based SDK.
b) The rootfs was RAMFS-based.
For SELinux we switched from RAMFS to TEMPFS.
c) It did not have SELinux, so we added refpolicy & selinux-userland.
The expectation was that we would get a working SELinux context & policy.
I have the policy but the context is the same for each file
and folder.
d) The setup is being evaluated for TEMPFS (INITRAMFS-as-TEMPFS +
SELinux) w.r.t. the output of the mount command:
~ # mount
rootfs on / type rootfs (rw,seclabel,size=253620k,nr_inodes=63405)
sysfs on /sys type sysfs (rw,seclabel,relatime)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,nosuid,noexec,relatime)
nodev on /dev type devtmpfs
(rw,seclabel,relatime,size=253620k,nr_inodes=63405,mode=755)
none on /proc type proc (rw,relatime)
none on /dev/shm type tmpfs (rw,seclabel,relatime)
none on /dev/pts type devpts (rw,seclabel,relatime,mode=600,ptmxmode=000)
none on /sys/kernel/debug type debugfs (rw,seclabel,relatime)
none on /mnth type hugetlbfs (rw,seclabel,relatime)
cgroup on /sys/fs/cgroup type tmpfs (rw,seclabel,relatime,mode=755)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,relatime,cpuset)
cgroup on /sys/fs/cgroup/cpu type cgroup (rw,relatime,cpu)
cgroup on /sys/fs/cgroup/cpuacct type cgroup (rw,relatime,cpuacct)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,relatime,blkio)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,relatime,memory)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,relatime,freezer)
cgroup on /sys/fs/cgroup/net_cls type cgroup (rw,relatime,net_cls)
cgroup on /sys/fs/cgroup/net_prio type cgroup (rw,relatime,net_prio)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,relatime,hugetlb)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,relatime,pids)
cgroup on /sys/fs/cgroup/debug type cgroup (rw,relatime,debug)
cgroups on /sys/fs/cgroup/unified type cgroup2 (rw,relatime)
Thanks,
Ashish
* Re: Selinux context type is same for root & normal user both
2021-01-06 14:55 ` Ashish Mishra
@ 2021-01-06 15:04 ` Dominick Grift
2021-01-06 15:20 ` Ashish Mishra
0 siblings, 1 reply; 19+ messages in thread
From: Dominick Grift @ 2021-01-06 15:04 UTC (permalink / raw)
To: Ashish Mishra; +Cc: SElinux list, Paul Moore
Ashish Mishra <ashishm@mvista.com> writes:
> Hi Dominick,
> Thanks for your valuable time and inputs.
>
> As a background w.r.t. ROOTFS:
> a) We had a custom SDK which is a basic makefile-based SDK.
>
> b) The rootfs was RAMFS-based.
> For SELinux we switched from RAMFS to TEMPFS.
>
> c) It did not have SELinux, so we added refpolicy & selinux-userland.
> The expectation was that we would get a working SELinux context & policy.
> I have the policy but the context is the same for each file
> and folder.
You also have to address labeling. If your filesystem is ram-based
(volatile) then I suspect you will have to address labeling at runtime
(i.e. run setfiles/restorecon to label the filesystem). The point is that
your filesystem is currently not labeled according to the reference
policy.
>
> d) The setup is being evaluated for TEMPFS (INITRAMFS-as-TEMPFS +
> SELinux) w.r.t. the output of the mount command:
> ~ # mount
> rootfs on / type rootfs (rw,seclabel,size=253620k,nr_inodes=63405)
> sysfs on /sys type sysfs (rw,seclabel,relatime)
> selinuxfs on /sys/fs/selinux type selinuxfs (rw,nosuid,noexec,relatime)
> nodev on /dev type devtmpfs
> (rw,seclabel,relatime,size=253620k,nr_inodes=63405,mode=755)
> none on /proc type proc (rw,relatime)
> none on /dev/shm type tmpfs (rw,seclabel,relatime)
> none on /dev/pts type devpts (rw,seclabel,relatime,mode=600,ptmxmode=000)
> none on /sys/kernel/debug type debugfs (rw,seclabel,relatime)
> none on /mnth type hugetlbfs (rw,seclabel,relatime)
> cgroup on /sys/fs/cgroup type tmpfs (rw,seclabel,relatime,mode=755)
> cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,relatime,cpuset)
> cgroup on /sys/fs/cgroup/cpu type cgroup (rw,relatime,cpu)
> cgroup on /sys/fs/cgroup/cpuacct type cgroup (rw,relatime,cpuacct)
> cgroup on /sys/fs/cgroup/blkio type cgroup (rw,relatime,blkio)
> cgroup on /sys/fs/cgroup/memory type cgroup (rw,relatime,memory)
> cgroup on /sys/fs/cgroup/devices type cgroup (rw,relatime,devices)
> cgroup on /sys/fs/cgroup/freezer type cgroup (rw,relatime,freezer)
> cgroup on /sys/fs/cgroup/net_cls type cgroup (rw,relatime,net_cls)
> cgroup on /sys/fs/cgroup/net_prio type cgroup (rw,relatime,net_prio)
> cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,relatime,hugetlb)
> cgroup on /sys/fs/cgroup/pids type cgroup (rw,relatime,pids)
> cgroup on /sys/fs/cgroup/debug type cgroup (rw,relatime,debug)
> cgroups on /sys/fs/cgroup/unified type cgroup2 (rw,relatime)
>
>
> Thanks,
> Ashish
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
* Re: Selinux context type is same for root & normal user both
2021-01-06 15:04 ` Dominick Grift
@ 2021-01-06 15:20 ` Ashish Mishra
2021-01-06 15:39 ` Dominick Grift
0 siblings, 1 reply; 19+ messages in thread
From: Ashish Mishra @ 2021-01-06 15:20 UTC (permalink / raw)
To: Dominick Grift; +Cc: SElinux list, Paul Moore
Hi Dominick,
Will look at the re-labelling as you suggested.
Is there any doc / blog / implementation etc. to understand the
sequence and commands to do this, to understand this step in a better way?
We are working with such a setup freshly, so any inputs / guidance will
be helpful.
Thanks for your time & inputs for this long thread.
Thanks,
Ashish
* Re: Selinux context type is same for root & normal user both
2021-01-06 15:20 ` Ashish Mishra
@ 2021-01-06 15:39 ` Dominick Grift
2021-01-06 16:00 ` Ondrej Mosnacek
0 siblings, 1 reply; 19+ messages in thread
From: Dominick Grift @ 2021-01-06 15:39 UTC (permalink / raw)
To: Ashish Mishra; +Cc: SElinux list, Paul Moore
Ashish Mishra <ashishm@mvista.com> writes:
> Hi Dominick,
>
> Will look at the re-labelling as you suggested.
> Is there any doc / blog / implementation etc. to understand the
> sequence and commands to do this, to understand this step in a better way?
>
> We are working with such a setup freshly, so any inputs / guidance will
> be helpful.
>
> Thanks for your time & inputs for this long thread.
For docs I would suggest selinuxproject.org and
https://github.com/SELinuxProject/selinux-notebook/blob/main/src/toc.md
For implementations I would suggest looking at how OpenWrt implemented
SELinux as this is a very simple implementation and the target seems to
be relatively similar to yours with the exception that OpenWrt does not
use a volatile root but instead uses a read-only squashfs and an overlay.
You can also look at Fedora CoreOS for inspiration, and Google's SEAndroid.
Implementing meaningful SELinux for exotic use cases like yours is not
trivial though IMHO. Using reference policy as a base-policy might not
be optimal for your use-case (to say the least) and it would probably be
easier to create a policy from scratch instead in the longer run.
>
> Thanks,
> Ashish
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
* Re: Selinux context type is same for root & normal user both
2021-01-06 15:39 ` Dominick Grift
@ 2021-01-06 16:00 ` Ondrej Mosnacek
2021-01-06 16:16 ` Ashish Mishra
0 siblings, 1 reply; 19+ messages in thread
From: Ondrej Mosnacek @ 2021-01-06 16:00 UTC (permalink / raw)
To: Dominick Grift; +Cc: Ashish Mishra, SElinux list, Paul Moore
On Wed, Jan 6, 2021 at 4:40 PM Dominick Grift
<dominick.grift@defensec.nl> wrote:
> Ashish Mishra <ashishm@mvista.com> writes:
>
> > Hi Dominick,
> >
> > Will look at the re-labelling as you suggested.
> > Is there any doc / blog / implementation etc. to understand the
> > sequence and commands to do this, to understand this step in a better way?
> >
> > We are working with such a setup freshly, so any inputs / guidance will
> > be helpful.
> >
> > Thanks for your time & inputs for this long thread.
>
> For docs I would suggest selinuxproject.org and
> https://github.com/SELinuxProject/selinux-notebook/blob/main/src/toc.md
>
> For implementations I would suggest looking at how OpenWrt implemented
> SELinux as this is a very simple implementation and the target seems to
> be relatively similar to yours with the exception that OpenWrt does not
> use a volatile root but instead uses a read-only squashfs and an overlay.
>
> You can also look at Fedora CoreOS for inspiration, and Google's SEAndroid.
>
> Implementing meaningful SELinux for exotic use cases like yours is not
> trivial though IMHO. Using reference policy as a base-policy might not
> be optimal for your use-case (to say the least) and it would probably be
> easier to create a policy from scratch instead in the longer run.
Well said. I'll just add that you'll at the very least need to remove
the "genfscon" rule for "rootfs" from your policy and replace it with
an appropriate "fs_use_xattr" one to be able to relabel the root
filesystem. (Assuming it uses tmpfs under the hood (or supports
xattrs), otherwise you may need to mount tmpfs somewhere and chroot
into it at the beginning of your init script. Or something like
that...)
--
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.
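Putting the two pieces of advice in this thread together (Dominick's "relabel at runtime with setfiles/restorecon" and Ondrej's "replace the genfscon rule for rootfs with fs_use_xattr"), here is an added example script; it is not code from the thread, from refpolicy or from OpenWrt. The policy fragment is a constructed sample in the shape of refpolicy's rootfs lines, and the fs_t context for the filesystem object and the /etc/selinux/refpolicy file_contexts path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread, from refpolicy or from OpenWrt.
# Part 1: the policy change Ondrej describes (drop "genfscon rootfs", add
# "fs_use_xattr rootfs"). Part 2: the runtime relabel Dominick describes
# (load_policy, then setfiles over the volatile root from an init script).

# Constructed sample in the shape of the rootfs lines in refpolicy's
# kernel/files.te; only the genfscon line matters here.
SAMPLE_POLICY='# root_t is the type for rootfs and the root directory.
type root_t;
files_mountpoint(root_t)
fs_associate(root_t)
genfscon rootfs / gen_context(system_u:object_r:root_t,s0)'

# labeling_mode FILE: print how FILE labels rootfs: "genfscon" (one context
# stamped on every inode, which is why every file in the thread shows root_t),
# "xattr" (per-file security.selinux attributes), or "none".
labeling_mode() {
    if grep -q '^fs_use_xattr rootfs ' "$1"; then
        echo xattr
    elif grep -q '^genfscon rootfs ' "$1"; then
        echo genfscon
    else
        echo none
    fi
}

# rootfs_use_xattr FILE: remove the genfscon rule for rootfs from FILE and
# append an fs_use_xattr rule. Assumption: fs_t for the filesystem object
# itself, as refpolicy uses for ext2/ext4. The rootfs must actually support
# security xattrs (tmpfs does) for the kernel to keep per-file labels.
rootfs_use_xattr() {
    file="$1"
    if ! grep -q '^genfscon rootfs ' "$file"; then
        echo "no genfscon rootfs rule in $file, nothing to do" >&2
        return 1
    fi
    grep -v '^genfscon rootfs ' "$file" > "$file.tmp" || :
    mv "$file.tmp" "$file"
    printf 'fs_use_xattr rootfs gen_context(system_u:object_r:fs_t,s0);\n' >> "$file"
}

# relabel_root: the runtime half, for the start of an init script on a
# tmpfs/initramfs root. Policy must be loaded before setfiles can compute
# labels. Assumption: the policy store is installed as /etc/selinux/refpolicy.
relabel_root() {
    file_contexts="${FILE_CONTEXTS:-/etc/selinux/refpolicy/contexts/files/file_contexts}"
    /sbin/load_policy || return 1
    # -F relabels even where the type already matches (everything is root_t);
    # -e skips pseudo-filesystems that get their labels from their own
    # fs_use/genfscon rules rather than from file_contexts.
    /sbin/setfiles -F -e /proc -e /sys -e /dev "$file_contexts" /
}

# demo: run the policy rewrite on a copy of the sample (never on the live
# policy) and report the before/after labeling mode.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_POLICY" > "$tmp"
    before=$(labeling_mode "$tmp")
    rootfs_use_xattr "$tmp"
    after=$(labeling_mode "$tmp")
    rm -f "$tmp"
    echo "$before -> $after"
}

demo
```

relabel_root is only defined here, not run; it needs a live SELinux target with the policy installed, and the rewritten policy has to be rebuilt and installed before it does anything useful.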
* Re: Selinux context type is same for root & normal user both
2021-01-06 16:00 ` Ondrej Mosnacek
@ 2021-01-06 16:16 ` Ashish Mishra
2021-01-06 16:39 ` Dominick Grift
0 siblings, 1 reply; 19+ messages in thread
From: Ashish Mishra @ 2021-01-06 16:16 UTC (permalink / raw)
To: Ondrej Mosnacek; +Cc: Dominick Grift, SElinux list, Paul Moore
Hi Dominick / Ondrej,
Thanks for the valuable inputs, I will try to evaluate them.
Ashish
* Re: Selinux context type is same for root & normal user both
2021-01-06 16:16 ` Ashish Mishra
@ 2021-01-06 16:39 ` Dominick Grift
2021-01-07 7:35 ` Ashish Mishra
0 siblings, 1 reply; 19+ messages in thread
From: Dominick Grift @ 2021-01-06 16:39 UTC (permalink / raw)
To: Ashish Mishra; +Cc: Ondrej Mosnacek, SElinux list, Paul Moore
Ashish Mishra <ashishm@mvista.com> writes:
> Hi Dominick / Ondrej,
>
> Thanks for the valuable inputs, I will try to evaluate them.
>
> Ashish
We have an IRC channel on chat.freenode.net where we can have casual and
more interactive conversations if you're interested in that:
https://freenode.net/kb/answer/chat
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
* Re: Selinux context type is same for root & normal user both
2021-01-06 16:39 ` Dominick Grift
@ 2021-01-07 7:35 ` Ashish Mishra
0 siblings, 0 replies; 19+ messages in thread
From: Ashish Mishra @ 2021-01-07 7:35 UTC (permalink / raw)
To: Dominick Grift; +Cc: Ondrej Mosnacek, SElinux list, Paul Moore
Thanks Dominick,
This will be helpful, I will try to use IRC also.
Thanks,
Ashish