
Real-Time Technical Documents (Ubuntu x86_64)    Last updated 2022.05.13

Except for external links, the copyright of the documents below belongs to Concurrent Real-Time, Inc. unless otherwise noted.
Commercial use of the documents below by anyone other than our company is prohibited, but they may be used freely, at your own responsibility, for non-profit purposes such as reference from Wikipedia, in-house training, or use at universities.
The contents of the documents may change without notice, but we keep them so that links do not disappear as far as possible.
Product names mentioned here are generally trademarks or registered trademarks of their respective companies.
For the copyright of external link destinations, see the copyright notice of each site. For our copyright policy, see here.
Links to external sites are marked with an icon.


Report: AppArmor configuration on RedHawk (2022.05.13)
In x86_64/Ubuntu/RedHawk kernels of Version 8.4.2 and earlier, CONFIG_SECURITY_APPARMOR is not configured.
AppArmor can be used by configuring CONFIG_SECURITY_APPARMOR with the following procedure and building a custom kernel.

$ sudo -s
[sudo] redhawk84 のパスワード:
# cd /lib/modules/`uname -r`/build
# ./ccur-config -c
In the GUI shown below, check CONFIG_SECURITY_APPARMOR, uncheck CONFIG_SECURITY_SELINUX, save the configuration file, and exit.

[Figure: AppArmor kernel configuration, before]
[Figure: AppArmor kernel configuration, after]
Rebuild the RedHawk kernel with the new configuration.

# make -j 4 bzImage
# make -j 4 modules
# make -j 4 modules_install
# make -j 4 install

Change the following entries in /etc/default/grub so that the grub boot menu is shown at startup.
Before:
GRUB_TIMEOUT=0
GRUB_TIMEOUT_STYLE=hidden
After:
GRUB_TIMEOUT=30
GRUB_TIMEOUT_STYLE=menu
Reboot and select the RedHawk custom kernel from the grub menu.

$ sudo -s
[sudo] redhawk84 のパスワード:
# uname -r
5.10.59-rt52-RedHawk-8.4.1-custom
# cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-5.10.59-rt52-RedHawk-8.4.1-custom root=UUID=c65233cd-a9ba-4bd5-a17d-21fc3a9da949 ro quiet splash vt.handoff=7
# systemctl status apparmor
● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: active (exited) since Tue 2022-05-10 14:46:16 JST; 46s ago
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/
    Process: 761 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
   Main PID: 761 (code=exited, status=0/SUCCESS)

5月 10 14:46:16 redhawk84-PRIMETUNE-2200 systemd[1]: Starting Load AppArmor profiles...
5月 10 14:46:16 redhawk84-PRIMETUNE-2200 apparmor.systemd[761]: Restarting AppArmor
5月 10 14:46:16 redhawk84-PRIMETUNE-2200 apparmor.systemd[761]: Reloading AppArmor profiles
5月 10 14:46:16 redhawk84-PRIMETUNE-2200 apparmor.systemd[777]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
5月 10 14:46:16 redhawk84-PRIMETUNE-2200 apparmor.systemd[778]: Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
5月 10 14:46:16 redhawk84-PRIMETUNE-2200 systemd[1]: Finished Load AppArmor profiles.
# aa-status
apparmor module is loaded.
37 profiles are loaded.
35 profiles are in enforce mode.
   /snap/snapd/15534/usr/lib/snapd/snap-confine
   /snap/snapd/15534/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince//sanitized_helper
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/lightdm/lightdm-guest-session
   /usr/lib/lightdm/lightdm-guest-session//chromium
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/tcpdump
   /{,usr/}sbin/dhclient
   ippusbxd
   libreoffice-senddoc
   libreoffice-soffice//gpg
   libreoffice-xpdfimport
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.snap-store
   snap.snap-store.hook.configure
   snap.snap-store.snap-store
   snap.snap-store.ubuntu-software
   snap.snap-store.ubuntu-software-local-file
2 profiles are in complain mode.
   libreoffice-oopslash
   libreoffice-soffice
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/cups-browsed (938)
   /usr/sbin/cupsd (818)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Report: Security configuration of RedHawk (2022.05.11)
In x86_64/Ubuntu/RedHawk kernels of Version 8.4.2 and earlier, neither CONFIG_SECURITY_APPARMOR nor CONFIG_SECURITY_TOMOYO is configured.
As a result, AppArmor returns the following status.

# aa-status
apparmor module is not loaded.
# systemctl status apparmor.service
● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: inactive (dead)
  Condition: start condition failed at Tue 2022-05-10 14:43:57 JST; 33s ago
             └ ConditionSecurity=apparmor was not met
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/

 May 10 14:43:57 redhawk84-systemd[1]: Condition check resulted in Load AppArmor profiles being skipped.

On Version 8.4.2 and earlier, either apply the SELinux packages or reconfigure the kernel in order to use AppArmor.
The procedure for applying the SELinux packages is shown below.

% sudo apt install selinux-basics selinux-policy-default selinux-policy-dev selinux-policy-src selinux-utils auditd
:
:
% sudo selinux-activate 
Activating SE Linux
Sourcing file `/etc/default/grub'
Sourcing file `/etc/default/grub.d/init-select.cfg'
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.13.0-41-generic
Found initrd image: /boot/initrd.img-5.13.0-41-generic
Found linux image: /boot/vmlinuz-5.13.0-40-generic
Found initrd image: /boot/initrd.img-5.13.0-40-generic
Found linux image: /boot/vmlinuz-5.10.59-rt52-RedHawk-8.4.1-trace
Found initrd image: /boot/initrd.img-5.10.59-rt52-RedHawk-8.4.1-trace
Found linux image: /boot/vmlinuz-5.10.59-rt52-RedHawk-8.4.1-debug
Found initrd image: /boot/initrd.img-5.10.59-rt52-RedHawk-8.4.1-debug
Found linux image: /boot/vmlinuz-5.10.59-rt52-RedHawk-8.4.1
Found initrd image: /boot/initrd.img-5.10.59-rt52-RedHawk-8.4.1
done
SE Linux is activated.  You may need to reboot now.

% sudo reboot

On the reboot, SELinux labeling of the filesystem starts, after which the system reboots once more.
Examples of the messages shown at boot follow.
Confirm that there are no errors other than those related to snap:
% sudo check-selinux-installation

% getenforce 
Permissive

% sudo sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             default
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

% sudo dmesg|grep -i selinux
[    0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-5.10.59-rt52-RedHawk-8.4.1-trace root=UUID=c65233cd-a9ba-4bd5-a17d-21fc3a9da949 ro security=selinux quiet splash
[    0.142070] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-5.10.59-rt52-RedHawk-8.4.1-trace root=UUID=c65233cd-a9ba-4bd5-a17d-21fc3a9da949 ro security=selinux quiet
[    0.303689] SELinux:  Initializing.
[    5.300250] SELinux:  Permission watch in class filesystem not defined in policy.
[    5.300256] SELinux:  Permission watch in class file not defined in policy.
[    5.300257] SELinux:  Permission watch_mount in class file not defined in policy.
[    5.300258] SELinux:  Permission watch_sb in class file not defined in policy.
[    5.300259] SELinux:  Permission watch_with_perm in class file not defined in policy.
[    5.300260] SELinux:  Permission watch_reads in class file not defined in policy.
[    5.300263] SELinux:  Permission watch in class dir not defined in policy.
[    5.300263] SELinux:  Permission watch_mount in class dir not defined in policy.
[    5.300264] SELinux:  Permission watch_sb in class dir not defined in policy.
[    5.300265] SELinux:  Permission watch_with_perm in class dir not defined in policy.
[    5.300266] SELinux:  Permission watch_reads in class dir not defined in policy.
[    5.300269] SELinux:  Permission watch in class lnk_file not defined in policy.
[    5.300269] SELinux:  Permission watch_mount in class lnk_file not defined in policy.
[    5.300270] SELinux:  Permission watch_sb in class lnk_file not defined in policy.
[    5.300271] SELinux:  Permission watch_with_perm in class lnk_file not defined in policy.
[    5.300272] SELinux:  Permission watch_reads in class lnk_file not defined in policy.
[    5.300274] SELinux:  Permission watch in class chr_file not defined in policy.
[    5.300274] SELinux:  Permission watch_mount in class chr_file not defined in policy.
[    5.300275] SELinux:  Permission watch_sb in class chr_file not defined in policy.
[    5.300276] SELinux:  Permission watch_with_perm in class chr_file not defined in policy.
[    5.300277] SELinux:  Permission watch_reads in class chr_file not defined in policy.
[    5.300278] SELinux:  Permission watch in class blk_file not defined in policy.
[    5.300279] SELinux:  Permission watch_mount in class blk_file not defined in policy.
[    5.300280] SELinux:  Permission watch_sb in class blk_file not defined in policy.
[    5.300280] SELinux:  Permission watch_with_perm in class blk_file not defined in policy.
[    5.300281] SELinux:  Permission watch_reads in class blk_file not defined in policy.
[    5.300283] SELinux:  Permission watch in class sock_file not defined in policy.
[    5.300283] SELinux:  Permission watch_mount in class sock_file not defined in policy.
[    5.300284] SELinux:  Permission watch_sb in class sock_file not defined in policy.
[    5.300285] SELinux:  Permission watch_with_perm in class sock_file not defined in policy.
[    5.300286] SELinux:  Permission watch_reads in class sock_file not defined in policy.
[    5.300287] SELinux:  Permission watch in class fifo_file not defined in policy.
[    5.300288] SELinux:  Permission watch_mount in class fifo_file not defined in policy.
[    5.300289] SELinux:  Permission watch_sb in class fifo_file not defined in policy.
[    5.300289] SELinux:  Permission watch_with_perm in class fifo_file not defined in policy.
[    5.300290] SELinux:  Permission watch_reads in class fifo_file not defined in policy.
[    5.300325] SELinux:  Permission perfmon in class capability2 not defined in policy.
[    5.300326] SELinux:  Permission bpf in class capability2 not defined in policy.
[    5.300326] SELinux:  Permission checkpoint_restore in class capability2 not defined in policy.
[    5.300332] SELinux:  Permission perfmon in class cap2_userns not defined in policy.
[    5.300333] SELinux:  Permission bpf in class cap2_userns not defined in policy.
[    5.300334] SELinux:  Permission checkpoint_restore in class cap2_userns not defined in policy.
[    5.300359] SELinux:  Class perf_event not defined in policy.
[    5.300360] SELinux:  Class lockdown not defined in policy.
[    5.300361] SELinux: the above unknown classes and permissions will be allowed
[    5.302369] SELinux:  policy capability network_peer_controls=1
[    5.302371] SELinux:  policy capability open_perms=1
[    5.302372] SELinux:  policy capability extended_socket_class=1
[    5.302373] SELinux:  policy capability always_check_network=0
[    5.302374] SELinux:  policy capability cgroup_seclabel=1
[    5.302375] SELinux:  policy capability nnp_nosuid_transition=1
[    5.302375] SELinux:  policy capability genfs_seclabel_symlinks=0
[    5.335795] audit: type=1403 audit(1652233036.300:2): auid=4294967295 ses=4294967295 lsm=selinux res=1
[    5.337945] systemd[1]: Successfully loaded SELinux policy in 84.288ms.
[    5.453756] systemd[1]: systemd 245.4-4ubuntu3.17 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid)
[    6.291323] SELinux: security_context_str_to_sid(system_u:object_r:snappy_snap_t:s0) failed for (dev loop7, type squashfs) errno=-22
[    9.579835] SELinux: security_context_str_to_sid(system_u:object_r:snappy_snap_t:s0) failed for (dev loop12, type squashfs) errno=-22
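The two reports above check the same thing by hand: whether the kernel was built with CONFIG_SECURITY_APPARMOR or CONFIG_SECURITY_SELINUX, and which LSM is actually active after a reboot (aa-status and the apparmor.service ConditionSecurity in the first report, security=selinux on the kernel command line and sestatus in the second). The POSIX shell functions below are an added example, not code from the page or from Concurrent Real-Time; they perform that check from the kernel config, /sys/kernel/security/lsm and /proc/cmdline, and the function names and sample inputs are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit which major LSMs a kernel
# has built in and which one is enforcing, from the three inputs the reports
# above inspect. All function names here are this example's own.

# kconfig_enabled CONFIG_TEXT SYMBOL: succeeds when SYMBOL=y appears in the
# kernel config text (e.g. the contents of /boot/config-$(uname -r)).
kconfig_enabled() {
    printf '%s\n' "$1" | grep -q "^$2=y\$"
}

# lsm_builtin CONFIG_TEXT: prints the major LSMs compiled into the kernel,
# space separated, or "none". This is what the ccur-config step changes.
lsm_builtin() {
    out=""
    for name in apparmor selinux tomoyo smack; do
        sym="CONFIG_SECURITY_$(printf '%s' "$name" | tr 'a-z' 'A-Z')"
        kconfig_enabled "$1" "$sym" && out="${out:+$out }$name"
    done
    [ -n "$out" ] || out=none
    printf '%s\n' "$out"
}

# lsm_active LSM_LIST CMDLINE: prints the major LSM that is enforcing, or
# "none". LSM_LIST is /sys/kernel/security/lsm (comma separated, in init
# order); CMDLINE is /proc/cmdline. security=<name> selects exactly one major
# LSM (selinux-activate adds security=selinux); otherwise the first major LSM
# in the initialised list wins. The lsm= list override is not parsed here.
lsm_active() {
    list=",$1,"
    wanted=""
    for tok in $2; do
        case $tok in security=*) wanted=${tok#security=} ;; esac
    done
    if [ -n "$wanted" ]; then
        # The kernel disables every other major LSM once security= names one,
        # so if the named LSM was not built in, nothing enforces at all.
        case $list in *",$wanted,"*) printf '%s\n' "$wanted" ;; *) printf 'none\n' ;; esac
        return 0
    fi
    for name in apparmor selinux tomoyo smack; do
        case $list in *",$name,"*) printf '%s\n' "$name"; return 0 ;; esac
    done
    printf 'none\n'
}

# condition_security LSM_LIST NAME: mirrors systemd's ConditionSecurity=NAME,
# the check that makes apparmor.service report "start condition failed" on a
# kernel built without CONFIG_SECURITY_APPARMOR.
condition_security() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# lsm_report CONFIG_TEXT LSM_LIST CMDLINE: one-line post-reboot summary.
lsm_report() {
    active=$(lsm_active "$2" "$3")
    if condition_security "$2" apparmor; then cond=met; else cond="not met"; fi
    printf 'built=%s active=%s ConditionSecurity=apparmor %s\n' \
        "$(lsm_builtin "$1" | tr ' ' ',')" "$active" "$cond"
}

# Constructed sample inputs modelled on the two kernels the reports describe
# (not copied from the page): the stock RedHawk config, which has SELinux but
# no AppArmor, and the custom config after the ccur-config change.
STOCK_CFG='CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_APPARMOR is not set
# CONFIG_SECURITY_TOMOYO is not set
CONFIG_LSM="lockdown,yama,integrity,apparmor"'
CUSTOM_CFG='CONFIG_SECURITY=y
# CONFIG_SECURITY_SELINUX is not set
CONFIG_SECURITY_APPARMOR=y
# CONFIG_SECURITY_TOMOYO is not set
CONFIG_LSM="lockdown,yama,integrity,apparmor"'

# Constructed /sys/kernel/security/lsm and /proc/cmdline for the three states.
STOCK_LSM='lockdown,capability,yama'               # stock kernel: no major LSM
STOCK_CMD='BOOT_IMAGE=/boot/vmlinuz-stock root=/dev/sda1 ro quiet'
SELINUX_LSM='lockdown,capability,yama,selinux'     # stock kernel after selinux-activate
SELINUX_CMD='BOOT_IMAGE=/boot/vmlinuz-stock root=/dev/sda1 ro security=selinux quiet'
CUSTOM_LSM='lockdown,capability,yama,apparmor'     # custom kernel with AppArmor
CUSTOM_CMD='BOOT_IMAGE=/boot/vmlinuz-custom root=/dev/sda1 ro quiet splash'

echo "stock kernel:     $(lsm_report "$STOCK_CFG" "$STOCK_LSM" "$STOCK_CMD")"
echo "selinux-activate: $(lsm_report "$STOCK_CFG" "$SELINUX_LSM" "$SELINUX_CMD")"
echo "custom kernel:    $(lsm_report "$CUSTOM_CFG" "$CUSTOM_LSM" "$CUSTOM_CMD")"
```

On a live system call lsm_report with the contents of /boot/config-$(uname -r), /sys/kernel/security/lsm and /proc/cmdline; a config without CONFIG_SECURITY_APPARMOR=y is the case the first report describes.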

Files installed by the added packages:
# dpkg -L selinux-basics selinux-policy-default selinux-policy-dev selinux-policy-src selinux-utils
/usr/share/selinux/devel/include/admin/sudo.if
/usr/share/selinux/devel/include/admin/sxid.if
/usr/share/selinux/devel/include/admin/tboot.if
/usr/share/selinux/devel/include/admin/tmpreaper.if
/usr/share/selinux/devel/include/admin/tripwire.if
/usr/share/selinux/devel/include/admin/tzdata.if
/usr/share/selinux/devel/include/admin/updfstab.if
/usr/share/selinux/devel/include/admin/usbmodules.if
/usr/share/selinux/devel/include/admin/usermanage.if
/usr/share/selinux/devel/include/admin/vbetool.if
/usr/share/selinux/devel/include/admin/vpn.if
/usr/share/selinux/devel/include/admin.xml
/usr/share/selinux/devel/include/apps
/usr/share/selinux/devel/include/apps/ada.if
/usr/share/selinux/devel/include/apps/awstats.if
/usr/share/selinux/devel/include/apps/calamaris.if
/usr/share/selinux/devel/include/apps/cdrecord.if
/usr/share/selinux/devel/include/apps/chromium.if
/usr/share/selinux/devel/include/apps/cpufreqselector.if
/usr/share/selinux/devel/include/apps/evolution.if
/usr/share/selinux/devel/include/apps/firewallgui.if
/usr/share/selinux/devel/include/apps/games.if
/usr/share/selinux/devel/include/apps/gift.if
/usr/share/selinux/devel/include/apps/gitosis.if
/usr/share/selinux/devel/include/apps/gnome.if
/usr/share/selinux/devel/include/apps/gpg.if
/usr/share/selinux/devel/include/apps/irc.if
/usr/share/selinux/devel/include/apps/java.if
/usr/share/selinux/devel/include/apps/libmtp.if
/usr/share/selinux/devel/include/apps/lightsquid.if
/usr/share/selinux/devel/include/apps/livecd.if
/usr/share/selinux/devel/include/apps/loadkeys.if
/usr/share/selinux/devel/include/apps/lockdev.if
/usr/share/selinux/devel/include/apps/man2html.if
/usr/share/selinux/devel/include/apps/mandb.if
/usr/share/selinux/devel/include/apps/mono.if
/usr/share/selinux/devel/include/apps/mozilla.if
/usr/share/selinux/devel/include/apps/mplayer.if
/usr/share/selinux/devel/include/apps/openoffice.if
/usr/share/selinux/devel/include/apps/podsleuth.if
/usr/share/selinux/devel/include/apps/ptchown.if
/usr/share/selinux/devel/include/apps/pulseaudio.if
/usr/share/selinux/devel/include/apps/qemu.if
/usr/share/selinux/devel/include/apps/rssh.if
/usr/share/selinux/devel/include/apps/sambagui.if
/usr/share/selinux/devel/include/apps/screen.if
/usr/share/selinux/devel/include/apps/seunshare.if
/usr/share/selinux/devel/include/apps/sigrok.if
/usr/share/selinux/devel/include/apps/slocate.if
/usr/share/selinux/devel/include/apps/syncthing.if
/usr/share/selinux/devel/include/apps/telepathy.if
/usr/share/selinux/devel/include/apps/thunderbird.if
/usr/share/selinux/devel/include/apps/tvtime.if
/usr/share/selinux/devel/include/apps/uml.if
/usr/share/selinux/devel/include/apps/userhelper.if
/usr/share/selinux/devel/include/apps/usernetctl.if
/usr/share/selinux/devel/include/apps/vlock.if
/usr/share/selinux/devel/include/apps/vmware.if
/usr/share/selinux/devel/include/apps/webalizer.if
/usr/share/selinux/devel/include/apps/wine.if
/usr/share/selinux/devel/include/apps/wireshark.if
/usr/share/selinux/devel/include/apps/wm.if
/usr/share/selinux/devel/include/apps/xscreensaver.if
/usr/share/selinux/devel/include/apps/yam.if
/usr/share/selinux/devel/include/apps.xml
/usr/share/selinux/devel/include/build.conf
/usr/share/selinux/devel/include/global_booleans.xml
/usr/share/selinux/devel/include/global_tunables.xml
/usr/share/selinux/devel/include/kernel
/usr/share/selinux/devel/include/kernel/corecommands.if
/usr/share/selinux/devel/include/kernel/corenetwork.if
/usr/share/selinux/devel/include/kernel/devices.if
/usr/share/selinux/devel/include/kernel/domain.if
/usr/share/selinux/devel/include/kernel/files.if
/usr/share/selinux/devel/include/kernel/filesystem.if
/usr/share/selinux/devel/include/kernel/kernel.if
/usr/share/selinux/devel/include/kernel/mcs.if
/usr/share/selinux/devel/include/kernel/mls.if
/usr/share/selinux/devel/include/kernel/selinux.if
/usr/share/selinux/devel/include/kernel/storage.if
/usr/share/selinux/devel/include/kernel/terminal.if
/usr/share/selinux/devel/include/kernel/ubac.if
/usr/share/selinux/devel/include/kernel.xml
/usr/share/selinux/devel/include/roles
/usr/share/selinux/devel/include/roles/auditadm.if
/usr/share/selinux/devel/include/roles/dbadm.if
/usr/share/selinux/devel/include/roles/guest.if
/usr/share/selinux/devel/include/roles/logadm.if
/usr/share/selinux/devel/include/roles/secadm.if
/usr/share/selinux/devel/include/roles/staff.if
/usr/share/selinux/devel/include/roles/sysadm.if
/usr/share/selinux/devel/include/roles/unprivuser.if
/usr/share/selinux/devel/include/roles/webadm.if
/usr/share/selinux/devel/include/roles/xguest.if
/usr/share/selinux/devel/include/roles.xml
/usr/share/selinux/devel/include/services
/usr/share/selinux/devel/include/services/abrt.if
/usr/share/selinux/devel/include/services/accountsd.if
/usr/share/selinux/devel/include/services/acpi.if
/usr/share/selinux/devel/include/services/afs.if
/usr/share/selinux/devel/include/services/aiccu.if
/usr/share/selinux/devel/include/services/aisexec.if
/usr/share/selinux/devel/include/services/amavis.if
/usr/share/selinux/devel/include/services/apache.if
/usr/share/selinux/devel/include/services/apcupsd.if
/usr/share/selinux/devel/include/services/aptcacher.if
/usr/share/selinux/devel/include/services/arpwatch.if
/usr/share/selinux/devel/include/services/asterisk.if
/usr/share/selinux/devel/include/services/automount.if
/usr/share/selinux/devel/include/services/avahi.if
/usr/share/selinux/devel/include/services/bind.if
/usr/share/selinux/devel/include/services/bird.if
/usr/share/selinux/devel/include/services/bitlbee.if
/usr/share/selinux/devel/include/services/bluetooth.if
/usr/share/selinux/devel/include/services/boinc.if
/usr/share/selinux/devel/include/services/bugzilla.if
/usr/share/selinux/devel/include/services/cachefilesd.if
/usr/share/selinux/devel/include/services/callweaver.if
/usr/share/selinux/devel/include/services/canna.if
/usr/share/selinux/devel/include/services/ccs.if
/usr/share/selinux/devel/include/services/certbot.if
/usr/share/selinux/devel/include/services/certmaster.if
/usr/share/selinux/devel/include/services/certmonger.if
/usr/share/selinux/devel/include/services/cgmanager.if
/usr/share/selinux/devel/include/services/cgroup.if
/usr/share/selinux/devel/include/services/chronyd.if
/usr/share/selinux/devel/include/services/cipe.if
/usr/share/selinux/devel/include/services/clamav.if
/usr/share/selinux/devel/include/services/clockspeed.if
/usr/share/selinux/devel/include/services/clogd.if
/usr/share/selinux/devel/include/services/cmirrord.if
/usr/share/selinux/devel/include/services/cobbler.if
/usr/share/selinux/devel/include/services/collectd.if
/usr/share/selinux/devel/include/services/colord.if
/usr/share/selinux/devel/include/services/comsat.if
/usr/share/selinux/devel/include/services/condor.if
/usr/share/selinux/devel/include/services/consolekit.if
/usr/share/selinux/devel/include/services/corosync.if
/usr/share/selinux/devel/include/services/couchdb.if
/usr/share/selinux/devel/include/services/courier.if
/usr/share/selinux/devel/include/services/cpucontrol.if
/usr/share/selinux/devel/include/services/cron.if
/usr/share/selinux/devel/include/services/ctdb.if
/usr/share/selinux/devel/include/services/cups.if
/usr/share/selinux/devel/include/services/cvs.if
/usr/share/selinux/devel/include/services/cyphesis.if
/usr/share/selinux/devel/include/services/cyrus.if
/usr/share/selinux/devel/include/services/dante.if
/usr/share/selinux/devel/include/services/dbskk.if
/usr/share/selinux/devel/include/services/dbus.if
/usr/share/selinux/devel/include/services/dcc.if
/usr/share/selinux/devel/include/services/ddclient.if
/usr/share/selinux/devel/include/services/denyhosts.if
/usr/share/selinux/devel/include/services/devicekit.if
/usr/share/selinux/devel/include/services/dhcp.if
/usr/share/selinux/devel/include/services/dictd.if
/usr/share/selinux/devel/include/services/dirmngr.if
/usr/share/selinux/devel/include/services/distcc.if
/usr/share/selinux/devel/include/services/djbdns.if
/usr/share/selinux/devel/include/services/dkim.if
/usr/share/selinux/devel/include/services/dnsmasq.if
/usr/share/selinux/devel/include/services/dnssectrigger.if
/usr/share/selinux/devel/include/services/dovecot.if
/usr/share/selinux/devel/include/services/drbd.if
/usr/share/selinux/devel/include/services/dspam.if
/usr/share/selinux/devel/include/services/entropyd.if
/usr/share/selinux/devel/include/services/exim.if
/usr/share/selinux/devel/include/services/fail2ban.if
/usr/share/selinux/devel/include/services/fcoe.if
/usr/share/selinux/devel/include/services/fetchmail.if
/usr/share/selinux/devel/include/services/finger.if
/usr/share/selinux/devel/include/services/firewalld.if
/usr/share/selinux/devel/include/services/fprintd.if
/usr/share/selinux/devel/include/services/ftp.if
/usr/share/selinux/devel/include/services/gatekeeper.if
/usr/share/selinux/devel/include/services/gdomap.if
/usr/share/selinux/devel/include/services/geoclue.if
/usr/share/selinux/devel/include/services/git.if
/usr/share/selinux/devel/include/services/glance.if
/usr/share/selinux/devel/include/services/glusterfs.if
/usr/share/selinux/devel/include/services/gnomeclock.if
/usr/share/selinux/devel/include/services/gpm.if
/usr/share/selinux/devel/include/services/gpsd.if
/usr/share/selinux/devel/include/services/gssproxy.if
/usr/share/selinux/devel/include/services/hadoop.if
/usr/share/selinux/devel/include/services/hal.if
/usr/share/selinux/devel/include/services/hddtemp.if
/usr/share/selinux/devel/include/services/hostapd.if
/usr/share/selinux/devel/include/services/howl.if
/usr/share/selinux/devel/include/services/hypervkvp.if
/usr/share/selinux/devel/include/services/i18n_input.if
/usr/share/selinux/devel/include/services/icecast.if
/usr/share/selinux/devel/include/services/ifplugd.if
/usr/share/selinux/devel/include/services/imaze.if
/usr/share/selinux/devel/include/services/inetd.if
/usr/share/selinux/devel/include/services/inn.if
/usr/share/selinux/devel/include/services/iodine.if
/usr/share/selinux/devel/include/services/ircd.if
/usr/share/selinux/devel/include/services/irqbalance.if
/usr/share/selinux/devel/include/services/isns.if
/usr/share/selinux/devel/include/services/jabber.if
/usr/share/selinux/devel/include/services/jockey.if
/usr/share/selinux/devel/include/services/kerberos.if
/usr/share/selinux/devel/include/services/kerneloops.if
/usr/share/selinux/devel/include/services/keyboardd.if
/usr/share/selinux/devel/include/services/keystone.if
/usr/share/selinux/devel/include/services/ksmtuned.if
/usr/share/selinux/devel/include/services/ktalk.if
/usr/share/selinux/devel/include/services/l2tp.if
/usr/share/selinux/devel/include/services/ldap.if
/usr/share/selinux/devel/include/services/likewise.if
/usr/share/selinux/devel/include/services/lircd.if
/usr/share/selinux/devel/include/services/lldpad.if
/usr/share/selinux/devel/include/services/lpd.if
/usr/share/selinux/devel/include/services/lsm.if
/usr/share/selinux/devel/include/services/mailman.if
/usr/share/selinux/devel/include/services/mailscanner.if
/usr/share/selinux/devel/include/services/mediawiki.if
/usr/share/selinux/devel/include/services/memcached.if
/usr/share/selinux/devel/include/services/memlockd.if
/usr/share/selinux/devel/include/services/milter.if
/usr/share/selinux/devel/include/services/minidlna.if
/usr/share/selinux/devel/include/services/minissdpd.if
/usr/share/selinux/devel/include/services/modemmanager.if
/usr/share/selinux/devel/include/services/mojomojo.if
/usr/share/selinux/devel/include/services/mon.if
/usr/share/selinux/devel/include/services/mongodb.if
/usr/share/selinux/devel/include/services/monit.if
/usr/share/selinux/devel/include/services/monop.if
/usr/share/selinux/devel/include/services/mpd.if
/usr/share/selinux/devel/include/services/mta.if
/usr/share/selinux/devel/include/services/munin.if
/usr/share/selinux/devel/include/services/mysql.if
/usr/share/selinux/devel/include/services/nagios.if
/usr/share/selinux/devel/include/services/nessus.if
/usr/share/selinux/devel/include/services/networkmanager.if
/usr/share/selinux/devel/include/services/nis.if
/usr/share/selinux/devel/include/services/nscd.if
/usr/share/selinux/devel/include/services/nsd.if
/usr/share/selinux/devel/include/services/nslcd.if
/usr/share/selinux/devel/include/services/ntop.if
/usr/share/selinux/devel/include/services/ntp.if
/usr/share/selinux/devel/include/services/numad.if
/usr/share/selinux/devel/include/services/nut.if
/usr/share/selinux/devel/include/services/nx.if
/usr/share/selinux/devel/include/services/oav.if
/usr/share/selinux/devel/include/services/obex.if
/usr/share/selinux/devel/include/services/oddjob.if
/usr/share/selinux/devel/include/services/oident.if
/usr/share/selinux/devel/include/services/openca.if
/usr/share/selinux/devel/include/services/openct.if
/usr/share/selinux/devel/include/services/openhpi.if
/usr/share/selinux/devel/include/services/openvpn.if
/usr/share/selinux/devel/include/services/openvswitch.if
/usr/share/selinux/devel/include/services/pacemaker.if
/usr/share/selinux/devel/include/services/pads.if
/usr/share/selinux/devel/include/services/pcscd.if
/usr/share/selinux/devel/include/services/pegasus.if
/usr/share/selinux/devel/include/services/perdition.if
/usr/share/selinux/devel/include/services/pingd.if
/usr/share/selinux/devel/include/services/pkcs.if
/usr/share/selinux/devel/include/services/plymouthd.if
/usr/share/selinux/devel/include/services/policykit.if
/usr/share/selinux/devel/include/services/polipo.if
/usr/share/selinux/devel/include/services/portmap.if
/usr/share/selinux/devel/include/services/portreserve.if
/usr/share/selinux/devel/include/services/portslave.if
/usr/share/selinux/devel/include/services/postfix.if
/usr/share/selinux/devel/include/services/postfixpolicyd.if
/usr/share/selinux/devel/include/services/postgresql.if
/usr/share/selinux/devel/include/services/postgrey.if
/usr/share/selinux/devel/include/services/ppp.if
/usr/share/selinux/devel/include/services/prelude.if
/usr/share/selinux/devel/include/services/privoxy.if
/usr/share/selinux/devel/include/services/procmail.if
/usr/share/selinux/devel/include/services/psad.if
/usr/share/selinux/devel/include/services/publicfile.if
/usr/share/selinux/devel/include/services/pwauth.if
/usr/share/selinux/devel/include/services/pxe.if
/usr/share/selinux/devel/include/services/pyicqt.if
/usr/share/selinux/devel/include/services/pyzor.if
/usr/share/selinux/devel/include/services/qmail.if
/usr/share/selinux/devel/include/services/qpid.if
/usr/share/selinux/devel/include/services/quantum.if
/usr/share/selinux/devel/include/services/rabbitmq.if
/usr/share/selinux/devel/include/services/radius.if
/usr/share/selinux/devel/include/services/radvd.if
/usr/share/selinux/devel/include/services/razor.if
/usr/share/selinux/devel/include/services/rdisc.if
/usr/share/selinux/devel/include/services/realmd.if
/usr/share/selinux/devel/include/services/redis.if
/usr/share/selinux/devel/include/services/remotelogin.if
/usr/share/selinux/devel/include/services/resmgr.if
/usr/share/selinux/devel/include/services/rgmanager.if
/usr/share/selinux/devel/include/services/rhcs.if
/usr/share/selinux/devel/include/services/rhgb.if
/usr/share/selinux/devel/include/services/rhsmcertd.if
/usr/share/selinux/devel/include/services/ricci.if
/usr/share/selinux/devel/include/services/rlogin.if
/usr/share/selinux/devel/include/services/rngd.if
/usr/share/selinux/devel/include/services/roundup.if
/usr/share/selinux/devel/include/services/rpc.if
/usr/share/selinux/devel/include/services/rpcbind.if
/usr/share/selinux/devel/include/services/rshd.if
/usr/share/selinux/devel/include/services/rsync.if
/usr/share/selinux/devel/include/services/rtkit.if
/usr/share/selinux/devel/include/services/rwho.if
/usr/share/selinux/devel/include/services/samba.if
/usr/share/selinux/devel/include/services/sanlock.if
/usr/share/selinux/devel/include/services/sasl.if
/usr/share/selinux/devel/include/services/sendmail.if
/usr/share/selinux/devel/include/services/sensord.if
/usr/share/selinux/devel/include/services/setroubleshoot.if
/usr/share/selinux/devel/include/services/shibboleth.if
/usr/share/selinux/devel/include/services/slpd.if
/usr/share/selinux/devel/include/services/slrnpull.if
/usr/share/selinux/devel/include/services/smartmon.if
/usr/share/selinux/devel/include/services/smokeping.if
/usr/share/selinux/devel/include/services/smstools.if
/usr/share/selinux/devel/include/services/snmp.if
/usr/share/selinux/devel/include/services/snort.if
/usr/share/selinux/devel/include/services/soundserver.if
/usr/share/selinux/devel/include/services/spamassassin.if
/usr/share/selinux/devel/include/services/speedtouch.if
/usr/share/selinux/devel/include/services/squid.if
/usr/share/selinux/devel/include/services/ssh.if
/usr/share/selinux/devel/include/services/sssd.if
/usr/share/selinux/devel/include/services/stunnel.if
/usr/share/selinux/devel/include/services/svnserve.if
/usr/share/selinux/devel/include/services/sysstat.if
/usr/share/selinux/devel/include/services/systemtap.if
/usr/share/selinux/devel/include/services/tcpd.if
/usr/share/selinux/devel/include/services/tcsd.if
/usr/share/selinux/devel/include/services/telnet.if
/usr/share/selinux/devel/include/services/tftp.if
/usr/share/selinux/devel/include/services/tgtd.if
/usr/share/selinux/devel/include/services/timidity.if
/usr/share/selinux/devel/include/services/tor.if
/usr/share/selinux/devel/include/services/transproxy.if
/usr/share/selinux/devel/include/services/tuned.if
/usr/share/selinux/devel/include/services/ucspitcp.if
/usr/share/selinux/devel/include/services/ulogd.if
/usr/share/selinux/devel/include/services/uptime.if
/usr/share/selinux/devel/include/services/usbmuxd.if
/usr/share/selinux/devel/include/services/uucp.if
/usr/share/selinux/devel/include/services/uuidd.if
/usr/share/selinux/devel/include/services/uwimap.if
/usr/share/selinux/devel/include/services/varnishd.if
/usr/share/selinux/devel/include/services/vdagent.if
/usr/share/selinux/devel/include/services/vhostmd.if
/usr/share/selinux/devel/include/services/virt.if
/usr/share/selinux/devel/include/services/vnstatd.if
/usr/share/selinux/devel/include/services/w3c.if
/usr/share/selinux/devel/include/services/watchdog.if
/usr/share/selinux/devel/include/services/wdmd.if
/usr/share/selinux/devel/include/services/xfs.if
/usr/share/selinux/devel/include/services/xprint.if
/usr/share/selinux/devel/include/services/xserver.if
/usr/share/selinux/devel/include/services/zabbix.if
/usr/share/selinux/devel/include/services/zarafa.if
/usr/share/selinux/devel/include/services/zebra.if
/usr/share/selinux/devel/include/services/zosremote.if
/usr/share/selinux/devel/include/services.xml
/usr/share/selinux/devel/include/support
/usr/share/selinux/devel/include/support/all_perms.spt
/usr/share/selinux/devel/include/support/divert.m4
/usr/share/selinux/devel/include/support/file_patterns.spt
/usr/share/selinux/devel/include/support/ipc_patterns.spt
/usr/share/selinux/devel/include/support/loadable_module.spt
/usr/share/selinux/devel/include/support/misc_macros.spt
/usr/share/selinux/devel/include/support/misc_patterns.spt
/usr/share/selinux/devel/include/support/mls_mcs_macros.spt
/usr/share/selinux/devel/include/support/obj_perm_sets.spt
/usr/share/selinux/devel/include/support/policy.dtd
/usr/share/selinux/devel/include/support/segenxml.py
/usr/share/selinux/devel/include/support/undivert.m4
/usr/share/selinux/devel/include/system
/usr/share/selinux/devel/include/system/application.if
/usr/share/selinux/devel/include/system/authlogin.if
/usr/share/selinux/devel/include/system/clock.if
/usr/share/selinux/devel/include/system/daemontools.if
/usr/share/selinux/devel/include/system/fstools.if
/usr/share/selinux/devel/include/system/getty.if
/usr/share/selinux/devel/include/system/hostname.if
/usr/share/selinux/devel/include/system/hotplug.if
/usr/share/selinux/devel/include/system/init.if
/usr/share/selinux/devel/include/system/ipsec.if
/usr/share/selinux/devel/include/system/iptables.if
/usr/share/selinux/devel/include/system/iscsi.if
/usr/share/selinux/devel/include/system/libraries.if
/usr/share/selinux/devel/include/system/locallogin.if
/usr/share/selinux/devel/include/system/logging.if
/usr/share/selinux/devel/include/system/lvm.if
/usr/share/selinux/devel/include/system/miscfiles.if
/usr/share/selinux/devel/include/system/modutils.if
/usr/share/selinux/devel/include/system/mount.if
/usr/share/selinux/devel/include/system/netlabel.if
/usr/share/selinux/devel/include/system/pcmcia.if
/usr/share/selinux/devel/include/system/raid.if
/usr/share/selinux/devel/include/system/selinuxutil.if
/usr/share/selinux/devel/include/system/setrans.if
/usr/share/selinux/devel/include/system/sysnetwork.if
/usr/share/selinux/devel/include/system/systemd.if
/usr/share/selinux/devel/include/system/udev.if
/usr/share/selinux/devel/include/system/unconfined.if
/usr/share/selinux/devel/include/system/userdomain.if
/usr/share/selinux/devel/include/system/xdg.if
/usr/share/selinux/devel/include/system/xen.if
/usr/share/selinux/devel/include/system.xml
/usr/share/selinux/devel/policy.dtd
/usr/share/selinux/devel/policy.xml

/.
/usr
/usr/share
/usr/share/doc
/usr/share/doc/selinux-policy-src
/usr/share/doc/selinux-policy-src/NEWS.Debian.gz
/usr/share/doc/selinux-policy-src/changelog.Debian.gz
/usr/share/doc/selinux-policy-src/copyright
/usr/src
/usr/src/selinux-policy-src.tar.gz

/.
/usr
/usr/sbin
/usr/sbin/avcstat
/usr/sbin/compute_av
/usr/sbin/compute_create
/usr/sbin/compute_member
/usr/sbin/compute_relabel
/usr/sbin/compute_user
/usr/sbin/getconlist
/usr/sbin/getdefaultcon
/usr/sbin/getenforce
/usr/sbin/getfilecon
/usr/sbin/getpidcon
/usr/sbin/getsebool
/usr/sbin/getseuser
/usr/sbin/matchpathcon
/usr/sbin/policyvers
/usr/sbin/sefcontext_compile
/usr/sbin/selabel_digest
/usr/sbin/selabel_get_digests_all_partial_matches
/usr/sbin/selabel_lookup
/usr/sbin/selabel_lookup_best_match
/usr/sbin/selabel_partial_match
/usr/sbin/selinux_check_access
/usr/sbin/selinux_check_securetty_context
/usr/sbin/selinuxenabled
/usr/sbin/selinuxexeccon
/usr/sbin/setenforce
/usr/sbin/setfilecon
/usr/sbin/togglesebool
/usr/sbin/validatetrans
/usr/share
/usr/share/doc
/usr/share/doc/selinux-utils
/usr/share/doc/selinux-utils/copyright
/usr/share/man
/usr/share/man/man5
/usr/share/man/man5/customizable_types.5.gz
/usr/share/man/man5/default_contexts.5.gz
/usr/share/man/man5/default_type.5.gz
/usr/share/man/man5/failsafe_context.5.gz
/usr/share/man/man5/removable_context.5.gz
/usr/share/man/man5/secolor.conf.5.gz
/usr/share/man/man5/securetty_types.5.gz
/usr/share/man/man5/selabel_db.5.gz
/usr/share/man/man5/selabel_file.5.gz
/usr/share/man/man5/selabel_media.5.gz
/usr/share/man/man5/selabel_x.5.gz
/usr/share/man/man5/service_seusers.5.gz
/usr/share/man/man5/seusers.5.gz
/usr/share/man/man5/user_contexts.5.gz
/usr/share/man/man5/virtual_domain_context.5.gz
/usr/share/man/man5/virtual_image_context.5.gz
/usr/share/man/man8
/usr/share/man/man8/avcstat.8.gz
/usr/share/man/man8/booleans.8.gz
/usr/share/man/man8/getenforce.8.gz
/usr/share/man/man8/getsebool.8.gz
/usr/share/man/man8/matchpathcon.8.gz
/usr/share/man/man8/sefcontext_compile.8.gz
/usr/share/man/man8/selinux.8.gz
/usr/share/man/man8/selinuxenabled.8.gz
/usr/share/man/man8/selinuxexeccon.8.gz
/usr/share/man/man8/setenforce.8.gz
/usr/share/man/man8/togglesebool.8.gz
/usr/share/man/ru
/usr/share/man/ru/man5
/usr/share/man/ru/man5/customizable_types.5.gz
/usr/share/man/ru/man5/default_contexts.5.gz
/usr/share/man/ru/man5/default_type.5.gz
/usr/share/man/ru/man5/failsafe_context.5.gz
/usr/share/man/ru/man5/removable_context.5.gz
/usr/share/man/ru/man5/secolor.conf.5.gz
/usr/share/man/ru/man5/securetty_types.5.gz
/usr/share/man/ru/man5/selabel_db.5.gz
/usr/share/man/ru/man5/selabel_file.5.gz
/usr/share/man/ru/man5/selabel_media.5.gz
/usr/share/man/ru/man5/selabel_x.5.gz
/usr/share/man/ru/man5/service_seusers.5.gz
/usr/share/man/ru/man5/seusers.5.gz
/usr/share/man/ru/man5/user_contexts.5.gz
/usr/share/man/ru/man5/virtual_domain_context.5.gz
/usr/share/man/ru/man5/virtual_image_context.5.gz
/usr/share/man/ru/man8
/usr/share/man/ru/man8/avcstat.8.gz
/usr/share/man/ru/man8/booleans.8.gz
/usr/share/man/ru/man8/getenforce.8.gz
/usr/share/man/ru/man8/getsebool.8.gz
/usr/share/man/ru/man8/matchpathcon.8.gz
/usr/share/man/ru/man8/sefcontext_compile.8.gz
/usr/share/man/ru/man8/selinux.8.gz
/usr/share/man/ru/man8/selinuxenabled.8.gz
/usr/share/man/ru/man8/selinuxexeccon.8.gz
/usr/share/man/ru/man8/setenforce.8.gz
/usr/share/man/ru/man8/togglesebool.8.gz
/usr/share/doc/selinux-utils/changelog.Debian.gz
/usr/share/man/man5/file_contexts.5.gz
/usr/share/man/man5/file_contexts.homedirs.5.gz
/usr/share/man/man5/file_contexts.local.5.gz
/usr/share/man/man5/file_contexts.subs.5.gz
/usr/share/man/man5/file_contexts.subs_dist.5.gz
/usr/share/man/man5/media.5.gz
/usr/share/man/man5/sepgsql_contexts.5.gz
/usr/share/man/man5/x_contexts.5.gz
/usr/share/man/ru/man5/file_contexts.5.gz
/usr/share/man/ru/man5/file_contexts.homedirs.5.gz
/usr/share/man/ru/man5/file_contexts.local.5.gz
/usr/share/man/ru/man5/file_contexts.subs.5.gz
/usr/share/man/ru/man5/file_contexts.subs_dist.5.gz
/usr/share/man/ru/man5/media.5.gz
/usr/share/man/ru/man5/sepgsql_contexts.5.gz
/usr/share/man/ru/man5/x_contexts.5.gz

[hand.right] Report: Granting privileges to ordinary users (2022.04.26)
On Ubuntu 18.04 (ARM64) and Ubuntu 20.04 (x86_64), the privilege-granting function of pam_capability is restricted in the following cases:
(a) Using the Ubuntu window manager on Ubuntu 18.04 (ARM64).
(b) Using the Ubuntu window manager or the Openbox window manager on Ubuntu 20.04 (x86_64).

Cause
As a security measure, systemd is now used with PAM (Pluggable Authentication Modules), and login sessions have been separated from root.
As a result, the privilege-granting modules pam_cap.so (Ubuntu standard) and pam_capability.so (RedHawk standard) no longer work under systemd-user.
Workarounds
Three workarounds are shown below.
(1) Configure pam_capability.so as before, and then run "su $USER" beforehand.
Note that the cap_setpcap bit (0000000000000100) is cleared.

	$ fgrep Cap /proc/self/status
	CapInh:0000000000000000
	CapPrm:0000000000000000
	CapEff:0000000000000000
	CapBnd:0000003fffffffff
	CapAmb:0000000000000000

	$ su $USER
	Password:
	
	$ fgrep Cap /proc/self/status
	CapInh:0000003ffffffeff
	CapPrm:0000003ffffffeff
	CapEff:0000003ffffffeff
	CapBnd:0000003fffffffff
	CapAmb:0000000000000000


(2) Change the window manager used at login
The default configuration of Xavier RedHawk/Ubuntu 18.04 provides the following four window managers:

	Unity(NG)
	LXDE(OK)
	Openbox(OK)
	Ubuntu(NG)

At login, click the gear icon and select LXDE.
[login]

On x86_64 RedHawk/Ubuntu 20.04, install the LXDE window manager beforehand (sudo apt install lxde).

	LXDE (OK)
	Openbox(NG)
	Ubuntu(NG)

(3) Set file capabilities on the executables that need the privileges.
The following example grants capabilities to run(1) and shield(1), both of which need them.

	$ getcap /usr/bin/shield
	$ setcap  cap_ipc_lock,cap_sys_rawio,cap_sys_admin,cap_sys_nice,cap_sys_resource+ep /usr/bin/shield
	unable to set CAP_SETFCAP effective capability: Operation not permitted
	$ sudo -s
	[sudo] password for : 
	# setcap  cap_ipc_lock,cap_sys_rawio,cap_sys_admin,cap_sys_nice,cap_sys_resource+ep /usr/bin/shield
	# setcap  cap_ipc_lock,cap_sys_rawio,cap_sys_admin,cap_sys_nice,cap_sys_resource+ep /usr/bin/run
	# exit
	$ getcap /usr/bin/shield
	/usr/bin/shield = cap_ipc_lock,cap_sys_rawio,cap_sys_admin,cap_sys_nice,cap_sys_resource+ep
	$ getcap /usr/bin/run
	/usr/bin/run = cap_ipc_lock,cap_sys_rawio,cap_sys_admin,cap_sys_nice,cap_sys_resource+ep
	$ shield -r -a 1-3 -c

	     CPUID      irqs     ltmrs     procs
	--------------------------------------------------
	         0        no        no        no
	         1       yes       yes       yes
	         2       yes       yes       yes
	         3       yes       yes       yes
	         4        no        no        no
	         5        no        no        no
	         6        no        no        no
	         7        no        no        no

Reference

RedHawk installs role-based privilege assignment (capability roles) in the form of pam_capability.so.
For details, see the Pluggable Authentication Modules (PAM) section of Chapter 13 of the RedHawk Linux User's Guide.
A brief procedure follows.
(1) In /etc/security/capability.conf, define a role (a set of privileges) named rtuser, and assign the privileges required for execution to a group called rtgroup.

	###########################################################################
	#
	# sample capability.conf file
	#
	# the format is
	#
	#	role		
	#	group		
	#	user		
	#
	# where  should be a whitespace or comma-separated list of
	# capabilities (see /usr/include/linux/capability.h) that will be turned
	# on in the user's inheritable set.
	#
	# matching usernames proceeds in this manner:
	#	1. if uid == 0, return without modifying capabilities
	#	2. if username is in the list of users (not '*') apply that role
	#          and return
	#       3. walk the group list in order and return after FIRST group match
	#          of which username is a memeber
	#       4. if user '*' declaration exists apply this role and return
	#       5. clear all capabilities and bail.
	#
	# NOTES:
	#	1. CAP_SETPCAP is always automatically disabled.
	#
	###########################################################################
	###########################################################################
	# ROLES
	###########################################################################

	role	admin		all

	# applications that need to bind to reserved (priviledged) ports
	role	bindapp		cap_net_bind_service cap_sys_chroot

	role	ntpapp		bindapp \
			cap_net_broadcast cap_sys_time

	role	poweruser	cap_sys_time    \
			cap_sys_nice    \
			cap_sys_ptrace  \
			cap_net_admin   \
			cap_sys_boot

	role	desktopuser	cap_sys_boot cap_sys_time

	role	fbscheduser	cap_sys_nice

	role	adauser		cap_sys_admin cap_sys_nice cap_sys_rawio cap_ipc_lock
	role    rtuser          cap_ipc_lock cap_sys_rawio cap_sys_admin cap_sys_nice cap_sys_resource
	###########################################################################
	# GROUPS
	###########################################################################
	# the 'wheel' group
	# group	wheel		admin
	group  rtgroup       rtuser
	###########################################################################
	# USERS
	###########################################################################
	# set up these accounts to bind to privileged ports
	# user	mail		bindapp
	# user	apache		bindapp
	# ntp needs to be able to set the time as well
	# user	ntp		ntpapp
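As an added worked example (not code from the page, nor from RedHawk's pam_capability), the following Python resolves a user's inheritable set from a capability.conf according to the matching order and the CAP_SETPCAP rule stated in the file header above. The SAMPLE_CONF text is constructed here and the `setpcapper` role is invented for illustration only.

```python
import re

# Constructed sample modelled on the file above; 'setpcapper' only exercises the CAP_SETPCAP rule.
SAMPLE_CONF = """
role    bindapp     cap_net_bind_service cap_sys_chroot
role    ntpapp      bindapp \\
                    cap_net_broadcast cap_sys_time
role    rtuser      cap_ipc_lock cap_sys_rawio cap_sys_admin cap_sys_nice cap_sys_resource
role    setpcapper  cap_setpcap cap_sys_nice
group   rtgroup     rtuser
user    ntp         ntpapp
"""

def parse_conf(text):
    """Parse role/group/user lines, honouring '\\' continuations and '#' comments."""
    roles, groups, users = {}, {}, {}
    for line in re.sub(r"\\\n", " ", text).splitlines():   # join continued lines
        parts = line.split("#", 1)[0].split(None, 2)
        if len(parts) != 3:
            continue
        kind, name, items = parts[0], parts[1], re.split(r"[\s,]+", parts[2].strip())
        if kind == "role":
            roles[name] = items
        else:
            (groups if kind == "group" else users)[name] = items[0]  # group/user -> role
    return roles, groups, users

def expand_role(name, roles, seen=frozenset()):
    """A role may list other roles (ntpapp -> bindapp); expand them recursively."""
    caps = set()
    for item in roles.get(name, []):
        nested = item in roles and item not in seen
        caps |= expand_role(item, roles, seen | {name}) if nested else {item}
    caps.discard("cap_setpcap")              # NOTES 1: CAP_SETPCAP is always disabled
    return caps

def inheritable_set(username, uid, user_groups, conf_text):
    """Apply the header's matching order: uid 0, user, first group, '*', nothing."""
    roles, groups, users = parse_conf(conf_text)
    if uid == 0:
        return None                          # step 1: root is left untouched
    if username in users and username != "*":
        return expand_role(users[username], roles)       # step 2
    for group, role in groups.items():       # step 3: file order, first membership wins
        if group in user_groups:
            return expand_role(role, roles)
    if "*" in users:
        return expand_role(users["*"], roles)            # step 4
    return set()                             # step 5: clear everything
```

Note that a user entry beats group membership, so an explicit `user` line can both grant and effectively limit what a group would otherwise give.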

(2) To grant these privileges at login, add "session required pam_capability.so" to the /etc/pam.d/common-session file.

	#
	# /etc/pam.d/common-session - session-related modules common to all services
	#
	# This file is included from other service-specific PAM config files,
	# and should contain a list of modules that define tasks to be performed
	# at the start and end of sessions of *any* kind (both interactive and
	# non-interactive).
	#
	# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
	# To take advantage of this, it is recommended that you configure any
	# local modules either before or after the default block, and use
	# pam-auth-update to manage selection of other modules.  See
	# pam-auth-update(8) for details.
	# here are the per-package modules (the "Primary" block)
	session	[default=1]			pam_permit.so
	# here's the fallback if no module succeeds
	session	requisite			pam_deny.so
	# prime the stack with a positive return value if there isn't one already;
	# this avoids us returning an error just because nothing sets a success code
	# since the modules above will each just jump around
	session	required			pam_permit.so
	# The pam_umask module will set the umask according to the system default in
	# /etc/login.defs and user settings, solving the problem of different
	# umask settings with different shells, display managers, remote sessions etc.
	# See "man pam_umask".
	session optional			pam_umask.so
	# and here are more per-package modules (the "Additional" block)
	session	required	pam_unix.so 
	session	optional	pam_systemd.so 
	session	required	pam_capability.so
	# end of pam-auth-update config


(3) Add the group to the supplementary groups list of each user who needs the privileges.

	# usermod -aG rtgroup username

In this state, after a reboot, users belonging to rtgroup are granted the privileges.
The following is an excerpt from the manual referenced above.

To assign roles to users who log in to the system via ssh(1), add the same line to /etc/pam.d/sshd as well.
To allow the roles defined in the /etc/security/capability.conf file to apply when a user switches identity via su(1),
and to ensure that the switched-to user does not inherit inappropriate capabilities from the su(1) invocation, add it to /etc/pam.d/su as well.

For ssh users to obtain their role definitions from a capability.conf file other than the one in /etc/security, add the following line to /etc/pam.d/sshd:

session required pam_capability.so conf=/root/ssh-capability.conf

In this way, the roles defined in the /root/ssh-capability.conf file are applied to users who log in via ssh.
