SELinx介绍

Posted on Edited on

SELinux = Security Enhanced Linux

Wiki: Security-Enhanced Linux
Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).
SELinux is a set of kernel modifications and user-space tools that have been added to various Linux distributions.

SELinux起源于美国国安局(NSA)。它的前身是NSA的一个叫Flask的项目,后来,NSA觉得Linux更具发展和普及前景,所以就在Linux系统上重新实现了FLASK,称之为SELinux。

在网络上浏览了不少资料。有几篇写的非常好,罗列在参考文献中,方便读者参考引用。

[1]介绍了SELinux的基本概念,非常值得入门阅读。包括DAC,MAC,TEAC(简称TE),RBAC,以及policy文件的语法

[2]是[1]的姊妹篇,介绍了File Context和MLS的概念,以及编译构建SELinux的步骤。着重于动手部分

[3]本来是一个非常好的从头至尾指导动手构建SELinux的教程,可惜文章中涉及的源码版本过于老了(Linux 2.6,Gentoo 2006版)。编译构建的时候错误不断。只能意会了,可惜可惜。

[4]是一份文档,最新版本是2012年更新的版本,足有444页,完全可以当一本SELinux的入门书籍来阅读。我目前还没看完,但是从目录结构来看,感觉该有的都有值得好好看一看。

[5][6]是一些比较general的知识的帖子,也有可取之处,可以作为参考

[7]阐述了MLS的由来以及基本概念,由MLS开发者公司写的,似乎比较权威

[8]提到了一些代码入口,阅读代码的话可以从其中扩展开去

本文主要注重理清SELinux实现安全防护的思路,不涉及具体语法解释。另外还会再写一篇着重介绍在Linux用户态使能SELinux,并修改或添加SELinux策略

如果需要理解具体语法可以参考文献[1]。以及Android源码为例,可参考链接实现 SELinux。Android系统策略文件(.te)位置在system/sepolicy,device/<manufacturer>/<device-name>/sepolicy

SELinux提供的防护手段

从Wiki SELinux的定义就能看出,SELinux的核心就是提供了一套MAC的权限管理。MAC全称为Mandatory Access Control(个人理解:MACTEAC)。再辅以其他一系列辅助手段,来达到绝对的安全(当然世界上只有相对安全,没有绝对的安全)。本章就逐一介绍这些手段。

DAC vs. MAC

DAC = Discretionary Access Control,也就是Linux系统提供给我们的基本的权限管理,例如如下ls -l输出:

drwx------+ 19 user  staff       608 10 27 10:07 Desktop
drwx------+ 17 user  staff       544  8 16 21:39 Documents
drwx------+ 31 user  staff       992 11 27 19:51 Downloads
  • user就是该文件的拥有者ID(即UID),staff是user的组ID(GID)
  • rwx------就是我们通常说的权限组,每三个字母代表一种权限标记
    • rwx分别表示可读,可写,可执行
    • [1..3] 表示拥有者的权限
    • [4..6] 表示与拥有者同组的用户的权限
    • [7..9] 表示其他用户的权限
    • rwx------换算成8进制,也就是我们常说的700权限,什么644啊,777啊都可以这样换算

Linux基于基本的UID和GID即可以有基本的权限控制。DAC的缺陷在于,他有一个超级用户root,当一旦黑客通过漏洞完成了提权操作,那么所有的这些权限控制就失效了。所以NSA才做了这么一套MAC机制。

MAC的处世哲学非常简单:即任何进程想在SELinux系统中干任何事情,都必须先在安全策略配置文件中赋予权限。凡是没有出现在安全策略配置文件中的权限,进程就没有该权限。[1]

TEAC

TEAC = Type Enforcement Accesc Control,简称TE。

Linux中有两种东西,一种死的(Inactive),一种活的(Active)。死的东西就是文件(Linux哲学,万物皆文件。注意,万不可狭义解释为File),而活的东西就是进程。此处的“死”和“活”是一种比喻,映射到软件层面的意思是:进程能发起动作,例如它能打开文件并操作它。而文件只能被进程操作。[1]

所谓的TEAC就是两个东西的Type要匹配上。Type是啥?

进程的Type

对于进程,看一下ps -Z命令的输出:

LABEL                          USER           PID  PPID     VSZ    RSS WCHAN
u:r:shell:s0                   shell         3097  1427    5752   3024 sigsuspe+
u:r:shell:s0                   shell         3100  3097    7320   3228 0

上面的命令在Android adb shell中运行输出。这个u:r:shell:s0就是一个进程的标签,其中:

  • u:SELinux定义的一个用户,这个用户不同于Linux的系统用户,具体参看后面的用户与角色一节。
  • r:SELinux定义的一个角色(role),在policy描述语言中,可以用role关键字来定义
  • shell:就是我们要的Type了,SELinux中称为Domain,在policy描述语言中,可以用type或者attribute关键字来定义
  • s0:是安全级别,MLS会用到的东西

特别注意:对初学者而言,attribute和type的关系最难理解,因为“attribute”这个关键词实在是没取好名字,很容易产生误解:

实际上,type和attribute位于同一个命名空间,即不能用type命令和attribute命令定义相同名字的东西。
其实,attribute真正的意思应该是类似type(或domain) group这样的概念。比如,将type A和attribute B关联起来,就是说type A属于group B中的一员。

文件的Type

对于文件,可以参考ls -Z的输出:

u:object_r:cgroup:s0           acct
u:object_r:rootfs:s0           bugreports
u:object_r:cache_file:s0       cache
u:object_r:rootfs:s0           charger
u:object_r:configfs:s0         config

u:object_r:rootfs:s0就是一个文件的标签。是不是和进程的非常类似?

  • u: 代表创建这个文件的SELinux user ID。注意是SELinux定义的用户,并不直接对应Linux的用户系统,两者有一个映射关系
  • object_r: 是这个文件的role,所有的文件的role都是object_r
  • rootfs: 就是这个文件的Type
  • s0: 和进程一样,这个也是安全级别,用于MLS的

如何关联这两个Type?

当每一个进程和每一个文件有了Type之后,SELinux就可以匹配两者之间的Type来鉴权。具体的做法,也就是policy文件做的事情——定义规则。下面是一个规则的例子:

allow netd proc:file write

翻译成人类语言就是:允许netd类型的process,使用(访问)type为proc,class为file的文件的write操作。

  • allow是定义规则的动词,类似的还有allowaudit、dontaudit、neverallow等。
  • netd是进程的Type
  • proc是文件的Type
  • file是文件的class,因为不同class的文件有不同的操作类型,例如socket文件和普通文件肯定不同,设备文件和普通文件也一定不同等等。class同policy语言的其他类型一样,也可以在文件中定义,其使用的关键字就是class
  • write是该规则涉及的权限集(PermSet),它可以不只一个,如果是多个权限,则用大括号包起来

总结

所以,整个TE的核心就是,定义一组进程Type和文件Type,以及一组class和class permset,然后用规则文件将它们关联起来

另外值得注意的是,TEAC是一种白名单机制,只有策略文件描述的权限才会生效,否则默认是没有对应的权限。
那么问题来了,既然是白名单机制,那么neverallow有啥用?
neverallow的作用是为了验证allow定义的规则是否完备,当你按照allow的补集定义neverallow规则时,发生了权限错误,那么可以肯定的是allow规则定义出了问题。

RBAC

RBAC = Role Based Access Control, 是对TE的一种补充。准确的说,是在TE之上提供了一层约束,增强了策略文件定义的可操作性,同时提供了Linux系统用户的权限约束实现。

SELinux 并不直接建立用户和 domain 之间的联系,而是通过角色作为桥梁。此举好处如下:

  1. 降低 policy 复杂度:可能有上百个用户和上千种 domain/type,但是不同用户所扮演的不同角色只有 有限几个;role 作为 user 和 type 之间的“中间层”,便于限制 user 的能力; 2. 给不同用户赋予不同的优先级:用户通过扮演某种角色才能获得那种角色的能力。特权角色只能由特 权用户来扮演;[4]

翻译一下,我的理解是:
我们知道TE是SELinux MAC的核心,TE通过比对object type和process type来决定process是否有权限使用这个object。一条TE规则绑定了这两者。假如系统有M个Process,N个Object,那是不是系统的规则数就是M*N个?(M和N可能是很大的数哦)
答案是:规则数并不等于M*N。否则策略文件要写的累死。
解决的方法就是定义role,一个role就对应了若干个type,在策略文件中通过role关键字完成role和type的绑定,例如:

role user_r types user_t;
role user_r types passwd_t;

user_r这个role一下对应了两个type,分别是user_t和passwd_t

user joe roles { user_r };

这条语句就绑定了user joe和role user_r。那么当joe是user_r role的时候,就具备了user_t和passwd_t的标签,那么joe就能访问定义了user_t和passwd_t的TE规则,所指定的资源(object)。

角色是一套Type(进程的Type又称为域Domain)类型的集合

知道了这层关系,那么就可以理解role的操作,包括:

  • 角色转换role_transition
  • 角色控制role_dominance

用户与角色

SELinux有一套用户系统,Linux系统也有一套用户系统。它们之间有什么关系?首先可以确定的是,它们不是直接等价的。例如, 以root用户启动Browser,那么Browser就有root用户的权限,在Linux系统上能干任何事情。而root在SELinux中可能就是一个没权限,没地位,打打酱油的”路人甲“。当然,这一切都由SELinux安全策略的制定者来决定。
SELinux用户和Linux系统用户的映射关系可以通过semanage工具来查看:

[root@zion ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

当一个普通用户登录时,其映射到SELinux过程可以参考文献[5]的介绍。大致流程如下:

PHN2ZyBpZD0iZDgwbjNhbDAweHkiIHdpZHRoPSIxMDAlIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHN0eWxlPSJtYXgtd2lkdGg6IDQ2Mi42Nzk2ODc1cHg7IiB2aWV3Qm94PSIwIDAgNDYyLjY3OTY4NzUgNTYzLjk5Mzc0Mzg5NjQ4NDQiPjxzdHlsZT4KCgojZDgwbjNhbDAweHkgLmxhYmVsIHsKICBmb250LWZhbWlseTogJ3RyZWJ1Y2hldCBtcycsIHZlcmRhbmEsIGFyaWFsOwogIGNvbG9yOiAjMzMzOyB9CgojZDgwbjNhbDAweHkgLm5vZGUgcmVjdCwKI2Q4MG4zYWwwMHh5IC5ub2RlIGNpcmNsZSwKI2Q4MG4zYWwwMHh5IC5ub2RlIGVsbGlwc2UsCiNkODBuM2FsMDB4eSAubm9kZSBwb2x5Z29uIHsKICBmaWxsOiAjRUNFQ0ZGOwogIHN0cm9rZTogIzkzNzBEQjsKICBzdHJva2Utd2lkdGg6IDFweDsgfQoKI2Q4MG4zYWwwMHh5IC5ub2RlLmNsaWNrYWJsZSB7CiAgY3Vyc29yOiBwb2ludGVyOyB9CgojZDgwbjNhbDAweHkgLmFycm93aGVhZFBhdGggewogIGZpbGw6ICMzMzMzMzM7IH0KCiNkODBuM2FsMDB4eSAuZWRnZVBhdGggLnBhdGggewogIHN0cm9rZTogIzMzMzMzMzsKICBzdHJva2Utd2lkdGg6IDEuNXB4OyB9CgojZDgwbjNhbDAweHkgLmVkZ2VMYWJlbCB7CiAgYmFja2dyb3VuZC1jb2xvcjogI2U4ZThlODsgfQoKI2Q4MG4zYWwwMHh5IC5jbHVzdGVyIHJlY3QgewogIGZpbGw6ICNmZmZmZGUgIWltcG9ydGFudDsKICBzdHJva2U6ICNhYWFhMzMgIWltcG9ydGFudDsKICBzdHJva2Utd2lkdGg6IDFweCAhaW1wb3J0YW50OyB9CgojZDgwbjNhbDAweHkgLmNsdXN0ZXIgdGV4dCB7CiAgZmlsbDogIzMzMzsgfQoKI2Q4MG4zYWwwMHh5IGRpdi5tZXJtYWlkVG9vbHRpcCB7CiAgcG9zaXRpb246IGFic29sdXRlOwogIHRleHQtYWxpZ246IGNlbnRlcjsKICBtYXgtd2lkdGg6IDIwMHB4OwogIHBhZGRpbmc6IDJweDsKICBmb250LWZhbWlseTogJ3RyZWJ1Y2hldCBtcycsIHZlcmRhbmEsIGFyaWFsOwogIGZvbnQtc2l6ZTogMTJweDsKICBiYWNrZ3JvdW5kOiAjZmZmZmRlOwogIGJvcmRlcjogMXB4IHNvbGlkICNhYWFhMzM7CiAgYm9yZGVyLXJhZGl1czogMnB4OwogIHBvaW50ZXItZXZlbnRzOiBub25lOwogIHotaW5kZXg6IDEwMDsgfQoKI2Q4MG4zYWwwMHh5IC5hY3RvciB7CiAgc3Ryb2tlOiAjQ0NDQ0ZGOwogIGZpbGw6ICNFQ0VDRkY7IH0KCiNkODBuM2FsMDB4eSB0ZXh0LmFjdG9yIHsKICBmaWxsOiBibGFjazsKICBzdHJva2U6IG5vbmU7IH0KCiNkODBuM2FsMDB4eSAuYWN0b3ItbGluZSB7CiAgc3Ryb2tlOiBncmV5OyB9CgojZDgwbjNhbDAweHkgLm1lc3NhZ2VMaW5lMCB7CiAgc3Ryb2tlLXdpZHRoOiAxLjU7CiAgc3Ryb2tlLWRhc2hhcnJheTogJzIgMic7CiAgc3Ryb2tlOiAjMzMzOyB9CgojZDgwbjNhbDAweHkgLm1lc3NhZ2VMaW5lMSB7CiAgc3Ryb2tlLXdpZHRoOiAxLjU7CiAgc3Ryb2tlLWRhc2hhcnJheTogJzIgMic7CiAgc3Ryb2tlOiAjMzMzOyB9CgojZDgwbjNhbDAweHkgI2Fycm93aGVhZCB7CiAgZmlsbDogIzMzMzsgfQoKI2Q4MG4zYWwwMHh5ICNjcm9zc2hlYWQgcGF0aCB7CiAgZmlsbDogIzMzMyAhaW1wb3J0YW50OwogIHN0cm9rZTogIzMzMyAhaW1wb3J0YW50OyB9CgojZDgwbjNhbDAweHkgLm1lc3NhZ2VUZXh0IHsKICBmaWxsOiAjMzMzOwogIHN0cm9rZTogbm9uZTsgfQoKI2Q4MG4zYWwwMHh5IC5sYWJlbEJveCB7CiAgc3Ryb2tlOiAjQ0NDQ0ZGOwogIGZpbGw6ICNFQ0VDRkY7IH0KCiNkODBuM2FsMDB4eSAubGFiZWxUZXh0IHsKICBmaWxsOiBibGFjazsKICBzdHJva2U6IG5vbmU7IH0KCiNkODBuM2FsMDB4eSAubG9vcFRleHQgewogIGZpbGw6IGJsYWNrOwogIHN0cm9rZTogbm9uZTsgfQoKI2Q4MG4zYWwwMHh5IC5sb29wTGluZSB7CiAgc3Ryb2tlLXdpZHRoOiAyOwogIHN0cm9rZS1kYXNoYXJyYXk6ICcyIDInOwogIHN0cm9rZTogI0NDQ0NGRjsgfQoKI2Q4MG4zYWwwMHh5IC5ub3RlIHsKICBzdHJva2U6ICNhYWFhMzM7CiAgZmlsbDogI2ZmZjVhZDsgfQoKI2Q4MG4zYWwwMHh5IC5ub3RlVGV4dCB7CiAgZmlsbDogYmxhY2s7CiAgc3Ryb2tlOiBub25lOwogIGZvbnQtZmFtaWx5OiAndHJlYnVjaGV0IG1zJywgdmVyZGFuYSwgYXJpYWw7CiAgZm9udC1zaXplOiAxNHB4OyB9CgojZDgwbjNhbDAweHkgLmFjdGl2YXRpb24wIHsKICBmaWxsOiAjZjRmNGY0OwogIHN0cm9rZTogIzY2NjsgfQoKI2Q4MG4zYWwwMHh5IC5hY3RpdmF0aW9uMSB7CiAgZmlsbDogI2Y0ZjRmNDsKICBzdHJva2U6ICM2NjY7IH0KCiNkODBuM2FsMDB4eSAuYWN0aXZhdGlvbjIgewogIGZpbGw6ICNmNGY0ZjQ7CiAgc3Ryb2tlOiAjNjY2OyB9CgoKI2Q4MG4zYWwwMHh5IC5zZWN0aW9uIHsKICBzdHJva2U6IG5vbmU7CiAgb3BhY2l0eTogMC4yOyB9CgojZDgwbjNhbDAweHkgLnNlY3Rpb24wIHsKICBmaWxsOiByZ2JhKDEwMiwgMTAyLCAyNTUsIDAuNDkpOyB9CgojZDgwbjNhbDAweHkgLnNlY3Rpb24yIHsKICBmaWxsOiAjZmZmNDAwOyB9CgojZDgwbjNhbDAweHkgLnNlY3Rpb24xLAojZDgwbjNhbDAweHkgLnNlY3Rpb24zIHsKICBmaWxsOiB3aGl0ZTsKICBvcGFjaXR5OiAwLjI7IH0KCiNkODBuM2FsMDB4eSAuc2VjdGlvblRpdGxlMCB7CiAgZmlsbDogIzMzMzsgfQoKI2Q4MG4zYWwwMHh5IC5zZWN0aW9uVGl0bGUxIHsKICBmaWxsOiAjMzMzOyB9CgojZDgwbjNhbDAweHkgLnNlY3Rpb25UaXRsZTIgewogIGZpbGw6ICMzMzM7IH0KCiNkODBuM2FsMDB4eSAuc2VjdGlvblRpdGxlMyB7CiAgZmlsbDogIzMzMzsgfQoKI2Q4MG4zYWwwMHh5IC5zZWN0aW9uVGl0bGUgewogIHRleHQtYW5jaG9yOiBzdGFydDsKICBmb250LXNpemU6IDExcHg7CiAgdGV4dC1oZWlnaHQ6IDE0cHg7IH0KCgojZDgwbjNhbDAweHkgLmdyaWQgLnRpY2sgewogIHN0cm9rZTogbGlnaHRncmV5OwogIG9wYWNpdHk6IDAuMzsKICBzaGFwZS1yZW5kZXJpbmc6IGNyaXNwRWRnZXM7IH0KCiNkODBuM2FsMDB4eSAuZ3JpZCBwYXRoIHsKICBzdHJva2Utd2lkdGg6IDA7IH0KCgojZDgwbjNhbDAweHkgLnRvZGF5IHsKICBmaWxsOiBub25lOwogIHN0cm9rZTogcmVkOwogIHN0cm9rZS13aWR0aDogMnB4OyB9CgoKCiNkODBuM2FsMDB4eSAudGFzayB7CiAgc3Ryb2tlLXdpZHRoOiAyOyB9CgojZDgwbjNhbDAweHkgLnRhc2tUZXh0IHsKICB0ZXh0LWFuY2hvcjogbWlkZGxlOwogIGZvbnQtc2l6ZTogMTFweDsgfQoKI2Q4MG4zYWwwMHh5IC50YXNrVGV4dE91dHNpZGVSaWdodCB7CiAgZmlsbDogYmxhY2s7CiAgdGV4dC1hbmNob3I6IHN0YXJ0OwogIGZvbnQtc2l6ZTogMTFweDsgfQoKI2Q4MG4zYWwwMHh5IC50YXNrVGV4dE91dHNpZGVMZWZ0IHsKICBmaWxsOiBibGFjazsKICB0ZXh0LWFuY2hvcjogZW5kOwogIGZvbnQtc2l6ZTogMTFweDsgfQoKCiNkODBuM2FsMDB4eSAudGFza1RleHQwLAojZDgwbjNhbDAweHkgLnRhc2tUZXh0MSwKI2Q4MG4zYWwwMHh5IC50YXNrVGV4dDIsCiNkODBuM2FsMDB4eSAudGFza1RleHQzIHsKICBmaWxsOiB3aGl0ZTsgfQoKI2Q4MG4zYWwwMHh5IC50YXNrMCwKI2Q4MG4zYWwwMHh5IC50YXNrMSwKI2Q4MG4zYWwwMHh5IC50YXNrMiwKI2Q4MG4zYWwwMHh5IC50YXNrMyB7CiAgZmlsbDogIzhhOTBkZDsKICBzdHJva2U6ICM1MzRmYmM7IH0KCiNkODBuM2FsMDB4eSAudGFza1RleHRPdXRzaWRlMCwKI2Q4MG4zYWwwMHh5IC50YXNrVGV4dE91dHNpZGUyIHsKICBmaWxsOiBibGFjazsgfQoKI2Q4MG4zYWwwMHh5IC50YXNrVGV4dE91dHNpZGUxLAojZDgwbjNhbDAweHkgLnRhc2tUZXh0T3V0c2lkZTMgewogIGZpbGw6IGJsYWNrOyB9CgoKI2Q4MG4zYWwwMHh5IC5hY3RpdmUwLAojZDgwbjNhbDAweHkgLmFjdGl2ZTEsCiNkODBuM2FsMDB4eSAuYWN0aXZlMiwKI2Q4MG4zYWwwMHh5IC5hY3RpdmUzIHsKICBmaWxsOiAjYmZjN2ZmOwogIHN0cm9rZTogIzUzNGZiYzsgfQoKI2Q4MG4zYWwwMHh5IC5hY3RpdmVUZXh0MCwKI2Q4MG4zYWwwMHh5IC5hY3RpdmVUZXh0MSwKI2Q4MG4zYWwwMHh5IC5hY3RpdmVUZXh0MiwKI2Q4MG4zYWwwMHh5IC5hY3RpdmVUZXh0MyB7CiAgZmlsbDogYmxhY2sgIWltcG9ydGFudDsgfQoKCiNkODBuM2FsMDB4eSAuZG9uZTAsCiNkODBuM2FsMDB4eSAuZG9uZTEsCiNkODBuM2FsMDB4eSAuZG9uZTIsCiNkODBuM2FsMDB4eSAuZG9uZTMgewogIHN0cm9rZTogZ3JleTsKICBmaWxsOiBsaWdodGdyZXk7CiAgc3Ryb2tlLXdpZHRoOiAyOyB9CgojZDgwbjNhbDAweHkgLmRvbmVUZXh0MCwKI2Q4MG4zYWwwMHh5IC5kb25lVGV4dDEsCiNkODBuM2FsMDB4eSAuZG9uZVRleHQyLAojZDgwbjNhbDAweHkgLmRvbmVUZXh0MyB7CiAgZmlsbDogYmxhY2sgIWltcG9ydGFudDsgfQoKCiNkODBuM2FsMDB4eSAuY3JpdDAsCiNkODBuM2FsMDB4eSAuY3JpdDEsCiNkODBuM2FsMDB4eSAuY3JpdDIsCiNkODBuM2FsMDB4eSAuY3JpdDMgewogIHN0cm9rZTogI2ZmODg4ODsKICBmaWxsOiByZWQ7CiAgc3Ryb2tlLXdpZHRoOiAyOyB9CgojZDgwbjNhbDAweHkgLmFjdGl2ZUNyaXQwLAojZDgwbjNhbDAweHkgLmFjdGl2ZUNyaXQxLAojZDgwbjNhbDAweHkgLmFjdGl2ZUNyaXQyLAojZDgwbjNhbDAweHkgLmFjdGl2ZUNyaXQzIHsKICBzdHJva2U6ICNmZjg4ODg7CiAgZmlsbDogI2JmYzdmZjsKICBzdHJva2Utd2lkdGg6IDI7IH0KCiNkODBuM2FsMDB4eSAuZG9uZUNyaXQwLAojZDgwbjNhbDAweHkgLmRvbmVDcml0MSwKI2Q4MG4zYWwwMHh5IC5kb25lQ3JpdDIsCiNkODBuM2FsMDB4eSAuZG9uZUNyaXQzIHsKICBzdHJva2U6ICNmZjg4ODg7CiAgZmlsbDogbGlnaHRncmV5OwogIHN0cm9rZS13aWR0aDogMjsKICBjdXJzb3I6IHBvaW50ZXI7CiAgc2hhcGUtcmVuZGVyaW5nOiBjcmlzcEVkZ2VzOyB9CgojZDgwbjNhbDAweHkgLmRvbmVDcml0VGV4dDAsCiNkODBuM2FsMDB4eSAuZG9uZUNyaXRUZXh0MSwKI2Q4MG4zYWwwMHh5IC5kb25lQ3JpdFRleHQyLAojZDgwbjNhbDAweHkgLmRvbmVDcml0VGV4dDMgewogIGZpbGw6IGJsYWNrICFpbXBvcnRhbnQ7IH0KCiNkODBuM2FsMDB4eSAuYWN0aXZlQ3JpdFRleHQwLAojZDgwbjNhbDAweHkgLmFjdGl2ZUNyaXRUZXh0MSwKI2Q4MG4zYWwwMHh5IC5hY3RpdmVDcml0VGV4dDIsCiNkODBuM2FsMDB4eSAuYWN0aXZlQ3JpdFRleHQzIHsKICBmaWxsOiBibGFjayAhaW1wb3J0YW50OyB9CgojZDgwbjNhbDAweHkgLnRpdGxlVGV4dCB7CiAgdGV4dC1hbmNob3I6IG1pZGRsZTsKICBmb250LXNpemU6IDE4cHg7CiAgZmlsbDogYmxhY2s7IH0KCiNkODBuM2FsMDB4eSBnLmNsYXNzR3JvdXAgdGV4dCB7CiAgZmlsbDogIzkzNzBEQjsKICBzdHJva2U6IG5vbmU7CiAgZm9udC1mYW1pbHk6ICd0cmVidWNoZXQgbXMnLCB2ZXJkYW5hLCBhcmlhbDsKICBmb250LXNpemU6IDEwcHg7IH0KCiNkODBuM2FsMDB4eSBnLmNsYXNzR3JvdXAgcmVjdCB7CiAgZmlsbDogI0VDRUNGRjsKICBzdHJva2U6ICM5MzcwREI7IH0KCiNkODBuM2FsMDB4eSBnLmNsYXNzR3JvdXAgbGluZSB7CiAgc3Ryb2tlOiAjOTM3MERCOwogIHN0cm9rZS13aWR0aDogMTsgfQoKI2Q4MG4zYWwwMHh5IC5jbGFzc0xhYmVsIC5ib3ggewogIHN0cm9rZTogbm9uZTsKICBzdHJva2Utd2lkdGg6IDA7CiAgZmlsbDogI0VDRUNGRjsKICBvcGFjaXR5OiAwLjU7IH0KCiNkODBuM2FsMDB4eSAuY2xhc3NMYWJlbCAubGFiZWwgewogIGZpbGw6ICM5MzcwREI7CiAgZm9udC1zaXplOiAxMHB4OyB9CgojZDgwbjNhbDAweHkgLnJlbGF0aW9uIHsKICBzdHJva2U6ICM5MzcwREI7CiAgc3Ryb2tlLXdpZHRoOiAxOwogIGZpbGw6IG5vbmU7IH0KCiNkODBuM2FsMDB4eSAjY29tcG9zaXRpb25TdGFydCB7CiAgZmlsbDogIzkzNzBEQjsKICBzdHJva2U6ICM5MzcwREI7CiAgc3Ryb2tlLXdpZHRoOiAxOyB9CgojZDgwbjNhbDAweHkgI2NvbXBvc2l0aW9uRW5kIHsKICBmaWxsOiAjOTM3MERCOwogIHN0cm9rZTogIzkzNzBEQjsKICBzdHJva2Utd2lkdGg6IDE7IH0KCiNkODBuM2FsMDB4eSAjYWdncmVnYXRpb25TdGFydCB7CiAgZmlsbDogI0VDRUNGRjsKICBzdHJva2U6ICM5MzcwREI7CiAgc3Ryb2tlLXdpZHRoOiAxOyB9CgojZDgwbjNhbDAweHkgI2FnZ3JlZ2F0aW9uRW5kIHsKICBmaWxsOiAjRUNFQ0ZGOwogIHN0cm9rZTogIzkzNzBEQjsKICBzdHJva2Utd2lkdGg6IDE7IH0KCiNkODBuM2FsMDB4eSAjZGVwZW5kZW5jeVN0YXJ0IHsKICBmaWxsOiAjOTM3MERCOwogIHN0cm9rZTogIzkzNzBEQjsKICBzdHJva2Utd2lkdGg6IDE7IH0KCiNkODBuM2FsMDB4eSAjZGVwZW5kZW5jeUVuZCB7CiAgZmlsbDogIzkzNzBEQjsKICBzdHJva2U6ICM5MzcwREI7CiAgc3Ryb2tlLXdpZHRoOiAxOyB9CgojZDgwbjNhbDAweHkgI2V4dGVuc2lvblN0YXJ0IHsKICBmaWxsOiAjOTM3MERCOwogIHN0cm9rZTogIzkzNzBEQjsKICBzdHJva2Utd2lkdGg6IDE7IH0KCiNkODBuM2FsMDB4eSAjZXh0ZW5zaW9uRW5kIHsKICBmaWxsOiAjOTM3MERCOwogIHN0cm9rZTogIzkzNzBEQjsKICBzdHJva2Utd2lkdGg6IDE7IH0KCiNkODBuM2FsMDB4eSAuY29tbWl0LWlkLAojZDgwbjNhbDAweHkgLmNvbW1pdC1tc2csCiNkODBuM2FsMDB4eSAuYnJhbmNoLWxhYmVsIHsKICBmaWxsOiBsaWdodGdyZXk7CiAgY29sb3I6IGxpZ2h0Z3JleTsgfQoKCgojZDgwbjNhbDAweHkgLmxhYmVsewogIGNvbG9yOiMxOEIxNEU7Cn0KI2Q4MG4zYWwwMHh5IC50ZS1tZC1jb250YWluZXItLWRhcmsgLm5vZGUgcmVjdCB7CiAgZmlsbDogcmVkOwp9CgojZDgwbjNhbDAweHkgLm5vZGUgcmVjdCwKI2Q4MG4zYWwwMHh5IC5ub2RlIGNpcmNsZSwKI2Q4MG4zYWwwMHh5IC5ub2RlIGVsbGlwc2UsCiNkODBuM2FsMDB4eSAubm9kZSBwb2x5Z29uIHsKICBmaWxsOiAjRjlGRkZCOzsKICBzdHJva2U6ICMyREJENjA7CiAgc3Ryb2tlLXdpZHRoOiAxLjVweDsKfQojZDgwbjNhbDAweHkgLmFycm93aGVhZFBhdGh7CiAgZmlsbDogIzJEQkQ2MDsKfQojZDgwbjNhbDAweHkgLmVkZ2VQYXRoIC5wYXRoIHsKICBzdHJva2U6ICMyREJENjA7CiAgc3Ryb2tlLXdpZHRoOiAxcHg7Cn0KI2Q4MG4zYWwwMHh5IC5lZGdlTGFiZWwgewogIGJhY2tncm91bmQtY29sb3I6ICNmZmY7Cn0KI2Q4MG4zYWwwMHh5IC5jbHVzdGVyIHJlY3QgewogIGZpbGw6ICNGOUZGRkIgIWltcG9ydGFudDsKICBzdHJva2U6ICMyREJENjAgIWltcG9ydGFudDsKICBzdHJva2Utd2lkdGg6IDFweCAhaW1wb3J0YW50Owp9CgojZDgwbjNhbDAweHkgLmNsdXN0ZXIgdGV4dCB7CiAgZmlsbDogI0Y5RkZGQjsKfQoKI2Q4MG4zYWwwMHh5IGRpdi5tZXJtYWlkVG9vbHRpcCB7CiAgYmFja2dyb3VuZDogI0Y5RkZGQjsKICBib3JkZXI6IDFweCBzb2xpZCAjMkRCRDYwOwp9CgoKI2Q4MG4zYWwwMHh5IC5hY3RvciB7CiAgc3Ryb2tlOiAjMkRCRDYwOwogIGZpbGw6ICNGOUZGRkI7Cn0KCiNkODBuM2FsMDB4eSB0ZXh0LmFjdG9yIHsKICBmaWxsOiAjMkRCRDYwOwogIHN0cm9rZTogbm9uZTsKfQoKI2Q4MG4zYWwwMHh5IC5hY3Rvci1saW5lIHsKICBzdHJva2U6ICMyREJENjA7Cn0KCiNkODBuM2FsMDB4eSAubWVzc2FnZUxpbmUwIHsKICBzdHJva2Utd2lkdGg6IDEuNTsKICBzdHJva2UtZGFzaGFycmF5OiAnMiAyJzsKICBtYXJrZXItZW5kOiAndXJsKCNhcnJvd2hlYWQpJzsKICBzdHJva2U6ICMyREJENjA7Cn0KCiNkODBuM2FsMDB4eSAubWVzc2FnZUxpbmUxIHsKICBzdHJva2Utd2lkdGg6IDEuNTsKICBzdHJva2UtZGFzaGFycmF5OiAnMiAyJzsKICBzdHJva2U6ICMyREJENjA7Cn0KCiNkODBuM2FsMDB4eSAjYXJyb3doZWFkIHsKICBmaWxsOiAjMkRCRDYwOwp9CgojZDgwbjNhbDAweHkgI2Nyb3NzaGVhZCBwYXRoIHsKICBmaWxsOiAjMkRCRDYwICFpbXBvcnRhbnQ7CiAgc3Ryb2tlOiAjMkRCRDYwICFpbXBvcnRhbnQ7Cn0KCiNkODBuM2FsMDB4eSAubWVzc2FnZVRleHQgewogIGZpbGw6ICMyREJENjA7CiAgc3Ryb2tlOiBub25lOwp9CgojZDgwbjNhbDAweHkgLmxhYmVsQm94IHsKICBzdHJva2U6ICMyREJENjA7CiAgZmlsbDogI0Y5RkZGQjsKfQoKI2Q4MG4zYWwwMHh5IC5sYWJlbFRleHQgewogIGZpbGw6ICMyREJENjA7CiAgc3Ryb2tlOiAjMkRCRDYwOwp9CgojZDgwbjNhbDAweHkgLmxvb3BUZXh0IHsKICBmaWxsOiAjMkRCRDYwOwogIHN0cm9rZTogIzJEQkQ2MDsKfQoKI2Q4MG4zYWwwMHh5IC5sb29wTGluZSB7CiAgc3Ryb2tlLXdpZHRoOiAyOwogIHN0cm9rZS1kYXNoYXJyYXk6ICcyIDInOwogIG1hcmtlci1lbmQ6ICd1cmwoI2Fycm93aGVhZCknOwogIHN0cm9rZTogIzJEQkQ2MDsKfQoKI2Q4MG4zYWwwMHh5IC5ub3RlIHsKICBzdHJva2U6ICMyREJENjA7CiAgZmlsbDogI0Y5RkZGQjsKfQoKI2Q4MG4zYWwwMHh5IC5ub3RlVGV4dCB7CiAgZmlsbDogIzJEQkQ2MDsKICBzdHJva2U6ICMyREJENjA7Cn0KCgojZDgwbjNhbDAweHkgLnNlY3Rpb257CiAgb3BhY2l0eToxOwp9CiNkODBuM2FsMDB4eSAuc2VjdGlvbjAsI2Q4MG4zYWwwMHh5ICAuc2VjdGlvbjIgewogIGZpbGw6ICNFQ0Y3RjA7Cn0KCiNkODBuM2FsMDB4eSAuc2VjdGlvbjEsCiNkODBuM2FsMDB4eSAuc2VjdGlvbjMgewogIGZpbGw6ICNGRkY7Cn0KI2Q4MG4zYWwwMHh5IC50YXNrVGV4dDAsCiNkODBuM2FsMDB4eSAudGFza1RleHQxLAojZDgwbjNhbDAweHkgLnRhc2tUZXh0MiwKI2Q4MG4zYWwwMHh5IC50YXNrVGV4dDMgewogIGZpbGw6ICNmZmY7Cn0KCiNkODBuM2FsMDB4eSAudGFzazAsCiNkODBuM2FsMDB4eSAudGFzazEsCiNkODBuM2FsMDB4eSAudGFzazIsCiNkODBuM2FsMDB4eSAudGFzazMgewogIGZpbGw6ICMyREJENjA7CiAgc3Ryb2tlOiAjMzU5RjVBOwp9Cjwvc3R5bGU+PHN0eWxlPiNkODBuM2FsMDB4eSB7CiAgICBjb2xvcjogcmdiKDI0NCwgMjQ0LCAyNDQpOwogICAgZm9udDogbm9ybWFsIG5vcm1hbCBub3JtYWwgbm9ybWFsIDE0cHgvMjIuMzk5OTk5NjE4NTMwMjczcHggbW9ub3NwYWNlOwogIH08L3N0eWxlPjxnIHRyYW5zZm9ybT0idHJhbnNsYXRlKC0xMiwgLTEyKSI+PGcgY2xhc3M9Im91dHB1dCI+PGcgY2xhc3M9ImNsdXN0ZXJzIj48L2c+PGcgY2xhc3M9ImVkZ2VQYXRocyI+PGcgY2xhc3M9ImVkZ2VQYXRoIiBzdHlsZT0ib3BhY2l0eTogMTsiPjxwYXRoIGNsYXNzPSJwYXRoIiBkPSJNMjU5Ljc4MTI1LDU2LjI4MTI1TDI1OS43ODEyNSw4MS4yODEyNUwyNjAuMjgxMjUsMTA2Ljc4MTI1MzA1MTc1Nzg3IiBtYXJrZXItZW5kPSJ1cmwoI2Fycm93aGVhZDgzNCkiIHN0eWxlPSJzdHJva2U6ICMzMzM7IHN0cm9rZS13aWR0aDogMS41cHg7ZmlsbDpub25lIj48L3BhdGg+PGRlZnM+PG1hcmtlciBpZD0iYXJyb3doZWFkODM0IiB2aWV3Qm94PSIwIDAgMTAgMTAiIHJlZlg9IjkiIHJlZlk9IjUiIG1hcmtlclVuaXRzPSJzdHJva2VXaWR0aCIgbWFya2VyV2lkdGg9IjgiIG1hcmtlckhlaWdodD0iNiIgb3JpZW50PSJhdXRvIj48cGF0aCBkPSJNIDAgMCBMIDEwIDUgTCAwIDEwIHoiIGNsYXNzPSJhcnJvd2hlYWRQYXRoIiBzdHlsZT0ic3Ryb2tlLXdpZHRoOiAxcHg7IHN0cm9rZS1kYXNoYXJyYXk6IDFweCwgMHB4OyI+PC9wYXRoPjwvbWFya2VyPjwvZGVmcz48L2c+PGcgY2xhc3M9ImVkZ2VQYXRoIiBzdHlsZT0ib3BhY2l0eTogMTsiPjxwYXRoIGNsYXNzPSJwYXRoIiBkPSJNMjA1LjkxNzEyMTU1OTc2NzA1LDMyNS4yODU4Njg1MDgwMDkzTDE0Ny40NTMxMjUsNDEyLjI5MDYxODg5NjQ4NDRMMTQ3LjQ1MzEyNSw0NDUuNDMxMjQzODk2NDg0NCIgbWFya2VyLWVuZD0idXJsKCNhcnJvd2hlYWQ4MzUpIiBzdHlsZT0ic3Ryb2tlOiAjMzMzOyBzdHJva2Utd2lkdGg6IDEuNXB4O2ZpbGw6bm9uZSI+PC9wYXRoPjxkZWZzPjxtYXJrZXIgaWQ9ImFycm93aGVhZDgzNSIgdmlld0JveD0iMCAwIDEwIDEwIiByZWZYPSI5IiByZWZZPSI1IiBtYXJrZXJVbml0cz0ic3Ryb2tlV2lkdGgiIG1hcmtlcldpZHRoPSI4IiBtYXJrZXJIZWlnaHQ9IjYiIG9yaWVudD0iYXV0byI+PHBhdGggZD0iTSAwIDAgTCAxMCA1IEwgMCAxMCB6IiBjbGFzcz0iYXJyb3doZWFkUGF0aCIgc3R5bGU9InN0cm9rZS13aWR0aDogMXB4OyBzdHJva2UtZGFzaGFycmF5OiAxcHgsIDBweDsiPjwvcGF0aD48L21hcmtlcj48L2RlZnM+PC9nPjxnIGNsYXNzPSJlZGdlUGF0aCIgc3R5bGU9Im9wYWNpdHk6IDE7Ij48cGF0aCBjbGFzcz0icGF0aCIgZD0iTTMxNC42NDUzODA4NzIyNjE1NywzMjUuMjg1ODcyMTc5NDk2MjdMMzcyLjEwOTM3NSw0MTIuMjkwNjE4ODk2NDg0NEwzNzIuMTA5Mzc1LDQ0NS40MzEyNDM4OTY0ODQ0IiBtYXJrZXItZW5kPSJ1cmwoI2Fycm93aGVhZDgzNikiIHN0eWxlPSJzdHJva2U6ICMzMzM7IHN0cm9rZS13aWR0aDogMS41cHg7ZmlsbDpub25lIj48L3BhdGg+PGRlZnM+PG1hcmtlciBpZD0iYXJyb3doZWFkODM2IiB2aWV3Qm94PSIwIDAgMTAgMTAiIHJlZlg9IjkiIHJlZlk9IjUiIG1hcmtlclVuaXRzPSJzdHJva2VXaWR0aCIgbWFya2VyV2lkdGg9IjgiIG1hcmtlckhlaWdodD0iNiIgb3JpZW50PSJhdXRvIj48cGF0aCBkPSJNIDAgMCBMIDEwIDUgTCAwIDEwIHoiIGNsYXNzPSJhcnJvd2hlYWRQYXRoIiBzdHlsZT0ic3Ryb2tlLXdpZHRoOiAxcHg7IHN0cm9rZS1kYXNoYXJyYXk6IDFweCwgMHB4OyI+PC9wYXRoPjwvbWFya2VyPjwvZGVmcz48L2c+PGcgY2xhc3M9ImVkZ2VQYXRoIiBzdHlsZT0ib3BhY2l0eTogMTsiPjxwYXRoIGNsYXNzPSJwYXRoIiBkPSJNMTQ3LjQ1MzEyNSw0ODEuNzEyNDkzODk2NDg0NEwxNDcuNDUzMTI1LDUwNi43MTI0OTM4OTY0ODQ0TDE0Ny40NTMxMjUsNTMxLjcxMjQ5Mzg5NjQ4NDQiIG1hcmtlci1lbmQ9InVybCgjYXJyb3doZWFkODM3KSIgc3R5bGU9InN0cm9rZTogIzMzMzsgc3Ryb2tlLXdpZHRoOiAxLjVweDtmaWxsOm5vbmUiPjwvcGF0aD48ZGVmcz48bWFya2VyIGlkPSJhcnJvd2hlYWQ4MzciIHZpZXdCb3g9IjAgMCAxMCAxMCIgcmVmWD0iOSIgcmVmWT0iNSIgbWFya2VyVW5pdHM9InN0cm9rZVdpZHRoIiBtYXJrZXJXaWR0aD0iOCIgbWFya2VySGVpZ2h0PSI2IiBvcmllbnQ9ImF1dG8iPjxwYXRoIGQ9Ik0gMCAwIEwgMTAgNSBMIDAgMTAgeiIgY2xhc3M9ImFycm93aGVhZFBhdGgiIHN0eWxlPSJzdHJva2Utd2lkdGg6IDFweDsgc3Ryb2tlLWRhc2hhcnJheTogMXB4LCAwcHg7Ij48L3BhdGg+PC9tYXJrZXI+PC9kZWZzPjwvZz48L2c+PGcgY2xhc3M9ImVkZ2VMYWJlbHMiPjxnIGNsYXNzPSJlZGdlTGFiZWwiIHRyYW5zZm9ybT0iIiBzdHlsZT0ib3BhY2l0eTogMTsiPjxnIHRyYW5zZm9ybT0idHJhbnNsYXRlKDAsMCkiIGNsYXNzPSJsYWJlbCI+PHJlY3Qgcng9IjAiIHJ5PSIwIiB3aWR0aD0iMCIgaGVpZ2h0PSIwIiBzdHlsZT0iZmlsbDojZThlOGU4OyI+PC9yZWN0Pjx0ZXh0Pjx0c3BhbiB4bWw6c3BhY2U9InByZXNlcnZlIiBkeT0iMWVtIiB4PSIxIj48L3RzcGFuPjwvdGV4dD48L2c+PC9nPjxnIGNsYXNzPSJlZGdlTGFiZWwiIHRyYW5zZm9ybT0idHJhbnNsYXRlKDE0Ny40NTMxMjUsNDEyLjI5MDYxODg5NjQ4NDQpIiBzdHlsZT0ib3BhY2l0eTogMTsiPjxnIHRyYW5zZm9ybT0idHJhbnNsYXRlKC00LjIwMzEyNSwtOC4wMDc4MTI1KSIgY2xhc3M9ImxhYmVsIj48cmVjdCByeD0iMCIgcnk9IjAiIHdpZHRoPSI4LjkzNzUiIGhlaWdodD0iMTYuMjgxMjUiIHN0eWxlPSJmaWxsOiNlOGU4ZTg7Ij48L3JlY3Q+PHRleHQ+PHRzcGFuIHhtbDpzcGFjZT0icHJlc2VydmUiIGR5PSIxZW0iIHg9IjEiPk48L3RzcGFuPjwvdGV4dD48L2c+PC9nPjxnIGNsYXNzPSJlZGdlTGFiZWwiIHRyYW5zZm9ybT0idHJhbnNsYXRlKDM3Mi4xMDkzNzUsNDEyLjI5MDYxODg5NjQ4NDQpIiBzdHlsZT0ib3BhY2l0eTogMTsiPjxnIHRyYW5zZm9ybT0idHJhbnNsYXRlKC00LjIwMzEyNSwtOC4wMDc4MTI1KSIgY2xhc3M9ImxhYmVsIj48cmVjdCByeD0iMCIgcnk9IjAiIHdpZHRoPSI4IiBoZWlnaHQ9IjE2LjI4MTI1IiBzdHlsZT0iZmlsbDojZThlOGU4OyI+PC9yZWN0Pjx0ZXh0Pjx0c3BhbiB4bWw6c3BhY2U9InByZXNlcnZlIiBkeT0iMWVtIiB4PSIxIj5ZPC90c3Bhbj48L3RleHQ+PC9nPjwvZz48ZyBjbGFzcz0iZWRnZUxhYmVsIiB0cmFuc2Zvcm09IiIgc3R5bGU9Im9wYWNpdHk6IDE7Ij48ZyB0cmFuc2Zvcm09InRyYW5zbGF0ZSgwLDApIiBjbGFzcz0ibGFiZWwiPjxyZWN0IHJ4PSIwIiByeT0iMCIgd2lkdGg9IjAiIGhlaWdodD0iMCIgc3R5bGU9ImZpbGw6I2U4ZThlODsiPjwvcmVjdD48dGV4dD48dHNwYW4geG1sOnNwYWNlPSJwcmVzZXJ2ZSIgZHk9IjFlbSIgeD0iMSI+PC90c3Bhbj48L3RleHQ+PC9nPjwvZz48L2c+PGcgY2xhc3M9Im5vZGVzIj48ZyBjbGFzcz0ibm9kZSIgaWQ9IkEiIHRyYW5zZm9ybT0idHJhbnNsYXRlKDI1OS43ODEyNSwzOC4xNDA2MjUpIiBzdHlsZT0ib3BhY2l0eTogMTsiPjxyZWN0IHJ4PSIwIiByeT0iMCIgeD0iLTY3LjIwMzEyNSIgeT0iLTE4LjE0MDYyNSIgd2lkdGg9IjEzNC40MDYyNSIgaGVpZ2h0PSIzNi4yODEyNSI+PC9yZWN0PjxnIGNsYXNzPSJsYWJlbCIgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoMCwwKSI+PGcgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoLTU3LjIwMzEyNSwtOC4xNDA2MjUpIj48dGV4dD48dHNwYW4geG1sOnNwYWNlPSJwcmVzZXJ2ZSIgZHk9IjFlbSIgeD0iMSI+TGludXjns7vnu5/nlKjmiLfnmbvlvZU8L3RzcGFuPjwvdGV4dD48L2c+PC9nPjwvZz48ZyBjbGFzcz0ibm9kZSIgaWQ9IkIiIHRyYW5zZm9ybT0idHJhbnNsYXRlKDI1OS43ODEyNSwyNDIuNzE1NjIxOTQ4MjQyMikiIHN0eWxlPSJvcGFjaXR5OiAxOyI+PHBvbHlnb24gcG9pbnRzPSIxMzYuNDM0Mzc1MDAwMDAwMDIsMCAyNzIuODY4NzUwMDAwMDAwMDMsLTEzNi40MzQzNzUwMDAwMDAwMiAxMzYuNDM0Mzc1MDAwMDAwMDIsLTI3Mi44Njg3NTAwMDAwMDAwMyAwLC0xMzYuNDM0Mzc1MDAwMDAwMDIiIHJ4PSI1IiByeT0iNSIgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoLTEzNi40MzQzNzUwMDAwMDAwMiwxMzYuNDM0Mzc1MDAwMDAwMDIpIj48L3BvbHlnb24+PGcgY2xhc3M9ImxhYmVsIiB0cmFuc2Zvcm09InRyYW5zbGF0ZSgwLDApIj48ZyB0cmFuc2Zvcm09InRyYW5zbGF0ZSgtMTIzLjQ1MzEyNSwtOC4xNDA2MjUpIj48dGV4dD48dHNwYW4geG1sOnNwYWNlPSJwcmVzZXJ2ZSIgZHk9IjFlbSIgeD0iMSI+57O757uf5paH5Lu25piv5ZCm5o+P6L+w5LqG55So5oi36Ze055qE5pig5bCE5YWz57O777yfPC90c3Bhbj48L3RleHQ+PC9nPjwvZz48L2c+PGcgY2xhc3M9Im5vZGUiIGlkPSJDIiB0cmFuc2Zvcm09InRyYW5zbGF0ZSgxNDcuNDUzMTI1LDQ2My41NzE4Njg4OTY0ODQ0KSIgc3R5bGU9Im9wYWNpdHk6IDE7Ij48cmVjdCByeD0iMCIgcnk9IjAiIHg9Ii04MC4wODU5Mzc1IiB5PSItMTguMTQwNjI1IiB3aWR0aD0iMTYwLjE3MTg3NSIgaGVpZ2h0PSIzNi4yODEyNSI+PC9yZWN0PjxnIGNsYXNzPSJsYWJlbCIgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoMCwwKSI+PGcgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoLTcwLjA4NTkzNzUsLTguMTQwNjI1KSI+PHRleHQ+PHRzcGFuIHhtbDpzcGFjZT0icHJlc2VydmUiIGR5PSIxZW0iIHg9IjEiPueUqOaIt+aYoOWwhOS4ul9fZGVmYXVsdF9fPC90c3Bhbj48L3RleHQ+PC9nPjwvZz48L2c+PGcgY2xhc3M9Im5vZGUiIGlkPSJEIiB0cmFuc2Zvcm09InRyYW5zbGF0ZSgzNzIuMTA5Mzc1LDQ2My41NzE4Njg4OTY0ODQ0KSIgc3R5bGU9Im9wYWNpdHk6IDE7Ij48cmVjdCByeD0iMCIgcnk9IjAiIHg9Ii05NC41NzAzMTI1IiB5PSItMTguMTQwNjI1IiB3aWR0aD0iMTg5LjE0MDYyNSIgaGVpZ2h0PSIzNi4yODEyNSI+PC9yZWN0PjxnIGNsYXNzPSJsYWJlbCIgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoMCwwKSI+PGcgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoLTg0LjU3MDMxMjUsLTguMTQwNjI1KSI+PHRleHQ+PHRzcGFuIHhtbDpzcGFjZT0icHJlc2VydmUiIGR5PSIxZW0iIHg9IjEiPueUqOaIt+ebtOaOpeaYoOWwhOWIsFNFTGludXjnlKjmiLc8L3RzcGFuPjwvdGV4dD48L2c+PC9nPjwvZz48ZyBjbGFzcz0ibm9kZSIgaWQ9IkUiIHRyYW5zZm9ybT0idHJhbnNsYXRlKDE0Ny40NTMxMjUsNTQ5Ljg1MzExODg5NjQ4NDQpIiBzdHlsZT0ib3BhY2l0eTogMTsiPjxyZWN0IHJ4PSIwIiByeT0iMCIgeD0iLTEyNy40NTMxMjUiIHk9Ii0xOC4xNDA2MjUiIHdpZHRoPSIyNTQuOTA2MjUiIGhlaWdodD0iMzYuMjgxMjUiPjwvcmVjdD48ZyBjbGFzcz0ibGFiZWwiIHRyYW5zZm9ybT0idHJhbnNsYXRlKDAsMCkiPjxnIHRyYW5zZm9ybT0idHJhbnNsYXRlKC0xMTcuNDUzMTI1LC04LjE0MDYyNSkiPjx0ZXh0Pjx0c3BhbiB4bWw6c3BhY2U9InByZXNlcnZlIiBkeT0iMWVtIiB4PSIxIj5fX2RlZmF1bHRfX+eUqOaIt+iiq+aYoOWwhOS4unVuY29uZmluZWRfdTwvdHNwYW4+PC90ZXh0PjwvZz48L2c+PC9nPjwvZz48L2c+PC9nPjwvc3ZnPg==

上面提到的系统文件为/etc/selinux/specified-policy/seusers
通过上面的流程也可以看出,SELinux的策略文件并没有专门定义有哪些SELinux用户,而是通过seusers文件中描述的映射关系来表明有哪些SELinux用户。用户再通过role映射到type,最后通过TE系统来确定权限关系。大致关系如下:

PHN2ZyBpZD0iZHE5cHNkaTVid2siIHdpZHRoPSIxMDAlIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHN0eWxlPSJtYXgtd2lkdGg6IDcxMi4wMzEyNXB4OyIgdmlld0JveD0iMCAwIDcxMi4wMzEyNSA1Mi4yODEyNSI+PHN0eWxlPgoKCiNkcTlwc2RpNWJ3ayAubGFiZWwgewogIGZvbnQtZmFtaWx5OiAndHJlYnVjaGV0IG1zJywgdmVyZGFuYSwgYXJpYWw7CiAgY29sb3I6ICMzMzM7IH0KCiNkcTlwc2RpNWJ3ayAubm9kZSByZWN0LAojZHE5cHNkaTVid2sgLm5vZGUgY2lyY2xlLAojZHE5cHNkaTVid2sgLm5vZGUgZWxsaXBzZSwKI2RxOXBzZGk1YndrIC5ub2RlIHBvbHlnb24gewogIGZpbGw6ICNFQ0VDRkY7CiAgc3Ryb2tlOiAjOTM3MERCOwogIHN0cm9rZS13aWR0aDogMXB4OyB9CgojZHE5cHNkaTVid2sgLm5vZGUuY2xpY2thYmxlIHsKICBjdXJzb3I6IHBvaW50ZXI7IH0KCiNkcTlwc2RpNWJ3ayAuYXJyb3doZWFkUGF0aCB7CiAgZmlsbDogIzMzMzMzMzsgfQoKI2RxOXBzZGk1YndrIC5lZGdlUGF0aCAucGF0aCB7CiAgc3Ryb2tlOiAjMzMzMzMzOwogIHN0cm9rZS13aWR0aDogMS41cHg7IH0KCiNkcTlwc2RpNWJ3ayAuZWRnZUxhYmVsIHsKICBiYWNrZ3JvdW5kLWNvbG9yOiAjZThlOGU4OyB9CgojZHE5cHNkaTVid2sgLmNsdXN0ZXIgcmVjdCB7CiAgZmlsbDogI2ZmZmZkZSAhaW1wb3J0YW50OwogIHN0cm9rZTogI2FhYWEzMyAhaW1wb3J0YW50OwogIHN0cm9rZS13aWR0aDogMXB4ICFpbXBvcnRhbnQ7IH0KCiNkcTlwc2RpNWJ3ayAuY2x1c3RlciB0ZXh0IHsKICBmaWxsOiAjMzMzOyB9CgojZHE5cHNkaTVid2sgZGl2Lm1lcm1haWRUb29sdGlwIHsKICBwb3NpdGlvbjogYWJzb2x1dGU7CiAgdGV4dC1hbGlnbjogY2VudGVyOwogIG1heC13aWR0aDogMjAwcHg7CiAgcGFkZGluZzogMnB4OwogIGZvbnQtZmFtaWx5OiAndHJlYnVjaGV0IG1zJywgdmVyZGFuYSwgYXJpYWw7CiAgZm9udC1zaXplOiAxMnB4OwogIGJhY2tncm91bmQ6ICNmZmZmZGU7CiAgYm9yZGVyOiAxcHggc29saWQgI2FhYWEzMzsKICBib3JkZXItcmFkaXVzOiAycHg7CiAgcG9pbnRlci1ldmVudHM6IG5vbmU7CiAgei1pbmRleDogMTAwOyB9CgojZHE5cHNkaTVid2sgLmFjdG9yIHsKICBzdHJva2U6ICNDQ0NDRkY7CiAgZmlsbDogI0VDRUNGRjsgfQoKI2RxOXBzZGk1YndrIHRleHQuYWN0b3IgewogIGZpbGw6IGJsYWNrOwogIHN0cm9rZTogbm9uZTsgfQoKI2RxOXBzZGk1YndrIC5hY3Rvci1saW5lIHsKICBzdHJva2U6IGdyZXk7IH0KCiNkcTlwc2RpNWJ3ayAubWVzc2FnZUxpbmUwIHsKICBzdHJva2Utd2lkdGg6IDEuNTsKICBzdHJva2UtZGFzaGFycmF5OiAnMiAyJzsKICBzdHJva2U6ICMzMzM7IH0KCiNkcTlwc2RpNWJ3ayAubWVzc2FnZUxpbmUxIHsKICBzdHJva2Utd2lkdGg6IDEuNTsKICBzdHJva2UtZGFzaGFycmF5OiAnMiAyJzsKICBzdHJva2U6ICMzMzM7IH0KCiNkcTlwc2RpNWJ3ayAjYXJyb3doZWFkIHsKICBmaWxsOiAjMzMzOyB9CgojZHE5cHNkaTVid2sgI2Nyb3NzaGVhZCBwYXRoIHsKICBmaWxsOiAjMzMzICFpbXBvcnRhbnQ7CiAgc3Ryb2tlOiAjMzMzICFpbXBvcnRhbnQ7IH0KCiNkcTlwc2RpNWJ3ayAubWVzc2FnZVRleHQgewogIGZpbGw6ICMzMzM7CiAgc3Ryb2tlOiBub25lOyB9CgojZHE5cHNkaTVid2sgLmxhYmVsQm94IHsKICBzdHJva2U6ICNDQ0NDRkY7CiAgZmlsbDogI0VDRUNGRjsgfQoKI2RxOXBzZGk1YndrIC5sYWJlbFRleHQgewogIGZpbGw6IGJsYWNrOwogIHN0cm9rZTogbm9uZTsgfQoKI2RxOXBzZGk1YndrIC5sb29wVGV4dCB7CiAgZmlsbDogYmxhY2s7CiAgc3Ryb2tlOiBub25lOyB9CgojZHE5cHNkaTVid2sgLmxvb3BMaW5lIHsKICBzdHJva2Utd2lkdGg6IDI7CiAgc3Ryb2tlLWRhc2hhcnJheTogJzIgMic7CiAgc3Ryb2tlOiAjQ0NDQ0ZGOyB9CgojZHE5cHNkaTVid2sgLm5vdGUgewogIHN0cm9rZTogI2FhYWEzMzsKICBmaWxsOiAjZmZmNWFkOyB9CgojZHE5cHNkaTVid2sgLm5vdGVUZXh0IHsKICBmaWxsOiBibGFjazsKICBzdHJva2U6IG5vbmU7CiAgZm9udC1mYW1pbHk6ICd0cmVidWNoZXQgbXMnLCB2ZXJkYW5hLCBhcmlhbDsKICBmb250LXNpemU6IDE0cHg7IH0KCiNkcTlwc2RpNWJ3ayAuYWN0aXZhdGlvbjAgewogIGZpbGw6ICNmNGY0ZjQ7CiAgc3Ryb2tlOiAjNjY2OyB9CgojZHE5cHNkaTVid2sgLmFjdGl2YXRpb24xIHsKICBmaWxsOiAjZjRmNGY0OwogIHN0cm9rZTogIzY2NjsgfQoKI2RxOXBzZGk1YndrIC5hY3RpdmF0aW9uMiB7CiAgZmlsbDogI2Y0ZjRmNDsKICBzdHJva2U6ICM2NjY7IH0KCgojZHE5cHNkaTVid2sgLnNlY3Rpb24gewogIHN0cm9rZTogbm9uZTsKICBvcGFjaXR5OiAwLjI7IH0KCiNkcTlwc2RpNWJ3ayAuc2VjdGlvbjAgewogIGZpbGw6IHJnYmEoMTAyLCAxMDIsIDI1NSwgMC40OSk7IH0KCiNkcTlwc2RpNWJ3ayAuc2VjdGlvbjIgewogIGZpbGw6ICNmZmY0MDA7IH0KCiNkcTlwc2RpNWJ3ayAuc2VjdGlvbjEsCiNkcTlwc2RpNWJ3ayAuc2VjdGlvbjMgewogIGZpbGw6IHdoaXRlOwogIG9wYWNpdHk6IDAuMjsgfQoKI2RxOXBzZGk1YndrIC5zZWN0aW9uVGl0bGUwIHsKICBmaWxsOiAjMzMzOyB9CgojZHE5cHNkaTVid2sgLnNlY3Rpb25UaXRsZTEgewogIGZpbGw6ICMzMzM7IH0KCiNkcTlwc2RpNWJ3ayAuc2VjdGlvblRpdGxlMiB7CiAgZmlsbDogIzMzMzsgfQoKI2RxOXBzZGk1YndrIC5zZWN0aW9uVGl0bGUzIHsKICBmaWxsOiAjMzMzOyB9CgojZHE5cHNkaTVid2sgLnNlY3Rpb25UaXRsZSB7CiAgdGV4dC1hbmNob3I6IHN0YXJ0OwogIGZvbnQtc2l6ZTogMTFweDsKICB0ZXh0LWhlaWdodDogMTRweDsgfQoKCiNkcTlwc2RpNWJ3ayAuZ3JpZCAudGljayB7CiAgc3Ryb2tlOiBsaWdodGdyZXk7CiAgb3BhY2l0eTogMC4zOwogIHNoYXBlLXJlbmRlcmluZzogY3Jpc3BFZGdlczsgfQoKI2RxOXBzZGk1YndrIC5ncmlkIHBhdGggewogIHN0cm9rZS13aWR0aDogMDsgfQoKCiNkcTlwc2RpNWJ3ayAudG9kYXkgewogIGZpbGw6IG5vbmU7CiAgc3Ryb2tlOiByZWQ7CiAgc3Ryb2tlLXdpZHRoOiAycHg7IH0KCgoKI2RxOXBzZGk1YndrIC50YXNrIHsKICBzdHJva2Utd2lkdGg6IDI7IH0KCiNkcTlwc2RpNWJ3ayAudGFza1RleHQgewogIHRleHQtYW5jaG9yOiBtaWRkbGU7CiAgZm9udC1zaXplOiAxMXB4OyB9CgojZHE5cHNkaTVid2sgLnRhc2tUZXh0T3V0c2lkZVJpZ2h0IHsKICBmaWxsOiBibGFjazsKICB0ZXh0LWFuY2hvcjogc3RhcnQ7CiAgZm9udC1zaXplOiAxMXB4OyB9CgojZHE5cHNkaTVid2sgLnRhc2tUZXh0T3V0c2lkZUxlZnQgewogIGZpbGw6IGJsYWNrOwogIHRleHQtYW5jaG9yOiBlbmQ7CiAgZm9udC1zaXplOiAxMXB4OyB9CgoKI2RxOXBzZGk1YndrIC50YXNrVGV4dDAsCiNkcTlwc2RpNWJ3ayAudGFza1RleHQxLAojZHE5cHNkaTVid2sgLnRhc2tUZXh0MiwKI2RxOXBzZGk1YndrIC50YXNrVGV4dDMgewogIGZpbGw6IHdoaXRlOyB9CgojZHE5cHNkaTVid2sgLnRhc2swLAojZHE5cHNkaTVid2sgLnRhc2sxLAojZHE5cHNkaTVid2sgLnRhc2syLAojZHE5cHNkaTVid2sgLnRhc2szIHsKICBmaWxsOiAjOGE5MGRkOwogIHN0cm9rZTogIzUzNGZiYzsgfQoKI2RxOXBzZGk1YndrIC50YXNrVGV4dE91dHNpZGUwLAojZHE5cHNkaTVid2sgLnRhc2tUZXh0T3V0c2lkZTIgewogIGZpbGw6IGJsYWNrOyB9CgojZHE5cHNkaTVid2sgLnRhc2tUZXh0T3V0c2lkZTEsCiNkcTlwc2RpNWJ3ayAudGFza1RleHRPdXRzaWRlMyB7CiAgZmlsbDogYmxhY2s7IH0KCgojZHE5cHNkaTVid2sgLmFjdGl2ZTAsCiNkcTlwc2RpNWJ3ayAuYWN0aXZlMSwKI2RxOXBzZGk1YndrIC5hY3RpdmUyLAojZHE5cHNkaTVid2sgLmFjdGl2ZTMgewogIGZpbGw6ICNiZmM3ZmY7CiAgc3Ryb2tlOiAjNTM0ZmJjOyB9CgojZHE5cHNkaTVid2sgLmFjdGl2ZVRleHQwLAojZHE5cHNkaTVid2sgLmFjdGl2ZVRleHQxLAojZHE5cHNkaTVid2sgLmFjdGl2ZVRleHQyLAojZHE5cHNkaTVid2sgLmFjdGl2ZVRleHQzIHsKICBmaWxsOiBibGFjayAhaW1wb3J0YW50OyB9CgoKI2RxOXBzZGk1YndrIC5kb25lMCwKI2RxOXBzZGk1YndrIC5kb25lMSwKI2RxOXBzZGk1YndrIC5kb25lMiwKI2RxOXBzZGk1YndrIC5kb25lMyB7CiAgc3Ryb2tlOiBncmV5OwogIGZpbGw6IGxpZ2h0Z3JleTsKICBzdHJva2Utd2lkdGg6IDI7IH0KCiNkcTlwc2RpNWJ3ayAuZG9uZVRleHQwLAojZHE5cHNkaTVid2sgLmRvbmVUZXh0MSwKI2RxOXBzZGk1YndrIC5kb25lVGV4dDIsCiNkcTlwc2RpNWJ3ayAuZG9uZVRleHQzIHsKICBmaWxsOiBibGFjayAhaW1wb3J0YW50OyB9CgoKI2RxOXBzZGk1YndrIC5jcml0MCwKI2RxOXBzZGk1YndrIC5jcml0MSwKI2RxOXBzZGk1YndrIC5jcml0MiwKI2RxOXBzZGk1YndrIC5jcml0MyB7CiAgc3Ryb2tlOiAjZmY4ODg4OwogIGZpbGw6IHJlZDsKICBzdHJva2Utd2lkdGg6IDI7IH0KCiNkcTlwc2RpNWJ3ayAuYWN0aXZlQ3JpdDAsCiNkcTlwc2RpNWJ3ayAuYWN0aXZlQ3JpdDEsCiNkcTlwc2RpNWJ3ayAuYWN0aXZlQ3JpdDIsCiNkcTlwc2RpNWJ3ayAuYWN0aXZlQ3JpdDMgewogIHN0cm9rZTogI2ZmODg4ODsKICBmaWxsOiAjYmZjN2ZmOwogIHN0cm9rZS13aWR0aDogMjsgfQoKI2RxOXBzZGk1YndrIC5kb25lQ3JpdDAsCiNkcTlwc2RpNWJ3ayAuZG9uZUNyaXQxLAojZHE5cHNkaTVid2sgLmRvbmVDcml0MiwKI2RxOXBzZGk1YndrIC5kb25lQ3JpdDMgewogIHN0cm9rZTogI2ZmODg4ODsKICBmaWxsOiBsaWdodGdyZXk7CiAgc3Ryb2tlLXdpZHRoOiAyOwogIGN1cnNvcjogcG9pbnRlcjsKICBzaGFwZS1yZW5kZXJpbmc6IGNyaXNwRWRnZXM7IH0KCiNkcTlwc2RpNWJ3ayAuZG9uZUNyaXRUZXh0MCwKI2RxOXBzZGk1YndrIC5kb25lQ3JpdFRleHQxLAojZHE5cHNkaTVid2sgLmRvbmVDcml0VGV4dDIsCiNkcTlwc2RpNWJ3ayAuZG9uZUNyaXRUZXh0MyB7CiAgZmlsbDogYmxhY2sgIWltcG9ydGFudDsgfQoKI2RxOXBzZGk1YndrIC5hY3RpdmVDcml0VGV4dDAsCiNkcTlwc2RpNWJ3ayAuYWN0aXZlQ3JpdFRleHQxLAojZHE5cHNkaTVid2sgLmFjdGl2ZUNyaXRUZXh0MiwKI2RxOXBzZGk1YndrIC5hY3RpdmVDcml0VGV4dDMgewogIGZpbGw6IGJsYWNrICFpbXBvcnRhbnQ7IH0KCiNkcTlwc2RpNWJ3ayAudGl0bGVUZXh0IHsKICB0ZXh0LWFuY2hvcjogbWlkZGxlOwogIGZvbnQtc2l6ZTogMThweDsKICBmaWxsOiBibGFjazsgfQoKI2RxOXBzZGk1YndrIGcuY2xhc3NHcm91cCB0ZXh0IHsKICBmaWxsOiAjOTM3MERCOwogIHN0cm9rZTogbm9uZTsKICBmb250LWZhbWlseTogJ3RyZWJ1Y2hldCBtcycsIHZlcmRhbmEsIGFyaWFsOwogIGZvbnQtc2l6ZTogMTBweDsgfQoKI2RxOXBzZGk1YndrIGcuY2xhc3NHcm91cCByZWN0IHsKICBmaWxsOiAjRUNFQ0ZGOwogIHN0cm9rZTogIzkzNzBEQjsgfQoKI2RxOXBzZGk1YndrIGcuY2xhc3NHcm91cCBsaW5lIHsKICBzdHJva2U6ICM5MzcwREI7CiAgc3Ryb2tlLXdpZHRoOiAxOyB9CgojZHE5cHNkaTVid2sgLmNsYXNzTGFiZWwgLmJveCB7CiAgc3Ryb2tlOiBub25lOwogIHN0cm9rZS13aWR0aDogMDsKICBmaWxsOiAjRUNFQ0ZGOwogIG9wYWNpdHk6IDAuNTsgfQoKI2RxOXBzZGk1YndrIC5jbGFzc0xhYmVsIC5sYWJlbCB7CiAgZmlsbDogIzkzNzBEQjsKICBmb250LXNpemU6IDEwcHg7IH0KCiNkcTlwc2RpNWJ3ayAucmVsYXRpb24gewogIHN0cm9rZTogIzkzNzBEQjsKICBzdHJva2Utd2lkdGg6IDE7CiAgZmlsbDogbm9uZTsgfQoKI2RxOXBzZGk1YndrICNjb21wb3NpdGlvblN0YXJ0IHsKICBmaWxsOiAjOTM3MERCOwogIHN0cm9rZTogIzkzNzBEQjsKICBzdHJva2Utd2lkdGg6IDE7IH0KCiNkcTlwc2RpNWJ3ayAjY29tcG9zaXRpb25FbmQgewogIGZpbGw6ICM5MzcwREI7CiAgc3Ryb2tlOiAjOTM3MERCOwogIHN0cm9rZS13aWR0aDogMTsgfQoKI2RxOXBzZGk1YndrICNhZ2dyZWdhdGlvblN0YXJ0IHsKICBmaWxsOiAjRUNFQ0ZGOwogIHN0cm9rZTogIzkzNzBEQjsKICBzdHJva2Utd2lkdGg6IDE7IH0KCiNkcTlwc2RpNWJ3ayAjYWdncmVnYXRpb25FbmQgewogIGZpbGw6ICNFQ0VDRkY7CiAgc3Ryb2tlOiAjOTM3MERCOwogIHN0cm9rZS13aWR0aDogMTsgfQoKI2RxOXBzZGk1YndrICNkZXBlbmRlbmN5U3RhcnQgewogIGZpbGw6ICM5MzcwREI7CiAgc3Ryb2tlOiAjOTM3MERCOwogIHN0cm9rZS13aWR0aDogMTsgfQoKI2RxOXBzZGk1YndrICNkZXBlbmRlbmN5RW5kIHsKICBmaWxsOiAjOTM3MERCOwogIHN0cm9rZTogIzkzNzBEQjsKICBzdHJva2Utd2lkdGg6IDE7IH0KCiNkcTlwc2RpNWJ3ayAjZXh0ZW5zaW9uU3RhcnQgewogIGZpbGw6ICM5MzcwREI7CiAgc3Ryb2tlOiAjOTM3MERCOwogIHN0cm9rZS13aWR0aDogMTsgfQoKI2RxOXBzZGk1YndrICNleHRlbnNpb25FbmQgewogIGZpbGw6ICM5MzcwREI7CiAgc3Ryb2tlOiAjOTM3MERCOwogIHN0cm9rZS13aWR0aDogMTsgfQoKI2RxOXBzZGk1YndrIC5jb21taXQtaWQsCiNkcTlwc2RpNWJ3ayAuY29tbWl0LW1zZywKI2RxOXBzZGk1YndrIC5icmFuY2gtbGFiZWwgewogIGZpbGw6IGxpZ2h0Z3JleTsKICBjb2xvcjogbGlnaHRncmV5OyB9CgoKCiNkcTlwc2RpNWJ3ayAubGFiZWx7CiAgY29sb3I6IzE4QjE0RTsKfQojZHE5cHNkaTVid2sgLnRlLW1kLWNvbnRhaW5lci0tZGFyayAubm9kZSByZWN0IHsKICBmaWxsOiByZWQ7Cn0KCiNkcTlwc2RpNWJ3ayAubm9kZSByZWN0LAojZHE5cHNkaTVid2sgLm5vZGUgY2lyY2xlLAojZHE5cHNkaTVid2sgLm5vZGUgZWxsaXBzZSwKI2RxOXBzZGk1YndrIC5ub2RlIHBvbHlnb24gewogIGZpbGw6ICNGOUZGRkI7OwogIHN0cm9rZTogIzJEQkQ2MDsKICBzdHJva2Utd2lkdGg6IDEuNXB4Owp9CiNkcTlwc2RpNWJ3ayAuYXJyb3doZWFkUGF0aHsKICBmaWxsOiAjMkRCRDYwOwp9CiNkcTlwc2RpNWJ3ayAuZWRnZVBhdGggLnBhdGggewogIHN0cm9rZTogIzJEQkQ2MDsKICBzdHJva2Utd2lkdGg6IDFweDsKfQojZHE5cHNkaTVid2sgLmVkZ2VMYWJlbCB7CiAgYmFja2dyb3VuZC1jb2xvcjogI2ZmZjsKfQojZHE5cHNkaTVid2sgLmNsdXN0ZXIgcmVjdCB7CiAgZmlsbDogI0Y5RkZGQiAhaW1wb3J0YW50OwogIHN0cm9rZTogIzJEQkQ2MCAhaW1wb3J0YW50OwogIHN0cm9rZS13aWR0aDogMXB4ICFpbXBvcnRhbnQ7Cn0KCiNkcTlwc2RpNWJ3ayAuY2x1c3RlciB0ZXh0IHsKICBmaWxsOiAjRjlGRkZCOwp9CgojZHE5cHNkaTVid2sgZGl2Lm1lcm1haWRUb29sdGlwIHsKICBiYWNrZ3JvdW5kOiAjRjlGRkZCOwogIGJvcmRlcjogMXB4IHNvbGlkICMyREJENjA7Cn0KCgojZHE5cHNkaTVid2sgLmFjdG9yIHsKICBzdHJva2U6ICMyREJENjA7CiAgZmlsbDogI0Y5RkZGQjsKfQoKI2RxOXBzZGk1YndrIHRleHQuYWN0b3IgewogIGZpbGw6ICMyREJENjA7CiAgc3Ryb2tlOiBub25lOwp9CgojZHE5cHNkaTVid2sgLmFjdG9yLWxpbmUgewogIHN0cm9rZTogIzJEQkQ2MDsKfQoKI2RxOXBzZGk1YndrIC5tZXNzYWdlTGluZTAgewogIHN0cm9rZS13aWR0aDogMS41OwogIHN0cm9rZS1kYXNoYXJyYXk6ICcyIDInOwogIG1hcmtlci1lbmQ6ICd1cmwoI2Fycm93aGVhZCknOwogIHN0cm9rZTogIzJEQkQ2MDsKfQoKI2RxOXBzZGk1YndrIC5tZXNzYWdlTGluZTEgewogIHN0cm9rZS13aWR0aDogMS41OwogIHN0cm9rZS1kYXNoYXJyYXk6ICcyIDInOwogIHN0cm9rZTogIzJEQkQ2MDsKfQoKI2RxOXBzZGk1YndrICNhcnJvd2hlYWQgewogIGZpbGw6ICMyREJENjA7Cn0KCiNkcTlwc2RpNWJ3ayAjY3Jvc3NoZWFkIHBhdGggewogIGZpbGw6ICMyREJENjAgIWltcG9ydGFudDsKICBzdHJva2U6ICMyREJENjAgIWltcG9ydGFudDsKfQoKI2RxOXBzZGk1YndrIC5tZXNzYWdlVGV4dCB7CiAgZmlsbDogIzJEQkQ2MDsKICBzdHJva2U6IG5vbmU7Cn0KCiNkcTlwc2RpNWJ3ayAubGFiZWxCb3ggewogIHN0cm9rZTogIzJEQkQ2MDsKICBmaWxsOiAjRjlGRkZCOwp9CgojZHE5cHNkaTVid2sgLmxhYmVsVGV4dCB7CiAgZmlsbDogIzJEQkQ2MDsKICBzdHJva2U6ICMyREJENjA7Cn0KCiNkcTlwc2RpNWJ3ayAubG9vcFRleHQgewogIGZpbGw6ICMyREJENjA7CiAgc3Ryb2tlOiAjMkRCRDYwOwp9CgojZHE5cHNkaTVid2sgLmxvb3BMaW5lIHsKICBzdHJva2Utd2lkdGg6IDI7CiAgc3Ryb2tlLWRhc2hhcnJheTogJzIgMic7CiAgbWFya2VyLWVuZDogJ3VybCgjYXJyb3doZWFkKSc7CiAgc3Ryb2tlOiAjMkRCRDYwOwp9CgojZHE5cHNkaTVid2sgLm5vdGUgewogIHN0cm9rZTogIzJEQkQ2MDsKICBmaWxsOiAjRjlGRkZCOwp9CgojZHE5cHNkaTVid2sgLm5vdGVUZXh0IHsKICBmaWxsOiAjMkRCRDYwOwogIHN0cm9rZTogIzJEQkQ2MDsKfQoKCiNkcTlwc2RpNWJ3ayAuc2VjdGlvbnsKICBvcGFjaXR5OjE7Cn0KI2RxOXBzZGk1YndrIC5zZWN0aW9uMCwjZHE5cHNkaTVid2sgIC5zZWN0aW9uMiB7CiAgZmlsbDogI0VDRjdGMDsKfQoKI2RxOXBzZGk1YndrIC5zZWN0aW9uMSwKI2RxOXBzZGk1YndrIC5zZWN0aW9uMyB7CiAgZmlsbDogI0ZGRjsKfQojZHE5cHNkaTVid2sgLnRhc2tUZXh0MCwKI2RxOXBzZGk1YndrIC50YXNrVGV4dDEsCiNkcTlwc2RpNWJ3ayAudGFza1RleHQyLAojZHE5cHNkaTVid2sgLnRhc2tUZXh0MyB7CiAgZmlsbDogI2ZmZjsKfQoKI2RxOXBzZGk1YndrIC50YXNrMCwKI2RxOXBzZGk1YndrIC50YXNrMSwKI2RxOXBzZGk1YndrIC50YXNrMiwKI2RxOXBzZGk1YndrIC50YXNrMyB7CiAgZmlsbDogIzJEQkQ2MDsKICBzdHJva2U6ICMzNTlGNUE7Cn0KPC9zdHlsZT48c3R5bGU+I2RxOXBzZGk1YndrIHsKICAgIGNvbG9yOiByZ2IoMjQ0LCAyNDQsIDI0NCk7CiAgICBmb250OiBub3JtYWwgbm9ybWFsIG5vcm1hbCBub3JtYWwgMTRweC8yMi4zOTk5OTk2MTg1MzAyNzNweCBtb25vc3BhY2U7CiAgfTwvc3R5bGU+PGcgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoLTEyLCAtMTIpIj48ZyBjbGFzcz0ib3V0cHV0Ij48ZyBjbGFzcz0iY2x1c3RlcnMiPjwvZz48ZyBjbGFzcz0iZWRnZVBhdGhzIj48ZyBjbGFzcz0iZWRnZVBhdGgiIHN0eWxlPSJvcGFjaXR5OiAxOyI+PHBhdGggY2xhc3M9InBhdGgiIGQ9Ik0xMjcsMzguMTQwNjI1TDE1MiwzOC4xNDA2MjVMMTc3LDM4LjE0MDYyNSIgbWFya2VyLWVuZD0idXJsKCNhcnJvd2hlYWQ4NjApIiBzdHlsZT0ic3Ryb2tlOiAjMzMzOyBzdHJva2Utd2lkdGg6IDEuNXB4O2ZpbGw6bm9uZSI+PC9wYXRoPjxkZWZzPjxtYXJrZXIgaWQ9ImFycm93aGVhZDg2MCIgdmlld0JveD0iMCAwIDEwIDEwIiByZWZYPSI5IiByZWZZPSI1IiBtYXJrZXJVbml0cz0ic3Ryb2tlV2lkdGgiIG1hcmtlcldpZHRoPSI4IiBtYXJrZXJIZWlnaHQ9IjYiIG9yaWVudD0iYXV0byI+PHBhdGggZD0iTSAwIDAgTCAxMCA1IEwgMCAxMCB6IiBjbGFzcz0iYXJyb3doZWFkUGF0aCIgc3R5bGU9InN0cm9rZS13aWR0aDogMXB4OyBzdHJva2UtZGFzaGFycmF5OiAxcHgsIDBweDsiPjwvcGF0aD48L21hcmtlcj48L2RlZnM+PC9nPjxnIGNsYXNzPSJlZGdlUGF0aCIgc3R5bGU9Im9wYWNpdHk6IDE7Ij48cGF0aCBjbGFzcz0icGF0aCIgZD0iTTI3MC4yMzQzNzUsMzguMTQwNjI1TDI5NS4yMzQzNzUsMzguMTQwNjI1TDMyMC4yMzQzNzUsMzguMTQwNjI1IiBtYXJrZXItZW5kPSJ1cmwoI2Fycm93aGVhZDg2MSkiIHN0eWxlPSJzdHJva2U6ICMzMzM7IHN0cm9rZS13aWR0aDogMS41cHg7ZmlsbDpub25lIj48L3BhdGg+PGRlZnM+PG1hcmtlciBpZD0iYXJyb3doZWFkODYxIiB2aWV3Qm94PSIwIDAgMTAgMTAiIHJlZlg9IjkiIHJlZlk9IjUiIG1hcmtlclVuaXRzPSJzdHJva2VXaWR0aCIgbWFya2VyV2lkdGg9IjgiIG1hcmtlckhlaWdodD0iNiIgb3JpZW50PSJhdXRvIj48cGF0aCBkPSJNIDAgMCBMIDEwIDUgTCAwIDEwIHoiIGNsYXNzPSJhcnJvd2hlYWRQYXRoIiBzdHlsZT0ic3Ryb2tlLXdpZHRoOiAxcHg7IHN0cm9rZS1kYXNoYXJyYXk6IDFweCwgMHB4OyI+PC9wYXRoPjwvbWFya2VyPjwvZGVmcz48L2c+PGcgY2xhc3M9ImVkZ2VQYXRoIiBzdHlsZT0ib3BhY2l0eTogMTsiPjxwYXRoIGNsYXNzPSJwYXRoIiBkPSJNMzc5LjEwOTM3NSwzOC4xNDA2MjVMNDA0LjEwOTM3NSwzOC4xNDA2MjVMNDI5LjEwOTM3NSwzOC4xNDA2MjUiIG1hcmtlci1lbmQ9InVybCgjYXJyb3doZWFkODYyKSIgc3R5bGU9InN0cm9rZTogIzMzMzsgc3Ryb2tlLXdpZHRoOiAxLjVweDtmaWxsOm5vbmUiPjwvcGF0aD48ZGVmcz48bWFya2VyIGlkPSJhcnJvd2hlYWQ4NjIiIHZpZXdCb3g9IjAgMCAxMCAxMCIgcmVmWD0iOSIgcmVmWT0iNSIgbWFya2VyVW5pdHM9InN0cm9rZVdpZHRoIiBtYXJrZXJXaWR0aD0iOCIgbWFya2VySGVpZ2h0PSI2IiBvcmllbnQ9ImF1dG8iPjxwYXRoIGQ9Ik0gMCAwIEwgMTAgNSBMIDAgMTAgeiIgY2xhc3M9ImFycm93aGVhZFBhdGgiIHN0eWxlPSJzdHJva2Utd2lkdGg6IDFweDsgc3Ryb2tlLWRhc2hhcnJheTogMXB4LCAwcHg7Ij48L3BhdGg+PC9tYXJrZXI+PC9kZWZzPjwvZz48ZyBjbGFzcz0iZWRnZVBhdGgiIHN0eWxlPSJvcGFjaXR5OiAxOyI+PHBhdGggY2xhc3M9InBhdGgiIGQ9Ik00OTEuMTU2MjUsMzguMTQwNjI1TDU1MS4yMjY1NjI1LDM4LjE0MDYyNUw2MTEuMjk2ODc1LDM4LjE0MDYyNSIgbWFya2VyLWVuZD0idXJsKCNhcnJvd2hlYWQ4NjMpIiBzdHlsZT0ic3Ryb2tlOiAjMzMzOyBzdHJva2Utd2lkdGg6IDEuNXB4O2ZpbGw6bm9uZSI+PC9wYXRoPjxkZWZzPjxtYXJrZXIgaWQ9ImFycm93aGVhZDg2MyIgdmlld0JveD0iMCAwIDEwIDEwIiByZWZYPSI5IiByZWZZPSI1IiBtYXJrZXJVbml0cz0ic3Ryb2tlV2lkdGgiIG1hcmtlcldpZHRoPSI4IiBtYXJrZXJIZWlnaHQ9IjYiIG9yaWVudD0iYXV0byI+PHBhdGggZD0iTSAwIDAgTCAxMCA1IEwgMCAxMCB6IiBjbGFzcz0iYXJyb3doZWFkUGF0aCIgc3R5bGU9InN0cm9rZS13aWR0aDogMXB4OyBzdHJva2UtZGFzaGFycmF5OiAxcHgsIDBweDsiPjwvcGF0aD48L21hcmtlcj48L2RlZnM+PC9nPjwvZz48ZyBjbGFzcz0iZWRnZUxhYmVscyI+PGcgY2xhc3M9ImVkZ2VMYWJlbCIgdHJhbnNmb3JtPSIiIHN0eWxlPSJvcGFjaXR5OiAxOyI+PGcgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoMCwwKSIgY2xhc3M9ImxhYmVsIj48cmVjdCByeD0iMCIgcnk9IjAiIHdpZHRoPSIwIiBoZWlnaHQ9IjAiIHN0eWxlPSJmaWxsOiNlOGU4ZTg7Ij48L3JlY3Q+PHRleHQ+PHRzcGFuIHhtbDpzcGFjZT0icHJlc2VydmUiIGR5PSIxZW0iIHg9IjEiPjwvdHNwYW4+PC90ZXh0PjwvZz48L2c+PGcgY2xhc3M9ImVkZ2VMYWJlbCIgdHJhbnNmb3JtPSIiIHN0eWxlPSJvcGFjaXR5OiAxOyI+PGcgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoMCwwKSIgY2xhc3M9ImxhYmVsIj48cmVjdCByeD0iMCIgcnk9IjAiIHdpZHRoPSIwIiBoZWlnaHQ9IjAiIHN0eWxlPSJmaWxsOiNlOGU4ZTg7Ij48L3JlY3Q+PHRleHQ+PHRzcGFuIHhtbDpzcGFjZT0icHJlc2VydmUiIGR5PSIxZW0iIHg9IjEiPjwvdHNwYW4+PC90ZXh0PjwvZz48L2c+PGcgY2xhc3M9ImVkZ2VMYWJlbCIgdHJhbnNmb3JtPSIiIHN0eWxlPSJvcGFjaXR5OiAxOyI+PGcgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoMCwwKSIgY2xhc3M9ImxhYmVsIj48cmVjdCByeD0iMCIgcnk9IjAiIHdpZHRoPSIwIiBoZWlnaHQ9IjAiIHN0eWxlPSJmaWxsOiNlOGU4ZTg7Ij48L3JlY3Q+PHRleHQ+PHRzcGFuIHhtbDpzcGFjZT0icHJlc2VydmUiIGR5PSIxZW0iIHg9IjEiPjwvdHNwYW4+PC90ZXh0PjwvZz48L2c+PGcgY2xhc3M9ImVkZ2VMYWJlbCIgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoNTUxLjIyNjU2MjUsMzguMTQwNjI1KSIgc3R5bGU9Im9wYWNpdHk6IDE7Ij48ZyB0cmFuc2Zvcm09InRyYW5zbGF0ZSgtMzUuNjU2MjUsLTguMDA3ODEyNSkiIGNsYXNzPSJsYWJlbCI+PHJlY3Qgcng9IjAiIHJ5PSIwIiB3aWR0aD0iNjkuODQzNzUiIGhlaWdodD0iMTYuMjAzMTI1IiBzdHlsZT0iZmlsbDojZThlOGU4OyI+PC9yZWN0Pjx0ZXh0Pjx0c3BhbiB4bWw6c3BhY2U9InByZXNlcnZlIiBkeT0iMWVtIiB4PSIxIj5UReadg+mZkOajgOafpTwvdHNwYW4+PC90ZXh0PjwvZz48L2c+PC9nPjxnIGNsYXNzPSJub2RlcyI+PGcgY2xhc3M9Im5vZGUiIGlkPSJBIiB0cmFuc2Zvcm09InRyYW5zbGF0ZSg3My41LDM4LjE0MDYyNSkiIHN0eWxlPSJvcGFjaXR5OiAxOyI+PHJlY3Qgcng9IjAiIHJ5PSIwIiB4PSItNTMuNSIgeT0iLTE4LjE0MDYyNSIgd2lkdGg9IjEwNyIgaGVpZ2h0PSIzNi4yODEyNSI+PC9yZWN0PjxnIGNsYXNzPSJsYWJlbCIgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoMCwwKSI+PGcgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoLTQzLjUsLTguMTQwNjI1KSI+PHRleHQ+PHRzcGFuIHhtbDpzcGFjZT0icHJlc2VydmUiIGR5PSIxZW0iIHg9IjEiPkxpbnV457O757uf55So5oi3PC90c3Bhbj48L3RleHQ+PC9nPjwvZz48L2c+PGcgY2xhc3M9Im5vZGUiIGlkPSJCIiB0cmFuc2Zvcm09InRyYW5zbGF0ZSgyMjMuNjE3MTg3NSwzOC4xNDA2MjUpIiBzdHlsZT0ib3BhY2l0eTogMTsiPjxyZWN0IHJ4PSIwIiByeT0iMCIgeD0iLTQ2LjYxNzE4NzUiIHk9Ii0xOC4xNDA2MjUiIHdpZHRoPSI5My4yMzQzNzUiIGhlaWdodD0iMzYuMjgxMjUiPjwvcmVjdD48ZyBjbGFzcz0ibGFiZWwiIHRyYW5zZm9ybT0idHJhbnNsYXRlKDAsMCkiPjxnIHRyYW5zZm9ybT0idHJhbnNsYXRlKC0zNi42MTcxODc1LC04LjE0MDYyNSkiPjx0ZXh0Pjx0c3BhbiB4bWw6c3BhY2U9InByZXNlcnZlIiBkeT0iMWVtIiB4PSIxIj5TRUxpbnV455So5oi3PC90c3Bhbj48L3RleHQ+PC9nPjwvZz48L2c+PGcgY2xhc3M9Im5vZGUiIGlkPSJDIiB0cmFuc2Zvcm09InRyYW5zbGF0ZSgzNDkuNjcxODc1LDM4LjE0MDYyNSkiIHN0eWxlPSJvcGFjaXR5OiAxOyI+PHJlY3Qgcng9IjAiIHJ5PSIwIiB4PSItMjkuNDM3NSIgeT0iLTE4LjE0MDYyNSIgd2lkdGg9IjU4Ljg3NSIgaGVpZ2h0PSIzNi4yODEyNSI+PC9yZWN0PjxnIGNsYXNzPSJsYWJlbCIgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoMCwwKSI+PGcgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoLTE5LjQzNzUsLTguMTQwNjI1KSI+PHRleHQ+PHRzcGFuIHhtbDpzcGFjZT0icHJlc2VydmUiIGR5PSIxZW0iIHg9IjEiPnJvbGUocyk8L3RzcGFuPjwvdGV4dD48L2c+PC9nPjwvZz48ZyBjbGFzcz0ibm9kZSIgaWQ9IkQiIHRyYW5zZm9ybT0idHJhbnNsYXRlKDQ2MC4xMzI4MTI1LDM4LjE0MDYyNSkiIHN0eWxlPSJvcGFjaXR5OiAxOyI+PHJlY3Qgcng9IjAiIHJ5PSIwIiB4PSItMzEuMDIzNDM3NSIgeT0iLTE4LjE0MDYyNSIgd2lkdGg9IjYyLjA0Njg3NSIgaGVpZ2h0PSIzNi4yODEyNSI+PC9yZWN0PjxnIGNsYXNzPSJsYWJlbCIgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoMCwwKSI+PGcgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoLTIxLjAyMzQzNzUsLTguMTQwNjI1KSI+PHRleHQ+PHRzcGFuIHhtbDpzcGFjZT0icHJlc2VydmUiIGR5PSIxZW0iIHg9IjEiPnR5cGUocyk8L3RzcGFuPjwvdGV4dD48L2c+PC9nPjwvZz48ZyBjbGFzcz0ibm9kZSIgaWQ9IkUiIHRyYW5zZm9ybT0idHJhbnNsYXRlKDY2My42NjQwNjI1LDM4LjE0MDYyNSkiIHN0eWxlPSJvcGFjaXR5OiAxOyI+PHJlY3Qgcng9IjAiIHJ5PSIwIiB4PSItNTIuMzY3MTg3NSIgeT0iLTE4LjE0MDYyNSIgd2lkdGg9IjEwNC43MzQzNzUiIGhlaWdodD0iMzYuMjgxMjUiPjwvcmVjdD48ZyBjbGFzcz0ibGFiZWwiIHRyYW5zZm9ybT0idHJhbnNsYXRlKDAsMCkiPjxnIHRyYW5zZm9ybT0idHJhbnNsYXRlKC00Mi4zNjcxODc1LC04LjE0MDYyNSkiPjx0ZXh0Pjx0c3BhbiB4bWw6c3BhY2U9InByZXNlcnZlIiBkeT0iMWVtIiB4PSIxIj5vYmplY3QgdHlwZShzKTwvdHNwYW4+PC90ZXh0PjwvZz48L2c+PC9nPjwvZz48L2c+PC9nPjwvc3ZnPg==

constrain

前面讲了RBAC与TE结合提供的权限检查,RBAC还提供了一种直接的user/role权限检查方法,成为constrain。举个例子:

# 标准格式:constrain <object_class_set> <perm_set> <expression> ;
constrain file write (u1 == u2 and r1 == r2) ;

限制只有文件的创建者user/role与进程user/role相等时,才可以对文件进行写操作。注意这里是object class,控制的是一类资源,而不是具体哪一个object。
可以使用的逻辑运算符有:

  • ==, !=:user/role都可用
  • 仅针对role的eq, dom, domby, incomp

总结

PHN2ZyBpZD0iZHhrM2V5em95M3AiIHdpZHRoPSIxMDAlIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHN0eWxlPSJtYXgtd2lkdGg6IDM3NS45MjE4NzVweDsiIHZpZXdCb3g9IjAgMCAzNzUuOTIxODc1IDM0My42ODc1Ij48c3R5bGU+CgoKI2R4azNleXpveTNwIC5sYWJlbCB7CiAgZm9udC1mYW1pbHk6ICd0cmVidWNoZXQgbXMnLCB2ZXJkYW5hLCBhcmlhbDsKICBjb2xvcjogIzMzMzsgfQoKI2R4azNleXpveTNwIC5ub2RlIHJlY3QsCiNkeGszZXl6b3kzcCAubm9kZSBjaXJjbGUsCiNkeGszZXl6b3kzcCAubm9kZSBlbGxpcHNlLAojZHhrM2V5em95M3AgLm5vZGUgcG9seWdvbiB7CiAgZmlsbDogI0VDRUNGRjsKICBzdHJva2U6ICM5MzcwREI7CiAgc3Ryb2tlLXdpZHRoOiAxcHg7IH0KCiNkeGszZXl6b3kzcCAubm9kZS5jbGlja2FibGUgewogIGN1cnNvcjogcG9pbnRlcjsgfQoKI2R4azNleXpveTNwIC5hcnJvd2hlYWRQYXRoIHsKICBmaWxsOiAjMzMzMzMzOyB9CgojZHhrM2V5em95M3AgLmVkZ2VQYXRoIC5wYXRoIHsKICBzdHJva2U6ICMzMzMzMzM7CiAgc3Ryb2tlLXdpZHRoOiAxLjVweDsgfQoKI2R4azNleXpveTNwIC5lZGdlTGFiZWwgewogIGJhY2tncm91bmQtY29sb3I6ICNlOGU4ZTg7IH0KCiNkeGszZXl6b3kzcCAuY2x1c3RlciByZWN0IHsKICBmaWxsOiAjZmZmZmRlICFpbXBvcnRhbnQ7CiAgc3Ryb2tlOiAjYWFhYTMzICFpbXBvcnRhbnQ7CiAgc3Ryb2tlLXdpZHRoOiAxcHggIWltcG9ydGFudDsgfQoKI2R4azNleXpveTNwIC5jbHVzdGVyIHRleHQgewogIGZpbGw6ICMzMzM7IH0KCiNkeGszZXl6b3kzcCBkaXYubWVybWFpZFRvb2x0aXAgewogIHBvc2l0aW9uOiBhYnNvbHV0ZTsKICB0ZXh0LWFsaWduOiBjZW50ZXI7CiAgbWF4LXdpZHRoOiAyMDBweDsKICBwYWRkaW5nOiAycHg7CiAgZm9udC1mYW1pbHk6ICd0cmVidWNoZXQgbXMnLCB2ZXJkYW5hLCBhcmlhbDsKICBmb250LXNpemU6IDEycHg7CiAgYmFja2dyb3VuZDogI2ZmZmZkZTsKICBib3JkZXI6IDFweCBzb2xpZCAjYWFhYTMzOwogIGJvcmRlci1yYWRpdXM6IDJweDsKICBwb2ludGVyLWV2ZW50czogbm9uZTsKICB6LWluZGV4OiAxMDA7IH0KCiNkeGszZXl6b3kzcCAuYWN0b3IgewogIHN0cm9rZTogI0NDQ0NGRjsKICBmaWxsOiAjRUNFQ0ZGOyB9CgojZHhrM2V5em95M3AgdGV4dC5hY3RvciB7CiAgZmlsbDogYmxhY2s7CiAgc3Ryb2tlOiBub25lOyB9CgojZHhrM2V5em95M3AgLmFjdG9yLWxpbmUgewogIHN0cm9rZTogZ3JleTsgfQoKI2R4azNleXpveTNwIC5tZXNzYWdlTGluZTAgewogIHN0cm9rZS13aWR0aDogMS41OwogIHN0cm9rZS1kYXNoYXJyYXk6ICcyIDInOwogIHN0cm9rZTogIzMzMzsgfQoKI2R4azNleXpveTNwIC5tZXNzYWdlTGluZTEgewogIHN0cm9rZS13aWR0aDogMS41OwogIHN0cm9rZS1kYXNoYXJyYXk6ICcyIDInOwogIHN0cm9rZTogIzMzMzsgfQoKI2R4azNleXpveTNwICNhcnJvd2hlYWQgewogIGZpbGw6ICMzMzM7IH0KCiNkeGszZXl6b3kzcCAjY3Jvc3NoZWFkIHBhdGggewogIGZpbGw6ICMzMzMgIWltcG9ydGFudDsKICBzdHJva2U6ICMzMzMgIWltcG9ydGFudDsgfQoKI2R4azNleXpveTNwIC5tZXNzYWdlVGV4dCB7CiAgZmlsbDogIzMzMzsKICBzdHJva2U6IG5vbmU7IH0KCiNkeGszZXl6b3kzcCAubGFiZWxCb3ggewogIHN0cm9rZTogI0NDQ0NGRjsKICBmaWxsOiAjRUNFQ0ZGOyB9CgojZHhrM2V5em95M3AgLmxhYmVsVGV4dCB7CiAgZmlsbDogYmxhY2s7CiAgc3Ryb2tlOiBub25lOyB9CgojZHhrM2V5em95M3AgLmxvb3BUZXh0IHsKICBmaWxsOiBibGFjazsKICBzdHJva2U6IG5vbmU7IH0KCiNkeGszZXl6b3kzcCAubG9vcExpbmUgewogIHN0cm9rZS13aWR0aDogMjsKICBzdHJva2UtZGFzaGFycmF5OiAnMiAyJzsKICBzdHJva2U6ICNDQ0NDRkY7IH0KCiNkeGszZXl6b3kzcCAubm90ZSB7CiAgc3Ryb2tlOiAjYWFhYTMzOwogIGZpbGw6ICNmZmY1YWQ7IH0KCiNkeGszZXl6b3kzcCAubm90ZVRleHQgewogIGZpbGw6IGJsYWNrOwogIHN0cm9rZTogbm9uZTsKICBmb250LWZhbWlseTogJ3RyZWJ1Y2hldCBtcycsIHZlcmRhbmEsIGFyaWFsOwogIGZvbnQtc2l6ZTogMTRweDsgfQoKI2R4azNleXpveTNwIC5hY3RpdmF0aW9uMCB7CiAgZmlsbDogI2Y0ZjRmNDsKICBzdHJva2U6ICM2NjY7IH0KCiNkeGszZXl6b3kzcCAuYWN0aXZhdGlvbjEgewogIGZpbGw6ICNmNGY0ZjQ7CiAgc3Ryb2tlOiAjNjY2OyB9CgojZHhrM2V5em95M3AgLmFjdGl2YXRpb24yIHsKICBmaWxsOiAjZjRmNGY0OwogIHN0cm9rZTogIzY2NjsgfQoKCiNkeGszZXl6b3kzcCAuc2VjdGlvbiB7CiAgc3Ryb2tlOiBub25lOwogIG9wYWNpdHk6IDAuMjsgfQoKI2R4azNleXpveTNwIC5zZWN0aW9uMCB7CiAgZmlsbDogcmdiYSgxMDIsIDEwMiwgMjU1LCAwLjQ5KTsgfQoKI2R4azNleXpveTNwIC5zZWN0aW9uMiB7CiAgZmlsbDogI2ZmZjQwMDsgfQoKI2R4azNleXpveTNwIC5zZWN0aW9uMSwKI2R4azNleXpveTNwIC5zZWN0aW9uMyB7CiAgZmlsbDogd2hpdGU7CiAgb3BhY2l0eTogMC4yOyB9CgojZHhrM2V5em95M3AgLnNlY3Rpb25UaXRsZTAgewogIGZpbGw6ICMzMzM7IH0KCiNkeGszZXl6b3kzcCAuc2VjdGlvblRpdGxlMSB7CiAgZmlsbDogIzMzMzsgfQoKI2R4azNleXpveTNwIC5zZWN0aW9uVGl0bGUyIHsKICBmaWxsOiAjMzMzOyB9CgojZHhrM2V5em95M3AgLnNlY3Rpb25UaXRsZTMgewogIGZpbGw6ICMzMzM7IH0KCiNkeGszZXl6b3kzcCAuc2VjdGlvblRpdGxlIHsKICB0ZXh0LWFuY2hvcjogc3RhcnQ7CiAgZm9udC1zaXplOiAxMXB4OwogIHRleHQtaGVpZ2h0OiAxNHB4OyB9CgoKI2R4azNleXpveTNwIC5ncmlkIC50aWNrIHsKICBzdHJva2U6IGxpZ2h0Z3JleTsKICBvcGFjaXR5OiAwLjM7CiAgc2hhcGUtcmVuZGVyaW5nOiBjcmlzcEVkZ2VzOyB9CgojZHhrM2V5em95M3AgLmdyaWQgcGF0aCB7CiAgc3Ryb2tlLXdpZHRoOiAwOyB9CgoKI2R4azNleXpveTNwIC50b2RheSB7CiAgZmlsbDogbm9uZTsKICBzdHJva2U6IHJlZDsKICBzdHJva2Utd2lkdGg6IDJweDsgfQoKCgojZHhrM2V5em95M3AgLnRhc2sgewogIHN0cm9rZS13aWR0aDogMjsgfQoKI2R4azNleXpveTNwIC50YXNrVGV4dCB7CiAgdGV4dC1hbmNob3I6IG1pZGRsZTsKICBmb250LXNpemU6IDExcHg7IH0KCiNkeGszZXl6b3kzcCAudGFza1RleHRPdXRzaWRlUmlnaHQgewogIGZpbGw6IGJsYWNrOwogIHRleHQtYW5jaG9yOiBzdGFydDsKICBmb250LXNpemU6IDExcHg7IH0KCiNkeGszZXl6b3kzcCAudGFza1RleHRPdXRzaWRlTGVmdCB7CiAgZmlsbDogYmxhY2s7CiAgdGV4dC1hbmNob3I6IGVuZDsKICBmb250LXNpemU6IDExcHg7IH0KCgojZHhrM2V5em95M3AgLnRhc2tUZXh0MCwKI2R4azNleXpveTNwIC50YXNrVGV4dDEsCiNkeGszZXl6b3kzcCAudGFza1RleHQyLAojZHhrM2V5em95M3AgLnRhc2tUZXh0MyB7CiAgZmlsbDogd2hpdGU7IH0KCiNkeGszZXl6b3kzcCAudGFzazAsCiNkeGszZXl6b3kzcCAudGFzazEsCiNkeGszZXl6b3kzcCAudGFzazIsCiNkeGszZXl6b3kzcCAudGFzazMgewogIGZpbGw6ICM4YTkwZGQ7CiAgc3Ryb2tlOiAjNTM0ZmJjOyB9CgojZHhrM2V5em95M3AgLnRhc2tUZXh0T3V0c2lkZTAsCiNkeGszZXl6b3kzcCAudGFza1RleHRPdXRzaWRlMiB7CiAgZmlsbDogYmxhY2s7IH0KCiNkeGszZXl6b3kzcCAudGFza1RleHRPdXRzaWRlMSwKI2R4azNleXpveTNwIC50YXNrVGV4dE91dHNpZGUzIHsKICBmaWxsOiBibGFjazsgfQoKCiNkeGszZXl6b3kzcCAuYWN0aXZlMCwKI2R4azNleXpveTNwIC5hY3RpdmUxLAojZHhrM2V5em95M3AgLmFjdGl2ZTIsCiNkeGszZXl6b3kzcCAuYWN0aXZlMyB7CiAgZmlsbDogI2JmYzdmZjsKICBzdHJva2U6ICM1MzRmYmM7IH0KCiNkeGszZXl6b3kzcCAuYWN0aXZlVGV4dDAsCiNkeGszZXl6b3kzcCAuYWN0aXZlVGV4dDEsCiNkeGszZXl6b3kzcCAuYWN0aXZlVGV4dDIsCiNkeGszZXl6b3kzcCAuYWN0aXZlVGV4dDMgewogIGZpbGw6IGJsYWNrICFpbXBvcnRhbnQ7IH0KCgojZHhrM2V5em95M3AgLmRvbmUwLAojZHhrM2V5em95M3AgLmRvbmUxLAojZHhrM2V5em95M3AgLmRvbmUyLAojZHhrM2V5em95M3AgLmRvbmUzIHsKICBzdHJva2U6IGdyZXk7CiAgZmlsbDogbGlnaHRncmV5OwogIHN0cm9rZS13aWR0aDogMjsgfQoKI2R4azNleXpveTNwIC5kb25lVGV4dDAsCiNkeGszZXl6b3kzcCAuZG9uZVRleHQxLAojZHhrM2V5em95M3AgLmRvbmVUZXh0MiwKI2R4azNleXpveTNwIC5kb25lVGV4dDMgewogIGZpbGw6IGJsYWNrICFpbXBvcnRhbnQ7IH0KCgojZHhrM2V5em95M3AgLmNyaXQwLAojZHhrM2V5em95M3AgLmNyaXQxLAojZHhrM2V5em95M3AgLmNyaXQyLAojZHhrM2V5em95M3AgLmNyaXQzIHsKICBzdHJva2U6ICNmZjg4ODg7CiAgZmlsbDogcmVkOwogIHN0cm9rZS13aWR0aDogMjsgfQoKI2R4azNleXpveTNwIC5hY3RpdmVDcml0MCwKI2R4azNleXpveTNwIC5hY3RpdmVDcml0MSwKI2R4azNleXpveTNwIC5hY3RpdmVDcml0MiwKI2R4azNleXpveTNwIC5hY3RpdmVDcml0MyB7CiAgc3Ryb2tlOiAjZmY4ODg4OwogIGZpbGw6ICNiZmM3ZmY7CiAgc3Ryb2tlLXdpZHRoOiAyOyB9CgojZHhrM2V5em95M3AgLmRvbmVDcml0MCwKI2R4azNleXpveTNwIC5kb25lQ3JpdDEsCiNkeGszZXl6b3kzcCAuZG9uZUNyaXQyLAojZHhrM2V5em95M3AgLmRvbmVDcml0MyB7CiAgc3Ryb2tlOiAjZmY4ODg4OwogIGZpbGw6IGxpZ2h0Z3JleTsKICBzdHJva2Utd2lkdGg6IDI7CiAgY3Vyc29yOiBwb2ludGVyOwogIHNoYXBlLXJlbmRlcmluZzogY3Jpc3BFZGdlczsgfQoKI2R4azNleXpveTNwIC5kb25lQ3JpdFRleHQwLAojZHhrM2V5em95M3AgLmRvbmVDcml0VGV4dDEsCiNkeGszZXl6b3kzcCAuZG9uZUNyaXRUZXh0MiwKI2R4azNleXpveTNwIC5kb25lQ3JpdFRleHQzIHsKICBmaWxsOiBibGFjayAhaW1wb3J0YW50OyB9CgojZHhrM2V5em95M3AgLmFjdGl2ZUNyaXRUZXh0MCwKI2R4azNleXpveTNwIC5hY3RpdmVDcml0VGV4dDEsCiNkeGszZXl6b3kzcCAuYWN0aXZlQ3JpdFRleHQyLAojZHhrM2V5em95M3AgLmFjdGl2ZUNyaXRUZXh0MyB7CiAgZmlsbDogYmxhY2sgIWltcG9ydGFudDsgfQoKI2R4azNleXpveTNwIC50aXRsZVRleHQgewogIHRleHQtYW5jaG9yOiBtaWRkbGU7CiAgZm9udC1zaXplOiAxOHB4OwogIGZpbGw6IGJsYWNrOyB9CgojZHhrM2V5em95M3AgZy5jbGFzc0dyb3VwIHRleHQgewogIGZpbGw6ICM5MzcwREI7CiAgc3Ryb2tlOiBub25lOwogIGZvbnQtZmFtaWx5OiAndHJlYnVjaGV0IG1zJywgdmVyZGFuYSwgYXJpYWw7CiAgZm9udC1zaXplOiAxMHB4OyB9CgojZHhrM2V5em95M3AgZy5jbGFzc0dyb3VwIHJlY3QgewogIGZpbGw6ICNFQ0VDRkY7CiAgc3Ryb2tlOiAjOTM3MERCOyB9CgojZHhrM2V5em95M3AgZy5jbGFzc0dyb3VwIGxpbmUgewogIHN0cm9rZTogIzkzNzBEQjsKICBzdHJva2Utd2lkdGg6IDE7IH0KCiNkeGszZXl6b3kzcCAuY2xhc3NMYWJlbCAuYm94IHsKICBzdHJva2U6IG5vbmU7CiAgc3Ryb2tlLXdpZHRoOiAwOwogIGZpbGw6ICNFQ0VDRkY7CiAgb3BhY2l0eTogMC41OyB9CgojZHhrM2V5em95M3AgLmNsYXNzTGFiZWwgLmxhYmVsIHsKICBmaWxsOiAjOTM3MERCOwogIGZvbnQtc2l6ZTogMTBweDsgfQoKI2R4azNleXpveTNwIC5yZWxhdGlvbiB7CiAgc3Ryb2tlOiAjOTM3MERCOwogIHN0cm9rZS13aWR0aDogMTsKICBmaWxsOiBub25lOyB9CgojZHhrM2V5em95M3AgI2NvbXBvc2l0aW9uU3RhcnQgewogIGZpbGw6ICM5MzcwREI7CiAgc3Ryb2tlOiAjOTM3MERCOwogIHN0cm9rZS13aWR0aDogMTsgfQoKI2R4azNleXpveTNwICNjb21wb3NpdGlvbkVuZCB7CiAgZmlsbDogIzkzNzBEQjsKICBzdHJva2U6ICM5MzcwREI7CiAgc3Ryb2tlLXdpZHRoOiAxOyB9CgojZHhrM2V5em95M3AgI2FnZ3JlZ2F0aW9uU3RhcnQgewogIGZpbGw6ICNFQ0VDRkY7CiAgc3Ryb2tlOiAjOTM3MERCOwogIHN0cm9rZS13aWR0aDogMTsgfQoKI2R4azNleXpveTNwICNhZ2dyZWdhdGlvbkVuZCB7CiAgZmlsbDogI0VDRUNGRjsKICBzdHJva2U6ICM5MzcwREI7CiAgc3Ryb2tlLXdpZHRoOiAxOyB9CgojZHhrM2V5em95M3AgI2RlcGVuZGVuY3lTdGFydCB7CiAgZmlsbDogIzkzNzBEQjsKICBzdHJva2U6ICM5MzcwREI7CiAgc3Ryb2tlLXdpZHRoOiAxOyB9CgojZHhrM2V5em95M3AgI2RlcGVuZGVuY3lFbmQgewogIGZpbGw6ICM5MzcwREI7CiAgc3Ryb2tlOiAjOTM3MERCOwogIHN0cm9rZS13aWR0aDogMTsgfQoKI2R4azNleXpveTNwICNleHRlbnNpb25TdGFydCB7CiAgZmlsbDogIzkzNzBEQjsKICBzdHJva2U6ICM5MzcwREI7CiAgc3Ryb2tlLXdpZHRoOiAxOyB9CgojZHhrM2V5em95M3AgI2V4dGVuc2lvbkVuZCB7CiAgZmlsbDogIzkzNzBEQjsKICBzdHJva2U6ICM5MzcwREI7CiAgc3Ryb2tlLXdpZHRoOiAxOyB9CgojZHhrM2V5em95M3AgLmNvbW1pdC1pZCwKI2R4azNleXpveTNwIC5jb21taXQtbXNnLAojZHhrM2V5em95M3AgLmJyYW5jaC1sYWJlbCB7CiAgZmlsbDogbGlnaHRncmV5OwogIGNvbG9yOiBsaWdodGdyZXk7IH0KCgoKI2R4azNleXpveTNwIC5sYWJlbHsKICBjb2xvcjojMThCMTRFOwp9CiNkeGszZXl6b3kzcCAudGUtbWQtY29udGFpbmVyLS1kYXJrIC5ub2RlIHJlY3QgewogIGZpbGw6IHJlZDsKfQoKI2R4azNleXpveTNwIC5ub2RlIHJlY3QsCiNkeGszZXl6b3kzcCAubm9kZSBjaXJjbGUsCiNkeGszZXl6b3kzcCAubm9kZSBlbGxpcHNlLAojZHhrM2V5em95M3AgLm5vZGUgcG9seWdvbiB7CiAgZmlsbDogI0Y5RkZGQjs7CiAgc3Ryb2tlOiAjMkRCRDYwOwogIHN0cm9rZS13aWR0aDogMS41cHg7Cn0KI2R4azNleXpveTNwIC5hcnJvd2hlYWRQYXRoewogIGZpbGw6ICMyREJENjA7Cn0KI2R4azNleXpveTNwIC5lZGdlUGF0aCAucGF0aCB7CiAgc3Ryb2tlOiAjMkRCRDYwOwogIHN0cm9rZS13aWR0aDogMXB4Owp9CiNkeGszZXl6b3kzcCAuZWRnZUxhYmVsIHsKICBiYWNrZ3JvdW5kLWNvbG9yOiAjZmZmOwp9CiNkeGszZXl6b3kzcCAuY2x1c3RlciByZWN0IHsKICBmaWxsOiAjRjlGRkZCICFpbXBvcnRhbnQ7CiAgc3Ryb2tlOiAjMkRCRDYwICFpbXBvcnRhbnQ7CiAgc3Ryb2tlLXdpZHRoOiAxcHggIWltcG9ydGFudDsKfQoKI2R4azNleXpveTNwIC5jbHVzdGVyIHRleHQgewogIGZpbGw6ICNGOUZGRkI7Cn0KCiNkeGszZXl6b3kzcCBkaXYubWVybWFpZFRvb2x0aXAgewogIGJhY2tncm91bmQ6ICNGOUZGRkI7CiAgYm9yZGVyOiAxcHggc29saWQgIzJEQkQ2MDsKfQoKCiNkeGszZXl6b3kzcCAuYWN0b3IgewogIHN0cm9rZTogIzJEQkQ2MDsKICBmaWxsOiAjRjlGRkZCOwp9CgojZHhrM2V5em95M3AgdGV4dC5hY3RvciB7CiAgZmlsbDogIzJEQkQ2MDsKICBzdHJva2U6IG5vbmU7Cn0KCiNkeGszZXl6b3kzcCAuYWN0b3ItbGluZSB7CiAgc3Ryb2tlOiAjMkRCRDYwOwp9CgojZHhrM2V5em95M3AgLm1lc3NhZ2VMaW5lMCB7CiAgc3Ryb2tlLXdpZHRoOiAxLjU7CiAgc3Ryb2tlLWRhc2hhcnJheTogJzIgMic7CiAgbWFya2VyLWVuZDogJ3VybCgjYXJyb3doZWFkKSc7CiAgc3Ryb2tlOiAjMkRCRDYwOwp9CgojZHhrM2V5em95M3AgLm1lc3NhZ2VMaW5lMSB7CiAgc3Ryb2tlLXdpZHRoOiAxLjU7CiAgc3Ryb2tlLWRhc2hhcnJheTogJzIgMic7CiAgc3Ryb2tlOiAjMkRCRDYwOwp9CgojZHhrM2V5em95M3AgI2Fycm93aGVhZCB7CiAgZmlsbDogIzJEQkQ2MDsKfQoKI2R4azNleXpveTNwICNjcm9zc2hlYWQgcGF0aCB7CiAgZmlsbDogIzJEQkQ2MCAhaW1wb3J0YW50OwogIHN0cm9rZTogIzJEQkQ2MCAhaW1wb3J0YW50Owp9CgojZHhrM2V5em95M3AgLm1lc3NhZ2VUZXh0IHsKICBmaWxsOiAjMkRCRDYwOwogIHN0cm9rZTogbm9uZTsKfQoKI2R4azNleXpveTNwIC5sYWJlbEJveCB7CiAgc3Ryb2tlOiAjMkRCRDYwOwogIGZpbGw6ICNGOUZGRkI7Cn0KCiNkeGszZXl6b3kzcCAubGFiZWxUZXh0IHsKICBmaWxsOiAjMkRCRDYwOwogIHN0cm9rZTogIzJEQkQ2MDsKfQoKI2R4azNleXpveTNwIC5sb29wVGV4dCB7CiAgZmlsbDogIzJEQkQ2MDsKICBzdHJva2U6ICMyREJENjA7Cn0KCiNkeGszZXl6b3kzcCAubG9vcExpbmUgewogIHN0cm9rZS13aWR0aDogMjsKICBzdHJva2UtZGFzaGFycmF5OiAnMiAyJzsKICBtYXJrZXItZW5kOiAndXJsKCNhcnJvd2hlYWQpJzsKICBzdHJva2U6ICMyREJENjA7Cn0KCiNkeGszZXl6b3kzcCAubm90ZSB7CiAgc3Ryb2tlOiAjMkRCRDYwOwogIGZpbGw6ICNGOUZGRkI7Cn0KCiNkeGszZXl6b3kzcCAubm90ZVRleHQgewogIGZpbGw6ICMyREJENjA7CiAgc3Ryb2tlOiAjMkRCRDYwOwp9CgoKI2R4azNleXpveTNwIC5zZWN0aW9uewogIG9wYWNpdHk6MTsKfQojZHhrM2V5em95M3AgLnNlY3Rpb24wLCNkeGszZXl6b3kzcCAgLnNlY3Rpb24yIHsKICBmaWxsOiAjRUNGN0YwOwp9CgojZHhrM2V5em95M3AgLnNlY3Rpb24xLAojZHhrM2V5em95M3AgLnNlY3Rpb24zIHsKICBmaWxsOiAjRkZGOwp9CiNkeGszZXl6b3kzcCAudGFza1RleHQwLAojZHhrM2V5em95M3AgLnRhc2tUZXh0MSwKI2R4azNleXpveTNwIC50YXNrVGV4dDIsCiNkeGszZXl6b3kzcCAudGFza1RleHQzIHsKICBmaWxsOiAjZmZmOwp9CgojZHhrM2V5em95M3AgLnRhc2swLAojZHhrM2V5em95M3AgLnRhc2sxLAojZHhrM2V5em95M3AgLnRhc2syLAojZHhrM2V5em95M3AgLnRhc2szIHsKICBmaWxsOiAjMkRCRDYwOwogIHN0cm9rZTogIzM1OUY1QTsKfQo8L3N0eWxlPjxzdHlsZT4jZHhrM2V5em95M3AgewogICAgY29sb3I6IHJnYigyNDQsIDI0NCwgMjQ0KTsKICAgIGZvbnQ6IG5vcm1hbCBub3JtYWwgbm9ybWFsIG5vcm1hbCAxNHB4LzIyLjM5OTk5OTYxODUzMDI3M3B4IG1vbm9zcGFjZTsKICB9PC9zdHlsZT48ZyB0cmFuc2Zvcm09InRyYW5zbGF0ZSgtMTIsIC0xMikiPjxnIGNsYXNzPSJvdXRwdXQiPjxnIGNsYXNzPSJjbHVzdGVycyI+PC9nPjxnIGNsYXNzPSJlZGdlUGF0aHMiPjxnIGNsYXNzPSJlZGdlUGF0aCIgc3R5bGU9Im9wYWNpdHk6IDE7Ij48cGF0aCBjbGFzcz0icGF0aCIgZD0iTTYzLjMyMDMxMjUsNTYuMjgxMjVMNjMuMzIwMzEyNSw4MS4yODEyNUwxNzQuMDU0Njg3NSwxMTYuMjQyNjY5MDI1MTU3MjMiIG1hcmtlci1lbmQ9InVybCgjYXJyb3doZWFkODg0KSIgc3R5bGU9InN0cm9rZTogIzMzMzsgc3Ryb2tlLXdpZHRoOiAxLjVweDtmaWxsOm5vbmUiPjwvcGF0aD48ZGVmcz48bWFya2VyIGlkPSJhcnJvd2hlYWQ4ODQiIHZpZXdCb3g9IjAgMCAxMCAxMCIgcmVmWD0iOSIgcmVmWT0iNSIgbWFya2VyVW5pdHM9InN0cm9rZVdpZHRoIiBtYXJrZXJXaWR0aD0iOCIgbWFya2VySGVpZ2h0PSI2IiBvcmllbnQ9ImF1dG8iPjxwYXRoIGQ9Ik0gMCAwIEwgMTAgNSBMIDAgMTAgeiIgY2xhc3M9ImFycm93aGVhZFBhdGgiIHN0eWxlPSJzdHJva2Utd2lkdGg6IDFweDsgc3Ryb2tlLWRhc2hhcnJheTogMXB4LCAwcHg7Ij48L3BhdGg+PC9tYXJrZXI+PC9kZWZzPjwvZz48ZyBjbGFzcz0iZWRnZVBhdGgiIHN0eWxlPSJvcGFjaXR5OiAxOyI+PHBhdGggY2xhc3M9InBhdGgiIGQ9Ik0xOTkuOTYwOTM3NSw1Ni4yODEyNUwxOTkuOTYwOTM3NSw4MS4yODEyNUwxOTkuOTYwOTM3NSwxMDYuMjgxMjUiIG1hcmtlci1lbmQ9InVybCgjYXJyb3doZWFkODg1KSIgc3R5bGU9InN0cm9rZTogIzMzMzsgc3Ryb2tlLXdpZHRoOiAxLjVweDtmaWxsOm5vbmUiPjwvcGF0aD48ZGVmcz48bWFya2VyIGlkPSJhcnJvd2hlYWQ4ODUiIHZpZXdCb3g9IjAgMCAxMCAxMCIgcmVmWD0iOSIgcmVmWT0iNSIgbWFya2VyVW5pdHM9InN0cm9rZVdpZHRoIiBtYXJrZXJXaWR0aD0iOCIgbWFya2VySGVpZ2h0PSI2IiBvcmllbnQ9ImF1dG8iPjxwYXRoIGQ9Ik0gMCAwIEwgMTAgNSBMIDAgMTAgeiIgY2xhc3M9ImFycm93aGVhZFBhdGgiIHN0eWxlPSJzdHJva2Utd2lkdGg6IDFweDsgc3Ryb2tlLWRhc2hhcnJheTogMXB4LCAwcHg7Ij48L3BhdGg+PC9tYXJrZXI+PC9kZWZzPjwvZz48ZyBjbGFzcz0iZWRnZVBhdGgiIHN0eWxlPSJvcGFjaXR5OiAxOyI+PHBhdGggY2xhc3M9InBhdGgiIGQ9Ik0zMzYuNjAxNTYyNSw1Ni4yODEyNUwzMzYuNjAxNTYyNSw4MS4yODEyNUwyMjUuODY3MTg3NSwxMTYuMjQyNjY5MDI1MTU3MjMiIG1hcmtlci1lbmQ9InVybCgjYXJyb3doZWFkODg2KSIgc3R5bGU9InN0cm9rZTogIzMzMzsgc3Ryb2tlLXdpZHRoOiAxLjVweDtmaWxsOm5vbmUiPjwvcGF0aD48ZGVmcz48bWFya2VyIGlkPSJhcnJvd2hlYWQ4ODYiIHZpZXdCb3g9IjAgMCAxMCAxMCIgcmVmWD0iOSIgcmVmWT0iNSIgbWFya2VyVW5pdHM9InN0cm9rZVdpZHRoIiBtYXJrZXJXaWR0aD0iOCIgbWFya2VySGVpZ2h0PSI2IiBvcmllbnQ9ImF1dG8iPjxwYXRoIGQ9Ik0gMCAwIEwgMTAgNSBMIDAgMTAgeiIgY2xhc3M9ImFycm93aGVhZFBhdGgiIHN0eWxlPSJzdHJva2Utd2lkdGg6IDFweDsgc3Ryb2tlLWRhc2hhcnJheTogMXB4LCAwcHg7Ij48L3BhdGg+PC9tYXJrZXI+PC9kZWZzPjwvZz48ZyBjbGFzcz0iZWRnZVBhdGgiIHN0eWxlPSJvcGFjaXR5OiAxOyI+PHBhdGggY2xhc3M9InBhdGgiIGQ9Ik0xOTkuOTYwOTM3NSwxNDIuNTYyNUwxOTkuOTYwOTM3NSwxNzUuNzAzMTI1TDE5OS45NjA5Mzc1LDIwOC44NDM3NSIgbWFya2VyLWVuZD0idXJsKCNhcnJvd2hlYWQ4ODcpIiBzdHlsZT0ic3Ryb2tlOiAjMzMzOyBzdHJva2Utd2lkdGg6IDEuNXB4O2ZpbGw6bm9uZSI+PC9wYXRoPjxkZWZzPjxtYXJrZXIgaWQ9ImFycm93aGVhZDg4NyIgdmlld0JveD0iMCAwIDEwIDEwIiByZWZYPSI5IiByZWZZPSI1IiBtYXJrZXJVbml0cz0ic3Ryb2tlV2lkdGgiIG1hcmtlcldpZHRoPSI4IiBtYXJrZXJIZWlnaHQ9IjYiIG9yaWVudD0iYXV0byI+PHBhdGggZD0iTSAwIDAgTCAxMCA1IEwgMCAxMCB6IiBjbGFzcz0iYXJyb3doZWFkUGF0aCIgc3R5bGU9InN0cm9rZS13aWR0aDogMXB4OyBzdHJva2UtZGFzaGFycmF5OiAxcHgsIDBweDsiPjwvcGF0aD48L21hcmtlcj48L2RlZnM+PC9nPjxnIGNsYXNzPSJlZGdlUGF0aCIgc3R5bGU9Im9wYWNpdHk6IDE7Ij48cGF0aCBjbGFzcz0icGF0aCIgZD0iTTE5OS45NjA5Mzc1LDI0NS4xMjVMMTk5Ljk2MDkzNzUsMjc4LjI2NTYyNUwxOTkuOTYwOTM3NSwzMTEuNDA2MjUiIG1hcmtlci1lbmQ9InVybCgjYXJyb3doZWFkODg4KSIgc3R5bGU9InN0cm9rZTogIzMzMzsgc3Ryb2tlLXdpZHRoOiAxLjVweDtmaWxsOm5vbmUiPjwvcGF0aD48ZGVmcz48bWFya2VyIGlkPSJhcnJvd2hlYWQ4ODgiIHZpZXdCb3g9IjAgMCAxMCAxMCIgcmVmWD0iOSIgcmVmWT0iNSIgbWFya2VyVW5pdHM9InN0cm9rZVdpZHRoIiBtYXJrZXJXaWR0aD0iOCIgbWFya2VySGVpZ2h0PSI2IiBvcmllbnQ9ImF1dG8iPjxwYXRoIGQ9Ik0gMCAwIEwgMTAgNSBMIDAgMTAgeiIgY2xhc3M9ImFycm93aGVhZFBhdGgiIHN0eWxlPSJzdHJva2Utd2lkdGg6IDFweDsgc3Ryb2tlLWRhc2hhcnJheTogMXB4LCAwcHg7Ij48L3BhdGg+PC9tYXJrZXI+PC9kZWZzPjwvZz48L2c+PGcgY2xhc3M9ImVkZ2VMYWJlbHMiPjxnIGNsYXNzPSJlZGdlTGFiZWwiIHRyYW5zZm9ybT0iIiBzdHlsZT0ib3BhY2l0eTogMTsiPjxnIHRyYW5zZm9ybT0idHJhbnNsYXRlKDAsMCkiIGNsYXNzPSJsYWJlbCI+PHJlY3Qgcng9IjAiIHJ5PSIwIiB3aWR0aD0iMCIgaGVpZ2h0PSIwIiBzdHlsZT0iZmlsbDojZThlOGU4OyI+PC9yZWN0Pjx0ZXh0Pjx0c3BhbiB4bWw6c3BhY2U9InByZXNlcnZlIiBkeT0iMWVtIiB4PSIxIj48L3RzcGFuPjwvdGV4dD48L2c+PC9nPjxnIGNsYXNzPSJlZGdlTGFiZWwiIHRyYW5zZm9ybT0iIiBzdHlsZT0ib3BhY2l0eTogMTsiPjxnIHRyYW5zZm9ybT0idHJhbnNsYXRlKDAsMCkiIGNsYXNzPSJsYWJlbCI+PHJlY3Qgcng9IjAiIHJ5PSIwIiB3aWR0aD0iMCIgaGVpZ2h0PSIwIiBzdHlsZT0iZmlsbDojZThlOGU4OyI+PC9yZWN0Pjx0ZXh0Pjx0c3BhbiB4bWw6c3BhY2U9InByZXNlcnZlIiBkeT0iMWVtIiB4PSIxIj48L3RzcGFuPjwvdGV4dD48L2c+PC9nPjxnIGNsYXNzPSJlZGdlTGFiZWwiIHRyYW5zZm9ybT0iIiBzdHlsZT0ib3BhY2l0eTogMTsiPjxnIHRyYW5zZm9ybT0idHJhbnNsYXRlKDAsMCkiIGNsYXNzPSJsYWJlbCI+PHJlY3Qgcng9IjAiIHJ5PSIwIiB3aWR0aD0iMCIgaGVpZ2h0PSIwIiBzdHlsZT0iZmlsbDojZThlOGU4OyI+PC9yZWN0Pjx0ZXh0Pjx0c3BhbiB4bWw6c3BhY2U9InByZXNlcnZlIiBkeT0iMWVtIiB4PSIxIj48L3RzcGFuPjwvdGV4dD48L2c+PC9nPjxnIGNsYXNzPSJlZGdlTGFiZWwiIHRyYW5zZm9ybT0idHJhbnNsYXRlKDE5OS45NjA5Mzc1LDE3NS43MDMxMjUpIiBzdHlsZT0ib3BhY2l0eTogMTsiPjxnIHRyYW5zZm9ybT0idHJhbnNsYXRlKC00MC42NjQwNjI1LC04LjAwNzgxMjUpIiBjbGFzcz0ibGFiZWwiPjxyZWN0IHJ4PSIwIiByeT0iMCIgd2lkdGg9IjU3Ljc4MTI1IiBoZWlnaHQ9IjE2LjI4MTI1IiBzdHlsZT0iZmlsbDojZThlOGU4OyI+PC9yZWN0Pjx0ZXh0Pjx0c3BhbiB4bWw6c3BhY2U9InByZXNlcnZlIiBkeT0iMWVtIiB4PSIxIj51c2VyLCByb2xlPC90c3Bhbj48L3RleHQ+PC9nPjwvZz48ZyBjbGFzcz0iZWRnZUxhYmVsIiB0cmFuc2Zvcm09InRyYW5zbGF0ZSgxOTkuOTYwOTM3NSwyNzguMjY1NjI1KSIgc3R5bGU9Im9wYWNpdHk6IDE7Ij48ZyB0cmFuc2Zvcm09InRyYW5zbGF0ZSgtNjQuOTYwOTM3NSwtOC4wMDc4MTI1KSIgY2xhc3M9ImxhYmVsIj48cmVjdCByeD0iMCIgcnk9IjAiIHdpZHRoPSIxMDMuODQzNzUiIGhlaWdodD0iMTYuMjgxMjUiIHN0eWxlPSJmaWxsOiNlOGU4ZTg7Ij48L3JlY3Q+PHRleHQ+PHRzcGFuIHhtbDpzcGFjZT0icHJlc2VydmUiIGR5PSIxZW0iIHg9IjEiPlRFQUMgJmFtcDsgY29uc3RyYWluPC90c3Bhbj48L3RleHQ+PC9nPjwvZz48L2c+PGcgY2xhc3M9Im5vZGVzIj48ZyBjbGFzcz0ibm9kZSIgaWQ9IkEiIHRyYW5zZm9ybT0idHJhbnNsYXRlKDYzLjMyMDMxMjUsMzguMTQwNjI1KSIgc3R5bGU9Im9wYWNpdHk6IDE7Ij48cmVjdCByeD0iMCIgcnk9IjAiIHg9Ii00My4zMjAzMTI1IiB5PSItMTguMTQwNjI1IiB3aWR0aD0iODYuNjQwNjI1IiBoZWlnaHQ9IjM2LjI4MTI1Ij48L3JlY3Q+PGcgY2xhc3M9ImxhYmVsIiB0cmFuc2Zvcm09InRyYW5zbGF0ZSgwLDApIj48ZyB0cmFuc2Zvcm09InRyYW5zbGF0ZSgtMzMuMzIwMzEyNSwtOC4xNDA2MjUpIj48dGV4dD48dHNwYW4geG1sOnNwYWNlPSJwcmVzZXJ2ZSIgZHk9IjFlbSIgeD0iMSI+TGludXjnlKjmiLcxPC90c3Bhbj48L3RleHQ+PC9nPjwvZz48L2c+PGcgY2xhc3M9Im5vZGUiIGlkPSJCIiB0cmFuc2Zvcm09InRyYW5zbGF0ZSgxOTkuOTYwOTM3NSwxMjQuNDIxODc1KSIgc3R5bGU9Im9wYWNpdHk6IDE7Ij48cmVjdCByeD0iMCIgcnk9IjAiIHg9Ii0yNS45MDYyNSIgeT0iLTE4LjE0MDYyNSIgd2lkdGg9IjUxLjgxMjUiIGhlaWdodD0iMzYuMjgxMjUiPjwvcmVjdD48ZyBjbGFzcz0ibGFiZWwiIHRyYW5zZm9ybT0idHJhbnNsYXRlKDAsMCkiPjxnIHRyYW5zZm9ybT0idHJhbnNsYXRlKC0xNS45MDYyNSwtOC4xNDA2MjUpIj48dGV4dD48dHNwYW4geG1sOnNwYWNlPSJwcmVzZXJ2ZSIgZHk9IjFlbSIgeD0iMSI+UkJBQzwvdHNwYW4+PC90ZXh0PjwvZz48L2c+PC9nPjxnIGNsYXNzPSJub2RlIiBpZD0iQyIgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoMTk5Ljk2MDkzNzUsMzguMTQwNjI1KSIgc3R5bGU9Im9wYWNpdHk6IDE7Ij48cmVjdCByeD0iMCIgcnk9IjAiIHg9Ii00My4zMjAzMTI1IiB5PSItMTguMTQwNjI1IiB3aWR0aD0iODYuNjQwNjI1IiBoZWlnaHQ9IjM2LjI4MTI1Ij48L3JlY3Q+PGcgY2xhc3M9ImxhYmVsIiB0cmFuc2Zvcm09InRyYW5zbGF0ZSgwLDApIj48ZyB0cmFuc2Zvcm09InRyYW5zbGF0ZSgtMzMuMzIwMzEyNSwtOC4xNDA2MjUpIj48dGV4dD48dHNwYW4geG1sOnNwYWNlPSJwcmVzZXJ2ZSIgZHk9IjFlbSIgeD0iMSI+TGludXjnlKjmiLcyPC90c3Bhbj48L3RleHQ+PC9nPjwvZz48L2c+PGcgY2xhc3M9Im5vZGUiIGlkPSJEIiB0cmFuc2Zvcm09InRyYW5zbGF0ZSgzMzYuNjAxNTYyNSwzOC4xNDA2MjUpIiBzdHlsZT0ib3BhY2l0eTogMTsiPjxyZWN0IHJ4PSIwIiByeT0iMCIgeD0iLTQzLjMyMDMxMjUiIHk9Ii0xOC4xNDA2MjUiIHdpZHRoPSI4Ni42NDA2MjUiIGhlaWdodD0iMzYuMjgxMjUiPjwvcmVjdD48ZyBjbGFzcz0ibGFiZWwiIHRyYW5zZm9ybT0idHJhbnNsYXRlKDAsMCkiPjxnIHRyYW5zZm9ybT0idHJhbnNsYXRlKC0zMy4zMjAzMTI1LC04LjE0MDYyNSkiPjx0ZXh0Pjx0c3BhbiB4bWw6c3BhY2U9InByZXNlcnZlIiBkeT0iMWVtIiB4PSIxIj5MaW51eOeUqOaItzM8L3RzcGFuPjwvdGV4dD48L2c+PC9nPjwvZz48ZyBjbGFzcz0ibm9kZSIgaWQ9IkUiIHRyYW5zZm9ybT0idHJhbnNsYXRlKDE5OS45NjA5Mzc1LDIyNi45ODQzNzUpIiBzdHlsZT0ib3BhY2l0eTogMTsiPjxyZWN0IHJ4PSIwIiByeT0iMCIgeD0iLTU1LjI1NzgxMjUiIHk9Ii0xOC4xNDA2MjUiIHdpZHRoPSIxMTAuNTE1NjI1IiBoZWlnaHQ9IjM2LjI4MTI1Ij48L3JlY3Q+PGcgY2xhc3M9ImxhYmVsIiB0cmFuc2Zvcm09InRyYW5zbGF0ZSgwLDApIj48ZyB0cmFuc2Zvcm09InRyYW5zbGF0ZSgtNDUuMjU3ODEyNSwtOC4xNDA2MjUpIj48dGV4dD48dHNwYW4geG1sOnNwYWNlPSJwcmVzZXJ2ZSIgZHk9IjFlbSIgeD0iMSI+cHJvY2VzcyB0eXBlKHMpPC90c3Bhbj48L3RleHQ+PC9nPjwvZz48L2c+PGcgY2xhc3M9Im5vZGUiIGlkPSJHIiB0cmFuc2Zvcm09InRyYW5zbGF0ZSgxOTkuOTYwOTM3NSwzMjkuNTQ2ODc1KSIgc3R5bGU9Im9wYWNpdHk6IDE7Ij48cmVjdCByeD0iMCIgcnk9IjAiIHg9Ii01Mi4zNjcxODc1IiB5PSItMTguMTQwNjI1IiB3aWR0aD0iMTA0LjczNDM3NSIgaGVpZ2h0PSIzNi4yODEyNSI+PC9yZWN0PjxnIGNsYXNzPSJsYWJlbCIgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoMCwwKSI+PGcgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoLTQyLjM2NzE4NzUsLTguMTQwNjI1KSI+PHRleHQ+PHRzcGFuIHhtbDpzcGFjZT0icHJlc2VydmUiIGR5PSIxZW0iIHg9IjEiPm9iamVjdCB0eXBlKHMpPC90c3Bhbj48L3RleHQ+PC9nPjwvZz48L2c+PC9nPjwvZz48L2c+PC9zdmc+

MLS/MCS

MLS从Linux 2.6.12开始进入Linux内核,而SELinux大约是2.6.0开始进入内核。MLS与原始的SELinux支持的TE, RBAC鉴权手段是一种互补。具体可以阅读参考文献[7]。这篇文章来自Trusted Computer Solutions, Inc.(TCS)这家公司,是Linux内核MLS模块主要的设计者。文章写于2006年,估计是MLS合入内核不久。

A combination of MLS and TE creates a stronger, more functional system that benefits from the strengths of the two complementary models.
MLS models do not lend themselves easily to static analysis.
TE has deficiencies in handling a large number of labels or a dynamic work set of label names, especially in contrast to integrity concerns.

现在的MLS借助了RBAC定义的constrain机制,扩展了constrain语法,定义了所谓的mlsconstrain语法规则。为SELinux提供了基于Classification(Sensitivity Level)和Compartment(Category)语意的权限检查。
MLS是原始SELinux的扩展,所以在使能SELinux的时候也是可选的。你可以选择带MLS的SELinux,也可以选择不带MLS的SELinux。例如,在Fedora下的步骤如下:

  1. Install SELinux package
dnf install selinux-policy-mls
  1. Configure /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=mls

核心概念

MLS的核心理念由下图阐释了。

引用[2]中的一段话:

MLS在安全策略上有一个形象的描述叫no write down和no read up:

  • 高级别的东西不能往低级别的东西里边写数据:这样可能导致高级别的数据泄露到低级别中。
  • 高级别的东西只能从低级别的东西里边读数据

如图4中,Process的级别是Confidential,它可以往同级别的File B中读写数据,但是只能往高级别的File A(级别是Secret)里边写东西。Process可以从File C和File D中读数据,但是不能往File C和File D上写数据。

反过来说:

  • 低级别的东西只能往高级别的东西里边写数据
  • 低级别的东西不能从高级别的东西那边读数据

注:这里只考虑泄不泄密,不考虑溢出攻击

实现MLS的具体手段

主要就是在TE,RBAC的secure context之上,加了sensitivity和category两个字段。使能了MLS的secure context,格式如下:

user:role:type:sensitivity[:category,...]- sensitivity [:category,...]

举个实际的例子:

user_u:role_r:type_t:s0-s1:c0,c1-c255

s0 -- 最低sensitivity
s1:c0,c1-c255 -- 最高sensitivity

注:s0啥都不带代表
s0 is the lowest classification and contains no compartments, thus dominated by every label on the system.

那么怎么利用这组标签?MLS引入了扩展的constrain语法,称为mlsconstrain,格式为:

mlsconstrain class perm_set expression;

对比constrain语法:

constrain object_class_set perm_set expression;

一样啊,没有区别啊!区别在于expression。MLS的expression多了下面几个东西:

  • l1, l2:小写的L。l1表示源的low senstivity level。l2表示target的low sensitivity。
  • h1, h2:小写的H。h1表示源的high senstivity level。h2表示target的high sensitivity。
  • l和h的关系,包括dom,domby,eq和incomp。

举个实际的例子:

 # Datagram send: Sender must be dominated by receiver unless one of them is trusted.
 mlsconstrain unix_dgram_socket { sendto }
          (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
# mlstrustedsubject 是attribute

只有在以下3个条件之一成立的情况下,subject才能调用unix_dgram_socket class的object的sendto permission:

  • l1 domby l2, l1 sensitivity小于l2 sensitivity
  • t1匹配或者t2匹配标签mlstrustedsubject

总结

引用[6]中的几张图做个总结。

SELinux 顶层架构

SELinux 决策流程

Show me the code

参考[8], 下图是MLS的鉴权流程,但实际上SELinux的TE,RABC,MLS都是通过secure context的判断来鉴权的,它们的实现位置应该是在一起的。

参考文献

  1. 深入理解SELinux SEAndroid(第一部分)
  2. 深入理解SELinux SEAndroid之二
  3. 从头开始生成 SELinux
  4. SELinux学习笔记
  5. SELinux初始化登录用户安全上下文的方法
  6. Linux 基础 - 13. SELinux
  7. Chad Hanson, "SELinux and MLS: Putting the Pieces Together",Trusted Computer Solutions, Inc., 2006
  8. Linux强制访问控制机制模块详细描述(1)
SELinux%20%3D%20Security%20Enhanced%20Linux%0A%3E%20%20%5BWiki%3A%20Security-Enhanced%20Linux%5D(https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FSecurity-Enhanced_Linux)%0A%3E%20**Security-Enhanced%20Linux%20(SELinux)**%20is%20a%20Linux%20kernel%20security%20module%20that%20provides%20a%20mechanism%20for%20supporting%20access%20control%20security%20policies%2C%20including%20mandatory%20access%20controls%20(MAC).%0A%3E%20SELinux%20is%20**a%20set%20of%20kernel%20modifications**%20and%20**user-space%20tools**%20that%20have%20been%20added%20to%20various%20Linux%20distributions.%20%0A%0ASELinux%E8%B5%B7%E6%BA%90%E4%BA%8E%E7%BE%8E%E5%9B%BD%E5%9B%BD%E5%AE%89%E5%B1%80(NSA)%E3%80%82%E5%AE%83%E7%9A%84%E5%89%8D%E8%BA%AB%E6%98%AFNSA%E7%9A%84%E4%B8%80%E4%B8%AA%E5%8F%ABFlask%E7%9A%84%E9%A1%B9%E7%9B%AE%EF%BC%8C%E5%90%8E%E6%9D%A5%EF%BC%8CNSA%E8%A7%89%E5%BE%97Linux%E6%9B%B4%E5%85%B7%E5%8F%91%E5%B1%95%E5%92%8C%E6%99%AE%E5%8F%8A%E5%89%8D%E6%99%AF%EF%BC%8C%E6%89%80%E4%BB%A5%E5%B0%B1%E5%9C%A8Linux%E7%B3%BB%E7%BB%9F%E4%B8%8A%E9%87%8D%E6%96%B0%E5%AE%9E%E7%8E%B0%E4%BA%86FLASK%EF%BC%8C%E7%A7%B0%E4%B9%8B%E4%B8%BASELinux%E3%80%82%0A%0A%E5%9C%A8%E7%BD%91%E7%BB%9C%E4%B8%8A%E6%B5%8F%E8%A7%88%E4%BA%86%E4%B8%8D%E5%B0%91%E8%B5%84%E6%96%99%E3%80%82%E6%9C%89%E5%87%A0%E7%AF%87%E5%86%99%E7%9A%84%E9%9D%9E%E5%B8%B8%E5%A5%BD%2C%E7%BD%97%E5%88%97%E5%9C%A8%E5%8F%82%E8%80%83%E6%96%87%E7%8C%AE%E4%B8%AD%2C%E6%96%B9%E4%BE%BF%E8%AF%BB%E8%80%85%E5%8F%82%E8%80%83%E5%BC%95%E7%94%A8%E3%80%82%0A%5B1%5D%E4%BB%8B%E7%BB%8D%E4%BA%86SELinux%E7%9A%84%E5%9F%BA%E6%9C%AC%E6%A6%82%E5%BF%B5%EF%BC%8C%E9%9D%9E%E5%B8%B8%E5%80%BC%E5%BE%97%E5%85%A5%E9%97%A8%E9%98%85%E8%AF%BB%E3%80%82%E5%8C%85%E6%8B%ACDAC%EF%BC%8CMAC%EF%BC%8CTEAC%EF%BC%88%E7%AE%80%E7%A7%B0TE%EF%BC%89%EF%BC%8CRBAC%EF%BC%8C%E4%BB%A5%E5%8F%8Apolicy%E6%96%87%E4%BB%B6%E7%9A%84%E8%AF%AD%E6%B3%95%0A%5B2%5D%E6%98%AF%5B1%5D%E7%9A%84%E5%A7%8A%E5%A6%B9%E7%AF%87%EF%BC%8C%E4%BB%8B%E7%BB%8D%E4%BA%86File%20Context%E5%92%8CMLS%E7%9A%84%E6%A6%82%E5%BF%B5%EF%BC%8C%E4%BB%A5%E5%8F%8A%E7%BC%96%E8%AF%91%E6%9E%84%E5%BB%BASELinux%E7%9A%84%E6%AD%A5%E9%AA%A4%E3%80%82%E7%9D%80%E9%87%8D%E4%BA%8E%E5%8A%A8%E6%89%8B%E9%83%A8%E5%88%86%0A%5B3%5D%E6%9C%AC%E6%9D%A5%E6%98%AF%E4%B8%80%E4%B8%AA%E9%9D%9E%E5%B8%B8%E5%A5%BD%E7%9A%84%E4%BB%8E%E5%A4%B4%E8%87%B3%E5%B0%BE%E6%8C%87%E5%AF%BC%E5%8A%A8%E6%89%8B%E6%9E%84%E5%BB%BASELinux%E7%9A%84%E6%95%99%E7%A8%8B%EF%BC%8C%E5%8F%AF%E6%83%9C%E6%96%87%E7%AB%A0%E4%B8%AD%E6%B6%89%E5%8F%8A%E7%9A%84%E6%BA%90%E7%A0%81%E7%89%88%E6%9C%AC%E8%BF%87%E4%BA%8E%E8%80%81%E4%BA%86%EF%BC%88Linux%202.6%EF%BC%8CGentoo%202006%E7%89%88%EF%BC%89%E3%80%82%E7%BC%96%E8%AF%91%E6%9E%84%E5%BB%BA%E7%9A%84%E6%97%B6%E5%80%99%E9%94%99%E8%AF%AF%E4%B8%8D%E6%96%AD%E3%80%82%E5%8F%AA%E8%83%BD%E6%84%8F%E4%BC%9A%E4%BA%86%EF%BC%8C%E5%8F%AF%E6%83%9C%E5%8F%AF%E6%83%9C%E3%80%82%0A%5B4%5D%E6%98%AF%E4%B8%80%E4%BB%BD%E6%96%87%E6%A1%A3%EF%BC%8C%E6%9C%80%E6%96%B0%E7%89%88%E6%9C%AC%E6%98%AF2012%E5%B9%B4%E6%9B%B4%E6%96%B0%E7%9A%84%E7%89%88%E6%9C%AC%EF%BC%8C%E8%B6%B3%E6%9C%89444%E9%A1%B5%EF%BC%8C%E5%AE%8C%E5%85%A8%E5%8F%AF%E4%BB%A5%E5%BD%93%E4%B8%80%E6%9C%ACSELinux%E7%9A%84%E5%85%A5%E9%97%A8%E4%B9%A6%E7%B1%8D%E6%9D%A5%E9%98%85%E8%AF%BB%E3%80%82%E6%88%91%E7%9B%AE%E5%89%8D%E8%BF%98%E6%B2%A1%E7%9C%8B%E5%AE%8C%EF%BC%8C%E4%BD%86%E6%98%AF%E4%BB%8E%E7%9B%AE%E5%BD%95%E7%BB%93%E6%9E%84%E6%9D%A5%E7%9C%8B%EF%BC%8C%E6%84%9F%E8%A7%89%E8%AF%A5%E6%9C%89%E7%9A%84%E9%83%BD%E6%9C%89%E5%80%BC%E5%BE%97%E5%A5%BD%E5%A5%BD%E7%9C%8B%E4%B8%80%E7%9C%8B%E3%80%82%0A%5B5%5D%5B6%5D%E6%98%AF%E4%B8%80%E4%BA%9B%E6%AF%94%E8%BE%83general%E7%9A%84%E7%9F%A5%E8%AF%86%E7%9A%84%E5%B8%96%E5%AD%90%EF%BC%8C%E4%B9%9F%E6%9C%89%E5%8F%AF%E5%8F%96%E4%B9%8B%E5%A4%84%EF%BC%8C%E5%8F%AF%E4%BB%A5%E4%BD%9C%E4%B8%BA%E5%8F%82%E8%80%83%0A%5B7%5D%E9%98%90%E8%BF%B0%E4%BA%86MLS%E7%9A%84%E7%94%B1%E6%9D%A5%E4%BB%A5%E5%8F%8A%E5%9F%BA%E6%9C%AC%E6%A6%82%E5%BF%B5%EF%BC%8C%E7%94%B1MLS%E5%BC%80%E5%8F%91%E8%80%85%E5%85%AC%E5%8F%B8%E5%86%99%E7%9A%84%EF%BC%8C%E4%BC%BC%E4%B9%8E%E6%AF%94%E8%BE%83%E6%9D%83%E5%A8%81%0A%5B8%5D%E6%8F%90%E5%88%B0%E4%BA%86%E4%B8%80%E4%BA%9B%E4%BB%A3%E7%A0%81%E5%85%A5%E5%8F%A3%EF%BC%8C%E9%98%85%E8%AF%BB%E4%BB%A3%E7%A0%81%E7%9A%84%E8%AF%9D%E5%8F%AF%E4%BB%A5%E4%BB%8E%E5%85%B6%E4%B8%AD%E6%89%A9%E5%B1%95%E5%BC%80%E5%8E%BB%0A%0A%E6%9C%AC%E6%96%87%E4%B8%BB%E8%A6%81%E6%B3%A8%E9%87%8D%E7%90%86%E6%B8%85SELinux%E5%AE%9E%E7%8E%B0%E5%AE%89%E5%85%A8%E9%98%B2%E6%8A%A4%E7%9A%84%E6%80%9D%E8%B7%AF%EF%BC%8C%E4%B8%8D%E6%B6%89%E5%8F%8A%E5%85%B7%E4%BD%93%E8%AF%AD%E6%B3%95%E8%A7%A3%E9%87%8A%E3%80%82%E5%8F%A6%E5%A4%96%E8%BF%98%E4%BC%9A%E5%86%8D%E5%86%99%E4%B8%80%E7%AF%87%E7%9D%80%E9%87%8D%E4%BB%8B%E7%BB%8D%E5%9C%A8Linux%E7%94%A8%E6%88%B7%E6%80%81%E4%BD%BF%E8%83%BDSELinux%EF%BC%8C%E5%B9%B6%E4%BF%AE%E6%94%B9%E6%88%96%E6%B7%BB%E5%8A%A0SELinux%E7%AD%96%E7%95%A5%20%0A%0A%E5%A6%82%E6%9E%9C%E9%9C%80%E8%A6%81%E7%90%86%E8%A7%A3%E5%85%B7%E4%BD%93%E8%AF%AD%E6%B3%95%E5%8F%AF%E4%BB%A5%E5%8F%82%E8%80%83%E6%96%87%E7%8C%AE%5B1%5D%E3%80%82%E4%BB%A5%E5%8F%8AAndroid%E6%BA%90%E7%A0%81%E4%B8%BA%E4%BE%8B%EF%BC%8C%E5%8F%AF%E5%8F%82%E8%80%83%E9%93%BE%E6%8E%A5%5B%E5%AE%9E%E7%8E%B0%20SELinux%5D(https%3A%2F%2Fsource.android.com%2Fsecurity%2Fselinux%2Fimplement)%E3%80%82Android%E7%B3%BB%E7%BB%9F%E7%AD%96%E7%95%A5%E6%96%87%E4%BB%B6(.te)%E4%BD%8D%E7%BD%AE%E5%9C%A8%60system%2Fsepolicy%60%2C%60device%2F%3Cmanufacturer%3E%2F%3Cdevice-name%3E%2Fsepolicy%60%E3%80%82%0A%0A%23%23%20SELinux%E6%8F%90%E4%BE%9B%E7%9A%84%E9%98%B2%E6%8A%A4%E6%89%8B%E6%AE%B5%0A%E4%BB%8EWiki%20SELinux%E7%9A%84%E5%AE%9A%E4%B9%89%E5%B0%B1%E8%83%BD%E7%9C%8B%E5%87%BA%EF%BC%8CSELinux%E7%9A%84%E6%A0%B8%E5%BF%83%E5%B0%B1%E6%98%AF%E6%8F%90%E4%BE%9B%E4%BA%86%E4%B8%80%E5%A5%97MAC%E7%9A%84%E6%9D%83%E9%99%90%E7%AE%A1%E7%90%86%E3%80%82MAC%E5%85%A8%E7%A7%B0%E4%B8%BAMandatory%20Access%20Control%EF%BC%88%E4%B8%AA%E4%BA%BA%E7%90%86%E8%A7%A3%EF%BC%9AMAC%24%5Capprox%24TEAC%EF%BC%89%E3%80%82%E5%86%8D%E8%BE%85%E4%BB%A5%E5%85%B6%E4%BB%96%E4%B8%80%E7%B3%BB%E5%88%97%E8%BE%85%E5%8A%A9%E6%89%8B%E6%AE%B5%EF%BC%8C%E6%9D%A5%E8%BE%BE%E5%88%B0%E7%BB%9D%E5%AF%B9%E7%9A%84%E5%AE%89%E5%85%A8%EF%BC%88%E5%BD%93%E7%84%B6%E4%B8%96%E7%95%8C%E4%B8%8A%E5%8F%AA%E6%9C%89%E7%9B%B8%E5%AF%B9%E5%AE%89%E5%85%A8%EF%BC%8C%E6%B2%A1%E6%9C%89%E7%BB%9D%E5%AF%B9%E7%9A%84%E5%AE%89%E5%85%A8%EF%BC%89%E3%80%82%E6%9C%AC%E7%AB%A0%E5%B0%B1%E9%80%90%E4%B8%80%E4%BB%8B%E7%BB%8D%E8%BF%99%E4%BA%9B%E6%89%8B%E6%AE%B5%E3%80%82%0A%23%23%23%20DAC%20vs.%20MAC%0ADAC%20%3D%20Discretionary%20Access%20Control%EF%BC%8C%E4%B9%9F%E5%B0%B1%E6%98%AFLinux%E7%B3%BB%E7%BB%9F%E6%8F%90%E4%BE%9B%E7%BB%99%E6%88%91%E4%BB%AC%E7%9A%84%E5%9F%BA%E6%9C%AC%E7%9A%84%E6%9D%83%E9%99%90%E7%AE%A1%E7%90%86%EF%BC%8C%E4%BE%8B%E5%A6%82%E5%A6%82%E4%B8%8B%60ls%20-l%60%E8%BE%93%E5%87%BA%EF%BC%9A%0A%60%60%60%0Adrwx------%2B%2019%20user%20%20staff%20%20%20%20%20%20%20608%2010%2027%2010%3A07%20Desktop%0Adrwx------%2B%2017%20user%20%20staff%20%20%20%20%20%20%20544%20%208%2016%2021%3A39%20Documents%0Adrwx------%2B%2031%20user%20%20staff%20%20%20%20%20%20%20992%2011%2027%2019%3A51%20Downloads%0A%60%60%60%0A-%20user%E5%B0%B1%E6%98%AF%E8%AF%A5%E6%96%87%E4%BB%B6%E7%9A%84%E6%8B%A5%E6%9C%89%E8%80%85ID%EF%BC%88%E5%8D%B3UID%EF%BC%89%EF%BC%8Cstaff%E6%98%AFuser%E7%9A%84%E7%BB%84ID%EF%BC%88GID%EF%BC%89%0A-%20%60rwx------%60%E5%B0%B1%E6%98%AF%E6%88%91%E4%BB%AC%E9%80%9A%E5%B8%B8%E8%AF%B4%E7%9A%84%E6%9D%83%E9%99%90%E7%BB%84%EF%BC%8C%E6%AF%8F%E4%B8%89%E4%B8%AA%E5%AD%97%E6%AF%8D%E4%BB%A3%E8%A1%A8%E4%B8%80%E7%A7%8D%E6%9D%83%E9%99%90%E6%A0%87%E8%AE%B0%0A%20%20%20%20-%20rwx%E5%88%86%E5%88%AB%E8%A1%A8%E7%A4%BA%E5%8F%AF%E8%AF%BB%EF%BC%8C%E5%8F%AF%E5%86%99%EF%BC%8C%E5%8F%AF%E6%89%A7%E8%A1%8C%20%20%0A%20%20%20%20-%20%5B1..3%5D%20%E8%A1%A8%E7%A4%BA%E6%8B%A5%E6%9C%89%E8%80%85%E7%9A%84%E6%9D%83%E9%99%90%0A%20%20%20%20-%20%5B4..6%5D%20%E8%A1%A8%E7%A4%BA%E4%B8%8E%E6%8B%A5%E6%9C%89%E8%80%85%E5%90%8C%E7%BB%84%E7%9A%84%E7%94%A8%E6%88%B7%E7%9A%84%E6%9D%83%E9%99%90%0A%20%20%20%20-%20%5B7..9%5D%20%E8%A1%A8%E7%A4%BA%E5%85%B6%E4%BB%96%E7%94%A8%E6%88%B7%E7%9A%84%E6%9D%83%E9%99%90%0A%20%20%20%20-%20%60rwx------%60%E6%8D%A2%E7%AE%97%E6%88%908%E8%BF%9B%E5%88%B6%EF%BC%8C%E4%B9%9F%E5%B0%B1%E6%98%AF%E6%88%91%E4%BB%AC%E5%B8%B8%E8%AF%B4%E7%9A%84700%E6%9D%83%E9%99%90%EF%BC%8C%E4%BB%80%E4%B9%88644%E5%95%8A%EF%BC%8C777%E5%95%8A%E9%83%BD%E5%8F%AF%E4%BB%A5%E8%BF%99%E6%A0%B7%E6%8D%A2%E7%AE%97%0A%20%20%20%20%0ALinux%E5%9F%BA%E4%BA%8E%E5%9F%BA%E6%9C%AC%E7%9A%84UID%E5%92%8CGID%E5%8D%B3%E5%8F%AF%E4%BB%A5%E6%9C%89%E5%9F%BA%E6%9C%AC%E7%9A%84%E6%9D%83%E9%99%90%E6%8E%A7%E5%88%B6%E3%80%82DAC%E7%9A%84%E7%BC%BA%E9%99%B7%E5%9C%A8%E4%BA%8E%EF%BC%8C%E4%BB%96%E6%9C%89%E4%B8%80%E4%B8%AA%E8%B6%85%E7%BA%A7%E7%94%A8%E6%88%B7root%EF%BC%8C%E5%BD%93%E4%B8%80%E6%97%A6%E9%BB%91%E5%AE%A2%E9%80%9A%E8%BF%87%E6%BC%8F%E6%B4%9E%E5%AE%8C%E6%88%90%E4%BA%86%E6%8F%90%E6%9D%83%E6%93%8D%E4%BD%9C%EF%BC%8C%E9%82%A3%E4%B9%88%E6%89%80%E6%9C%89%E7%9A%84%E8%BF%99%E4%BA%9B%E6%9D%83%E9%99%90%E6%8E%A7%E5%88%B6%E5%B0%B1%E5%A4%B1%E6%95%88%E4%BA%86%E3%80%82%E6%89%80%E4%BB%A5NSA%E6%89%8D%E5%81%9A%E4%BA%86%E8%BF%99%E4%B9%88%E4%B8%80%E5%A5%97MAC%E6%9C%BA%E5%88%B6%E3%80%82%0A%3E%20MAC%E7%9A%84%E5%A4%84%E4%B8%96%E5%93%B2%E5%AD%A6%E9%9D%9E%E5%B8%B8%E7%AE%80%E5%8D%95%EF%BC%9A%E5%8D%B3%E4%BB%BB%E4%BD%95%E8%BF%9B%E7%A8%8B%E6%83%B3%E5%9C%A8SELinux%E7%B3%BB%E7%BB%9F%E4%B8%AD%E5%B9%B2%E4%BB%BB%E4%BD%95%E4%BA%8B%E6%83%85%EF%BC%8C%E9%83%BD%E5%BF%85%E9%A1%BB%E5%85%88%E5%9C%A8**%E5%AE%89%E5%85%A8%E7%AD%96%E7%95%A5%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6**%E4%B8%AD%E8%B5%8B%E4%BA%88%E6%9D%83%E9%99%90%E3%80%82%E5%87%A1%E6%98%AF%E6%B2%A1%E6%9C%89%E5%87%BA%E7%8E%B0%E5%9C%A8%E5%AE%89%E5%85%A8%E7%AD%96%E7%95%A5%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6%E4%B8%AD%E7%9A%84%E6%9D%83%E9%99%90%EF%BC%8C%E8%BF%9B%E7%A8%8B%E5%B0%B1%E6%B2%A1%E6%9C%89%E8%AF%A5%E6%9D%83%E9%99%90%E3%80%82%5B1%5D%0A%0A%23%23%23%20TEAC%0ATEAC%20%3D%20Type%20Enforcement%20Accesc%20Control%EF%BC%8C%E7%AE%80%E7%A7%B0TE%E3%80%82%0A%3ELinux%E4%B8%AD%E6%9C%89%E4%B8%A4%E7%A7%8D%E4%B8%9C%E8%A5%BF%EF%BC%8C%E4%B8%80%E7%A7%8D%E6%AD%BB%E7%9A%84%EF%BC%88Inactive%EF%BC%89%EF%BC%8C%E4%B8%80%E7%A7%8D%E6%B4%BB%E7%9A%84%EF%BC%88Active%EF%BC%89%E3%80%82%E6%AD%BB%E7%9A%84%E4%B8%9C%E8%A5%BF%E5%B0%B1%E6%98%AF%E6%96%87%E4%BB%B6%EF%BC%88Linux%E5%93%B2%E5%AD%A6%EF%BC%8C%E4%B8%87%E7%89%A9%E7%9A%86%E6%96%87%E4%BB%B6%E3%80%82%E6%B3%A8%E6%84%8F%EF%BC%8C%E4%B8%87%E4%B8%8D%E5%8F%AF%E7%8B%AD%E4%B9%89%E8%A7%A3%E9%87%8A%E4%B8%BAFile%EF%BC%89%EF%BC%8C%E8%80%8C%E6%B4%BB%E7%9A%84%E4%B8%9C%E8%A5%BF%E5%B0%B1%E6%98%AF%E8%BF%9B%E7%A8%8B%E3%80%82%E6%AD%A4%E5%A4%84%E7%9A%84%E2%80%9C%E6%AD%BB%E2%80%9D%E5%92%8C%E2%80%9C%E6%B4%BB%E2%80%9D%E6%98%AF%E4%B8%80%E7%A7%8D%E6%AF%94%E5%96%BB%EF%BC%8C%E6%98%A0%E5%B0%84%E5%88%B0%E8%BD%AF%E4%BB%B6%E5%B1%82%E9%9D%A2%E7%9A%84%E6%84%8F%E6%80%9D%E6%98%AF%EF%BC%9A%E8%BF%9B%E7%A8%8B%E8%83%BD%E5%8F%91%E8%B5%B7%E5%8A%A8%E4%BD%9C%EF%BC%8C%E4%BE%8B%E5%A6%82%E5%AE%83%E8%83%BD%E6%89%93%E5%BC%80%E6%96%87%E4%BB%B6%E5%B9%B6%E6%93%8D%E4%BD%9C%E5%AE%83%E3%80%82%E8%80%8C%E6%96%87%E4%BB%B6%E5%8F%AA%E8%83%BD%E8%A2%AB%E8%BF%9B%E7%A8%8B%E6%93%8D%E4%BD%9C%E3%80%82%5B1%5D%0A%0A%E6%89%80%E8%B0%93%E7%9A%84TEAC%E5%B0%B1%E6%98%AF%E4%B8%A4%E4%B8%AA%E4%B8%9C%E8%A5%BF%E7%9A%84Type%E8%A6%81%E5%8C%B9%E9%85%8D%E4%B8%8A%E3%80%82Type%E6%98%AF%E5%95%A5%EF%BC%9F%0A%23%23%23%23%20%E8%BF%9B%E7%A8%8B%E7%9A%84Type%0A%E5%AF%B9%E4%BA%8E%E8%BF%9B%E7%A8%8B%EF%BC%8C%E7%9C%8B%E4%B8%80%E4%B8%8B%60ps%20-Z%60%E5%91%BD%E4%BB%A4%E7%9A%84%E8%BE%93%E5%87%BA%EF%BC%9A%0A%60%60%60%0ALABEL%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20USER%20%20%20%20%20%20%20%20%20%20%20PID%20%20PPID%20%20%20%20%20VSZ%20%20%20%20RSS%20WCHAN%0Au%3Ar%3Ashell%3As0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20shell%20%20%20%20%20%20%20%20%203097%20%201427%20%20%20%205752%20%20%203024%20sigsuspe%2B%0Au%3Ar%3Ashell%3As0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20shell%20%20%20%20%20%20%20%20%203100%20%203097%20%20%20%207320%20%20%203228%200%0A%60%60%60%0A%E4%B8%8A%E9%9D%A2%E7%9A%84%E5%91%BD%E4%BB%A4%E5%9C%A8Android%20adb%20shell%E4%B8%AD%E8%BF%90%E8%A1%8C%E8%BE%93%E5%87%BA%E3%80%82%E8%BF%99%E4%B8%AA%60u%3Ar%3Ashell%3As0%60%E5%B0%B1%E6%98%AF%E4%B8%80%E4%B8%AA%E8%BF%9B%E7%A8%8B%E7%9A%84%E6%A0%87%E7%AD%BE%EF%BC%8C%E5%85%B6%E4%B8%AD%EF%BC%9A%0A-%20u%3ASELinux%E5%AE%9A%E4%B9%89%E7%9A%84%E4%B8%80%E4%B8%AA%E7%94%A8%E6%88%B7%EF%BC%8C%E8%BF%99%E4%B8%AA%E7%94%A8%E6%88%B7%E4%B8%8D%E5%90%8C%E4%BA%8ELinux%E7%9A%84%E7%B3%BB%E7%BB%9F%E7%94%A8%E6%88%B7%EF%BC%8C%E5%85%B7%E4%BD%93%E5%8F%82%E7%9C%8B%E5%90%8E%E9%9D%A2%E7%9A%84%E7%94%A8%E6%88%B7%E4%B8%8E%E8%A7%92%E8%89%B2%E4%B8%80%E8%8A%82%E3%80%82%0A-%20r%3ASELinux%E5%AE%9A%E4%B9%89%E7%9A%84%E4%B8%80%E4%B8%AA%E8%A7%92%E8%89%B2%EF%BC%88role%EF%BC%89%EF%BC%8C%E5%9C%A8policy%E6%8F%8F%E8%BF%B0%E8%AF%AD%E8%A8%80%E4%B8%AD%EF%BC%8C%E5%8F%AF%E4%BB%A5%E7%94%A8%60role%60%E5%85%B3%E9%94%AE%E5%AD%97%E6%9D%A5%E5%AE%9A%E4%B9%89%0A-%20shell%3A%E5%B0%B1%E6%98%AF%E6%88%91%E4%BB%AC%E8%A6%81%E7%9A%84Type%E4%BA%86%EF%BC%8CSELinux%E4%B8%AD%E7%A7%B0%E4%B8%BADomain%EF%BC%8C%E5%9C%A8policy%E6%8F%8F%E8%BF%B0%E8%AF%AD%E8%A8%80%E4%B8%AD%EF%BC%8C%E5%8F%AF%E4%BB%A5%E7%94%A8%60type%60%E6%88%96%E8%80%85%60attribute%60%E5%85%B3%E9%94%AE%E5%AD%97%E6%9D%A5%E5%AE%9A%E4%B9%89%0A-%20s0%3A%E6%98%AF%E5%AE%89%E5%85%A8%E7%BA%A7%E5%88%AB%EF%BC%8CMLS%E4%BC%9A%E7%94%A8%E5%88%B0%E7%9A%84%E4%B8%9C%E8%A5%BF%0A%0A%3E**%E7%89%B9%E5%88%AB%E6%B3%A8%E6%84%8F**%EF%BC%9A%E5%AF%B9%E5%88%9D%E5%AD%A6%E8%80%85%E8%80%8C%E8%A8%80%EF%BC%8Cattribute%E5%92%8Ctype%E7%9A%84%E5%85%B3%E7%B3%BB%E6%9C%80%E9%9A%BE%E7%90%86%E8%A7%A3%EF%BC%8C%E5%9B%A0%E4%B8%BA%E2%80%9Cattribute%E2%80%9D%E8%BF%99%E4%B8%AA%E5%85%B3%E9%94%AE%E8%AF%8D%E5%AE%9E%E5%9C%A8%E6%98%AF%E6%B2%A1%E5%8F%96%E5%A5%BD%E5%90%8D%E5%AD%97%EF%BC%8C%E5%BE%88%E5%AE%B9%E6%98%93%E4%BA%A7%E7%94%9F%E8%AF%AF%E8%A7%A3%EF%BC%9A%0A%3E%0A%3E%E5%AE%9E%E9%99%85%E4%B8%8A%EF%BC%8C**type%E5%92%8Cattribute%E4%BD%8D%E4%BA%8E%E5%90%8C%E4%B8%80%E4%B8%AA%E5%91%BD%E5%90%8D%E7%A9%BA%E9%97%B4**%EF%BC%8C%E5%8D%B3%E4%B8%8D%E8%83%BD%E7%94%A8type%E5%91%BD%E4%BB%A4%E5%92%8Cattribute%E5%91%BD%E4%BB%A4%E5%AE%9A%E4%B9%89%E7%9B%B8%E5%90%8C%E5%90%8D%E5%AD%97%E7%9A%84%E4%B8%9C%E8%A5%BF%E3%80%82%0A%E5%85%B6%E5%AE%9E%EF%BC%8Cattribute%E7%9C%9F%E6%AD%A3%E7%9A%84%E6%84%8F%E6%80%9D%E5%BA%94%E8%AF%A5%E6%98%AF%E7%B1%BB%E4%BC%BCtype%EF%BC%88%E6%88%96domain%EF%BC%89%20group%E8%BF%99%E6%A0%B7%E7%9A%84%E6%A6%82%E5%BF%B5%E3%80%82%E6%AF%94%E5%A6%82%EF%BC%8C%E5%B0%86type%20A%E5%92%8Cattribute%20B%E5%85%B3%E8%81%94%E8%B5%B7%E6%9D%A5%EF%BC%8C%E5%B0%B1%E6%98%AF%E8%AF%B4type%20A%E5%B1%9E%E4%BA%8Egroup%20B%E4%B8%AD%E7%9A%84%E4%B8%80%E5%91%98%E3%80%82%0A%0A%23%23%23%23%20%E6%96%87%E4%BB%B6%E7%9A%84Type%0A%E5%AF%B9%E4%BA%8E%E6%96%87%E4%BB%B6%EF%BC%8C%E5%8F%AF%E4%BB%A5%E5%8F%82%E8%80%83%60ls%20-Z%60%E7%9A%84%E8%BE%93%E5%87%BA%EF%BC%9A%0A%60%60%60%0Au%3Aobject_r%3Acgroup%3As0%20%20%20%20%20%20%20%20%20%20%20acct%0Au%3Aobject_r%3Arootfs%3As0%20%20%20%20%20%20%20%20%20%20%20bugreports%0Au%3Aobject_r%3Acache_file%3As0%20%20%20%20%20%20%20cache%0Au%3Aobject_r%3Arootfs%3As0%20%20%20%20%20%20%20%20%20%20%20charger%0Au%3Aobject_r%3Aconfigfs%3As0%20%20%20%20%20%20%20%20%20config%0A%60%60%60%0A%60u%3Aobject_r%3Arootfs%3As0%60%E5%B0%B1%E6%98%AF%E4%B8%80%E4%B8%AA%E6%96%87%E4%BB%B6%E7%9A%84%E6%A0%87%E7%AD%BE%E3%80%82%E6%98%AF%E4%B8%8D%E6%98%AF%E5%92%8C%E8%BF%9B%E7%A8%8B%E7%9A%84%E9%9D%9E%E5%B8%B8%E7%B1%BB%E4%BC%BC%EF%BC%9F%0A-%20u%3A%20%E4%BB%A3%E8%A1%A8%E5%88%9B%E5%BB%BA%E8%BF%99%E4%B8%AA%E6%96%87%E4%BB%B6%E7%9A%84SELinux%20user%20ID%E3%80%82%E6%B3%A8%E6%84%8F%E6%98%AFSELinux%E5%AE%9A%E4%B9%89%E7%9A%84%E7%94%A8%E6%88%B7%EF%BC%8C%E5%B9%B6%E4%B8%8D%E7%9B%B4%E6%8E%A5%E5%AF%B9%E5%BA%94Linux%E7%9A%84%E7%94%A8%E6%88%B7%E7%B3%BB%E7%BB%9F%EF%BC%8C%E4%B8%A4%E8%80%85%E6%9C%89%E4%B8%80%E4%B8%AA%E6%98%A0%E5%B0%84%E5%85%B3%E7%B3%BB%0A-%20object_r%3A%20%E6%98%AF%E8%BF%99%E4%B8%AA%E6%96%87%E4%BB%B6%E7%9A%84role%EF%BC%8C%E6%89%80%E6%9C%89%E7%9A%84%E6%96%87%E4%BB%B6%E7%9A%84role%E9%83%BD%E6%98%AFobject_r%0A-%20rootfs%3A%20%E5%B0%B1%E6%98%AF%E8%BF%99%E4%B8%AA%E6%96%87%E4%BB%B6%E7%9A%84Type%0A-%20s0%3A%20%E5%92%8C%E8%BF%9B%E7%A8%8B%E4%B8%80%E6%A0%B7%EF%BC%8C%E8%BF%99%E4%B8%AA%E4%B9%9F%E6%98%AF%E5%AE%89%E5%85%A8%E7%BA%A7%E5%88%AB%EF%BC%8C%E7%94%A8%E4%BA%8EMLS%E7%9A%84%0A%0A%23%23%23%23%20%E5%A6%82%E4%BD%95%E5%85%B3%E8%81%94%E8%BF%99%E4%B8%A4%E4%B8%AAType%EF%BC%9F%0A%E5%BD%93%E6%AF%8F%E4%B8%80%E4%B8%AA%E8%BF%9B%E7%A8%8B%E5%92%8C%E6%AF%8F%E4%B8%80%E4%B8%AA%E6%96%87%E4%BB%B6%E6%9C%89%E4%BA%86Type%E4%B9%8B%E5%90%8E%EF%BC%8CSELinux%E5%B0%B1%E5%8F%AF%E4%BB%A5%E5%8C%B9%E9%85%8D%E4%B8%A4%E8%80%85%E4%B9%8B%E9%97%B4%E7%9A%84Type%E6%9D%A5%E9%89%B4%E6%9D%83%E3%80%82%E5%85%B7%E4%BD%93%E7%9A%84%E5%81%9A%E6%B3%95%EF%BC%8C%E4%B9%9F%E5%B0%B1%E6%98%AFpolicy%E6%96%87%E4%BB%B6%E5%81%9A%E7%9A%84%E4%BA%8B%E6%83%85%E2%80%94%E2%80%94%E5%AE%9A%E4%B9%89%E8%A7%84%E5%88%99%E3%80%82%E4%B8%8B%E9%9D%A2%E6%98%AF%E4%B8%80%E4%B8%AA%E8%A7%84%E5%88%99%E7%9A%84%E4%BE%8B%E5%AD%90%EF%BC%9A%0A%60%60%60%0Aallow%20netd%20proc%3Afile%20write%0A%60%60%60%0A%E7%BF%BB%E8%AF%91%E6%88%90%E4%BA%BA%E7%B1%BB%E8%AF%AD%E8%A8%80%E5%B0%B1%E6%98%AF%EF%BC%9A%E5%85%81%E8%AE%B8netd%E7%B1%BB%E5%9E%8B%E7%9A%84process%EF%BC%8C%E4%BD%BF%E7%94%A8%EF%BC%88%E8%AE%BF%E9%97%AE%EF%BC%89type%E4%B8%BAproc%EF%BC%8Cclass%E4%B8%BAfile%E7%9A%84%E6%96%87%E4%BB%B6%E7%9A%84write%E6%93%8D%E4%BD%9C%E3%80%82%0A-%20allow%E6%98%AF%E5%AE%9A%E4%B9%89%E8%A7%84%E5%88%99%E7%9A%84%E5%8A%A8%E8%AF%8D%EF%BC%8C%E7%B1%BB%E4%BC%BC%E7%9A%84%E8%BF%98%E6%9C%89allowaudit%E3%80%81dontaudit%E3%80%81neverallow%E7%AD%89%E3%80%82%0A-%20netd%E6%98%AF%E8%BF%9B%E7%A8%8B%E7%9A%84Type%0A-%20proc%E6%98%AF%E6%96%87%E4%BB%B6%E7%9A%84Type%0A-%20file%E6%98%AF%E6%96%87%E4%BB%B6%E7%9A%84class%EF%BC%8C%E5%9B%A0%E4%B8%BA%E4%B8%8D%E5%90%8Cclass%E7%9A%84%E6%96%87%E4%BB%B6%E6%9C%89%E4%B8%8D%E5%90%8C%E7%9A%84%E6%93%8D%E4%BD%9C%E7%B1%BB%E5%9E%8B%EF%BC%8C%E4%BE%8B%E5%A6%82socket%E6%96%87%E4%BB%B6%E5%92%8C%E6%99%AE%E9%80%9A%E6%96%87%E4%BB%B6%E8%82%AF%E5%AE%9A%E4%B8%8D%E5%90%8C%EF%BC%8C%E8%AE%BE%E5%A4%87%E6%96%87%E4%BB%B6%E5%92%8C%E6%99%AE%E9%80%9A%E6%96%87%E4%BB%B6%E4%B9%9F%E4%B8%80%E5%AE%9A%E4%B8%8D%E5%90%8C%E7%AD%89%E7%AD%89%E3%80%82class%E5%90%8Cpolicy%E8%AF%AD%E8%A8%80%E7%9A%84%E5%85%B6%E4%BB%96%E7%B1%BB%E5%9E%8B%E4%B8%80%E6%A0%B7%EF%BC%8C%E4%B9%9F%E5%8F%AF%E4%BB%A5%E5%9C%A8%E6%96%87%E4%BB%B6%E4%B8%AD%E5%AE%9A%E4%B9%89%EF%BC%8C%E5%85%B6%E4%BD%BF%E7%94%A8%E7%9A%84%E5%85%B3%E9%94%AE%E5%AD%97%E5%B0%B1%E6%98%AFclass%0A-%20write%E6%98%AF%E8%AF%A5%E8%A7%84%E5%88%99%E6%B6%89%E5%8F%8A%E7%9A%84%E6%9D%83%E9%99%90%E9%9B%86(PermSet)%EF%BC%8C%E5%AE%83%E5%8F%AF%E4%BB%A5%E4%B8%8D%E5%8F%AA%E4%B8%80%E4%B8%AA%EF%BC%8C%E5%A6%82%E6%9E%9C%E6%98%AF%E5%A4%9A%E4%B8%AA%E6%9D%83%E9%99%90%EF%BC%8C%E5%88%99%E7%94%A8%E5%A4%A7%E6%8B%AC%E5%8F%B7%E5%8C%85%E8%B5%B7%E6%9D%A5%0A%0A%23%23%23%23%20%E6%80%BB%E7%BB%93%0A%E6%89%80%E4%BB%A5%EF%BC%8C%E6%95%B4%E4%B8%AATE%E7%9A%84%E6%A0%B8%E5%BF%83%E5%B0%B1%E6%98%AF%EF%BC%8C**%E5%AE%9A%E4%B9%89%E4%B8%80%E7%BB%84%E8%BF%9B%E7%A8%8BType%E5%92%8C%E6%96%87%E4%BB%B6Type%EF%BC%8C%E4%BB%A5%E5%8F%8A%E4%B8%80%E7%BB%84class%E5%92%8Cclass%20permset%EF%BC%8C%E7%84%B6%E5%90%8E%E7%94%A8%E8%A7%84%E5%88%99%E6%96%87%E4%BB%B6%E5%B0%86%E5%AE%83%E4%BB%AC%E5%85%B3%E8%81%94%E8%B5%B7%E6%9D%A5**%E3%80%82%0A%0A%3E%20%E5%8F%A6%E5%A4%96%E5%80%BC%E5%BE%97%E6%B3%A8%E6%84%8F%E7%9A%84%E6%98%AF%EF%BC%8CTEAC%E6%98%AF%E4%B8%80%E7%A7%8D%E7%99%BD%E5%90%8D%E5%8D%95%E6%9C%BA%E5%88%B6%EF%BC%8C%E5%8F%AA%E6%9C%89%E7%AD%96%E7%95%A5%E6%96%87%E4%BB%B6%E6%8F%8F%E8%BF%B0%E7%9A%84%E6%9D%83%E9%99%90%E6%89%8D%E4%BC%9A%E7%94%9F%E6%95%88%EF%BC%8C%E5%90%A6%E5%88%99%E9%BB%98%E8%AE%A4%E6%98%AF%E6%B2%A1%E6%9C%89%E5%AF%B9%E5%BA%94%E7%9A%84%E6%9D%83%E9%99%90%E3%80%82%0A%3E%20%E9%82%A3%E4%B9%88%E9%97%AE%E9%A2%98%E6%9D%A5%E4%BA%86%EF%BC%8C%E6%97%A2%E7%84%B6%E6%98%AF%E7%99%BD%E5%90%8D%E5%8D%95%E6%9C%BA%E5%88%B6%EF%BC%8C%E9%82%A3%E4%B9%88neverallow%E6%9C%89%E5%95%A5%E7%94%A8%EF%BC%9F%0A%3E%20neverallow%E7%9A%84%E4%BD%9C%E7%94%A8%E6%98%AF%E4%B8%BA%E4%BA%86%E9%AA%8C%E8%AF%81allow%E5%AE%9A%E4%B9%89%E7%9A%84%E8%A7%84%E5%88%99%E6%98%AF%E5%90%A6%E5%AE%8C%E5%A4%87%EF%BC%8C%E5%BD%93%E4%BD%A0%E6%8C%89%E7%85%A7allow%E7%9A%84%E8%A1%A5%E9%9B%86%E5%AE%9A%E4%B9%89neverallow%E8%A7%84%E5%88%99%E6%97%B6%EF%BC%8C%E5%8F%91%E7%94%9F%E4%BA%86%E6%9D%83%E9%99%90%E9%94%99%E8%AF%AF%EF%BC%8C%E9%82%A3%E4%B9%88%E5%8F%AF%E4%BB%A5%E8%82%AF%E5%AE%9A%E7%9A%84%E6%98%AFallow%E8%A7%84%E5%88%99%E5%AE%9A%E4%B9%89%E5%87%BA%E4%BA%86%E9%97%AE%E9%A2%98%E3%80%82%0A%0A%23%23%23%20RBAC%0ARBAC%20%3D%20Role%20Based%20Access%20Control%2C%20%E6%98%AF%E5%AF%B9TE%E7%9A%84%E4%B8%80%E7%A7%8D%E8%A1%A5%E5%85%85%E3%80%82%E5%87%86%E7%A1%AE%E7%9A%84%E8%AF%B4%EF%BC%8C%E6%98%AF%E5%9C%A8TE%E4%B9%8B%E4%B8%8A%E6%8F%90%E4%BE%9B%E4%BA%86%E4%B8%80%E5%B1%82%E7%BA%A6%E6%9D%9F%EF%BC%8C%E5%A2%9E%E5%BC%BA%E4%BA%86%E7%AD%96%E7%95%A5%E6%96%87%E4%BB%B6%E5%AE%9A%E4%B9%89%E7%9A%84%E5%8F%AF%E6%93%8D%E4%BD%9C%E6%80%A7%EF%BC%8C%E5%90%8C%E6%97%B6%E6%8F%90%E4%BE%9B%E4%BA%86Linux%E7%B3%BB%E7%BB%9F%E7%94%A8%E6%88%B7%E7%9A%84%E6%9D%83%E9%99%90%E7%BA%A6%E6%9D%9F%E5%AE%9E%E7%8E%B0%E3%80%82%0A%3ESELinux%20%E5%B9%B6%E4%B8%8D%E7%9B%B4%E6%8E%A5%E5%BB%BA%E7%AB%8B%E7%94%A8%E6%88%B7%E5%92%8C%20domain%20%E4%B9%8B%E9%97%B4%E7%9A%84%E8%81%94%E7%B3%BB%EF%BC%8C%E8%80%8C%E6%98%AF%E9%80%9A%E8%BF%87%E8%A7%92%E8%89%B2%E4%BD%9C%E4%B8%BA%E6%A1%A5%E6%A2%81%E3%80%82%E6%AD%A4%E4%B8%BE%E5%A5%BD%E5%A4%84%E5%A6%82%E4%B8%8B%EF%BC%9A%0A%3E%201.%20%E9%99%8D%E4%BD%8E%20policy%20%E5%A4%8D%E6%9D%82%E5%BA%A6%EF%BC%9A%E5%8F%AF%E8%83%BD%E6%9C%89%E4%B8%8A%E7%99%BE%E4%B8%AA%E7%94%A8%E6%88%B7%E5%92%8C%E4%B8%8A%E5%8D%83%E7%A7%8D%20domain%2Ftype%EF%BC%8C%E4%BD%86%E6%98%AF%E4%B8%8D%E5%90%8C%E7%94%A8%E6%88%B7%E6%89%80%E6%89%AE%E6%BC%94%E7%9A%84%E4%B8%8D%E5%90%8C%E8%A7%92%E8%89%B2%E5%8F%AA%E6%9C%89%20%E6%9C%89%E9%99%90%E5%87%A0%E4%B8%AA%EF%BC%9Brole%20%E4%BD%9C%E4%B8%BA%20user%20%E5%92%8C%20type%20%E4%B9%8B%E9%97%B4%E7%9A%84%E2%80%9C%E4%B8%AD%E9%97%B4%E5%B1%82%E2%80%9D%EF%BC%8C%E4%BE%BF%E4%BA%8E%E9%99%90%E5%88%B6%20user%20%E7%9A%84%E8%83%BD%E5%8A%9B%EF%BC%9B%20%0A%3E%202.%20%E7%BB%99%E4%B8%8D%E5%90%8C%E7%94%A8%E6%88%B7%E8%B5%8B%E4%BA%88%E4%B8%8D%E5%90%8C%E7%9A%84%E4%BC%98%E5%85%88%E7%BA%A7%EF%BC%9A%E7%94%A8%E6%88%B7%E9%80%9A%E8%BF%87%E6%89%AE%E6%BC%94%E6%9F%90%E7%A7%8D%E8%A7%92%E8%89%B2%E6%89%8D%E8%83%BD%E8%8E%B7%E5%BE%97%E9%82%A3%E7%A7%8D%E8%A7%92%E8%89%B2%E7%9A%84%E8%83%BD%E5%8A%9B%E3%80%82%E7%89%B9%E6%9D%83%E8%A7%92%E8%89%B2%E5%8F%AA%E8%83%BD%E7%94%B1%E7%89%B9%20%E6%9D%83%E7%94%A8%E6%88%B7%E6%9D%A5%E6%89%AE%E6%BC%94%EF%BC%9B%5B4%5D%0A%0A%E7%BF%BB%E8%AF%91%E4%B8%80%E4%B8%8B%EF%BC%8C%E6%88%91%E7%9A%84%E7%90%86%E8%A7%A3%E6%98%AF%EF%BC%9A%0A%E6%88%91%E4%BB%AC%E7%9F%A5%E9%81%93TE%E6%98%AFSELinux%20MAC%E7%9A%84%E6%A0%B8%E5%BF%83%EF%BC%8CTE%E9%80%9A%E8%BF%87%E6%AF%94%E5%AF%B9object%20type%E5%92%8Cprocess%20type%E6%9D%A5%E5%86%B3%E5%AE%9Aprocess%E6%98%AF%E5%90%A6%E6%9C%89%E6%9D%83%E9%99%90%E4%BD%BF%E7%94%A8%E8%BF%99%E4%B8%AAobject%E3%80%82%E4%B8%80%E6%9D%A1TE%E8%A7%84%E5%88%99%E7%BB%91%E5%AE%9A%E4%BA%86%E8%BF%99%E4%B8%A4%E8%80%85%E3%80%82%E5%81%87%E5%A6%82%E7%B3%BB%E7%BB%9F%E6%9C%89M%E4%B8%AAProcess%EF%BC%8CN%E4%B8%AAObject%EF%BC%8C%E9%82%A3%E6%98%AF%E4%B8%8D%E6%98%AF%E7%B3%BB%E7%BB%9F%E7%9A%84%E8%A7%84%E5%88%99%E6%95%B0%E5%B0%B1%E6%98%AFM%5C*N%E4%B8%AA%EF%BC%9F(M%E5%92%8CN%E5%8F%AF%E8%83%BD%E6%98%AF%E5%BE%88%E5%A4%A7%E7%9A%84%E6%95%B0%E5%93%A6)%0A%E7%AD%94%E6%A1%88%E6%98%AF%3A**%E8%A7%84%E5%88%99%E6%95%B0%E5%B9%B6%E4%B8%8D%E7%AD%89%E4%BA%8EM%5C*N**%E3%80%82%E5%90%A6%E5%88%99%E7%AD%96%E7%95%A5%E6%96%87%E4%BB%B6%E8%A6%81%E5%86%99%E7%9A%84%E7%B4%AF%E6%AD%BB%E3%80%82%0A%E8%A7%A3%E5%86%B3%E7%9A%84%E6%96%B9%E6%B3%95%E5%B0%B1%E6%98%AF%E5%AE%9A%E4%B9%89role%EF%BC%8C%E4%B8%80%E4%B8%AArole%E5%B0%B1%E5%AF%B9%E5%BA%94%E4%BA%86%E8%8B%A5%E5%B9%B2%E4%B8%AAtype%EF%BC%8C%E5%9C%A8%E7%AD%96%E7%95%A5%E6%96%87%E4%BB%B6%E4%B8%AD%E9%80%9A%E8%BF%87role%E5%85%B3%E9%94%AE%E5%AD%97%E5%AE%8C%E6%88%90role%E5%92%8Ctype%E7%9A%84%E7%BB%91%E5%AE%9A%EF%BC%8C%E4%BE%8B%E5%A6%82%EF%BC%9A%0A%60%60%60%0Arole%20user_r%20types%20user_t%3B%0Arole%20user_r%20types%20passwd_t%3B%0A%60%60%60%0Auser_r%E8%BF%99%E4%B8%AArole%E4%B8%80%E4%B8%8B%E5%AF%B9%E5%BA%94%E4%BA%86%E4%B8%A4%E4%B8%AAtype%EF%BC%8C%E5%88%86%E5%88%AB%E6%98%AFuser_t%E5%92%8Cpasswd_t%0A%60%60%60%0Auser%20joe%20roles%20%7B%20user_r%20%7D%3B%0A%60%60%60%0A%E8%BF%99%E6%9D%A1%E8%AF%AD%E5%8F%A5%E5%B0%B1%E7%BB%91%E5%AE%9A%E4%BA%86user%20joe%E5%92%8Crole%20user_r%E3%80%82%E9%82%A3%E4%B9%88%E5%BD%93joe%E6%98%AFuser_r%20role%E7%9A%84%E6%97%B6%E5%80%99%EF%BC%8C%E5%B0%B1%E5%85%B7%E5%A4%87%E4%BA%86user_t%E5%92%8Cpasswd_t%E7%9A%84%E6%A0%87%E7%AD%BE%EF%BC%8C%E9%82%A3%E4%B9%88joe%E5%B0%B1%E8%83%BD%E8%AE%BF%E9%97%AE%E5%AE%9A%E4%B9%89%E4%BA%86user_t%E5%92%8Cpasswd_t%E7%9A%84TE%E8%A7%84%E5%88%99%EF%BC%8C%E6%89%80%E6%8C%87%E5%AE%9A%E7%9A%84%E8%B5%84%E6%BA%90%EF%BC%88object%EF%BC%89%E3%80%82%0A%0A%3E%20%E8%A7%92%E8%89%B2%E6%98%AF%E4%B8%80%E5%A5%97Type%EF%BC%88%E8%BF%9B%E7%A8%8B%E7%9A%84Type%E5%8F%88%E7%A7%B0%E4%B8%BA%E5%9F%9FDomain%EF%BC%89%E7%B1%BB%E5%9E%8B%E7%9A%84%E9%9B%86%E5%90%88%0A%0A%E7%9F%A5%E9%81%93%E4%BA%86%E8%BF%99%E5%B1%82%E5%85%B3%E7%B3%BB%EF%BC%8C%E9%82%A3%E4%B9%88%E5%B0%B1%E5%8F%AF%E4%BB%A5%E7%90%86%E8%A7%A3role%E7%9A%84%E6%93%8D%E4%BD%9C%EF%BC%8C%E5%8C%85%E6%8B%AC%EF%BC%9A%0A-%20%E8%A7%92%E8%89%B2%E8%BD%AC%E6%8D%A2role_transition%0A-%20%E8%A7%92%E8%89%B2%E6%8E%A7%E5%88%B6role_dominance%0A%0A%23%23%23%23%20%E7%94%A8%E6%88%B7%E4%B8%8E%E8%A7%92%E8%89%B2%0ASELinux%E6%9C%89%E4%B8%80%E5%A5%97%E7%94%A8%E6%88%B7%E7%B3%BB%E7%BB%9F%EF%BC%8CLinux%E7%B3%BB%E7%BB%9F%E4%B9%9F%E6%9C%89%E4%B8%80%E5%A5%97%E7%94%A8%E6%88%B7%E7%B3%BB%E7%BB%9F%E3%80%82%E5%AE%83%E4%BB%AC%E4%B9%8B%E9%97%B4%E6%9C%89%E4%BB%80%E4%B9%88%E5%85%B3%E7%B3%BB%EF%BC%9F%E9%A6%96%E5%85%88%E5%8F%AF%E4%BB%A5%E7%A1%AE%E5%AE%9A%E7%9A%84%E6%98%AF%EF%BC%8C%E5%AE%83%E4%BB%AC%E4%B8%8D%E6%98%AF%E7%9B%B4%E6%8E%A5%E7%AD%89%E4%BB%B7%E7%9A%84%E3%80%82%E4%BE%8B%E5%A6%82%2C%20%E4%BB%A5root%E7%94%A8%E6%88%B7%E5%90%AF%E5%8A%A8Browser%EF%BC%8C%E9%82%A3%E4%B9%88Browser%E5%B0%B1%E6%9C%89root%E7%94%A8%E6%88%B7%E7%9A%84%E6%9D%83%E9%99%90%EF%BC%8C%E5%9C%A8Linux%E7%B3%BB%E7%BB%9F%E4%B8%8A%E8%83%BD%E5%B9%B2%E4%BB%BB%E4%BD%95%E4%BA%8B%E6%83%85%E3%80%82%E8%80%8Croot%E5%9C%A8SELinux%E4%B8%AD%E5%8F%AF%E8%83%BD%E5%B0%B1%E6%98%AF%E4%B8%80%E4%B8%AA%E6%B2%A1%E6%9D%83%E9%99%90%EF%BC%8C%E6%B2%A1%E5%9C%B0%E4%BD%8D%EF%BC%8C%E6%89%93%E6%89%93%E9%85%B1%E6%B2%B9%E7%9A%84%E2%80%9D%E8%B7%AF%E4%BA%BA%E7%94%B2%E2%80%9C%E3%80%82%E5%BD%93%E7%84%B6%EF%BC%8C%E8%BF%99%E4%B8%80%E5%88%87%E9%83%BD%E7%94%B1SELinux%E5%AE%89%E5%85%A8%E7%AD%96%E7%95%A5%E7%9A%84%E5%88%B6%E5%AE%9A%E8%80%85%E6%9D%A5%E5%86%B3%E5%AE%9A%E3%80%82%0ASELinux%E7%94%A8%E6%88%B7%E5%92%8CLinux%E7%B3%BB%E7%BB%9F%E7%94%A8%E6%88%B7%E7%9A%84%E6%98%A0%E5%B0%84%E5%85%B3%E7%B3%BB%E5%8F%AF%E4%BB%A5%E9%80%9A%E8%BF%87semanage%E5%B7%A5%E5%85%B7%E6%9D%A5%E6%9F%A5%E7%9C%8B%EF%BC%9A%0A%60%60%60%0A%5Broot%40zion%20~%5D%23%20semanage%20login%20-l%0A%0ALogin%20Name%20%20%20%20%20%20%20%20%20%20%20SELinux%20User%20%20%20%20%20%20%20%20%20MLS%2FMCS%20Range%20%20%20%20%20%20%20%20Service%0A%0A__default__%20%20%20%20%20%20%20%20%20%20unconfined_u%20%20%20%20%20%20%20%20%20s0-s0%3Ac0.c1023%20%20%20%20%20%20%20*%0Aroot%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20unconfined_u%20%20%20%20%20%20%20%20%20s0-s0%3Ac0.c1023%20%20%20%20%20%20%20*%0Asystem_u%20%20%20%20%20%20%20%20%20%20%20%20%20system_u%20%20%20%20%20%20%20%20%20%20%20%20%20s0-s0%3Ac0.c1023%20%20%20%20%20%20%20*%0A%60%60%60%0A%E5%BD%93%E4%B8%80%E4%B8%AA%E6%99%AE%E9%80%9A%E7%94%A8%E6%88%B7%E7%99%BB%E5%BD%95%E6%97%B6%EF%BC%8C%E5%85%B6%E6%98%A0%E5%B0%84%E5%88%B0SELinux%E8%BF%87%E7%A8%8B%E5%8F%AF%E4%BB%A5%E5%8F%82%E8%80%83%E6%96%87%E7%8C%AE%5B5%5D%E7%9A%84%E4%BB%8B%E7%BB%8D%E3%80%82%E5%A4%A7%E8%87%B4%E6%B5%81%E7%A8%8B%E5%A6%82%E4%B8%8B%EF%BC%9A%0A%60%60%60mermaid%0Agraph%20TD%0AA%5BLinux%E7%B3%BB%E7%BB%9F%E7%94%A8%E6%88%B7%E7%99%BB%E5%BD%95%5D%0AA%20--%3E%20B%7B%22%E7%B3%BB%E7%BB%9F%E6%96%87%E4%BB%B6%E6%98%AF%E5%90%A6%E6%8F%8F%E8%BF%B0%E4%BA%86%E7%94%A8%E6%88%B7%E9%97%B4%E7%9A%84%E6%98%A0%E5%B0%84%E5%85%B3%E7%B3%BB%EF%BC%9F%22%7D%0AB%20--%3E%20%7CN%7C%20C%5B%22%E7%94%A8%E6%88%B7%E6%98%A0%E5%B0%84%E4%B8%BA__default__%22%5D%0AB%20--%3E%20%7CY%7C%20D%5B%22%E7%94%A8%E6%88%B7%E7%9B%B4%E6%8E%A5%E6%98%A0%E5%B0%84%E5%88%B0SELinux%E7%94%A8%E6%88%B7%22%5D%0AC%20--%3E%20E%5B%22__default__%E7%94%A8%E6%88%B7%E8%A2%AB%E6%98%A0%E5%B0%84%E4%B8%BAunconfined_u%22%5D%0A%60%60%60%0A%E4%B8%8A%E9%9D%A2%E6%8F%90%E5%88%B0%E7%9A%84%E7%B3%BB%E7%BB%9F%E6%96%87%E4%BB%B6%E4%B8%BA%60%2Fetc%2Fselinux%2Fspecified-policy%2Fseusers%60%E3%80%82%0A%E9%80%9A%E8%BF%87%E4%B8%8A%E9%9D%A2%E7%9A%84%E6%B5%81%E7%A8%8B%E4%B9%9F%E5%8F%AF%E4%BB%A5%E7%9C%8B%E5%87%BA%EF%BC%8CSELinux%E7%9A%84%E7%AD%96%E7%95%A5%E6%96%87%E4%BB%B6%E5%B9%B6%E6%B2%A1%E6%9C%89%E4%B8%93%E9%97%A8%E5%AE%9A%E4%B9%89%E6%9C%89%E5%93%AA%E4%BA%9BSELinux%E7%94%A8%E6%88%B7%EF%BC%8C%E8%80%8C%E6%98%AF%E9%80%9A%E8%BF%87seusers%E6%96%87%E4%BB%B6%E4%B8%AD%E6%8F%8F%E8%BF%B0%E7%9A%84%E6%98%A0%E5%B0%84%E5%85%B3%E7%B3%BB%E6%9D%A5%E8%A1%A8%E6%98%8E%E6%9C%89%E5%93%AA%E4%BA%9BSELinux%E7%94%A8%E6%88%B7%E3%80%82%E7%94%A8%E6%88%B7%E5%86%8D%E9%80%9A%E8%BF%87role%E6%98%A0%E5%B0%84%E5%88%B0type%EF%BC%8C%E6%9C%80%E5%90%8E%E9%80%9A%E8%BF%87TE%E7%B3%BB%E7%BB%9F%E6%9D%A5%E7%A1%AE%E5%AE%9A%E6%9D%83%E9%99%90%E5%85%B3%E7%B3%BB%E3%80%82%E5%A4%A7%E8%87%B4%E5%85%B3%E7%B3%BB%E5%A6%82%E4%B8%8B%EF%BC%9A%0A%60%60%60mermaid%0Agraph%20LR%3B%0AA%5B%22Linux%E7%B3%BB%E7%BB%9F%E7%94%A8%E6%88%B7%22%5D%20--%3E%20B%5B%22SELinux%E7%94%A8%E6%88%B7%22%5D%0AB%20--%3E%20C%5B%22role(s)%22%5D%0AC%20--%3E%20D%5B%22type(s)%22%5D%0AD%20--%3E%20%7C%22TE%E6%9D%83%E9%99%90%E6%A3%80%E6%9F%A5%22%7C%20E%5B%22object%20type(s)%22%5D%0A%60%60%60%0A%23%23%23%23%20constrain%0A%E5%89%8D%E9%9D%A2%E8%AE%B2%E4%BA%86RBAC%E4%B8%8ETE%E7%BB%93%E5%90%88%E6%8F%90%E4%BE%9B%E7%9A%84%E6%9D%83%E9%99%90%E6%A3%80%E6%9F%A5%EF%BC%8CRBAC%E8%BF%98%E6%8F%90%E4%BE%9B%E4%BA%86%E4%B8%80%E7%A7%8D%E7%9B%B4%E6%8E%A5%E7%9A%84user%2Frole%E6%9D%83%E9%99%90%E6%A3%80%E6%9F%A5%E6%96%B9%E6%B3%95%EF%BC%8C%E6%88%90%E4%B8%BAconstrain%E3%80%82%E4%B8%BE%E4%B8%AA%E4%BE%8B%E5%AD%90%EF%BC%9A%0A%60%60%60bash%0A%23%20%E6%A0%87%E5%87%86%E6%A0%BC%E5%BC%8F%EF%BC%9Aconstrain%20%3Cobject_class_set%3E%20%3Cperm_set%3E%20%3Cexpression%3E%20%3B%0Aconstrain%20file%20write%20(u1%20%3D%3D%20u2%20and%20r1%20%3D%3D%20r2)%20%3B%0A%60%60%60%0A%E9%99%90%E5%88%B6%E5%8F%AA%E6%9C%89%E6%96%87%E4%BB%B6%E7%9A%84%E5%88%9B%E5%BB%BA%E8%80%85user%2Frole%E4%B8%8E%E8%BF%9B%E7%A8%8Buser%2Frole%E7%9B%B8%E7%AD%89%E6%97%B6%EF%BC%8C%E6%89%8D%E5%8F%AF%E4%BB%A5%E5%AF%B9%E6%96%87%E4%BB%B6%E8%BF%9B%E8%A1%8C%E5%86%99%E6%93%8D%E4%BD%9C%E3%80%82%E6%B3%A8%E6%84%8F%E8%BF%99%E9%87%8C%E6%98%AFobject%20class%EF%BC%8C%E6%8E%A7%E5%88%B6%E7%9A%84%E6%98%AF%E4%B8%80%E7%B1%BB%E8%B5%84%E6%BA%90%EF%BC%8C%E8%80%8C%E4%B8%8D%E6%98%AF%E5%85%B7%E4%BD%93%E5%93%AA%E4%B8%80%E4%B8%AAobject%E3%80%82%0A%E5%8F%AF%E4%BB%A5%E4%BD%BF%E7%94%A8%E7%9A%84%E9%80%BB%E8%BE%91%E8%BF%90%E7%AE%97%E7%AC%A6%E6%9C%89%EF%BC%9A%0A-%20%3D%3D%2C%20!%3D%EF%BC%9Auser%2Frole%E9%83%BD%E5%8F%AF%E7%94%A8%0A-%20%E4%BB%85%E9%92%88%E5%AF%B9role%E7%9A%84eq%2C%20dom%2C%20domby%2C%20incomp%0A%23%23%23%23%20%E6%80%BB%E7%BB%93%0A%60%60%60mermaid%0Agraph%20TD%3B%0AA%5B%22Linux%E7%94%A8%E6%88%B71%22%5D%20--%3E%20B%5B%22RBAC%22%5D%0AC%5B%22Linux%E7%94%A8%E6%88%B72%22%5D%20--%3E%20B%0AD%5B%22Linux%E7%94%A8%E6%88%B73%22%5D%20--%3E%20B%0AB%20--%3E%20%7Cuser%2C%20role%7C%20E%5B%22process%20type(s)%22%5D%0AE%20--%3E%20%7CTEAC%20%26%20constrain%7C%20G%5B%22object%20type(s)%22%5D%0A%60%60%60%0A%23%23%23%20MLS%2FMCS%0AMLS%E4%BB%8ELinux%202.6.12%E5%BC%80%E5%A7%8B%E8%BF%9B%E5%85%A5Linux%E5%86%85%E6%A0%B8%EF%BC%8C%E8%80%8CSELinux%E5%A4%A7%E7%BA%A6%E6%98%AF2.6.0%E5%BC%80%E5%A7%8B%E8%BF%9B%E5%85%A5%E5%86%85%E6%A0%B8%E3%80%82MLS%E4%B8%8E%E5%8E%9F%E5%A7%8B%E7%9A%84SELinux%E6%94%AF%E6%8C%81%E7%9A%84TE%2C%20RBAC%E9%89%B4%E6%9D%83%E6%89%8B%E6%AE%B5%E6%98%AF%E4%B8%80%E7%A7%8D%E4%BA%92%E8%A1%A5%E3%80%82%E5%85%B7%E4%BD%93%E5%8F%AF%E4%BB%A5%E9%98%85%E8%AF%BB%E5%8F%82%E8%80%83%E6%96%87%E7%8C%AE%5B7%5D%E3%80%82%E8%BF%99%E7%AF%87%E6%96%87%E7%AB%A0%E6%9D%A5%E8%87%AATrusted%20Computer%20Solutions%2C%20Inc.%EF%BC%88TCS%EF%BC%89%E8%BF%99%E5%AE%B6%E5%85%AC%E5%8F%B8%EF%BC%8C%E6%98%AFLinux%E5%86%85%E6%A0%B8MLS%E6%A8%A1%E5%9D%97%E4%B8%BB%E8%A6%81%E7%9A%84%E8%AE%BE%E8%AE%A1%E8%80%85%E3%80%82%E6%96%87%E7%AB%A0%E5%86%99%E4%BA%8E2006%E5%B9%B4%EF%BC%8C%E4%BC%B0%E8%AE%A1%E6%98%AFMLS%E5%90%88%E5%85%A5%E5%86%85%E6%A0%B8%E4%B8%8D%E4%B9%85%E3%80%82%0A%3EA%20combination%20of%20MLS%20and%20TE%20creates%20a%20stronger%2C%20more%20functional%20system%20that%20benefits%20from%20the%20strengths%20of%20the%20two%20complementary%20models.%0A%3E**MLS**%20models%20do%20not%20lend%20themselves%20easily%20to%20static%20analysis.%0A%3E**TE**%20has%20deficiencies%20in%20handling%20a%20large%20number%20of%20labels%20or%20a%20dynamic%20work%20set%20of%20label%20names%2C%20especially%20in%20contrast%20to%20integrity%20concerns.%0A%0A%E7%8E%B0%E5%9C%A8%E7%9A%84MLS%E5%80%9F%E5%8A%A9%E4%BA%86RBAC%E5%AE%9A%E4%B9%89%E7%9A%84constrain%E6%9C%BA%E5%88%B6%EF%BC%8C%E6%89%A9%E5%B1%95%E4%BA%86constrain%E8%AF%AD%E6%B3%95%EF%BC%8C%E5%AE%9A%E4%B9%89%E4%BA%86%E6%89%80%E8%B0%93%E7%9A%84mlsconstrain%E8%AF%AD%E6%B3%95%E8%A7%84%E5%88%99%E3%80%82%E4%B8%BASELinux%E6%8F%90%E4%BE%9B%E4%BA%86%E5%9F%BA%E4%BA%8EClassification%EF%BC%88Sensitivity%20Level%EF%BC%89%E5%92%8CCompartment%EF%BC%88Category%EF%BC%89%E8%AF%AD%E6%84%8F%E7%9A%84%E6%9D%83%E9%99%90%E6%A3%80%E6%9F%A5%E3%80%82%0AMLS%E6%98%AF%E5%8E%9F%E5%A7%8BSELinux%E7%9A%84%E6%89%A9%E5%B1%95%EF%BC%8C%E6%89%80%E4%BB%A5%E5%9C%A8%E4%BD%BF%E8%83%BDSELinux%E7%9A%84%E6%97%B6%E5%80%99%E4%B9%9F%E6%98%AF%E5%8F%AF%E9%80%89%E7%9A%84%E3%80%82%E4%BD%A0%E5%8F%AF%E4%BB%A5%E9%80%89%E6%8B%A9%E5%B8%A6MLS%E7%9A%84SELinux%EF%BC%8C%E4%B9%9F%E5%8F%AF%E4%BB%A5%E9%80%89%E6%8B%A9%E4%B8%8D%E5%B8%A6MLS%E7%9A%84SELinux%E3%80%82%E4%BE%8B%E5%A6%82%EF%BC%8C%E5%9C%A8Fedora%E4%B8%8B%E7%9A%84%E6%AD%A5%E9%AA%A4%E5%A6%82%E4%B8%8B%EF%BC%9A%0A1.%20Install%20SELinux%20package%0A%60%60%60bash%0Adnf%20install%20selinux-policy-mls%0A%60%60%60%0A2.%20Configure%20%60%2Fetc%2Fselinux%2Fconfig%60%0A%60%60%60bash%0A%23%20This%20file%20controls%20the%20state%20of%20SELinux%20on%20the%20system.%0A%23%20SELINUX%3D%20can%20take%20one%20of%20these%20three%20values%3A%0A%23%20%20%20%20%20%20%20enforcing%20-%20SELinux%20security%20policy%20is%20enforced.%0A%23%20%20%20%20%20%20%20permissive%20-%20SELinux%20prints%20warnings%20instead%20of%20enforcing.%0A%23%20%20%20%20%20%20%20disabled%20-%20No%20SELinux%20policy%20is%20loaded.%0ASELINUX%3Dpermissive%0A%23%20SELINUXTYPE%3D%20can%20take%20one%20of%20these%20two%20values%3A%0A%23%20%20%20%20%20%20%20targeted%20-%20Targeted%20processes%20are%20protected%2C%0A%23%20%20%20%20%20%20%20mls%20-%20Multi%20Level%20Security%20protection.%0ASELINUXTYPE%3Dmls%0A%60%60%60%0A%23%23%23%23%20%E6%A0%B8%E5%BF%83%E6%A6%82%E5%BF%B5%0AMLS%E7%9A%84%E6%A0%B8%E5%BF%83%E7%90%86%E5%BF%B5%E7%94%B1%E4%B8%8B%E5%9B%BE%E9%98%90%E9%87%8A%E4%BA%86%E3%80%82%0A%0A!%5B445184ec51cafa947460ef50a7b311dc.png%5D(evernotecid%3A%2F%2F22617523-9521-4D00-B771-5F27B85F00EB%2Fappyinxiangcom%2F161681%2FENResource%2Fp6228)%0A%3E%E5%BC%95%E7%94%A8%5B2%5D%E4%B8%AD%E7%9A%84%E4%B8%80%E6%AE%B5%E8%AF%9D%EF%BC%9A%0A%3E%0A%3EMLS%E5%9C%A8%E5%AE%89%E5%85%A8%E7%AD%96%E7%95%A5%E4%B8%8A%E6%9C%89%E4%B8%80%E4%B8%AA%E5%BD%A2%E8%B1%A1%E7%9A%84%E6%8F%8F%E8%BF%B0%E5%8F%ABno%20write%20down%E5%92%8Cno%20read%20up%EF%BC%9A%0A%3E%0A%3E-%20%E9%AB%98%E7%BA%A7%E5%88%AB%E7%9A%84%E4%B8%9C%E8%A5%BF%E4%B8%8D%E8%83%BD%E5%BE%80%E4%BD%8E%E7%BA%A7%E5%88%AB%E7%9A%84%E4%B8%9C%E8%A5%BF%E9%87%8C%E8%BE%B9%E5%86%99%E6%95%B0%E6%8D%AE%EF%BC%9A%E8%BF%99%E6%A0%B7%E5%8F%AF%E8%83%BD%E5%AF%BC%E8%87%B4%E9%AB%98%E7%BA%A7%E5%88%AB%E7%9A%84%E6%95%B0%E6%8D%AE%E6%B3%84%E9%9C%B2%E5%88%B0%E4%BD%8E%E7%BA%A7%E5%88%AB%E4%B8%AD%E3%80%82%0A%3E-%20%E9%AB%98%E7%BA%A7%E5%88%AB%E7%9A%84%E4%B8%9C%E8%A5%BF%E5%8F%AA%E8%83%BD%E4%BB%8E%E4%BD%8E%E7%BA%A7%E5%88%AB%E7%9A%84%E4%B8%9C%E8%A5%BF%E9%87%8C%E8%BE%B9%E8%AF%BB%E6%95%B0%E6%8D%AE%0A%3E%0A%3E%E5%A6%82%E5%9B%BE4%E4%B8%AD%EF%BC%8CProcess%E7%9A%84%E7%BA%A7%E5%88%AB%E6%98%AFConfidential%EF%BC%8C%E5%AE%83%E5%8F%AF%E4%BB%A5%E5%BE%80%E5%90%8C%E7%BA%A7%E5%88%AB%E7%9A%84File%20B%E4%B8%AD%E8%AF%BB%E5%86%99%E6%95%B0%E6%8D%AE%EF%BC%8C%E4%BD%86%E6%98%AF%E5%8F%AA%E8%83%BD%E5%BE%80%E9%AB%98%E7%BA%A7%E5%88%AB%E7%9A%84File%20A(%E7%BA%A7%E5%88%AB%E6%98%AFSecret)%E9%87%8C%E8%BE%B9%E5%86%99%E4%B8%9C%E8%A5%BF%E3%80%82Process%E5%8F%AF%E4%BB%A5%E4%BB%8EFile%20C%E5%92%8CFile%20D%E4%B8%AD%E8%AF%BB%E6%95%B0%E6%8D%AE%EF%BC%8C%E4%BD%86%E6%98%AF%E4%B8%8D%E8%83%BD%E5%BE%80File%20C%E5%92%8CFile%20D%E4%B8%8A%E5%86%99%E6%95%B0%E6%8D%AE%E3%80%82%0A%3E%0A%3E%E5%8F%8D%E8%BF%87%E6%9D%A5%E8%AF%B4%EF%BC%9A%0A%3E%0A%3E-%20%E4%BD%8E%E7%BA%A7%E5%88%AB%E7%9A%84%E4%B8%9C%E8%A5%BF%E5%8F%AA%E8%83%BD%E5%BE%80%E9%AB%98%E7%BA%A7%E5%88%AB%E7%9A%84%E4%B8%9C%E8%A5%BF%E9%87%8C%E8%BE%B9%E5%86%99%E6%95%B0%E6%8D%AE%0A%3E-%20%E4%BD%8E%E7%BA%A7%E5%88%AB%E7%9A%84%E4%B8%9C%E8%A5%BF%E4%B8%8D%E8%83%BD%E4%BB%8E%E9%AB%98%E7%BA%A7%E5%88%AB%E7%9A%84%E4%B8%9C%E8%A5%BF%E9%82%A3%E8%BE%B9%E8%AF%BB%E6%95%B0%E6%8D%AE%0A%3E%0A%3E%E6%B3%A8%EF%BC%9A%E8%BF%99%E9%87%8C%E5%8F%AA%E8%80%83%E8%99%91%E6%B3%84%E4%B8%8D%E6%B3%84%E5%AF%86%EF%BC%8C%E4%B8%8D%E8%80%83%E8%99%91%E6%BA%A2%E5%87%BA%E6%94%BB%E5%87%BB%0A%0A%23%23%23%23%20%E5%AE%9E%E7%8E%B0MLS%E7%9A%84%E5%85%B7%E4%BD%93%E6%89%8B%E6%AE%B5%0A%E4%B8%BB%E8%A6%81%E5%B0%B1%E6%98%AF%E5%9C%A8TE%EF%BC%8CRBAC%E7%9A%84secure%20context%E4%B9%8B%E4%B8%8A%EF%BC%8C%E5%8A%A0%E4%BA%86sensitivity%E5%92%8Ccategory%E4%B8%A4%E4%B8%AA%E5%AD%97%E6%AE%B5%E3%80%82%E4%BD%BF%E8%83%BD%E4%BA%86MLS%E7%9A%84secure%20context%EF%BC%8C%E6%A0%BC%E5%BC%8F%E5%A6%82%E4%B8%8B%EF%BC%9A%0A%60%60%60%0Auser%3Arole%3Atype%3Asensitivity%5B%3Acategory%2C...%5D-%20sensitivity%20%5B%3Acategory%2C...%5D%0A%60%60%60%0A%E4%B8%BE%E4%B8%AA%E5%AE%9E%E9%99%85%E7%9A%84%E4%BE%8B%E5%AD%90%EF%BC%9A%0A%60%60%60%0Auser_u%3Arole_r%3Atype_t%3As0-s1%3Ac0%2Cc1-c255%0A%60%60%60%0As0%20--%20%E6%9C%80%E4%BD%8Esensitivity%0As1%3Ac0%2Cc1-c255%20--%20%E6%9C%80%E9%AB%98sensitivity%0A%3E%E6%B3%A8%EF%BC%9As0%E5%95%A5%E9%83%BD%E4%B8%8D%E5%B8%A6%E4%BB%A3%E8%A1%A8%0A%3Es0%20is%20the%20lowest%20classification%20and%20contains%20no%20compartments%2C%20thus%20dominated%20by%20every%20label%20on%20the%20system.%0A%0A%E9%82%A3%E4%B9%88%E6%80%8E%E4%B9%88%E5%88%A9%E7%94%A8%E8%BF%99%E7%BB%84%E6%A0%87%E7%AD%BE%EF%BC%9FMLS%E5%BC%95%E5%85%A5%E4%BA%86%E6%89%A9%E5%B1%95%E7%9A%84constrain%E8%AF%AD%E6%B3%95%EF%BC%8C%E7%A7%B0%E4%B8%BAmlsconstrain%EF%BC%8C%E6%A0%BC%E5%BC%8F%E4%B8%BA%EF%BC%9A%0A%60%60%60%0Amlsconstrain%20class%20perm_set%20expression%3B%0A%60%60%60%0A%E5%AF%B9%E6%AF%94constrain%E8%AF%AD%E6%B3%95%EF%BC%9A%0A%60%60%60%0Aconstrain%20object_class_set%20perm_set%20expression%3B%0A%60%60%60%0A%E4%B8%80%E6%A0%B7%E5%95%8A%EF%BC%8C%E6%B2%A1%E6%9C%89%E5%8C%BA%E5%88%AB%E5%95%8A%EF%BC%81%E5%8C%BA%E5%88%AB%E5%9C%A8%E4%BA%8Eexpression%E3%80%82MLS%E7%9A%84expression%E5%A4%9A%E4%BA%86%E4%B8%8B%E9%9D%A2%E5%87%A0%E4%B8%AA%E4%B8%9C%E8%A5%BF%EF%BC%9A%0A%3E-%20l1%2C%20l2%EF%BC%9A%E5%B0%8F%E5%86%99%E7%9A%84L%E3%80%82l1%E8%A1%A8%E7%A4%BA%E6%BA%90%E7%9A%84low%20senstivity%20level%E3%80%82l2%E8%A1%A8%E7%A4%BAtarget%E7%9A%84low%20sensitivity%E3%80%82%0A%3E-%20h1%2C%20h2%EF%BC%9A%E5%B0%8F%E5%86%99%E7%9A%84H%E3%80%82h1%E8%A1%A8%E7%A4%BA%E6%BA%90%E7%9A%84high%20senstivity%20level%E3%80%82h2%E8%A1%A8%E7%A4%BAtarget%E7%9A%84high%20sensitivity%E3%80%82%0A%3E-%20l%E5%92%8Ch%E7%9A%84%E5%85%B3%E7%B3%BB%EF%BC%8C%E5%8C%85%E6%8B%ACdom%2Cdomby%2Ceq%E5%92%8Cincomp%E3%80%82%0A%0A%E4%B8%BE%E4%B8%AA%E5%AE%9E%E9%99%85%E7%9A%84%E4%BE%8B%E5%AD%90%EF%BC%9A%0A%60%60%60bash%0A%20%23%20Datagram%20send%3A%20Sender%20must%20be%20dominated%20by%20receiver%20unless%20one%20of%20them%20is%20trusted.%0A%20mlsconstrain%20unix_dgram_socket%20%7B%20sendto%20%7D%0A%20%20%20%20%20%20%20%20%20%20(l1%20domby%20l2%20or%20t1%20%3D%3D%20mlstrustedsubject%20or%20t2%20%3D%3D%20mlstrustedsubject)%3B%0A%23%20mlstrustedsubject%20%E6%98%AFattribute%0A%60%60%60%0A%E5%8F%AA%E6%9C%89%E5%9C%A8%E4%BB%A5%E4%B8%8B3%E4%B8%AA%E6%9D%A1%E4%BB%B6%E4%B9%8B%E4%B8%80%E6%88%90%E7%AB%8B%E7%9A%84%E6%83%85%E5%86%B5%E4%B8%8B%EF%BC%8Csubject%E6%89%8D%E8%83%BD%E8%B0%83%E7%94%A8unix_dgram_socket%20class%E7%9A%84object%E7%9A%84sendto%20permission%3A%0A-%20l1%20domby%20l2%2C%20l1%20sensitivity%E5%B0%8F%E4%BA%8El2%20sensitivity%0A-%20t1%E5%8C%B9%E9%85%8D%E6%88%96%E8%80%85t2%E5%8C%B9%E9%85%8D%E6%A0%87%E7%AD%BEmlstrustedsubject%0A%0A%23%23%20%E6%80%BB%E7%BB%93%0A%E5%BC%95%E7%94%A8%5B6%5D%E4%B8%AD%E7%9A%84%E5%87%A0%E5%BC%A0%E5%9B%BE%E5%81%9A%E4%B8%AA%E6%80%BB%E7%BB%93%E3%80%82%0A%23%23%23%20SELinux%20%E9%A1%B6%E5%B1%82%E6%9E%B6%E6%9E%84%0A!%5B07a76e86c5b555b9fb9070b609f2b0fe.png%5D(evernotecid%3A%2F%2F22617523-9521-4D00-B771-5F27B85F00EB%2Fappyinxiangcom%2F161681%2FENResource%2Fp6230)%0A%23%23%23%20SELinux%20%E5%86%B3%E7%AD%96%E6%B5%81%E7%A8%8B%0A!%5B418b433aea761cc938884e966e8c76bf.png%5D(evernotecid%3A%2F%2F22617523-9521-4D00-B771-5F27B85F00EB%2Fappyinxiangcom%2F161681%2FENResource%2Fp6231)%0A%23%23%23%20Show%20me%20the%20code%0A%E5%8F%82%E8%80%83%5B8%5D%2C%20%E4%B8%8B%E5%9B%BE%E6%98%AFMLS%E7%9A%84%E9%89%B4%E6%9D%83%E6%B5%81%E7%A8%8B%EF%BC%8C%E4%BD%86%E5%AE%9E%E9%99%85%E4%B8%8ASELinux%E7%9A%84TE%EF%BC%8CRABC%EF%BC%8CMLS%E9%83%BD%E6%98%AF%E9%80%9A%E8%BF%87secure%20context%E7%9A%84%E5%88%A4%E6%96%AD%E6%9D%A5%E9%89%B4%E6%9D%83%E7%9A%84%EF%BC%8C%E5%AE%83%E4%BB%AC%E7%9A%84%E5%AE%9E%E7%8E%B0%E4%BD%8D%E7%BD%AE%E5%BA%94%E8%AF%A5%E6%98%AF%E5%9C%A8%E4%B8%80%E8%B5%B7%E7%9A%84%E3%80%82%0A!%5B6ce0a26ebfc3e29766b25445ace8576d.png%5D(evernotecid%3A%2F%2F22617523-9521-4D00-B771-5F27B85F00EB%2Fappyinxiangcom%2F161681%2FENResource%2Fp6232)%0A%0A%0A%23%23%20%E5%8F%82%E8%80%83%E6%96%87%E7%8C%AE%0A1.%20%5B%E6%B7%B1%E5%85%A5%E7%90%86%E8%A7%A3SELinux%20SEAndroid%EF%BC%88%E7%AC%AC%E4%B8%80%E9%83%A8%E5%88%86%EF%BC%89%5D(https%3A%2F%2Fblog.csdn.net%2FInnost%2Farticle%2Fdetails%2F19299937)%0A2.%20%5B%E6%B7%B1%E5%85%A5%E7%90%86%E8%A7%A3SELinux%20SEAndroid%E4%B9%8B%E4%BA%8C%5D(https%3A%2F%2Fblog.csdn.net%2FInnost%2Farticle%2Fdetails%2F19641487)%0A3.%20%5B%E4%BB%8E%E5%A4%B4%E5%BC%80%E5%A7%8B%E7%94%9F%E6%88%90%20SELinux%5D(https%3A%2F%2Fwww.ibm.com%2Fdeveloperworks%2Fcn%2Flinux%2Fl-selinux.html)%0A4.%20%5BSELinux%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0%5D(https%3A%2F%2Fm.open-open.com%2Fpdf%2Fe88821debd374d1cab7b4f54ae14161e.html)%0A5.%20%5BSELinux%E5%88%9D%E5%A7%8B%E5%8C%96%E7%99%BB%E5%BD%95%E7%94%A8%E6%88%B7%E5%AE%89%E5%85%A8%E4%B8%8A%E4%B8%8B%E6%96%87%E7%9A%84%E6%96%B9%E6%B3%95%5D(https%3A%2F%2Fblog.csdn.net%2Fkeheinash%2Farticle%2Fdetails%2F81047520)%0A6.%20%5BLinux%20%E5%9F%BA%E7%A1%80%20-%2013.%20SELinux%5D(https%3A%2F%2Flinotes.imliloli.com%2Flinux%2Fselinux%2F%23135-%25E5%25AF%25B9%25E7%2594%25A8%25E6%2588%25B7%25E7%259A%2584%25E9%2599%2590%25E5%2588%25B6)%0A7.%20Chad%20Hanson%2C%20%22SELinux%20and%20MLS%3A%20Putting%20the%20Pieces%20Together%22%2CTrusted%20Computer%20Solutions%2C%20Inc.%2C%202006%0A8.%20%5BLinux%E5%BC%BA%E5%88%B6%E8%AE%BF%E9%97%AE%E6%8E%A7%E5%88%B6%E6%9C%BA%E5%88%B6%E6%A8%A1%E5%9D%97%E8%AF%A6%E7%BB%86%E6%8F%8F%E8%BF%B0%EF%BC%881%EF%BC%89%5D(http%3A%2F%2Fwww.sohu.com%2Fa%2F128175655_467784)