使能SELinux

《SELinux介绍》一文中，阐述了一些SELinux的基本逻辑，包括TE，RBAC和MLS。那么在一个发型版上怎么将SELinux跑起来呢？我们能对策略文件做点什么呢？这个策略文件能不能动态修改呢？本篇主要目的是回答这几个问题。我不打算做成step by step的教程，具体的步骤可以google之。但会对主要的资源做一些索引，并通过我的思路将它们串联起来。

Fedora上的SELinux

Fedora/RHEL是默认支持SELinux的，且默认就是enforcing状态。如果需要修改，可以

• 临时关闭（不用重启机器）：

setenforce 0         ##设置SELinux 成为permissive模式

• 修改配置文件需要重启机器：
  修改/etc/selinux/config文件, 将SELINUX=enforcing改为SELINUX=disabled

Fedora policy文件的位置在/etc/selinux/targeted/policy/policy.31。31表示版本号。具体的文件格式信息，需要查看Linux源码policydb_read函数，位置在security/selinux/ss/policydb.c

值得注意的是，Ubuntu使用的是AppArmore，而不是SELinux
可以认为：SELinux和AppArmore都是基于LSM（Linux Secure Module）的两个平行的模块。如果希望在Ubuntu上使能SELinux，需要disable AppArmore。如果直接安装并使能SELinux而不关闭AppArmore，系统会挂死。因为2个安全系统拥有不同的文件系统读写配置，形成死锁。网上有很多相关的帖子，可以尝试着做一做实验。我已经以身试法上面说的挂死的情况了。请莫效仿。

Labelling

SELinux的核心思想就是一个标签体系（security context，简称SContext）。那么这个标签是怎么打上去的？这个打标签的过程称为labelling。那么labelling是怎么和内核启动相结合以及如何与终端用户（或者管理员用户）交互的呢？
如果暂时放下SELinux，我们想一想应该怎么做？我认为如果是我，可能会：

• 先给所有的process打上类似user_u:role_r:type_t:s0-s1:c0,c1-c255这样的标签
• 然后给所有的file（此处的file，应该是Linux中万物皆文件的file）也打上类似的标签，不过role就是固定的object_r了

那么看看SELinux到底是不是这样做的呢？

给进程打标签

First of all, know that SELinux supports inheritance of contexts. Furthermore more, inheritance of contexts is the default behavior: if there is no policy in SELinux that specifies otherwise, then anything created will inherit the context of its parent.[1]

我们知道Linux的所有进程都是kernel启动时的1号进程通过fork系统调用叫起来的。1号进程可能是openrc或者systemd之类的进程。所以所有的进程一上来都会继承init进程的所有标签，然后再根据具体的policy设定进行type transition。
正好，SELinux就支持这种Domain/Type Transition的语法（当然不是正好，是SELinux设计者们就是这么设计的）。

注：通过《SELinux介绍》一文，我们可以知道Domain其实就是进程的Type

举个Domain Transition的例子

type_transition init_t apache_exec_t : process apache_t

翻译成人类语言就是：
当init_t Domain中的进程执行type为apache_exec_t类型的可执行文件（fork并execv）时（文件的class为process），所属Domain（对process而言，肯定是指Domain）需要切换到apache_t域。

要做到这个type transition，那显然要涉及到以下3个权限：
1.首先，你得让init_t域中的进程能够执行type为apache_exec_t的文件
allow init_t apache_exec_t : file execute;
2.然后，你还得告诉SELiux，允许init_t做DT切换以进入apache_t域
allow init_t apache_t : process transition;
3.最后，你还得告诉SELinux，切换入口（对应为entrypoint权限）为执行apache_exec_t类型的文件
allow apache_t apache_exec_t : file entrypoint;

所以一条type transition的规则就要搭配另外至少3条规则（事实上，具体的发行版可能会更多）来运行。于是SELinux就发明了宏，类似函数来方便定义进程的标签转换。参考安卓的实现[1]:

# [external/sepolicy/te_macros]
# 定义domain_trans宏。$1,$2等等代表宏的第一个，第二个....参数

define(`domain_trans', `
    allow $1 $2:file { getattr open read execute };
    allow $1 $3:process transition;
    allow $3 $2:file { entrypoint read execute };
    ...
')

#定义domain_auto_trans宏，这个宏才是我们在te中直接使用的

define(`domain_auto_trans', `
    domain_trans($1,$2,$3)
    type_transition $1 $2:process $3;
')

对应到之前的例子，如果apache_exec_t类型的文件被init进程叫起来以后，要切换到apache_t域就要用下面这条宏调用。

domain_auto_trans(init_t, apache_exec_t, apache_t)

以一个真实的例子结束这一段：

# 在external/sepolicy/init_shell.te中就有上述宏的用法：
./init_shell.te:4:domain_auto_trans(init, shell_exec, init_shell)

给文件打标签

进程的标签是从init进程继承，并按照策略文件进行响应的domain transition来的。那么文件的标签是从哪来的呢？例如u:object_r:cache_file:s0。
事实上初始的文件系统也是有个初始值的，这个初始值通常放在一个叫file_contexts的文件里。例如Android的在external/sepolicy/file_contexts。再摘去一段看看，这个file_contexts到底是啥：

/dev(/.*)?        u:object_r:device:s0
/dev/akm8973.*        u:object_r:akm_device:s0
/dev/accelerometer    u:object_r:accelerometer_device:s0
/dev/alarm        u:object_r:alarm_device:s0
/dev/android_adb.*    u:object_r:adb_device:s0
/dev/ashmem        u:object_r:ashmem_device:s0
/dev/audio.*        u:object_r:audio_device:s0

可见file_contexts描述的就是一些文件和文件夹的安全标签（SContext)。
那么新建一个目录或者一个文件，他的标签又怎么来呢？
当创建一个新文件时（目录也是一种文件），实际上它的标签会继承自其父目录，之后按照规则文件规定的做type transition。和进程的打标签过程是不是很类似？
具体的语法可以参考[1]

特殊的标签sid

可以参考[5]。[2]中阐述了sid以及sid_context的语法。但是对为什么有这两个东西，并且它们有什么用上，没有说清楚。[5]做了比较好的解释。
总结一下就是，Linux kernel在init进程加载policy之前，也需要一些基本的标签，而这些标签也就是所谓的sid（secure ID）。每个sid对应一个sid_context。这些都是固化在内核里的。在init加载以后，所有sid对应的标签都会被转换到正常的设置。

策略/标签文件从哪来?

先看实例，Android的策略文件的位置在
Android系统策略文件(.te)位置在system/sepolicy,device/<manufacturer>/<device-name>/sepolicy

#############################
# Default HALs
#
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio@2\.0-service          u:object_r:hal_audio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service  u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.0-service  u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-service  u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service      u:object_r:hal_bluetooth_default_exec:s0

既然和写代码一样，那就也有开发环境了，参考[2]的7.6一节。在此不做深究。
安卓上编译策略文件的流程如下图：

策略更新

策略加载的流程通常都是由1号进程完成的。它负责读取配置文件，加载编译后的策略文件，并传入内核的LSM（Linux Secure Module）来完成SELinux的初始化。那么如果我们要修改策略（增删改），那势必要重新编译，重新部署。这一部分可以参考[3]。虽然里面的软件版本比较旧，但核心的思路不变。我理解的大致流程如下（我还没有试验过，可以找一个虚拟机试试看）：

• 编译策略文件，生成二进制的策略文件policy.bin
• 将policy.bin放入/etc/目录
• 使用setfiles重新标记文件系统
• 使用semanage创建管理员账号
• 重启生效

以上的操作都要由root账号来完成。可见root还是很无敌啊。

用户态工具链

引用[4]中的文字：

The policycoreutils package installs the following utilities:

• fixfiles: Fixes the security context on file systems
• load_policy: Loads a new SELinux policy into the kernel
• restorecon: Resets the security context on one or more files
• setfiles: Initializes the security context on one or more files
• secon: Displays the SELinux context from a file, program, or user input
• semodule_package: Creates an SELinux policy module package
• restorecond: Is a daemon that watches for file creation and sets the default file context
• semodule: Manages SELinux policy modules
• sestatus: Displays SELinux status
• setsebool: Sets SELinux Boolean value

我所用过的：

• checkpolicy: 编译策略文件(.te)
• setfiles: 给文件系统打标签
• semanage: 管理SELinux下的用户系统

参考文献

1. Gentoo Linux - SELinux/Tutorials/How does a process get into a certain context
2. SELinux学习笔记
3. 从头开始生成 SELinux
4. List of SELinux Utilities
5. Initial Security Identifiers

%E3%80%8ASELinux%E4%BB%8B%E7%BB%8D%E3%80%8B%E4%B8%80%E6%96%87%E4%B8%AD%EF%BC%8C%E9%98%90%E8%BF%B0%E4%BA%86%E4%B8%80%E4%BA%9BSELinux%E7%9A%84%E5%9F%BA%E6%9C%AC%E9%80%BB%E8%BE%91%EF%BC%8C%E5%8C%85%E6%8B%ACTE%EF%BC%8CRBAC%E5%92%8CMLS%E3%80%82%E9%82%A3%E4%B9%88%E5%9C%A8%E4%B8%80%E4%B8%AA%E5%8F%91%E5%9E%8B%E7%89%88%E4%B8%8A%E6%80%8E%E4%B9%88%E5%B0%86SELinux%E8%B7%91%E8%B5%B7%E6%9D%A5%E5%91%A2%EF%BC%9F%E6%88%91%E4%BB%AC%E8%83%BD%E5%AF%B9%E7%AD%96%E7%95%A5%E6%96%87%E4%BB%B6%E5%81%9A%E7%82%B9%E4%BB%80%E4%B9%88%E5%91%A2%EF%BC%9F%E8%BF%99%E4%B8%AA%E7%AD%96%E7%95%A5%E6%96%87%E4%BB%B6%E8%83%BD%E4%B8%8D%E8%83%BD%E5%8A%A8%E6%80%81%E4%BF%AE%E6%94%B9%E5%91%A2%EF%BC%9F%E6%9C%AC%E7%AF%87%E4%B8%BB%E8%A6%81%E7%9B%AE%E7%9A%84%E6%98%AF%E5%9B%9E%E7%AD%94%E8%BF%99%E5%87%A0%E4%B8%AA%E9%97%AE%E9%A2%98%E3%80%82%E6%88%91%E4%B8%8D%E6%89%93%E7%AE%97%E5%81%9A%E6%88%90step%20by%20step%E7%9A%84%E6%95%99%E7%A8%8B%EF%BC%8C%E5%85%B7%E4%BD%93%E7%9A%84%E6%AD%A5%E9%AA%A4%E5%8F%AF%E4%BB%A5google%E4%B9%8B%E3%80%82%E4%BD%86%E4%BC%9A%E5%AF%B9%E4%B8%BB%E8%A6%81%E7%9A%84%E8%B5%84%E6%BA%90%E5%81%9A%E4%B8%80%E4%BA%9B%E7%B4%A2%E5%BC%95%EF%BC%8C%E5%B9%B6%E9%80%9A%E8%BF%87%E6%88%91%E7%9A%84%E6%80%9D%E8%B7%AF%E5%B0%86%E5%AE%83%E4%BB%AC%E4%B8%B2%E8%81%94%E8%B5%B7%E6%9D%A5%E3%80%82%0A%23%23%20Fedora%E4%B8%8A%E7%9A%84SELinux%0AFedora%2FRHEL%E6%98%AF%E9%BB%98%E8%AE%A4%E6%94%AF%E6%8C%81SELinux%E7%9A%84%EF%BC%8C%E4%B8%94%E9%BB%98%E8%AE%A4%E5%B0%B1%E6%98%AFenforcing%E7%8A%B6%E6%80%81%E3%80%82%E5%A6%82%E6%9E%9C%E9%9C%80%E8%A6%81%E4%BF%AE%E6%94%B9%EF%BC%8C%E5%8F%AF%E4%BB%A5%0A-%20%E4%B8%B4%E6%97%B6%E5%85%B3%E9%97%AD%EF%BC%88%E4%B8%8D%E7%94%A8%E9%87%8D%E5%90%AF%E6%9C%BA%E5%99%A8%EF%BC%89%EF%BC%9A%0A%60%60%60bash%0Asetenforce%200%20%20%20%20%20%20%20%20%20%23%23%E8%AE%BE%E7%BD%AESELinux%20%E6%88%90%E4%B8%BApermissive%E6%A8%A1%E5%BC%8F%0A%60%60%60%0A-%20%E4%BF%AE%E6%94%B9%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6%E9%9C%80%E8%A6%81%E9%87%8D%E5%90%AF%E6%9C%BA%E5%99%A8%EF%BC%9A%0A%E4%BF%AE%E6%94%B9%2Fetc%2Fselinux%2Fconfig%E6%96%87%E4%BB%B6%2C%20%E5%B0%86SELINUX%3Denforcing%E6%94%B9%E4%B8%BASELINUX%3Ddisabled%0A%0AFedora%20policy%E6%96%87%E4%BB%B6%E7%9A%84%E4%BD%8D%E7%BD%AE%E5%9C%A8%2Fetc%2Fselinux%2Ftargeted%2Fpolicy%2Fpolicy.31%E3%80%8231%E8%A1%A8%E7%A4%BA%E7%89%88%E6%9C%AC%E5%8F%B7%E3%80%82%E5%85%B7%E4%BD%93%E7%9A%84%E6%96%87%E4%BB%B6%E6%A0%BC%E5%BC%8F%E4%BF%A1%E6%81%AF%EF%BC%8C%E9%9C%80%E8%A6%81%E6%9F%A5%E7%9C%8BLinux%E6%BA%90%E7%A0%81%60policydb_read%60%E5%87%BD%E6%95%B0%EF%BC%8C%E4%BD%8D%E7%BD%AE%E5%9C%A8%60security%2Fselinux%2Fss%2Fpolicydb.c%60%0A%3E%20%E5%80%BC%E5%BE%97%E6%B3%A8%E6%84%8F%E7%9A%84%E6%98%AF%EF%BC%8CUbuntu%E4%BD%BF%E7%94%A8%E7%9A%84%E6%98%AFAppArmore%EF%BC%8C%E8%80%8C%E4%B8%8D%E6%98%AFSELinux%0A%3E%20%E5%8F%AF%E4%BB%A5%E8%AE%A4%E4%B8%BA%EF%BC%9ASELinux%E5%92%8CAppArmore%E9%83%BD%E6%98%AF%E5%9F%BA%E4%BA%8ELSM%EF%BC%88Linux%20Secure%20Module%EF%BC%89%E7%9A%84%E4%B8%A4%E4%B8%AA%E5%B9%B3%E8%A1%8C%E7%9A%84%E6%A8%A1%E5%9D%97%E3%80%82%E5%A6%82%E6%9E%9C%E5%B8%8C%E6%9C%9B%E5%9C%A8Ubuntu%E4%B8%8A%E4%BD%BF%E8%83%BDSELinux%EF%BC%8C%E9%9C%80%E8%A6%81disable%20AppArmore%E3%80%82%E5%A6%82%E6%9E%9C%E7%9B%B4%E6%8E%A5%E5%AE%89%E8%A3%85%E5%B9%B6%E4%BD%BF%E8%83%BDSELinux%E8%80%8C%E4%B8%8D%E5%85%B3%E9%97%ADAppArmore%EF%BC%8C%E7%B3%BB%E7%BB%9F%E4%BC%9A%E6%8C%82%E6%AD%BB%E3%80%82%E5%9B%A0%E4%B8%BA2%E4%B8%AA%E5%AE%89%E5%85%A8%E7%B3%BB%E7%BB%9F%E6%8B%A5%E6%9C%89%E4%B8%8D%E5%90%8C%E7%9A%84%E6%96%87%E4%BB%B6%E7%B3%BB%E7%BB%9F%E8%AF%BB%E5%86%99%E9%85%8D%E7%BD%AE%EF%BC%8C%E5%BD%A2%E6%88%90%E6%AD%BB%E9%94%81%E3%80%82%E7%BD%91%E4%B8%8A%E6%9C%89%E5%BE%88%E5%A4%9A%E7%9B%B8%E5%85%B3%E7%9A%84%E5%B8%96%E5%AD%90%EF%BC%8C%E5%8F%AF%E4%BB%A5%E5%B0%9D%E8%AF%95%E7%9D%80%E5%81%9A%E4%B8%80%E5%81%9A%E5%AE%9E%E9%AA%8C%E3%80%82%E6%88%91%E5%B7%B2%E7%BB%8F%E4%BB%A5%E8%BA%AB%E8%AF%95%E6%B3%95%E4%B8%8A%E9%9D%A2%E8%AF%B4%E7%9A%84%E6%8C%82%E6%AD%BB%E7%9A%84%E6%83%85%E5%86%B5%E4%BA%86%E3%80%82%E8%AF%B7%E8%8E%AB%E6%95%88%E4%BB%BF%E3%80%82%0A%23%23%20Labelling%0ASELinux%E7%9A%84%E6%A0%B8%E5%BF%83%E6%80%9D%E6%83%B3%E5%B0%B1%E6%98%AF%E4%B8%80%E4%B8%AA%E6%A0%87%E7%AD%BE%E4%BD%93%E7%B3%BB%EF%BC%88security%20context%EF%BC%8C%E7%AE%80%E7%A7%B0SContext%EF%BC%89%E3%80%82%E9%82%A3%E4%B9%88%E8%BF%99%E4%B8%AA%E6%A0%87%E7%AD%BE%E6%98%AF%E6%80%8E%E4%B9%88%E6%89%93%E4%B8%8A%E5%8E%BB%E7%9A%84%EF%BC%9F%E8%BF%99%E4%B8%AA%E6%89%93%E6%A0%87%E7%AD%BE%E7%9A%84%E8%BF%87%E7%A8%8B%E7%A7%B0%E4%B8%BAlabelling%E3%80%82%E9%82%A3%E4%B9%88labelling%E6%98%AF%E6%80%8E%E4%B9%88%E5%92%8C%E5%86%85%E6%A0%B8%E5%90%AF%E5%8A%A8%E7%9B%B8%E7%BB%93%E5%90%88%E4%BB%A5%E5%8F%8A%E5%A6%82%E4%BD%95%E4%B8%8E%E7%BB%88%E7%AB%AF%E7%94%A8%E6%88%B7%EF%BC%88%E6%88%96%E8%80%85%E7%AE%A1%E7%90%86%E5%91%98%E7%94%A8%E6%88%B7%EF%BC%89%E4%BA%A4%E4%BA%92%E7%9A%84%E5%91%A2%EF%BC%9F%0A%E5%A6%82%E6%9E%9C%E6%9A%82%E6%97%B6%E6%94%BE%E4%B8%8BSELinux%EF%BC%8C%E6%88%91%E4%BB%AC%E6%83%B3%E4%B8%80%E6%83%B3%E5%BA%94%E8%AF%A5%E6%80%8E%E4%B9%88%E5%81%9A%EF%BC%9F%E6%88%91%E8%AE%A4%E4%B8%BA%E5%A6%82%E6%9E%9C%E6%98%AF%E6%88%91%EF%BC%8C%E5%8F%AF%E8%83%BD%E4%BC%9A%EF%BC%9A%0A-%20%E5%85%88%E7%BB%99%E6%89%80%E6%9C%89%E7%9A%84process%E6%89%93%E4%B8%8A%E7%B1%BB%E4%BC%BC%60user_u%3Arole_r%3Atype_t%3As0-s1%3Ac0%2Cc1-c255%60%E8%BF%99%E6%A0%B7%E7%9A%84%E6%A0%87%E7%AD%BE%0A-%20%E7%84%B6%E5%90%8E%E7%BB%99%E6%89%80%E6%9C%89%E7%9A%84file%EF%BC%88%E6%AD%A4%E5%A4%84%E7%9A%84file%EF%BC%8C%E5%BA%94%E8%AF%A5%E6%98%AFLinux%E4%B8%AD%E4%B8%87%E7%89%A9%E7%9A%86%E6%96%87%E4%BB%B6%E7%9A%84file%EF%BC%89%E4%B9%9F%E6%89%93%E4%B8%8A%E7%B1%BB%E4%BC%BC%E7%9A%84%E6%A0%87%E7%AD%BE%EF%BC%8C%E4%B8%8D%E8%BF%87role%E5%B0%B1%E6%98%AF%E5%9B%BA%E5%AE%9A%E7%9A%84object_r%E4%BA%86%0A%0A%E9%82%A3%E4%B9%88%E7%9C%8B%E7%9C%8BSELinux%E5%88%B0%E5%BA%95%E6%98%AF%E4%B8%8D%E6%98%AF%E8%BF%99%E6%A0%B7%E5%81%9A%E7%9A%84%E5%91%A2%EF%BC%9F%0A%23%23%23%20%E7%BB%99%E8%BF%9B%E7%A8%8B%E6%89%93%E6%A0%87%E7%AD%BE%0A%3EFirst%20of%20all%2C%20know%20that%20SELinux%20supports%20inheritance%20of%20contexts.%20Furthermore%20more%2C%20inheritance%20of%20contexts%20is%20the%20default%20behavior%3A%20if%20there%20is%20no%20policy%20in%20SELinux%20that%20specifies%20otherwise%2C%20then%20anything%20created%20will%20inherit%20the%20context%20of%20its%20parent.%5B1%5D%0A%0A%E6%88%91%E4%BB%AC%E7%9F%A5%E9%81%93Linux%E7%9A%84%E6%89%80%E6%9C%89%E8%BF%9B%E7%A8%8B%E9%83%BD%E6%98%AFkernel%E5%90%AF%E5%8A%A8%E6%97%B6%E7%9A%841%E5%8F%B7%E8%BF%9B%E7%A8%8B%E9%80%9A%E8%BF%87fork%E7%B3%BB%E7%BB%9F%E8%B0%83%E7%94%A8%E5%8F%AB%E8%B5%B7%E6%9D%A5%E7%9A%84%E3%80%821%E5%8F%B7%E8%BF%9B%E7%A8%8B%E5%8F%AF%E8%83%BD%E6%98%AFopenrc%E6%88%96%E8%80%85systemd%E4%B9%8B%E7%B1%BB%E7%9A%84%E8%BF%9B%E7%A8%8B%E3%80%82%E6%89%80%E4%BB%A5%E6%89%80%E6%9C%89%E7%9A%84%E8%BF%9B%E7%A8%8B%E4%B8%80%E4%B8%8A%E6%9D%A5%E9%83%BD%E4%BC%9A%E7%BB%A7%E6%89%BFinit%E8%BF%9B%E7%A8%8B%E7%9A%84%E6%89%80%E6%9C%89%E6%A0%87%E7%AD%BE%EF%BC%8C%E7%84%B6%E5%90%8E%E5%86%8D%E6%A0%B9%E6%8D%AE%E5%85%B7%E4%BD%93%E7%9A%84policy%E8%AE%BE%E5%AE%9A%E8%BF%9B%E8%A1%8Ctype%20transition%E3%80%82%0A%E6%AD%A3%E5%A5%BD%EF%BC%8CSELinux%E5%B0%B1%E6%94%AF%E6%8C%81%E8%BF%99%E7%A7%8DDomain%2FType%20Transition%E7%9A%84%E8%AF%AD%E6%B3%95%EF%BC%88%E5%BD%93%E7%84%B6%E4%B8%8D%E6%98%AF%E6%AD%A3%E5%A5%BD%EF%BC%8C%E6%98%AFSELinux%E8%AE%BE%E8%AE%A1%E8%80%85%E4%BB%AC%E5%B0%B1%E6%98%AF%E8%BF%99%E4%B9%88%E8%AE%BE%E8%AE%A1%E7%9A%84%EF%BC%89%E3%80%82%0A%3E%E6%B3%A8%EF%BC%9A%E9%80%9A%E8%BF%87%E3%80%8ASELinux%E4%BB%8B%E7%BB%8D%E3%80%8B%E4%B8%80%E6%96%87%EF%BC%8C%E6%88%91%E4%BB%AC%E5%8F%AF%E4%BB%A5%E7%9F%A5%E9%81%93Domain%E5%85%B6%E5%AE%9E%E5%B0%B1%E6%98%AF%E8%BF%9B%E7%A8%8B%E7%9A%84Type%0A%0A%E4%B8%BE%E4%B8%AADomain%20Transition%E7%9A%84%E4%BE%8B%E5%AD%90%0A%60%60%60%0Atype_transition%20init_t%20apache_exec_t%20%3A%20process%20apache_t%0A%60%60%60%0A%E7%BF%BB%E8%AF%91%E6%88%90%E4%BA%BA%E7%B1%BB%E8%AF%AD%E8%A8%80%E5%B0%B1%E6%98%AF%EF%BC%9A%0A%E5%BD%93**init_t%20Domain**%E4%B8%AD%E7%9A%84%E8%BF%9B%E7%A8%8B**%E6%89%A7%E8%A1%8C**type%E4%B8%BA**apache_exec_t**%E7%B1%BB%E5%9E%8B%E7%9A%84%E5%8F%AF%E6%89%A7%E8%A1%8C%E6%96%87%E4%BB%B6%EF%BC%88fork%E5%B9%B6execv%EF%BC%89%E6%97%B6%EF%BC%88%E6%96%87%E4%BB%B6%E7%9A%84class%E4%B8%BAprocess%EF%BC%89%EF%BC%8C%E6%89%80%E5%B1%9EDomain%EF%BC%88%E5%AF%B9process%E8%80%8C%E8%A8%80%EF%BC%8C%E8%82%AF%E5%AE%9A%E6%98%AF%E6%8C%87Domain%EF%BC%89%E9%9C%80%E8%A6%81%E5%88%87%E6%8D%A2%E5%88%B0apache_t%E5%9F%9F%E3%80%82%0A%0A%E8%A6%81%E5%81%9A%E5%88%B0%E8%BF%99%E4%B8%AAtype%20transition%EF%BC%8C%E9%82%A3%E6%98%BE%E7%84%B6%E8%A6%81%E6%B6%89%E5%8F%8A%E5%88%B0%E4%BB%A5%E4%B8%8B3%E4%B8%AA%E6%9D%83%E9%99%90%EF%BC%9A%0A1.%E9%A6%96%E5%85%88%EF%BC%8C%E4%BD%A0%E5%BE%97%E8%AE%A9init_t%E5%9F%9F%E4%B8%AD%E7%9A%84%E8%BF%9B%E7%A8%8B%E8%83%BD%E5%A4%9F%E6%89%A7%E8%A1%8Ctype%E4%B8%BAapache_exec_t%E7%9A%84%E6%96%87%E4%BB%B6%0A%60allow%20init_t%20apache_exec_t%20%3A%20file%20execute%3B%60%0A2.%E7%84%B6%E5%90%8E%EF%BC%8C%E4%BD%A0%E8%BF%98%E5%BE%97%E5%91%8A%E8%AF%89SELiux%EF%BC%8C%E5%85%81%E8%AE%B8init_t%E5%81%9ADT%E5%88%87%E6%8D%A2%E4%BB%A5%E8%BF%9B%E5%85%A5apache_t%E5%9F%9F%0A%60allow%20init_t%20apache_t%20%3A%20process%20transition%3B%60%0A3.%E6%9C%80%E5%90%8E%EF%BC%8C%E4%BD%A0%E8%BF%98%E5%BE%97%E5%91%8A%E8%AF%89SELinux%EF%BC%8C%E5%88%87%E6%8D%A2%E5%85%A5%E5%8F%A3%EF%BC%88%E5%AF%B9%E5%BA%94%E4%B8%BAentrypoint%E6%9D%83%E9%99%90%EF%BC%89%E4%B8%BA%E6%89%A7%E8%A1%8Capache_exec_t%E7%B1%BB%E5%9E%8B%E7%9A%84%E6%96%87%E4%BB%B6%0A%60allow%20apache_t%20apache_exec_t%20%3A%20file%20entrypoint%3B%60%0A%0A%E6%89%80%E4%BB%A5%E4%B8%80%E6%9D%A1type%20transition%E7%9A%84%E8%A7%84%E5%88%99%E5%B0%B1%E8%A6%81%E6%90%AD%E9%85%8D%E5%8F%A6%E5%A4%96%E8%87%B3%E5%B0%913%E6%9D%A1%E8%A7%84%E5%88%99%EF%BC%88%E4%BA%8B%E5%AE%9E%E4%B8%8A%EF%BC%8C%E5%85%B7%E4%BD%93%E7%9A%84%E5%8F%91%E8%A1%8C%E7%89%88%E5%8F%AF%E8%83%BD%E4%BC%9A%E6%9B%B4%E5%A4%9A%EF%BC%89%E6%9D%A5%E8%BF%90%E8%A1%8C%E3%80%82%E4%BA%8E%E6%98%AFSELinux%E5%B0%B1%E5%8F%91%E6%98%8E%E4%BA%86%E5%AE%8F%EF%BC%8C%E7%B1%BB%E4%BC%BC%E5%87%BD%E6%95%B0%E6%9D%A5%E6%96%B9%E4%BE%BF%E5%AE%9A%E4%B9%89%E8%BF%9B%E7%A8%8B%E7%9A%84%E6%A0%87%E7%AD%BE%E8%BD%AC%E6%8D%A2%E3%80%82%E5%8F%82%E8%80%83%E5%AE%89%E5%8D%93%E7%9A%84%E5%AE%9E%E7%8E%B0%5B1%5D%3A%0A%60%60%60bash%0A%23%20%5Bexternal%2Fsepolicy%2Fte_macros%5D%0A%23%20%E5%AE%9A%E4%B9%89domain_trans%E5%AE%8F%E3%80%82%241%2C%242%E7%AD%89%E7%AD%89%E4%BB%A3%E8%A1%A8%E5%AE%8F%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AA%EF%BC%8C%E7%AC%AC%E4%BA%8C%E4%B8%AA....%E5%8F%82%E6%95%B0%0A%0Adefine(%60domain_trans'%2C%20%60%0A%20%20%20%20allow%20%241%20%242%3Afile%20%7B%20getattr%20open%20read%20execute%20%7D%3B%0A%20%20%20%20allow%20%241%20%243%3Aprocess%20transition%3B%0A%20%20%20%20allow%20%243%20%242%3Afile%20%7B%20entrypoint%20read%20execute%20%7D%3B%0A%20%20%20%20...%0A')%0A%0A%23%E5%AE%9A%E4%B9%89domain_auto_trans%E5%AE%8F%EF%BC%8C%E8%BF%99%E4%B8%AA%E5%AE%8F%E6%89%8D%E6%98%AF%E6%88%91%E4%BB%AC%E5%9C%A8te%E4%B8%AD%E7%9B%B4%E6%8E%A5%E4%BD%BF%E7%94%A8%E7%9A%84%0A%0Adefine(%60domain_auto_trans'%2C%20%60%0A%20%20%20%20domain_trans(%241%2C%242%2C%243)%0A%20%20%20%20type_transition%20%241%20%242%3Aprocess%20%243%3B%0A')%0A%60%60%60%0A%E5%AF%B9%E5%BA%94%E5%88%B0%E4%B9%8B%E5%89%8D%E7%9A%84%E4%BE%8B%E5%AD%90%EF%BC%8C%E5%A6%82%E6%9E%9Capache_exec_t%E7%B1%BB%E5%9E%8B%E7%9A%84%E6%96%87%E4%BB%B6%E8%A2%ABinit%E8%BF%9B%E7%A8%8B%E5%8F%AB%E8%B5%B7%E6%9D%A5%E4%BB%A5%E5%90%8E%EF%BC%8C%E8%A6%81%E5%88%87%E6%8D%A2%E5%88%B0apache_t%E5%9F%9F%E5%B0%B1%E8%A6%81%E7%94%A8%E4%B8%8B%E9%9D%A2%E8%BF%99%E6%9D%A1%E5%AE%8F%E8%B0%83%E7%94%A8%E3%80%82%0A%60%60%60%0Adomain_auto_trans(init_t%2C%20apache_exec_t%2C%20apache_t)%0A%60%60%60%0A%E4%BB%A5%E4%B8%80%E4%B8%AA%E7%9C%9F%E5%AE%9E%E7%9A%84%E4%BE%8B%E5%AD%90%E7%BB%93%E6%9D%9F%E8%BF%99%E4%B8%80%E6%AE%B5%EF%BC%9A%0A%60%60%60bash%0A%23%20%E5%9C%A8external%2Fsepolicy%2Finit_shell.te%E4%B8%AD%E5%B0%B1%E6%9C%89%E4%B8%8A%E8%BF%B0%E5%AE%8F%E7%9A%84%E7%94%A8%E6%B3%95%EF%BC%9A%0A.%2Finit_shell.te%3A4%3Adomain_auto_trans(init%2C%20shell_exec%2C%20init_shell)%0A%60%60%60%0A%23%23%23%20%E7%BB%99%E6%96%87%E4%BB%B6%E6%89%93%E6%A0%87%E7%AD%BE%0A%E8%BF%9B%E7%A8%8B%E7%9A%84%E6%A0%87%E7%AD%BE%E6%98%AF%E4%BB%8Einit%E8%BF%9B%E7%A8%8B%E7%BB%A7%E6%89%BF%EF%BC%8C%E5%B9%B6%E6%8C%89%E7%85%A7%E7%AD%96%E7%95%A5%E6%96%87%E4%BB%B6%E8%BF%9B%E8%A1%8C%E5%93%8D%E5%BA%94%E7%9A%84domain%20transition%E6%9D%A5%E7%9A%84%E3%80%82%E9%82%A3%E4%B9%88%E6%96%87%E4%BB%B6%E7%9A%84%E6%A0%87%E7%AD%BE%E6%98%AF%E4%BB%8E%E5%93%AA%E6%9D%A5%E7%9A%84%E5%91%A2%EF%BC%9F%E4%BE%8B%E5%A6%82%60u%3Aobject_r%3Acache_file%3As0%60%E3%80%82%0A%E4%BA%8B%E5%AE%9E%E4%B8%8A%E5%88%9D%E5%A7%8B%E7%9A%84%E6%96%87%E4%BB%B6%E7%B3%BB%E7%BB%9F%E4%B9%9F%E6%98%AF%E6%9C%89%E4%B8%AA%E5%88%9D%E5%A7%8B%E5%80%BC%E7%9A%84%EF%BC%8C%E8%BF%99%E4%B8%AA%E5%88%9D%E5%A7%8B%E5%80%BC%E9%80%9A%E5%B8%B8%E6%94%BE%E5%9C%A8%E4%B8%80%E4%B8%AA%E5%8F%ABfile_contexts%E7%9A%84%E6%96%87%E4%BB%B6%E9%87%8C%E3%80%82%E4%BE%8B%E5%A6%82Android%E7%9A%84%E5%9C%A8%60external%2Fsepolicy%2Ffile_contexts%60%E3%80%82%E5%86%8D%E6%91%98%E5%8E%BB%E4%B8%80%E6%AE%B5%E7%9C%8B%E7%9C%8B%EF%BC%8C%E8%BF%99%E4%B8%AAfile_contexts%E5%88%B0%E5%BA%95%E6%98%AF%E5%95%A5%EF%BC%9A%0A%60%60%60%0A%2Fdev(%2F.*)%3F%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%20u%3Aobject_r%3Adevice%3As0%0A%2Fdev%2Fakm8973.*%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%20u%3Aobject_r%3Aakm_device%3As0%0A%2Fdev%2Faccelerometer%C2%A0%C2%A0%C2%A0%20u%3Aobject_r%3Aaccelerometer_device%3As0%0A%2Fdev%2Falarm%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%20u%3Aobject_r%3Aalarm_device%3As0%0A%2Fdev%2Fandroid_adb.*%C2%A0%C2%A0%C2%A0%20u%3Aobject_r%3Aadb_device%3As0%0A%2Fdev%2Fashmem%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%20u%3Aobject_r%3Aashmem_device%3As0%0A%2Fdev%2Faudio.*%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%C2%A0%20u%3Aobject_r%3Aaudio_device%3As0%0A%60%60%60%0A%E5%8F%AF%E8%A7%81file_contexts%E6%8F%8F%E8%BF%B0%E7%9A%84%E5%B0%B1%E6%98%AF%E4%B8%80%E4%BA%9B%E6%96%87%E4%BB%B6%E5%92%8C%E6%96%87%E4%BB%B6%E5%A4%B9%E7%9A%84%E5%AE%89%E5%85%A8%E6%A0%87%E7%AD%BE%EF%BC%88SContext)%E3%80%82%0A%E9%82%A3%E4%B9%88%E6%96%B0%E5%BB%BA%E4%B8%80%E4%B8%AA%E7%9B%AE%E5%BD%95%E6%88%96%E8%80%85%E4%B8%80%E4%B8%AA%E6%96%87%E4%BB%B6%EF%BC%8C%E4%BB%96%E7%9A%84%E6%A0%87%E7%AD%BE%E5%8F%88%E6%80%8E%E4%B9%88%E6%9D%A5%E5%91%A2%EF%BC%9F%0A%E5%BD%93%E5%88%9B%E5%BB%BA%E4%B8%80%E4%B8%AA%E6%96%B0%E6%96%87%E4%BB%B6%E6%97%B6%EF%BC%88%E7%9B%AE%E5%BD%95%E4%B9%9F%E6%98%AF%E4%B8%80%E7%A7%8D%E6%96%87%E4%BB%B6%EF%BC%89%EF%BC%8C%E5%AE%9E%E9%99%85%E4%B8%8A%E5%AE%83%E7%9A%84%E6%A0%87%E7%AD%BE%E4%BC%9A%E7%BB%A7%E6%89%BF%E8%87%AA%E5%85%B6%E7%88%B6%E7%9B%AE%E5%BD%95%EF%BC%8C%E4%B9%8B%E5%90%8E%E6%8C%89%E7%85%A7%E8%A7%84%E5%88%99%E6%96%87%E4%BB%B6%E8%A7%84%E5%AE%9A%E7%9A%84%E5%81%9Atype%20transition%E3%80%82%E5%92%8C%E8%BF%9B%E7%A8%8B%E7%9A%84%E6%89%93%E6%A0%87%E7%AD%BE%E8%BF%87%E7%A8%8B%E6%98%AF%E4%B8%8D%E6%98%AF%E5%BE%88%E7%B1%BB%E4%BC%BC%EF%BC%9F%0A%E5%85%B7%E4%BD%93%E7%9A%84%E8%AF%AD%E6%B3%95%E5%8F%AF%E4%BB%A5%E5%8F%82%E8%80%83%5B1%5D%0A%0A%23%23%23%20%E7%89%B9%E6%AE%8A%E7%9A%84%E6%A0%87%E7%AD%BEsid%0A%E5%8F%AF%E4%BB%A5%E5%8F%82%E8%80%83%5B5%5D%E3%80%82%5B2%5D%E4%B8%AD%E9%98%90%E8%BF%B0%E4%BA%86sid%E4%BB%A5%E5%8F%8Asid_context%E7%9A%84%E8%AF%AD%E6%B3%95%E3%80%82%E4%BD%86%E6%98%AF%E5%AF%B9%E4%B8%BA%E4%BB%80%E4%B9%88%E6%9C%89%E8%BF%99%E4%B8%A4%E4%B8%AA%E4%B8%9C%E8%A5%BF%EF%BC%8C%E5%B9%B6%E4%B8%94%E5%AE%83%E4%BB%AC%E6%9C%89%E4%BB%80%E4%B9%88%E7%94%A8%E4%B8%8A%EF%BC%8C%E6%B2%A1%E6%9C%89%E8%AF%B4%E6%B8%85%E6%A5%9A%E3%80%82%5B5%5D%E5%81%9A%E4%BA%86%E6%AF%94%E8%BE%83%E5%A5%BD%E7%9A%84%E8%A7%A3%E9%87%8A%E3%80%82%0A%E6%80%BB%E7%BB%93%E4%B8%80%E4%B8%8B%E5%B0%B1%E6%98%AF%EF%BC%8CLinux%20kernel%E5%9C%A8init%E8%BF%9B%E7%A8%8B%E5%8A%A0%E8%BD%BDpolicy%E4%B9%8B%E5%89%8D%EF%BC%8C%E4%B9%9F%E9%9C%80%E8%A6%81%E4%B8%80%E4%BA%9B%E5%9F%BA%E6%9C%AC%E7%9A%84%E6%A0%87%E7%AD%BE%EF%BC%8C%E8%80%8C%E8%BF%99%E4%BA%9B%E6%A0%87%E7%AD%BE%E4%B9%9F%E5%B0%B1%E6%98%AF%E6%89%80%E8%B0%93%E7%9A%84sid%EF%BC%88secure%20ID%EF%BC%89%E3%80%82%E6%AF%8F%E4%B8%AAsid%E5%AF%B9%E5%BA%94%E4%B8%80%E4%B8%AAsid_context%E3%80%82%E8%BF%99%E4%BA%9B%E9%83%BD%E6%98%AF%E5%9B%BA%E5%8C%96%E5%9C%A8%E5%86%85%E6%A0%B8%E9%87%8C%E7%9A%84%E3%80%82%E5%9C%A8init%E5%8A%A0%E8%BD%BD%E4%BB%A5%E5%90%8E%EF%BC%8C%E6%89%80%E6%9C%89sid%E5%AF%B9%E5%BA%94%E7%9A%84%E6%A0%87%E7%AD%BE%E9%83%BD%E4%BC%9A%E8%A2%AB%E8%BD%AC%E6%8D%A2%E5%88%B0%E6%AD%A3%E5%B8%B8%E7%9A%84%E8%AE%BE%E7%BD%AE%E3%80%82%0A%0A%23%23%23%20%E7%AD%96%E7%95%A5%2F%E6%A0%87%E7%AD%BE%E6%96%87%E4%BB%B6%E4%BB%8E%E5%93%AA%E6%9D%A5%3F%0A%E5%85%88%E7%9C%8B%E5%AE%9E%E4%BE%8B%EF%BC%8CAndroid%E7%9A%84%E7%AD%96%E7%95%A5%E6%96%87%E4%BB%B6%E7%9A%84%E4%BD%8D%E7%BD%AE%E5%9C%A8%0AAndroid%E7%B3%BB%E7%BB%9F%E7%AD%96%E7%95%A5%E6%96%87%E4%BB%B6(.te)%E4%BD%8D%E7%BD%AE%E5%9C%A8%60system%2Fsepolicy%60%2C%60device%2F%3Cmanufacturer%3E%2F%3Cdevice-name%3E%2Fsepolicy%60%0A!%5B87292b4c69317c24eb8af5269259a41b.png%5D(evernotecid%3A%2F%2F22617523-9521-4D00-B771-5F27B85F00EB%2Fappyinxiangcom%2F161681%2FENResource%2Fp6234)%0A%E8%BF%99%E4%BA%9B.te%E6%96%87%E4%BB%B6%E9%80%9A%E9%80%9A%E9%83%BD%E6%98%AF%E7%AD%96%E7%95%A5%E6%96%87%E4%BB%B6%EF%BC%8C%E8%80%8C%E4%B8%94%E9%80%9A%E9%80%9A%E9%83%BD%E6%98%AF%E6%89%8B%E5%8A%A8%E7%A0%81%E5%87%BA%E6%9D%A5%E7%9A%84%E5%93%A6%E3%80%82%E5%92%8C%E5%86%99%E4%BB%A3%E7%A0%81%E4%B8%80%E6%A0%B7%E3%80%82%E4%B8%8B%E5%9B%BE%E6%98%AF%E7%BC%96%E8%AF%91%E5%AE%89%E5%8D%93%E7%AD%96%E7%95%A5%E6%96%87%E4%BB%B6%E7%9A%84%E6%B5%81%E7%A8%8B%E3%80%82%0Afile_contexts%E5%9C%A8%60%2Fsystem%2Fsepolicy%2Fprebuilts%2Fapi%2F28.0%2Fprivate%2Ffile_contexts%60%2C%E7%9E%84%E4%B8%80%E7%9C%BC%2C%20%E9%9A%8F%E4%BE%BF%E6%88%AA%E4%BA%86%E4%B8%80%E5%B0%8F%E6%AE%B5%EF%BC%8C%E6%98%AF%E4%B8%8D%E6%98%AF%E5%BE%88%E5%A4%8D%E6%9D%82%EF%BC%9A%0A%60%60%60bash%0A%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%0A%23%20Default%20HALs%0A%23%0A%2F(vendor%7Csystem%2Fvendor)%2Fbin%2Fhw%2Fandroid%5C.hardware%5C.audio%402%5C.0-service%20%20%20%20%20%20%20%20%20%20u%3Aobject_r%3Ahal_audio_default_exec%3As0%0A%2F(vendor%7Csystem%2Fvendor)%2Fbin%2Fhw%2Fandroid%5C.hardware%5C.automotive%5C.audiocontrol%401%5C.0-service%20%20u%3Aobject_r%3Ahal_audiocontrol_default_exec%3As0%0A%2F(vendor%7Csystem%2Fvendor)%2Fbin%2Fhw%2Fandroid%5C.hardware%5C.automotive%5C.evs%401%5C.0-service%20%20u%3Aobject_r%3Ahal_evs_default_exec%3As0%0A%2F(vendor%7Csystem%2Fvendor)%2Fbin%2Fhw%2Fandroid%5C.hardware%5C.automotive%5C.vehicle%402%5C.0-service%20%20u%3Aobject_r%3Ahal_vehicle_default_exec%3As0%0A%2F(vendor%7Csystem%2Fvendor)%2Fbin%2Fhw%2Fandroid%5C.hardware%5C.bluetooth%401%5C.0-service%20%20%20%20%20%20u%3Aobject_r%3Ahal_bluetooth_default_exec%3As0%0A%60%60%60%0A%E6%97%A2%E7%84%B6%E5%92%8C%E5%86%99%E4%BB%A3%E7%A0%81%E4%B8%80%E6%A0%B7%EF%BC%8C%E9%82%A3%E5%B0%B1%E4%B9%9F%E6%9C%89%E5%BC%80%E5%8F%91%E7%8E%AF%E5%A2%83%E4%BA%86%EF%BC%8C%E5%8F%82%E8%80%83%5B2%5D%E7%9A%847.6%E4%B8%80%E8%8A%82%E3%80%82%E5%9C%A8%E6%AD%A4%E4%B8%8D%E5%81%9A%E6%B7%B1%E7%A9%B6%E3%80%82%0A%E5%AE%89%E5%8D%93%E4%B8%8A%E7%BC%96%E8%AF%91%E7%AD%96%E7%95%A5%E6%96%87%E4%BB%B6%E7%9A%84%E6%B5%81%E7%A8%8B%E5%A6%82%E4%B8%8B%E5%9B%BE%EF%BC%9A%0A!%5B60b0f175f725e78e2472b2571d499c1f.gif%5D(evernotecid%3A%2F%2F22617523-9521-4D00-B771-5F27B85F00EB%2Fappyinxiangcom%2F161681%2FENResource%2Fp6233)%0A%0A%23%23%20%E7%AD%96%E7%95%A5%E6%9B%B4%E6%96%B0%0A%E7%AD%96%E7%95%A5%E5%8A%A0%E8%BD%BD%E7%9A%84%E6%B5%81%E7%A8%8B%E9%80%9A%E5%B8%B8%E9%83%BD%E6%98%AF%E7%94%B11%E5%8F%B7%E8%BF%9B%E7%A8%8B%E5%AE%8C%E6%88%90%E7%9A%84%E3%80%82%E5%AE%83%E8%B4%9F%E8%B4%A3%E8%AF%BB%E5%8F%96%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6%EF%BC%8C%E5%8A%A0%E8%BD%BD%E7%BC%96%E8%AF%91%E5%90%8E%E7%9A%84%E7%AD%96%E7%95%A5%E6%96%87%E4%BB%B6%EF%BC%8C%E5%B9%B6%E4%BC%A0%E5%85%A5%E5%86%85%E6%A0%B8%E7%9A%84LSM%EF%BC%88Linux%20Secure%20Module%EF%BC%89%E6%9D%A5%E5%AE%8C%E6%88%90SELinux%E7%9A%84%E5%88%9D%E5%A7%8B%E5%8C%96%E3%80%82%E9%82%A3%E4%B9%88%E5%A6%82%E6%9E%9C%E6%88%91%E4%BB%AC%E8%A6%81%E4%BF%AE%E6%94%B9%E7%AD%96%E7%95%A5%EF%BC%88%E5%A2%9E%E5%88%A0%E6%94%B9%EF%BC%89%EF%BC%8C%E9%82%A3%E5%8A%BF%E5%BF%85%E8%A6%81%E9%87%8D%E6%96%B0%E7%BC%96%E8%AF%91%EF%BC%8C%E9%87%8D%E6%96%B0%E9%83%A8%E7%BD%B2%E3%80%82%E8%BF%99%E4%B8%80%E9%83%A8%E5%88%86%E5%8F%AF%E4%BB%A5%E5%8F%82%E8%80%83%5B3%5D%E3%80%82%E8%99%BD%E7%84%B6%E9%87%8C%E9%9D%A2%E7%9A%84%E8%BD%AF%E4%BB%B6%E7%89%88%E6%9C%AC%E6%AF%94%E8%BE%83%E6%97%A7%EF%BC%8C%E4%BD%86%E6%A0%B8%E5%BF%83%E7%9A%84%E6%80%9D%E8%B7%AF%E4%B8%8D%E5%8F%98%E3%80%82%E6%88%91%E7%90%86%E8%A7%A3%E7%9A%84%E5%A4%A7%E8%87%B4%E6%B5%81%E7%A8%8B%E5%A6%82%E4%B8%8B%EF%BC%88%E6%88%91%E8%BF%98%E6%B2%A1%E6%9C%89%E8%AF%95%E9%AA%8C%E8%BF%87%EF%BC%8C%E5%8F%AF%E4%BB%A5%E6%89%BE%E4%B8%80%E4%B8%AA%E8%99%9A%E6%8B%9F%E6%9C%BA%E8%AF%95%E8%AF%95%E7%9C%8B%EF%BC%89%EF%BC%9A%0A-%20%E7%BC%96%E8%AF%91%E7%AD%96%E7%95%A5%E6%96%87%E4%BB%B6%EF%BC%8C%E7%94%9F%E6%88%90%E4%BA%8C%E8%BF%9B%E5%88%B6%E7%9A%84%E7%AD%96%E7%95%A5%E6%96%87%E4%BB%B6policy.bin%0A-%20%E5%B0%86policy.bin%E6%94%BE%E5%85%A5%2Fetc%2F%E7%9B%AE%E5%BD%95%0A-%20%E4%BD%BF%E7%94%A8setfiles%E9%87%8D%E6%96%B0%E6%A0%87%E8%AE%B0%E6%96%87%E4%BB%B6%E7%B3%BB%E7%BB%9F%0A-%20%E4%BD%BF%E7%94%A8semanage%E5%88%9B%E5%BB%BA%E7%AE%A1%E7%90%86%E5%91%98%E8%B4%A6%E5%8F%B7%0A-%20%E9%87%8D%E5%90%AF%E7%94%9F%E6%95%88%0A%0A%E4%BB%A5%E4%B8%8A%E7%9A%84%E6%93%8D%E4%BD%9C%E9%83%BD%E8%A6%81%E7%94%B1root%E8%B4%A6%E5%8F%B7%E6%9D%A5%E5%AE%8C%E6%88%90%E3%80%82%E5%8F%AF%E8%A7%81root%E8%BF%98%E6%98%AF%E5%BE%88%E6%97%A0%E6%95%8C%E5%95%8A%E3%80%82%0A%23%23%20%E7%94%A8%E6%88%B7%E6%80%81%E5%B7%A5%E5%85%B7%E9%93%BE%0A%E5%BC%95%E7%94%A8%5B4%5D%E4%B8%AD%E7%9A%84%E6%96%87%E5%AD%97%EF%BC%9A%0A%3EThe%20policycoreutils%20package%20installs%20the%20following%20utilities%3A%0A%3E%0A%3E-%20fixfiles%3A%20Fixes%20the%20security%20context%20on%20file%20systems%0A%3E-%20load_policy%3A%20Loads%20a%20new%20SELinux%20policy%20into%20the%20kernel%0A%3E-%20restorecon%3A%20Resets%20the%20security%20context%20on%20one%20or%20more%20files%0A%3E-%20setfiles%3A%20Initializes%20the%20security%20context%20on%20one%20or%20more%20files%0A%3E-%20secon%3A%20Displays%20the%20SELinux%20context%20from%20a%20file%2C%20program%2C%20or%20user%20input%0A%3E-%20semodule_package%3A%20Creates%20an%20SELinux%20policy%20module%20package%0A%3E-%20restorecond%3A%20Is%20a%20daemon%20that%20watches%20for%20file%20creation%20and%20sets%20the%20default%20file%20context%0A%3E-%20semodule%3A%20Manages%20SELinux%20policy%20modules%0A%3E-%20sestatus%3A%20Displays%20SELinux%20status%0A%3E-%20setsebool%3A%20Sets%20SELinux%20Boolean%20value%0A%0A%E6%88%91%E6%89%80%E7%94%A8%E8%BF%87%E7%9A%84%EF%BC%9A%0A-%20checkpolicy%3A%20%E7%BC%96%E8%AF%91%E7%AD%96%E7%95%A5%E6%96%87%E4%BB%B6(.te)%0A-%20setfiles%3A%20%E7%BB%99%E6%96%87%E4%BB%B6%E7%B3%BB%E7%BB%9F%E6%89%93%E6%A0%87%E7%AD%BE%0A-%20semanage%3A%20%E7%AE%A1%E7%90%86SELinux%E4%B8%8B%E7%9A%84%E7%94%A8%E6%88%B7%E7%B3%BB%E7%BB%9F%0A%0A%23%23%20%E5%8F%82%E8%80%83%E6%96%87%E7%8C%AE%0A1.%20%5BGentoo%20Linux%20-%20SELinux%2FTutorials%2FHow%20does%20a%20process%20get%20into%20a%20certain%20context%5D(https%3A%2F%2Fwiki.gentoo.org%2Fwiki%2FSELinux%2FTutorials%2FHow_does_a_process_get_into_a_certain_context)%0A2.%20%5BSELinux%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0%5D(https%3A%2F%2Fm.open-open.com%2Fpdf%2Fe88821debd374d1cab7b4f54ae14161e.html)%0A3.%20%5B%E4%BB%8E%E5%A4%B4%E5%BC%80%E5%A7%8B%E7%94%9F%E6%88%90%20SELinux%5D(https%3A%2F%2Fwww.ibm.com%2Fdeveloperworks%2Fcn%2Flinux%2Fl-selinux.html)%0A4.%20%5BList%20of%20SELinux%20Utilities%5D(https%3A%2F%2Fwww.thegeekdiary.com%2Flist-of-selinux-utilities%2F)%0A5.%20%5BInitial%20Security%20Identifiers%5D(https%3A%2F%2Fflylib.com%2Fbooks%2Fen%2F2.803.1.79%2F1%2F)%0A%0A