Update _index.en.md

Mr-Update 2023-10-23 21:55:46 +02:00 committed by GitHub
parent 40d3f4a244
commit c249a35647
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -9,7 +9,7 @@ You can run `sestatus` in the terminal to check whether SELinux is enabled.
Depending on whether it is enabled or not, you can see two different outputs as follows: Depending on whether it is enabled or not, you can see two different outputs as follows:
```bash ```sh
# Enabled # Enabled
SELinux status: enabled SELinux status: enabled
... ...
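Review bot: the fence tag is changed from `bash` to `sh`, but this block contains only `sestatus` output (`SELinux status: enabled` / `disabled` with `...` placeholders), not shell commands; a neutral tag such as `text` would describe it more accurately than either `bash` or `sh`. If `sh` is kept for consistency with the command blocks, that is fine as long as the choice is applied uniformly across the page.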
@ -19,39 +19,39 @@ SELinux status: disabled
... ...
``` ```
## Add SELinux Policies ### Add SELinux Policies
For an introduction to SELinux, please refer to [SELinux/Tutorials](https://wiki.gentoo.org/wiki/SELinux/Tutorials). For an introduction to SELinux, please refer to [SELinux/Tutorials](https://wiki.gentoo.org/wiki/SELinux/Tutorials).
Here we take Fedora 38 as an example to introduce how to add SELinux policies. Here we take Fedora 38 as an example to introduce how to add SELinux policies.
```bash ```sh
sudo dnf install selinux-policy-devel make sudo dnf install selinux-policy-devel make
``` ```
Adding SELinux policies requires determining the type of service, which is in the security context of the process. Adding SELinux policies requires determining the type of service, which is in the security context of the process.
```bash ```sh
$ ps -eZ | grep rustdesk $ ps -eZ | grep rustdesk
system_u:system_r:init_t:s0 80439 ? 00:00:02 rustdesk system_u:system_r:init_t:s0 80439 ? 00:00:02 rustdesk
``` ```
`system_u:system_r:init_t:s0` is the security context of the rustdesk process, where the third field `init_t` is the type of the process. `system_u:system_r:init_t:s0` is the security context of the RustDesk process, where the third field `init_t` is the type of the process.
There are two ways to write SELinux type rules: There are two ways to write SELinux type rules:
1. Add rules to the default `init_t`. 1. Add rules to the default `init_t`.
2. Add a new type `rustdesk_t` and add rules. 2. Add a new type `rustdesk_t` and add rules.
The first method has relatively minor modifications, but because the default `init_t` is changed, it is equivalent to adding authorization to other services using the `init_t` type. **Not recommended for use**. The first method has relatively minor modifications, but because the default `init_t` is changed, it is equivalent to adding authorization to other services using the `init_t` type. **Not recommended for use.**
The second method is to add rules from scratch. There will be many rules that need to be added, and different systems may have differences. It may be necessary to make some adjustments during actual use. The second method is to add rules from scratch. There will be many rules that need to be added, and different systems may have differences. It may be necessary to make some adjustments during actual use.
### Use The Default Type #### Use The Default Type
The default type of the RustDesk service is `init_t``, which is determined by [the context inheritance rules of SELinux](https://wiki.gentoo.org/wiki/SELinux/Tutorials/How_does_a_process_get_into_a_certain_context). The default type of the RustDesk service is `init_t`, which is determined by [the context inheritance rules of SELinux](https://wiki.gentoo.org/wiki/SELinux/Tutorials/How_does_a_process_get_into_a_certain_context).
**CAUTION**: Modifying the default type means that the policies of other services may also change. Please use this method with caution! **Caution**: Modifying the default type means that the policies of other services may also change. Please use this method with caution!
Edit the rule file rustdesk.te: Edit the rule file rustdesk.te:
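Review bot: the headings in this hunk are demoted one level (`## Add SELinux Policies` to `###`, `### Use The Default Type` to `####`), but the heading that precedes the `sestatus` paragraph at line 9 is outside the diff context, so please confirm it was demoted too; otherwise the page ends up with a `##` section followed directly by `###` subsections that were meant to be its siblings. The removal of the stray second backtick in `` `init_t`` `` and moving the period inside the bold `**Not recommended for use.**` look good.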
@ -108,15 +108,15 @@ allow init_t user_tmp_t:file map;
Run: Run:
```bash ```sh
$ checkmodule -M -m -o rustdesk.mod rustdesk.te && semodule_package -o rustdesk.pp -m rustdesk.mod && sudo semodule -i rustdesk.pp $ checkmodule -M -m -o rustdesk.mod rustdesk.te && semodule_package -o rustdesk.pp -m rustdesk.mod && sudo semodule -i rustdesk.pp
$ sudo semodule -l | grep rustdesk $ sudo semodule -l | grep rustdesk
``` ```
### Create A Type "rustdesk_t" #### Create a type `rustdesk_t`
1. Create a new directory. `mkdir rustdesk-selinux-1.0`. 1. Create a new directory: `mkdir rustdesk-selinux-1.0`.
2. Create SELinux policy files. `touch Makefile rustdesk.te rustdesk.fc rustdesk.if`. 2. Create SELinux policy files: `touch Makefile rustdesk.te rustdesk.fc rustdesk.if`.
```text ```text
. .
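Review bot: heading capitalization is now inconsistent within the same hunk set: `#### Use The Default Type` keeps title case while the new `#### Create a type `rustdesk_t`` uses sentence case, and later hunks mix `#### Iteratively Add Policies` with `##### Enable directly`. Pick one convention (sentence case reads better with inline code in headings) and apply it to all headings touched by this change.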
@ -129,15 +129,15 @@ $ sudo semodule -l | grep rustdesk
`rustdesk.te` is the main policy file. `rustdesk.te` is the main policy file.
In this example, this file mainly comes from 3 parts: In this example, this file mainly comes from 3 parts:
1. [`init.te`](https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/system/init.te) in githubs selinux-policy repository. 1. [`init.te`](https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/system/init.te) in GitHubs selinux-policy repository.
2. Audit log, `grep rustdesk /var/log/audit/audit.log | audit2allow -a -M test`. 2. Audit log, `grep rustdesk /var/log/audit/audit.log | audit2allow -a -M test`.
3. The test system's `init_t` policy, `sesearch -A | grep 'allow init_t ' | sed 's/allow init_t /allow rustdesk_t /g'`. 3. The test system's `init_t` policy, `sesearch -A | grep 'allow init_t ' | sed 's/allow init_t /allow rustdesk_t /g'`.
Some policies are duplicates and some are redundant, but this is ok since it works on rustdesk_t. Some policies are duplicates and some are redundant, but this is ok since it works on `rustdesk_t`.
The contents of each file are as follows. The contents of each file are as follows.
rustdes.te: `rustdesk.te`:
```text ```text
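Review bot: `githubs` becomes `GitHubs` but still lacks the possessive apostrophe; it should read `GitHub's selinux-policy repository`. Separately, the audit-log command `grep rustdesk /var/log/audit/audit.log | audit2allow -a -M test` is unchanged here but worth fixing while the line is being edited: `-a` tells `audit2allow` to read the audit log itself, so the piped `grep` output is ignored and the generated `test.te` contains allow rules for every denial on the system, not just RustDesk's. Dropping `-a` (`grep rustdesk /var/log/audit/audit.log | audit2allow -M test`) makes it read the filtered stream from stdin, which keeps the module from absorbing unrelated permissions.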
@ -1710,21 +1710,21 @@ allow rustdesk_t xserver_t:unix_stream_socket connectto;
``` ```
rustdesk.fc: `rustdesk.fc`:
```text ```text
/usr/bin/rustdesk -- gen_context(system_u:object_r:rustdesk_exec_t,s0) /usr/bin/rustdesk -- gen_context(system_u:object_r:rustdesk_exec_t,s0)
``` ```
rustdesk.if: `rustdesk.if`:
```text ```text
## <summary>RustDesk</summary> ## <summary>RustDesk</summary>
``` ```
Makefile: `Makefile`:
```makefile ```makefile
@ -1758,9 +1758,9 @@ install: man
``` ```
#### Enable Directly ##### Enable directly
View the security context of rustdesk before modification: View the security context of RustDesk before modification:
```sh ```sh
$ ls -lZ /usr/lib/rustdesk/rustdesk $ ls -lZ /usr/lib/rustdesk/rustdesk
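Review bot: the file context in `rustdesk.fc` labels `/usr/bin/rustdesk` as `rustdesk_exec_t`, but this section inspects `/usr/lib/rustdesk/rustdesk`. The domain transition into `rustdesk_t` only happens if the file that is actually executed carries the `rustdesk_exec_t` label, and the `--` in the fc entry matches regular files only, so a symlink at `/usr/bin/rustdesk` pointing into `/usr/lib/rustdesk/` would not cause the real binary to be labelled. Please state which path the systemd unit executes, and either add a matching fc line for `/usr/lib/rustdesk/rustdesk` or explain how the label shown by `ls -lZ` is expected to get there.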
@ -1792,11 +1792,11 @@ $ ps -eZ | grep rustdesk
system_u:system_r:rustdesk_t:s0 110565 ? 00:00:00 rustdesk system_u:system_r:rustdesk_t:s0 110565 ? 00:00:00 rustdesk
``` ```
#### Enable through rpm installation ##### Enable through rpm installation
You can use the `sepolicy generate` command: You can use the `sepolicy generate` command:
```bash ```sh
$ # install deps $ # install deps
$ sudo dnf install -y rpm rpm-build binutils $ sudo dnf install -y rpm rpm-build binutils
$ # generate $ # generate
@ -1819,9 +1819,9 @@ $ # restart the service
$ sudo systemctl restart rustdesk $ sudo systemctl restart rustdesk
``` ```
## Troubleshooting ### Troubleshooting
### Iteratively Add Policies #### Iteratively Add Policies
```sh ```sh
$ cd /tmp $ cd /tmp
@ -1831,8 +1831,9 @@ $ # merge rustdesk_tmp.te to rustdesk.te
$ make clean && make && sudo make install-policy $ make clean && make && sudo make install-policy
``` ```
## References ### References
- [SELinux/Tutorials](https://wiki.gentoo.org/wiki/SELinux/Tutorials)
- [SELinux Policy module installation](https://fedoraproject.org/wiki/SELinux/IndependentPolicy#SELinux_Policy_module_installation)
- [How to create SELinux custom policy rpm package](https://lukas-vrabec.com/index.php/2015/07/07/how-to-create-selinux-custom-policy-rpm-package/)
1. [SELinux/Tutorials](https://wiki.gentoo.org/wiki/SELinux/Tutorials)
1. [SELinux_Policy_module_installation](https://fedoraproject.org/wiki/SELinux/IndependentPolicy#SELinux_Policy_module_installation)
1. [how-to-create-selinux-custom-policy-rpm-package](https://lukas-vrabec.com/index.php/2015/07/07/how-to-create-selinux-custom-policy-rpm-package/)