Update _index.en.md

This commit is contained in:
Mr-Update 2023-10-23 21:55:46 +02:00 committed by GitHub
parent 40d3f4a244
commit c249a35647
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -9,7 +9,7 @@ You can run `sestatus` in the terminal to check whether SELinux is enabled.
Depending on whether it is enabled or not, you can see two different outputs as follows:
```bash
```sh
# Enabled
SELinux status: enabled
...
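Review bot: the fence change from ```bash to ```sh at the top of this hunk keeps a shell language tag on a block that contains only `sestatus` output (`SELinux status: enabled`, `...`), not commands; a `text` or `console` fence would describe the block accurately and avoid shell highlighting being applied to program output.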
@ -19,39 +19,39 @@ SELinux status: disabled
...
```
## Add SELinux Policies
### Add SELinux Policies
For an introduction to SELinux, please refer to [SELinux/Tutorials](https://wiki.gentoo.org/wiki/SELinux/Tutorials).
Here we take Fedora 38 as an example to introduce how to add SELinux policies.
```bash
```sh
sudo dnf install selinux-policy-devel make
```
Adding SELinux policies requires determining the type of service, which is in the security context of the process.
```bash
```sh
$ ps -eZ | grep rustdesk
system_u:system_r:init_t:s0 80439 ? 00:00:02 rustdesk
```
`system_u:system_r:init_t:s0` is the security context of the rustdesk process, where the third field `init_t` is the type of the process.
`system_u:system_r:init_t:s0` is the security context of the RustDesk process, where the third field `init_t` is the type of the process.
There are two ways to write SELinux type rules:
1. Add rules to the default `init_t`.
2. Add a new type `rustdesk_t` and add rules.
The first method has relatively minor modifications, but because the default `init_t` is changed, it is equivalent to adding authorization to other services using the `init_t` type. **Not recommended for use**.
The first method has relatively minor modifications, but because the default `init_t` is changed, it is equivalent to adding authorization to other services using the `init_t` type. **Not recommended for use.**
The second method is to add rules from scratch. There will be many rules that need to be added, and different systems may have differences. It may be necessary to make some adjustments during actual use.
### Use The Default Type
#### Use The Default Type
The default type of the RustDesk service is `init_t``, which is determined by [the context inheritance rules of SELinux](https://wiki.gentoo.org/wiki/SELinux/Tutorials/How_does_a_process_get_into_a_certain_context).
The default type of the RustDesk service is `init_t`, which is determined by [the context inheritance rules of SELinux](https://wiki.gentoo.org/wiki/SELinux/Tutorials/How_does_a_process_get_into_a_certain_context).
**CAUTION**: Modifying the default type means that the policies of other services may also change. Please use this method with caution!
**Caution**: Modifying the default type means that the policies of other services may also change. Please use this method with caution!
Edit the rule file rustdesk.te:
@ -108,15 +108,15 @@ allow init_t user_tmp_t:file map;
Run:
```bash
```sh
$ checkmodule -M -m -o rustdesk.mod rustdesk.te && semodule_package -o rustdesk.pp -m rustdesk.mod && sudo semodule -i rustdesk.pp
$ sudo semodule -l | grep rustdesk
```
### Create A Type "rustdesk_t"
#### Create a type `rustdesk_t`
1. Create a new directory. `mkdir rustdesk-selinux-1.0`.
2. Create SELinux policy files. `touch Makefile rustdesk.te rustdesk.fc rustdesk.if`.
1. Create a new directory: `mkdir rustdesk-selinux-1.0`.
2. Create SELinux policy files: `touch Makefile rustdesk.te rustdesk.fc rustdesk.if`.
```text
.
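Review bot: heading case becomes inconsistent with this hunk: `#### Create a type `rustdesk_t`` is sentence case, while `#### Use The Default Type` in the previous hunk and `#### Iteratively Add Policies` later in the diff keep Title Case; pick one convention and apply it to every heading touched by this change.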
@ -129,15 +129,15 @@ $ sudo semodule -l | grep rustdesk
`rustdesk.te` is the main policy file.
In this example, this file mainly comes from 3 parts:
1. [`init.te`](https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/system/init.te) in githubs selinux-policy repository.
1. [`init.te`](https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/system/init.te) in GitHubs selinux-policy repository.
2. Audit log, `grep rustdesk /var/log/audit/audit.log | audit2allow -a -M test`.
3. The test system's `init_t` policy, `sesearch -A | grep 'allow init_t ' | sed 's/allow init_t /allow rustdesk_t /g'`.
Some policies are duplicates and some are redundant, but this is ok since it works on rustdesk_t.
Some policies are duplicates and some are redundant, but this is ok since it works on `rustdesk_t`.
The contents of each file are as follows.
rustdes.te:
`rustdesk.te`:
```text
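Review bot: `GitHubs` on the line `1. [`init.te`](...) in GitHubs selinux-policy repository.` still lacks the possessive apostrophe and should read `GitHub's`. On the unchanged line `grep rustdesk /var/log/audit/audit.log | audit2allow -a -M test`, note that `-a` makes audit2allow read the audit log itself instead of stdin, so the `grep rustdesk` filter is bypassed and the generated module would carry allow rules for every denial recorded on the system, not only RustDesk's; dropping `-a` so that audit2allow consumes the piped, filtered input keeps the module scoped to the `rustdesk` process.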
@ -541,7 +541,7 @@ gen_require(`
###############################################################################
#
# Part 1. The following rules are mainly from the opensource `init.te`
# Part 1. The following rules are mainly from the open source `init.te`
# https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/system/init.te
#
# Note: Part 1 will probably be mostly the same as Part 3. But it's acceptable for now.
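Review bot: the wording fix in the comment is fine, but the comment `Part 1 will probably be mostly the same as Part 3` records that `rustdesk_t` starts out with the full `init_t` rule set, which reproduces most of the over-broad privilege that the earlier section marks the default-type method as **Not recommended** for; a sentence here stating that Part 1 is a starting point to be pruned against the audit-log-derived rules of Part 2 would stop readers shipping it as-is.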
@ -1710,21 +1710,21 @@ allow rustdesk_t xserver_t:unix_stream_socket connectto;
```
rustdesk.fc:
`rustdesk.fc`:
```text
/usr/bin/rustdesk -- gen_context(system_u:object_r:rustdesk_exec_t,s0)
```
rustdesk.if:
`rustdesk.if`:
```text
## <summary>RustDesk</summary>
```
Makefile:
`Makefile`:
```makefile
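Review bot: the single file-context entry in `rustdesk.fc` labels `/usr/bin/rustdesk`, yet the `ls -lZ` check in the next hunk inspects `/usr/lib/rustdesk/rustdesk`; the domain transition is decided by the label of the executable actually run, so if `/usr/bin/rustdesk` is a symlink or wrapper to that binary the `.fc` file also needs an entry for the real path, or the text should state which of the two is the executable. `rustdesk.if` holds only a `<summary>` line, so a short note that no interfaces are exported would save readers from expecting more.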
@ -1758,9 +1758,9 @@ install: man
```
#### Enable Directly
##### Enable directly
View the security context of rustdesk before modification:
View the security context of RustDesk before modification:
```sh
$ ls -lZ /usr/lib/rustdesk/rustdesk
@ -1792,11 +1792,11 @@ $ ps -eZ | grep rustdesk
system_u:system_r:rustdesk_t:s0 110565 ? 00:00:00 rustdesk
```
#### Enable through rpm installation
##### Enable through rpm installation
You can use the `sepolicy generate` command:
```bash
```sh
$ # install deps
$ sudo dnf install -y rpm rpm-build binutils
$ # generate
@ -1819,9 +1819,9 @@ $ # restart the service
$ sudo systemctl restart rustdesk
```
## Troubleshooting
### Troubleshooting
### Iteratively Add Policies
#### Iteratively Add Policies
```sh
$ cd /tmp
@ -1831,8 +1831,9 @@ $ # merge rustdesk_tmp.te to rustdesk.te
$ make clean && make && sudo make install-policy
```
## References
### References
- [SELinux/Tutorials](https://wiki.gentoo.org/wiki/SELinux/Tutorials)
- [SELinux Policy module installation](https://fedoraproject.org/wiki/SELinux/IndependentPolicy#SELinux_Policy_module_installation)
- [How to create SELinux custom policy rpm package](https://lukas-vrabec.com/index.php/2015/07/07/how-to-create-selinux-custom-policy-rpm-package/)
1. [SELinux/Tutorials](https://wiki.gentoo.org/wiki/SELinux/Tutorials)
1. [SELinux_Policy_module_installation](https://fedoraproject.org/wiki/SELinux/IndependentPolicy#SELinux_Policy_module_installation)
1. [how-to-create-selinux-custom-policy-rpm-package](https://lukas-vrabec.com/index.php/2015/07/07/how-to-create-selinux-custom-policy-rpm-package/)
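Review bot: the reference list loses readability in this hunk: the descriptive link titles `SELinux Policy module installation` and `How to create SELinux custom policy rpm package` are replaced by the URL slugs `SELinux_Policy_module_installation` and `how-to-create-selinux-custom-policy-rpm-package`; keep the human-readable titles together with the new `1.` numbering (repeating `1.` is fine, Markdown renderers renumber ordered lists).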