#!/bin/bash --
#
# This script checks for device nodes that are unsupported by SELinux
# Unsupported device nodes fall back to the device_t generic type identifier for content in /dev
# The script just finds all chars and blocks, then looks if any of them as associated with the device_t type identifier
# If any device node is associated with device_t sid then the script uses matchpathcon to determine if SELinux is aware of the device node
# If matchpathcon thinks the device node should be associated with the device_t type then the device node is unsupported by SELinux one way or another
#
IFS=$'\n'
recurse_char() {
for i in "$1"/*;do
if [ -d "$i" ];then
recurse_char "$i"
elif [ -c "$i" -a ! -L "$i" ]; then
echo "$(ls -alZ "$i")"
fi
done
}
recurse_block() {
for i in "$1"/*;do
if [ -d "$i" ];then
recurse_block "$i"
elif [ -b "$i" -a ! -L "$i" ]; then
echo "$(ls -alZ "$i")"
fi
done
}
for s in $(recurse_char /dev); do
if [ "$(echo $s | /usr/bin/awk -F " " '{ print $4 }' | /usr/bin/awk -F ":" '{ print $3 }')" == "device_t" ] ; then
IFS=" "
read -r bits owner group context char <<< "$s"
mpc=$(/usr/sbin/matchpathcon "$char")
if [ "$(echo $mpc | /usr/bin/awk -F " " '{ print $2 }' | /usr/bin/awk -F ":" '{ print $3 }')" == "device_t" ] ; then
echo "unsupported char device: $char"
fi
fi
done
for s in $(recurse_block /dev); do
if [ "$(echo $s | /usr/bin/awk -F " " '{ print $4 }' | /usr/bin/awk -F ":" '{ print $3 }')" == "device_t" ] ; then
IFS=" "
read -r bits owner group context block <<< "$s"
mpc=$(/usr/sbin/matchpathcon "$block")
if [ "$(echo $mpc | /usr/bin/awk -F " " '{ print $2 }' | /usr/bin/awk -F ":" '{ print $3 }')" == "device_t" ] ; then
echo "unsupported block device: $block"
fi
fi
done
exit 0;
#EOF
Linux Security Summit 2023 Videos & Slides
-
Videos and slides from the 2023 Linux Security summits may be found here:
Linux Security Summit North America (LSS-NA), May 10-12 2023, Vancouver,
Canada. ...
4 maanden geleden
Geen opmerkingen:
Een reactie posten