1. Introduction of Selinux

Security-Enhanced Linux (SELinux) is the National Security Agency's (NSA) implementation of mandatory access control and is the most prominent new security subsystem in the history of Linux. The software architecture of SELinux is based on Flask, a flexible operating-system security architecture that was first implemented in the Fluke research operating system. Flask's main feature is that the security policy enforcement code and the security policy decision code are separated into two components. The security policy decision code is called the Security Server in the Flask architecture. In addition to these two components, a third component, the Access Vector Cache (AVC), caches policy decision results to improve the performance of the Security Server.

SELinux has three running states: disabled, permissive, and enforcing:

  • Disabled: SELinux is turned off and no new resources are labeled. If SELinux is later enabled again, all resources have to be relabeled, which is slow.

  • Permissive: If the security policy is violated, the operation is not actually denied; instead, a log message is recorded.

  • Enforcing: The default and normal operating mode of SELinux; operations that violate the policy are actually denied.

2. Set and get the SELinux flag


/* Mount point of selinuxfs (e.g. "/sys/fs/selinux"); NULL until checkSelinux()
 * has located it. The string is strdup()'d by checkSelinux(); no free is visible
 * in this file. */
static char *g_pszSelinuxFileSystemString;
/* Indirection through which every accessor below reads/writes the same slot. */
static char **g_pSelinuxFileSystemStringPointer = &g_pszSelinuxFileSystemString;
// User sets selinux flag
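/**
 * Set the SELinux enforcing flag by writing @p value to "<selinuxfs>/enforce".
 *
 * @param value  Flag to write (0 = permissive, 1 = enforcing); formatted with "%d".
 * @return 0 on success, -1 on failure with errno set: ENOENT if checkSelinux()
 *         has not located the selinuxfs mount yet, ENAMETOOLONG if the path
 *         does not fit, EIO on a partial write, otherwise the errno left by
 *         open()/write().
 */
int setSelinuxFlag(int value) {
	char fileContentBuffer[20] = {0};
	char filePath[1024] = {0};

	/* checkSelinux() must have run and found the selinuxfs mount point. */
	if (*g_pSelinuxFileSystemStringPointer == NULL) {
		errno = ENOENT;
		return -1;
	}

	int pathLength = snprintf(filePath, sizeof filePath, "%s/enforce",
	                          *g_pSelinuxFileSystemStringPointer);
	if (pathLength < 0 || (size_t)pathLength >= sizeof filePath) {
		errno = ENAMETOOLONG;
		return -1;
	}

	/* O_RDWR as before; O_CLOEXEC keeps the descriptor from leaking to children. */
	int fd = open(filePath, O_RDWR | O_CLOEXEC);
	if (fd < 0)
		return -1;

	int length = snprintf(fileContentBuffer, sizeof fileContentBuffer, "%d", value);
	if (length < 0 || (size_t)length >= sizeof fileContentBuffer) {
		close(fd);
		errno = EINVAL;
		return -1;
	}

	ssize_t written = write(fd, fileContentBuffer, (size_t)length);
	int savedErrno = errno;   /* close() may clobber errno */
	close(fd);

	if (written < 0) {
		errno = savedErrno;
		return -1;
	}
	if (written != length) {
		/* Partial write: the kernel did not consume the whole value. */
		errno = EIO;
		return -1;
	}
	return 0;
}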
// To get the selinux flag
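/**
 * Read the current SELinux enforcing flag from "<selinuxfs>/enforce".
 *
 * @return The flag value (0 = permissive, 1 = enforcing) on success, or -1 on
 *         failure with errno set: ENOENT if checkSelinux() has not located the
 *         selinuxfs mount yet, ENAMETOOLONG if the path does not fit, EINVAL
 *         if the file did not contain an integer, otherwise the errno left by
 *         open()/read().
 */
int getSelinuxFlag(void) {
	char fileContentBuffer[20] = {0};
	char filePath[1024] = {0};
	int value = 0;

	/* checkSelinux() must have run and found the selinuxfs mount point. */
	if (*g_pSelinuxFileSystemStringPointer == NULL) {
		errno = ENOENT;
		return -1;
	}

	int pathLength = snprintf(filePath, sizeof filePath, "%s/enforce",
	                          *g_pSelinuxFileSystemStringPointer);
	if (pathLength < 0 || (size_t)pathLength >= sizeof filePath) {
		errno = ENAMETOOLONG;
		return -1;
	}

	int fd = open(filePath, O_RDONLY | O_CLOEXEC);
	if (fd < 0)
		return -1;

	/* Read at most sizeof-1 bytes so a terminator always fits; retry on EINTR. */
	ssize_t readLength;
	do {
		readLength = read(fd, fileContentBuffer, sizeof fileContentBuffer - 1);
	} while (readLength < 0 && errno == EINTR);
	int savedErrno = errno;   /* close() may clobber errno */
	close(fd);

	if (readLength < 0) {
		errno = savedErrno;
		return -1;
	}
	fileContentBuffer[readLength] = '\0';

	if (sscanf(fileContentBuffer, "%d", &value) != 1) {
		errno = EINVAL;
		return -1;
	}
	return value;
}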


3. Check selinux implementation

// Detect SELinux: locate the selinuxfs mount point and cache it
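 /* Filesystem magic the kernel reports in statfs f_type for a mounted selinuxfs. */
static const unsigned long SELINUXFS_MAGIC = 0xF97CFF8CUL;

/* Returns 1 if /proc/filesystems lists selinuxfs (the running kernel supports it), else 0. */
static int selinuxfsSupported(void) {
	char fileLineBuffer[1024] = {0};
	int supported = 0;

	FILE *pFilesystems = fopen("/proc/filesystems", "r");
	if (pFilesystems == NULL)
		return 0;

	while (fgets(fileLineBuffer, sizeof fileLineBuffer, pFilesystems) != NULL) {
		if (strstr(fileLineBuffer, "selinuxfs") != NULL) {
			supported = 1;
			break;
		}
	}

	fclose(pFilesystems);
	return supported;
}

/*
 * Scan /proc/mounts for the first entry whose type is "selinuxfs" and return
 * its mount point as a strdup()'d string (caller owns it), or NULL if none.
 * Each line has the form "<device> <mountpoint> <fstype> <options> ...".
 */
static char *findSelinuxfsMount(void) {
	char fileLineBuffer[1024] = {0};
	char *mountPoint = NULL;

	FILE *pMounts = fopen("/proc/mounts", "r");
	if (pMounts == NULL)
		return NULL;

	while (fgets(fileLineBuffer, sizeof fileLineBuffer, pMounts) != NULL) {
		/* Skip the device field. */
		char *fileSystemName = strchr(fileLineBuffer, ' ');
		if (fileSystemName == NULL)
			break;   /* malformed line: give up, as the original did */
		fileSystemName++;

		char *fileSystemType = strchr(fileSystemName, ' ');
		if (fileSystemType == NULL)
			break;
		fileSystemType++;

		/* Match the whole type field, including its trailing separator. */
		if (strncmp(fileSystemType, "selinuxfs ", sizeof "selinuxfs " - 1) != 0)
			continue;

		/* Terminate the mount-point field in place before copying it. */
		*(fileSystemType - 1) = '\0';
		mountPoint = strdup(fileSystemName);
		break;
	}

	fclose(pMounts);
	return mountPoint;
}

/**
 * Locate the selinuxfs mount point and cache it in *g_pSelinuxFileSystemStringPointer.
 *
 * First tries the standard "/sys/fs/selinux" via statfs() and the selinuxfs
 * magic; if that is not a selinuxfs (including when the path does not exist),
 * falls back to /proc/filesystems + /proc/mounts. The pointer stays NULL when
 * no selinuxfs is found. Does nothing if a mount point was already cached.
 */
void checkSelinux(void) {
	if (*g_pSelinuxFileSystemStringPointer != NULL)
		return;   /* already detected */

	struct statfs statfsBuffer = {0};
	int ret;
	do {
		ret = statfs("/sys/fs/selinux", &statfsBuffer);
	} while (ret < 0 && errno == EINTR);

	/* Cast so the comparison is the same whether f_type is int or long. */
	if (ret == 0 && (unsigned long)statfsBuffer.f_type == SELINUXFS_MAGIC) {
		*g_pSelinuxFileSystemStringPointer = strdup("/sys/fs/selinux");
		return;
	}
	/* A missing /sys/fs/selinux is expected on older layouts; only log other errors,
	 * and keep going instead of aborting detection as before. */
	if (ret < 0 && errno != ENOENT)
		LOGE("statfs error:%s\n", strerror(errno));

	if (!selinuxfsSupported())
		return;

	/* Fallback: selinuxfs mounted somewhere other than /sys/fs/selinux. */
	*g_pSelinuxFileSystemStringPointer = findSelinuxfsMount();
}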