1. First switch SELinux off enforcing mode (needs a root shell, e.g. after adb root):
setenforce 0
In permissive mode every missing permission is still logged as an avc denial (the line then ends in permissive=1) but nothing is actually blocked, so one run of the program surfaces all of the denials at once instead of stopping at the first one. Remember to switch back with setenforce 1 when verifying the final policy.
2. Filter the avc denials out of the log (adb shell dmesg or adb logcat, grep for "avc: denied") and work out which permissions are missing.
3. Add the permissions to the domain's .te file
Example denial (the beginning of the line was cut off when it was copied):
override } for capability=1 scontext=u:r:tcpdump:s0 tcontext=u:r:tcpdump:s0 tclass=capability permissive=0
Rule format: allow <source type> <target type>:<tclass> { missing permissions };
The type is the third field of the context (u:r:tcpdump:s0 gives tcpdump); when scontext and tcontext are the same domain, write the target as self. For example:
allow tcpdump self:capability { net_raw setgid setuid dac_override };
Be deliberate about capabilities such as dac_override: they grant far more than the one access that was denied, so confirm the program really needs them rather than copying every denial blindly.
ioctl denials need extra care. They look like this:
avc: denied { ioctl } for path="socket:[1="sockfs" ino=193028 ioctlcmd=0x8994 scontext=u:r:tcpdump:s0 tcontext=u:r:tcpdump:s0 tclass=packet_socket permissive=0
Look up the ioctlcmd value in system/sepolicy/public/ioctl_defines to get the symbolic name (0x8994 is SIOCBONDINFOQUERY there), then first grant the ioctl permission itself and after that restrict it to the specific commands with an allowxperm rule:
allow tcpdump self:packet_socket { create bind getopt setopt map read write ioctl };
allowxperm tcpdump self:packet_socket ioctl { SIOCBONDINFOQUERY SIOCGIFINDEX SIOCGIWMODE SIOCETHTOOL SIOCGIFHWADDR SIOCGIWNAME };
Note that if no allowxperm rule exists for a source/target/class, the plain ioctl permission allows every ioctl command; the allowxperm rule is what narrows it down to the listed ones, and Android's neverallowxperm rules expect you to do so.
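As an added example (not part of the original note), the script below does by hand what the steps above describe: it reads avc denial lines, groups them by source type, target type and class, and prints the matching allow rules, with ioctl denials turned into an allow { ioctl } plus an allowxperm rule. The ioctl number-to-name table is a small assumed subset of system/sepolicy/public/ioctl_defines; unknown commands fall back to their raw hex value so nothing is silently dropped. The sample denial lines are constructed for the example.

```bash
#!/bin/bash
# Added example: generate sepolicy rules from avc denial lines.
# Real input would come from:  adb shell dmesg | grep 'avc: denied'
# The three lines below are constructed samples so the script runs offline.
SAMPLE_AVC='avc: denied { net_raw setgid setuid dac_override } for capability=1 scontext=u:r:tcpdump:s0 tcontext=u:r:tcpdump:s0 tclass=capability permissive=0
avc: denied { ioctl } for path="socket:[193028]" dev="sockfs" ino=193028 ioctlcmd=0x8994 scontext=u:r:tcpdump:s0 tcontext=u:r:tcpdump:s0 tclass=packet_socket permissive=0
avc: denied { ioctl } for path="socket:[193029]" dev="sockfs" ino=193029 ioctlcmd=0x8946 scontext=u:r:tcpdump:s0 tcontext=u:r:tcpdump:s0 tclass=packet_socket permissive=0'

# avc_to_rules: read avc lines on stdin, print allow / allowxperm rules (sorted for stable output).
avc_to_rules() {
    awk '
    # u:r:tcpdump:s0 -> tcpdump (the type is the third field of the context)
    function type_of(ctx,   a) { split(ctx, a, ":"); return a[3] }
    # symbolic ioctl name if known, otherwise keep the raw hex value
    function name_of(cmd) { return (cmd in ioctl_name) ? ioctl_name[cmd] : cmd }
    BEGIN {
        # Assumed subset of system/sepolicy/public/ioctl_defines; extend as needed.
        ioctl_name["0x8927"] = "SIOCGIFHWADDR"
        ioctl_name["0x8933"] = "SIOCGIFINDEX"
        ioctl_name["0x8946"] = "SIOCETHTOOL"
        ioctl_name["0x8994"] = "SIOCBONDINFOQUERY"
        ioctl_name["0x8b01"] = "SIOCGIWNAME"
        ioctl_name["0x8b07"] = "SIOCGIWMODE"
    }
    /avc: denied/ {
        # the denied permission list sits between the first "{" and "}"
        perms = $0
        sub(/.*denied [{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        src = ""; tgt = ""; cls = ""; cmd = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      src = type_of(substr($i, 10))
            else if ($i ~ /^tcontext=/) tgt = type_of(substr($i, 10))
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
            else if ($i ~ /^ioctlcmd=/) cmd = tolower(substr($i, 10))
        }
        if (src == "" || tgt == "" || cls == "") next
        if (tgt == src) tgt = "self"          # same domain on both sides -> self
        key = src " " tgt ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; allow[key] = allow[key] " " p[j] }
        # an ioctl denial additionally needs the command listed in an allowxperm rule
        if (cmd != "" && !((key, cmd) in xseen)) { xseen[key, cmd] = 1; xperm[key] = xperm[key] " " name_of(cmd) }
    }
    END {
        for (k in allow) print "allow " k " {" allow[k] " };"
        for (k in xperm) print "allowxperm " k " ioctl {" xperm[k] " };"
    }' | sort
}

# demo_rules: run the generator over the constructed sample denials.
demo_rules() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_rules
}

demo_rules
```

The output for the sample lines is the capability rule from the note plus allow tcpdump self:packet_socket { ioctl }; and an allowxperm rule naming SIOCBONDINFOQUERY and SIOCETHTOOL. Treat the result as a starting point, the same way you would treat audit2allow output: review each permission before adding it to the .te file, and check the policy build for neverallow violations afterwards.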