|
|
发表于 2005-7-16 23:51:46
|
显示全部楼层
1. Introduction
This document was put together in response to people asking if an intro level HOWTO was available for getting started with SE Linux. It covers the more basic aspects of SE Linux such as terminology, installation and adding users in addition to a few other areas. A more advanced HOWTO-type of document will follow, including areas such as how to edit policy files (which causes a little too much information overload with users new to SE Linux and is not included here).
1.1. Feedback
Comments on this document are welcome. Please email faye@lurking-grue.org
1.2. Disclaimer
This document is a guide only. I strongly recommend you install SE Linux on a test machine before deploying on a production server.
1.3. New features of the new SE Linux
The new SE Linux has a number of new features, listed below.
/selinux filesystem
A /selinux filesystem is now included. Part of the installation process requires you to edit /etc/fstab accordingly. The /selinux filesystem is similar to /proc in that it is also a pseudo filesystem. Doing a ls -l /selinux shows
total 0
-rw-rw-rw- 1 root root 0 Nov 25 11:27 access
-rw-rw-rw- 1 root root 0 Nov 25 11:27 context
-rw-rw-rw- 1 root root 0 Nov 25 11:27 create
-rw------- 1 root root 0 Nov 25 14:19 enforce
-rw------- 1 root root 0 Nov 25 11:27 load
-r--r--r-- 1 root root 0 Nov 25 11:27 policyvers
-rw-rw-rw- 1 root root 0 Nov 25 11:27 relabel
-rw-rw-rw- 1 root root 0 Nov 25 11:27 user
Running the cat command on the file "enforce" will show either a 1 for enforcing mode, or 0 for permissive mode.
Use of extended attributes
The new SE Linux uses extended attributes to store security contexts. You must build your kernel with extended attribute support. Extended attributes are a name-data tuple-- for example, security.selinux is the name of an attribute and the security context is the data. You can see the security context of a file with the command ls --context filename (further explained in this document) if SE Linux is running, but if you want to see the extended attributes when SE Linux isn't (or is) running, use the getfattr command. Note that you must first install the package attr and from there read the man page for getfattr. Running the command as follows gives
faye@kaos:~$ getfattr -m . -d /etc/passwd
getfattr: Removing leading '/' from absolute path names
# file: etc/passwd
security.selinux="system_u bject_r:etc_t\000"
The attribute security.selinux has the context which matches the file you are querying, so in the above case the context is system_ubject_r:etc_t All files on ext2 and ext3 filesystems on the new SE Linux have the attribute security.selinux (a key new feature). If you were to boot to a non SE Linux kernel, the extended attributes would still be there and you could still see them. The extended attribute is set when you run setfiles which sets the file security contexts during a make relabel operation.
Loading SE Linux policy from init
init is now responsible for mounting the /selinux filesystem, and then loads the policy after that.
SIDs and PSIDs no longer used
SIDs (Security Identifiers) were used in the old SE Linux in the interface to the kernel (from userspace). PSIDs (Persistent SIDs) were used in the kernel code for mapping files to contexts for files and directories on disk. See the NSA's document Configuring the SELinux Policy" document for more information. In the new SE Linux, the extended attributes contain the context so SIDs and PSIDs are no longer necessary.
-Z shortcut option
-Z can be used instead of typing --context after a command such as ls or ps.
No chsid command: uses chcon instead
The chsid command was used in the old SE Linux to change the context of a file. The new SE Linux uses the chcon command which changes the context of a file. chcon was available in the old SE Linux but has been improved for the new SE Linux, with options for setting the user or type. See the manpage for more details.
1.4. policy source directory for Fedora users
On Debian, the policy source directory is /etc/selinux. On Fedora it is /etc/security/selinux/src/policy. In this document I refer to the Debian policy source directory, so if you're a Fedora user, substitute /etc/selinux with /etc/security/selinux/src/policy.
1.介绍
该文档汇集了人们关于一个介绍级的HOWTO对于刚开始接触SE Linux是否有用的反应。它覆
盖了SE Linux中较为基础的方面,如术语,安装和添加用户和其他一些领域。较为高深的
HOWTO内容将在文档后面有介绍,其涉及的范围有如何去编辑文件的策略(这对于新的SE
Linux用户可能将导致一些文件信息要超载,而对这种问题的解决方法在这却是不包括的.)
1.1.反馈
对于该文档的评论我们表示欢迎。请将你的评论邮寄给我们,我们的邮箱: faye@lurking
-grue.org
1.2.权责声明
该文档这是一个向导。我们强烈推荐你在安装SE Linux时,先在别的测试机上配置好后,再
配置你的机械。
1.3.SE Linux的新特性
新版的SE Linux有如下 的新特性:
/selinux 文件系统
新版的SE Linux包含一个/selinx 文件系统,部分安装过程需要你修改/etc/fstab,因此,
/selinux 文件系统和/proc一样是假的文件系统。用 ls -l /selinux 可以要如下的结果:
total 0
-rw-rw-rw- 1 root root 0 Nov 25 11:27 access
-rw-rw-rw- 1 root root 0 Nov 25 11:27 context
-rw-rw-rw- 1 root root 0 Nov 25 11:27 create
-rw------- 1 root root 0 Nov 25 14:19 enforce
-rw------- 1 root root 0 Nov 25 11:27 load
-r--r--r-- 1 root root 0 Nov 25 11:27 policyvers
-rw-rw-rw- 1 root root 0 Nov 25 11:27 relabel
-rw-rw-rw- 1 root root 0 Nov 25 11:27 user
对于enforce文件用cat指令打开会显示" 1 for enforcing mode",或者" 0 for permissive
mode."
扩展的属性的运用
新版SE Linux采用扩展属性来存储安全的上下文。必须要构建一个支持扩展属性的内核。扩
展属性是一组命名数据元组——例如,security.selinux是一种属性的名称,而安全上下文
则是数据。如果SE Linux正在运行,你可以通过指令 ls --contect 文件名 来查看一个文
件的安全上下文(关于这方面的问题我们将会在下面的内容中介绍),假如你想在SE Linux没
有运行的时候查看文件的扩展属性,可以使用 getfattr 指令。注意的是,你必须先要安装
attr包,阅读man中有关getfattr的页。下面是运行该指令得到的结果:
faye@kaos:~$ getfattr -m . -d /etc/passwd
getfattr: Removing leading '/' from absolute path names
# file: etc/passwd
security.selinux="system_ubject_r:etc_t\000"
属性安全
SE Linux有与你所查询的文件相匹配的上下文,因此,在上面的举例中,文件的上下文是
system_ubject_r:etc_t\000 。所有的在新版SE Linux中的ext2和ext3的文件系统的文件
都有security.selinux属性(一个重要的新属性 )。如果你要引导一个非SE Linux内核,扩
展属性将依然存在,你照旧可以看到它们。当你在运行在为文件重新设定卷标的操作时设置
文件安全的指令时,上下文扩展属性被固定。
由init加载SE Linux的策略
init用于负责挂载/selinux文件系统后,加载策略。
SIDs和PSIs不再被使用
在旧版的SE Linux中,SIDs(安全标实)用于内核与用户平台的接口。PSIDs(永久的SIDs)用
于内核为磁盘文件和目录的映射到文件的上下文的加密。从NSA的配置SE Linux策略文档有
更为详尽的说明。在新版SE Linux,扩展属性包含了上下文,因此,SIDs和PSIDs就不再必
要了。
-Z 快捷选项
-Z 能被用来代替指令如ls或ps后的--context项。
chsid指令被chcon指令替代
在旧版的SE Linux中chsid指令常常用于文件上下文的修改。而载新版的SE Linux中使用
chcon指令来对文件的上下文进行修改。在旧版的SE Linux也是可用的,但是在新版的SE
Liunx中得到的加强,通过选项可以对用户和类型进行设置。详情请看相关的man页面。
1.4.Fedora用户的策略源目录
在Debian,策略源目录是/etc/selinux,而在Fedora则是
在/etc/security/selinux/src/policy。在该文档中我提及的是Debian的策略源目录,而对
于Fedora用户,则可用/etc/security/selinux/src/policy代替/etc/selinuc。 |
|
IP卡
狗仔卡
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
显身卡
楼主