SE Linux HOWTO (new), a very thorough introduction.
Getting Started with SE Linux HOWTO: the new SE Linux
Faye Coker
faye@lurking-grue.org
Last update: 06 December 2003
This document has been revised for the new SE Linux. The old "Getting Started with SE Linux HOWTO" will remain in place as a legacy document, but it is highly recommended that all new installs of SE Linux use the new SE Linux. The new SE Linux runs on 2.6.x kernels and has also been backported to 2.4.x. This document is largely a duplicate of the one for the old SE Linux, with modifications made where necessary.
This document is a general introduction to NSA Security Enhanced Linux. It is mainly focused on Debian and as such command examples given for package management are largely Debian based. This document is tailored towards people wanting to get started with SE Linux so there's no confusing advanced stuff here. See the Resources section for links to other SE Linux material.
Table of Contents
1. Introduction
1.1. Feedback
1.2. Disclaimer
1.3. New features of the new SE Linux
1.4. Policy source directory for Fedora users
2. Overview
2.1. Why SE Linux?
2.2. Terminology used
2.2.1 identity
2.2.2 domain
2.2.3 type
2.2.4 role
2.2.5 security context
2.2.6 transition
2.2.7 policy
3. Installation
3.1. Installing base packages for Debian
3.1.1 Modified Debian package management tools
3.2. Installing base packages for Fedora
3.3. Installing SE Linux related packages
3.3.1 Installing the LSM kernel image
3.3.2 Installing the selinux-policy-default package
3.3.3 Editing your /etc/fstab file and creating the /selinux mount point
3.3.4 Running make relabel
3.3.5 Editing /etc/pam.d/login and /etc/pam.d/ssh
3.3.6 Adding users
4. Logging in
4.1. Supplying a user context at login
4.2. Changing context with the newrole -r command
4.3. Running commands in the sysadm_t domain
4.4. Permissive and Enforcing mode
4.5. Comparison of running commands in different roles
5. Creating user accounts
5.1. Creating a new user
5.2. Assigning roles to users and applying the changes
5.3. Setting the default security context for users
5.4. Relabelling the user's home directory
6. Adding a new user domain
6.1. Editing the user domains file
6.2. Creating a new test user (again)
7. Explanation of log file messages
8. Resources
1. Introduction
This document was put together in response to people asking if an intro level HOWTO was available for getting started with SE Linux. It covers the more basic aspects of SE Linux such as terminology, installation and adding users in addition to a few other areas. A more advanced HOWTO-type of document will follow, including areas such as how to edit policy files (which causes a little too much information overload with users new to SE Linux and is not included here).
1.1. Feedback
Comments on this document are welcome. Please email faye@lurking-grue.org
1.2. Disclaimer
This document is a guide only. I strongly recommend you install SE Linux on a test machine before deploying on a production server.
1.3. New features of the new SE Linux
The new SE Linux has a number of new features, listed below.
/selinux filesystem
A /selinux filesystem is now included. Part of the installation process requires you to edit /etc/fstab accordingly. The /selinux filesystem is similar to /proc in that it is also a pseudo filesystem. Running ls -l /selinux shows:
total 0
-rw-rw-rw- 1 root root 0 Nov 25 11:27 access
-rw-rw-rw- 1 root root 0 Nov 25 11:27 context
-rw-rw-rw- 1 root root 0 Nov 25 11:27 create
-rw------- 1 root root 0 Nov 25 14:19 enforce
-rw------- 1 root root 0 Nov 25 11:27 load
-r--r--r-- 1 root root 0 Nov 25 11:27 policyvers
-rw-rw-rw- 1 root root 0 Nov 25 11:27 relabel
-rw-rw-rw- 1 root root 0 Nov 25 11:27 user
Running cat on the file "enforce" will show either a 1 for enforcing mode, or 0 for permissive mode. Note from the listing that enforce and load are mode 0600, so only root can read the current mode or write a new one.
Use of extended attributes
The new SE Linux uses extended attributes to store security contexts. You must build your kernel with extended attribute support. Extended attributes are a name-data tuple: for example, security.selinux is the name of an attribute and the security context is the data. You can see the security context of a file with the command ls --context filename (further explained in this document) if SE Linux is running, but if you want to see the extended attributes when SE Linux isn't (or is) running, use the
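The shell helpers below are an added example and are not code from this HOWTO. They cover the two mechanisms described in the preceding sections: reading and switching the mode through the enforce file in the pseudo filesystem, and reading the security.selinux attribute of a file and splitting the stored context into its identity, role and type fields. Two things are assumed: the pseudo filesystem is mounted at /selinux as in this document (current kernels mount it at /sys/fs/selinux, so the mount point is an argument), and the getfattr tool from the Debian attr package is installed.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: helpers for the enforce file in the
# pseudo filesystem and for the security.selinux extended attribute.
# Assumptions: the pseudo filesystem is at /selinux (pass /sys/fs/selinux on
# current kernels) and getfattr from the Debian "attr" package is installed.

# selinux_mode [mountpoint]
# Prints enforcing, permissive or not-mounted. The enforce file is mode
# 0600, so reading it needs root; that case is reported and returns 1.
selinux_mode() {
    fs="${1:-/selinux}"
    if [ ! -e "$fs/enforce" ]; then
        echo not-mounted
        return 0
    fi
    if [ ! -r "$fs/enforce" ]; then
        echo "cannot read $fs/enforce (run as root)" >&2
        return 1
    fi
    case "$(cat "$fs/enforce")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo "unexpected value in $fs/enforce" >&2; return 1 ;;
    esac
}

# selinux_setenforce 0|1 [mountpoint]
# Switches mode by writing to enforce. Only the two values the file itself
# reports are accepted, so a stray argument is never written by mistake.
selinux_setenforce() {
    mode="$1"
    fs="${2:-/selinux}"
    case "$mode" in
        0|1) ;;
        *) echo "usage: selinux_setenforce 0|1 [mountpoint]" >&2; return 2 ;;
    esac
    if [ ! -w "$fs/enforce" ]; then
        echo "cannot write $fs/enforce (not root, or SE Linux not mounted)" >&2
        return 1
    fi
    printf '%s' "$mode" > "$fs/enforce"
}

# file_context path
# Prints the context stored in the security.selinux attribute. The stored
# value may end in a NUL byte, which tr strips. Returns 1 if the attribute
# is absent (file never labelled, or filesystem without xattr support).
file_context() {
    ctx=$(getfattr --absolute-names --only-values -n security.selinux -- "$1" 2>/dev/null | tr -d '\0')
    [ -n "$ctx" ] || return 1
    printf '%s\n' "$ctx"
}

# context_field identity|role|type context
# Splits a context of the form identity:role:type into one field. Newer
# policies append an MLS range as a fourth field, which is simply ignored.
context_field() {
    case "$1" in
        identity) n=1 ;;
        role)     n=2 ;;
        type)     n=3 ;;
        *) echo "unknown field: $1" >&2; return 2 ;;
    esac
    f=$(printf '%s\n' "$2" | cut -d: -f"$n")
    [ -n "$f" ] || return 1
    printf '%s\n' "$f"
}

# check_type path expected_type
# Verifies that a file carries the expected type, for instance after
# running make relabel.
check_type() {
    ctx=$(file_context "$1") || { echo "$1: no security context" >&2; return 1; }
    t=$(context_field type "$ctx") || { echo "$1: malformed context '$ctx'" >&2; return 1; }
    if [ "$t" = "$2" ]; then
        echo "$1: $ctx (ok)"
    else
        echo "$1: $ctx (expected type $2)" >&2
        return 1
    fi
}
```

Source the file and run selinux_mode as root to see the current mode, selinux_setenforce 0 to drop to permissive mode while testing, and check_type /etc/passwd etc_t to confirm a label. Because enforce is writable only by root and selinux_setenforce refuses anything but 0 or 1, a mistyped argument cannot silently change the mode of the machine.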