An In-Depth Look at the Three SELinux Policy Types
SELinux is a mandatory access control (MAC) security mechanism that hardens the Linux operating system beyond its ordinary discretionary file permissions. SELinux policies are commonly grouped into three types: the targeted policy, the multi-level policies (MLS/MCS), and custom policy modules. Each plays a distinct role in the SELinux security model, and the sections below describe them with concrete code examples.
Targeted Policy
The targeted policy is the policy type most commonly used with SELinux and the default on Fedora, RHEL and their derivatives. It confines only selected processes, mainly network-facing services such as httpd, sshd or named, each in its own domain; every other process, including users' login shells by default, runs in the unconfined domain (unconfined_t) and is limited only by ordinary DAC permissions. Access decisions are made between the domain of the process and the type of the file or resource it touches. Users can be confined as well: mapping a Linux login to a confined SELinux user (for example staff_u or user_u) decides which roles and domains that login may enter, and therefore what it can access.
The following example shows how the targeted policy limits a user's access to a file (the commands require root and the policycoreutils tools):
# Create a test file
touch testfile.txt
# Give it the label an administrator's home file carries; only domains with an
# allow rule for admin_home_t will be able to read it
chcon system_u:object_r:admin_home_t:s0 testfile.txt
# Create a Linux user
useradd testuser
# Define a confined SELinux user that may enter the staff_r (and system_r) roles ...
semanage user -a -R "staff_r system_r" testuser_u
# ... and map the Linux login to it; without this mapping the login would land
# in the default unconfined_u
semanage login -a -s testuser_u testuser
semanage login -l
# Log in as testuser (console or ssh) so that pam_selinux applies the mapping;
# a plain su keeps the caller's SELinux context. Then check the context and read:
id -Z
cat testfile.txt
The read succeeds only if the loaded policy contains an allow rule from the login's domain to admin_home_t and DAC permits it; otherwise the denial is recorded as an AVC message, which ausearch -m AVC -ts recent shows.
Multi-Level Policy (MLS/MCS Policy)
MLS (Multi-Level Security) and MCS (Multi-Category Security) add a stricter, finer-grained layer on top of type enforcement. Every process and file carries a level made of a sensitivity and an optional set of categories, written for example as s0:c0,c1. The policy's MLS constraints then allow a process to read an object only if the process's level dominates the object's level, that is, its sensitivity is at least as high and its categories are a superset of the object's. MCS is the simplified form shipped with the targeted policy on current distributions: every level has sensitivity s0, so isolation comes entirely from the category sets. Full MLS, with several sensitivities, is a separate policy (selinux-policy-mls) used on hardened systems.
The following example shows how to set a file's MLS/MCS level:
# Create a test file
touch testfile.txt
# Set its level. chcon writes a complete, policy-validated context; writing a
# bare level such as "s0:c0,c1" into the security.selinux xattr with setfattr
# is rejected by the kernel as an invalid context
chcon -l s0:c0,c1 testfile.txt
# Show the resulting label (the level is the last field of the context)
ls -Z testfile.txt
getfattr -n security.selinux testfile.txt
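To make the dominance rule concrete, here is an added example (not code from the original article) that implements the level comparison SELinux applies to strings like s0:c0,c1 and runs it over a few constructed subject/object pairs. It handles the level syntax sN[:cA,cB,cX.cY,...] where cX.cY is an inclusive category range; the function names are this example's own.

```shell
#!/bin/sh
# Added example: the dominance rule behind SELinux MLS/MCS read constraints.
# A subject may read an object only when the subject's level dominates the
# object's level: sensitivity greater or equal AND categories a superset.

# sens_of "s2:c1" -> 2
sens_of() {
    s=${1%%:*}
    echo "${s#s}"
}

# cats_of "s0:c0,c2.c4" -> "0 2 3 4"  (ranges expanded; runs in a subshell so
# the changed IFS does not leak)
cats_of() (
    case $1 in
        *:*) list=${1#*:} ;;
        *)   list="" ;;
    esac
    out=""
    IFS=','
    for item in $list; do
        case $item in
            c*.c*)
                lo=${item%%.*}; lo=${lo#c}
                hi=${item##*.}; hi=${hi#c}
                i=$lo
                while [ "$i" -le "$hi" ]; do
                    out="$out $i"
                    i=$((i + 1))
                done ;;
            c*) out="$out ${item#c}" ;;
        esac
    done
    echo "${out# }"
)

# mls_dominates HIGH LOW: exit 0 if HIGH dominates LOW, 1 otherwise.
mls_dominates() {
    [ "$(sens_of "$1")" -ge "$(sens_of "$2")" ] || return 1
    high_cats=" $(cats_of "$1") "
    for c in $(cats_of "$2"); do
        case $high_cats in
            *" $c "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# read_allowed SUBJECT OBJECT: the "read down" check (the mlsconstrain on read).
read_allowed() { mls_dominates "$1" "$2"; }

# Constructed pairs. Under MCS every level is s0, so the decision rests on
# categories alone: a process at s0:c0 cannot read a file labelled s0:c0,c1.
demo() {
    for pair in "s0:c0,c1 s0:c0" "s0:c0 s0:c0,c1" "s1:c0.c3 s0:c2" "s0 s0:c5"; do
        set -- $pair
        if read_allowed "$1" "$2"; then verdict=allowed; else verdict=denied; fi
        printf 'subject %-10s object %-10s read %s\n' "$1" "$2" "$verdict"
    done
}
demo
```

Write is handled differently by the two policies: the MLS reference policy requires equal levels for a file write unless the domain carries an override attribute, while MCS applies the same dominance test to writes that it applies to reads.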
Custom Policy
A custom policy is policy written for a specific need that the distribution's policy does not cover, for example a locally developed service that needs its own domain, or an extra allow rule for an existing domain. It is written as a policy module (a .te type-enforcement source, optionally with .fc file contexts and .if interfaces), compiled into a .pp package and loaded with semodule, which adjusts the default behaviour of SELinux without replacing the base policy.
The following C program, linked against libselinux, shows how to ask the loaded policy, custom modules included, whether a given access is permitted; it is the check to run before and after installing a module to confirm that the module has the intended effect:
/* Build with: gcc -o avcheck avcheck.c -lselinux  (package libselinux-devel) */
#include <stdio.h>
#include <selinux/selinux.h>

int main(void)
{
    char *scontext = NULL;          /* context of this process (the subject) */
    char *tcontext = NULL;          /* context of the target file */
    struct av_decision avd;
    security_class_t tclass;
    access_vector_t read_av;

    if (getcon(&scontext) < 0) {
        perror("getcon");
        return 1;
    }
    if (getfilecon("/etc/passwd", &tcontext) < 0) {
        perror("getfilecon");
        freecon(scontext);
        return 1;
    }

    /* Map the class and permission names to the values the loaded policy uses */
    tclass = string_to_security_class("file");
    read_av = string_to_av_perm(tclass, "read");
    if (tclass == 0 || read_av == 0) {
        fprintf(stderr, "loaded policy does not define file:read\n");
        freecon(scontext);
        freecon(tcontext);
        return 1;
    }

    /* Ask the kernel security server for its decision; no file access is performed */
    if (security_compute_av(scontext, tcontext, tclass, read_av, &avd) < 0) {
        perror("security_compute_av");
        freecon(scontext);
        freecon(tcontext);
        return 1;
    }

    printf("Source context: %s\n", scontext);
    printf("Target context: %s\n", tcontext);
    printf("file:read %s by the loaded policy\n",
           (avd.allowed & read_av) ? "allowed" : "denied");

    freecon(scontext);
    freecon(tcontext);
    return 0;
}
The result is the policy's decision, not what would happen at run time: in permissive mode (getenforce prints Permissive) a denied access is still carried out and only logged.
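What a custom module itself looks like, and how it is built and loaded, is shown by the following added example (not code from the original article or from any distribution's policy). It uses the reference-policy development Makefile (package selinux-policy-devel on Fedora/RHEL); the module name myapp_read_conf, the type myapp_conf_t and the path /etc/myapp are hypothetical names chosen for the example.

```shell
#!/bin/sh
# Added example: a minimal custom SELinux policy module that lets httpd_t read
# configuration files of a hypothetical application labelled myapp_conf_t.

# Type-enforcement source (.te) for the module, written to stdout.
myapp_te() {
    cat <<'EOF'
policy_module(myapp_read_conf, 1.0)

# A new type for the application's configuration files. files_type() attaches
# the attributes that generic file-handling rules in the base policy expect.
type myapp_conf_t;
files_type(myapp_conf_t)

# Types the module uses but does not define must be declared in a require block.
require {
    type httpd_t;
}

# Grant exactly the permissions the access needs, nothing broader.
allow httpd_t myapp_conf_t:file { getattr open read };
EOF
}

# File-context pattern (.fc) so that restorecon labels the path consistently.
myapp_fc() {
    printf '%s\n' '/etc/myapp(/.*)?    gen_context(system_u:object_r:myapp_conf_t,s0)'
}

# Number of allow rules the module grants; keeping this small is the point.
myapp_rule_count() {
    myapp_te | grep -c '^allow '
}

# Write the sources, compile them to a .pp package, install it and verify the
# rule in the loaded policy. Runs in a subshell so the cd does not leak.
# Returns 2 when the policy toolchain is absent, so it is safe on any host.
myapp_install() (
    workdir=${1:-/tmp/myapp_policy}
    mkdir -p "$workdir" && cd "$workdir" || return 1
    myapp_te > myapp_read_conf.te
    myapp_fc > myapp_read_conf.fc
    [ -f /usr/share/selinux/devel/Makefile ] || return 2
    make -f /usr/share/selinux/devel/Makefile myapp_read_conf.pp || return 1
    semodule -i myapp_read_conf.pp || return 1
    # Relabel the path and confirm the allow rule is now part of the loaded policy.
    restorecon -Rv /etc/myapp
    sesearch --allow -s httpd_t -t myapp_conf_t -c file -p read
)

# Show the generated sources; run myapp_install as root on an SELinux host.
myapp_te
myapp_fc
```

In practice most custom modules start from an AVC denial: audit2allow -a -M name turns the recorded denials into a module of this shape. Review every rule it proposes before semodule -i, because it grants exactly what was denied, including accesses that indicate a compromise or misconfiguration, and check first whether an existing boolean (getsebool -a, semanage boolean -l) already covers the case. semodule -l lists the installed modules and semodule -r name removes one.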
The targeted, MLS/MCS and custom policy types covered above, together with their examples, show how the SELinux security mechanism is layered: type enforcement confines selected services, levels and categories add finer separation, and modules adapt the policy to local needs. Knowing which type is in effect on a system, and how to inspect and extend it, makes SELinux far easier to apply as a real security control.