A Closer Look at SELinux's Three Policy Categories

SELinux is a mandatory access control (MAC) mechanism that strengthens the security of the Linux operating system. This article groups SELinux policy into three categories: the targeted policy, the MLS/MCS policy, and custom policy. Strictly speaking these are not three parallel policy types: the base policy a system boots with is chosen by SELINUXTYPE in /etc/selinux/config (targeted, minimum or mls on Fedora and RHEL), MCS is a feature built into the targeted policy, and custom policy consists of modules loaded on top of whichever base is active. Each of the three nevertheless plays a distinct role in how SELinux enforces security, and the sections below introduce them with concrete commands and code.

Targeted Policy

The targeted policy is the default on Fedora, RHEL and their derivatives and is by far the most widely deployed. It does not try to confine everything: a selected set of processes, mainly network-facing daemons and system services, run in dedicated domains (httpd_t, sshd_t and so on) whose permissions are spelled out by type-enforcement rules, while every process that has no targeted domain runs as unconfined_t, which the policy deliberately leaves almost unrestricted. Logins are unconfined by default as well, but a Linux account can be mapped to a confined SELinux user such as user_u or staff_u, after which the roles and domains available to that login (user_r/user_t, staff_r/staff_t) limit what it may do. Access is decided by the rules between the process's domain and the object's type, not by the Linux user name.

The following example, run as root on a targeted-policy system, puts a user under a confined SELinux user and then checks whether that login may read a file whose type it is not normally granted:

# Create a test file in /tmp so that any login can reach the directory
touch /tmp/testfile.txt

# Label it as a root home-directory file (admin_home_t) and verify the label
chcon system_u:object_r:admin_home_t:s0 /tmp/testfile.txt
ls -Z /tmp/testfile.txt

# Create a Linux user
useradd testuser

# Map the Linux account to the confined SELinux user user_u.
# semanage login maps Linux users to SELinux users; semanage user defines
# SELinux users and their roles (for example staff_u with staff_r).
semanage login -a -s user_u testuser
semanage login -l | grep testuser

# Ask the loaded policy whether user_u's domain user_t may read admin_home_t
# files (no output means there is no allow rule)
sesearch -A -s user_t -t admin_home_t -c file -p read

# Log in as testuser to obtain the mapped context. su keeps the caller's
# SELinux context, so use a fresh login (ssh or a console) instead.
ssh testuser@localhost
id -Z          # expected: user_u:user_r:user_t:s0

# Attempt to read the file
cat /tmp/testfile.txt

# Back as root: if the read was denied, the AVC record names the domain,
# the file type and the permission that was refused
ausearch -m AVC -ts recent


MLS/MCS Policy

The MLS policy (selinux-policy-mls, selected with SELINUXTYPE=mls) is a stricter base policy that adds Bell-LaPadula style labels on top of type enforcement. Every process and object carries a level made of a sensitivity (s0 to s15) and a set of categories (c0 to c1023), and a process may read an object only if its level dominates the object's level, that is, its sensitivity is at least as high and its category set includes all of the object's categories; writes are constrained separately so that data cannot flow to a lower level. MCS (Multi-Category Security) keeps only the category part with the single sensitivity s0 and is built into the targeted policy, where it separates instances of the same domain from one another: container runtimes and libvirt's sVirt give each container or virtual machine its own pair of categories. In the targeted policy these category checks apply only to domains marked with the mcs_constrained_type attribute (container_t among them); an ordinary shell is not subject to them.

The following example sets only the MLS/MCS level of a file's context. The security.selinux attribute must always hold a full context, so a bare level such as s0:c0,c1 written with setfattr is rejected by the kernel as invalid; chcon -l (--range) changes just the level part:

# Create a test file
touch testfile.txt

# Set only the level part of the context to s0:c0,c1 (chcon -l / --range).
# Writing the xattr directly requires the FULL context, for example
#   setfattr -n security.selinux -v "unconfined_u:object_r:user_tmp_t:s0:c0,c1" testfile.txt
# A bare level is rejected as an invalid context.
chcon -l s0:c0,c1 testfile.txt

# Check the level: ls -Z shows the context, getfattr shows the raw attribute
ls -Z testfile.txt
getfattr -n security.selinux testfile.txt

# Confirm which base policy is loaded and the range the current login may use
sestatus | grep 'Loaded policy name'
id -Z
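The dominance rule described above can be made concrete. The script below is an added example, not code from the original article or from the SELinux project: it re-implements in plain shell the comparison the kernel performs for read access (the subject's high level must dominate the object's level: sensitivity greater than or equal, categories a superset) and applies it to constructed contexts, including the s0:c0,c1 label from the example above. The kernel applies this rule to every domain under the MLS policy; under the targeted policy it applies it only to domains carrying the mcs_constrained_type attribute, such as container_t, so the user_t shell below would only be refused on an MLS system.

```shell
#!/bin/sh
# Added example: a shell model of the MLS/MCS dominance check for read access.
# All contexts below are constructed for illustration.

# Expand a category spec such as "c0.c3,c5" into " 0 1 2 3 5 " (space-padded
# so that membership can be tested with a case pattern).
expand_cats() {
    spec=$1
    out=" "
    oldifs=$IFS
    IFS=','
    for part in $spec; do
        case $part in
            "") ;;
            *.*)
                lo=${part%%.*}; hi=${part##*.}
                lo=${lo#c};     hi=${hi#c}
                i=$lo
                while [ "$i" -le "$hi" ]; do
                    out="$out$i "
                    i=$((i + 1))
                done
                ;;
            *)
                out="$out${part#c} "
                ;;
        esac
    done
    IFS=$oldifs
    printf '%s' "$out"
}

# level_dominates HIGH LOW: succeed if level HIGH dominates level LOW.
# A level is "sN" or "sN:cats"; a range such as "s0-s0:c0.c1023" is reduced
# to its high end, which is what the kernel compares for read (h1 dom h2).
level_dominates() {
    high=${1##*-}
    low=${2##*-}
    hsens=${high%%:*}; lsens=${low%%:*}
    if [ "${hsens#s}" -lt "${lsens#s}" ]; then
        return 1
    fi
    case $high in *:*) hc=$(expand_cats "${high#*:}") ;; *) hc=" " ;; esac
    case $low  in *:*) lc=$(expand_cats "${low#*:}")  ;; *) lc=" " ;; esac
    for c in $lc; do
        case $hc in
            *" $c "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# mcs_can_read SUBJECT_CONTEXT OBJECT_CONTEXT: take the level (everything
# after the third colon) of each full context and apply the dominance rule.
mcs_can_read() {
    subj=${1#*:*:*:}
    obj=${2#*:*:*:}
    level_dominates "$subj" "$obj"
}

# Constructed contexts: the file labelled as in the article, a login shell at
# plain s0, two containers with different category pairs, and an admin whose
# range covers every category.
FILE_CTX="unconfined_u:object_r:user_tmp_t:s0:c0,c1"
USER_SHELL="user_u:user_r:user_t:s0"
CONTAINER="system_u:system_r:container_t:s0:c0,c1"
OTHER_CONTAINER="system_u:system_r:container_t:s0:c2,c3"
ADMIN="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"

for ctx in "$USER_SHELL" "$CONTAINER" "$OTHER_CONTAINER" "$ADMIN"; do
    if mcs_can_read "$ctx" "$FILE_CTX"; then verdict=allowed; else verdict=denied; fi
    printf '%-58s read %-10s %s\n' "$ctx" "${FILE_CTX#*:*:*:}" "$verdict"
done
```

Running the script prints one verdict per subject: the plain s0 shell and the container at s0:c2,c3 are denied, the container at s0:c0,c1 and the admin range are allowed. The range notation it parses (c0.c1023, c0,c1) is the same one ls -Z and id -Z display.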


Custom Policy

A custom policy is one written for a specific requirement, to obtain controls the shipped policy does not provide. It takes the form of policy modules: a .te file with type declarations and allow rules (and, in reference-policy style, calls to interfaces exported by the base policy), usually with an .fc file that maps filesystem paths to those types and optionally an .if file exposing interfaces to other modules. The module is compiled into a .pp package and loaded with semodule on top of the active base policy, which is how SELinux's default behaviour is tailored to a site's security needs without editing the base policy itself.
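What a custom policy module looks like in practice, as an added example that is not code from the original article or from any existing project: a reference-policy style module for a hypothetical service called mydaemon. The type names, the paths under /opt/mydaemon, /etc/mydaemon and /run/mydaemon, and the use of the http port are all assumptions chosen for illustration. The function that writes the module sources runs anywhere; the one that builds and loads it needs root and the selinux-policy-devel package.

```shell
#!/bin/sh
# Added example: a minimal custom policy module for a hypothetical "mydaemon"
# service. Type names, paths and the port are assumptions for illustration.

# Write mydaemon.te (rules) and mydaemon.fc (file contexts) into DIR.
write_mydaemon_module() {
    dir=$1
    cat > "$dir/mydaemon.te" <<'EOF'
policy_module(mydaemon, 1.0.0)

# A private domain for the daemon, entered when init runs mydaemon_exec_t
type mydaemon_t;
type mydaemon_exec_t;
init_daemon_domain(mydaemon_t, mydaemon_exec_t)

# Its own types for configuration and PID files
type mydaemon_conf_t;
files_type(mydaemon_conf_t)
type mydaemon_var_run_t;
files_pid_file(mydaemon_var_run_t)

# Least privilege: only the accesses the daemon actually needs
allow mydaemon_t self:tcp_socket create_stream_socket_perms;
allow mydaemon_t mydaemon_conf_t:dir list_dir_perms;
allow mydaemon_t mydaemon_conf_t:file read_file_perms;
manage_files_pattern(mydaemon_t, mydaemon_var_run_t, mydaemon_var_run_t)
files_pid_filetrans(mydaemon_t, mydaemon_var_run_t, file)

corenet_tcp_bind_generic_node(mydaemon_t)
corenet_tcp_bind_http_port(mydaemon_t)
logging_send_syslog_msg(mydaemon_t)
miscfiles_read_localization(mydaemon_t)
EOF
    cat > "$dir/mydaemon.fc" <<'EOF'
/opt/mydaemon/bin/mydaemon  --  gen_context(system_u:object_r:mydaemon_exec_t,s0)
/etc/mydaemon(/.*)?             gen_context(system_u:object_r:mydaemon_conf_t,s0)
/run/mydaemon(/.*)?             gen_context(system_u:object_r:mydaemon_var_run_t,s0)
EOF
}

# Compile with the reference-policy Makefile (checkmodule alone cannot expand
# the policy_module/interface macros), load the .pp, relabel, and verify.
build_and_load_mydaemon() {
    dir=$1
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile mydaemon.pp ) || return 1
    semodule -i "$dir/mydaemon.pp" || return 1
    semodule -l | grep -q '^mydaemon' || return 1
    restorecon -Rv /opt/mydaemon /etc/mydaemon /run/mydaemon 2>/dev/null
    # Show the resulting allow rules for the daemon's configuration files
    sesearch -A -s mydaemon_t -t mydaemon_conf_t -c file
    # Once the service runs, any access the module forgot shows up as an AVC
    # denial. audit2allow -a -M mydaemon_extra drafts a rule from it; review
    # that rule and fold it into mydaemon.te rather than loading it blindly.
    ausearch -m AVC -ts recent 2>/dev/null | grep mydaemon_t || true
}

# Usage (as root): sh thisfile.sh install
if [ "${1:-}" = "install" ]; then
    mkdir -p ./mydaemon-policy
    write_mydaemon_module ./mydaemon-policy
    build_and_load_mydaemon ./mydaemon-policy
fi
```

The module grants the daemon nothing beyond its own config and PID types, the http port and syslog; everything else it touches will be denied and logged, which is the feedback loop used to refine a custom module until it is complete without becoming permissive.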

The following C program is not itself a policy module: it uses the libselinux API to ask the kernel whether the calling process's context may read /etc/passwd under the loaded policy, which is a handy check after a custom module has been installed. Build it with gcc -o avcheck avcheck.c -lselinux (libselinux-devel is required):

#include <stdio.h>
#include <selinux/selinux.h>

/*
 * Query the loaded policy through libselinux: may the calling process's
 * context perform "read" on the file /etc/passwd?  This reads policy
 * decisions; it does not define or load policy.
 * Build: gcc -o avcheck avcheck.c -lselinux
 */
int main(void) {
    char *scontext = NULL;          /* source: this process's context */
    char *tcontext = NULL;          /* target: the file's context */
    security_class_t tclass;
    access_vector_t av;
    struct av_decision avd;
    int rc = 1;

    if (is_selinux_enabled() != 1) {
        fprintf(stderr, "SELinux is not enabled\n");
        return 1;
    }
    if (getcon(&scontext) < 0) {
        perror("getcon");
        return 1;
    }
    if (getfilecon("/etc/passwd", &tcontext) < 0) {
        perror("getfilecon");
        goto out;
    }

    /* Map the class and permission names to the loaded policy's identifiers */
    tclass = string_to_security_class("file");
    av = string_to_av_perm(tclass, "read");
    if (tclass == 0 || av == 0) {
        fprintf(stderr, "class \"file\" or permission \"read\" unknown to the loaded policy\n");
        goto out;
    }

    /* Ask the security server for the access vector decision */
    if (security_compute_av(scontext, tcontext, tclass, av, &avd) < 0) {
        perror("security_compute_av");
        goto out;
    }

    printf("Source context: %s\n", scontext);
    printf("Target context: %s\n", tcontext);
    printf("file read: %s\n", (avd.allowed & av) ? "allowed" : "denied");
    rc = 0;

out:
    freecon(scontext);
    freecon(tcontext);   /* freecon(NULL) is safe */
    return rc;
}


The examples above have introduced SELinux's targeted policy, MLS/MCS policy and custom policy with concrete commands and code. Knowing which base policy a system runs, how levels and categories are compared, and how a module is written, loaded and checked makes it possible to apply SELinux deliberately to real systems instead of disabling it at the first denial.
