linky_fan posted on 2004-11-13 17:35:50

Gentoo and SELinux

SELinux reference links:

NSA SELinux main website — http://www.nsa.gov/selinux/

NSA SELinux FAQ — http://www.nsa.gov/selinux/info/faq.cfm

http://fedora.redhat.com/docs/selinux-faq-fc2/

http://fedora.redhat.com/docs/selinux-faq-fc3/

SELinux community page — http://selinux.sourceforge.net

UnOfficial FAQ — http://www.crypt.gen.nz/selinux/faq.html

Writing SE Linux policy HOWTO — https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266

Getting Started with SE Linux HOWTO: the new SE Linux (Debian) — https://sourceforge.net/docman/display_doc.php?docid=20372&group_id=21266

Discussion:

On IRC — irc.freenode.net, #fedora-selinux

Fedora mailing list — mailto:[email protected]; read the archives or subscribe at http://www.redhat.com/mailman/listinfo/fedora-selinux-list

Basically the same as a normal Gentoo install; a few points to note:

1. Download the SELinux stage
For example, install the base system from stage1-x86-selinux-2004.2.tar.bz2.
When chrooting you need:
# mount -t proc none /mnt/gentoo/proc
# mount -t selinuxfs none /mnt/gentoo/selinux
# chroot /mnt/gentoo /bin/bash
# env-update
# source /etc/profile
# emerge sync ...

2. Installing and configuring the kernel (note: SELinux only supports ext2/3 and xfs)
selinux-sources (the base 2.4 kernel source with SELinux patch),
hardened-sources (kernel source patched with SELinux and other security features),
hardened-dev-sources (kernel v2.6 source patched with other security features)
hardened-dev-sources is recommended:

# emerge hardened-dev-sources

When running make menuconfig, note the following:
Under "Code maturity level options"
Prompt for development and/or incomplete code/drivers

Under "General setup"
Auditing support

Under "File systems"
<*> Second extended fs support (If using ext2)
Ext2 extended attributes
[ ] Ext2 POSIX Access Control Lists
Ext2 Security Labels
<*> Ext3 journalling file system support (If using ext3)
Ext3 extended attributes
[ ] Ext3 POSIX Access Control Lists
Ext3 security labels
<*> XFS filesystem support (If using XFS)
[ ] Realtime support (EXPERIMENTAL)
[ ] Quota support
[ ] ACL support
Security Labels

/proc file system support
[ ] /dev file system support (EXPERIMENTAL)
/dev/pts file system for Unix98 PTYs (This option does not appear in 2.6, it is always on)
/dev/pts Extended Attributes
/dev/pts Security Labels
Virtual memory file system support (former shm fs)

Under "Security options"
Enable different security models
Socket and Networking Security Hooks
<*> Capabilities Support
NSA SELinux Support
[ ] NSA SELinux boot parameter
[ ] NSA SELinux runtime disable
NSA SELinux Development Support
[ ] NSA SELinux MLS policy (EXPERIMENTAL)



3. Writing /etc/fstab
The default entries
none /proc proc defaults 0 0
none /dev/shm tmpfs defaults 0 0
none /dev/pts devpts gid=5,mode=620 0 0
none /selinux selinuxfs defaults 0 0
must not be removed.

4. When writing the bootloader config, add gentoo=nodevfs

5. After the install is finished, before rebooting, relabel the filesystems:

# cd /etc/security/selinux/src/policy/
Adjust policy version if needed.
# make load
# make chroot_relabel

Reboot:
# exit
# umount /mnt/gentoo/proc /mnt/gentoo/selinux /mnt/gentoo
# reboot

Relabel again:
# cd /etc/security/selinux/src/policy
# make relabel

6. Add a normal user
# useradd john -m -G users,wheel,audio,tty -s /bin/bash
# passwd john
Add one line to /etc/security/selinux/src/policy/users:

user john roles { staff_r sysadm_r };

Then emerge xorg, gnome and so on...
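As an added example that is not part of the original post or of Gentoo's own tooling: a small POSIX shell script that checks the things the post says not to forget (the four /etc/fstab entries from step 3, the kernel options from step 2, and the users line from step 6) against constructed sample files, so the checks can be run before `make load` and the reboot. The .config symbol names (CONFIG_SECURITY_SELINUX, CONFIG_EXT3_FS_SECURITY and so on) are my assumption of the 2.6-era symbols behind the menuconfig entries the post lists; the sample fstab, .config and users files are constructed in a temporary directory, so nothing on the real system is touched.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-flight checks for the points the
# post says not to forget. All sample files are constructed under mktemp -d.
# Assumption: the .config symbols below correspond to the menuconfig entries
# listed in the post (2.6-era names such as CONFIG_SECURITY_SELINUX).

# Step 3: the four fstab entries the post says must stay in place.
# Usage: check_fstab_entries /path/to/fstab  -> exit status 0 if all present
check_fstab_entries() {
    fstab=$1
    rc=0
    for mnt in /proc /dev/shm /dev/pts /selinux; do
        # second column is the mount point; comment lines are skipped
        if ! awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { found=1 } END { exit !found }' "$fstab"; then
            echo "fstab: missing entry for $mnt" >&2
            rc=1
        fi
    done
    return $rc
}

# Step 2: kernel options from the "Security options" and "File systems" menus.
# Usage: check_kernel_config /path/to/.config  -> 0 if every required symbol is =y
check_kernel_config() {
    config=$1
    rc=0
    for sym in CONFIG_AUDIT CONFIG_SECURITY CONFIG_SECURITY_NETWORK \
               CONFIG_SECURITY_CAPABILITIES CONFIG_SECURITY_SELINUX \
               CONFIG_EXT3_FS_XATTR CONFIG_EXT3_FS_SECURITY; do
        if ! grep -q "^${sym}=y$" "$config"; then
            echo "kernel config: $sym is not =y" >&2
            rc=1
        fi
    done
    return $rc
}

# Step 6: add the user declaration to the policy's users file, idempotently.
# Usage: add_policy_user /path/to/users john "staff_r sysadm_r"
add_policy_user() {
    usersfile=$1; name=$2; roles=$3
    if grep -q "^user $name " "$usersfile"; then
        echo "users: $name already declared" >&2
        return 0
    fi
    printf 'user %s roles { %s };\n' "$name" "$roles" >> "$usersfile"
}

# --- constructed demo input ---
DEMO=$(mktemp -d)
cat > "$DEMO/fstab.good" <<'EOF'
# constructed sample /etc/fstab
/dev/hda3   /          ext3       noatime         0 1
none        /proc      proc       defaults        0 0
none        /dev/shm   tmpfs      defaults        0 0
none        /dev/pts   devpts     gid=5,mode=620  0 0
none        /selinux   selinuxfs  defaults        0 0
EOF
# the same file with the selinuxfs line dropped
grep -v selinuxfs "$DEMO/fstab.good" > "$DEMO/fstab.bad"

cat > "$DEMO/config.good" <<'EOF'
CONFIG_AUDIT=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_CAPABILITIES=y
CONFIG_SECURITY_SELINUX=y
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_SECURITY=y
EOF
# the same config with ext3 security labels switched off
sed 's/^CONFIG_EXT3_FS_SECURITY=y/# CONFIG_EXT3_FS_SECURITY is not set/' \
    "$DEMO/config.good" > "$DEMO/config.bad"

: > "$DEMO/users"
add_policy_user "$DEMO/users" john "staff_r sysadm_r"
add_policy_user "$DEMO/users" john "staff_r sysadm_r"   # second call is a no-op

check_fstab_entries "$DEMO/fstab.good" && echo "fstab.good: ok"
check_fstab_entries "$DEMO/fstab.bad" || echo "fstab.bad: rejected"
check_kernel_config "$DEMO/config.good" && echo "config.good: ok"
check_kernel_config "$DEMO/config.bad" || echo "config.bad: rejected"
```

On a real install you would point the functions at /etc/fstab, /usr/src/linux/.config and /etc/security/selinux/src/policy/users instead of the constructed files.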

cnhnln posted on 2004-11-13 22:29:53

Where do you download stage1-x86-selinux-2004.2.tar.bz2?

linky_fan posted on 2004-11-15 19:33:37

The Japanese Gentoo mirror site has it:
http://mirror.gentoo.gr.jp/releases/x86/2004.2/stages/x86/hardened/

cnhnln posted on 2004-11-15 20:59:39

Thanks,
but I've already decided to use 2004.3 :mrgreen:

linky_fan posted on 2004-11-15 21:08:21

emerge -uD world   :mrgreen:

dannycat posted on 2004-11-15 23:00:52

Installing SELinux directly from the Gentoo 2004.2 SELinux LiveCD will not succeed; in particular, during emerge system it errors out at psmisc and tcpwrapper and cannot continue.

Also, the handbook recommends hardened-dev-sources, but it actually has to match the version of the policy Gentoo ships. I installed Gentoo SELinux on a server around the 20th of September; the policy version was 18, but after emerge sync the highest version of hardened-dev-sources-2.6.7-rXX was 17. In the end I had to install develop-sources-2.6.8.1 before make load succeeded.

I think installing Gentoo SELinux is probably easier if you install the base system the usual way and then switch over to SELinux afterwards :?
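An added example illustrating dannycat's point about policy versions (this is not code from the thread or from Gentoo): the kernel reports the newest policy version it understands in /selinux/policyvers on the selinuxfs mount from the first post, and it can load a policy of that version or an older one it still supports, but not a newer one, which is why a version 18 policy could not be loaded on a kernel that only knew 17. The helper below picks the newest loadable policy.NN file from a directory; the directory contents and version numbers are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Check whether a compiled policy can be
# loaded by the running kernel. Assumption: the kernel accepts policy versions
# up to the number in /selinux/policyvers (and older ones back to the oldest it
# supports), and rejects anything newer. All inputs below are constructed.

# Usage: policy_loadable <kernel_policyvers> <policy_version> -> 0 if loadable
policy_loadable() {
    kernel=$1; policy=$2
    [ "$policy" -le "$kernel" ]
}

# Pick the newest policy.NN file in a directory that the kernel can load.
# Usage: pick_loadable_policy <dir> <kernel_policyvers> -> prints the path, or fails
pick_loadable_policy() {
    dir=$1; kernel=$2
    best=""; bestver=-1
    for f in "$dir"/policy.*; do
        [ -e "$f" ] || continue
        ver=${f##*.}
        case $ver in *[!0-9]*) continue;; esac   # skip e.g. policy.conf
        if policy_loadable "$kernel" "$ver" && [ "$ver" -gt "$bestver" ]; then
            best=$f; bestver=$ver
        fi
    done
    if [ -z "$best" ]; then
        echo "no policy in $dir is loadable by a kernel with policyvers $kernel" >&2
        return 1
    fi
    printf '%s\n' "$best"
}

# Read the kernel's value if selinuxfs is mounted at /selinux, otherwise fall
# back to the number given (so the demo runs on a machine without SELinux).
# Usage: kernel_policyvers <fallback>
kernel_policyvers() {
    if [ -r /selinux/policyvers ]; then cat /selinux/policyvers; else echo "$1"; fi
}

# --- constructed demo: a policy directory holding versions 17 and 18 ---
DEMO=$(mktemp -d)
: > "$DEMO/policy.17"; : > "$DEMO/policy.18"; : > "$DEMO/policy.conf"
pick_loadable_policy "$DEMO" 17 && echo "kernel 17: loads policy.17"
pick_loadable_policy "$DEMO" 18 && echo "kernel 18: loads policy.18"
pick_loadable_policy "$DEMO" 16 || echo "kernel 16: nothing loadable (dannycat's situation)"
```

On a real system you would call `pick_loadable_policy /etc/security/selinux "$(kernel_policyvers 17)"` before `make load`, and if it fails, either build the policy for an older version or move to a kernel whose policyvers is high enough, which is what dannycat ended up doing.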

linky_fan posted on 2004-11-16 20:54:53

I think installing Gentoo SELinux is probably easier if you install the base system the usual way and then switch over to SELinux afterwards
_________________

Some day I'll give it a try myself :mrgreen: