Chinaunix
Steps for creating an SELinux policy

#1 | Posted 2007-08-24 16:06
This is my first post. Today I came across an article about SELinux in Red Hat's e-magazine and translated it on a whim.
Since this is my first time translating an article, my ability is limited; please correct me where needed.

SELinux.rar (21.67 KB, 518 downloads): see the attachment for the full text.

A step-by-step guide to building a new SELinux policy module, by Dan Walsh

Who's afraid of SELinux? Well, if you are, you shouldn't be! Thanks to the introduction of new GUI tools, customizing your system's protection by creating new policy modules is easier than ever. In this article, Dan Walsh gently walks you through the policy module creation process.
A lot of people think that building a new SELinux policy is magic, but magic tricks never seem quite as difficult once you know how they're done. This article explains how I build a policy module and gives you the step-by-step process for using the tools to build your own.
Before we start, let's review why we work with policy modules. In the past, in order to modify the current SELinux policy on a system running Red Hat Enterprise Linux 4, a system administrator would have had to download the policy source, edit the policy source code, and rebuild and install the policy using tools like make install. The introduction of policy modules made this process easier and less error-prone. A system administrator could use the audit2allow utility to generate policy module updates directly from audit.log error messages. These modules function in a way similar to kernel modules in that they enable system administrators to modify part of the policy (a specific module) without having to rebuild the entire thing.
Remember to start small
One reminder! When you start to write policy, start small. Often, people send me email telling me they want to write SELinux policy and then they choose to write it for something huge like Firefox. When you decide to write policy for an application, you should have an idea of what the application does and what your security goals are for the application. For example:
  • Least privilege. An application's security goals are often based on "least privilege," meaning that the application is only allowed to do the things it was designed to do. For example, FTP isn't allowed to talk to the telnet port.
  • Modified privilege. Sometimes your security goal might be to give the application less privilege than it was designed to have. This is for when you want to prevent Firefox from writing to your home directories.
  • Booleans. You might want to add booleans so your end user could modify the security policy depending on his security goals for the application. The best example of this is FTP servers. Most people run anonymous FTP servers, but some want full access to the users' home directories. I can write policy to satisfy both users and have a boolean to arrive at least privilege.
Since simple daemon applications usually have security goals close to what the application is designed to do, a good place to begin writing policy is for daemons started during the system startup routines or CGI scripts. Avoid writing policy for user applications until you thoroughly understand SELinux and your security goals for that application.
For this article I will describe confining the rwho daemon. This daemon generates output similar to who, but for users logged in to hosts on the local network. It's helpful (but not necessary) if policy writers have an intimate understanding of the applications they're going to confine. You certainly don't have to know every application you confine.
The new policy generation GUI tool: polgengui
To build things, you need tools. Starting with RHEL5 and Fedora 7, I began building a GUI tool to help people generate templates for policy generation. I examined the upstream policy and built templates around how that policy is written. The goal was to easily get policy upstreamed to get the maximum usage. So I added the polgengui tool to the system-config-selinux utility. This tool generates four files:
  • Type enforcement (te) file: contains all of the code used to confine my application
  • File context (fc) file: contains the mappings between files and file context
  • Interface (if) file: contains all of the interfaces that other domains might want to use to communicate with my domain and the file types created by my applications
  • Shell script (sh): used to compile, install and fix the labeling on the test system
Now let's start writing policy. There are three main steps that we'll perform.
Step 1 – Use system-config-selinux to create a new policy module
Start by running system-config-selinux:

To begin building a new policy module, click the New button to run the SELinux Policy Generation Druid.

This druid is a wizard that chunks the policy creation process into seven quick dialog boxes:
  • Name of application to be confined
  • Application type
  • Incoming network port connections
  • Outgoing network port connections
  • Common application traits
  • Files and directories (where the application will write)
  • Generate policy in this directory
Name of application to be confined

This screen will prompt you for a name for your confined application and the path to the executable used to start it. The tool will use this information to create two SELinux types, rwho_t and rwho_exec_t. The running process (domain) will use the rwho_t type. File context on disk will use rwho_exec_t.
Application type

This screen asks you to identify the type of application. This allows you to set up all of the policy to correctly transition from other domains. The supported application types are:
  • Standard Init Daemon. These applications are started during the init process either by rc.sysinit directly or as a start up script in /etc/init.d.
  • Internet Services Daemon. These applications are started by inetd or xinetd.
  • Web Application/Script (CGI). These applications are actually executed by apache as a separate process. This type does not currently work for applications that run in-process, like mod_perl or mod_php.
  • User Application. These applications are usually started by a logged in user.
In the future we will be adding a mechanism for writing policy to actually confine a logged in user.
Incoming network port connections

This screen allows you to enter a space-separated list of network ports that the application will bind/listen on for incoming connections. If you're not sure, you can leave this blank and come back to it later. In this screenshot, rwho will listen on UDP port 513.
Outgoing network port connections

This screen allows you to specify TCP and UDP ports that the confined application needs to connect to. Because rwhod doesn't connect to any ports, I leave it blank.
Both of the ports screens search through the existing policy to see if a type is already defined for that port number. If the port is defined, it will write the appropriate interface to use the port. If the port is not currently defined, polgengui will generate a new type for the port and the appropriate interface. If you define a new port, you will need to run some semanage commands to define the ports during install. The sh script file that will be generated by polgengui will contain the correct semanage command.
Common application traits

This screen allows you to specify some common traits that applications exhibit. Checking these boxes will add policy to your template and allow the application to perform the selected functions. If you are not sure whether your applications need any of these, leave them blank, and polgengui will generate the policy by running the application. If you have access to the source, you can use grep to quickly find out if the application requires any of these. For example, grep -r syslog . will tell whether or not your application uses syslog, and grep -r getpw . will tell whether or not you want to use nsswitch.
Files and directories
This screen allows you to designate files and directories where the confined application needs write privileges. The tool looks at the paths that you enter and uses them to establish the name of the type to use. It is doing this based on the conventions established in the reference policy. So files stored under /var/log should be labeled rwho_log_t, and files/directories stored under /var/spool should be labeled rwho_spool_t. In order to get the regular expression labeling correct, polgengui asks you to differentiate between files and directories. Files/directories do not have to exist before running the application. Most new paths added to this screen will result in a new type being generated.
Note: One common mistake people make when writing policy is the over-generation of types. File context types should be generated only for files/directories that are owned and written by the confined application. If the file/directory is only read by the application, you are better off leaving it as the default file context. So conf files in /etc/ should usually be left as etc_t. Files with sensitive security data are the exception. Something like a credit card database should not be labeled etc_t, even if the confined application treats it as read-only.
Generate policy in this directory

This screen asks you where to put the tool's output. It will default to the current working directory, but often you are better off putting your policy files in a separate directory.
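The article notes that audit2allow turns audit.log denials into policy module updates. The shell script below is an added example, not part of the original post or of Red Hat's tooling: it parses a constructed AVC denial line (not captured from a real system) into the allow rule audit2allow would propose, and flags rules whose target is a shared type such as var_spool_t, where, following the article's own advice, the file should get an application-owned type (rwho_spool_t) instead of a blanket rule against the generic type. The review heuristic and the list of generic types it checks are assumptions made for this example.

```shell
#!/bin/sh
# Added example: derive the allow rule audit2allow would suggest from an
# AVC denial, then review it before it goes into a policy module.
# The AVC line below is constructed for this example, not a real capture.

SAMPLE_AVC='type=AVC msg=audit(1187942040.123:45): avc:  denied  { write } for  pid=2345 comm="rwhod" name="whod.host1" dev=sda2 ino=12345 scontext=system_u:system_r:rwho_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=file'

# Reads AVC lines on stdin and prints one rule per denial in the form
#   allow <source type> <target type>:<class> { <perms> };
# The type is the third field of the context (user:role:type:level).
avc_to_allow() {
    sed -n 's/.*avc: *denied *{ \([^}]*\)} .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/allow \2 \3:\4 { \1};/p'
}

# Flags rules whose target is a generic type shared with other daemons
# (assumed list: etc_t, var_spool_t, var_log_t). Per the article, files the
# confined daemon writes should be relabeled to its own type rather than
# granted by an allow rule against the shared type.
review_rule() {
    case "$1" in
        "allow "*" var_spool_t:"*|"allow "*" var_log_t:"*|"allow "*" etc_t:"*)
            echo "REVIEW: $1  (relabel the file to an application-owned type instead)" ;;
        *)
            echo "OK: $1" ;;
    esac
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_AVC" | avc_to_allow | while IFS= read -r rule; do
        review_rule "$rule"
    done
fi
```

Run with `sh avc_review.sh --demo`, or pipe real `grep avc: /var/log/audit/audit.log` output into `avc_to_allow`. For the sample denial the script prints a REVIEW line: rwhod writing under /var/spool is expected, so the fix is the rwho_spool_t file context from the article, not `allow rwho_t var_spool_t:file { write };`.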
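As an added example of the files polgengui produces (hand-written here, not output from polgengui or from the original post), the script below writes a rwho.te, rwho.fc and rwho.if for the rwhod daemon from the article (domain rwho_t, entrypoint rwho_exec_t, UDP port 513, syslog and nsswitch, a writable spool directory) and performs what the generated sh script does: compile with the policy devel Makefile, install with semodule, and relabel with restorecon. The interface names follow SELinux reference-policy conventions and are assumed, as is the /var/spool/rwho path; the build step only runs when the devel Makefile is present.

```shell
#!/bin/sh
# Added example: the te/fc/if files for rwhod and the build steps of the
# generated sh script. Interface names are reference-policy conventions and
# are assumptions here, not polgengui output.

write_policy_files() {
    dir="$1"
    mkdir -p "$dir"

    # rwho.te: the domain, its entrypoint, and the one file type it may write.
    cat > "$dir/rwho.te" <<'EOF'
policy_module(rwho, 1.0.0)

type rwho_t;
type rwho_exec_t;
init_daemon_domain(rwho_t, rwho_exec_t)

type rwho_spool_t;
files_type(rwho_spool_t)

# Least privilege: write only the spool files the daemon owns.
manage_dirs_pattern(rwho_t, rwho_spool_t, rwho_spool_t)
manage_files_pattern(rwho_t, rwho_spool_t, rwho_spool_t)
files_spool_filetrans(rwho_t, rwho_spool_t, { dir file })

# Incoming connections: UDP 513 already has a type (rwho_port_t) in the
# reference policy, so no semanage port command is needed in the sh script.
allow rwho_t self:udp_socket create_socket_perms;
corenet_udp_bind_generic_node(rwho_t)
corenet_udp_bind_rwho_port(rwho_t)

# Common traits ticked in the druid: syslog and nsswitch.
logging_send_syslog_msg(rwho_t)
auth_use_nsswitch(rwho_t)
EOF

    # rwho.fc: file contexts. Config under /etc is read-only, so it stays etc_t
    # and is deliberately not listed (no over-generation of types).
    cat > "$dir/rwho.fc" <<'EOF'
/usr/sbin/rwhod         --      gen_context(system_u:object_r:rwho_exec_t,s0)
/var/spool/rwho(/.*)?           gen_context(system_u:object_r:rwho_spool_t,s0)
EOF

    # rwho.if: no other domain needs to reach rwho yet, so only a summary.
    cat > "$dir/rwho.if" <<'EOF'
## <summary>rwho daemon</summary>
EOF
}

# What the generated rwho.sh does: compile, install, then fix labels.
# Requires selinux-policy-devel and root; skipped when the Makefile is absent.
build_and_install() {
    dir="$1"
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "selinux-policy-devel not installed; skipping build" >&2
        return 1
    fi
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile rwho.pp ) &&
    semodule -i "$dir/rwho.pp" &&
    restorecon -R -v /usr/sbin/rwhod /var/spool/rwho
}

# Counts the distinct file-context types an fc file introduces; a quick check
# against the over-generation of types the article warns about.
count_fc_types() {
    grep -o 'object_r:[a-z_]*_t' "$1" | sort -u | wc -l | tr -d ' '
}

if [ "${1:-}" = "--demo" ]; then
    out=$(mktemp -d)
    write_policy_files "$out"
    echo "wrote $(ls "$out" | tr '\n' ' ')to $out"
    echo "file-context types in rwho.fc: $(count_fc_types "$out/rwho.fc")"
    build_and_install "$out" || true
fi
```

Run `sh rwho_policy.sh --demo` to write the files into a temporary directory (the separate directory the last druid screen recommends) and, on a system with the policy devel package, build and load the module. Keeping the writable spool as the only new type mirrors the note on over-generated types: rwho_exec_t and rwho_spool_t are the whole fc file.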

#2 | Posted 2007-08-24 16:23
Big bump.....

#3 | Posted 2007-08-25 17:30
Nice.

I happened to see this document a couple of days ago too.

#4 | Posted 2007-08-25 22:42
Bump, I'm reading this document too.

#5 | Posted 2007-08-25 22:43
Why can't I see the images you posted?

#6 | Posted 2007-08-27 16:00
I can't see the images myself either. Fortunately the images don't matter much.

#7 | Posted 2007-08-30 21:26
Reply to post #1 by liuzheng666

Has anyone tried it?

Also, it seems FC7 hasn't been released yet, has it?

#8 | Posted 2007-09-03 15:34
Articles like this deserve support. Thanks.

#9 | Posted 2009-09-18 10:57
Beginner here, thanks.

#10 | Posted 2015-08-12 16:11
This tool seems to be only a template; it doesn't help much.