Sl
From ALT Linux Wiki
(Difference between revisions)
Stanv (talk | contribs) |
Stanv (talk | contribs) |
||
Line 38: | Line 38: | ||
Add patch for policycoreutils-newrole has patch, that adds to Linux capabilities: CAP_SETGID & CAP_AUDIT_WRITE. | Add patch for policycoreutils-newrole has patch, that adds to Linux capabilities: CAP_SETGID & CAP_AUDIT_WRITE. | ||
For more info look up at: http://git.altlinux.org/gears/p/policycoreutils.git | For more info look up at: http://git.altlinux.org/gears/p/policycoreutils.git | ||
+ | |||
+ | === Users === | ||
+ | |||
+ | When system's users login the __default__ rule takes action. | ||
+ | This rule says that: | ||
+ | * all system users are mapped to generic_u SeLinux user. | ||
+ | * all OS users has access only to s0 level. | ||
+ | |||
+ | # semanage login -l | ||
+ | Login Name SELinux User MLS/MCS Range | ||
+ | __default__ generic_u s0 | ||
+ | root officer_u s0-s5:c0.c15 | ||
+ | |||
+ | Add for specfic user: | ||
+ | # semanage login -a -s generic_u -r s0-s3:c2.c14 stanv | ||
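Review bot: the added Users text states that all OS users have access only to s0, yet the example that follows maps stanv to s0-s3:c2.c14 without saying that a per-login entry takes the place of __default__ for that login, and the root row (officer_u, s0-s5:c0.c15) shown in the listing is not covered by either bullet. Suggest wording the bullets as applying to logins that have no entry of their own, and fixing "specfic", "SeLinux" (SELinux) and "users has" while there.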
Revision as of 09:42, 24 April 2013
How to get a working SELinux ALT Linux policy
Install policy
Install the package selinux-policy-altlinux.
Update Grub config
Update the GRUB configuration file /etc/sysconfig/grub2:
GRUB_CMDLINE_LINUX_DEFAULT='panic=30 quiet splash security=selinux selinux=1'
It is also possible to add:
- enforcing=1
- log_buf_len=1M
Then regenerate the GRUB configuration:
grub-mkconfig > /boot/grub/grub.cfg
PAM configuration
- Add to /etc/pam.d/newrole, before the pam_namespace.so module:
session required pam_exec.so debug /etc/security/alt.newrole/helper /etc/security/alt.newrole/config
- Add to /etc/pam.d/common-login:
# The first `session' module
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close

# The last `session' module
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open verbose
ALT Linux aspects
newrole modifications
policycoreutils-newrole has a patch that adds the Linux capabilities CAP_SETGID and CAP_AUDIT_WRITE. For more information, see: http://git.altlinux.org/gears/p/policycoreutils.git
Users
When a system user logs in, the __default__ rule applies. This rule says that:
- all system users are mapped to the generic_u SELinux user.
- all OS users have access only to the s0 level.
# semanage login -l
Login Name           SELinux User         MLS/MCS Range
__default__          generic_u            s0
root                 officer_u            s0-s5:c0.c15
Add a mapping for a specific user:
# semanage login -a -s generic_u -r s0-s3:c2.c14 stanv
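To audit which logins get more than the s0 default, the listing can be parsed and each MLS range expanded. The following is an added example, not part of the wiki page or the ALT Linux policy; the function names are hypothetical and the stanv row in the sample is constructed to show the state after the command above.

```python
import re

# First three lines: the listing shown on this page.
# The stanv row is constructed (state after the `semanage login -a` command).
SAMPLE = """\
Login Name           SELinux User         MLS/MCS Range
__default__          generic_u            s0
root                 officer_u            s0-s5:c0.c15
stanv                generic_u            s0-s3:c2.c14
"""

def expand_categories(cats):
    """Expand 'c0.c15,c20' into category numbers ('.' is a span, ',' a list)."""
    out = set()
    for item in filter(None, cats.split(",")):
        first, _, last = item.partition(".")
        lo = int(first[1:])
        hi = int(last[1:]) if last else lo
        out.update(range(lo, hi + 1))
    return out

def parse_range(text):
    """Split 'low[-high]' into (low_level, high_level, high_categories)."""
    low, _, high = text.partition("-")
    high = high or low                       # a single level: low == high
    low_sens = low.partition(":")[0]
    high_sens, _, high_cats = high.partition(":")
    return int(low_sens[1:]), int(high_sens[1:]), expand_categories(high_cats)

def parse_login_map(listing):
    """Return {login: (selinux_user, range)} from `semanage login -l` output."""
    table = {}
    for line in listing.splitlines():
        fields = line.split()
        # Data rows carry a range such as 's0' in the third column; the
        # header and blank lines do not and are skipped.
        if len(fields) >= 3 and re.fullmatch(r"s\d+\S*", fields[2]):
            table[fields[0]] = (fields[1], fields[2])
    return table

def effective_mapping(table, login):
    """Logins without their own row fall back to the __default__ rule."""
    return table.get(login, table["__default__"])

def clearance(table, login):
    """Highest sensitivity level and category set the login can reach."""
    _, high, cats = parse_range(effective_mapping(table, login)[1])
    return high, cats
```
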