Sl: различия между версиями

Материал из ALT Linux Wiki
Нет описания правки
Нет описания правки
Строка 38: Строка 38:
Add patch for policycoreutils-newrole has patch, that adds to Linux capabilities: CAP_SETGID & CAP_AUDIT_WRITE.
Add patch for policycoreutils-newrole has patch, that adds to Linux capabilities: CAP_SETGID & CAP_AUDIT_WRITE.
For more info look up at: http://git.altlinux.org/gears/p/policycoreutils.git
For more info look up at: http://git.altlinux.org/gears/p/policycoreutils.git
=== Users ===
When system's users login the __default__ rule takes action.
This rule says that:
* all system users are mapped to generic_u SeLinux user.
* all OS users has access only to s0 level.
# semanage login -l
Login Name                SELinux User              MLS/MCS Range           
__default__              generic_u                s0                     
root                      officer_u                s0-s5:c0.c15     
Add for specfic user:
# semanage login -a -s generic_u -r s0-s3:c2.c14 stanv




Версия от 12:42, 24 апреля 2013

Howto get working SeLinux AltLinux policy

Install policy

Install package selinux-policy-altlinux

Update Grub config

Update configuration GRUB's file: /etc/sysconfig/grub2:

GRUB_CMDLINE_LINUX_DEFAULT='panic=30 quiet splash security=selinux selinux=1'

It is also possible to add:

  • enforcing=1
  • log_buf_len=1M
grub-mkconfig  > /boot/grub/grub.cfg

PAM configuration

  • Add to /etc/pam.d/newrole before pam_namespace.so module
session        required pam_exec.so debug /etc/security/alt.newrole/helper /etc/security/alt.newrole/config
  • Add to /etc/pam.d/common-login:
# The first `session' module
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close

# The last `session' module
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open verbose


ALT Linux aspects

newrole modifications

Add patch for policycoreutils-newrole has patch, that adds to Linux capabilities: CAP_SETGID & CAP_AUDIT_WRITE. For more info look up at: http://git.altlinux.org/gears/p/policycoreutils.git

Users

When system's users login the __default__ rule takes action. This rule says that:

  • all system users are mapped to generic_u SeLinux user.
  • all OS users has access only to s0 level.
# semanage login -l
Login Name                SELinux User              MLS/MCS Range            
__default__               generic_u                 s0                       
root                      officer_u                 s0-s5:c0.c15

Add for specfic user: 

# semanage login -a -s generic_u -r s0-s3:c2.c14 stanv
Features