On the original Fedora 26 release, right after booting I found a whole bunch of security policies not defined, for example:
[ 4.795945] SELinux: Class sctp_socket not defined in policy.
[ 4.796810] SELinux: Class icmp_socket not defined in policy.
[ 4.797669] SELinux: Class ax25_socket not defined in policy.
[ 4.798520] SELinux: Class ipx_socket not defined in policy.
[ 4.799365] SELinux: Class netrom_socket not defined in policy.
[ 4.800222] SELinux: Class atmpvc_socket not defined in policy.
[ 4.801076] SELinux: Class x25_socket not defined in policy.
[ 4.801933] SELinux: Class rose_socket not defined in policy.
[ 4.802792] SELinux: Class decnet_socket not defined in policy.
[ 4.803651] SELinux: Class atmsvc_socket not defined in policy.
[ 4.804511] SELinux: Class rds_socket not defined in policy.
[ 4.805382] SELinux: Class irda_socket not defined in policy.
[ 4.806251] SELinux: Class pppox_socket not defined in policy.
[ 4.807121] SELinux: Class llc_socket not defined in policy.
[ 4.807991] SELinux: Class can_socket not defined in policy.
[ 4.808845] SELinux: Class tipc_socket not defined in policy.
[ 4.809692] SELinux: Class bluetooth_socket not defined in policy.
[ 4.810549] SELinux: Class iucv_socket not defined in policy.
[ 4.811411] SELinux: Class rxrpc_socket not defined in policy.
[ 4.812281] SELinux: Class isdn_socket not defined in policy.
[ 4.813149] SELinux: Class phonet_socket not defined in policy.
[ 4.814022] SELinux: Class ieee802154_socket not defined in policy.
[ 4.814899] SELinux: Class caif_socket not defined in policy.
[ 4.815777] SELinux: Class alg_socket not defined in policy.
[ 4.816660] SELinux: Class nfc_socket not defined in policy.
[ 4.817536] SELinux: Class vsock_socket not defined in policy.
[ 4.818402] SELinux: Class kcm_socket not defined in policy.
[ 4.819260] SELinux: Class qipcrtr_socket not defined in policy.
[ 4.820109] SELinux: Class smc_socket not defined in policy.
[ 4.820948] SELinux: Class infiniband_pkey not defined in policy.
[ 4.821789] SELinux: Class infiniband_endport not defined in policy.
[ 4.822630] SELinux: the above unknown classes and permissions will be allowed
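After updating to the latest selinux-policy-targeted-3.13.1-260.13.fc26, not only was this not fixed, there were even more undefined ones. This package is quite large, over 20 MB once installed. I think it really can't be easy for the RH developers to define such a huge set of rules, and ordinary users don't want to touch them at all. But after going to all this effort, how much of a security improvement does it actually bring? It seems that only the RH-family distributions enable SELinux by default.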