On the original Fedora 26 release, right after booting I found a pile of security policy classes that are not defined, for example:
[ 4.795945] SELinux: Class sctp_socket not defined in policy.
[ 4.796810] SELinux: Class icmp_socket not defined in policy.
[ 4.797669] SELinux: Class ax25_socket not defined in policy.
[ 4.798520] SELinux: Class ipx_socket not defined in policy.
[ 4.799365] SELinux: Class netrom_socket not defined in policy.
[ 4.800222] SELinux: Class atmpvc_socket not defined in policy.
[ 4.801076] SELinux: Class x25_socket not defined in policy.
[ 4.801933] SELinux: Class rose_socket not defined in policy.
[ 4.802792] SELinux: Class decnet_socket not defined in policy.
[ 4.803651] SELinux: Class atmsvc_socket not defined in policy.
[ 4.804511] SELinux: Class rds_socket not defined in policy.
[ 4.805382] SELinux: Class irda_socket not defined in policy.
[ 4.806251] SELinux: Class pppox_socket not defined in policy.
[ 4.807121] SELinux: Class llc_socket not defined in policy.
[ 4.807991] SELinux: Class can_socket not defined in policy.
[ 4.808845] SELinux: Class tipc_socket not defined in policy.
[ 4.809692] SELinux: Class bluetooth_socket not defined in policy.
[ 4.810549] SELinux: Class iucv_socket not defined in policy.
[ 4.811411] SELinux: Class rxrpc_socket not defined in policy.
[ 4.812281] SELinux: Class isdn_socket not defined in policy.
[ 4.813149] SELinux: Class phonet_socket not defined in policy.
[ 4.814022] SELinux: Class ieee802154_socket not defined in policy.
[ 4.814899] SELinux: Class caif_socket not defined in policy.
[ 4.815777] SELinux: Class alg_socket not defined in policy.
[ 4.816660] SELinux: Class nfc_socket not defined in policy.
[ 4.817536] SELinux: Class vsock_socket not defined in policy.
[ 4.818402] SELinux: Class kcm_socket not defined in policy.
[ 4.819260] SELinux: Class qipcrtr_socket not defined in policy.
[ 4.820109] SELinux: Class smc_socket not defined in policy.
[ 4.820948] SELinux: Class infiniband_pkey not defined in policy.
[ 4.821789] SELinux: Class infiniband_endport not defined in policy.
[ 4.822630] SELinux: the above unknown classes and permissions will be allowed
After updating to the latest selinux-policy-targeted-3.13.1-260.13.fc26, not only was this not fixed, there were even more undefined classes. The package is quite large, 20-odd MB once installed. I think it really is no small job for RH's developers to define such an enormous set of rules, and ordinary users have no wish to touch them at all. But after all that effort, how much of a security improvement does it actually bring? It seems only the RH family of distributions enables SELinux by default.
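The boot messages quoted above are the kernel telling you that the running kernel knows object classes (and possibly permissions) that the loaded policy does not, and the last line says how it will handle them: a policy built with handle_unknown=allow makes every access to those classes succeed unchecked, a policy built with deny makes them fail. Below is an added example, not code from the thread or from Fedora, that parses a dmesg capture for these three message forms and reports whether the box is in the fail-open state. The sample input is constructed from a subset of the lines in the post plus one permission-style line of the same kind.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Kernel message forms emitted while loading a policy that lags the kernel.
CLASS_RE = re.compile(r"SELinux:\s+Class (\w+) not defined in policy")
PERM_RE = re.compile(r"SELinux:\s+Permission (\w+) in class (\w+) not defined in policy")
HANDLING_RE = re.compile(
    r"SELinux:\s+the above unknown classes and permissions will be (allowed|denied)"
)

# Constructed sample: three class lines from the thread, one constructed
# permission line of the same shape, and the closing "will be allowed" line.
SAMPLE_DMESG = """\
[    4.795945] SELinux: Class sctp_socket not defined in policy.
[    4.796810] SELinux: Class icmp_socket not defined in policy.
[    4.821789] SELinux: Class infiniband_endport not defined in policy.
[    4.822001] SELinux: Permission bind in class sctp_socket not defined in policy.
[    4.822630] SELinux:  the above unknown classes and permissions will be allowed
"""


@dataclass
class UnknownPolicyReport:
    classes: List[str] = field(default_factory=list)
    permissions: List[Tuple[str, str]] = field(default_factory=list)  # (perm, class)
    handling: Optional[str] = None  # "allowed", "denied", or None if not seen

    @property
    def fail_open(self) -> bool:
        """True when unknown classes/permissions exist and the kernel grants them."""
        return bool(self.classes or self.permissions) and self.handling == "allowed"


def parse_selinux_boot_log(text: str) -> UnknownPolicyReport:
    """Scan dmesg-style text for SELinux unknown-class/permission messages."""
    report = UnknownPolicyReport()
    for line in text.splitlines():
        m = CLASS_RE.search(line)
        if m:
            report.classes.append(m.group(1))
            continue
        m = PERM_RE.search(line)
        if m:
            report.permissions.append((m.group(1), m.group(2)))
            continue
        m = HANDLING_RE.search(line)
        if m:
            report.handling = m.group(1)
    return report


def summarize(report: UnknownPolicyReport) -> str:
    """One-paragraph finding a defender can paste into a ticket."""
    if not report.classes and not report.permissions:
        return "OK: loaded policy defines every class and permission the kernel knows."
    verdict = (
        "FAIL-OPEN: access to the classes below is granted without policy checks"
        if report.fail_open
        else "fail-closed or unknown handling: access to the classes below is denied"
        if report.handling == "denied"
        else "handling line not seen; run `sestatus` and check the deny_unknown status"
    )
    classes = ", ".join(report.classes) or "(none)"
    perms = ", ".join(f"{p} in {c}" for p, c in report.permissions) or "(none)"
    return f"{verdict}\n  undefined classes: {classes}\n  undefined permissions: {perms}"


if __name__ == "__main__":
    # Usage: sudo dmesg | python3 selinux_unknown.py   (or no stdin to use the sample)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DMESG
    print(summarize(parse_selinux_boot_log(data)))
```

The practical reading for a defender: the class list by itself is informational, but "will be allowed" means the policy package is older than the kernel and the gap is covered by blanket permission, so those socket families effectively run without MAC until a policy that defines them is installed. `sestatus` shows the same fact as "Policy deny_unknown status".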
1. pq (OP)
2. zlfzy 2017-11-12 15:48:09 +08:00
The first thing our company does with a newly bought server is turn off SELINUX.
3. Senorsen 2017-11-12 18:05:03 +08:00
There is no absolute security, but the more numerous and the more fine-grained the security measures, the better.
4. swulling 2017-11-12 18:10:39 +08:00 via iPhone
An NSA product, implemented in a way hostile to human beings.
Just kidding. Maybe the NSA deliberately made it genuinely user-hostile so that everyone would be steered into turning it off.
5. cy97cool 2017-11-12 23:31:13 +08:00 via Android
By the way, is there any proactive-defence style protection software on Linux (something like Malware Defender, which was acquired by 360)...
One that guards file, network and process behaviour using rules that are friendly to humans.