V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
V2EX 提问指南
pq
V2EX  ›  问与答

有没有 SELinux 高手直白地说一下,它究竟能在传统的基于用户权限的安全策略基础上增加多少安全性?为此而维护一套庞大的规则是否值得?

  •  
  •   pq · 2017-11-12 15:20:30 +08:00 · 2456 次点击
    这是一个创建于 2603 天前的主题,其中的信息可能已经有所发展或是发生改变。

    Fedora 26 原始发行版本,启动后就发现一堆安全策略没有定义,比如:

    [    4.795945] SELinux:  Class sctp_socket not defined in policy.
    [    4.796810] SELinux:  Class icmp_socket not defined in policy.
    [    4.797669] SELinux:  Class ax25_socket not defined in policy.
    [    4.798520] SELinux:  Class ipx_socket not defined in policy.
    [    4.799365] SELinux:  Class netrom_socket not defined in policy.
    [    4.800222] SELinux:  Class atmpvc_socket not defined in policy.
    [    4.801076] SELinux:  Class x25_socket not defined in policy.
    [    4.801933] SELinux:  Class rose_socket not defined in policy.
    [    4.802792] SELinux:  Class decnet_socket not defined in policy.
    [    4.803651] SELinux:  Class atmsvc_socket not defined in policy.
    [    4.804511] SELinux:  Class rds_socket not defined in policy.
    [    4.805382] SELinux:  Class irda_socket not defined in policy.
    [    4.806251] SELinux:  Class pppox_socket not defined in policy.
    [    4.807121] SELinux:  Class llc_socket not defined in policy.
    [    4.807991] SELinux:  Class can_socket not defined in policy.
    [    4.808845] SELinux:  Class tipc_socket not defined in policy.
    [    4.809692] SELinux:  Class bluetooth_socket not defined in policy.
    [    4.810549] SELinux:  Class iucv_socket not defined in policy.
    [    4.811411] SELinux:  Class rxrpc_socket not defined in policy.
    [    4.812281] SELinux:  Class isdn_socket not defined in policy.
    [    4.813149] SELinux:  Class phonet_socket not defined in policy.
    [    4.814022] SELinux:  Class ieee802154_socket not defined in policy.
    [    4.814899] SELinux:  Class caif_socket not defined in policy.
    [    4.815777] SELinux:  Class alg_socket not defined in policy.
    [    4.816660] SELinux:  Class nfc_socket not defined in policy.
    [    4.817536] SELinux:  Class vsock_socket not defined in policy.
    [    4.818402] SELinux:  Class kcm_socket not defined in policy.
    [    4.819260] SELinux:  Class qipcrtr_socket not defined in policy.
    [    4.820109] SELinux:  Class smc_socket not defined in policy.
    [    4.820948] SELinux:  Class infiniband_pkey not defined in policy.
    [    4.821789] SELinux:  Class infiniband_endport not defined in policy.
    [    4.822630] SELinux: the above unknown classes and permissions will be allowed
    

    更新到最新的 selinux-policy-targeted-3.13.1-260.13.fc26,不仅没有解决,反而未定义的更多了,这个包相当大,安装后有 20 多 MB,我觉得,rh 的开发人员定义这么庞大的规则确实不容易,普通用户根本不想触碰它们,但费这么大力气,究竟能带来多大的安全提升呢?貌似就只有 RH 系的发行版默认启用 SELinux。

    5 条回复    2017-11-12 23:31:13 +08:00
    pq
        1
    pq  
    OP
       2017-11-12 15:38:53 +08:00   ❤️ 1
    zlfzy
        2
    zlfzy  
       2017-11-12 15:48:09 +08:00
    我司的服务器买回来第一件事就是关 SELINUX
    Senorsen
        3
    Senorsen  
       2017-11-12 18:05:03 +08:00   ❤️ 1
    虽说没有绝对的安全,但安全措施是越多越细致就越好的。
    swulling
        4
    swulling  
       2017-11-12 18:10:39 +08:00 via iPhone   ❤️ 1
    NSA 的成果,反人类的实现方式

    开个玩笑,可能是 NSA 故意做的真的反人类,然后引导大家都关掉
    cy97cool
        5
    cy97cool  
       2017-11-12 23:31:13 +08:00 via Android
    话说 linux 上有没有类似主动防御(如被 360 收购的 Malware Defender)的防护软件。。。
    使用对人类友好的规则对文件、网络、进程行为进行防护
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   937 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 23ms · UTC 22:42 · PVG 06:42 · LAX 14:42 · JFK 17:42
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.