SELinux [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

SELinux [Electronic resources] - نسخه متنی

Bill McCarty

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Sitemap

SELinux

Table of Contents

Copyright

Preface

Organization of This Book

Conventions Used in This Book

Using Code Examples

How to Contact Us

Acknowledgments

Chapter 1. Introducing SELinux

1.1 Software Threats and the Internet

1.2 SELinux Features

1.3 Applications of SELinux

1.4 SELinux History

1.5 Web and FTP Sites

Chapter 2. Overview of the SELinux Security Model

2.1 Subjects and Objects

2.2 Security Contexts

2.3 Transient and Persistent Objects

2.4 Access Decisions

2.5 Transition Decisions

2.6 SELinux Architecture

Chapter 3. Installing and Initially Configuring SELinux

3.1 SELinux Versions

3.2 Installing SELinux

3.3 Linux Distributions Supporting SELinux

3.4 Installation Overview

3.5 Installing SELinux from Binary or Source Packages

3.6 Installing from Source

Chapter 4. Using and Administering SELinux

4.1 System Modes and SELinux Tuning

4.2 Controlling SELinux

4.3 Routine SELinux System Use and Administration

4.4 Monitoring SELinux

4.5 Troubleshooting SELinux

Chapter 5. SELinux Policy and Policy Language Overview

5.1 The SELinux Policy

5.2 Two Forms of an SELinux Policy

5.3 Anatomy of a Simple SELinux Policy Domain

5.4 SELinux Policy Structure

Chapter 6. Role-Based Access Control

6.1 The SELinux Role-Based Access Control Model

6.2 Railroad Diagrams

6.3 SELinux Policy Syntax

6.4 User Declarations

6.5 Role-Based Access Control Declarations

Chapter 7. Type Enforcement

7.1 The SELinux Type-Enforcement Model

7.2 Review of SELinux Policy Syntax

7.3 Type-Enforcement Declarations

7.4 Examining a Sample Policy

Chapter 8. Ancillary Policy Statements

8.1 Constraint Declarations

8.2 Other Context-Related Declarations

8.3 Flask-Related Declarations

Chapter 9. Customizing SELinux Policies

9.1 The SELinux Policy Source Tree

9.2 On the Topics of Difficulty and Discretion

9.3 Using the SELinux Makefile

9.4 Creating an SELinux User

9.5 Customizing Roles

9.6 Adding Permissions

9.7 Allowing a User Access to an Existing Domain

9.8 Creating a New Domain

9.9 Using Audit2allow

9.10 Policy Management Tools

9.11 The Road Ahead

Appendix A. Security Object Classes

Appendix B. SELinux Operations

Appendix C. SELinux Macros Defined in src/policy/macros

Appendix D. SELinux General Types

Appendix E. SELinux Type Attributes

Colophon

Index

index_SYMBOL

index_A

index_B

index_C

index_D

index_E

index_F

index_G

index_H

index_I

index_K

index_L

index_M

index_N

index_O

index_P

index_Q

index_R

index_S

index_T

index_U

index_V

index_W

index_X

index_Z
توضیحات
افزودن یادداشت جدید








5.2 Two Forms of an SELinux Policy


If you're familiar with a
programming language, such as C, you'll find that
working with an SELinux policy resembles working with a program.
Programs generally have two forms: a source form and an object form.
Programmers work with the source form of a program, which resides in
one or more ordinary text files. These files can be created and
changed using a text editor or interactive development environment
(IDE). However, you can't load and run the source
form of a program. Instead, you must use a compiler to translate the
source form into object form. The file that contains the object form
of a program is a binary file that cannot
be viewed or changed using a text editor. Figure 5-1 shows the process that transforms a program
from source to object form.


Figure 5-1. Transforming a program from source to object form

Figure 5-2 shows the process that transforms an
SELinux policy from source to binary (object) form. The


checkpolicy
command is analogous to the compiler that converts a program from
source to object form. Sometimes, therefore, the
checkpolicy command is referred to as the
SELinux policy compiler.

Unlike a typical compiler used to translate computer programs, the
checkpolicy command can take input from only one
source file. So, all SELinux policy source files are concatenated and
written to the policy.conf file. The
checkpolicy command reads the
policy.conf file and writes a
policy.??
file
containing a binary policy. The replaceable part of the binary policy
filename indicates the version number of the SELinux policy language
that was used to create the binary policy. For instance, a binary
policy having filename policy.17 would relate to
Version 17 of the SELinux policy language.

The binary form of an SELinux policy can be loaded into a running
Linux kernel by issuing a load_policy command
specifying the binary policy filename as an argument. However, as
explained in Chapter 4, the system
administrator generally uses the SELinux
Makefile to load a policy. The


make install,
make load, and make reload
commands cause the SELinux Makefile
to issue the load_policy command.


Figure 5-2. Transforming an SELinux policy from source to binary form

Because the SELinux policy compiler can read only one file, it may
seem odd that an SELinux policy is organized as a set of files.
Indeed, it would be possible for the policy to reside only in
policy.conf. However, a typical SELinux policy
contains almost 250,000 lines of code. Editing such a large file
would be quite cumbersome. So the SELinux policy is distributed
throughout a directory tree, typically rooted at
/etc/security/selinux/src/policy. The principal
subdirectories of this directory tree include:

appconfig


Defines default types and security
contexts for several special circumstances.


domains


Defines
the type-enforcement domains.


file_contexts


Defines the security contexts of
persistent files.


flask


Defines
symbols used by the SELinux-capable kernel.


macros



Defines M4 macros used in policy
source files.


tmp


Concatenates policy source files
during policy compilation.




The tmp directory is merely a working directory
used during SELinux Makefile operations and
therefore has no permanent contents. It is not further explained in
this chapter.

types


Defines
several general typesthat is, types not
associated with particular domains.



Because the contents of the SELinux policy files are concatenated and
written to policy.conf before being compiled,
the SELinux policy compiler isn't aware which
SELinux policy file contains the policy statements it compiles. But
humans find it convenient to place related policy statements in a
single file. Doing so makes it easier to understand the policy, which
can be studied a file or two at a time, rather than all at once. And
distributing statements among a set of files makes it easier to
locate a statement of interest, because you can often deduce which
files are most likely to contain it. So when creating or revising an
SELinux policy, it's important to observe the
conventions used by the original developers of the policy. These
conventions are described more fully in the section of this chapter

titled
"SELinux Policy Structure."


/ 100