Gentoo SELinux installation (x86)
SELinux reference links: NSA SELinux main website - [url]http://www.nsa.gov/selinux/[/url]
NSA SELinux FAQ - [url]http://www.nsa.gov/selinux/info/faq.cfm[/url]
[url]http://fedora.redhat.com/docs/selinux-faq-fc2/[/url]
[url]http://fedora.redhat.com/docs/selinux-faq-fc3/[/url]
SELinux community page - [url]http://selinux.sourceforge.net[/url]
Unofficial FAQ - [url]http://www.crypt.gen.nz/selinux/faq.html[/url]
Writing SE Linux policy HOWTO - [url]https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266[/url]
Getting Started with SE Linux HOWTO: the new SE Linux (Debian) - [url]https://sourceforge.net/docman/display_doc.php?docid=20372&group_id=21266[/url]
Discussion:
On IRC - irc.freenode.net, #fedora-selinux
Fedora mailing list - mailto:fedora-selinux-list@redhat.com; read the archives or subscribe at [url]http://www.redhat.com/mailman/listinfo/fedora-selinux-list[/url]
The basic procedure is the same as a normal Gentoo installation; the points to watch are:
1. Download a SELinux stage
For example, install the base system from stage1-x86-selinux-2004.2.tar.bz2.
When chrooting you need:
# mount -t proc none /mnt/gentoo/proc
# mount -t selinuxfs none /mnt/gentoo/selinux
# chroot /mnt/gentoo /bin/bash
# env-update
# source /etc/profile
# emerge sync ...
2. When installing and configuring the kernel (note: SELinux only supports ext2/3 and xfs)
selinux-sources (the base 2.4 kernel source with SELinux patch),
hardened-sources (kernel source patched with SELinux and other security features),
hardened-dev-sources (kernel v2.6 source patched with other security features)
hardened-dev-sources is recommended:
# emerge hardened-dev-sources
In make menuconfig, note the following:
[code]Under "Code maturity level options"
[*] Prompt for development and/or incomplete code/drivers
Under "General setup"
[*] Auditing support
Under "File systems"
<*> Second extended fs support (If using ext2)
[*] Ext2 extended attributes
[ ] Ext2 POSIX Access Control Lists
[*] Ext2 Security Labels
<*> Ext3 journalling file system support (If using ext3)
[*] Ext3 extended attributes
[ ] Ext3 POSIX Access Control Lists
[*] Ext3 security labels
<*> XFS filesystem support (If using XFS)
[ ] Realtime support (EXPERIMENTAL)
[ ] Quota support
[ ] ACL support
[*] Security Labels
[*] /proc file system support
[ ] /dev file system support (EXPERIMENTAL)
[*] /dev/pts file system for Unix98 PTYs (This option does not appear in 2.6, it is always on)
[*] /dev/pts Extended Attributes
[*] /dev/pts Security Labels
[*] Virtual memory file system support (former shm fs)
Under "Security options"
[*] Enable different security models
[*] Socket and Networking Security Hooks
<*> Capabilities Support
[*] NSA SELinux Support
[ ] NSA SELinux boot parameter
[ ] NSA SELinux runtime disable
[*] NSA SELinux Development Support
[ ] NSA SELinux MLS policy (EXPERIMENTAL)
[/code]
3. Writing /etc/fstab
The default entries
none /proc proc defaults 0 0
none /dev/shm tmpfs defaults 0 0
none /dev/pts devpts gid=5,mode=620 0 0
none /selinux selinuxfs defaults 0 0
must not be removed.
4. When writing the bootloader configuration, add gentoo=nodevfs.
5. After the installation is complete, relabel the filesystems before rebooting:
# cd /etc/security/selinux/src/policy/
Adjust policy version if needed.
# make load
# make chroot_relabel
Reboot:
# exit
# umount /mnt/gentoo/proc /mnt/gentoo/selinux /mnt/gentoo
# reboot
Relabel again:
# cd /etc/security/selinux/src/policy
# make relabel
6. Add a normal user
# useradd john -m -G users,wheel,audio,tty -s /bin/bash
# passwd john
Add a line to /etc/security/selinux/src/policy/users:
user john roles { staff_r sysadm_r };
Next, emerge xorg, gnome and so on ... Is there anything different from a regular Gentoo install?
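Before the reboot in step 5 it is worth checking that steps 2 and 3 were actually done right, since a kernel without security labels or an fstab without /selinux leaves the box booting without a policy. This is an added example, not part of the original post; the Kconfig symbol names behind the menuconfig labels and the sample .config and fstab contents are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: checks the kernel .config symbols
# behind the menuconfig entries of step 2 and the fstab lines of step 3 before
# the first SELinux reboot. Symbol names are the standard 2.6 Kconfig names
# (an assumption; the post only shows the menu labels).

# Options the post marks [*]/<*> under "Security options" and "General setup".
REQUIRED_SYMS="CONFIG_AUDIT CONFIG_SECURITY CONFIG_SECURITY_NETWORK \
CONFIG_SECURITY_SELINUX CONFIG_SECURITY_SELINUX_DEVELOP"
# Options the post leaves [ ]: both would allow SELinux to be switched off at boot.
FORBIDDEN_SYMS="CONFIG_SECURITY_SELINUX_BOOTPARAM CONFIG_SECURITY_SELINUX_DISABLE"

# check_kernel_config <.config>: print each problem, return 1 if any was found.
check_kernel_config() {
    cfg=$1; rc=0
    for s in $REQUIRED_SYMS; do
        grep -qx "$s=y" "$cfg" || { echo "missing: $s=y"; rc=1; }
    done
    for s in $FORBIDDEN_SYMS; do
        if grep -qx "$s=y" "$cfg"; then echo "unwanted: $s=y"; rc=1; fi
    done
    # Labels are stored in xattrs: ext2, ext3 or xfs needs "Security Labels" on.
    grep -qxE 'CONFIG_(EXT2_FS|EXT3_FS|XFS)_SECURITY=y' "$cfg" ||
        { echo "no filesystem with security labels enabled"; rc=1; }
    return $rc
}

# check_fstab <fstab>: the four pseudo-filesystem entries from step 3 must stay.
check_fstab() {
    fstab=$1; rc=0
    for mp in /proc /dev/shm /dev/pts /selinux; do
        awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { hit = 1 } END { exit !hit }' "$fstab" ||
            { echo "fstab has no entry for $mp"; rc=1; }
    done
    return $rc
}

# Constructed sample inputs so the check runs offline.
SAMPLE_DIR=$(mktemp -d)
GOOD_CFG=$SAMPLE_DIR/good.config; BAD_CFG=$SAMPLE_DIR/bad.config; FSTAB=$SAMPLE_DIR/fstab
printf '%s\n' CONFIG_AUDIT=y CONFIG_SECURITY=y CONFIG_SECURITY_NETWORK=y \
    CONFIG_SECURITY_SELINUX=y CONFIG_SECURITY_SELINUX_DEVELOP=y \
    CONFIG_EXT3_FS_XATTR=y CONFIG_EXT3_FS_SECURITY=y > "$GOOD_CFG"
# Same config with ext3 security labels dropped and runtime disable turned on.
grep -v EXT3_FS_SECURITY "$GOOD_CFG" > "$BAD_CFG"
echo CONFIG_SECURITY_SELINUX_DISABLE=y >> "$BAD_CFG"
printf '%s\n' '/dev/hda3 / ext3 noatime 0 1' 'none /proc proc defaults 0 0' \
    'none /dev/shm tmpfs defaults 0 0' 'none /dev/pts devpts gid=5,mode=620 0 0' \
    'none /selinux selinuxfs defaults 0 0' > "$FSTAB"
```

On a real box point check_kernel_config at /usr/src/linux/.config and check_fstab at /mnt/gentoo/etc/fstab while still in the chroot.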