有没有 SELinux 高手直白地说一下,它究竟能在传统的基于用户权限的安全策略基础上增加多少安全性?为此而维护一套庞大的规则是否值得?

2017-11-12 15:20:30 +08:00
 pq

Fedora 26 原始发行版本,启动后就发现一堆安全策略没有定义,比如:

[    4.795945] SELinux:  Class sctp_socket not defined in policy.
[    4.796810] SELinux:  Class icmp_socket not defined in policy.
[    4.797669] SELinux:  Class ax25_socket not defined in policy.
[    4.798520] SELinux:  Class ipx_socket not defined in policy.
[    4.799365] SELinux:  Class netrom_socket not defined in policy.
[    4.800222] SELinux:  Class atmpvc_socket not defined in policy.
[    4.801076] SELinux:  Class x25_socket not defined in policy.
[    4.801933] SELinux:  Class rose_socket not defined in policy.
[    4.802792] SELinux:  Class decnet_socket not defined in policy.
[    4.803651] SELinux:  Class atmsvc_socket not defined in policy.
[    4.804511] SELinux:  Class rds_socket not defined in policy.
[    4.805382] SELinux:  Class irda_socket not defined in policy.
[    4.806251] SELinux:  Class pppox_socket not defined in policy.
[    4.807121] SELinux:  Class llc_socket not defined in policy.
[    4.807991] SELinux:  Class can_socket not defined in policy.
[    4.808845] SELinux:  Class tipc_socket not defined in policy.
[    4.809692] SELinux:  Class bluetooth_socket not defined in policy.
[    4.810549] SELinux:  Class iucv_socket not defined in policy.
[    4.811411] SELinux:  Class rxrpc_socket not defined in policy.
[    4.812281] SELinux:  Class isdn_socket not defined in policy.
[    4.813149] SELinux:  Class phonet_socket not defined in policy.
[    4.814022] SELinux:  Class ieee802154_socket not defined in policy.
[    4.814899] SELinux:  Class caif_socket not defined in policy.
[    4.815777] SELinux:  Class alg_socket not defined in policy.
[    4.816660] SELinux:  Class nfc_socket not defined in policy.
[    4.817536] SELinux:  Class vsock_socket not defined in policy.
[    4.818402] SELinux:  Class kcm_socket not defined in policy.
[    4.819260] SELinux:  Class qipcrtr_socket not defined in policy.
[    4.820109] SELinux:  Class smc_socket not defined in policy.
[    4.820948] SELinux:  Class infiniband_pkey not defined in policy.
[    4.821789] SELinux:  Class infiniband_endport not defined in policy.
[    4.822630] SELinux: the above unknown classes and permissions will be allowed

更新到最新的 selinux-policy-targeted-3.13.1-260.13.fc26,不仅没有解决,反而未定义的更多了,这个包相当大,安装后有 20 多 MB,我觉得,rh 的开发人员定义这么庞大的规则确实不容易,普通用户根本不想触碰它们,但费这么大力气,究竟能带来多大的安全提升呢?貌似就只有 RH 系的发行版默认启用 SELinux。

2316 次点击
所在节点    问与答
5 条回复
pq
2017-11-12 15:38:53 +08:00
http://www.jianshu.com/p/e3452dec84d7

这篇写得不错。
zlfzy
2017-11-12 15:48:09 +08:00
我司的服务器买回来第一件事就是关 SELINUX
Senorsen
2017-11-12 18:05:03 +08:00
虽说没有绝对的安全,但安全措施是越多越细致就越好的。
swulling
2017-11-12 18:10:39 +08:00
NSA 的成果,反人类的实现方式

开个玩笑,可能是 NSA 故意做的真的反人类,然后引导大家都关掉
cy97cool
2017-11-12 23:31:13 +08:00
话说 linux 上有没有类似主动防御(如被 360 收购的 Malware Defender)的防护软件。。。
使用对人类友好的规则对文件、网络、进程行为进行防护

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/405726

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX