
UbuntuHelp:SELinux

From the Ubuntu Chinese wiki

Revision as of 00:33, 20 October 2008 (Monday) by Wikibot (talk | contribs)


NOTE: Page not updated for Hardy. Upstart should work with selinux in Hardy and later.

Introduction

Security-enhanced Linux (SELinux) was originally developed as a research prototype of the Linux® kernel and a number of utilities with enhanced security functionality designed to demonstrate the value of mandatory access controls to the Linux community and how such controls could be added to Linux. Today SELinux is integrated into the mainline Linux 2.6 kernel series and several Linux distributions. The Security-enhanced Linux kernel contains new architectural components originally developed to improve the security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement®, Role-based Access Control, and Multi-level Security.

Target Audience

This guide is designed for intermediate to advanced users of Ubuntu, and is not recommended for beginners. The changes SELinux can make to your Ubuntu system can potentially render parts of your system inoperative, or have other adverse effects. You should have a very good understanding of what will occur for every change you allow SELinux to make, and understand any potential ramifications which may arise later from those changes. The author of this guide, the creators of SELinux, and Ubuntu cannot be responsible for any adverse conditions with your Ubuntu system which may be caused by failure to understand what you are doing with SELinux. You have been warned.

Installation

Installing SELinux is straightforward.

1. Check that your kernel supports SELinux: look in /boot/config-`uname -r` for SELinux. If you are using the Ubuntu-supplied server or desktop kernels, it is already in there.
2. Enable the Ubuntu universe repository. To do this, see here. Note, however, that you only need universe, not multiverse. Because of the nature of multiverse, the common suggestion is to leave it disabled unless you know you need it.
3. Next, you have to boot into an SELinux-enabled kernel. Using your favourite text editor, open /boot/grub/menu.lst. Then add "selinux=1 enforcing=0" to the end of the kernel line of the first kernel. Or, optionally, copy the first entry, paste the copy in the appropriate place above (being careful about where Ubuntu does and does not want you to put custom boot stanzas), and add selinux=1 enforcing=0 to the copy instead.
4. Now reboot so that you are running an SELinux-enabled kernel. Until now you have only been in a kernel with support compiled in, not turned on.
5. Next, install selinux-default-policy (selinux-basics on Gutsy), either with aptitude or Synaptic. (A simple search with the keyword SELinux will return a variety of SELinux packages.)
6. Finally, upstart's /bin/init isn't SELinux-enabled, so you want to aptitude install sysvinit. At this point, reboot. Hopefully the sysvinit scripts will work for you.
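The checks behind steps 1, 3 and 4, as an added shell example that is not part of the original page: it tests a kernel config file for SELinux support, appends the selinux=1 enforcing=0 parameters to the first kernel line of a GRUB legacy menu.lst (without duplicating them on a second run), and classifies a /proc/cmdline string. The file paths are passed in as arguments (an assumption), and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not code from the Ubuntu wiki page. Paths are arguments
# so the functions can be exercised on constructed sample files.

# Step 1: does the kernel config file (e.g. /boot/config-$(uname -r))
# enable SELinux? Returns 0 (true) if CONFIG_SECURITY_SELINUX=y is set.
selinux_kernel_support() {
    grep -q '^CONFIG_SECURITY_SELINUX=y' "$1"
}

# Step 3: print the given menu.lst with "selinux=1 enforcing=0" appended
# to the first non-comment kernel line. A line that already carries a
# selinux= parameter is left alone, so running this twice is harmless.
add_selinux_boot_params() {
    awk '
        /^[ \t]*kernel[ \t]/ && !done {
            if ($0 !~ /selinux=/) $0 = $0 " selinux=1 enforcing=0"
            done = 1
        }
        { print }
    ' "$1"
}

# Step 4: classify a kernel command line (the contents of /proc/cmdline)
# as disabled, permissive (selinux=1 enforcing=0) or enforcing (selinux=1).
selinux_boot_mode() {
    case " $1 " in
        *" selinux=1 "*)
            case " $1 " in
                *" enforcing=0 "*) echo permissive ;;
                *) echo enforcing ;;
            esac ;;
        *) echo disabled ;;
    esac
}
```

On a live system you would call, for instance, `selinux_kernel_support /boot/config-$(uname -r) && echo supported` and `selinux_boot_mode "$(cat /proc/cmdline)"` after the reboot in step 4.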

Usage