1. Background
SELinux is short for "Security-Enhanced Linux". It is a mandatory access control security module for Linux, developed by the U.S. National Security Agency (NSA) together with SCC (Secure Computing Corporation). It was originally developed on Fluke and was released under the GNU GPL in 2000.
Using Linux as an Internet server is now more and more common. In the projects I have done over the past few years, web development has basically been based on Linux, for large companies, for government departments and, most of all, for small and medium-sized businesses. For the government projects among them, we used SELinux as a selling point and won many contracts.
2. Why we need a secure operating system
Whether in government or in private enterprise, everyone now cares more and more about information security, because the servers behind an enterprise's business platform store a great deal of confidential business data and personal data, and personal data bears directly on individual privacy. For government websites in particular, which are platforms for publishing information, security is even more important. Servers connected to the Internet inevitably face all kinds of threats from every part of the world. In the worst case the server is broken into, the home page is replaced and confidential documents are stolen. Besides threats from outside, unauthorized access and attacks by insiders cannot be ignored either. There are of course many ways to deal with these attacks or threats: firewalls, intrusion detection systems, patching and so on. Like the UNIX systems of other vendors, Linux has a steady stream of security vulnerabilities discovered in it, and dealing with them takes a lot of manpower. Among these approaches, hardening the operating system itself is extremely important.
2.1 Shortcomings of traditional Linux
Although Linux is certainly more reliable and stable than Windows, it shares the following shortcomings with other UNIX systems.
1) The privileged user root exists
Anyone who obtains root privileges can do whatever they want to the whole system. The same is true of Windows.
2) File access permissions are not fine-grained enough
In Linux, file operations distinguish only three classes: "owner", "group" and "other".
There is no way to make finer distinctions among the users in "other".
3) Privilege escalation through SUID programs
If a program with the SUID bit set has a vulnerability, it is easily exploited by an attacker.
4) The problem with DAC (Discretionary Access Control)
The owner of a file or directory can perform any operation on it, which makes the system as a whole inconvenient to manage.
Firewalls and intrusion detection systems can do nothing about these shortcomings.
Against this background, SELinux, an OS with greatly strengthened access control, is enormously attractive.
2.2 Advantages of SELinux
Compared with an ordinary Linux system, SELinux is much more secure. It reduces the privileges of users and processes to the minimum, so that even if a process or user is attacked and its privileges are taken over, the whole system is not seriously affected.
Next I introduce some characteristics of SELinux.
Characteristic 1: MAC (Mandatory Access Control) -- thorough control over access
Access to all resources such as files, directories and ports can be governed by policy. The policy is customized by the administrator, and ordinary users have no authority to change it.
Characteristic 2: TE (Type Enforcement) -- gives each process only the least privilege
The TE concept is extremely important in SELinux. Every file is given a label called a Type, and every process is given a corresponding label called a Domain. The operations a Domain may perform are defined in the policy by an Access Vector.
Take the familiar Apache server. The httpd process can run only in httpd_t, and what the httpd_t Domain may do is set in policy: for example, web content files are given the type httpd_sys_content_t, the password file is given shadow_t, TCP port 80 is given http_port_t, and so on. If the Access Vector does not allow httpd_t to operate on http_port_t, Apache cannot even start. Conversely, if we allow only port 80 and allow only reading of files labeled httpd_sys_content_t, then httpd_t cannot use any other port and cannot modify the files labeled httpd_sys_content_t (read only).
Characteristic 3: Domain transition -- prevents privilege escalation
Suppose you run the peer-to-peer download software Azureus in your user environment and your current Domain is fu_t. For security reasons you want it to run in azureus_t. If you start Azureus with a command in a terminal, its process by default inherits the Domain fu_t of the shell you run it from.
With Domain transition, we can make Azureus run in the azureus_t Domain that we specify. This is better for security, and it does not affect your fu_t.
Below is an example of a Domain transition directive:
domain_auto_trans(fu_t, azureus_exec_t, azureus_t)
This means: when a process in the fu_t Domain executes a file labeled azureus_exec_t, the Domain transitions from fu_t to azureus_t. The figure below shows the transition when Apache starts. Note that which Domains may transition to httpd_t is decided in policy, so if we start Apache manually (/etc/init.d/httpd start), it may stay in sysadm_t and the correct transition does not happen. To start it manually, use the run_init command.
Characteristic 4: RBAC (Role Based Access Control) -- gives each user only the least privilege
Users are divided into ROLEs. Even the root user cannot perform sysadm_t management operations unless in sysadm_r, because which ROLEs may run which Domains is also set in policy. A ROLE can also transition, but only in the ways the policy allows.
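The three mechanisms above (TE, Domain transition and RBAC) can be read as one decision procedure. The following Python model is an added example, not code from this article or from SELinux; the rule tables are constructed and simplified, and only the names already used in the text (httpd_t, user_t, azureus_exec_t and so on) are taken from it.

```python
from typing import NamedTuple


class Context(NamedTuple):
    user: str
    role: str
    type: str


# Constructed access vector rules: (source domain, target type, class) -> permissions.
ALLOW = {
    ("httpd_t", "httpd_sys_content_t", "file"): {"read", "getattr"},
    ("httpd_t", "http_port_t", "tcp_socket"): {"name_bind"},
    ("user_t", "user_home_t", "file"): {"read", "execute", "execute_no_trans"},
    # Simplified effect of domain_auto_trans(user_t, azureus_exec_t, azureus_t):
    ("user_t", "azureus_exec_t", "file"): {"read", "execute"},
    ("user_t", "azureus_t", "process"): {"transition"},
    ("azureus_t", "azureus_exec_t", "file"): {"entrypoint"},
}
# type_transition: (current domain, type of the executed file) -> new domain.
TYPE_TRANSITION = {("user_t", "azureus_exec_t"): "azureus_t"}
# "role R types T" statements: the domains each role may enter.
ROLE_TYPES = {
    "user_r": {"user_t", "azureus_t"},
    "staff_r": {"staff_t"},
    "sysadm_r": {"sysadm_t"},
}


def allowed(source: str, target: str, tclass: str, perm: str) -> bool:
    """Default deny: anything not listed in ALLOW is refused."""
    return perm in ALLOW.get((source, target, tclass), set())


def role_may_enter(role: str, domain: str) -> bool:
    """RBAC check: is this domain authorised for the role?"""
    return domain in ROLE_TYPES.get(role, set())


def domain_after_exec(ctx: Context, file_type: str) -> Context:
    """Context of the process after ctx executes a file labeled file_type."""
    if not allowed(ctx.type, file_type, "file", "execute"):
        raise PermissionError(f"{ctx.type} may not execute {file_type}")
    new_type = TYPE_TRANSITION.get((ctx.type, file_type))
    if new_type is None:
        # No transition rule: the program inherits the caller's domain.
        if not allowed(ctx.type, file_type, "file", "execute_no_trans"):
            raise PermissionError(f"{ctx.type} may not run {file_type} in place")
        return ctx
    checks = (
        allowed(ctx.type, new_type, "process", "transition"),
        allowed(new_type, file_type, "file", "entrypoint"),
        role_may_enter(ctx.role, new_type),
    )
    if not all(checks):
        raise PermissionError(f"transition {ctx.type} -> {new_type} denied")
    return ctx._replace(type=new_type)
```

A file left with the label user_home_t keeps the process in user_t, which is why a wrong file label silently defeats the intended confinement.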
3. Control switches
Starting with Fedora Core 2, the 2.6 kernel versions support SELinux. Let's look at the settings in /etc/sysconfig/selinux on Fedora Core 5.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=enforcing
#SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
SELINUX has three choices: "disabled", "permissive" and "enforcing".
disabled needs no explanation. permissive means SELinux is active, but if you violate the policy it lets you continue and records the violation in the log. This is extremely useful when developing policy.
It is the equivalent of a debug mode.
enforcing means that if you violate the policy, the operation is not allowed to continue.
SELINUXTYPE: there are currently two main kinds. One is targeted, developed by Red Hat, which protects only the main network services, for example apache, sendmail, bind and postgresql. Anything that does not belong to those Domains runs in unconfined_t. It is easy to introduce and has good usability, but it cannot protect the whole system.
The other is strict, developed by the NSA, which can protect the whole system but is complex to configure. Complex as it is, I think that with some basic knowledge you can still get it working.
Besides disabling it in /etc/sysconfig/selinux, we can also control it at boot time by passing the selinux parameter to the kernel. (It is enabled by default in Fedora 5.)
kernel /boot/vmlinuz-2.6.15-1.2054_FC5 ro root=LABEL=/ rhgb quiet selinux=0
The change above disables it.
[root@python sysconfig]# /usr/sbin/getenforce
Enforcing
After confirming that it is enabled, relabel the file system:
[root@python sysconfig]# /sbin/fixfiles relabel
or
[root@python /]# touch /.autorelabel
Then reboot, and you are working in a secure Linux environment.
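Because the mode can be set in three places (the config file, the kernel command line and, at run time, setenforce), it is worth checking that they agree. The following Python check is an added example, not part of the original article; the sample config and kernel command line are constructed from the ones shown above, and the function names are hypothetical.

```python
VALID_MODES = {"enforcing", "permissive", "disabled"}

# Constructed inputs modelled on the files shown above.
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=enforcing
#SELINUX=disabled
SELINUXTYPE=targeted
"""
SAMPLE_CMDLINE = "ro root=LABEL=/ rhgb quiet selinux=0"


def parse_config(text):
    """Return the KEY=value settings, ignoring comments and blank lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def boot_mode(config_text, cmdline):
    """Mode the system boots into: selinux=0 on the kernel line wins over the file."""
    if "selinux=0" in cmdline.split():
        return "disabled"
    return parse_config(config_text).get("SELINUX", "").lower()


def audit_modes(config_text, cmdline, runtime_mode):
    """Compare the configured, boot-time and runtime (getenforce) modes."""
    findings = []
    configured = parse_config(config_text).get("SELINUX", "").lower()
    if configured not in VALID_MODES:
        findings.append(f"SELINUX={configured!r} is not one of {sorted(VALID_MODES)}")
    if boot_mode(config_text, cmdline) == "disabled" and configured != "disabled":
        findings.append("kernel parameter selinux=0 overrides SELINUX=" + configured)
    runtime = runtime_mode.strip().lower()
    if runtime != configured:
        findings.append(f"runtime mode {runtime} differs from configured {configured}")
    if runtime != "enforcing":
        findings.append("policy violations are not being blocked")
    return findings
```

On a live system the third argument would be the output of getenforce and the second the contents of /proc/cmdline.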
4. Basic SELinux operations
SELinux is a security-hardened Linux operating system. In practice, most existing application software runs on it without modification; only a little over 50 RPM packages needed real special modification. File systems such as EXT3 have been extended. Some existing commands have also been extended, and some new commands have been added. Let's look at these commands.
4.1 File operations
1) ls command
Add -Z or --context after the command
[root@python azureus]# ls -Z
-rwxr-xr-x fu fu user_u:object_r:user_home_t azureus
-rw-r--r-- fu fu user_u:object_r:user_home_t Azureus2.jar
-rw-r--r-- fu fu user_u:object_r:user_home_t Azureus.png
2) chcon
Changes the label of a file
[root@python tmp]# ls --context test.txt
-rw-r--r-- root root root:object_r:staff_tmp_t test.txt
[root@python tmp]# chcon -t etc_t test.txt
[root@python tmp]# ls -lZ test.txt
-rw-r--r-- root root root:object_r:etc_t test.txt
3) restorecon
When the file has a definition in the policy, this restores its original label.
4) setfiles
Like chcon, it can change the labels of some files without relabeling the whole file system.
5) fixfiles
It generally applies to the whole file system and is usually followed by relabel. After relabeling the whole system we generally reboot. If there is an empty file .autorelabel in the root directory, fixfiles relabel is called each time the system restarts.
6) star
The replacement for tar under SELinux; it can back up file labels together with the files.
7) cp
Can be followed by -Z, --context=CONTEXT to specify the Security Context of the destination file when copying.
8) find
Can be followed by --context to find files of a specific Type.
Example: find /home/fu/ --context fu:fu_r:amule_t -exec ls -Z {} \;
9) run_init
Used to start programs such as Apache manually from sysadm_t so that the Domain transition still happens correctly.
4.2 Checking the Domain of a process
To see which Domain a program is running in, add -Z to the ps command.
[root@python /]# ps -eZ
LABEL PID TTY TIME CMD
system_u:system_r:init_t 1 ? 00:00:00 init
system_u:system_r:kernel_t 2 ? 00:00:00 ksoftirqd/0
system_u:system_r:kernel_t 3 ? 00:00:00 watchdog/0
4.3 Checking and changing the ROLE
The id command can be used to check your own Security Context.
[root@python ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:staff_r:staff_t
Here, although the user is root, it is only running in the ordinary ROLE and in staff_t. In enforcing mode, root cannot do any system administration work at this point.
[root@python ~]# newrole -r sysadm_r
Authenticating root.
Password:
[root@python ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t
4.4 Switching modes
1) getenforce
Gets the current SELINUX value
[root@python bin]# getenforce
Permissive
2) setenforce
Changes the current SELINUX value. It can be followed by enforcing, permissive or 1, 0.
[root@python bin]# setenforce permissive
3) sestatus
Shows information about the current state of SELinux
[root@python bin]# sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 20
Policy from config file: refpolicy
Process contexts:
Current context: user_u:user_r:user_t
Init context: system_u:system_r:init_t
/sbin/mingetty system_u:system_r:getty_t
/usr/sbin/sshd system_u:system_r:sshd_t
File contexts:
Controlling term: user_u:object_r:user_devpts_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/bash system_u:object_r:shell_exec_t
/bin/login system_u:object_r:login_exec_t
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/sbin/init system_u:object_r:init_exec_t
/sbin/mingetty system_u:object_r:getty_exec_t
4.5 Other important commands
1) audit2allow
A very important command, written in Python. It is mainly used to process logs: it converts the policy violations recorded in the log into Access Vectors, which is very useful when developing security policy. In refpolicy its functionality has been greatly extended compared with before.
[root@python log]# cat dmesg | audit2allow -m local > local.te
2) checkmodule -m -o local.mod local.te
Compiles the module
[root@python log]# checkmodule -m -o local.mod local.te
checkmodule: loading policy configuration from local.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 5) to local.mod
3) semodule_package
Creates a new module
[root@python log]# semodule_package -o local.pp -m local.mod
4) semodule
Can list, load and delete modules
Example of loading:
[root@python log]# semodule -i local.pp
5) semanage
This is a powerful policy management tool. With it, security policy can be managed even without the policy source code. Because I mainly introduce modifying policy from source code, please consult its man page for detailed usage.
5. Customizing policy
FC4 and RHEL4 use policy version 1.X and provide an RPM package of the policy source code. Starting with FC5, the policy was upgraded from 1.X to 2.X. The biggest change in the 2.X refpolicy (Reference Policy) is the introduction of the module concept; the same policy source code can support both Multi-Level Security (MLS) and non-MLS. http://serefpolicy.sf.net/
Standard FC5 does not provide an RPM package of the source code. The audit2allow, semanage and semodule tools provided with FC5 can also be used to develop some simple policy modules. But for policy module development such as adding a ROLE, it is still best to download the refpolicy source code.
5.1 Installing the policy source files
The source code downloaded from the CVS server is the newest. If you run into errors, it is best to update the SELinux-related packages on your system to the latest versions.
Download the source code from the SourceForge CVS server
[root@python src]# cd /usr/local/src
[root@python src]# cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/serefpolicy login
[root@python src]# cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/serefpolicy co -P refpolicy
[root@python src]# cd refpolicy/
[root@python src]# make install-src
The figure below shows the structure of the source directory after installation:
Each module consists of 3 files. For example, in the figure above, sudo.fc defines the labels (file context labels) of the files related to the sudo command, sudo.te is the Type Enforcement definition, including the TE access rules, and sudo.if defines the interface through which external modules call this module.
[root@python src]# cd /etc/selinux/refpolicy/src/policy
[root@python policy]# cp build.conf build.conf.org
[root@python policy]# vi build.conf
[root@python policy]# diff build.conf build.conf.org
32c32
< DISTRO = redhat
---
> #DISTRO = redhat
43c43
< MONOLITHIC=n
---
> MONOLITHIC=y
[root@python src]# make conf
[root@python src]# make
This generates many files with the .pp suffix under /etc/selinux/refpolicy/src/policy; these are the SELinux modules. Next we edit /etc/sysconfig/selinux, set SELINUXTYPE=refpolicy, and reboot.
After booting, confirm which policy is in use. The current version is 20.
[fu@python ~]$ /usr/sbin/sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 20
Policy from config file: refpolicy
5.2 Customizing a Domain for a program
The usual steps for developing policy for a program:
1. Give objects such as files and ports Type labels
2. Set up Type Enforcement (Domain transition, access permissions)
3. Load the policy
4. Run the program in permissive mode
5. Check the log and create access permissions with audit2allow
6. Repeat steps 1, 2, 3, 4 and 5 until no more violations appear in the log
7. Switch to enforcing mode and put it into formal use
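Step 5 is where the access permissions for the new Domain come from. The following Python sketch is an added example, not the real audit2allow and not code from this article; it shows the core of that conversion on a constructed log excerpt, keeping only the denials of the Domain being developed.

```python
import re
from collections import defaultdict

# Constructed log excerpt in the kernel AVC message format (not from the article).
SAMPLE_LOG = '''\
audit(1146410642.101:41): avc:  denied  { read } for  pid=8717 comm="java" name="Azureus2.jar" dev=hda2 ino=98311 scontext=user_u:user_r:azureus_t tcontext=user_u:object_r:user_home_t tclass=file
audit(1146410642.105:42): avc:  denied  { getattr } for  pid=8717 comm="java" name="Azureus2.jar" dev=hda2 ino=98311 scontext=user_u:user_r:azureus_t tcontext=user_u:object_r:user_home_t tclass=file
audit(1146410643.220:43): avc:  denied  { name_connect } for  pid=8717 comm="java" dest=6881 scontext=user_u:user_r:azureus_t tcontext=system_u:object_r:port_t tclass=tcp_socket
audit(1146410644.007:44): avc:  denied  { read write } for  pid=8703 comm="azureus" name="1" dev=devpts ino=3 scontext=user_u:user_r:azureus_t:s0 tcontext=user_u:object_r:user_devpts_t:s0 tclass=chr_file
audit(1146410650.500:45): avc:  denied  { read } for  pid=2210 comm="httpd" name="shadow" dev=hda2 ino=4411 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:shadow_t tclass=file
eth0: link up, 100Mbps, full-duplex
'''

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Third field of user:role:type[:mls-range] is the Type (or Domain)."""
    return context.split(":")[2]


def denials_to_rules(log_text, source_domain=None):
    """Turn AVC denials into allow rules, merged per (source, target, class)."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue  # not an AVC denial
        source = type_of(match["scon"])
        if source_domain and source != source_domain:
            continue  # denial belongs to some other Domain
        key = (source, type_of(match["tcon"]), match["tclass"])
        merged[key].update(match["perms"].split())
    rules = []
    for (source, target, tclass), perms in sorted(merged.items()):
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {source} {target}:{tclass} {perm_text};")
    return rules
```

The generated rules are candidates to review, not to load blindly: the httpd_t denial on shadow_t in the sample is one that should stay denied.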
Because the policy modules for the commonly used services already exist, modifying them is fairly simple. Here I give a general example. I expect that friends who do peer-to-peer downloading, like me, use Azureus and aMule on Linux to download things.
Taking Azureus as the example, here is how to add an azureus.pp module in FC5. Before we add the azureus.pp module, Azureus runs in the user_t Domain that the system has set for the user.
[fu@python azureus]$ ps -efZ | grep azureus
user_u:user_r:user_t fu 1751 1732 0 22:28 pts/3 00:00:00 /bin/bash ./azureus
Next we add 3 files.
1) azureus.fc
Here I define only one file. In real use, the directories that azureus_t may write to could be defined as well.
[root@python apps]# more azureus.fc
/home/fu/azureus -- gen_context(user_u:object_r:azureus_exec_t,s0)
2) azureus.te
[root@python apps]# more azureus.te
policy_module(azureus,1.0.0)
type azureus_t;
type azureus_exec_t;
role user_r types azureus_t;
require {
type user_t;
};
domain_type(azureus_t)
domain_entry_file(azureus_t, azureus_exec_t)
domain_auto_trans(user_t, azureus_exec_t, azureus_t)
3) azureus.if
In fact no other module needs to call azureus, so it does not matter if this file is empty.
[root@python apps]# more azureus.if
# policy/modules/apps/azureus.if
## <summary>Myapp example policy</summary>
## <summary>
## Execute a domain transition to run azureus.
## </summary>
## <param name="domain">
## Domain allowed to transition.
## </param>
interface(`azureus_domtrans',`
gen_require(`
type azureus_t, azureus_exec_t;
')
domain_auto_trans($1, azureus_exec_t, azureus_t)
allow $1 azureus_t:fd use;
allow azureus_t $1:fd use;
allow $1 azureus_t:fifo_file rw_file_perms;
allow $1 azureus_t:process sigchld;
')
Add the following line to /etc/selinux/refpolicy/src/policy/policy/modules.conf
[root@python policy]# tail -1 modules.conf
azureus = module
Confirm that MONOLITHIC=n is set in /etc/selinux/refpolicy/src/policy
Finally, run make and make load
[root@python policy]# pwd
/etc/selinux/refpolicy/src/policy
[root@python policy]# make;make load
After it finishes normally, we can use the semodule command to confirm whether azureus.pp has been loaded.
[root@python policy]# semodule -l | grep azureus
azureus 1.0.0
It seems there is no problem. Now let's look again at the Security Context of /home/fu/azureus/azureus. In azureus.fc we expected it to be user_u:object_r:azureus_exec_t, but at this moment it is still the default inherited user_u:object_r:user_home_t. If the file does not have the label we expect, the Domain cannot transition from user_t to azureus_t. A relabel would set the labels of the whole file system again, which takes a lot of time, so we use the chcon command introduced above to change the file's label.
[root@python azureus]# chcon -t azureus_exec_t azureus
Reading the label again, it has become azureus_exec_t, as we expected.
[root@python policy]# ls -lZ /home/fu/azureus/
-rwxr-xr-x fu fu user_u:object_r:azureus_exec_t azureus
-rw-r--r-- fu fu user_u:object_r:user_home_t Azureus2.jar
Next exit the root user, log in as user fu and run the azureus command.
[root@python azureus]# ps -efZ | grep azureus
user_u:user_r:azureus_t fu 8703 8647 0 23:23 pts/1 00:00:00 /bin/bash ./azureus
user_u:user_r:azureus_t fu 8717 8703 4 23:24 pts/1 00:01:29 java -Djava.ext.dirs=/usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/jre/lib/ext -Xms16m -Xmx128m -cp /home/fu/azureus/Azureus2.jar:/home/fu/azureus/swt.jar -Djava.library.path=/home/fu/azureus -Dazureus.install.path=/home/fu/azureus org.gudy.azureus2.ui.swt.Main
user_u:user_r:user_t root 9347 1956 0 23:59 pts/2 00:00:00 grep azureus
Great! It worked.
Here I only demonstrate how to do the Domain transition; I have omitted the strict Access Vector settings for Azureus.
5.3 Adding a dedicated ROLE for yourself
Here we want to add a ROLE called madia. Several files must be modified to add it.
5.3.1 Modifying files under /etc/selinux/refpolicy/src/policy/policy/modules/kernel
1) kernel.te
[root@python kernel]# vi kernel.te
Below role user_r add the line:
role madia_r;
2) domain.te
[root@python kernel]# vi domain.te
Below role user_r types domain; add the line:
role madia_r types domain;
5.3.2 Modifying files under /etc/selinux/refpolicy/src/policy/policy/modules/system
[root@python system]# vi userdomain.te
Add madia_r on line 5, as shown below:
role sysadm_r, staff_r, user_r, madia_r;
Below unpriv_user_template(user) add the following line:
unpriv_user_template(madia)
5.3.3 Modifying files under /etc/selinux/refpolicy/src/policy/policy
1) users
users is much the same as users in policy 1.X. It defines the ROLEs a user can use.
[root@python policy]# vi users
gen_user(madia, madia, madia_r, s0, s0)
2) rolemap
[root@python policy]# vi rolemap
Below user_r user user_t add the line:
madia_r madia madia_t
5.3.4 Rebuilding the policy
[root@python policy]# make load
5.3.5 Modifying /etc/selinux/refpolicy/seusers
seusers maps system users to SELinux users.
[root@python refpolicy]# vi seusers
madia:madia
5.3.6 Modifying files under /etc/selinux/refpolicy/contexts
1) default_type
Decides the default ROLE when the user logs in.
[root@python refpolicy]# vi contexts/default_type
madia_r:madia_t
2) default_contexts
Decides the default Security Context when the user logs in.
[root@python refpolicy]# vi contexts/default_contexts
system_r:local_login_t madia_r:madia_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
5.3.7 Logging in again as user madia
Finally, log in as user madia and check that we enter madia_t.
[madia@python ~]$ id
uid=501(madia) gid=501(madia) groups=501(madia) context=madia:madia_r:madia_t
As we can see above, the madia user really is running in madia_t.
In the operations above there is actually still something left unmodified: every time we run make again, seusers returns to its original settings. Interested friends can find out for themselves what still needs to be changed.
6. Conclusion
For now we basically still use the targeted policy, because our servers basically run only a few services such as apache, postgresql, tomcat, bind and postfix, and targeted can protect them. Our goal is to move some servers that have less impact and run fairly simple services to the strict policy. Of course, even though we use SELinux, we must not take system security lightly and think that having SELinux makes us 100% secure.
For example, targeted has unconfined_t, and anything that runs in this Domain is not protected. In addition, mistakes by the system administrator in the TE settings can leave things poorly protected, and SELinux is also powerless against kernel vulnerabilities and DoS attacks.
Besides SELinux there are other secure operating systems such as LIDS, TOMOYO Linux and AppArmor. Everyone is probably fairly familiar with LIDS and AppArmor; TOMOYO is developed by the Japanese company NTT Data. Some friends may not know which one to choose.
Security level high <-----------------------------------> ease of use high
SELinux >> TOMOYO >> LIDS >> AppArmor
Personally I feel that although SELinux is a bit troublesome to configure, it can reach military-grade security, so if you are going to play with one, SELinux is still the most attractive.
Some people are now developing GUI policy editors, such as SEEDIT, which is developed mainly by Yuichi Nakamura of the Japanese company Hitachi Software Engineering. With these GUI tools, customizing policy will become easier and easier.
I have hardly written anything in Chinese for nearly 10 years, so please excuse any mistakes!
<References>
1. http://danwalsh.livejournal.com/
2. http://d.hatena.ne.jp/himainu/
3. http://seedit.sourceforge.net/
4. http://www.linuxtopia.org/online_books/linux_security_index.html
Original link: http://www.linuxforum.net/docnew/showthreaded.php?Cat=&Board=new&Number=1009&page=0&view=collapsed&sb=7&o=all