메뉴 건너뛰기

리눅스 관련 모음

본문시작

조회 수 35458 추천 수 0 댓글 0
?

단축키

Prev이전 문서

Next다음 문서

크게 작게 위로 아래로 댓글로 가기 인쇄
?

단축키

Prev이전 문서

Next다음 문서

크게 작게 위로 아래로 댓글로 가기 인쇄

국산 통나무 수공예 남원제기, 남원목기

자료가 도움이 되셨다면
혼수용품제수용품 필요시
남원제기 공식 홈페이지 http://남원제기.kr
남원목기 공식 홈페이지 http://otchil.kr
에서 구매 해 주세요
정성껏 모시겠습니다.
 
In Fedora 11, Linux users by default are mapped to the unconfined_u SELinux user. The unconfined_u SELinux user is mapped to the unconfined_r, system_r roles and to all available Multi Category Security compartments.

Both unconfined_r and system_r are roles that map to SELinux security domains. SELinux security domains are defined security environments for processes on the Linux system.

The unconfined security domain, unconfined_t, is a environment reserved for processes that are to a large extend exempted from SELinux restrictions. The system_r role maps to security domains for system processes.

The unconfined_u SELinux user has access to the system_r role to be able to run system processes in their security domains. SELinux user unconfined_u operates in the unconfined_t security domain via the unconfined_r role that it is mapped to.

The semanage command can be used to add, modify and delete Linux user to SELinux user mappings, as well as other settings related to SELinux management. Alternatively the system-config-selinux graphical user interface to semanage can be used to modify these settings.

To use the semanage command to list to which SELinux user, Linux users get mapped by default type:
sudo semanage login -l | grep default

__default__ unconfined_u SystemLow-SystemHigh

In the example above Linux users are mapped to the unconfined_u SELinux user by default.

To modify this configuration to map Linux users by default to a confined SELinux user called user_u simply type:
sudo semanage login -m -s user_u "__default__"

This will map new Linux users to the restricted user_u SELinux user by default.

You can override this mapping when you run the useradd command to add Linux users with the -Z option. This option specifies to which SELinux user the Linux user should be mapped. For example type:
sudo useradd -Z guest_u joe

The usermod command with -Z option can also be used to modify a Linux user to SELinux user mapping.

This will add a Linux user called joe and will map joe to the guest_u SELinux user instead of mapping joe to the defined default SELinux user.

There are some SELinux user profiles predefined. These profiles can be listed with the semanage command. type:
sudo semanage user -l

Next i will discuss some of the properties of these predefined SELinux users.

The guest_u SELinux user:

This profile is used for users that need to be tightly controlled. The guest_u SELinux user can only log in using OpenSSH. Guest users have no access to network resources, setuid, setgid programs.


The xguest_u SELinux user:

This profile is identical to that of guest_u. The exception is that Xguest users can only log in to Xwindows and cannot log in using OpenSSH. Another exception of Xguest users is that this partical user can access HTTP port using a SELinux restricted instance of Mozilla Firefox.

The user_u SELinux user:

The user_u SELinux user resembles a ordinary unprivileged SELinux confined user. This user can log in using Xwindows and OpenSSH, has access to network resources, but cannot use setuid and setgid programs.


The staff_u SELinux user:

This SELinux user is identical to user_u except that staff_u can access setuid and getgid programs. The staff_u SELinux user can also stat all process on the system amongst other minor extra privileges compared to user_u.

The sysadm_u SELinux user:

This user is designed for SELinux restricted root login, which is not recommended. This SELinux user is used in a Multi Level Security Environment where there is no unconfined_u.

The unconfined_u SELinux user:

The unconfined_u SELinux user is the environment where all Linux users are mapped to be default in Fedora Targeted policy. This user is to a large extend exempted from SELinux confinement. The exception is Memory Execution Protections.

Real Linux users, not root, should not be mapped to the unconfined_u SELinux user group if you want to improve security on your system. In many scenarios having unconfined users on a system creates a gaping hole in security.

Root logins should be prohibited always. Root should only be able to log in using the terminal in case of an emergency. In Fedora, the Linux user root is mapped to unconfined_u. This means that root logins are almost not protected by SELinux.

The improve the security of root logins one could map the root Linux user to the sysadm_u SELinux user. Although this does not provide much security over unconfined_u, and root will be able to bypass SELinux security.

Bottom line is that root logins should not be permitted except on the terminals in case of emergency.


The system_u SELinux user:

This SELinux user profile is reserved for the system. Linux users should not be mapped to the System_u SELinux user.

I explained how one can define a default SELinux user for new Linux users by default, and i explained how one can override this with the useradd command and -Z option.

The available predefined SELinux users were explained. What is left is to show how SELinux user mappings to Linux users can be altered.


To list all Linux user to SELinux user mappings:

sudo semanage login -l

To manually map a Linux user to a SELinux user:

sudo semanage login -a (...)

To modify a Linux user to SELinux user mapping:

sudo semanage -m (...)

To delete a Linux user to SELinux uper mapping:

sudo semanage -d (...)

Conclusion:

Configure SELinux to map Linux users to confined SELinux users by default to improve security.
Disallow root logins using OpenSSH and Xwindows altogether. Allow root to only login using the terminal in case of emergency. Either leave the root Linux user mapping to the unconfined_u SELinux user or map root to sysadm_u. (for example if you decide to de-install the unconfineduser SELinux module)
Map your Linux users to the appropriate confined SELinux user by using the profile that best fits.
Use the useradd command with -Z option to add Linux users, overriding the default Linux user to SELinux user mapping by the SELinux user that you pass as its argument.

Refer: man semanage, man useradd, man usermod


   

List of Articles
번호 분류 제목 글쓴이 날짜 조회 수
150 설치관련 스팸어쎄신(spamassassin)은 설치 후 service등록과 업데이트를 한번 더 해 줘야 한다. 햇빛소년 2012.05.10 30050
149 iptables 삭제명령 햇빛소년 2012.05.15 71798
148 chmod 파일 퍼미션의 다양한 조건들.... 햇빛소년 2012.05.16 28990
147 cdcc 문서 햇빛소년 2012.05.30 33140
146 Red Hat / CentOS IPv6 Network Configuration 햇빛소년 2012.05.30 28484
145 설치관련 DCC+razor2+pyzor how to ---[ spamassassin -D <test 2>debug ] file 햇빛소년 2012.05.31 32129
144 - FQDN - 올바른 Hostname 설정하기. 햇빛소년 2012.06.02 33339
143 DCC관련 명령어 모음 햇빛소년 2012.06.02 44296
142 selinux 관련 명령모음. 햇빛소년 2012.06.07 36673
» SELinux Lockdown Part One: SELinux Users 햇빛소년 2012.06.07 35458
140 audit2allow라는 프로그램 햇빛소년 2012.06.08 30596
139 open(/var/dcc/map): Permission denied --- maillog에러 메세지 드디어 해결!! 햇빛소년 2012.06.09 32273
138 open(/var/dcc/map): Permission denied --- maillog에러 메세지 드디어 해결!! --제2편 햇빛소년 2012.06.09 31420
137 SELinux/audit2allow 햇빛소년 2012.06.11 33689
136 audit.log 관련... 햇빛소년 2012.06.15 29172
135 리눅스의 데몬 설명 햇빛소년 2012.06.15 38411
134 procmail: Lock failure on "spamassassin.lock" 햇빛소년 2012.06.16 27391
133 /etc/security/pam_env.conf: No such file or directory 햇빛소년 2012.06.18 30552
132 procmail: Couldn't create or rename temp file "/var/spool/mail/spam/" 햇빛소년 2012.06.18 31722
131 passwd, groups, gpasswd 알아두면 좋을듯한 생소한 명령사용법. 햇빛소년 2012.06.19 27844
Board Pagination Prev 1 2 3 4 5 6 7 8 9 10 Next
/ 10