SELinux Frequently Asked Questions (FAQ)

Hello everyone! Especially for students of the "Linux Security" course, we have prepared a translation of the official SELinux project FAQ. It seems to us that this translation may be useful not only to students, so we are sharing it with you.

We have tried to answer some of the most frequently asked questions about the SELinux project. Currently, the questions fall into two main categories. All questions and answers are given on the FAQ page.

Overview

  1. What is Security-Enhanced Linux?
    Security-Enhanced Linux (SELinux) is an implementation of the Flask security architecture for flexible mandatory access control. It was created to demonstrate the value of flexible access control mechanisms and how such mechanisms can be added to an operating system. The Flask architecture was subsequently integrated into Linux and ported to several other systems, including the Solaris operating system, the FreeBSD operating system, and the Darwin kernel, spawning a wide range of related work. The Flask architecture provides general support for enforcing many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement, Role-Based Access Control, and Multi-Level Security.
  2. What does Security-Enhanced Linux provide that standard Linux cannot?
    The security-enhanced Linux kernel enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they need to do their jobs. With this confinement, the ability of these user programs and system daemons to cause harm when compromised (for example, through buffer overflows or misconfiguration) is reduced or eliminated. This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a "root" superuser and does not share the well-known shortcomings of the traditional Linux security mechanisms (for example, dependence on setuid/setgid binaries).
    The security of an unmodified Linux system depends on the correctness of the kernel, all privileged applications, and each of their configurations. A problem in any one of these areas can compromise the entire system. In contrast, the security of a modified system based on the security-enhanced Linux kernel depends primarily on the correctness of the kernel and its security policy configuration. Although problems with application correctness or configuration may allow the limited compromise of individual user programs and system daemons, they do not pose a security risk to other user programs and system daemons or to the security of the system as a whole.
  3. What is it good for?
    The new features of Security-Enhanced Linux are designed to enforce the separation of information based on confidentiality and integrity requirements. They are designed to prevent processes from reading data and programs, tampering with data and programs, bypassing application security mechanisms, executing untrustworthy programs, or interfering with other processes in violation of the system security policy. They also help to confine the potential damage that can be caused by malicious or flawed programs. They should also be useful for enabling users with differing security authorizations to use the same system to access different kinds of information with differing security requirements without compromising those requirements.
  4. How can I get a copy?
    Many Linux distributions include support for SELinux, either built in as a default feature or as an optional package. The core SELinux userland code is available on GitHub. End users should use the packages provided by their distribution.
  5. What is included in your release?
    The NSA SELinux release includes the core SELinux userland code. SELinux support is already included in the mainline Linux 2.6 kernel, available from kernel.org. The core SELinux userland code consists of a library for binary policy manipulation (libsepol), a policy compiler (checkpolicy), a library for security-aware applications (libselinux), a library for policy management tools (libsemanage), and several policy-related utilities (policycoreutils).
    In addition to the SELinux-enabled kernel and the core userland code, you need a policy and some SELinux-patched userspace packages to use SELinux. A policy can be obtained from the SELinux Reference Policy project.
  6. Can I install Security-Enhanced Linux on an existing Linux system?
    Yes, you can install only the SELinux modifications on an existing Linux system, or you can install a Linux distribution that already includes SELinux support. SELinux consists of a Linux kernel with SELinux support, a core set of libraries and utilities, some modified user packages, and a policy configuration. To install it on an existing Linux system that lacks SELinux support, you must be able to compile the software and also have the other required system packages. If your Linux distribution already includes SELinux support, you do not need to build or install the NSA release of SELinux.
  7. How compatible is Security-Enhanced Linux with unmodified Linux?
    Security-Enhanced Linux provides binary compatibility with existing Linux applications and with existing Linux kernel modules, but some kernel modules may require modification to interact properly with SELinux. These two categories of compatibility are discussed in detail below:

    • Application compatibility
      SELinux provides binary compatibility with existing applications. We extended the kernel data structures to include new security attributes and added new API calls for security-aware applications. However, we have not changed any application-visible data structures or the interface of any existing system call, so existing applications can run unmodified as long as the security policy allows them to operate.
    • Kernel module compatibility
      Originally, SELinux provided only source compatibility for existing kernel modules; such modules had to be recompiled against the modified kernel headers to pick up the new security fields added to the kernel data structures. Since LSM and SELinux are now integrated into the mainline Linux 2.6 kernel, SELinux now provides binary compatibility with existing kernel modules. However, some kernel modules may not interact well with SELinux without modification. For example, if a kernel module directly allocates and sets up a kernel object without using the normal initialization functions, the kernel object may lack proper security information. Some kernel modules may also lack proper security controls on their operations; any existing calls to kernel functions or permission functions will also trigger SELinux permission checks, but finer-grained or additional controls may be needed to enforce MAC policies.
      Security-Enhanced Linux should not cause interoperability problems with regular Linux systems as long as the security policy configuration permits all necessary operations.
  8. What are the goals of the security policy configuration?
    At a high level, the goal is to demonstrate the flexibility and security of mandatory access controls and to provide a simple working system with minimal changes to applications. At a lower level, the policy has a number of goals that are described in the policy documentation. These goals include controlling raw access to data; protecting the integrity of the kernel, system software, system configuration information, and system logs; confining the potential damage that can be caused by exploiting a vulnerability in a process that requires privileges; protecting privileged processes from executing malicious code; protecting the administrator role and domain from being entered without user authentication; preventing normal user processes from interfering with system or administrator processes; and protecting users and administrators from exploitation of vulnerabilities in their browser by malicious mobile code.
  9. Why was Linux chosen as the base platform?
    Linux was chosen as the platform for the initial reference implementation of this work because of its growing success and open development environment. Linux provides an excellent opportunity to demonstrate that this functionality can be successful in a mainstream operating system and, at the same time, contribute to the security of a widely used system. The Linux platform also offers an excellent opportunity for this work to receive the widest possible review and perhaps serve as a basis for additional security research by other interested parties.
  10. Why did you do this work?
    The National Information Assurance Research Laboratory of the National Security Agency is responsible for the research and advanced development of the technologies needed to enable NSA to provide information security solutions, products, and services for information infrastructures critical to U.S. national security interests.
    Creating a viable, secure operating system remains a major research challenge. Our goal is to create an efficient architecture that provides the necessary security support, runs programs in a manner that is largely transparent to the user, and is attractive to vendors. We believe that an important step toward achieving this goal is to demonstrate how mandatory access control mechanisms can be successfully integrated into a mainstream operating system.
  11. How does this relate to previous NSA OS research?
    Researchers in NSA's Information Assurance Research Laboratory and Secure Computing Corporation (SCC) developed a powerful and flexible mandatory access control architecture based on Type Enforcement, a mechanism first developed for the LOCK system. NSA and SCC developed two Mach-based prototypes of the architecture: DTMach and DTOS (http://www.cs.utah.edu/flux/dtos/). NSA and SCC then worked with the Flux research group at the University of Utah to port the architecture to the Fluke research operating system. During this port, the architecture was enhanced to better support dynamic security policies. This enhanced architecture is called Flask (http://www.cs.utah.edu/flux/flask/). NSA has now integrated the Flask architecture into the Linux operating system to bring the technology to a wider community of developers and users.
  12. Is Security-Enhanced Linux a Trusted Operating System?
    The phrase "Trusted Operating System" generally refers to an operating system that provides sufficient support for multilevel security and assurance to meet a specific set of government requirements. Security-Enhanced Linux incorporates useful ideas from these systems but focuses on mandatory access control. The primary goal in developing Security-Enhanced Linux was to create useful functionality that delivers tangible security benefits across a wide range of real-world environments in order to demonstrate the technology. SELinux by itself is not a trusted operating system, but it provides a critical security feature, mandatory access control, that a trusted operating system needs. SELinux has been integrated into Linux distributions that have been evaluated against the Labeled Security Protection Profile. Information about tested and validated products can be found at http://niap-ccevs.org/.
  13. Is it really secure?
    The notion of a secure system includes many attributes (for example, physical security, personnel security, and so on), and Security-Enhanced Linux addresses only a very narrow set of these attributes (namely, mandatory access controls in the operating system). In other words, a "secure system" means one that is secure enough to protect some information in the real world from a real adversary that the information owner and/or user has been warned about. Security-Enhanced Linux is intended only to demonstrate the mandatory controls needed in a modern operating system such as Linux, and so it cannot by itself meet any definition of a secure system. We believe that the technology demonstrated in Security-Enhanced Linux will be useful to people who build secure systems.
  14. What have you done to improve assurance?
    The goal of this project was to add mandatory access controls with minimal changes to Linux. This latter goal limits what can be done to improve assurance, so no work was done that was aimed at improving the assurance of Linux. On the other hand, the enhancements build on previous work on designing high-assurance security architectures, and most of these design principles carry over to Security-Enhanced Linux.
  15. Will CCEVS evaluate Security-Enhanced Linux?
    Security-Enhanced Linux is not designed to address the full set of security concerns represented by a protection profile. Although it would be possible to evaluate only its current functionality, we believe that such an evaluation would be of limited value. However, we have worked with others to include this technology in Linux distributions that have been evaluated and distributions that are in evaluation. Information about tested and validated products can be found at http://niap-ccevs.org/.
  16. Have you tried to fix any vulnerabilities?
    No, we did not look for or find any vulnerabilities in the course of our work. We made only the minimum changes needed to add our new mechanisms.
  17. Is this system approved for government use?
    Security-Enhanced Linux has no special or additional approval for government use over any other version of Linux.
  18. How does this differ from other initiatives?
    Security-Enhanced Linux has a well-defined architecture for flexible mandatory access control that has been experimentally validated through several prototype systems (DTMach, DTOS, Flask). Detailed studies have been performed of the architecture's ability to support a wide range of security policies and are available at http://www.cs.utah.edu/flux/dtos/ and http://www.cs.utah.edu/flux/flask/.
    The architecture provides fine-grained control over many kernel abstractions and services that are not controlled by other systems. Some of the distinguishing characteristics of Security-Enhanced Linux are:

    • Clean separation of policy from enforcement
    • Well-defined policy interfaces
    • Independence from specific policies and policy languages
    • Independence from specific security label formats and contents
    • Separate labels and controls for kernel objects and services
    • Caching of access decisions for efficiency
    • Support for policy changes
    • Control over process initialization, inheritance, and program execution
    • Control over file systems, directories, files, and open file descriptors
    • Control over sockets, messages, and network interfaces
    • Control over the use of "capabilities"
  19. What are the licensing restrictions for this system?
    All source code found on the site https://www.nsa.gov is distributed under the same terms as the original source code. For example, the patches to the Linux kernel and the patches to most of the existing utilities available here are released under the terms of the GNU General Public License (GPL).
  20. Are there export controls?
    Security-Enhanced Linux has no additional export controls compared with any other version of Linux.
  21. Does NSA plan to use it internally?
    For obvious reasons, NSA does not comment on operational use.
  22. Does the Statement of Assurance of July 26, 2002 by Secure Computing Corporation change NSA's position that SELinux was made available under the GNU General Public License?
    NSA's position has not changed. NSA continues to believe that the terms and conditions of the GNU General Public License govern the use, copying, distribution, and modification of SELinux. See the NSA press release of January 2, 2001.
  23. Does NSA support open source software?
    NSA's software security initiatives encompass both proprietary and open source software, and we have successfully used both proprietary and open source models in our research activities. NSA's work to improve software security is motivated by one simple consideration: using our resources to give NSA's customers the best possible security options in their most widely used products. The goal of NSA's research program is to develop technological advances that can be shared with the software development community through a variety of delivery mechanisms. NSA does not endorse or promote any particular software product or business model. Rather, NSA promotes security.
  24. Does NSA support Linux?
    As noted above, NSA does not endorse or promote any particular software product or platform; NSA only helps to improve security. The Flask architecture demonstrated in the SELinux reference implementation has been ported to several other operating systems, including Solaris, FreeBSD, and Darwin, ported to the Xen hypervisor, and applied to applications such as the X Window System, GConf, D-BUS, and PostgreSQL. The concepts of the Flask architecture are broadly applicable to a wide range of systems and environments.

Collaboration

  1. How do we plan to interact with the Linux community?
    We have a set of web pages at NSA.gov that will serve as our primary means of publishing information about Security-Enhanced Linux. If you are interested in Security-Enhanced Linux, we encourage you to join the developer mailing list, review the source code, and provide your feedback (or code). To join the developer mailing list, see the SELinux developer mailing list page.
  2. Who can help?
    SELinux is now maintained and enhanced by the open source Linux software community.
  3. Does NSA fund any follow-on work?
    NSA is not currently considering proposals for further work.
  4. What kind of support is available?
    We intend to resolve issues through the mailing list [email protected], but we may not be able to answer all questions relating to a particular site.
  5. Who helped? What did they do?
    The Security-Enhanced Linux prototype was developed by NSA together with research partners NAI Labs, Secure Computing Corporation (SCC), and the MITRE Corporation. After the initial public release, many other contributions followed. See the list of contributors.
  6. How can I find out more?
    We encourage you to visit our web pages, read the documentation and past research papers, and participate in the mailing list [email protected]

Did you find the translation useful? Write a comment!

source: www.habr.com
