Installing and configuring SELinux on Debian

Original: https://wiki.debian.org/SELinux/Setup

Original text of the setup steps:

```

2. Steps to setup SELinux

The following steps describe how to install and configure SELinux together with the default policy which enables SELinux for the most important parts of your system (e.g. most Internet-facing daemons, see the policies section below for alternative policies):

  1. If you are not using the standard linux kernel provided by debian with an ext2/3/4, you have to make sure that you are using a SELinux capable kernel and filesystem (see the prerequisites section below).

  2. Get the default policy and the basic set of SELinux utilities by running apt-get install selinux-basics selinux-policy-default auditd.

  3. If using Ubuntu, download this _load_selinux_policy script (this is a slightly modified version of the script included in the Ubuntu 'selinux' package), place it in /usr/share/initramfs-tools/scripts/init-bottom/ then run update-initramfs -u (Upstart in Debian loads the SELinux policy automatically, but Upstart in Ubuntu does not. See https://bugs.launchpad.net/upstart/+bug/595774)

  4. Run selinux-activate to configure GRUB and PAM and to create /.autorelabel

  5. Reboot, it will take a while to label the filesystems on boot and then it will automatically reboot a second time when that is complete.
  6. Run check-selinux-installation to check that everything has been setup correctly and to catch common SELinux problems. (Note: in wheezy the warning about /etc/pam.d/login is a false positive)

You should now have a working SELinux system, which is in permissive mode. This means that the selinux policy is not enforced, but denials are logged. You can see all would-be denials since the last reboot with a small explanation for each with audit2why -al. If no critical audit errors appear in your syslog and you feel comfortable with SELinux, enable enforcing mode temporarily by running setenforce 1 or permanently by adding enforcing=1 to the kernel command line in /etc/default/grub and then rebooting one last time.

If you want to learn how to work with your newly configured SELinux system (relabelling files, moving files, checking the security context of files, etc), the Fedora Project SELinux FAQ documentation by RedHat may be useful.

```

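TL;DR:

1. Install the packages: apt-get install selinux-basics selinux-policy-default auditd

2. Regenerate the kernel initrd file: update-initramfs -u

3. Reconfigure GRUB: selinux-activate (security=selinux is added to the boot parameters automatically)

4. Reboot. On the first reboot SELinux labels the files, which takes a few minutes, and then the system reboots again automatically

5. Done. Run check-selinux-installation to check the configuration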
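The steps above leave a few things worth confirming after the second reboot: that security=selinux reached the kernel command line, that the relabel finished, and whether the system is permissive or enforcing. The following is an added example, not part of the Debian wiki text or the original post; the function names `has_param` and `selinux_state` are hypothetical, and the file paths are parameters so the check can be run against constructed files.

```shell
#!/bin/sh
# Added example: report where a host is in the SELinux setup procedure.
# Defaults are the real kernel interfaces; pass other paths to test offline.

# has_param CMDLINE PARAM -> success if PARAM is a whole word on the cmdline
has_param() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# selinux_state [CMDLINE_FILE] [ENFORCE_FILE] [AUTORELABEL_FLAG]
# Prints: not-activated | relabel-pending | not-loaded | permissive |
#         enforcing | enforcing-cmdline
selinux_state() {
    cmdline_file=${1:-/proc/cmdline}
    enforce_file=${2:-/sys/fs/selinux/enforce}
    relabel_flag=${3:-/.autorelabel}
    cmdline=$(cat "$cmdline_file")

    # selinux-activate should have put security=selinux on the cmdline
    if ! has_param "$cmdline" "security=selinux"; then
        echo not-activated; return 0
    fi
    # The flag file still existing means the relabel boot has not completed
    if [ -e "$relabel_flag" ]; then
        echo relabel-pending; return 0
    fi
    # No selinuxfs enforce node means no policy was loaded at boot
    if [ ! -r "$enforce_file" ]; then
        echo not-loaded; return 0
    fi
    if [ "$(cat "$enforce_file")" = "1" ]; then
        # Without enforcing=1 on the cmdline, the mode may come from
        # setenforce 1, which the page describes as temporary
        if has_param "$cmdline" "enforcing=1"; then
            echo enforcing-cmdline
        else
            echo enforcing
        fi
    else
        echo permissive
    fi
}
```

Calling `selinux_state` with no arguments on the configured host reads the live kernel interfaces; `permissive` is the expected result right after the procedure.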

posted @ 2021-08-27 09:47  大长胡子