mac [2012/05/24 16:33] val |
mac [2012/05/25 16:59] val |
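--- a/mac
+++ b/mac
@@ -1,9 +1,22 @@
 ====== MAC ======
+===== Вариант использование как AppArmor =====
+
+==== Выбор приложения ====
+
+[[Средства программирования shell#Web свервер на shell]]
+
+[[Сервис INETD]]
+
+==== Тестирование ====
 <code>
-# rcsdiff /usr/src/sys/security/mac_mls/mac_mls.c
-===================================================================
-RCS file: /usr/src/sys/security/mac_mls/mac_mls.c,v
-retrieving revision 1.1
-diff -r1.1 /usr/src/sys/security/mac_mls/mac_mls.c
+# fetch -qo - http://172.16.1.6/index.html
+
+# fetch -qo - http://172.16.1.6/../../etc/passwd
+</code>
+
+==== Патчинг модулей biba и mls ====
+<code>
+# rcsdiff /usr/src/sys/security/mac_mls/mac_mls.c
+</code><code>
 875c875
 < mls_set_effective(dest, MAC_MLS_TYPE_LOW, 0, NULL);
@@ -14,11 +27,99 @@
 # rcsdiff /usr/src/sys/security/mac_biba/mac_biba.c
 </code><code>
-===================================================================
-RCS file: /usr/src/sys/security/mac_biba/mac_biba.c,v
-retrieving revision 1.1
-diff -r1.1 /usr/src/sys/security/mac_biba/mac_biba.c
 915c915
 < biba_set_effective(dest, MAC_BIBA_TYPE_HIGH, 0, NULL);
 ---
 > biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
+</code>
+
+==== Включение модулей при загрузке ====
+
+<code>
+# cat /boot/loader.conf
+</code><code>
+mac_mls_load="YES"
+mac_biba_load="YES"
+</code>
+
+==== Включение множественных меток на файловой системе ====
+
+<code>
+# cat /etc/fstab
+</code><code>
+...
+/dev/ad0s1a / ufs ro 1
+...
+</code>
+
+Reboot in single mode
+
+<code>
+# tunefs -l enable /
+
+# mount -a
+
+# cat /etc/fstab
+</code><code>
+...
+/dev/ad0s1a / ufs rw 1
+...
+</code>
+
+Reboot in multiuser mode
+
+<code>
+# ps axZ
+
+# getfmac /etc/passwd
+</code>
+
+==== Установка меток на файловую систему ====
+
+<code>
+# cat /etc/policy.contexts
+</code><code>
+.* biba/high,mls/high
+
+/ biba/equal,mls/equal
+/var biba/equal,mls/equal
+/var/www biba/equal,mls/equal
+/var/www/.* biba/equal,mls/equal
+/bin biba/equal,mls/equal
+/bin/sh biba/equal,mls/equal
+/libexec biba/equal,mls/equal
+/libexec/ld-elf.so.1 biba/equal,mls/equal
+/lib biba/equal,mls/equal
+/lib/libedit.so.7 biba/equal,mls/equal
+/lib/libncurses.so.8 biba/equal,mls/equal
+/lib/libc.so.7 biba/equal,mls/equal
+/usr biba/equal,mls/equal
+/usr/bin biba/equal,mls/equal
+/usr/bin/file biba/equal,mls/equal
+/lib/libz.so.5 biba/equal,mls/equal
+/usr/lib biba/equal,mls/equal
+/usr/lib/libmagic.so.4 biba/equal,mls/equal
+/usr/share biba/equal,mls/equal
+/usr/share/misc biba/equal,mls/equal
+/usr/share/misc/magic biba/equal,mls/equal
+/usr/local biba/equal,mls/equal
+/usr/local/sbin biba/equal,mls/equal
+/usr/local/sbin/webd biba/equal,mls/equal
+</code><code>
+# setfsmac -evf /etc/policy.contexts /
+</code>
+
+==== Запуск приложения ====
+
+<code>
+# cat /etc/inetd.conf
+</code><code>
+...
+http stream tcp nowait root /usr/sbin/setpmac setpmac biba/low,mls/low /usr/local/sbin/webd
+</code>
+
+==== Тестирование ====
+
+<code>
+# fetch -qo - http://172.16.1.6/index.html
+# fetch -qo - http://172.16.1.6/../../etc/passwd
 </code>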