модули_mac



Модули MAC

Вариант использования как AppArmor

Выбор приложения

Тестирование (второй запрос проверяет, может ли приложение прочитать файл за пределами каталога веб-сервера; после установки меток, описанной ниже, такой запрос должен завершаться отказом)

# fetch -qo - http://server.corpX.un/index.html

# fetch -qo - http://server.corpX.un/../../etc/passwd

Патчинг модулей biba и mls

# rcsdiff /usr/src/sys/security/mac_mls/mac_mls.c
875c875
<       mls_set_effective(dest, MAC_MLS_TYPE_LOW, 0, NULL);
---
>       mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
# rcsdiff /usr/src/sys/security/mac_biba/mac_biba.c
915c915
<       biba_set_effective(dest, MAC_BIBA_TYPE_HIGH, 0, NULL);
---
>       biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);

Сборка ядра

Включение модулей при загрузке

# cat /boot/loader.conf
mac_mls_load="YES"
mac_biba_load="YES"

Включение множественных меток на файловой системе

http://www.freebsd.org/doc/ru/books/handbook/mac-troubleshoot.html

# cat /etc/fstab
...
/dev/ad0s1a             /               ufs     ro              1
...

Reboot in single-user mode (пункт 4 меню загрузчика)

# tunefs -l enable /

# init 6

Reboot in multiuser mode (не обращаем внимания на сообщения об ошибках при запуске системы с корневым разделом, смонтированным только на чтение)

# mount -urw /

# cat /etc/fstab
...
/dev/ad0s1a             /               ufs     rw              1
...
# init 6

Reboot in multiuser mode

 # mount
/dev/ad0s1a on / (ufs, local, multilabel)
...
# ps axZ

# getfmac /etc/passwd

# setfmac 'biba/high,mls/high' /etc/passwd

Установка меток на файловую систему

!!! Процесс занимает 15-20 минут !!!

# ldd /bin/sh
# ldd /bin/cat
# ldd /usr/bin/file

# man file

# cat /etc/policy.contexts
.*                              biba/high,mls/high

/                               biba/equal,mls/equal
/var                            biba/equal,mls/equal
/var/www                        biba/equal,mls/equal
/var/www/.*                     biba/equal,mls/equal
/bin                            biba/equal,mls/equal
/bin/sh                         biba/equal,mls/equal
/bin/cat                        biba/equal,mls/equal
/libexec                        biba/equal,mls/equal
/libexec/ld-elf.so.1            biba/equal,mls/equal
/lib                            biba/equal,mls/equal
/lib/libedit.so.7               biba/equal,mls/equal
/lib/libncurses.so.8            biba/equal,mls/equal
/lib/libc.so.7                  biba/equal,mls/equal
/usr                            biba/equal,mls/equal
/usr/bin                        biba/equal,mls/equal
/usr/bin/file                   biba/equal,mls/equal
/lib/libz.so.5                  biba/equal,mls/equal
/usr/lib                        biba/equal,mls/equal
/usr/lib/libmagic.so.4          biba/equal,mls/equal
/usr/share                      biba/equal,mls/equal
/usr/share/misc                 biba/equal,mls/equal
/usr/share/misc/magic           biba/equal,mls/equal
/usr/local                      biba/equal,mls/equal
/usr/local/sbin                 biba/equal,mls/equal
/usr/local/sbin/webd            biba/equal,mls/equal
# setfsmac -evf /etc/policy.contexts /

Запуск приложения

# cat /etc/inetd.conf
...
http stream tcp nowait root /usr/sbin/setpmac setpmac biba/low,mls/low /usr/local/sbin/webd