SELinux Play Machine!

网上有人证明SELinux可以完全取代传统的Unix权限控制做得试验机,可以用来做测试和学习SELinux,很不错的想法!
下面是作者的Play Machine的访问方法,

Fedora


To access my Fedora play machine ssh to cable.coker.com.au
as root, the password is "qwerty".
I give no-one permission to distribute this password. If you want to share
information on this machine you must give the URL to this web site. In some
jurisdictions it would be considered a crime to distribute the password
without my permission (IE without giving the URL to this web page).
下面是关于这台Play Machine的FAQ,有机会一定也要搞台这样的Play Machine玩玩:-)

  • Editing thanks.txt_append_only with vi won't work, use cat or echo to
    append data to the file. The following commands will work:
    echo something >> thanks.txt_append_only_dont_edit_with_vicat >> thanks.txt_append_only_dont_edit_with_vi


  • There is no harm in letting you see dmesg output for such a machine,
    security by obscurity isn't much good anyway. For a serious server you would
    probably deny dmesg access, but this is a play machine. One of the purposes
    of the machine is to teach people about SE Linux, and you can learn a lot
    from the dmesg output.

  • This is not a virtual machine. It's a real P3-1000 IBM Desktop machine
    running Fedora SE Linux. You really have UID==0. SE Linux does it's own
    permission checks in addition to the Unix permission checks.
    If you don't believe me you are free to write assembler programs to call
    getuid() etc. But it would be a lot easier for you to just install a
    recent version of Fedora, see how it works, and read the source if you wish.

  • I will provide instructions on installing such machines soon.

  • To administer a SE Linux machine you need to have sysadm_r (the SE Linux
    administrative role) and UID==0 (the regular Unix admin account). So there
    needs to be a UID==0 account. As in regular Linux the UID==0 account does not
    need to be named "root". In the case of this machine the root account
    has UID 0, but it has few privs in SE Linux.

  • The default policy in Fedora is known as the targeted policy, it
    has no restrictions on user login sessions (so can never be used for such a
    machine). The policy I use for this machine is known as the strict
    policy. The default configuration of the strict policy does not
    support running in such a manner and requires some changes.

  • Exec-shield is being run too. It is a kernel patch to prevent
    stack-smashing attacks.

  • This machine is intentionally more permissive than the Gentoo play
    machine. I let you see the policy files so you can learn how to configure
    a machine in this way.

  • Regarding core-dumping bash to read the history. That's nice work, but
    you could have just used cat, grep, or any of your favourite tools on
    /root/.bash_history with much less effort.

  • Some people have asked for ping, telnet, etc access. I would like to
    provide such access (and have provided it in the past). I removed ping
    access because some people were using ping with large packet sizes to attack
    machines with small network connections. I removed telnet access because
    people were running scripts to try and discover (and attack) hosts with
    broken telnetd's.
    As for whether the machine is usable without such access, for it's intended
    purpose (demonstrating what SE Linux can do) it is quite useful. As a general
    shell server it's not very useful because you share your account with lots of
    people who may rm your files or kill your processes.

  • Some types of files and directories may not be stat'd by unprivileged
    users (this includes shadow_t for /etc/shadow). Such files and directories
    show up in flashing red in the output of "ls -l" because ls can't even
    determine whether it's a file or a directory.

Comments

Post a Comment

Popular posts from this blog

Freeware Software Top 300 from winAddons.Com!

来自winAddons.Com的推荐,最好的300款免费软件,其中当然不乏Open Source的品牌产品,如OpenOffice,Firefox等,也包含了Windows平台下常用的不花钱的玩意儿,如Adobe Acrobat Reader等。 全文摘录如下, 对我个人经常使用和熟悉的一些产品进行了评价!! Office 办公软件 OpenOffice - 最著名的免费的办公套件 PC Suite 602 - office suite AbiWord - text editor Atlantis Nova - text editor Microsoft PowerPoint Viewer - power point files viewer Adobe Reader - pdf reader Foxit PDF Reader - pdf reader PDFCreator - 优秀的PDF制作引擎,用于直接打印到PDF文件 Doc Convertor - document convertor Convert - unit convertor Converber - unit convertor Sunbird - calendar/organizer EssentialPIM Free - calendar/organizer PhraseExpress - speed up your writing ATnotes - create notes on the desktop Archive managers 压缩文件管理器 7-Zip - 最流行的免费压缩工具 IZArc - compression program TugZIP - compression program CabPack - compression program Universal Extractor - extract files from any type of archive Internet 因特网 Firefox - 火狐,火狐 Internet Explorer - web browser Maxthon - web browser Opera - web browser Avant Browser - web browser Thu...
Read more

What is DevOPS?

Image
What is DevOPS? As be a DevOPS engineer more than five years in the past, I was always asked what is DevOPS or what is a DevOPS role or what should a DevOPS Engineer do? Or even question like how to be a good DevOPS? What? How? should be the most two frequently questions from almost all organizations. As I am working with  Amazon Web Service  for a long time with my DevOPS career, I tried to get answers from AWS guys frist as they have a special section about AWS DevOPS, also they have AWS DevOPS certificate cources, even though I never try such cources. This is the first page said about DevOPS on AWS DevOPS to answer "What is DevOPS?", DevOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes. This speed enable...
Read more

RPM Build Tips!

Now, I am trying to build a Linux system based on the Fedora Core Release! Working with the RPM system in deep.The unpackaged file terminate the build process under RPM 4.x! Unpackaged files message in RPM-4.1 and following RPM version 4.1 and following demonstrate a new behaviour in the rpmbuild process. Previously, a build process might place any number of files, say in the %install stanza, when running the make install part of a Makefile , in the customary /var/tmp/%{name}-root/ BuildRoot (the RPM_BUILD_ROOT ). Once through that part of the Makefile , it can then completely ignore these files in the %files binary packaging stanza. This often happens when an upstream maintainer adds, or deletes items from new directory spurs in the make install , and the change might be missed during an unattended or automated rebuild. This option permits careful packagers to cross check the quality of their packaging. So as a cross check, /usr/lib/rpm/check-files is now enabled during ...
Read more