On Ubuntu 20.10:
- Disabled AppArmor
- Installed selinux*
- selinux-activate
- Set enforcing in /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# default - equivalent to the old strict and targeted policies
# mls - Multi-Level Security (for military and educational use)
# src - Custom policy built from source
SELINUXTYPE=default
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
Rebooted
brad@zika:/home/brad# sudo seinfo
Statistics for policy file: /etc/selinux/default/policy/policy.32
Policy Version: 32 (MLS enabled)
Target Policy: selinux
Handle unknown classes: allow
Classes: 131 Permissions: 423
Sensitivities: 1 Categories: 1024
Types: 3943 Attributes: 212
Users: 7 Roles: 15
Booleans: 300 Cond. Expr.: 331
Allow: 102134 Neverallow: 0
Auditallow: 22 Dontaudit: 16881
Type_trans: 8877 Type_change: 123
Type_member: 16 Range_trans: 33
Role allow: 32 Role_trans: 388
Constraints: 133 Validatetrans: 0
MLS Constrain: 57 MLS Val. Tran: 0
Permissives: 0 Polcap: 5
Defaults: 0 Typebounds: 0
Allowxperm: 0 Neverallowxperm: 0
Auditallowxperm: 0 Dontauditxperm: 0
Ibendportcon: 0 Ibpkeycon: 0
Initial SIDs: 27 Fs_use: 26
Genfscon: 92 Portcon: 475
Netifcon: 0 Nodecon: 0
But the check-selinux-installation output reports 2 missing directories:
check-selinux-installation
getfilecon: getfilecon(/proc/1) failed
SELinux is not enabled.
Could not read the domain of PID 1.
The directories /sys/fs/selinux and /selinux are missing.
Postfix init script is syncing the chroots.
Postfix has chrooted service in master.cf
/etc/default/grub
GRUB_CMDLINE_LINUX=" security=selinux"
and
update-grub
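I did not notice any relabeling at boot, and getenforce reports Disabled. What am I doing wrong?
Update: SELinux suddenly became active and is working fine in permissive mode.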
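
The post compares three sources of SELinux state: /etc/selinux/config, the kernel command line, and the selinuxfs mount at /sys/fs/selinux. The following is an added example, not part of the original post, that cross-checks them in one pass. The function names are hypothetical, the demo input is constructed, and the script also reads the `selinux=` and `enforcing=` kernel parameters, which the post does not mention.

```sh
#!/bin/sh
# Added example: compare the configured SELinux mode with the boot
# parameters and the runtime state. Function names are hypothetical.

# Print the SELINUX= value from a config file (last assignment wins;
# comment lines and SELINUXTYPE= are ignored).
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Print the value of kernel parameter $1 from command-line string $2.
cmdline_param() {
    for word in $2; do
        case "$word" in
            "$1"=*) printf '%s\n' "${word#*=}" ;;
        esac
    done | tail -n 1
}

# Print disabled, permissive or enforcing for the selinuxfs mount at $1.
runtime_mode() {
    if [ ! -r "$1/enforce" ]; then
        echo disabled            # selinuxfs not mounted: no policy loaded
    elif [ "$(cat "$1/enforce")" = 1 ]; then
        echo enforcing
    else
        echo permissive
    fi
}

# $1 = config file, $2 = kernel command line, $3 = selinuxfs directory.
# Prints one summary line; returns 0 only if runtime matches the config.
diagnose() {
    want=$(config_mode "$1")
    have=$(runtime_mode "$3")
    echo "configured=$want runtime=$have" \
         "security=$(cmdline_param security "$2")" \
         "selinux=$(cmdline_param selinux "$2")" \
         "enforcing=$(cmdline_param enforcing "$2")"
    [ "$want" = "$have" ]
}

# Constructed demo input reproducing the state in the post: config says
# enforcing, security=selinux is on the command line, selinuxfs is absent.
demo=$(mktemp -d)
printf 'SELINUX=enforcing\nSELINUXTYPE=default\n' > "$demo/config"
diagnose "$demo/config" "ro quiet security=selinux" "$demo/selinux" \
    || echo "runtime state does not match $demo/config"
rm -rf "$demo"
```

On a live system the same check is `diagnose /etc/selinux/config "$(cat /proc/cmdline)" /sys/fs/selinux`.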