I am trying to build the SELinux refpolicy from source on CentOS 7, because I want to increase the number of MCS categories that can be used.
I successfully built and installed the SELinux refpolicy, and edited the build.conf
file, which contains the following:
########################################
#
# Policy build options
#
# Policy version
# By default, checkpolicy will create the highest
# version policy it supports. Setting this will
# override the version. This only has an
# effect for monolithic policies.
#OUTPUT_POLICY = 18
# Policy Type
# standard, mls, mcs
TYPE = mcs
# Policy Name
# If set, this will be used as the policy
# name. Otherwise the policy type will be
# used for the name.
NAME = refpolicy
# Distribution
# Some distributions have portions of policy
# for programs or configurations specific to the
# distribution. Setting this will enable options
# for the distribution.
# redhat, gentoo, debian, suse, and rhel4 are current options.
# Fedora users should enable redhat.
DISTRO = redhat
# Unknown Permissions Handling
# The behavior for handling permissions defined in the
# kernel but missing from the policy. The permissions
# can either be allowed, denied, or the policy loading
# can be rejected.
# allow, deny, and reject are current options.
UNK_PERMS = allow
# Direct admin init
# Setting this will allow sysadm to directly
# run init scripts, instead of requring run_init.
# This is a build option, as role transitions do
# not work in conditional policy.
DIRECT_INITRC = n
# Systemd
# Setting this will configure systemd as the init system.
SYSTEMD = n
# Build monolithic policy. Putting y here
# will build a monolithic policy.
MONOLITHIC = n
# User-based access control (UBAC)
# Enable UBAC for role separations.
UBAC = y
# Custom build options. This field enables custom
# build options. Putting foo here will enable
# build option blocks named foo. Options should be
# separated by spaces.
CUSTOM_BUILDOPT =
# Number of MLS Sensitivities
# The sensitivities will be s0 to s(MLS_SENS-1).
# Dominance will be in increasing numerical order
# with s0 being lowest.
MLS_SENS = 16
# Number of MLS Categories
# The categories will be c0 to c(MLS_CATS-1).
MLS_CATS = 2048
# Number of MCS Categories
# The categories will be c0 to c(MCS_CATS-1).
MCS_CATS = 2048
# Set this to y to only display status messages
# during build.
QUIET = n
# Set this to treat warnings as errors.
WERROR = n
However, after enabling refpolicy and relabeling the system, I still cannot see or use MLS/MCS labels and ranges.
The sestatus
command gives me this:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: refpolicy
Current mode: permissive
Mode from config file: permissive
Policy MLS status: disabled
Policy deny_unknown status: denied
Max kernel policy version: 31
The semanage login -l
command gives me this:
Login Name SELinux User
__default__ user_u
root root
I followed the steps in this guide to build the policy from source. Am I missing another step to enable MLS/MCS?
Alternatively, I have been searching for the source of the policy that ships with SELinux, to no avail. Does anyone know where I can find it? I am also interested in trying to build the targeted policy from source.
EDIT
It actually seems that the settings specified in build.conf
are not being applied...
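As an added example (not part of the original question, and not refpolicy's own tooling), the following POSIX shell script reads a refpolicy build.conf and a saved `sestatus` output and reports whether the loaded policy matches what build.conf requested: a TYPE of mls or mcs must show up as `Policy MLS status: enabled`, and the categories defined by the build run c0 to c(MCS_CATS-1). The build.conf and sestatus text embedded below are constructed samples that mirror the question, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original question or from refpolicy:
# compare what a refpolicy build.conf asks for with what `sestatus` reports,
# so an unapplied build.conf (TYPE = mcs built, yet "Policy MLS status:
# disabled" loaded) is caught mechanically. Both input files are constructed.

# Value of KEY from a refpolicy build.conf ("KEY = value", '#' comments);
# commented-out keys like "#OUTPUT_POLICY = 18" are ignored, last match wins.
conf_get() {  # $1 = build.conf path, $2 = key name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# A policy built with TYPE mls or mcs carries MLS constraints, so sestatus
# must say "Policy MLS status: enabled"; TYPE standard yields "disabled".
expected_mls_status() {  # $1 = TYPE
    case "$1" in
        mls|mcs)  echo enabled ;;
        standard) echo disabled ;;
        *)        echo unknown ;;
    esac
}

# Highest category the build defines: categories run c0 .. c(N-1).
highest_category() {  # $1 = build.conf path
    type=$(conf_get "$1" TYPE)
    case "$type" in
        mls) echo "c$(( $(conf_get "$1" MLS_CATS) - 1 ))" ;;
        mcs) echo "c$(( $(conf_get "$1" MCS_CATS) - 1 ))" ;;
        *)   echo none ;;
    esac
}

# "enabled"/"disabled" as reported by a saved `sestatus` output.
sestatus_mls() {  # $1 = file holding sestatus output
    sed -n 's/^Policy MLS status:[[:space:]]*//p' "$1"
}

# Exit 0 when the loaded policy matches build.conf, 1 when build.conf was
# evidently not applied, 2 when TYPE is unrecognised.
check_applied() {  # $1 = build.conf path, $2 = sestatus output file
    want=$(expected_mls_status "$(conf_get "$1" TYPE)")
    have=$(sestatus_mls "$2")
    [ "$want" = unknown ] && return 2
    [ "$want" = "$have" ]
}

# --- constructed sample inputs (trimmed to the relevant lines) ------------
SAMPLE_CONF=$(mktemp)
SAMPLE_STATUS=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
# constructed refpolicy build.conf excerpt
#OUTPUT_POLICY = 18
TYPE = mcs
NAME = refpolicy
MONOLITHIC = n
MLS_SENS = 16
MLS_CATS = 2048
MCS_CATS = 2048
EOF
cat >"$SAMPLE_STATUS" <<'EOF'
SELinux status:                 enabled
Loaded policy name:             refpolicy
Policy MLS status:              disabled
Max kernel policy version:      31
EOF

if check_applied "$SAMPLE_CONF" "$SAMPLE_STATUS"; then
    echo "loaded policy matches build.conf; categories go up to $(highest_category "$SAMPLE_CONF")"
else
    echo "build.conf asks for TYPE=$(conf_get "$SAMPLE_CONF" TYPE) but sestatus reports MLS $(sestatus_mls "$SAMPLE_STATUS"): build.conf was not applied"
fi
```

On the live system, `seinfo --category` (from setools) lists the categories the loaded policy actually defines, which is a direct check of whether MCS_CATS took effect; if it disagrees with build.conf, clear the tree with `make bare` before rebuilding and reinstalling so nothing from the earlier build is reused.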