使能SELinux
当启用SELinux时,所有系统对象,包括文件、目录、进程、套接字、驱动程序等,都被标记有一个安全上下文。
安全上下文由用户、角色、类型标识符和可选的敏感度组成,用冒号分隔。
例如:user:role:type:sensitivity
注意,用户与Linux用户无关,类型与对象的种类无关。
- 在策略中定义了一组有效的用户、角色和类型。
- 不同的对象可以标记相同的安全上下文。
- SELinux安全策略的MAC机制通过以下方式实现:
- 类型强制(TE)
- 基于角色的访问控制(RBAC)
- 多级安全(MLS)
- 类型使策略能够指定允许的操作。
以下步骤解释了如何启用SELinux和更改SELinux模式。
注意:
为了测试,SELinux实现以宽松模式(Permissive mode)启动,而不是非功能性禁用模式(Disabled mode)或最严格的强制模式(Enforcing mode)。这种模式作为参考,便于测试和开发。
-
启用或禁用SELinux:
- 要为构建禁用SELinux,删除SELINUX_DISTRO_SECTION中的代码行。默认情况下,构建启用SELinux。
- 要启用SELinux,添加SELINUX_DISTRO_SECTION中的代码行,如图所示以启用SELinux。
- 使用策略版本33。
- 要为SELinux添加策略,请参见上游refpolicy。
图示显示了SELinux中的步骤:
-
使用getenforce命令检查系统状态。该命令返回以下三个值之一:
- enforcing
- permissive
- disabled
-
要更改模式,在运行时通过运行setenforce命令和一个数字来选择模式(此更改在重启后不会保留)。
a.要在重启后保留设置:
通过SSH连接到设备。有关说明,请参见《How to》 →《How to SSH》。
运行以下命令:umount -l /etc mount -o rw,remount /
编辑 /etc/selinux/config 中的SELINUX=行,将其设置为以下三个支持的值之一:enforcing、permissive或disabled。
使用以下命令重启设备:reboot
b.要在构建中指定SELinux模式:将DEFAULT_ENFORCING构建标志更改为以下三个支持的值之一:enforcing、permissive或disabled。
conf/distro/include/qcom-base.inc -- DEFAULT_ENFORCING = "permissive" ++ DEFAULT_ENFORCING = "enforcing"
-
SELinux禁用模式留下一些通过SELinux框架的代码路径。这些代码路径对于KPI测试或验证SELinux框架中的错误没有用处。它也不会比宽松模式允许更多的访问。
要在测试中禁用该功能,请从DISTRO_FEATURES中删除SELinux:conf/distro/include/qcom-base.inc -- DISTRO_FEATURES:append = " selinux"
使能UEFI安全启动
您可以设置初始 UEFI 安全启动配置,并将密钥和证书转换为 UEFI 可以理解的格式。
请参阅工作流程以了解非目标准备和设备上的执行。
生成 UEFI 安全启动密钥的先决条件
您应确保安装以下工具:
工具 | 描述 |
---|---|
OpenSSL 0.9.80 June 2010 (or later version) | 此工具必须安装在 Linux 主机上。 |
Cert-to-efi-sig-list | 此工具将 OpenSSL 证书转换为 EFI 签名列表。它作为 efitools 包的一部分安装。 |
Sign-efi-sig-list | 此工具签署 EFI 签名列表,这对于管理 UEFI 中的安全变量至关重要。它作为 efitools 包的一部分安装。 |
Hash-efi-sig-list | 此工具从二进制文件创建哈希签名列表条目。 |
生成密钥和证书
为了启用UEFI安全启动,生成一对用于签名和认证的密钥和证书。
签名镜像并将(.auth)密钥/签名文件复制到EFI分区
EFI系统分区包含EFI、loader和dtb目录,这些目录在使用systemd-boot时包含与EFI相关的信息。
从systemd-boot菜单启用UEFI安全启动
EFI二进制文件由签名的镜像和安全启动密钥组成,这些镜像和密钥被生成后刷写到系统中。有关更多详细信息,请参阅签名镜像并将(.auth)密钥/签名文件复制到EFI分区。
哈希未签名的镜像并更新数据库以进行镜像认证
UEFI安全启动允许镜像认证。即使镜像未签名或镜像中的证书未存储在签名数据库(DB)中,这种认证也可以通过存储在签名数据库中的镜像哈希来实现。
OpenSSL的配置文件例子
#
# Copyright (c) 2013 Qualcomm Technologies, Inc.
# All Rights Reserved.
# Confidential and Proprietary - Qualcomm Technologies, Inc.
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ v3_req ]
# Extensions to add to a certificate request
subjectKeyIdentifier=hash
#authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
#authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo