This one’s a two-fer! Dan Walsh covers the evolution of SELinux from Fedora 2 all the way to the upcoming Fedora 9 launch. Find out how it started and how user access controls will grow in the newest release. As a bonus, this is also a preview of Walsh’s scheduled talk at the upcoming Red Hat Summit. Want more? Check out the schedule of talks and register–and we’ll see you in Boston.

History

When SELinux was first developed, the goal was to confine as many system processes as possible to the least amount of privilege required. Fedora 2 was released with SELinux policy that confined users as well as system processes. We quickly realized that SELinux policy was not mature enough to handle a modern mainstream desktop operating system. After a quick redesign of the policy, we created “targeted” policy, replacing the previously named “strict” policy. The goal of targeted policy was to “target” certain processes in the operating system for confinement and leave the rest of the processes “unconfined.”

Logged-in user’s processes were unconfined in targeted policy. A logged-in user’s process is started by login programs (like login, sshd, or gdm) when the user provides authentication. In Red Hat® Enterprise Linux® 4, there were fifteen targeted applications that were confined, and in Red Hat Enterprise Linux 5 this grew to two hundred.

In Red Hat Enterprise Linux 5, we still did not confine the user. Strict policy was still provided, but few people used the confined user components. Multi Level Security (MLS) policy–which was developed for Red Hat Enteprise Linux 5–attains the highest level of security possible for a main line operating system used in military environments. It provides confinement for the users. MLS, however, only supports servers, so X-Windows applications did not benefit from this confinement.

The MLS development forced us to concentrate more on confining users, and we realized that we could take advantage of this confinement within targeted policy.

Customers/Partner engineers that were looking to work with MLS policy kept asking: How would you write policy for a logged in user who could only talk to a single port? How about a user who could only read a certain directory?

The two types of logged-in users we had developed for strict and MLS policy were user_t and staff_t. This was a problem because these users had basically the same interfaces/transitions and pretty much the same access.

staff_t was able to transition to sysadm_t, which was sort of a poor mans unconfined process. But trying to build a confined user policy out of either of these user types was impossible, since you needed to take lots of privileges away.

I reexamined the policy and decided it was necessary to create a least privileged user, a user that could login to the system with no access other than to read/write his home directory and use /tmp. This user would not be allowed to access the network, or run any setuid applications.

Customers also requested that the user not be able to execute files in his home directory. With this type of user as a base, customers could slowly add privileges to meet their needs.

The guest_t and xguest_t user types

In Fedora 8, we introduced the guest_t and xguest_t user types. The guest_t user has only the privileges necessary to login to a system via a terminal (Login, sshd, rshd, rlogind, and telnet). The xguest_t user has only the privileges required to login to an X-Windows system.
Once we had created these users, we began to find more possible uses for them. For example, at Red Hat, I have ssh access to people.redhat.com and people.fedoraproject.org. We ssh to these accounts and copy files there to set up http web pages, like so:

http://people.redhat.com/dwalsh

Files at this site are actually just files in my home/public_html directory on people.redhat.com. When I ssh to these machines, I really should not use the network to leave them, and I do not need to run any setuid applications while I am on them. So setting up these machines where all users are guest_t would make sense.

xguest_t also comes in handy for use on desktop machines. I have blogged about the use of xguest to confine my wife. [ Ed note.: No wives were harmed in the writing of this article. ] I extended xguest_t to transition to xguest_mozilla_t when running firefox. The xguest_mozilla_t domain is allowed to access http ports but nothing else. The xguest_t account allows me to lock down the system enough so that I know what processes are connecting to the internet. If the user downloads a spam application, it will not be allowed to run in the home directory, nor can it connect to the mail ports.

Other users have suggested using xguest_t for running games and other untrusted software applications. You could also set up an xguest user account to allow others to “borrow” your machine. In Fedora 8 and 9, there is an xguest rpm, which setups a kiosk mode user.
This “xguest” user can log in to your system from the console without a password when SELinux is in enforcing mode. The xguest rpm also sets up pam_namespace to create temporary home directories and /tmp directories, which are destroyed when the user logs out. We think this is an excellent way to run a kiosk machine. The login user can only browse the web (using firefox) and can not leave any apps around to attack other users that log into the system. Everything that user does on the machine is erased when they log out, so no one could grab any password information that might have been left behind.

You can try out xguest by executing:

# yum install xguest

The user_t SELinux user type

For Fedora 9, we combined the strict policy with the targeted policy. We have enhanced the user_t and staff_t SELinux user and now allow you to setup these users in a targeted policy system.

The user_t SELinux user is the standard SELinux user. At Red Hat, we have a distribution of Red Hat Enterprise Linux that is given to all non-engineers by the IT department. Sales people, support, administration, and management staff are given machines installed with a version of Red Hat Enterprise Linux but are not usually given the root password. These are machines for people who do not want to administer their own boxes. The IT department is in charge of updating the software on these boxes and maintaining the security. If users want to add software or modify their machines they have to contact the help desk for an update.

Accounts like these should be set up to use the user_u SELinux user. user_u is a complete login user account, unlike xguest, and it has full networking so that the user can connect to any network port. It does not have the ability to run setuid applications without a transition.

setuid applications are executables that have a special flag set on them. This flag tells the kernel to run the application with the identity of the owner of the application rather then the identity of the person executing the program. Usually setuid apps are owned by root, so running as setuid application as a normal user allows you to gain privileges. Over the years, many setuid applications have had vulnerabilities that allowed root exploits of the system. user_t would not be allowed to run any of these applications.

Since the users of this machine have no reason to ever become root, they do not have the ability to run su, sudo, userhelper, or any other application that requires setuid. Even if you had a setuid shell program on your system, user_t would not be allowed to execute it. Additionally, user_t processes are not allowed to read a lot of system space, so you are somewhat protected from “snooping eyes” looking at how the system is running.

If you have a setuid application that you want the user to be able to run, you can write policy to allow the user_u account to transition to a different domain to execute the code. For example, xlock uses pam to verify the users password. pam executes /sbin/unix_chkpwd, a setuid application. policy allows a transition from user_u:user_r:user_t -> user_u:user_r:chkpwd_t, which can run as root.

Like xguest , the user_u account can be set to disallow execution of programs in the home directory or /tmp.

setsebool -P allow_user_exec_content=0

If you want to set up your system to try out the user account, you can execute the following command as root:

# semanage login -m -s user_u USERNAME

or

# usermod -Z user_u USERNAME

If you want to add a user with user_u, you can execute:

useradd -Z user_u USERNAME

If you want all users on your system to default to user_u you would execute:

# semanage login -m -s user_u __default__

The staff_t SELinux user type

The staff_t user is for users who need to do some system administration, but do not need to be fully unconfined. This is the user that I log in as every day. Staff_t is similar to user_t in that it has full networking and is only allowed to run setuid applications via a transition. staff_t has a transition to sudo so you can write policy to allow the staff_t user to transition to a confined root user via the sudo command. If I run any other setuid application, it will fail, including su.

I actually have a transition defined between the staff_t to unconfined_t. When I become root, I become the unconfined_t user. This allows me to manage my machines any way I want, but requires me to go through sudo to gain the privilege. We have a webadm_t policy available in Fedora 9 that can also be used for a “confined” root user.

My sudoers file has the following line in it:

dwalsh	ALL=(ALL) 	TYPE=unconfined_t ROLE=unconfined_r ALL

To only allow this user to administer apache server I could use:

dwalsh	ALL=(ALL) 	TYPE=webadm_t ROLE=webadm_r ALL

To try out the staff account, execute the following command as root:

# semanage login -a -s staff_u -r s0-s0:c0.c1023 USERNAME

or

# usermod -Z staff_u USERNAME

Configure the staff_u user to allow it webadm_r and/or unconfined_r by executing:

# semanage user -m -R"unconfined_r webadm_r staff_r" staff_u

My next SELinux article will cover using the SELinux GUI to define additional SELinux users or extend the existing users. Also, I will be presenting this information at the Red Hat Summit and hope to be handing out xguest/kiosk liveCDs. If you have any questions or ideas, please come to my talk and let me know.

About the author

Dan Walsh has over 20 years experience in the computer field. He has spent most of his career working on Security Applications and platforms. He spent several years working on the Athena Project while at Digital Equipment Corp. Dan was also involved in designing and developing the AltaVista Firewall and AltaVista Tunnel (VPN) Products. He has worked for Netect developing HackerShield, a Vulnerability Assessment Product. Netect was acquired by BindView, where he continued working on HackerShield and developed a new product, BVControl for UNIX. At Red Hat, Dan has led the SELinux project, concentrating mainly on the application space and policy development. Dan Graduated with a BA in Mathematics from the College of the Holy Cross and a MS in Computer Science from Worcester Polytechnic Institute.

On Monday I had a chance to have a chat with Paul Vallee from Pythian. This was quite an enlightening talk, and I was very impressed by Paul openness and willing to share with me a lot of internal operations details. I wish there would be more people out where as open and helpful even when it comes to somewhat competing businesses. Though he is of course right - for small companies as we are there is much more business out where which is neither ours nor theirs and by being helpful to each other we can increase part of the pie to share.

Paul has significantly older (10 years) and larger (70 people) company so he has a lot to share. They have great internal systems and there is a lot we can learn from them in this area. We do fine with ours so far having just 7 active consultants but as we grow we need to get much better.

When I’m saying we’re somewhat competing businesses this is indeed only somewhat. Pythian focuses on Remote DBA with long term commitments while we do a lot of one time, emergency projects and only starting to get into 24/7 Support and Remote DBA offerings, We also do a lot of Architecture Design Scaling jobs and some custom MySQL Extensions/porting patches jobs. Paul can well deal with Fortune 500 companies dealing with all this statement of work, reporting etc while we’re more focused on startups, small/medium businesses and “light” web companies. Pythian is able to provide services for number of databases (Oracle, SQL Server, MySQL) while we provide services for number of full MySQL stacks and help people with implementing memcached caching, web layer, hardware selection etc. This is the reason there are few cases when we really run into each other on business side.

Besides internal systems approach I really liked approach of assigning customers to the Teams to deal. We usually have customer working with same engineer which works great for small projects but for longer projects you need to have a team as any single person can get sick or go on vacation.

Another difference is organization - we’re fully virtual company. At this point out of some 20 people we have (this includes not only MySQL Consultants but people busy with other projects as well) not a single of them works from the office. We do have office in Pleasanton,CA, which is part of my Visa requirements and we even got desks which previous renter did not want to take with them, though the only inhabitants in this office are some noisy servers we use for tests.

Pythian on other hand has most of employees in the offices in few places in the world though some people also work remotely. This is probably another thing which enterprise customers would appreciate.

Well anyway, I did not meant a lot to get into details comparing our companies but rather to publicly say thanks to Paul for what he shared with us and even more for showing the great leadership example in making word a better place.

---

Entry posted by peter | One comment

Add to: | | | |

Author:NinGoo posted on NinGoo.net

从网上下了本电子书《Perl for Oracle DBAs》，chm格式的。但是无法打开，所有的页面都显示：

此程序无法显示网页
最可能的原因是:
未连接到 Internet。
该网站遇到了问题。
在地址中可能存在键入错误。
…

由于并非系统中所有的chm文件都无法打开，那么问题应该在这个文件本身了。Google了一下，找到了解决方法，在该chm文件上点右键，选择属性，会发现有一个解除锁定的按钮，并且有说明文字：

此文件来自其他计算机，可能被阻止以保护该计算机

点击解除锁定，重新打开文件，问题解除。Windows这么做是出于安全考虑，因为chm是可执行文件，由html打包而成，里面有可能包含恶意代码。

除此之外，chm文件还有一种比较常见的打不开的情况，显示“不能打开文件mk:@MSITStore:\****.chm”，这可能是由于一个ocx控件注册有问题，重新注册一下该控件可能有帮助：

regsvr32 c:\windows\system\hhctrl.ocx

Related Articles

Add Comments(0)

在很多年前, 大约是本世纪初的时候, 当 Software as a Service 这个概念被提出来的时候, 我很难设想出具体的 SaaS 的使用体验会是怎样的, 或许很多人也会和我想得一样, 在一个下载速度不超过 10kb/s 的时代, 我们会以为 SaaS 就是把软件下载下来, 然后按照使用时间来付费. 毫无疑问, 因为恶劣的网络条件及缺乏方便的付费手段, 这样的使用体验会非常恐怖.

而现在, 很多构建在 Software as a Service 理念上的公司已经极大地发展甚至成功了, 典型的例子就是前段时间与 Google 达成了合作关系的 Salesforce.



Salesforce 于 1999 在美国加州由一位前 Oracle 高管 Marc Benioff 建立, 主营业务是通过浏览器在线使用的 CRM 软件, 通过订阅的方式向用户收费. 在经过了 5 年的发展之后, Salesforce 在 2004 年 6 月的时候在纽交所上市. 在 2005 年, 其总收入就达到了 US$309.857 million.

从 2000 年到现在的 8 年中发生的什么事情让这样的 SaaS 成为了现实呢? 在摩尔定律驱动下高速发展的网络带宽及计算机处理能力毫无疑问是其中最重要的硬件因素, 这样的硬件因素使得完整的商业软件应用如 Salesforce, 沟通工具如 Meebo, 甚至是像 Photoshop 这样的重量级多媒体应用, 能够有可能在浏览器中实现完整而流畅的用户体验. 而 PayPal 和 Google Checkout 则带来了方便和安全的在线支付手段.

因此, 我们可以说, 在今天, 构建 SaaS 所需要的一切外部环境已经完全成熟, 而用户也确实从这样的无需安装, 随时打开浏览器就可以使用体验中感受了简易和强大, Salesforce 在美国的热线电话的号码就是 1-800-NO-SOFTWARE, 有趣的口号.

而目前国内成熟的大规模 SaaS 应用还不多见, 不过据我所知, 已经有一些公司开始了这个方向的努力, 尤其是金融领域. 期望能够早日看到他们的成功吧.

附录 - 目前国内的一些金融领域的 SaaS 模式创业公司:

• 51value - 功能强大的选股软件及基于价值投资理念的股票价值判断工具, 3 天的免费试用结束之后, 根据功能强大程度分为几个档次按年订阅收费.
• 财帮子 - 共同基金投资管理工具, 可以进行一些简单的分析, 免费使用.

[ read more on livid.cn ]

©作者：eygle 发布在 eygle.com

今天起了大早，赶往亚运村法庭，参加Kamus的庭审。
法庭位置在木偶剧院附近，但是实在是不太好找，到木偶剧院已经是8：35分，担心赶不上开庭，所以一路狂奔。

给Kamus打电话，他已经在法庭内，但是也说不太清楚，我继续跑，当看到一个小区门口挂着一个"推介律师"的牌子后，我知道差不多了。
进了院子碰见Kamus，我赶紧换了旁听证，可是法庭内已经没有位子了，法庭很小，大约只有40个位子，光媒体据说就有20几家，出了记者和摄像、摄影师之外，已经没有几个空位了。
还好和朋友在最后一排挤在一个位子，没有被赶出去，同事后来到场，已经没办法进入了。
很多网友也守候外法庭之外。

上午最开始是原告方阐述起诉原因，列举证据。原告方主要指责被告方对原告进行了诽谤和攻击，导致原告失去工作，进而要求经济及精神赔偿。
原告律师诵读了大量网络上的文章，包括网友的一些言论，生成这些言论构成诽谤。

我这时候给Julia发短信，说觉得很好笑，原告列举的例证就比如我说你RP有问题，结果你来告我诽谤。
这真是吵架吵出法律纠纷，你会觉得太无奈。

Kamus网站上对于死者的怀念文章也被拿出来做证据，说其中的言语伤害了原告。我晕倒，难道我们连表达自己情感的权利都没了？
也许人原告真的不应该CNN到这个地步。

真不知道法律上会怎样来界定这些，如果双方无法对一句话产生的双方不可达成一致的理解，那怎么办？听法官的?

还有很多气愤的事情，不说了。看一张镜头下的Kamus吧：

上午Kamus的律师还诵读了姜岩的遗书，播放了姜岩父母一段声明的视频，法庭上我不知道，观众席上很多女孩子已经哭成一片，也许以后会有语音视频流传出来，真的很心酸和感动，让人落泪。

下午庭审继续，4点左右法官宣布暂时休庭，下次再审。

这一天下来，我感觉都很辛苦，不要说Kamus了，希望他能够以良好的心态打赢这场官司。

目前 网络暴力 这个词和这个案件被关联起来，然而我们都认为99.99%的网友都是在支持正确的价值与道德观，而且绝大多数网友的观点是公正的。我认为所谓的网络暴力在这次事件中起到了积极的作用，网络作为新媒体成为正义伸张、记录和宣传的新的阵地。

庭审后我和大旗、天涯的律师聊，我问他们，是不是你们找原告出来告你们自己的？这简直是给你们做免费的宣传。

明天还有很多工作需要做，暂时记录不做评判了。

-The End-

相关文章|Related Articles

• 一场即将到来的费解官司-声援Kamus
  
• 《深度解析Oracle》之《数据的存储》
  
• 东方标准系列课程-《深度解析Oracle》
  
• 《深入浅出Oracle》技术交流会圆满结束
  
• 推荐Kamus的新Blog
  

评论数量(2)|Add Comments

本文网址：http://www.eygle.com/archives/2008/04/kamus_oneday.html

很多人一直很困惑，如何去设置UNDO Retention和UNDO TBS的大小，其实可以根据v$undostat来做判断。

特别是UNDO TBS的大小，很大一部分取决于DBA对系统的熟悉程度（虽然算UNDO的公式很多），见过很多人，为了防止出错，把UNDO TBS设置的其大，包括UNDO Retention。

今天看文档，文档上说：

UNDO最大可以设置为：undo maximum value is 2的32次方 seconds (more than 187 years).

这下可以放心了，尽管设吧！！

从上午9:00到下午4:00，第一次庭审暂告结束。二次庭审择日进行，具体日期另行通知。

就今天我看到的新闻，我保留起诉对方律师恶意诽谤、蓄意诬陷的权利。

网络暴力肯定有组织者，而第一被告，北飞的候鸟创建人张某就是组织者。他其实就是姜岩的前男友。”据张律师说，张某在接受采访时曾表示，他是姜岩大学四年的男朋友，他在网上也写过一段悼念的文字，提及过当年和姜岩分手时的痛苦心情。“网络上有很多帖子其实就是张某发的，他本人也说过，建网站就是为了替姜岩讨回公道。

你点名道姓说我是网络行动的组织者，又说网络上很多帖子其实就是我发的，请你（如果我不是在克制自己，我会在这里加上国骂）给我举出证据来，什么行动？什么时间？我怎么组织的？哪个帖子？发表在哪里？怎么看出是我发的？

800多年前，秦桧说，“莫须有”，今天这个情景再次浮现在我的眼前。但是我相信一手遮天的事情在今天不会再发生。我一直保有着一个人不会无耻到这种地步的幻想，今天，真的让我见识到了人性的丑恶。

不多说了，感谢所有支持我们的朋友，感谢今天这么多我认识的不认识的朋友的短信关怀，感谢我的代理律师李春谊（你是我见过的最优秀的最富有激情的最负责任的律师，跟我心目中的律师形象完全吻合，我非常庆幸自己能够找到你），感谢我的老板Rocky（你的宽容让我能够有时间来应对这件事情，你一直是最好的老板），感谢我的同事Snow和Victor（你们帮我承担了原本该我去做的工作，并且给我声音上的支持）。

对于二次庭审我们还会认真准备，让支持我们的人继续，让不支持我们的人倒戈。再次感谢。

dbanotes posted a photo:

DBA就是头上悬着达摩克利斯之剑的工作,啥是达摩克利斯之剑,查了下,原文如下:

“达摩克利斯（头上）的剑”的意译，用来表示时刻存在的危险。此典出于古希腊的一个历史故事：公元前四世纪西西里东部的叙拉古王迪奥尼修斯（公元前430－367）打击了贵族势力，建立了雅典式的民主政权，但遭到了贵族的不满和反对，这使他感到虽然权力很大，但地位却不可靠。有一次他向宠臣达摩克利斯谈了这个问题，并且用形象的办法向他表明自己的看法。他为了满足一下宠臣达摩克利斯的贪欲，把宫殿交托给他，并赋予他有完全的权力来实现自己的任何欲望。这个追求虚荣、热中势利的达摩克利斯在大庆宴会时，抬头看到在自己的坐位上方天花板下，沉甸甸地倒悬着一把锋利的长剑，剑柄只有一根马鬃系着，眼看就要掉在头上，吓得他离席而逃。这时迪奥尼修斯王便走出来说道：”（达摩克利斯头上）这把利剑就是每分钟都在威胁王上的危险象征，至于王上的幸福和安乐，只不过是外表的现象而已。”

作DBA,小心呀,谨慎呀,一个不小心,后果是非常难以承受的!

记录之,提醒自己和team的兄弟.

SCOPE & APPLICATION-------------------This is intended as a reference for anyone involved in database tuning. At the moment we consider the following PX wait events as idle: - "PX Idle Wait"- "PX Deq: Execution Msg"- "PX Deq: Table Q Normal"- "PX Deq Credit: send blkd"- "PX Deq: Execute Reply"- "PX Deq Credit: need buffer"- "PX Deq: Signal ACK"- "PX Deque wait"In 9i statspack does not filter out all idle PX wait event inthe Top 5 wait event section. So it can happen that you seea PX idle wait ev...