providingpermissiondenied
permissiondenied 时间:2021-03-17 阅读:()
CopyrightIBMCorporation2009TrademarksSecureLinuxcontainerscookbookPage1of12SecureLinuxcontainerscookbookStrengthenlightweightcontainerswithSELinuxandSmackSergeE.
HallynFebruary03,2009Lightweightcontainers,otherwiseknownasVirtualPrivateServers(VPS)orJails,areoftenthoughtofasasecuritytoolsdesignedtoconfineuntrustedapplicationsorusers;butaspresentlyconstructed,thesecontainersdonotprovideadequatesecurityguarantees.
BystrengtheningthesecontainersusingSELinuxorSmackpolicy,amuchmoresecurecontainercanbeimplementedinLinux.
ThisarticleshowsyouhowtocreateamoresecureLinux-Security-Modules-protectedcontainer.
BoththeSELinuxandSmackpolicyareconsideredworksinprogress,tobeimproveduponwithhelpfromtheirrespectivecommunities.
Acommonresponsewhensomeonefirsthearsaboutcontainersis"HowdoIcreateasecurecontainer"ThisarticleanswersthatquestionbyshowingyouhowtouseLinuxSecurityModules(LSM)toimprovethesecurityofcontainers.
Inparticular,itshowsyouhowtospecifyasecuritygoalandmeetitwithboththeSmackandSELinuxsecuritymodules.
ForbackgroundreadingonLinuxContainers,see"LXC:Linuxcontainertools"(developerWorks,February2009).
LinuxcontainersarereallyaconceptualartificebuiltatopseveralLinuxtechnologies:Resourcenamespacesallowthemanipulationoflookupsofprocesses,files,SYSVIPCresources,networkinterfaces,andmore,allinsideofcontainers.
Controlgroupsallowresourcelimitstobeplacedoncontainers.
Capabilityboundingsetslimittheprivilegeavailabletocontainers.
Thesetechnologiesmustbecoordinatedinordertoprovidetheillusionofcontainers.
Twoprojectsalreadyprovidethisfunctionality:LibvirtisalargeprojectthatcancreatevirtualmachinesusingtheXenhypervisor,qemuemulator,andkvm,andalsousinglightweightcontainers.
Liblxcisasmallersetoflibrariesanduserspacecommandswritteninparttohelpkerneldevelopersquicklyandeasilytestthecontainersfunctionality.
developerWorksibm.
com/developerWorks/SecureLinuxcontainerscookbookPage2of12Because"LXC:Linuxcontainertools"waswrittenusingliblxcasitsfoundation,Iwillcontinuewithliblxchere;however,anythingwedoherecanjustaseasilybedoneusinglibvirt'scontainersupport.
Majorplayer1:LSMBeforewestart,ifyouknowlittleabouttheLSM,hereisaquickreview.
AccordingtotheWikipediaentry:LinuxSecurityModules(LSM)isaframeworkthatallowstheLinuxkerneltosupportavarietyofcomputersecuritymodelswhileavoidingfavoritismtowardanysinglesecurityimplementation.
TheframeworkislicensedunderthetermsoftheGNUGeneralPublicLicenseandisstandardpartoftheLinuxkernelsinceLinux2.
6.
.
.
.
LSMwasdesignedtoprovidethespecificneedsofeverythingneededtosuccessfullyimplementamandatoryaccesscontrolmodule,whileimposingthefewestpossiblechangestotheLinuxkernel.
LSMavoidstheapproachofsystemcallinterpositionasusedinSystracebecauseitdoesnotscaletomultiprocessorkernelsandissubjecttoTOCTTOU(race)attacks.
Instead,LSMinserts"hooks"(upcallstothemodule)ateverypointinthekernelwhereauser-levelsystemcallisabouttoresultinaccesstoanimportantinternalkernelobjectsuchasinodesandtaskcontrolblocks.
.
.
.
Theprojectisnarrowlyscopedtosolvetheproblemofaccesscontroltoavoidimposingalargeandcomplexchangepatchonthemainstreamkernel.
Itisnotintendedasageneral"hook"or"upcall"mechanism,nordoesitsupportvirtualization.
.
.
.
LSM'saccesscontrolgoalisverycloselyrelatedtotheproblemofsystemauditing,butissubtlydifferent.
Auditingrequiresthateveryattemptataccessberecorded.
LSMcannotdeliverthat,becauseitwouldrequireagreatmanymorehooks,soastodetectcaseswherethekernel"shortcircuits"failingsystemcallsandreturnsanerrorcodebeforegettingnearsignificantobjects.
Systemsecurityconsistsoftwosomewhatcontradictorygoals.
Thefirstistoachievecompleteandfine-grainedaccesscontrol.
Ateverypointthatinformationcanbeleakedorcorrupted,youmustbeabletoexertcontrol.
Controlsthataretoocoarseisthesameasbeinguncontrolled.
Forinstance,if(attheextreme)allfilesmustbeclassifiedasonetypeandanyonefilemustbeworld-readable,thenallfilesmustbeworld-readable.
Ontheotherhand,configurationmustalsobesimple,otherwiseadministratorswilloftendefaulttogivingtoomuchaccess(andIcan'temphasizethisenough--thisisthesameasbeinguncontrolled).
Forinstance,ifmakingaprogramworkrequiresthousandsofaccessrules,thenchancesareanadminwillgivetheprogramtoomanyaccessrightsratherthantestingwhethereachaccessrulewasreallyneeded.
ThetwoprimarysecuritymodulesinLinuxeachtakeadifferentviewonhowtohandlethisbalance.
SELinuxbeginsbycontrollingeverythingwhileusinganimpressivepolicylanguagetosimplifypolicymanagement.
Smackisprimarilyconcernedwithprovidingasimpleaccesscontrol.
ibm.
com/developerWorks/developerWorksSecureLinuxcontainerscookbookPage3of12Majorplayer2:SELinuxSELinuxisbyfarthemostwell-knownMACsystemforLinux(mandatoryaccesscontrol).
Whileitcertainlystillhasitsdetractors,thefactthatthepopularFedoradistributionhasbeendeployedwithSELinuxenforcingforyearsisatremendoustestamenttoitssuccess.
SELinuxisconfiguredusingamodularpolicylanguagewhichallowsaninstalledpolicytobeeasilyupdatedbyusers.
Thelanguagealsoprovidesinterfaces,allowingmorehigh-levelstatementstobeusedtorepresentacollectionoflow-level"allow"statements.
Inthisarticle,wewillbeusinganewinterfacetodefinecontainers.
Whiletheinterfaceitselfwillbequitelargeduetothemanyaccessrightsyoumustgivethecontainer,usingtheinterfacetocreateanewcontainerwillbeverysimple.
Hopefullytheinterfacecanbecomeapartofthecoredistributedpolicy.
Majorplayer3:SmackSmackistheSimplifiedMandatoryAccessControlKernel.
Itbeginsbylabelingallprocesses,files,andnetworktrafficwithsimpletextlabels.
Newlycreatedfilesarecreatedwiththelabelofthecreatingprocess.
Afewdefaulttypesalwaysexistwithclearlydefinedaccessrules.
Aprocesscanalwaysreadandwriteobjectsofthesamelabel.
PrivilegetobypasstheSmackaccessrulesarecontrolledusingPOSIXcapabilities,soataskcarryingCAP_MAC_OVERRIDEcanoverridetherules;ataskcarryingCAP_MAC_ADMINcanchangetherulesandlabels.
"POSIXfilecapabilities:Parcelingthepowerofroot"(Relatedtopics)demonstratestheseprivileges.
OursecuritygoalInsteadofsimplyblindlyapplyingpolicyandhopingtoendupwithsomethinguseful,let'sbeginbydefiningaclearsecuritygoal.
ThesimplicityofSmackactuallylimitsthegoalswecanachieve,butwe'llpursuethefollowinggoal:1.
CreatecontainerswithsegregatedfilesystemsprovidingWebandsshservices.
2.
Containerswillbeprotectedfromeachother.
Acontainerdesignatedvs1cannotreadfilesownedbyanothercontainervs2orkillitstasks.
3.
Thehostcanprotectitskeyfilesfromcontainers.
4.
TheoutsideworldcanreachtheWebserversandsshserversonthecontainers.
ThegeneralsetupInthisarticlewe'lldotwoexperiments--firstwe'llsetupcontainersprotectedbySELinux,thencontainersprotectedbySmack.
Theexperimentswillsharemuchofthepreliminarysetup.
Youcanusearealmachinetodotheseexperiments,butyoumayfinditeasierormorecomfortingtouseavirtualmachine.
Touseqemuorkvm,youcancreateaharddiskusingqemu-imgcreatevm.
img10G.
BootthevirtualmachinefromCDROMusingacommandlikekvm-hdavm.
img-cdromcdrom.
iso-bootd-m512M.
AgoodchoiceforaCDROMimageistogotofedoraproject.
org/get-fedoraanddownloadaninstallationDVDforFedora10fori386.
SubstitutethefilenameyoudownloadfordeveloperWorksibm.
com/developerWorks/SecureLinuxcontainerscookbookPage4of12cdrom.
isointhepreviouscommand.
Youcanmostlyusetheinstallationdefaults,butmakesuretounselectofficeandproductivityandselectsoftwaredevelopment.
You'llalsowanttoinstallthebridge-utils,debootstrap,andncurses-develrpms,probablyusingtheyumpackagemanager.
Nowyouneedtocompileacustomkernel.
Downloadthekernel-sourcesrpm,patchitwithenable-netns.
patch(seetheDownloadsection)toprovidenetworknamespaces(whichwillbeupstreamasof2.
6.
29butnotinFedora10),changetheconfiguration,thencompletethecompilationandinstallation,byfollowingthefollowinginstructionsasroot:yumdownloader--sourcekernelrpm-ikernel*cdrpmbuildrpmbuild-bcSPECS/kernel-*cdBUILD/kernel-2.
6.
27/linux-2.
6*patch-p1Networkingoptionsmenus).
FortheSmackexperiment,alsogointotheSecurityoptionsmenu,deselectSELinux,andselectthenextoption,Smack.
Youmayalsoneedtoswitchthedefaultbootentryin/boot/grub/grub.
confbackto0insteadof1.
Nowwewanttotryoutliblxc.
"LXC:Linuxcontainertools"describesthebasicusageofliblxcindetail,sowe'llglossoverithere.
Simplyusethecontainer_setup.
shscript(seetheDownloadsection)tosetupthebridgeonwhichcontainernetworkdeviceswilltalk.
Itwillalsoclearyourfirewall,whichbydefaultisn'tsetuptohandlethebridge,aswellassetuptheSmackpolicy(whichwe'llcreatelaterinthefile/etc/smackaccesses)ifyouaredoingtheSmackexperiment.
You'llneedtoruncontainer_setup.
shaftereachrebootorifyouknowhow,makeitrunatbootautomatically.
Nowyourmachineisready!
Let'stryoutliblxc.
Youcandownloadthelatestsourceusingcvsfromlxc.
sf.
netandcompileitusingthefollowing:cvs-d:pserver:anonymous@lxc.
cvs.
sourceforge.
net:/cvsroot/lxclogincvs-z3-d:pserver:anonymous@lxc.
cvs.
sourceforge.
net:/cvsroot/lxcco-Plxccdlxc.
/bootstrap&&.
/configure&&make&&makeinstallNowifyoulookattheREADME,you'llseetherearequiteafewoptionsforgettingstarted.
Containerscanbeextremelylightweightbecausetheycansharemanyresourceswithyoursystem--includingthefilesystem.
Butourgoalistoprovidesomesimpleisolationsowewillusethescriptlxc-debiantocreateafulldebianchrootimageforeachcontainer.
Beginbycreatingacontainernamedvsplain:ibm.
com/developerWorks/developerWorksSecureLinuxcontainerscookbookPage5of12mkdir/vsplaincd/vsplainlxc-debiancreatecontainername:vsplainhostname:vsplainIP10.
0.
2.
20gateway:10.
0.
2.
2Theconfigurationforthiscontainerisstoredunderthedirectory/usr/local/var/lxc/vsplain.
Ifyoulookatthefilecalledcgroup,you'llseesomelinesbeginningwithdevices.
.
Thesearedirectivestothedeviceswhitelistcgroupwhichwillmediatedevicecreation,read,andwritebythecontainer.
Startthiscontainerusingthecommandlxc-start-nvsplain.
You'llbepresentedwithaloginprompt.
Logintothecontainerusingusernamerootwithnopassword.
Finally,whenyourcontainerisupandrunning,youwillwanttoapt-getinstallopenssh-serverapt-getinstallapacheNowyoucansshfromthekvmhosttothecontainerandlookatitsWebpageusing10.
0.
2.
20forvsplain'sipaddressand10.
0.
2.
15forthehost's.
Youcanshutthecontainerdownatanytimefromarootterminalonthekvmhostusingthecommandlxc-stop-nvsplain.
Atthispoint,youmaywanttosaveyourselfsometimebycloningtwonewvirtualmachinesfromthistemplate.
Shutdownyourvmanddo:cpvm.
imgselinux.
imgcpvm.
imgsmack.
imgSELinux-protectedcontainersTheSELinuxpolicyforcontainerswe'llusewillconsistofapolicymodule;themodulehasbeenpostedtorefpolicy--SELinuxReferencePolicydevelopmentmaillist.
Downloadthepolicyintoadirectory/root/vs,intofilescalledvs.
if,vs.
fc,andvs.
terespectively.
Compileandinstallthenewmoduleasfollows:cp-r/usr/share/selinux/devel/usr/share/selinux/vscp/root/vs.
/usr/share/selinux/vs/cd/usr/share/selinux/vsmake&&semodule-ivs.
ppThencreatecontainers/vs1and/vs2usinglxc-debianandrelabeltheirfilesystemsusingdeveloperWorksibm.
com/developerWorks/SecureLinuxcontainerscookbookPage6of12mkdir/vs1;cd/vs1lxc-debiancreatecontainername:vs1hostname:vs1address:10.
0.
2.
21gateway:10.
0.
2.
2arch:2(i386)mkdir/vs2;cd/vs2lxc-debiancreatecontainername:vs2hostname:vs2address:10.
0.
2.
22gateway:10.
0.
2.
2arch:2(i386)fixfilesrelabel/vs1fixfilesrelabel/vs2Whenyoustartyourcontainers(forinstancebyusinglxc-start-nvs1),you'lllikelygetafewauditmessagesaboutSELinuxaccessdenials.
Don'tworry--thecontainerstartsupfinewithnetworkservicesenabledandthecontainersarenowisolated.
Ifyouhelpcontainervs1cheatusingmount--bind//vs1/rootfs.
vs1/mntbeforestartingthecontainer,you'llfindthateventhoughyouaretherootuser,ls/mnt/rootwillberefused.
Toseehowthisworks,let'slookatthevs.
ifinterfacefile.
Thisdefinesaninterfacecalledcontainerwhichtakesoneargument,thebasenameforthecontainertodefine.
Thevs.
tefilecallsthisfunctiontwicewiththecontainernamesvs1,vs2.
Intheinterface,$1isexpandedtotheargument,so$1_tbecomesvs1_twhenwecallcontainer(vs1).
(Fromhereonlet'sassumewearedefiningvs1).
Themostimportantlinesarethoseinvolvingvs1_exec_t.
Thecontainerrunsintypevs1_t.
Itentersthistypewhenunconfined_texecutesthecontainer's/sbin/initwhichisoftypevs1_exec_t.
Mostoftherestofthepolicymerelyistheretograntthecontainersufficientprivilegetoaccessbitsofthesystem:networkports,devices,consoles,etc.
Theinterfaceisaslongasitisduetothefine-grainednatureoftheexistingSELinuxreferencepolicy.
Aswe'reabouttosee,theSmack-protectedcontainerwillhaveamuchsimplerpolicy;inreturn,itwillpromisemuchlessflexibleprotectionfrommisbehavingsystemservices.
Thereisonemorethingyouneedtodo.
Youmayhavenotedthatwhilethecontainerisnotabletooverwriteits$1_exec_t,thatis/sbin/init.
Butwhatitcandoissomethinglikemv/sbin/sbin.
bakmkdir/sbintouch/sbin/initTheresulting/sbin/initwillbeoftypevs1_file_t.
WhydoyouthinkthecontaineradminwouldwanttodothisBecauseitwouldlaunchthecontainer,includingthesshdaemon,intheunconfined_tdomain,givinghimaprivilegedshellandallowinghimtoescapetheSELinuxconstraintsweweretryingtoenforce.
Topreventthis,youactuallywanttostartthecontainerthroughacustomscriptandrelabelsbin/inittovs1_exec_tbeforestartingthecontainer.
Infact,youcancopyapristinecopyofinitbackintoibm.
com/developerWorks/developerWorksSecureLinuxcontainerscookbookPage7of12thecontainerandrelabelthatifthecontaineradministratordidn'tmind.
Butwe'lljustrelabeltheexistinginit:cat>>/vs1/vs1.
sh>/vs1/vs1.
sh/proc/self/attr/currentlxc-start-nvs1/bin/dropmacadmin/sbin/initEOFchmodu+x/vs1/vs1.
shOnemorethingwillletvs1writetothetmpfsfilesystemitisgoingtomount:sed-i's/defaults/defaults,smackfsroot=vs1,smackfsdef=vs1/'\/vs1/rootfs.
vs1/etc/fstabThiswillcausethetmpfsfilesystemmountedat/dev/shmtocarrythevs1labelsothatvs1canwritetoit.
Otherwise,vs1initscriptswon'tbeabletocreatethe/dev/shm/networkdirectoryituseswhilesettingupthenetwork.
Similarly,ifyouwanttousearam-based/tmp,you'llwantthosesameoptions.
Nowagainlet'shelpvs1cheat.
Createvs2thesamewayyoucreatedvs1,substitutingvs2forvs1ateachstep.
Thenbind-mounttherootfilesystemundervs1's/mnt:mount--bind/vs1/vs1mount--make-runbindable/vs1mount--rbind//vs1/rootfs.
vs1/mntibm.
com/developerWorks/developerWorksSecureLinuxcontainerscookbookPage9of12Startthecontainerusingvs1.
sh.
NotethatyoucanstillseetheWebpageonvs1andvs2fromthekvmhost.
Notealsothatvs1cannotaccessvs2overthenetwork.
Italsocan'tlookthroughvs2'sfiles:vs1:~#ls/mnt/(directorylisting)vs1:~#ls/mnt/vs2/rootfs.
vs2ls:/mnt/vs2/rootfs.
vs2:Permissiondeniedvs1:~#mkdir/cgroupvs1:~#mount-tcgroupcgroup/cgroupvs1:~#ls/cgroupls:/mnt/vs3:Permissiondeniedvs1:~#mknod/dev/sda1b81mknod:`/dev/sda1':Operationnotpermittedvs1:~#mount/mnt/dev/sda1/tmpmount:permissiondeniedItcanlookthroughthehostfilesystem.
Anythingwewanttoprotectagainst,wecanlabelwiththehostlabel.
That'swhatwedidwiththecgroupfilesystemwhichiswhyls/cgroupfailed.
Finally,thedeviceswhitelistcgroupispreventingusfromcreatingadiskdevice,aswellasmountingitifitexists(asitdoesthrough/mnt).
Ofcourse,thewaywe'vesetthisup,thecontaineradmincanremove/mnt/dev/sda1,aswellmessupthehostinanynumberofways,sootherthanasdemonstrationthisbindmountisobviouslynotdesirable!
NotethatwhileontheSELinuxsystem,thedefault(andeasy)routewastoallowthecontainerstotalktoeachotheroverthenetwork,theinverseistrueinSmack.
Allowingcontainerstotalktoeachotheriscurrentlyveryhardtodo.
AnabilitytosetlabelsonIPaddressesiscomingsoonthoughandshouldallowustosetuppolicytoallowcontainerstocommunicate.
RelatedtohowwesetupSmacknetworking,wehaveanotherproblem.
Thecommandkill-9-1killseverytaskonthesystem.
Whendonebyataskinacontainer,thisshouldonlykilltasksinthesamecontainer.
Thatbehaviorisnowfixedintheupstreamkernel,butnotintheFedora10kernelweareusing.
Soeverytaskwillbesenta-9signal.
IntheSELinux-protectedcontainers,SELinuxstopsthesignalsfrompassingthecontainerboundary,sokill-9-1isactuallysafe.
ButinSmacktasksbydefaultarelabeled_justasthenetworkis,sosinceweallowedthecontainertowrite_toallowwritingtothenetwork,andsincekillingataskisconsideredawriteaccessbySmack,youarealsoallowingthecontaineradmintokillanytasksonthewholesystem.
Anothershortcoming(whichisalsopresentintheSELinuxcontainers)hastodowithUnix98pseudo-terminals.
Opentwographicalterminals.
Inthefirst,startupvs1andlookunder/dev/pts.
Youwillseeatleasttwoentries,0and1,onebelongingtoeachterminal.
Fromthevs1containeryouareabletowriteintotheentrycorrespondingtotheotherterminal.
WiththeFedorakerneltherearetwosolutions.
Youcanusethedevicewhitelistcgrouptodenythecontainertheabilitytoopenthedevices.
However,thiswillhavetobedonebyhandeachtimethedeveloperWorksibm.
com/developerWorks/SecureLinuxcontainerscookbookPage10of12containerisstartedinordertograntitaccesstoitsterminal;oryoucanachievethesameeffectbyapplyingSELinuxandSmacklabels.
Thenewer2.
6.
29kernelsupportsdevptsnamespaces.
Acontainerwillremount/dev/pts,afterwhichitwillbeunabletoaccessthedevptsentriesbelongingtothehostorothercontainers.
ConclusionThisarticleshowcasedthebasictoolsforcreatingLSM-protectedcontainers,butmuchworkremainstobedone:ForSmack,youmustchoosefilestolabelashost.
ForSELinux,youshouldfine-tuneandthenpushacontainerinterfaceintotheupstreamreferencepolicy.
Whilesuchworkisongoing,anduntilmoreexperienceisgainedwithLSM-protectedcontainers,youshouldnotputallyourtrustinthesemechanismstoprotectagainstanuntrustedrootuser.
Althoughtherearenoestablishedbestpracticesforcreatingcontainersyet(thatIknowof),thereareafewideasworthstartingwith.
First,rememberyouareconsolidatingtwosomewhatcontradictorygoals:Youwanttominimizeduplicationamongcontainers(andthehost)whileneedingtoensureisolation.
Onewaytoachievethesegoalscouldbetocreateasinglefullminimalrootfsinwhichnocontainerrunsandlabelingitatypewhichallcontainerscanread.
Thenuseacustomversionofthelxc-sshdscripttocreateeachactualcontainerbasedontheprototype,creatingread-onlymountsformostofthecontainer'sfilesystemwhileprovidingaprivatewritableplaceforthecontainertostorefiles,saylike/scratch.
Sinceeachcontainerhasaprivatemountsnamespace,itcanbind-mountanyfilesordirectorieswhichitneedstobeprivateand/orwriteablefromitsprivateshareddirectory.
Forinstance,ifitwantsaprivate/lib,itcanmount--bind/scratch/rootfs/lib/lib.
Likewise,theadmincanensurethateverycontainerdoesmount--bind/scratch/shadow/etc/shadowatstartup.
OneclearlimitationoftheapproachIdemonstratedherewithbothSELinuxandSmackisthatthecontaineradministratorcannotexploitLSMtocontrolinformationflowwithinhisowncontainer.
Rather,forsimplicity,alltasksinthecontaineraretreatedthesamebyMACpolicy.
Inanotherarticle,IhopetoexplorehowtoallowcontaineradministratorstospecifytheirownLSMpolicieswithoutallowingthemtoescapetheirowncontraints.
ThismaterialisbaseduponworksupportedbytheDefenseAdvancedResearchProjectsAgencyunderitsAgreementNo.
HR0011-07-9-0002.
AcknowledgmentsCaseySchaufler,theauthorofSmack,helpedingettingtheSmack-protectedcontainerofftheground,andDanWalshwaskindenoughtoprovidefeedbackontheSELinuxpolicy.
ibm.
com/developerWorks/developerWorksSecureLinuxcontainerscookbookPage11of12DownloadableresourcesDescriptionNameSizeCodeforthisarticlecode.
zip3KBdeveloperWorksibm.
com/developerWorks/SecureLinuxcontainerscookbookPage12of12Relatedtopics"LXC:Linuxcontainertools"(developerWorks,February2009)isastep-by-stepguidetocreatingLinuxcontainers.
Therefpolicy--SELinuxReferencePolicydevelopmentmaillistiswhereyou'llfindthepolicymoduleweusedinthisarticle.
"SELinuxfromscratch"(developerWorks,May2006)isadetailedintroductiontoSELinux.
PlanetSELinuxisanaggregationofblogpostsfrommembersoftheSELinuxdevelopmentcommunity.
"Smackforsimplifiedaccesscontrol"(LWN.
net,August2007)isanearlywriteupontheSmacksubmission.
LinuxResourceContainersprojectonSourceForge.
netisarepositoryofcodeforapplicationcontainerimplementationintheLinuxkernel,astagingareaforcodethatmaybesenttothelinux-kernelmailinglist.
OthercontainertechnologiesincludeSolarisZones(Solaris)BSDjails(FreeBSD)Linux-Vserver(Linux)OpenVZ(Linux)InthedeveloperWorksLinuxzone,findmoreresourcesforLinuxdevelopers(includingdeveloperswhoarenewtoLinux),andscanourmostpopulararticlesandtutorials.
SeeallLinuxtipsandLinuxtutorialsondeveloperWorks.
SELinuxcontainerspolicyCopyrightIBMCorporation2009(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
HallynFebruary03,2009Lightweightcontainers,otherwiseknownasVirtualPrivateServers(VPS)orJails,areoftenthoughtofasasecuritytoolsdesignedtoconfineuntrustedapplicationsorusers;butaspresentlyconstructed,thesecontainersdonotprovideadequatesecurityguarantees.
BystrengtheningthesecontainersusingSELinuxorSmackpolicy,amuchmoresecurecontainercanbeimplementedinLinux.
ThisarticleshowsyouhowtocreateamoresecureLinux-Security-Modules-protectedcontainer.
BoththeSELinuxandSmackpolicyareconsideredworksinprogress,tobeimproveduponwithhelpfromtheirrespectivecommunities.
Acommonresponsewhensomeonefirsthearsaboutcontainersis"HowdoIcreateasecurecontainer"ThisarticleanswersthatquestionbyshowingyouhowtouseLinuxSecurityModules(LSM)toimprovethesecurityofcontainers.
Inparticular,itshowsyouhowtospecifyasecuritygoalandmeetitwithboththeSmackandSELinuxsecuritymodules.
ForbackgroundreadingonLinuxContainers,see"LXC:Linuxcontainertools"(developerWorks,February2009).
LinuxcontainersarereallyaconceptualartificebuiltatopseveralLinuxtechnologies:Resourcenamespacesallowthemanipulationoflookupsofprocesses,files,SYSVIPCresources,networkinterfaces,andmore,allinsideofcontainers.
Controlgroupsallowresourcelimitstobeplacedoncontainers.
Capabilityboundingsetslimittheprivilegeavailabletocontainers.
Thesetechnologiesmustbecoordinatedinordertoprovidetheillusionofcontainers.
Twoprojectsalreadyprovidethisfunctionality:LibvirtisalargeprojectthatcancreatevirtualmachinesusingtheXenhypervisor,qemuemulator,andkvm,andalsousinglightweightcontainers.
Liblxcisasmallersetoflibrariesanduserspacecommandswritteninparttohelpkerneldevelopersquicklyandeasilytestthecontainersfunctionality.
developerWorksibm.
com/developerWorks/SecureLinuxcontainerscookbookPage2of12Because"LXC:Linuxcontainertools"waswrittenusingliblxcasitsfoundation,Iwillcontinuewithliblxchere;however,anythingwedoherecanjustaseasilybedoneusinglibvirt'scontainersupport.
Majorplayer1:LSMBeforewestart,ifyouknowlittleabouttheLSM,hereisaquickreview.
AccordingtotheWikipediaentry:LinuxSecurityModules(LSM)isaframeworkthatallowstheLinuxkerneltosupportavarietyofcomputersecuritymodelswhileavoidingfavoritismtowardanysinglesecurityimplementation.
TheframeworkislicensedunderthetermsoftheGNUGeneralPublicLicenseandisstandardpartoftheLinuxkernelsinceLinux2.
6.
.
.
.
LSMwasdesignedtoprovidethespecificneedsofeverythingneededtosuccessfullyimplementamandatoryaccesscontrolmodule,whileimposingthefewestpossiblechangestotheLinuxkernel.
LSMavoidstheapproachofsystemcallinterpositionasusedinSystracebecauseitdoesnotscaletomultiprocessorkernelsandissubjecttoTOCTTOU(race)attacks.
Instead,LSMinserts"hooks"(upcallstothemodule)ateverypointinthekernelwhereauser-levelsystemcallisabouttoresultinaccesstoanimportantinternalkernelobjectsuchasinodesandtaskcontrolblocks.
.
.
.
Theprojectisnarrowlyscopedtosolvetheproblemofaccesscontroltoavoidimposingalargeandcomplexchangepatchonthemainstreamkernel.
Itisnotintendedasageneral"hook"or"upcall"mechanism,nordoesitsupportvirtualization.
.
.
.
LSM'saccesscontrolgoalisverycloselyrelatedtotheproblemofsystemauditing,butissubtlydifferent.
Auditingrequiresthateveryattemptataccessberecorded.
LSMcannotdeliverthat,becauseitwouldrequireagreatmanymorehooks,soastodetectcaseswherethekernel"shortcircuits"failingsystemcallsandreturnsanerrorcodebeforegettingnearsignificantobjects.
Systemsecurityconsistsoftwosomewhatcontradictorygoals.
Thefirstistoachievecompleteandfine-grainedaccesscontrol.
Ateverypointthatinformationcanbeleakedorcorrupted,youmustbeabletoexertcontrol.
Controlsthataretoocoarseisthesameasbeinguncontrolled.
Forinstance,if(attheextreme)allfilesmustbeclassifiedasonetypeandanyonefilemustbeworld-readable,thenallfilesmustbeworld-readable.
Ontheotherhand,configurationmustalsobesimple,otherwiseadministratorswilloftendefaulttogivingtoomuchaccess(andIcan'temphasizethisenough--thisisthesameasbeinguncontrolled).
Forinstance,ifmakingaprogramworkrequiresthousandsofaccessrules,thenchancesareanadminwillgivetheprogramtoomanyaccessrightsratherthantestingwhethereachaccessrulewasreallyneeded.
ThetwoprimarysecuritymodulesinLinuxeachtakeadifferentviewonhowtohandlethisbalance.
SELinuxbeginsbycontrollingeverythingwhileusinganimpressivepolicylanguagetosimplifypolicymanagement.
Smackisprimarilyconcernedwithprovidingasimpleaccesscontrol.
ibm.
com/developerWorks/developerWorksSecureLinuxcontainerscookbookPage3of12Majorplayer2:SELinuxSELinuxisbyfarthemostwell-knownMACsystemforLinux(mandatoryaccesscontrol).
Whileitcertainlystillhasitsdetractors,thefactthatthepopularFedoradistributionhasbeendeployedwithSELinuxenforcingforyearsisatremendoustestamenttoitssuccess.
SELinuxisconfiguredusingamodularpolicylanguagewhichallowsaninstalledpolicytobeeasilyupdatedbyusers.
Thelanguagealsoprovidesinterfaces,allowingmorehigh-levelstatementstobeusedtorepresentacollectionoflow-level"allow"statements.
Inthisarticle,wewillbeusinganewinterfacetodefinecontainers.
Whiletheinterfaceitselfwillbequitelargeduetothemanyaccessrightsyoumustgivethecontainer,usingtheinterfacetocreateanewcontainerwillbeverysimple.
Hopefullytheinterfacecanbecomeapartofthecoredistributedpolicy.
Majorplayer3:SmackSmackistheSimplifiedMandatoryAccessControlKernel.
Itbeginsbylabelingallprocesses,files,andnetworktrafficwithsimpletextlabels.
Newlycreatedfilesarecreatedwiththelabelofthecreatingprocess.
Afewdefaulttypesalwaysexistwithclearlydefinedaccessrules.
Aprocesscanalwaysreadandwriteobjectsofthesamelabel.
PrivilegetobypasstheSmackaccessrulesarecontrolledusingPOSIXcapabilities,soataskcarryingCAP_MAC_OVERRIDEcanoverridetherules;ataskcarryingCAP_MAC_ADMINcanchangetherulesandlabels.
"POSIXfilecapabilities:Parcelingthepowerofroot"(Relatedtopics)demonstratestheseprivileges.
OursecuritygoalInsteadofsimplyblindlyapplyingpolicyandhopingtoendupwithsomethinguseful,let'sbeginbydefiningaclearsecuritygoal.
ThesimplicityofSmackactuallylimitsthegoalswecanachieve,butwe'llpursuethefollowinggoal:1.
CreatecontainerswithsegregatedfilesystemsprovidingWebandsshservices.
2.
Containerswillbeprotectedfromeachother.
Acontainerdesignatedvs1cannotreadfilesownedbyanothercontainervs2orkillitstasks.
3.
Thehostcanprotectitskeyfilesfromcontainers.
4.
TheoutsideworldcanreachtheWebserversandsshserversonthecontainers.
ThegeneralsetupInthisarticlewe'lldotwoexperiments--firstwe'llsetupcontainersprotectedbySELinux,thencontainersprotectedbySmack.
Theexperimentswillsharemuchofthepreliminarysetup.
Youcanusearealmachinetodotheseexperiments,butyoumayfinditeasierormorecomfortingtouseavirtualmachine.
Touseqemuorkvm,youcancreateaharddiskusingqemu-imgcreatevm.
img10G.
BootthevirtualmachinefromCDROMusingacommandlikekvm-hdavm.
img-cdromcdrom.
iso-bootd-m512M.
AgoodchoiceforaCDROMimageistogotofedoraproject.
org/get-fedoraanddownloadaninstallationDVDforFedora10fori386.
SubstitutethefilenameyoudownloadfordeveloperWorksibm.
com/developerWorks/SecureLinuxcontainerscookbookPage4of12cdrom.
isointhepreviouscommand.
Youcanmostlyusetheinstallationdefaults,butmakesuretounselectofficeandproductivityandselectsoftwaredevelopment.
You'llalsowanttoinstallthebridge-utils,debootstrap,andncurses-develrpms,probablyusingtheyumpackagemanager.
Nowyouneedtocompileacustomkernel.
Downloadthekernel-sourcesrpm,patchitwithenable-netns.
patch(seetheDownloadsection)toprovidenetworknamespaces(whichwillbeupstreamasof2.
6.
29butnotinFedora10),changetheconfiguration,thencompletethecompilationandinstallation,byfollowingthefollowinginstructionsasroot:yumdownloader--sourcekernelrpm-ikernel*cdrpmbuildrpmbuild-bcSPECS/kernel-*cdBUILD/kernel-2.
6.
27/linux-2.
6*patch-p1Networkingoptionsmenus).
FortheSmackexperiment,alsogointotheSecurityoptionsmenu,deselectSELinux,andselectthenextoption,Smack.
Youmayalsoneedtoswitchthedefaultbootentryin/boot/grub/grub.
confbackto0insteadof1.
Nowwewanttotryoutliblxc.
"LXC:Linuxcontainertools"describesthebasicusageofliblxcindetail,sowe'llglossoverithere.
Simplyusethecontainer_setup.
shscript(seetheDownloadsection)tosetupthebridgeonwhichcontainernetworkdeviceswilltalk.
Itwillalsoclearyourfirewall,whichbydefaultisn'tsetuptohandlethebridge,aswellassetuptheSmackpolicy(whichwe'llcreatelaterinthefile/etc/smackaccesses)ifyouaredoingtheSmackexperiment.
You'llneedtoruncontainer_setup.
shaftereachrebootorifyouknowhow,makeitrunatbootautomatically.
Nowyourmachineisready!
Let'stryoutliblxc.
Youcandownloadthelatestsourceusingcvsfromlxc.
sf.
netandcompileitusingthefollowing:cvs-d:pserver:anonymous@lxc.
cvs.
sourceforge.
net:/cvsroot/lxclogincvs-z3-d:pserver:anonymous@lxc.
cvs.
sourceforge.
net:/cvsroot/lxcco-Plxccdlxc.
/bootstrap&&.
/configure&&make&&makeinstallNowifyoulookattheREADME,you'llseetherearequiteafewoptionsforgettingstarted.
Containerscanbeextremelylightweightbecausetheycansharemanyresourceswithyoursystem--includingthefilesystem.
Butourgoalistoprovidesomesimpleisolationsowewillusethescriptlxc-debiantocreateafulldebianchrootimageforeachcontainer.
Beginbycreatingacontainernamedvsplain:ibm.
com/developerWorks/developerWorksSecureLinuxcontainerscookbookPage5of12mkdir/vsplaincd/vsplainlxc-debiancreatecontainername:vsplainhostname:vsplainIP10.
0.
2.
20gateway:10.
0.
2.
2Theconfigurationforthiscontainerisstoredunderthedirectory/usr/local/var/lxc/vsplain.
Ifyoulookatthefilecalledcgroup,you'llseesomelinesbeginningwithdevices.
.
Thesearedirectivestothedeviceswhitelistcgroupwhichwillmediatedevicecreation,read,andwritebythecontainer.
Startthiscontainerusingthecommandlxc-start-nvsplain.
You'llbepresentedwithaloginprompt.
Logintothecontainerusingusernamerootwithnopassword.
Finally,whenyourcontainerisupandrunning,youwillwanttoapt-getinstallopenssh-serverapt-getinstallapacheNowyoucansshfromthekvmhosttothecontainerandlookatitsWebpageusing10.
0.
2.
20forvsplain'sipaddressand10.
0.
2.
15forthehost's.
Youcanshutthecontainerdownatanytimefromarootterminalonthekvmhostusingthecommandlxc-stop-nvsplain.
Atthispoint,youmaywanttosaveyourselfsometimebycloningtwonewvirtualmachinesfromthistemplate.
Shutdownyourvmanddo:cpvm.
imgselinux.
imgcpvm.
imgsmack.
imgSELinux-protectedcontainersTheSELinuxpolicyforcontainerswe'llusewillconsistofapolicymodule;themodulehasbeenpostedtorefpolicy--SELinuxReferencePolicydevelopmentmaillist.
Downloadthepolicyintoadirectory/root/vs,intofilescalledvs.
if,vs.
fc,andvs.
terespectively.
Compileandinstallthenewmoduleasfollows:cp-r/usr/share/selinux/devel/usr/share/selinux/vscp/root/vs.
/usr/share/selinux/vs/cd/usr/share/selinux/vsmake&&semodule-ivs.
ppThencreatecontainers/vs1and/vs2usinglxc-debianandrelabeltheirfilesystemsusingdeveloperWorksibm.
com/developerWorks/SecureLinuxcontainerscookbookPage6of12mkdir/vs1;cd/vs1lxc-debiancreatecontainername:vs1hostname:vs1address:10.
0.
2.
21gateway:10.
0.
2.
2arch:2(i386)mkdir/vs2;cd/vs2lxc-debiancreatecontainername:vs2hostname:vs2address:10.
0.
2.
22gateway:10.
0.
2.
2arch:2(i386)fixfilesrelabel/vs1fixfilesrelabel/vs2Whenyoustartyourcontainers(forinstancebyusinglxc-start-nvs1),you'lllikelygetafewauditmessagesaboutSELinuxaccessdenials.
Don'tworry--thecontainerstartsupfinewithnetworkservicesenabledandthecontainersarenowisolated.
Ifyouhelpcontainervs1cheatusingmount--bind//vs1/rootfs.
vs1/mntbeforestartingthecontainer,you'llfindthateventhoughyouaretherootuser,ls/mnt/rootwillberefused.
Toseehowthisworks,let'slookatthevs.
ifinterfacefile.
Thisdefinesaninterfacecalledcontainerwhichtakesoneargument,thebasenameforthecontainertodefine.
Thevs.
tefilecallsthisfunctiontwicewiththecontainernamesvs1,vs2.
Intheinterface,$1isexpandedtotheargument,so$1_tbecomesvs1_twhenwecallcontainer(vs1).
(Fromhereonlet'sassumewearedefiningvs1).
Themostimportantlinesarethoseinvolvingvs1_exec_t.
Thecontainerrunsintypevs1_t.
Itentersthistypewhenunconfined_texecutesthecontainer's/sbin/initwhichisoftypevs1_exec_t.
Mostoftherestofthepolicymerelyistheretograntthecontainersufficientprivilegetoaccessbitsofthesystem:networkports,devices,consoles,etc.
Theinterfaceisaslongasitisduetothefine-grainednatureoftheexistingSELinuxreferencepolicy.
Aswe'reabouttosee,theSmack-protectedcontainerwillhaveamuchsimplerpolicy;inreturn,itwillpromisemuchlessflexibleprotectionfrommisbehavingsystemservices.
Thereisonemorethingyouneedtodo.
Youmayhavenotedthatwhilethecontainerisnotabletooverwriteits$1_exec_t,thatis/sbin/init.
Butwhatitcandoissomethinglikemv/sbin/sbin.
bakmkdir/sbintouch/sbin/initTheresulting/sbin/initwillbeoftypevs1_file_t.
WhydoyouthinkthecontaineradminwouldwanttodothisBecauseitwouldlaunchthecontainer,includingthesshdaemon,intheunconfined_tdomain,givinghimaprivilegedshellandallowinghimtoescapetheSELinuxconstraintsweweretryingtoenforce.
Topreventthis,youactuallywanttostartthecontainerthroughacustomscriptandrelabelsbin/inittovs1_exec_tbeforestartingthecontainer.
Infact,youcancopyapristinecopyofinitbackintoibm.
com/developerWorks/developerWorksSecureLinuxcontainerscookbookPage7of12thecontainerandrelabelthatifthecontaineradministratordidn'tmind.
Butwe'lljustrelabeltheexistinginit:cat>>/vs1/vs1.
sh>/vs1/vs1.
sh/proc/self/attr/currentlxc-start-nvs1/bin/dropmacadmin/sbin/initEOFchmodu+x/vs1/vs1.
shOnemorethingwillletvs1writetothetmpfsfilesystemitisgoingtomount:sed-i's/defaults/defaults,smackfsroot=vs1,smackfsdef=vs1/'\/vs1/rootfs.
vs1/etc/fstabThiswillcausethetmpfsfilesystemmountedat/dev/shmtocarrythevs1labelsothatvs1canwritetoit.
Otherwise,vs1initscriptswon'tbeabletocreatethe/dev/shm/networkdirectoryituseswhilesettingupthenetwork.
Similarly,ifyouwanttousearam-based/tmp,you'llwantthosesameoptions.
Nowagainlet'shelpvs1cheat.
Createvs2thesamewayyoucreatedvs1,substitutingvs2forvs1ateachstep.
Thenbind-mounttherootfilesystemundervs1's/mnt:mount--bind/vs1/vs1mount--make-runbindable/vs1mount--rbind//vs1/rootfs.
vs1/mntibm.
com/developerWorks/developerWorksSecureLinuxcontainerscookbookPage9of12Startthecontainerusingvs1.
sh.
NotethatyoucanstillseetheWebpageonvs1andvs2fromthekvmhost.
Notealsothatvs1cannotaccessvs2overthenetwork.
Italsocan'tlookthroughvs2'sfiles:vs1:~#ls/mnt/(directorylisting)vs1:~#ls/mnt/vs2/rootfs.
vs2ls:/mnt/vs2/rootfs.
vs2:Permissiondeniedvs1:~#mkdir/cgroupvs1:~#mount-tcgroupcgroup/cgroupvs1:~#ls/cgroupls:/mnt/vs3:Permissiondeniedvs1:~#mknod/dev/sda1b81mknod:`/dev/sda1':Operationnotpermittedvs1:~#mount/mnt/dev/sda1/tmpmount:permissiondeniedItcanlookthroughthehostfilesystem.
Anythingwewanttoprotectagainst,wecanlabelwiththehostlabel.
That'swhatwedidwiththecgroupfilesystemwhichiswhyls/cgroupfailed.
Finally,thedeviceswhitelistcgroupispreventingusfromcreatingadiskdevice,aswellasmountingitifitexists(asitdoesthrough/mnt).
Ofcourse,thewaywe'vesetthisup,thecontaineradmincanremove/mnt/dev/sda1,aswellmessupthehostinanynumberofways,sootherthanasdemonstrationthisbindmountisobviouslynotdesirable!
NotethatwhileontheSELinuxsystem,thedefault(andeasy)routewastoallowthecontainerstotalktoeachotheroverthenetwork,theinverseistrueinSmack.
Allowingcontainerstotalktoeachotheriscurrentlyveryhardtodo.
AnabilitytosetlabelsonIPaddressesiscomingsoonthoughandshouldallowustosetuppolicytoallowcontainerstocommunicate.
RelatedtohowwesetupSmacknetworking,wehaveanotherproblem.
Thecommandkill-9-1killseverytaskonthesystem.
Whendonebyataskinacontainer,thisshouldonlykilltasksinthesamecontainer.
Thatbehaviorisnowfixedintheupstreamkernel,butnotintheFedora10kernelweareusing.
Soeverytaskwillbesenta-9signal.
IntheSELinux-protectedcontainers,SELinuxstopsthesignalsfrompassingthecontainerboundary,sokill-9-1isactuallysafe.
ButinSmacktasksbydefaultarelabeled_justasthenetworkis,sosinceweallowedthecontainertowrite_toallowwritingtothenetwork,andsincekillingataskisconsideredawriteaccessbySmack,youarealsoallowingthecontaineradmintokillanytasksonthewholesystem.
Anothershortcoming(whichisalsopresentintheSELinuxcontainers)hastodowithUnix98pseudo-terminals.
Opentwographicalterminals.
Inthefirst,startupvs1andlookunder/dev/pts.
Youwillseeatleasttwoentries,0and1,onebelongingtoeachterminal.
Fromthevs1containeryouareabletowriteintotheentrycorrespondingtotheotherterminal.
WiththeFedorakerneltherearetwosolutions.
Youcanusethedevicewhitelistcgrouptodenythecontainertheabilitytoopenthedevices.
However,thiswillhavetobedonebyhandeachtimethedeveloperWorksibm.
com/developerWorks/SecureLinuxcontainerscookbookPage10of12containerisstartedinordertograntitaccesstoitsterminal;oryoucanachievethesameeffectbyapplyingSELinuxandSmacklabels.
Thenewer2.
6.
29kernelsupportsdevptsnamespaces.
Acontainerwillremount/dev/pts,afterwhichitwillbeunabletoaccessthedevptsentriesbelongingtothehostorothercontainers.
ConclusionThisarticleshowcasedthebasictoolsforcreatingLSM-protectedcontainers,butmuchworkremainstobedone:ForSmack,youmustchoosefilestolabelashost.
ForSELinux,youshouldfine-tuneandthenpushacontainerinterfaceintotheupstreamreferencepolicy.
Whilesuchworkisongoing,anduntilmoreexperienceisgainedwithLSM-protectedcontainers,youshouldnotputallyourtrustinthesemechanismstoprotectagainstanuntrustedrootuser.
Althoughtherearenoestablishedbestpracticesforcreatingcontainersyet(thatIknowof),thereareafewideasworthstartingwith.
First,rememberyouareconsolidatingtwosomewhatcontradictorygoals:Youwanttominimizeduplicationamongcontainers(andthehost)whileneedingtoensureisolation.
Onewaytoachievethesegoalscouldbetocreateasinglefullminimalrootfsinwhichnocontainerrunsandlabelingitatypewhichallcontainerscanread.
Thenuseacustomversionofthelxc-sshdscripttocreateeachactualcontainerbasedontheprototype,creatingread-onlymountsformostofthecontainer'sfilesystemwhileprovidingaprivatewritableplaceforthecontainertostorefiles,saylike/scratch.
Sinceeachcontainerhasaprivatemountsnamespace,itcanbind-mountanyfilesordirectorieswhichitneedstobeprivateand/orwriteablefromitsprivateshareddirectory.
Forinstance,ifitwantsaprivate/lib,itcanmount--bind/scratch/rootfs/lib/lib.
Likewise,theadmincanensurethateverycontainerdoesmount--bind/scratch/shadow/etc/shadowatstartup.
OneclearlimitationoftheapproachIdemonstratedherewithbothSELinuxandSmackisthatthecontaineradministratorcannotexploitLSMtocontrolinformationflowwithinhisowncontainer.
Rather,forsimplicity,alltasksinthecontaineraretreatedthesamebyMACpolicy.
Inanotherarticle,IhopetoexplorehowtoallowcontaineradministratorstospecifytheirownLSMpolicieswithoutallowingthemtoescapetheirowncontraints.
ThismaterialisbaseduponworksupportedbytheDefenseAdvancedResearchProjectsAgencyunderitsAgreementNo.
HR0011-07-9-0002.
AcknowledgmentsCaseySchaufler,theauthorofSmack,helpedingettingtheSmack-protectedcontainerofftheground,andDanWalshwaskindenoughtoprovidefeedbackontheSELinuxpolicy.
ibm.
com/developerWorks/developerWorksSecureLinuxcontainerscookbookPage11of12DownloadableresourcesDescriptionNameSizeCodeforthisarticlecode.
zip3KBdeveloperWorksibm.
com/developerWorks/SecureLinuxcontainerscookbookPage12of12Relatedtopics"LXC:Linuxcontainertools"(developerWorks,February2009)isastep-by-stepguidetocreatingLinuxcontainers.
Therefpolicy--SELinuxReferencePolicydevelopmentmaillistiswhereyou'llfindthepolicymoduleweusedinthisarticle.
"SELinuxfromscratch"(developerWorks,May2006)isadetailedintroductiontoSELinux.
PlanetSELinuxisanaggregationofblogpostsfrommembersoftheSELinuxdevelopmentcommunity.
"Smackforsimplifiedaccesscontrol"(LWN.
net,August2007)isanearlywriteupontheSmacksubmission.
LinuxResourceContainersprojectonSourceForge.
netisarepositoryofcodeforapplicationcontainerimplementationintheLinuxkernel,astagingareaforcodethatmaybesenttothelinux-kernelmailinglist.
OthercontainertechnologiesincludeSolarisZones(Solaris)BSDjails(FreeBSD)Linux-Vserver(Linux)OpenVZ(Linux)InthedeveloperWorksLinuxzone,findmoreresourcesforLinuxdevelopers(includingdeveloperswhoarenewtoLinux),andscanourmostpopulararticlesandtutorials.
SeeallLinuxtipsandLinuxtutorialsondeveloperWorks.
SELinuxcontainerspolicyCopyrightIBMCorporation2009(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
- providingpermissiondenied相关文档
- 协商permissiondenied
- 4.permissiondenied
- termpermissiondenied
- Settingpermissiondenied
- 用户permissiondenied
- 5.permissiondenied
CloudCone月付$48,MC机房可小时付费
CloudCone商家在前面的文章中也有多次介绍,他们家的VPS主机还是蛮有特点的,和我们熟悉的DO、Linode、VuLTR商家很相似可以采用小时时间计费,如果我们不满意且不需要可以删除机器,这样就不扣费,如果希望用的时候再开通。唯独比较吐槽的就是他们家的产品太过于单一,一来是只有云服务器,而且是机房就唯一的MC机房。CloudCone 这次四周年促销活动期间,商家有新增独立服务器业务。同样的C...
80VPS:香港服务器月付420元;美国CN2 GIA独服月付650元;香港/日本/韩国/美国多IP站群服务器750元/月
80vps怎么样?80vps最近新上了香港服务器、美国cn2服务器,以及香港/日本/韩国/美国多ip站群服务器。80vps之前推荐的都是VPS主机内容,其实80VPS也有独立服务器业务,分布在中国香港、欧美、韩国、日本、美国等地区,可选CN2或直连优化线路。如80VPS香港独立服务器最低月付420元,美国CN2 GIA独服月付650元起,中国香港、日本、韩国、美国洛杉矶多IP站群服务器750元/月...
新加坡云服务器 1核2Gg 46元/月 香港云服务器 1核2G 74元/月 LightNode
LightNode是一家成立于2002年,总部位于香港的VPS服务商。提供基于KVM虚拟化技术.支持CentOS、Ubuntu或者Windows等操作系统。公司名:厦门靠谱云股份有限公司官方网站:https://www.lightnode.com拥有高质量香港CN2 GIA与东南亚节点(河内、曼谷、迪拜等)。最低月付7.71美金,按时付费,可随时取消。灵活满足开发建站、游戏应用、外贸电商等需求。首...
permissiondenied为你推荐
-
沙滩捡12块石头价值近百万圣经中约旦河边的十二个石头摩拜超15分钟加钱摩拜单车不是按骑行时间收费吗,我怎么只要开锁就要支付一元(而且只骑十几分钟)摩根币摩根币到底是什么是不是骗局mathplayer西南交大网页上的 Mathplayer 安装了为什么还是用不了?www.vtigu.com如图,已知四边形ABCD是平行四边形,下列条件:①AC=BD,②AB=AD,③∠1=∠2④AB⊥BC中,能说明平行四边形www.vtigu.com如图所示的RT三角形ABC中,角B=90°(初三二次根式)30 如图所示的RT三角形ABC中,角B=90°,点p从点B开始沿BA边以1厘米每秒的速度向A移动;同时,点Q也从点B开始沿BC边以2厘米每秒的速度向点C移动。问:几秒后三角形PBQ的面积为35平方厘米?PQ的距离是多少www.544qq.COM跪求:天时达T092怎么下载QQbaqizi.cc曹操跟甄洛是什么关系梦遗姐男人梦遗,女人会吗?175qq.comhttp://www.qq10008.com/这个网页是真的吗?