|
Server : Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.2.17 System : Linux localhost 2.6.18-419.el5 #1 SMP Fri Feb 24 22:47:42 UTC 2017 x86_64 User : nobody ( 99) PHP Version : 5.2.17 Disable Function : NONE Directory : /usr/share/locale/ko/LC_MESSAGES/ |
Upload File : |
ޕ����p���
���œ��•���
������p ��g���q ��h���٠��|���B
��;��¿
��;��û
��A��7
��E��y��Ž���¿��©���N��ð���ø��•���é��…���������…�����œ���ž��ž���;��…���Ú��}���`��}���Þ��}���\�����Ú�� ��Z��‡���d��Š���ì��œ���w��›�����Œ���°��Œ���=
�����Ê
��„���J
��þ���Ï
����Î
��
��ã ��.���!����/"��Á���?#����$��(��%��Ì���.&��-��û&�����)(��ß���*)��ð���
*����û*��°���ý+��5��®,��R���ä-��G���7.��b���.��l���â.��L���O/��U���œ/��N���ò/��W���A0��`���™0��H���ú0��N���C1��E���’1��G���Ø1��N��� 2��d���o2��M���Ô2��O���"3��a���r3��X���Ô3��X���-4��V���†4��C��Ý4��»��!7��]���Ý8��¹���;9��^���õ9��_���T:��¼���´:��_���q;��¼���Ñ;��Z���Ž<��]���é<��?���G=��V���‡=��Ó��Þ=��¶��²@��Y���iC��]��ÃC��X���!F��Z���zF��Ï��ÕF��Õ��¥H��z���{J��|��öJ��†���sL��ƒ��úL��–��~N��
���P�����#P�����(P�����,P�����@P��
���DP��
���OP�����[P�����`P�����gP�����mP��
���tP��
���‚P�����P�����“P����™P��
���«Q�����¶Q��C��¼Q��€����S��z���S��Ž���üS��y��‹T��w��V��Š��}W��†��Y��®���Z��Ö���>[��F��\��µ���\]��œ���^��X��¯^��“���`��¯���œ`��¬���La��•���ùa�����b��“��� c��“���³c��’���Gd����Úd��™���òe��¢���Œf��ž���/g��Å���Îg��¨���”h��ª���=i��Ÿ���èi��¬���ˆj����5k��|��Nl��„��Ëm��–��Po��P��çp����8r��p��:s��’��«t����>v��‰��Sw��d��Ýx����Bz��J��K{��V��–|��ß���í}��n��Í~��n���<€��d���«€��k��������|��T���ü��R���Q‚��[���¤‚��c����ƒ��o���dƒ��S���Ôƒ��_���(„��H���ˆ„��N���Ñ„��W��� …��n���x…��U���ç…��X���=†��\���–†��d���ó†��k���X‡��V���ć��ú��ˆ��V��‹��f���m��ú���Ô��g���ÏŽ��h���7��ý��� ��h���ž��ü���‘��f���’��g���k’��V���Ó’��f���*“����‘“��˜��—��r���¬š��3�� ›��q���Sž��i���Åž��Z��/Ÿ��]��Š¡��¨���è£��$��‘¤�� ���¶¦��Ñ��W§��Ö��)©��
����«�����«�����«�����«�����/«�����3«�����D«�����U«�����\«�����c«�� ���j«�����t«��
���ˆ«�����•«�����›«��g��¡«��
��� �������������������������=���&���
������F���1���S���6���
���
�������D��� ���
���*���d���?���������������
���J�������C������g���5���7���_���V���f���^�������2������8���"���o����������A���h�������4�������K���l���n�������E�������������R�������G���!���P���)���b���.�������9���i���B���0���/����������@����������� ���W������'���
�����������������>�������\���#���X����������p���L���Y���M���������Q���<�������I���(���+�����������`�����������[������T�������%�������N���
���j���$���3�������]���c����������;���U��� ���������������Z������m���a���e���-�����������O���,������H���:���k�������������
Changing the "$BOOLEAN" boolean to true will allow this access:
"setsebool -P $BOOLEAN=1"
�
Changing the "$BOOLEAN" boolean to true will allow this access:
"setsebool -P $BOOLEAN=1."
�
Changing the "allow_ftpd_use_nfs" boolean to true will allow this access:
"setsebool -P allow_ftpd_use_nfs=1."
�
If ftp should be allowed to write to this directory you need to turn
on the $BOOLEAN boolean and change the file context of
the public directory to public_content_rw_t. Read the rsync_selinux
man page for further information:
"setsebool -P $BOOLEAN=1; chcon -t public_content_rw_t <path>"
�
If ftp should be allowed to write to this directory you need to turn
on the $BOOLEAN boolean and change the file context of
the public directory to public_content_rw_t. Read the samba_selinux
man page for further information:
"setsebool -P $BOOLEAN=1; chcon -t public_content_rw_t <path>"
�
If httpd scripts should be allowed to write to public directories you need to turn on the $BOOLEAN boolean and change the file context of the public directory to public_content_rw_t. Read the httpd_selinux
man page for further information:
"setsebool -P $BOOLEAN=1; chcon -t public_content_rw_t <path>"
�
If the ftp daemon should be allowed to write to this directory you need to turn
on the $BOOLEAN boolean and change the file context of
the public directory to public_content_rw_t. Read the ftpd_selinux
man page for further information:
"setsebool -P $BOOLEAN=1; chcon -t public_content_rw_t <path>"
�
If you allow the management of the kernel modules on your machine,
turn off the $BOOLEAN boolean: "setsebool -P
$BOOLEAN=0".
�
If you do not want SELinux preventing ftp from writing files anywhere on
the system you need to turn on the $BOOLEAN boolean: "setsebool -P
$BOOLEAN=1"
�
If you want a confined domain to use these files you will probably
need to relabel the file/directory with chcon. In some cases it is just
easier to relabel the system, to relabel execute: "touch
/.autorelabel; reboot"
�
If you want ftp to allow users access to their home directories
you need to turn on the $BOOLEAN boolean: "setsebool -P
$BOOLEAN=1"
�
If you want httpd to allow database connections you need to turn on the
$BOOLEAN boolean: "setsebool -P
$BOOLEAN=1"
�
If you want httpd to be able to run a particular shell script,
you can label it with chcon -t httpd_sys_script_exec_t SCRIPTFILE. If you
want httpd to be able execute any shell script you need to turn on
the $BOOLEAN boolean: "setsebool -P $BOOLEAN=1"
�
If you want httpd to connect to httpd/ftp ports you need to turn
on the $BOOLEAN boolean: "setsebool -P
$BOOLEAN=1"
�
If you want httpd to connect to network ports you need to turn on the
httpd_can_network_network_connect boolean: "setsebool -P
$BOOLEAN=1"
�
If you want named to run as a secondary server and accept zone
transfers you need to turn on the $BOOLEAN boolean: "setsebool -P
$BOOLEAN=1"
�
If you want ppp to be able to insert kernel modules you need to
turn on the $BOOLEAN boolean: "setsebool -P $BOOLEAN=1"
�
If you want samba to share home directories you need to turn on
the $BOOLEAN boolean: "setsebool -P $BOOLEAN=1"
�
If you want samba to share nfs file systems you need to turn on
the $BOOLEAN boolean: "setsebool -P $BOOLEAN=1"
�
If you want spamd to share home directories you need to turn on
the $BOOLEAN boolean: "setsebool -P $BOOLEAN=1"
�
If you want squid to connect to network ports you need to turn on
the $BOOLEAN boolean: "setsebool -P $BOOLEAN=1"
�
If you want the SSL Tunnel to run as a daemon you need to turn on
the $BOOLEAN boolean: "setsebool -P $BOOLEAN=1". You also need to
tell SELinux which port SSL Tunnel will be running on. semanage
port -a -t stunnel_port_t -p tcp $PORT_NUMBER
�
If you want the http daemon to share home directories you need to
turn on the $BOOLEAN boolean: "setsebool -P $BOOLEAN=1"
�
If you want the http daemon to use built in scripting you need to
enable the $BOOLEAN boolean: "setsebool -P
$BOOLEAN=1"
�
If you want the sasl authentication daemon to be able to read
the /etc/shadow file change the $BOOLEAN boolean: "setsebool -P
$BOOLEAN=1".
�
If you want to allow user programs to run as TCP Servers, you can turn on the user_tcp_server boolean, by executing:
setsebool -P $BOOLEAN=1
�
If you want to allow zebra to overwrite its configuration you must
turn on the $BOOLEAN boolean: "setsebool -P
$BOOLEAN=1"
�
If you want to export a public file systems using nfs you need to
turn on the $BOOLEAN boolean: "setsebool -P
$BOOLEAN=1".
�
If you want to export file systems using nfs you need to turn on
the $BOOLEAN boolean: "setsebool -P $BOOLEAN=1".
�
If you want to export writable file systems using nfs you need to turn on the $BOOLEAN boolean: "setsebool -P $BOOLEAN=1".
�
If you want to modify the way SELinux is running on your machine
you need to bring the machine to single user mode with enforcing
turned off. The turn off the secure_mode_policyload boolean:
"setsebool -P secure_mode_policyload=0".
�
SELinux denied cvs access to $TARGET_PATH.
If this is a CVS repository it has to have a file context label of
cvs_data_t. If you did not intend to use $TARGET_PATH as a cvs repository
it could indicate either a bug or it could signal a intrusion attempt.
�
SELinux denied rsync access to $TARGET_PATH.
If this is a RSYNC repository it has to have a file context label of
rsync_data_t. If you did not intend to use $TARGET_PATH as a rsync repository
it could indicate either a bug or it could signal a intrusion attempt.
�
SELinux denied samba access to $TARGET_PATH.
If you want to share this directory with samba it has to have a file context label of
samba_share_t. If you did not intend to use $TARGET_PATH as a samba repository
it could indicate either a bug or it could signal a intrusion attempt.
�
SELinux has denied kernel module utilities from modifying
kernel modules. This machine is hardened to not allow the kernel to
be modified, except in single user mode. If you did not try to
manage a kernel module, this probably signals an intrusion.
�
SELinux has denied the Point-to-Point Protocol daemon from
inserting a kernel module. If pppd is not setup to insert kernel
modules, this probably signals a intrusion attempt.
�
SELinux has denied the ftp daemon access to users home directories
($TARGET_PATH). Someone is attempting to login via your ftp daemon
to a user account. If you only setup ftp to allow anonymous ftp,
this could signal a intrusion attempt.
�
SELinux has denied the ftp daemon write access to directories outside
the home directory ($TARGET_PATH). Someone has logged in via
your ftp daemon and is trying to create or write a file. If you only setup
ftp to allow anonymous ftp, this could signal a intrusion attempt.
�
SELinux has denied the management tools from modifying the way the
SELinux policy runs. This machine is hardened if you did not run
any SELinux tools, this probably signals an intrusion.
�
SELinux has denied the named daemon from writing zone
files. Ordinarily, named is not required to write to these files.
Only secondary servers should be required to write to these
directories. If this machine is not a secondary server, this
could signal a intrusion attempt.
�
SELinux has denied the samba daemon access to nfs file
systems. Someone is attempting to access an nfs file system via
your samba daemon. If you did not setup samba to share nfs file
systems, this probably signals a intrusion attempt.
�
SELinux has denied the sasl authentication daemon from reading the
/etc/shadow file. If the sasl authentication daemon (saslauthd) is
not setup to read the /etc/shadow, this could signals an
intrusion.
�
SELinux has denied the squid daemon from connecting to
$PORT_NUMBER. By default squid policy is setup to deny squid
connections. If you did not setup squid to network connections,
this could signal a intrusion attempt.
�
SELinux has denied the zebra daemon from writing out its
configuration files. Ordinarily, zebra is not required to write
its configuration files. If zebra was not setup to write the
config files, this could signal a intrusion attempt.
�
SELinux has preventing the nfs daemon (nfsd) from writing files on the local system. If you have not exported any file systems (rw), this could signals an intrusion.
�
SELinux has preventing the nfs daemon (nfsd) from writing to
directories marked as public. Usually these directories are
shared between multiple network daemons, like nfs, apache, ftp
etc. If you have not exported any public file systems for
writing, this could signal an intrusion.
�
SELinux is preventing access to files with the default label, default_t.
�
SELinux is preventing access to files with the label, file_t.
�
SELinux is preventing the ftp daemon from reading users home directories ($TARGET_PATH).
�
SELinux is preventing the ftp daemon from writing files outside the home directory ($TARGET_PATH).
�
SELinux is preventing the http daemon from acting as a ftp server.
�
SELinux is preventing the http daemon from communicating with the terminal.
�
SELinux is preventing the http daemon from connecting to a database.
�
SELinux is preventing the http daemon from connecting to network port $PORT_NUMBER�
SELinux is preventing the http daemon from connecting to the itself or the relay ports
�
SELinux is preventing the http daemon from executing a shell script�
SELinux is preventing the http daemon from using built-in scripting.
�
SELinux is preventing the kernel modules from being loaded.
�
SELinux is preventing the modification of the running policy.
�
SELinux is preventing the named daemon from writing to the zone directory�
SELinux is preventing the nfs daemon from allowing clients to write to public directories.
�
SELinux is preventing the ppp daemon from inserting kernel modules.
�
SELinux is preventing the samba daemon from reading nfs file systems.
�
SELinux is preventing the sasl authentication server from reading the /etc/shadow file.
�
SELinux is preventing the squid daemon from connecting to network port $PORT_NUMBER�
SELinux is preventing the users from running TCP servers in the usedomain.
�
SELinux is preventing the zebra daemon from writing its configurations files
�
SELinux permission checks on files labeled default_t are being
denied. These files/directories have the default label on them. This can
indicate a labeling problem, especially if the files being referred
to are not top level directories. Any files/directories under standard system directories, /usr,
/var. /dev, /tmp, ..., should not be labeled with the default
label. The default label is for files/directories which do not have a label on a
parent directory. So if you create a new directory in / you might
legitimately get this label.
�
SELinux permission checks on files labeled file_t are being
denied. file_t is the context the SELinux kernel gives to files
that do not have a label. This indicates a serious labeling
problem. No files on an SELinux box should ever be labeled file_t.
If you have just added a new disk drive to the system you can
relabel it using the restorecon command. Otherwise you should
relabel the entire files system.
�
SELinux policy is preventing the ftp daemon from writing to a public
directory.
�
SELinux policy is preventing the ftp daemon from writing to a public
directory. If ftpd is not setup to allow anonymous writes, this
could signal a intrusion attempt.
�
SELinux policy is preventing the http daemon from writing to a public
directory.
�
SELinux policy is preventing the rsync daemon from writing to a public
directory.
�
SELinux policy is preventing the rsync daemon from writing to a public
directory. If rsync is not setup to allow anonymous writes, this
could signal a intrusion attempt.
�
SELinux policy is preventing the samba daemon from writing to a public
directory.
�
SELinux policy is preventing the samba daemon from writing to a public
directory. If samba is not setup to allow anonymous writes, this
could signal a intrusion attempt.
�
SELinux prevented a java plugin ($SOURCE_TYPE) from making the stack executable.
�
SELinux prevented a mplayer plugin ($SOURCE_TYPE) from making the stack executable.
�
SELinux prevented httpd $ACCESS access to http files.
�
SELinux prevented the CVS application from reading the shadow password file.
�
SELinux prevented the CVS application from reading the shadow password file.
The CVS application requires this access when it is configured for direct
connection (i.e., pserver) and to authenticate to the system password / shadow
files without PAM. It is possible that this access request signals an intrusion
attempt.
It is recommended that CVS be configured to use PAM, authenticate to a separate
user file, or use another protocol (e.g., ssh) instead of allowing this access.
See the CVS manual for more details on why this access is potentially insecure
(<a href="http://ximbiot.com/cvs/manual/cvs-1.11.22/cvs_2.html">http://ximbiot.com/cvs/manual/cvs-1.11.22/cvs_2.html</a>).
�
SELinux prevented the ftp daemon from $ACCESS files stored on a CIFS filesystem.
CIFS (Comment Internet File System) is a network filesystem similar to
SMB (<a href="http://www.microsoft.com/mind/1196/cifs.asp">http://www.microsoft.com/mind/1196/cifs.asp</a>)
The ftp daemon attempted to read one or more files or directories from
a mounted filesystem of this type. As CIFS filesystems do not support
fine-grained SELinux labeling, all files and directories in the
filesystem will have the same security context.
If you have not configured the ftp daemon to read files from a CIFS filesystem
this access attempt could signal an intrusion attempt.
�
SELinux prevented the ftp daemon from $ACCESS files stored on a CIFS filesytem.
�
SELinux prevented the ftp daemon from $ACCESS files stored on a NFS filesystem.
NFS (Network Filesystem) is a network filesystem commonly used on Unix / Linux
systems.
The ftp daemon attempted to read one or more files or directories from
a mounted filesystem of this type. As NFS filesystems do not support
fine-grained SELinux labeling, all files and directories in the
filesystem will have the same security context.
If you have not configured the ftp daemon to read files from a NFS filesystem
this access attempt could signal an intrusion attempt.
�
SELinux prevented the ftp daemon from $ACCESS files stored on a NFS filesytem.
�
SELinux prevented the gss daemon from reading unprivileged user temporary files.
�
SELinux prevented the java plugin ($SOURCE_TYPE) from making the stack
executable. An executable stack should not be required by any
software (see <a href="http://people.redhat.com/drepper/selinux-mem.html">SELinux Memory Protection Tests</a>
for more information). However, some versions of the Java plugin are known
to require this access to work properly. You should check for updates
to the software before allowing this access.
�
SELinux prevented the mplayer plugin ($SOURCE_TYPE) from making the stack
executable. An executable stack should not be required by any
software (see <a href="http://people.redhat.com/drepper/selinux-mem.html">SELinux Memory Protection Tests</a>
for more information). However, some versions of the mplayer plugin are known
to require this access to work properly. You should check for updates
to the software before allowing this access.
�
You can execute the following command as root to relabel your
computer system: "touch /.autorelabel; reboot"
�
You can generate a local policy module to allow this
access - see <a href="http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385">FAQ</a>
Or you can disable SELinux protection altogether. Disabling
SELinux protection is not recommended.
Please file a <a href="http://bugzilla.redhat.com/bugzilla/enter_bug.cgi">bug report</a>
against this package.
� If you want the http daemon to listen on the ftp port, you need to
enable the $BOOLEAN boolean: "setsebool -P $BOOLEAN=1"
� Changing the "$BOOLEAN" and
"$WRITE_BOOLEAN" booleans to true will allow this access:
"setsebool -P $BOOLEAN=1 $WRITE_BOOLEAN=1".
warning: setting the "$WRITE_BOOLEAN" boolean to true will
allow the ftp daemon to write to all public content (files and
directories with type public_content_t) in addition to writing to
files and directories on CIFS filesystems. � Changing the "allow_ftpd_use_nfs" and
"$WRITE_BOOLEAN" booleans to true will allow this access:
"setsebool -P allow_ftpd_use_nfs=1 $WRITE_BOOLEAN=1".
warning: setting the "$WRITE_BOOLEAN" boolean to true will
allow the ftp daemon to write to all public content (files and
directories with type public_content_t) in addition to writing to
files and directories on NFS filesystems. �Authorization�CRON�CVS�Domain Name Service�FTP�File Label�File System�Java�Kernel�Media�Memory�Network Ports�Networking�RSYNC�SAMBA�SELinux prevented the gss daemon from
reading unprivileged user temporary files (e.g., files in /tmp). Allowing this
access is low risk, but if you have not configured the gss daemon to
read these files this access request could signal an intrusion
attempt.�Web Server�Zebra�Project-Id-Version: ko
Report-Msgid-Bugs-To:
POT-Creation-Date: 2008-02-01 15:24-0500
PO-Revision-Date: 2007-01-17 10:43+1000
Last-Translator: Eunju Kim <eukim@redhat.com>
Language-Team: Korean <ko@li.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Generator: KBabel 1.9.1
�
"$BOOLEAN" ë¶€ìš¸ì„ trueë¡œ 변경하는 ê²ƒì€ ì´ëŸ¬í•œ 액세스를 허용합니다:
"setsebool -P $BOOLEAN=1"
�
"$BOOLEAN" ë¶€ìš¸ì„ trueë¡œ 변경하여 ì´ëŸ¬í•œ 액세스를 허용합니다:
"setsebool -P $BOOLEAN=1."
�
"allow_ftpd_use_nfs" ë¶€ìš¸ì„ trueë¡œ 변경하여 ì´ëŸ¬í•œ 액세스를 허용합니다:
"setsebool -P allow_ftpd_use_nfs=1."
�
ftpê°€ ì´ëŸ¬í•œ ë””ë ‰í† ë¦¬ì— ì“°ëŠ” ê²ƒì„ í—ˆìš©í•˜ì‹œë ¤ë©´ $BOOLEAN 부울ì„
ìž‘ë™ì‹œí‚¤ì‹œê³ 공개 ë””ë ‰í† ë¦¬ì˜ íŒŒì¼ ë¬¸ë§¥ì„ public_content_rw_të¡œ
변경하시기 ë°”ëžë‹ˆë‹¤. 보다 ìžì„¸í•œ ì •ë³´ëŠ” rsync_selinux 메뉴얼 페ì´ì§€ì—ì„œ
보실 수 있습니다:
"setsebool -P $BOOLEAN=1; chcon -t public_content_rw_t <path>"
�
ftpê°€ ì´ëŸ¬í•œ ë””ë ‰í† ë¦¬ì— ì“°ëŠ” ê²ƒì„ í—ˆìš©í•˜ì‹œë ¤ë©´ $BOOLEAN ë¶€ìš¸ì„ ìž‘ë™ì‹œí‚¤ì‹œê³
공개 ë””ë ‰í† ë¦¬ì˜ íŒŒì¼ ë¬¸ë§¥ì„ public_content_rw_të¡œ 변경하시기 ë°”ëžë‹ˆë‹¤.
보다 ìžì„¸í•œ ì •ë³´ëŠ” samba_selinux 메뉴얼 페ì´ì§€ë¥¼ ì½ì–´ë³´ì‹œê¸° ë°”ëžë‹ˆë‹¤:
"setsebool -P $BOOLEAN=1; chcon -t public_content_rw_t <path>"
�
httpd 스í¬ë¦½íŠ¸ê°€ 공개 ë””ë ‰í† ë¦¬ì— ì“°ëŠ” ê²ƒì„ í—ˆìš©í•˜ì‹œë ¤ë©´ $BOOLEAN ë¶€ìš¸ì„ ìž‘ë™ì‹œí‚¤ì…”야 하며 공개 ë””ë ‰í† ë¦¬ì˜ íŒŒì¼ ë‚´ìš©ì„ public_content_rw_të¡œ 변경하시기 ë°”ëžë‹ˆë‹¤. 보다 ìžì„¸í•œ ì •ë³´ëŠ” httpd_selinux 메뉴얼 페ì´ì§€ì—ì„œ
ì½ì–´ë³´ì‹œê¸° ë°”ëžë‹ˆë‹¤:
"setsebool -P $BOOLEAN=1; chcon -t public_content_rw_t <path>"
�
ftp ë°ëª¬ì´ ì´ ë””ë ‰í† ë¦¬ì— ì“°ëŠ” ê²ƒì„ í—ˆìš©í•˜ê³ ìž í•˜ì‹ ë‹¤ë©´
$BOOLEAN ë¶€ìš¸ì„ ìž‘ë™ì‹œí‚¤ì‹œê³ 공개 ë””ë ‰í† ë¦¬ì˜ íŒŒì¼ ë¬¸ë§¥ì„
public_content_rw_të¡œ 변경하시기 ë°”ëžë‹ˆë‹¤. 보다 ìžì„¸í•œ ì •ë³´ëŠ”
ftpd_selinux 메뉴얼 페ì´ì§€ë¥¼ ì½ì–´ë³´ì‹œê¸° ë°”ëžë‹ˆë‹¤:
"setsebool -P $BOOLEAN=1; chcon -t public_content_rw_t <path>"
�
ì»´í“¨í„°ì— ì»¤ë„ ëª¨ë“ˆì˜ ê´€ë¦¬ë¥¼ í—ˆìš©í•˜ì‹œê³ ìž í• ê²½ìš°,
$BOOLEAN ë¶€ìš¸ì„ ìž‘ë™ì‹œí‚¤ì§€ 않으셔야 합니다: "setsebool -P
$BOOLEAN=0".
�
SELinuxì—ì„œ ftpê°€ 시스템 ìƒì˜ ì–´ëŠê³³ì—나 파ì¼ì„ 쓰지 못하게 하는 ê²ƒì„ ì›í•˜ì§€ 않으실 경우
$BOOLEAN ë¶€ìš¸ì„ ìž‘ë™ì‹œí‚¤ì…”야 합니다: "setsebool -P
$BOOLEAN=1"
�
ì œí•œëœ ë„ë©”ì¸ì´ ì´ëŸ¬í•œ 파ì¼ì„ 사용하게 í•˜ì‹œë ¤ë©´ chconì„ ì‚¬ìš©í•˜ì—¬
ë””ë ‰í† ë¦¬ì˜ ë ˆì´ë¸”ì„ ë³€ê²½í•˜ì…”ì•¼ 합니다. ê²½ìš°ì— ë”°ë¼ì„œ ë ˆì´ë¸”ì„ ë³€ê²½í•˜ê¸° 위해
시스템 ë ˆì´ë¸”ì„ ë³€ê²½í•˜ëŠ” ê²ƒì´ ê°„íŽ¸í• ìˆ˜ ë„ ìžˆìŠµë‹ˆë‹¤: "touch
/.autorelabel; reboot"
�
ftpê°€ ì‚¬ìš©ìž í™ˆ ë””ë ‰í† ë¦¬ì— ì‚¬ìš©ìž ì•¡ì„¸ìŠ¤í•˜ëŠ” ê²ƒì„ í—ˆìš©í•˜ì‹œë ¤ë©´
$BOOLEAN ë¶€ìš¸ì„ ìž‘ë™ì‹œí‚¤ì…”야 합니다: "setsebool -P
$BOOLEAN=1"
�
httpdê°€ ë°ì´íƒ€ë² ì´ìŠ¤ ì—°ê²°ì„ í—ˆìš©í•˜ê²Œ í•˜ì‹œë ¤ë©´
$BOOLEAN ë¶€ìš¸ì„ ìž‘ë™ì‹œí‚¤ì…”야 합니다: "setsebool -P
$BOOLEAN=1"
�
httpdê°€ íŠ¹ì • 쉘 스í¬ë¦½ì„ ì‹¤í–‰í• ìˆ˜ 있게 í•˜ì‹œë ¤ë©´, ì´ë¥¼
chcon -t httpd_sys_script_exec_t SCRIPTFILEì„ ì‚¬ìš©í•˜ì—¬ ë ˆì´ë¸”합니다.
ì–´ë–¤ 쉘 스í¬ë¦½íŠ¸ë„ ì‹¤í–‰í• ìˆ˜ 있ë„ë¡ í•˜ê¸° 위해 httpd를 ì›í•˜ì‹¤ 경우, $BOOLEAN 부울ì„
ìž‘ë™ì‹œí‚¤ì…”야 합니다: "setsebool -P $BOOLEAN=1"
�
httpdê°€ httpd/ftp í¬íŠ¸ë¡œ 연결하게 í•˜ì‹œë ¤ë©´
$BOOLEAN ë¶€ìš¸ì„ ìž‘ë™ì‹œí‚¤ì…”야 합니다: "setsebool -P
$BOOLEAN=1"
�
httpdê°€ ë„¤íŠ¸ì›Œí¬ í¬íŠ¸ë¡œ 연결하게 í•˜ì‹œë ¤ë©´
httpd_can_network_network_connect ë¶€ìš¸ì„ ìž‘ë™ì‹œí‚¤ì…”야 합니다: "setsebool -P
$BOOLEAN=1"
�
namedê°€ 2ì°¨ 서버로 ìž‘ë™í•˜ê³ ì˜ì— ì „ì†¡ì„ ìˆ˜ìš©í•˜ê²Œ í•˜ì‹œë ¤ë©´
$BOOLEAN ë¶€ìš¸ì„ ìž‘ë™ì‹œí‚¤ì…”야 합니다: "setsebool -P
$BOOLEAN=1"
�
pppê°€ ì»¤ë„ ëª¨ë“ˆì„ ì‚½ìž…í• ìˆ˜ 있ë„ë¡ í•˜ì‹œë ¤ë©´
$BOOLEAN ë¶€ìš¸ì„ ìž‘ë™ì‹œí‚¤ì…”야 합니다: "setsebool -P $BOOLEAN=1"
�
sambaê°€ 홈 ë””ë ‰í† ë¦¬ë¥¼ ê³µìœ í•˜ê²Œ í•˜ì‹œë ¤ë©´
$BOOLEAN ë¶€ìš¸ì„ ìž‘ë™ì‹œí‚¤ì…”야 합니다: "setsebool -P $BOOLEAN=1"
�
sambaê°€ nfs íŒŒì¼ ì‹œìŠ¤í…œì„ ê³µìœ í•˜ê²Œ í•˜ì‹œë ¤ë©´
$BOOLEAN ë¶€ìš¸ì„ ìž‘ë™ì‹œí‚¤ì…”야 합니다: "setsebool -P $BOOLEAN=1"
�
spamdê°€ 홈 ë””ë ‰í† ë¦¬ë¥¼ ê³µìœ í•˜ê³ ìž í•˜ì‹¤ 경우
$BOOLEAN ë¶€ìš¸ì„ ìž‘ë™ì‹œí‚¤ì…”야 합니다: "setsebool -P $BOOLEAN=1"
�
squidê°€ ë„¤íŠ¸ì›Œí¬ í¬íŠ¸ì— 연결하게 í•˜ì‹œë ¤ë©´
$BOOLEAN ë¶€ìš¸ì„ ìž‘ë™ì‹œí‚¤ì…”야 합니다: "setsebool -P $BOOLEAN=1"
�
SSL í„°ë„ì´ ë°ëª¬ìœ¼ë¡œ 실행하게 í•˜ì‹œë ¤ë©´ $BOOLEAN 부울ì„
ìž‘ë™ì‹œí‚¤ì…”야 합니다: "setsebool -P $BOOLEAN=1". í¬íŠ¸ SSL í„°ë„ì´
실행ë˜ëŠ” SELinux를 ì•Œë ¤ì£¼ì–´ì•¼ 합니다. semanage
port -a -t stunnel_port_t -p tcp $PORT_NUMBER
�
http ë°ëª¬ì´ 홈 ë””ë ‰í† ë¦¬ë¥¼ ê³µìœ í•˜ê²Œ í•˜ì‹œë ¤ë©´
$BOOLEAN ë¶€ìš¸ì„ ìž‘ë™ì‹œí‚¤ì…”야 합니다: "setsebool -P
$BOOLEAN=1"
�
http ë°ëª¬ì´ ë‚´ìž¥ëœ ìŠ¤í¬ë¦½íŠ¸ë¥¼ 사용하게 í•˜ì‹œë ¤ë©´
$BOOLEAN ë¶€ìš¸ì„ í™œì„±í™”ì‹œí‚¤ì…”ì•¼ 합니다: "setsebool -P
$BOOLEAN=1"
�
sasl ì¸ì¦ ë°ëª¬ì´ /etc/shadow 파ì¼ì„ ì½ì„ 수 있게 í•˜ì‹œë ¤ë©´
$BOOLEAN ë¶€ìš¸ì„ ë³€ê²½í•˜ì‹ì‹œì˜¤: "setsebool -P
$BOOLEAN=1".
�
ì‚¬ìš©ìž í”„ë¡œê·¸ëž¨ì´ TCP 서버로 실행하는 ê²ƒì„ í—ˆìš©í•˜ì‹œë ¤ë©´, 다ìŒì„ 실행하여, user_tcp_server ë¶€ìš¸ì„ ìž‘ë™ì‹œí‚¤ì…”야 합니다:
setsebool -P $BOOLEAN=1
�
zebraê°€ ì„¤ì •ì„ ë®ì–´ì“°ê²Œ 하는 ê²ƒì„ í—ˆìš©í•˜ê³ ìž í•˜ì‹¤ 경우
$BOOLEAN ë¶€ìš¸ì„ ìž‘ë™ì‹œí‚¤ì…”야 합니다: "setsebool -P
$BOOLEAN=1"
�
nfs를 사용하여 공개 íŒŒì¼ ì‹œìŠ¤í…œì„ ë‚´ë³´ë‚´ê³ ìž í•˜ì‹ ë‹¤ë©´
$BOOLEAN ë¶€ìš¸ì„ ìž‘ë™ì‹œí‚¤ì…”야 합니다: "setsebool -P
$BOOLEAN=1".
�
nfs를 사용하여 íŒŒì¼ ì‹œìŠ¤í…œì„ ë‚´ë³´ë‚´ì‹œê³ ìž í• ê²½ìš°
$BOOLEAN ë¶€ìš¸ì„ ìž‘ë™ì‹œí‚¤ì…”야 합니다: "setsebool -P $BOOLEAN=1".
�
nfs를 사용하여 쓰기가능 í•œ íŒŒì¼ ì‹œìŠ¤í…œì„ ë‚´ë³´ë‚´ì‹œê³ ìž í• ê²½ìš° $BOOLEAN ë¶€ìš¸ì„ ìž‘ë™ì‹œí‚¤ì…”야 합니다: "setsebool -P $BOOLEAN=1".
�
컴퓨터ì—ì„œì˜ SELinux 실행 ë°©ë²•ì„ ìˆ˜ì •í•˜ê³ ìž í•˜ì‹¤ 경우 ê°•ì œë¥¼ í•´ì œí•˜ì—¬
싱글 ì‚¬ìš©ìž ëª¨ë“œë¡œ 컴퓨터를 실행합니다. secure_mode_policyload 부울ì„
ìž‘ë™ì‹œí‚¤ì§€ 않습니다:
"setsebool -P secure_mode_policyload=0".
�
SELinux는 $TARGET_PATHë¡œ cvs 액세스하는 ê²ƒì„ ê±°ë¶€í•©ë‹ˆë‹¤.
ì´ê²ƒì´ CVS 리í¬ì§€í„°ë¦¬ì¼ 경우 cvs_data_tì˜ íŒŒì¼ ë¬¸ë§¥ ë ˆì´ë¸”ì„
ê°€ì§€ê³ ìžˆì–´ì•¼ 합니다. cvs 리í¬ì§€í„°ë¦¬ë¡œ $TARGET_PATH를 ì‚¬ìš©í•˜ê³ ìž í•˜ì§€
않으실 경우 버그가 나타나거나 ë˜ëŠ” ì¹¨ìž…ì„ ì‹œë„했다는 ì‹ í˜¸ê°€ ë‚˜íƒ€ë‚ ìˆ˜ 있습니다.
�
SELinux는 $TARGET_PATHë¡œ rsync 액세스하는 ê²ƒì„ ê±°ë¶€í•©ë‹ˆë‹¤.
ì´ê²ƒì´ RSYNC 리í¬ì§€í„°ë¦¬ì¼ 경우 rsync_data_tì˜ íŒŒì¼ ë¬¸ë§¥ ë ˆì´ë¸”ì„
ê°€ì§€ê³ ìžˆì–´ì•¼ 합니다. rsync 리í¬ì§€í„°ë¦¬ë¡œ $TARGET_PATH를 ì‚¬ìš©í•˜ê³ ìž í•˜ì§€
않으실 경우 버그가 나타나거나 ë˜ëŠ” ì¹¨ìž…ì„ ì‹œë„했다는 ì‹ í˜¸ê°€ ë‚˜íƒ€ë‚ ìˆ˜ 있습니다.
�
SELinux는 $TARGET_PATHë¡œ samba 액세스하는 ê²ƒì„ ê±°ë¶€í•©ë‹ˆë‹¤.
ì´ ë””ë ‰í† ë¦¬ë¥¼ samba와 ê³µìœ í•˜ê³ ìž í•˜ì‹¤ 경우 samba_share_tì˜ íŒŒì¼ ë¬¸ë§¥ ë ˆì´ë¸”ì„
ê°€ì§€ê³ ìžˆì–´ì•¼ 합니다. samba 리í¬ì§€í„°ë¦¬ë¡œ $TARGET_PATH를 ì‚¬ìš©í•˜ê³ ìž í•˜ì§€
않으실 경우 버그가 나타나거나 ë˜ëŠ” ì¹¨ìž…ì„ ì‹œë„했다는 ì‹ í˜¸ê°€ ë‚˜íƒ€ë‚ ìˆ˜ 있습니다.
�
SELinux는 ì»¤ë„ ëª¨ë“ˆì„ ìˆ˜ì •í•˜ëŠ” 것으로 부터 ì»¤ë„ ëª¨ë“ˆ ìœ í‹¸ë¦¬í‹°ë¥¼
거부합니다. 싱글 ì‚¬ìš©ìž ëª¨ë“œë¥¼ ì œì™¸í•˜ê³ ì»¤ë„ì´ ìˆ˜ì •ë˜ì§€ 않게 하기 위해
컴퓨터 ë³´ì•ˆì´ ê°•í™”ë©ë‹ˆë‹¤. ì»¤ë„ ëª¨ë“ˆì„ ê´€ë¦¬í•˜ì§€ 않으실 경우,
침입 ì‹ í˜¸ê°€ ë‚˜íƒ€ë‚ ê²ƒìž…ë‹ˆë‹¤.
�
SELinux는 ì»¤ë„ ëª¨ë“ˆì„ ì‚½ìž…í•˜ëŠ” 것ì—ì„œ PPP(Point-to-Point Protocol) ë°ëª¬ì„
거부합니다. ì»¤ë„ ëª¨ë“ˆì„ ì‚½ìž…í•˜ê¸° 위해 pppdê°€ ì„¤ì •ë˜ì§€ ì•Šì€ ê²½ìš°,
ì¹¨ìž…ì„ ì‹œë„했다는 ì‹ í˜¸ê°€ ë‚˜íƒ€ë‚ ê²ƒìž…ë‹ˆë‹¤.
�
SELinux는 ftp ë°ëª¬ì´ ì‚¬ìš©ìž í™ˆ ë””ë ‰í† ë¦¬($TARGET_PATH)ë¡œ 액세스하는
ê²ƒì„ ê±°ë¶€í•©ë‹ˆë‹¤. 누군가가 ì—¬ëŸ¬ë¶„ì˜ ftp ë°ëª¬ì„ 사용하여 ì‚¬ìš©ìž ê³„ì •ìœ¼ë¡œ
로그ì¸ì„ ì‹œë„합니다. ìµëª…ì˜ ftp를 허용하기 위해 ftpë§Œì„ ì„¤ì •í•˜ì‹ ê²½ìš°,
ì¹¨ìž„ì„ ì‹œë„했다는 ì‹ í˜¸ê°€ ë‚˜íƒ€ë‚ ìˆ˜ 있습니다.
�
SELinux는 ì‚¬ìš©ìž í™ˆ ë””ë ‰í† ë¦¬($TARGET_PATH) ì™¸ë¶€ì˜ ë””ë ‰í† ë¦¬ë¡œ ftp ë°ëª¬ 쓰기 액세스를
거부합니다. 누군가가 ì—¬ëŸ¬ë¶„ì˜ ftp ë°ëª¬ì„ 통해 로그ì¸í•˜ì—¬ 파ì¼ì„
ìƒì„±í•˜ê±°ë‚˜ íŒŒì¼ ì“°ê¸°ë¥¼ í•˜ë ¤í•©ë‹ˆë‹¤. ìµëª…ì˜ ftp를 허용하기 위해 ftpë§Œì„ ì„¤ì •í•˜ì‹ ê²½ìš°,
ì¹¨ìž„ì„ ì‹œë„했다는 ì‹ í˜¸ê°€ ë‚˜íƒ€ë‚ ìˆ˜ 있습니다.
�
SELinux는 SELinux ì •ì±… 실행 ë°©ë²•ì„ ìˆ˜ì •í•˜ëŠ” 것으로 부터 관리 ë„구
거부합니다. ì–´ë–¤ SELinux ë„구ë¼ë„ 실행하지 않으실 경우 컴퓨터 보안ì€
ê°•í™”ë©ë‹ˆë‹¤, ì¹¨ìž…ì„ ì‹œë„했다는 ì‹ í˜¸ê°€ ë‚˜íƒ€ë‚ ê²ƒìž…ë‹ˆë‹¤.
�
SELinux는 ì˜ì— 파ì¼ì— 기ë¡í•˜ëŠ” 것으로 부터 named ë°ëª¬ì„ 거부합니다.
ì¼ë°˜ì 으로, named는 ì´ëŸ¬í•œ 파ì¼ì— 기ë¡í•˜ê¸° 위해 요구ë˜ì§€ 않습니다.
ì´ëŸ¬í•œ ë””ë ‰í† ë¦¬ì— ê¸°ë¡í•˜ê¸° 위해 2ì°¨ ì„œë²„ë§Œì´ ìš”êµ¬ë©ë‹ˆë‹¤. 컴퓨터ì—
2ì°¨ 서버가 없다면, ì¹¨ìž…ì„ ì‹œë„했다는 ì‹ í˜¸ê°€ ë‚˜íƒ€ë‚ ìˆ˜
있습니다.
�
SELinux는 samba ë°ëª¬ì´ nfs íŒŒì¼ ì‹œìŠ¤í…œì— ì•¡ì„¸ìŠ¤í•˜ëŠ” ê²ƒì„ ê±°ë¶€í•©ë‹ˆë‹¤.
누군가가 samba ë°ëª¬ì„ 통하여 nfsíŒŒì¼ ì‹œìŠ¤í…œì— ì•¡ì„¸ìŠ¤ë¥¼ ì‹œë„합니다.
nfs íŒŒì¼ ì‹œìŠ¤í…œì„ ê³µìœ í•˜ê¸° 위하여 samba를 ì„¤ì •í•˜ì§€ 않으셨다면,
ì¹¨ìž…ì„ ì‹œë„했다는 ì‹ í˜¸ê°€ ë‚˜íƒ€ë‚ ìˆ˜ 있습니다.
�
SELinux는 /etc/shadow 파ì¼ì„ ì½ëŠ” 것ì—ì„œ sasl ì¸ì¦ ë°ëª¬ì„
거부합니다. /etc/shadow 파ì¼ì„ ì½ê¸°ìœ„í•´ sasl ì¸ì¦ ë°ëª¬ (saslauthd)ì„
ì„¤ì •í•˜ì§€ 않으셨다면, 침입했다는 ì‹ í˜¸ê°€ ë‚˜íƒ€ë‚ ìˆ˜
있습니다.
�
SELinux는 $PORT_NUMBERë¡œ 연결하는 것으로 부터 squid ë°ëª¬ì„ 거부합니다.
squid ì—°ê²°ì„ ê±°ë¶€í•˜ê¸° 위해 기본 squid ì •ì±…ì´ ì„¤ì •ë˜ì–´ 있습니다.
ë„¤íŠ¸ì›Œí¬ ì—°ê²°ì„ ìœ„í•´ squid를 ì„¤ì •í•˜ì§€ 않으셨다면, ì¹¨ìž…ì„ ì‹œë„했다는 ì‹ í˜¸ê°€
ë‚˜íƒ€ë‚ ìˆ˜ 있습니다.
�
SELinux는 ì„¤ì • 파ì¼ì„ 기ë¡í•˜ëŠ” 것으로 부터 zebra ë°ëª¬ì„
거부합니다. ì¼ë°˜ì 으로 zebra는 ì„¤ì • 파ì¼ì„ 기ë¡í•˜ëŠ” 것ì„
요구하지 않습니다. zebraê°€ ì„¤ì • 파ì¼ì„ 기ë¡í•˜ëŠ” ê²ƒì´ ì„¤ì •ë˜ì§€
ì•Šì•˜ì„ ê²½ìš°, ì¹¨ìž…ì„ ì‹œë„했다는 ì‹ í˜¸ê°€ ë‚˜íƒ€ë‚ ìˆ˜ 있습니다.
�
SELinux는 nfs ë°ëª¬ (nfsd)ì´ ë¡œì»¬ 시스템ì—ì„œ 파ì¼ì„ 작성하지 못하게 합니다. ì–´ë–¤ íŒŒì¼ ì‹œìŠ¤í…œ(rw)ë„ ë‚´ë³´ë‚´ì§€ 않으셨다면, 침입했다는 ì‹ í˜¸ê°€ ë‚˜íƒ€ë‚ ìˆ˜ìžˆìŠµë‹ˆë‹¤.
�
SELinux는 nfs ë°ëª¬ì´ 공개로 í‘œì‹œëœ ë””ë ‰í† ë¦¬ì— ê¸°ë¡í•˜ì§€ 못하게
합니다. 주로 ì´ëŸ¬í•œ ë””ë ‰í† ë¦¬ëŠ” nfs, apache, ftp 등과 ê°™ì€ ë‹¤ì¤‘
ë„¤íŠ¸ì›Œí¬ ë°ëª¬ 사ì´ì—ì„œ ê³µìœ ë©ë‹ˆë‹¤. 기ë¡í•˜ê¸° 위해 ì–´ë–¤ 공개 íŒŒì¼ ì‹œìŠ¤í…œì„
내보내지 않으셨다면, 침입 ì‹ í˜¸ê°€ ë‚˜íƒ€ë‚ ìˆ˜ 있습니다.
�
SELinuxê°€ 기본 ë ˆì´ë¸” default_t를 사용하여 파ì¼ë¡œ 액세스하지 못하게 합니다.
�
SELinux는 ë ˆì´ë¸” file_t를 사용하여 파ì¼ì— 액세스하지 못하게 합니다.
�
SELinux는 ftp ë°ëª¬ì´ ì‚¬ìš©ìž í™ˆ ë””ë ‰í† ë¦¬ ($TARGET_PATH)를 ì½ì§€ 못하게 합니다.
�
SELinux는 ftp ë°ëª¬ì´ 홈 ë””ë ‰í† ë¦¬ ($TARGET_PATH) ì™¸ë¶€ì— ìžˆëŠ” 파ì¼ì„ 기ë¡í•˜ì§€ 못하게 합니다.
�
SELinux는 http ë°ëª¬ì´ ftp 서버로 작업하지 못하게 합니다.
�
SELinux는 http ë°ëª¬ì´ 터미ë„ê³¼ í†µì‹ í•˜ì§€ 못하게 합니다.
�
SELinux는 http ë°ëª¬ì´ ë°ì´íƒ€ë² ì´ìŠ¤ë¡œ 연결하지 못하게 합니다.
�
SELinux는 http ë°ëª¬ì´ ë„¤íŠ¸ì›Œí¬ í¬íŠ¸ $PORT_NUMBERë¡œ 연결하지 못하게 합니다�
SELinux는 http ë°ëª¬ì´ http ë°ëª¬ ìžì²´ ë˜ëŠ” 중계 í¬íŠ¸ë¡œ 연결하지 못하게 합니다
�
SELinux는 http ë°ëª¬ì´ 쉘 스í¬ë¦½íŠ¸ë¥¼ 실행하지 못하게 합니다�
SELinux는 http ë°ëª¬ì´ ë‚´ìž¥ëœ ìŠ¤í¬ë¦½íŠ¸ë¥¼ 사용하지 못하게 합니다.
�
SELinux는 ì»¤ë„ ëª¨ë“ˆì„ ì½ì–´ 오지 못하게 합니다.
�
SELinux는 실행 ì¤‘ì¸ ì •ì±…ì„ ìˆ˜ì •í•˜ì§€ 못하게 합니다.
�
SELinux는 named ë°ëª¬ì´ ì˜ì— ë””ë ‰í† ë¦¬ì— ìž‘ì„±í•˜ì§€ 못하게 합니다�
SELinux는 nfs ë°ëª¬ì´ 공개 ë””ë ‰í† ë¦¬ì— í´ë¼ì´ì–¸íŠ¸ê°€ 기ë¡í•˜ì§€ 못하게 합니다.
�
SELinux는 ppp ë°ëª¬ì´ ì»¤ë„ ëª¨ë“ˆì„ ì‚½ìž…í•˜ì§€ 못하게 합니다.
�
SELinux는 samba ë°ëª¬ì´ nfs íŒŒì¼ ì‹œìŠ¤í…œì„ ì½ì§€ 못하게 합니다.
�
SELinux는 sasl ì¸ì¦ 서버가 /etc/shadow 파ì¼ì„ ì½ì§€ 못하게 합니다.
�
SELinux는 squid ë°ëª¬ì´ ë„¤íŠ¸ì›Œí¬ í¬íŠ¸ $PORT_NUMBERë¡œ 연결하지 못하게 합니다�
SELinux는 사용ìžê°€ ì‚¬ìš©ìž ë„ë©”ì¸ì—ì„œ TCP 서버를 실행하지 못하게 합니다.
�
SELinux는 zebra ë°ëª¬ì´ ì„¤ì • 파ì¼ì„ 작성하지 못하게 합니다
�
SELinux 권한으로 default_të¡œ ë ˆì´ë¸” ëœ íŒŒì¼ì„ 확ì¸í•˜ëŠ” ê²ƒì´ ê±°ë¶€ë˜ì—ˆìŠµë‹ˆë‹¤.
ì´ëŸ¬í•œ 파ì¼/ë””ë ‰í† ë¦¬ëŠ” 기본 값으로 ë ˆì´ë¸”ë˜ì–´ 있습니다. 특히 파ì¼ì´ ì •ìƒ ìˆ˜ì¤€
ë””ë ‰í† ë¦¬ì— ìžˆì§€ ì•Šì„ ê²½ìš°, ì´ëŠ” ë ˆì´ë¸”ì— ë¬¸ì œê°€ ìžˆë‹¤ê³ ë‚˜íƒ€ë‚ ìˆ˜ 있습니다.
즉 표준 시스템 ë””ë ‰í† ë¦¬, /usr, /var. /dev, /tmp,..., ì•„ëž˜ì— ìžˆëŠ” 파ì¼/ë””ë ‰í† ë¦¬ëŠ” ëª¨ë‘ ê¸°ë³¸ê°’ìœ¼ë¡œ ë ˆì´ë¸”ë˜ì–´ì„œëŠ”
안ë©ë‹ˆë‹¤. 부모 ë””ë ‰í† ë¦¬ì— ë ˆì´ë¸”ë˜ì§€ ì•Šì€ íŒŒì¼/ë””ë ‰í† ë¦¬ì— ëŒ€í•´ì„œ 기본값으로 ë ˆì´ë¸”합니다.
/ ìƒì—ì„œ 새로운 ë””ë ‰í† ë¦¬ë¥¼ ìƒì„±í•˜ì‹œê³ ìž í• ê²½ìš° ë¬¸ì œì—†ì´ ì´ëŸ¬í•œ ë ˆì´ë¸”ì„ í•˜ì‹¤ 수
있습니다.
�
SELinux 권한으로 file_të¡œ ë ˆì´ë¸”ëœ íŒŒì¼ì„ 확ì¸í•˜ëŠ” ê²ƒì´ ê±°ë¶€ë˜ì—ˆìŠµë‹ˆë‹¤.
file_t는 ë ˆì´ë¸”ì´ ì—†ëŠ” 파ì¼ì—게 SELinux 커ë„ì´ ì œê³µí•˜ëŠ” 문맥으로 ì´ëŠ”
심ê°í•œ ë ˆì´ë¸” ë¬¸ì œë¥¼ ì¼ìœ¼í‚¬ 수 있습니다. SELinux ë°•ìŠ¤ì— ìžˆëŠ” 파ì¼ì€ file_të¡œ
ë ˆì´ë¸”ë˜ì–´ì„œëŠ” 안ë©ë‹ˆë‹¤. ì‹œìŠ¤í…œì— ìƒˆë¡œìš´ 디스켓 ë“œë¼ì´ë¸Œë¥¼ ì¶”ê°€ì‹œí‚¤ì‹ ê²½ìš°
restorecon ëª…ë ¹ì„ ì‚¬ìš©í•˜ì—¬ ì´ë¥¼ ìž¬ë ˆì´ë¸”하실 수 있습니다. ê·¸ë ‡ì§€ ì•Šì„ ê²½ìš°
ëª¨ë“ íŒŒì¼ ì‹œìŠ¤í…œì„ ë‹¤ì‹œ ë ˆì´ë¸”하셔야 합니다.
�
SELinux ì •ì±…ì€ ftp ë°ëª¬ì´ 공개 ë””ë ‰í† ë¦¬ì— ê¸°ë¡í•˜ì§€ 못하게
합니다.
�
SELinux ì •ì±…ì€ ftp ë°ëª¬ì´ 공개 ë””ë ‰í† ë¦¬ì— ê¸°ë¡í•˜ì§€ 못하게
합니다. ìµëª… 기ë¡ì„ 허용하기 위해 ftpdê°€ ì„¤ì •ë˜ì§€ ì•Šì•˜ì„ ê²½ìš°,
ì¹¨ìž…ì„ ì‹œë„하였다는 ì‹ í˜¸ê°€ ë‚˜íƒ€ë‚ ìˆ˜ 있습니다.
�
SELinux ì •ì±…ì€ http ë°ëª¬ì´ 공개 ë””ë ‰í† ë¦¬ì— ê¸°ë¡í•˜ì§€ 못하게
합니다.
�
SELinux ì •ì±…ì€ rsync ë°ëª¬ì´ 공개 ë””ë ‰í† ë¦¬ì— ê¸°ë¡í•˜ì§€ 못하게
합니다.
�
SELinux ì •ì±…ì€ rsync ë°ëª¬ì´ 공개 ë””ë ‰í† ë¦¬ì— ê¸°ë¡í•˜ì§€ 못하게
합니다. ìµëª… 기ë¡ì„ 허용하기 위해 rsyncì´ ì„¤ì •ë˜ì§€ ì•Šì•˜ì„ ê²½ìš°,
ì¹¨ìž…ì„ ì‹œë„하였다는 ì‹ í˜¸ê°€ ë‚˜íƒ€ë‚ ìˆ˜ 있습니다.
�
SELinux ì •ì±…ì€ samba ë°ëª¬ì´ 공개 ë””ë ‰í† ë¦¬ì— ê¸°ë¡í•˜ì§€ 못하게
합니다.
�
SELinux ì •ì±…ì€ samba ë°ëª¬ì´ 공개 ë””ë ‰í† ë¦¬ì— ê¸°ë¡í•˜ì§€ 못하게
합니다. ìµëª… 기ë¡ì„ 허용하기 위해 sambaê°€ ì„¤ì •ë˜ì§€ ì•Šì•˜ì„ ê²½ìš°,
ì¹¨ìž…ì„ ì‹œë„하였다는 ì‹ í˜¸ê°€ ë‚˜íƒ€ë‚ ìˆ˜ 있습니다.
�
SELinux는 ìžë°” í”ŒëŸ¬ê·¸ì¸ ($SOURCE_TYPE)ì´ ìŠ¤íƒì„ 실행 불가능하게 합니다.
�
SELinux는 mplayer í”ŒëŸ¬ê·¸ì¸ ($SOURCE_TYPE)ì´ ìŠ¤íƒì„ 실행 불가능하게 합니다.
�
SELinux는 http 파ì¼ë¡œ httpd $ACCESS 액세스하지 못하게 합니다.
�
SELinux는 CVS ì‘ìš© í”„ë¡œê·¸ëž¨ì´ ì„€ë„ìš° 암호 파ì¼ì„ ì½ì§€ 못하게 합니다.
�
SELinux는 CVS ì‘ìš© í”„ë¡œê·¸ëž¨ì´ ì„€ë„ìš° 암호 파ì¼ì„ ì½ì§€ 못하게 합니다.
CVS ì‘ìš© 프로그램ì—는 ì§ì ‘ ì—°ê²° (예, pserver)ì„ ì„¤ì •í• ë•Œì™€
PAM ì—†ì´ ì‹œìŠ¤í…œ 암호 / ì„€ë„ìš° 파ì¼ì„ ì¸ì¦í•˜ë ¤ í• ë•Œ ì´ëŸ¬í•œ 액세스가
필요합니다. ì´ëŸ¬í•œ 액세스를 ì‹œë„í• ê²½ìš° 침입 ì‹œë„ ì‹ í˜¸ê°€ ë‚˜íƒ€ë‚ ìˆ˜ 있습니다.
CVS는 PAMì„ ì‚¬ìš©í•˜ì—¬ ì„¤ì •í• ê²ƒê³¼ ë¶„ë¦¬ëœ ì‚¬ìš©ìž íŒŒì¼ì„ ì¸ì¦í• 것과 ë˜ëŠ”
ì´ëŸ¬í•œ 액세스를 허용하는 ë°ì‹ 다른 í”„ë¡œí† ì½œ(예, ssh)ì„ ì‚¬ìš©í• ê²ƒì„ ê¶Œìž¥í•©ë‹ˆë‹¤.
ì´ëŸ¬í•œ 액세스가 ìž ìž¬ì 으로 비보안ì ì¸ ì´ìœ ì— ëŒ€í•œ 보다 ìžì„¸í•œ ë‚´ìš©ì€ CVS 메뉴얼ì—ì„œ 확ì¸í•´ 보시기 ë°”ëžë‹ˆë‹¤.
(<a href="http://ximbiot.com/cvs/manual/cvs-1.11.22/cvs_2.html">http://ximbiot.com/cvs/manual/cvs-1.11.22/cvs_2.html</a>).
�
SELinux는 ftp ë°ëª¬ì´ CIFS íŒŒì¼ ì‹œìŠ¤í…œì— ì €ìž¥ëœ íŒŒì¼ì„ $ACCESS하지 못하게 합니다.
CIFS (Comment Internet File System)는 SMBê³¼ ìœ ì‚¬í•œ ë„¤íŠ¸ì›Œí¬ íŒŒì¼ ì‹œìŠ¤í…œ
입니다 (<a href="http://www.microsoft.com/mind/1196/cifs.asp">http://www.microsoft.com/mind/1196/cifs.asp</a>)
ftp ë°ëª¬ì€ ì´ëŸ¬í•œ ìœ í˜•ìœ¼ë¡œ ë§ˆìš´íŠ¸ëœ íŒŒì¼ ì‹œìŠ¤í…œì—ì„œ 하나 ì´ìƒì˜ íŒŒì¼ ë˜ëŠ”
ë””ë ‰í† ë¦¬ë¥¼ ì½ì–´ì˜¤ëŠ” ê²ƒì„ ì‹œë„합니다. CIFS íŒŒì¼ ì‹œìŠ¤í…œì´ ì •êµí•˜ê²Œ SELinux ë ˆì´ë¸”하는
ê²ƒì„ ì§€ì›í•˜ì§€ ì•ŠìŒìœ¼ë¡œì„œ íŒŒì¼ ì‹œìŠ¤í…œì— ìžˆëŠ” ëª¨ë“ íŒŒì¼ ë° ë””ë ‰í† ë¦¬ëŠ” ë™ì¼í•œ 보안
ë¬¸ë§¥ì„ ê°–ê²Œ ë©ë‹ˆë‹¤.
CIFS íŒŒì¼ ì‹œìŠ¤í…œì—ì„œ 파ì¼ì„ ì½ì–´ì˜¤ê¸° 위해 ftp ë°ëª¬ì„ ì„¤ì •í•˜ì§€ ì•Šìœ¼ì…¨ì„ ê²½ìš° ì´ëŸ¬í•œ 액세스를 ì‹œë„하면 ì¹¨ìž„ì„ ì‹œë„했다는 ì‹ í˜¸ê°€ ë‚˜íƒ€ë‚ ìˆ˜ 있습니다.
�
SELinux는 ftp ë°ëª¬ì´ CIFS íŒŒì¼ ì‹œìŠ¤í…œì— ì €ìž¥ëœ íŒŒì¼ì„ $ACCESS하지 못하게 합니다.
�
SELinux는 ftp ë°ëª¬ì´ NFS íŒŒì¼ ì‹œìŠ¤í…œì— ì €ìž¥ëœ íŒŒì¼ì„ $ACCESS하지 못하게 합니다.
NFS (Network Filesystem)는 Unix / Linux ìƒì—ì„œ 주로 사용ë˜ëŠ” ë„¤íŠ¸ì›Œí¬ íŒŒì¼ ì‹œìŠ¤í…œìž…ë‹ˆë‹¤.
ftp ë°ëª¬ì€ ì´ëŸ¬í•œ ìœ í˜•ìœ¼ë¡œ ë§ˆìš´íŠ¸ëœ íŒŒì¼ ì‹œìŠ¤í…œì—ì„œ 하나 ì´ìƒì˜ íŒŒì¼ ë˜ëŠ”
ë””ë ‰í† ë¦¬ë¥¼ ì½ì–´ì˜¤ê¸°ë¥¼ ì‹œë„합니다. NFS íŒŒì¼ ì‹œìŠ¤í…œì´ ì •êµí•˜ SELinux ë ˆì´ë¸”하는
ê²ƒì„ ì§€ì›í•˜ì§€ ì•ŠìŒìœ¼ë¡œì„œ íŒŒì¼ ì‹œìŠ¤í…œì— ìžˆëŠ” ëª¨ë“ íŒŒì¼ ë° ë””ë ‰í† ë¦¬ëŠ” ë™ì¼í•œ
보안 ë¬¸ë§¥ì„ ê°–ê²Œ ë©ë‹ˆë‹¤.
NFS íŒŒì¼ ì‹œìŠ¤í…œì—ì„œ 파ì¼ì„ ì½ì–´ì˜¤ê¸° 위해 ftp ë°ëª¬ì„ ì„¤ì •í•˜ì§€ 않으셨다면
ì´ëŸ¬í•œ 액세스를 ì‹œë„í–ˆì„ ë•Œ ì¹¨ìž„ì„ ì‹œë„했다는 ì‹ í˜¸ê°€ ë‚˜íƒ€ë‚ ìˆ˜ 있습니다.
�
SELinux는 ftp ë°ëª¬ì´ NFS íŒŒì¼ ì‹œìŠ¤í…œì— ì €ìž¥ëœ íŒŒì¼ì„ $ACCESS하지 못하게 합니다.
�
SELinux는 gss ë°ëª¬ì´ 권한없는 사용ìžì˜ ìž„ì‹œ 파ì¼ì„ ì½ì§€ 못하게 합니다.
�
SELinux는 ìžë°” í”ŒëŸ¬ê·¸ì¸ ($SOURCE_TYPE)리 스íƒì„ 실행 불가능하게
합니다. ì–´ë–¤ ì†Œí”„íŠ¸ì›¨ì–´ë„ ì‹¤í–‰ê°€ëŠ¥í•œ 스íƒì„ 필요하지 않습니다
(보다 ìžì„¸í•œ ì •ë³´ëŠ” <a href="http://people.redhat.com/drepper/selinux-mem.html">SELinux 메모리 보안 테스트</a>를 참조하시기 ë°”ëžë‹ˆë‹¤
하지만 ìžë°” 플러그ì¸ì˜ 몇몇 ë²„ì ¼ì€ ì˜¬ë°”ë¥´ê²Œ ìž‘ë™í•˜ê¸° 위해 ì´ëŸ¬í•œ 액세스를 필요로 합니다
ì´ëŸ¬í•œ 액세스를 허용하기 ì „ì— ì†Œí”„íŠ¸ì›¨ì–´ ì—…ë°ì´íŠ¸ 사í•ì„ 확ì¸í•´ 보시기
ë°”ëžë‹ˆë‹¤.
�
SELinux는 mplayer í”ŒëŸ¬ê·¸ì¸ ($SOURCE_TYPE)ì´ ìŠ¤íƒì„ 실행 불가능하게
합니다. ì–´ë–¤ ì†Œí”„íŠ¸ì›¨ì–´ë„ ì‹¤í–‰ê°€ëŠ¥í•œ 스íƒì„ 필요하지 않습니다
(보다 ìžì„¸í•œ ì •ë³´ëŠ” <a href="http://people.redhat.com/drepper/selinux-mem.html">SELinux 메모리 보안 테스트</a>를 참조하시기 ë°”ëžë‹ˆë‹¤)
하지만 mplayer 플러그ì¸ì˜ 몇몇 ë²„ì ¼ì€ ì˜¬ë°”ë¥´ê²Œ ìž‘ë™í•˜ê¸° 위해 ì´ëŸ¬í•œ 액세스를 필요로 합니다
ì´ëŸ¬í•œ 액세스를 허용하기 ì „ì— ì†Œí”„íŠ¸ì›¨ì–´ ì—…ë°ì´íŠ¸ 사í•ì„ 확ì¸í•´ 보시기
ë°”ëžë‹ˆë‹¤.
�
컴퓨터 ì‹œìŠ¤í…œì— ë ˆì´ë¸”하기 위하여 root ê³„ì •ìœ¼ë¡œ ë‹¤ìŒ ëª…ë ¹ì„ ì‚¬ìš©í•˜ì—¬
ì‹¤í–‰í• ìˆ˜ 있습니다: "touch /.autorelabel; reboot"
�
ì´ëŸ¬í•œ 액세스를 허용하기 위해 로컬 ì •ì±… ëª¨ë“ˆì„ ìƒì„±í•˜ì‹¤ 수 있습니다 -
<a href="http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385">FAQ</a>를 참조하시거나 - ë˜ëŠ”
ì‘ìš© í”„ë¡œê·¸ëž¨ì˜ SELinux ë³´ì•ˆì„ ì™„ì „ížˆ 비활성화시키실 수 있습니다. SELinux 보안ì„
비활성화시키는 ê²ƒì€ ê¶Œìž¥í•˜ì§€ 않습니다.
ì´ëŸ¬í•œ íŒ¨í‚¤ì§€ì— ëŒ€í•´ <a href="http://bugzilla.redhat.com/bugzilla/enter_bug.cgi">버그 리í¬íŠ¸</a>
를 ì œì¶œí•´ 주시기 ë°”ëžë‹ˆë‹¤.
� http ë°ëª¬ì´ ftp í¬íŠ¸ì— 있는 ê²ƒì„ ì²ì·¨í•˜ê²Œ í•˜ì‹œë ¤ë©´,
$BOOLEAN ë¶€ìš¸ì„ í™œì„±í™”ì‹œí‚¤ì…”ì•¼ 합니다: "setsebool -P $BOOLEAN=1"
� "$BOOLEAN" ë°
"$WRITE_BOOLEAN" ë¶€ìš¸ì„ trueë¡œ 변경하는 ê²ƒì€ ì´ëŸ¬í•œ 액세스를 허용하게 ë©ë‹ˆë‹¤:
"setsebool -P $BOOLEAN=1 $WRITE_BOOLEAN=1".
ê²½ê³ : "$WRITE_BOOLEAN" ë¶€ìš¸ì„ trueë¡œ ì„¤ì •í•˜ëŠ” 것ì€
ftp ë°ëª¬ì´ ëª¨ë“ ê³µê°œ ë‚´ìš© (public_content_t ìœ í˜•ìœ¼ë¡œ ëœ íŒŒì¼ ë° ë””ë ‰í† ë¦¬)ì—
쓰는 ê²ƒì„ í—ˆìš©í•˜ë©° CIFS íŒŒì¼ ì‹œìŠ¤í…œì— ìžˆëŠ” íŒŒì¼ ë° ë””ë ‰í† ë¦¬ì—
쓰는 ê²ƒë„ í—ˆìš©í•©ë‹ˆë‹¤. � "allow_ftpd_use_nfs" ë°
"$WRITE_BOOLEAN" ë¶€ìš¸ì„ trueë¡œ 변경하여 ì´ëŸ¬í•œ 액세스를 허용합니다:
"setsebool -P allow_ftpd_use_nfs=1 $WRITE_BOOLEAN=1".
ê²½ê³ : "$WRITE_BOOLEAN" ë¶€ìš¸ì„ trueë¡œ ì„¤ì •í•˜ëŠ” ê²ƒì€ ftp ë°ëª¬ì´
ëª¨ë“ ê³µê°œ ë‚´ìš© (public_content_t ìœ í˜•ìœ¼ë¡œ ëœ íŒŒì¼ ë° ë””ë ‰í† ë¦¬)ì— ì“°ëŠ” 것ì„
í—ˆìš©í•˜ê³ NFS íŒŒì¼ ì‹œìŠ¤í…œì— ìžˆëŠ” íŒŒì¼ ë° ë””ë ‰í† ë¦¬ì— ì“°ëŠ” 것ë„
허용합니다. �권한 부여�CRON�CVS�ë„ë©”ì¸ ì´ë¦„ 서버�FTP�íŒŒì¼ ë ˆì´ë¸”�íŒŒì¼ ì‹œìŠ¤í…œ�ìžë°”�커ë„�매체�메모리�ë„¤íŠ¸ì›Œí¬ í¬íŠ¸�네트워킹�RSYNC�SAMBA�SELinux는 gss ë°ëª¬ì´ ê¶Œí•œì´ ì—†ëŠ” ì‚¬ìš©ìž ìž„ì‹œ íŒŒì¼ (예, /tmpì— ìžˆëŠ” 파ì¼)ì„
ì½ì§€ 못하게 합니다. ì´ëŸ¬í•œ 액세스를 허용하는 것ì€
ìœ„í—˜ì´ ì 지만 파ì¼ì„ ì½ì–´ì˜¤ê¸° 위해 gss ë°ëª¬ì„ ì„¤ì •í•˜ì§€ 않으실 경우
ì´ ì•¡ì„¸ìŠ¤ëŠ” ì¹¨ìž…ì„ ì‹œë„했다는 ì‹ í˜¸ë¥¼ ìš”ì²í• 수
있습니다.�웹 서버�Zebra�