\u5982\u4f55\u5728\u4e0a\u914d\u7f6e\u57fa\u4e8e\u89d2\u8272\u7684\u8bbf\u95ee\u63a7\u5236\uff08rbac\uff09<\/p>\n
\u5f15\u8a00\uff1a
\u5728\u591a\u7528\u6237\u73af\u5883\u4e0b\uff0c\u786e\u4fdd\u7cfb\u7edf\u5b89\u5168\u6027\u548c\u6570\u636e\u7684\u9690\u79c1\u6027\u6210\u4e3a\u4e00\u9879\u91cd\u8981\u4efb\u52a1\u3002\u800c\u5728Linux\u7cfb\u7edf\u4e2d\uff0c\u89d2\u8272\u4e3a\u57fa\u7840\u7684\u8bbf\u95ee\u63a7\u5236\uff08Role-Based Access Control\uff0c\u7b80\u79f0RBAC\uff09\u88ab\u5e7f\u6cdb\u91c7\u7528\u6765\u7ba1\u7406\u7528\u6237\u6743\u9650\u548c\u8d44\u6e90\u8bbf\u95ee\u3002\u672c\u6587\u5c06\u4ecb\u7ecd\u5982\u4f55\u5728Linux\u7cfb\u7edf\u4e0a\u914d\u7f6eRBAC\uff0c\u5e76\u63d0\u4f9b\u4e00\u4e9b\u4ee3\u7801\u793a\u4f8b\u6765\u5e2e\u52a9\u8bfb\u8005\u66f4\u597d\u5730\u7406\u89e3\u5b9e\u73b0\u8fc7\u7a0b\u3002<\/p>\n
\u7b2c\u4e00\u6b65\uff1a\u5b89\u88c5\u5fc5\u8981\u7684\u8f6f\u4ef6\u5305
\u9996\u5148\uff0c\u6211\u4eec\u9700\u8981\u5b89\u88c5\u5fc5\u8981\u7684\u8f6f\u4ef6\u5305\u4ee5\u542f\u7528RBAC\u529f\u80fd\u3002\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u5728Linux\u7cfb\u7edf\u4e0a\u5b89\u88c5SELinux\uff08Security Enhanced Linux\uff09\u548cPAM\uff08Pluggable Authentication Modules\uff09\uff1a<\/p>\n
sudo apt-get install selinux pam<\/pre>\n\u767b\u5f55\u540e\u590d\u5236 <\/p>\n
\u5b8c\u6210\u5b89\u88c5\u540e\uff0c\u6211\u4eec\u53ef\u4ee5\u7ee7\u7eed\u8fdb\u884c\u4e0b\u4e00\u6b65\u64cd\u4f5c\u3002<\/p>\n
\u7b2c\u4e8c\u6b65\uff1a\u521b\u5efa\u7528\u6237\u548c\u89d2\u8272
\u5728Linux\u7cfb\u7edf\u4e2d\uff0c\u6bcf\u4e2a\u7528\u6237\u53ef\u4ee5\u88ab\u5206\u914d\u5230\u4e00\u4e2a\u6216\u591a\u4e2a\u89d2\u8272\u3002\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528adduser\u547d\u4ee4\u521b\u5efa\u65b0\u7528\u6237\uff0c\u5e76\u4f7f\u7528usermod\u547d\u4ee4\u5c06\u7528\u6237\u6dfb\u52a0\u5230\u76f8\u5e94\u7684\u89d2\u8272\u4e2d\u3002<\/p>\nsudo adduser user1\nsudo usermod -aG role1 user1<\/pre>\n\u767b\u5f55\u540e\u590d\u5236 <\/p>\n
\u4e0a\u8ff0\u4ee3\u7801\u4e2d\uff0c\u6211\u4eec\u521b\u5efa\u4e86\u4e00\u4e2a\u540d\u4e3auser1\u7684\u65b0\u7528\u6237\uff0c\u5e76\u5c06\u5176\u6dfb\u52a0\u5230\u540d\u4e3arole1\u7684\u89d2\u8272\u4e2d\u3002\u4f60\u53ef\u4ee5\u6839\u636e\u81ea\u5df1\u7684\u9700\u6c42\u521b\u5efa\u66f4\u591a\u7684\u7528\u6237\u548c\u89d2\u8272\u3002<\/p>\n
\u7b2c\u4e09\u6b65\uff1a\u914d\u7f6e\u89d2\u8272\u7b56\u7565\u6587\u4ef6
\u89d2\u8272\u7b56\u7565\u6587\u4ef6\u5b9a\u4e49\u4e86\u6bcf\u4e2a\u89d2\u8272\u7684\u6743\u9650\u548c\u8d44\u6e90\u8bbf\u95ee\u7b56\u7565\u3002\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528\u6587\u672c\u7f16\u8f91\u5668\u6253\u5f00\/etc\/selinux\/policy.conf\u6587\u4ef6\uff0c\u5e76\u6dfb\u52a0\u89d2\u8272\u7b56\u7565\u3002<\/p>\nsudo nano \/etc\/selinux\/policy.conf<\/pre>\n\u767b\u5f55\u540e\u590d\u5236 <\/p>\n
\u5728\u6587\u4ef6\u672b\u5c3e\u6dfb\u52a0\u4ee5\u4e0b\u5185\u5bb9\uff1a<\/p>\n
role role1 types type1, type2, type3<\/pre>\n\u767b\u5f55\u540e\u590d\u5236 <\/p>\n
\u4e0a\u8ff0\u4ee3\u7801\u4e2d\uff0c\u6211\u4eec\u5b9a\u4e49\u4e86\u540d\u4e3arole1\u7684\u89d2\u8272\uff0c\u4ee5\u53ca\u89d2\u8272\u53ef\u4ee5\u8bbf\u95ee\u7684\u8d44\u6e90\u7c7b\u578b\u3002<\/p>\n
\u7b2c\u56db\u6b65\uff1a\u914d\u7f6ePAM\u6a21\u5757
PAM\u6a21\u5757\u662f\u4e00\u4e2a\u53ef\u63d2\u62d4\u7684\u8eab\u4efd\u9a8c\u8bc1\u6a21\u5757\uff0c\u7528\u4e8e\u5bf9\u7528\u6237\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\u548c\u6388\u6743\u3002\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528\u6587\u672c\u7f16\u8f91\u5668\u6253\u5f00\/etc\/pam.d\/common-auth\u6587\u4ef6\uff0c\u5e76\u6dfb\u52a0PAM\u6a21\u5757\u914d\u7f6e\u3002<\/p>\nsudo nano \/etc\/pam.d\/common-auth<\/pre>\n\u767b\u5f55\u540e\u590d\u5236 <\/p>\n
\u5728\u6587\u4ef6\u5f00\u5934\u6dfb\u52a0\u4ee5\u4e0b\u5185\u5bb9\uff1a<\/p>\n
auth [success=done new_authtok_reqd=ok default=ignore] pam_selinux_permit.so\nauth required pam_deny.so<\/pre>\n\u767b\u5f55\u540e\u590d\u5236 <\/p>\n
\u4e0a\u8ff0\u4ee3\u7801\u4e2d\uff0c\u6211\u4eec\u4f7f\u7528pam_selinux_permit.so\u6a21\u5757\u5141\u8bb8SELinux\u8bbe\u7f6e\u8bbf\u95ee\u6743\u9650\uff0c\u5e76\u4f7f\u7528pam_deny.so\u6a21\u5757\u7981\u6b62\u5bf9\u4e0d\u5177\u5907\u8bbf\u95ee\u6743\u9650\u7684\u7528\u6237\u8fdb\u884c\u6388\u6743\u3002<\/p>\n
\u7b2c\u4e94\u6b65\uff1a\u91cd\u542f\u7cfb\u7edf
\u5b8c\u6210\u4e0a\u8ff0\u914d\u7f6e\u540e\uff0c\u6211\u4eec\u9700\u8981\u91cd\u542fLinux\u7cfb\u7edf\u4ee5\u4f7fRBAC\u914d\u7f6e\u751f\u6548\u3002<\/p>\nsudo reboot<\/pre>\n\u767b\u5f55\u540e\u590d\u5236 <\/p>\n
\u91cd\u542f\u540e\uff0cRBAC\u529f\u80fd\u5c06\u88ab\u542f\u7528\uff0c\u7528\u6237\u5c06\u6309\u7167\u5176\u6240\u5c5e\u89d2\u8272\u7684\u8bbf\u95ee\u6743\u9650\u8fdb\u884c\u6388\u6743\u3002<\/p>\n
\u4ee3\u7801\u793a\u4f8b\uff1a
\u4ee5\u4e0b\u662f\u4e00\u4e2a\u7b80\u5355\u7684RBAC\u4ee3\u7801\u793a\u4f8b\uff0c\u7528\u4e8e\u6f14\u793a\u5982\u4f55\u4f7f\u7528RBAC\u914d\u7f6e\u7528\u6237\u6743\u9650\u63a7\u5236\u3002<\/p>\nimport os\n\ndef check_access(user, resource):\n output = os.system(\"id -Z\")\n if user in output and resource in allowed_resources:\n return True\n else:\n return False\n\nuser = \"user1\"\nallowed_resources = [\"file1\", \"file2\", \"file3\"]\n\nif check_access(user, \"file2\"):\n print(\"\u7528\u6237\u6709\u6743\u9650\u8bbf\u95ee\u8d44\u6e90\")\nelse:\n print(\"\u7528\u6237\u65e0\u6743\u9650\u8bbf\u95ee\u8d44\u6e90\")<\/pre>\n\u767b\u5f55\u540e\u590d\u5236 <\/p>\n
\u4e0a\u8ff0\u4ee3\u7801\u4e2d\uff0ccheck_access\u51fd\u6570\u7528\u4e8e\u68c0\u67e5\u7528\u6237\u662f\u5426\u5177\u6709\u8bbf\u95ee\u8d44\u6e90\u7684\u6743\u9650\u3002\u5982\u679c\u7528\u6237\u5728\u6307\u5b9a\u7684\u89d2\u8272\u4e2d\uff0c\u5e76\u4e14\u6240\u9700\u8d44\u6e90\u5728\u5141\u8bb8\u8bbf\u95ee\u7684\u8d44\u6e90\u5217\u8868\u4e2d\uff0c\u5219\u51fd\u6570\u8fd4\u56deTrue\uff0c\u5426\u5219\u8fd4\u56deFalse\u3002<\/p>\n
\u7ed3\u8bba\uff1a
\u901a\u8fc7\u914d\u7f6e\u57fa\u4e8e\u89d2\u8272\u7684\u8bbf\u95ee\u63a7\u5236\uff08RBAC\uff09\uff0c\u6211\u4eec\u53ef\u4ee5\u66f4\u597d\u5730\u7ba1\u7406\u7528\u6237\u6743\u9650\u548c\u8d44\u6e90\u8bbf\u95ee\uff0c\u5e76\u63d0\u9ad8\u7cfb\u7edf\u7684\u5b89\u5168\u6027\u548c\u6570\u636e\u7684\u9690\u79c1\u6027\u3002\u5728\u672c\u6587\u4e2d\uff0c\u6211\u4eec\u4ecb\u7ecd\u4e86\u5728Linux\u7cfb\u7edf\u4e0a\u914d\u7f6eRBAC\u7684\u6b65\u9aa4\uff0c\u5e76\u63d0\u4f9b\u4e86\u4e00\u4e2a\u7b80\u5355\u7684\u4ee3\u7801\u793a\u4f8b\u6765\u5e2e\u52a9\u8bfb\u8005\u66f4\u597d\u5730\u7406\u89e3\u5b9e\u73b0\u8fc7\u7a0b\u3002\u8bfb\u8005\u53ef\u4ee5\u6839\u636e\u81ea\u5df1\u7684\u9700\u6c42\u6765\u6269\u5c55\u548c\u4fee\u6539RBAC\u914d\u7f6e\uff0c\u4ee5\u5b9e\u73b0\u66f4\u7cbe\u786e\u7684\u6743\u9650\u63a7\u5236\u3002<\/p>\n\u4ee5\u4e0a\u5c31\u662f\u5982\u4f55\u5728Linux\u4e0a\u914d\u7f6e\u57fa\u4e8e\u89d2\u8272\u7684\u8bbf\u95ee\u63a7\u5236\uff08RBAC\uff09\u7684\u8be6\u7ec6\u5185\u5bb9\uff0c\u66f4\u591a\u8bf7\u5173\u6ce8\u7c73\u4e91\u5176\u5b83\u76f8\u5173\u6587\u7ae0\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"
\u5982\u4f55\u5728\u4e0a\u914d\u7f6e\u57fa\u4e8e\u89d2\u8272\u7684\u8bbf\u95ee\u63a7\u5236\uff08rbac\uff09 \u5f15\u8a00\uff1a\u5728\u591a\u7528\u6237\u73af\u5883\u4e0b\uff0c\u786e\u4fdd\u7cfb\u7edf\u5b89\u5168\u6027\u548c\u6570\u636e\u7684\u9690\u79c1\u6027\u6210\u4e3a\u4e00\u9879\u91cd\u8981\u4efb\u52a1\u3002\u800c\u5728Linux\u7cfb\u7edf\u4e2d\uff0c\u89d2\u8272\u4e3a\u57fa\u7840\u7684\u8bbf\u95ee\u63a7\u5236\uff08Role-Based Access Control\uff0c\u7b80\u79f0RBAC\uff09\u88ab\u5e7f\u6cdb\u91c7\u7528\u6765\u7ba1\u7406\u7528\u6237\u6743\u9650\u548c\u8d44\u6e90\u8bbf\u95ee\u3002\u672c\u6587\u5c06\u4ecb\u7ecd\u5982\u4f55\u5728Linux\u7cfb\u7edf\u4e0a\u914d\u7f6eRBAC\uff0c\u5e76\u63d0\u4f9b\u4e00\u4e9b\u4ee3\u7801\u793a\u4f8b\u6765\u5e2e\u52a9\u8bfb\u8005\u66f4\u597d\u5730\u7406\u89e3\u5b9e\u73b0\u8fc7\u7a0b\u3002 \u7b2c\u4e00\u6b65\uff1a\u5b89\u88c5\u5fc5\u8981\u7684\u8f6f\u4ef6\u5305\u9996\u5148\uff0c\u6211\u4eec\u9700\u8981\u5b89\u88c5\u5fc5\u8981\u7684\u8f6f\u4ef6\u5305\u4ee5\u542f\u7528RBAC\u529f\u80fd\u3002\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u5728Linux\u7cfb\u7edf\u4e0a\u5b89\u88c5SELinux\uff08Security Enhanced Linux\uff09\u548cPAM\uff08Pluggable Authentication Modules\uff09\uff1a sudo apt-get install selinux pam \u767b\u5f55\u540e\u590d\u5236 \u5b8c\u6210\u5b89\u88c5\u540e\uff0c\u6211\u4eec\u53ef\u4ee5\u7ee7\u7eed\u8fdb\u884c\u4e0b\u4e00\u6b65\u64cd\u4f5c\u3002 \u7b2c\u4e8c\u6b65\uff1a\u521b\u5efa\u7528\u6237\u548c\u89d2\u8272\u5728Linux\u7cfb\u7edf\u4e2d\uff0c\u6bcf\u4e2a\u7528\u6237\u53ef\u4ee5\u88ab\u5206\u914d\u5230\u4e00\u4e2a\u6216\u591a\u4e2a\u89d2\u8272\u3002\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528adduser\u547d\u4ee4\u521b\u5efa\u65b0\u7528\u6237\uff0c\u5e76\u4f7f\u7528usermod\u547d\u4ee4\u5c06\u7528\u6237\u6dfb\u52a0\u5230\u76f8\u5e94\u7684\u89d2\u8272\u4e2d\u3002 sudo adduser user1 sudo usermod -aG role1 user1 \u767b\u5f55\u540e\u590d\u5236 \u4e0a\u8ff0\u4ee3\u7801\u4e2d\uff0c\u6211\u4eec\u521b\u5efa\u4e86\u4e00\u4e2a\u540d\u4e3auser1\u7684\u65b0\u7528\u6237\uff0c\u5e76\u5c06\u5176\u6dfb\u52a0\u5230\u540d\u4e3arole1\u7684\u89d2\u8272\u4e2d\u3002\u4f60\u53ef\u4ee5\u6839\u636e\u81ea\u5df1\u7684\u9700\u6c42\u521b\u5efa\u66f4\u591a\u7684\u7528\u6237\u548c\u89d2\u8272\u3002 \u7b2c\u4e09\u6b65\uff1a\u914d\u7f6e\u89d2\u8272\u7b56\u7565\u6587\u4ef6\u89d2\u8272\u7b56\u7565\u6587\u4ef6\u5b9a\u4e49\u4e86\u6bcf\u4e2a\u89d2\u8272\u7684\u6743\u9650\u548c\u8d44\u6e90\u8bbf\u95ee\u7b56\u7565\u3002\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528\u6587\u672c\u7f16\u8f91\u5668\u6253\u5f00\/etc\/selinux\/policy.conf\u6587\u4ef6\uff0c\u5e76\u6dfb\u52a0\u89d2\u8272\u7b56\u7565\u3002 sudo nano \/etc\/selinux\/policy.conf \u767b\u5f55\u540e\u590d\u5236 \u5728\u6587\u4ef6\u672b\u5c3e\u6dfb\u52a0\u4ee5\u4e0b\u5185\u5bb9\uff1a role role1 types type1, type2, type3 \u767b\u5f55\u540e\u590d\u5236 \u4e0a\u8ff0\u4ee3\u7801\u4e2d\uff0c\u6211\u4eec\u5b9a\u4e49\u4e86\u540d\u4e3arole1\u7684\u89d2\u8272\uff0c\u4ee5\u53ca\u89d2\u8272\u53ef\u4ee5\u8bbf\u95ee\u7684\u8d44\u6e90\u7c7b\u578b\u3002 \u7b2c\u56db\u6b65\uff1a\u914d\u7f6ePAM\u6a21\u5757PAM\u6a21\u5757\u662f\u4e00\u4e2a\u53ef\u63d2\u62d4\u7684\u8eab\u4efd\u9a8c\u8bc1\u6a21\u5757\uff0c\u7528\u4e8e\u5bf9\u7528\u6237\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\u548c\u6388\u6743\u3002\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528\u6587\u672c\u7f16\u8f91\u5668\u6253\u5f00\/etc\/pam.d\/common-auth\u6587\u4ef6\uff0c\u5e76\u6dfb\u52a0PAM\u6a21\u5757\u914d\u7f6e\u3002 sudo nano \/etc\/pam.d\/common-auth \u767b\u5f55\u540e\u590d\u5236 \u5728\u6587\u4ef6\u5f00\u5934\u6dfb\u52a0\u4ee5\u4e0b\u5185\u5bb9\uff1a auth [success=done new_authtok_reqd=ok default=ignore] pam_selinux_permit.so auth required pam_deny.so […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[],"class_list":["post-15980","post","type-post","status-publish","format-standard","hentry","category-os"],"_links":{"self":[{"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/posts\/15980","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/comments?post=15980"}],"version-history":[{"count":0,"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/posts\/15980\/revisions"}],"wp:attachment":[{"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/media?parent=15980"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/categories?post=15980"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/tags?post=15980"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}