filename
/tmp
The other means of modifying a context is with the chcon command. It lets you change the context of a file or directory. You can specify the complete new context, as we saw in the above cp example, or you can change just one field: the user portion through -u user, the role portion through -r role, the type through -t type, or the level portion (the MLS/MCS sensitivity and categories, such as s0) through -l level. The -R option makes chcon operate on a directory recursively so that the change is applied to all files and subdirectories of the directory specified. When recursing, -P (the default) tells chcon not to follow symbolic links, -L follows every symbolic link it meets, and -H follows only those named on the command line; -h changes the context of a symbolic link itself rather than the file it points to. If you have changed the context of an object, you can reset it with restorecon item, as in restorecon /tmp/filename for the file from the above instruction. Note that restorecon does not undo your change so much as reapply the default context that the policy's file context specification assigns to that path, so a context set with chcon is also lost whenever the file system is relabeled.
344 ◾ Linux with Operating System Concepts
8.8.3 Rules
With the contexts defined, this leads us to the rules. A rule maps a pair of contexts, the subject's (the process) and the object's, to the actions that the subject is allowed (or forbidden) to perform on the object. For instance, we might have the following rule so that users can work with files within their home directory:
allow user_t user_home_t:file {create read write unlink};
This allows any process whose type is user_t to create, read, write to, or delete (unlink) any file whose type is user_home_t. Each permission is checked separately: this rule does not grant open, so a policy that needs users to actually open such files must list that permission as well.
Aside from allow rules, we will also define type enforcement rules. There are four types: type transition rules, type change rules, type member rules, and typebounds rules. Other types of rules include role allow rules, which define whether a change from one role to another is allowed, and the remaining access vector rules (AV rules), the family to which allow itself belongs: auditallow logs an access that is permitted, dontaudit suppresses the logging of a denial, and neverallow makes policy compilation fail if any allow rule would grant the listed access.
As an example, let us consider a type transition rule. This rule does not move an existing object from one type to another; it specifies the default type given to a new object when a process of the source type creates it in (or, for a process, from) an object of the target type. The syntax of a type transition rule is
type_transition source_type target_type : class default_type [object_name];
Here class is the object class being created (file, dir, process, and so on). The object_name is optional and, when given as a quoted file name, restricts the rule to newly created objects with that name, so that a particular file name can be given a different type from other files created in the same directory.
Let us define as an example the transition and allow rules necessary for a user to create a file in their home directory. The user's process will be denoted as user_t, the directory will be denoted as user_home_t, and the new file will also be denoted as user_home_t.
type_transition user_t user_home_t:file user_home_t;
(Since a new file inherits its parent directory's type when no transition rule applies, this particular rule only makes the default explicit; a transition rule earns its keep when the new file's type should differ from the directory's.) We can then follow this rule with the permissions needed for the creation action on both the directory (the user_home_t directory) and the new file itself.
allow user_t user_home_t:dir {read getattr lock search
ioctl add_name remove_name write};
allow user_t user_home_t:file {create open getattr setattr
read write append rename link unlink ioctl lock};
We see here that the directory needs permissions such as the ability to be read, have its attributes read, be locked, be searched, have a named entry added or removed, or be written to. The second allow rule applies to files, permitting a file to be created, opened, read from, written to, appended to, renamed, linked to, unlinked (deleted), and locked. You might notice that many of the access rights listed in the above rules carry the names of system calls (refer back to Table 8.1), although some, such as search and add_name, name a step the kernel takes on the directory while servicing a call rather than a call of their own.
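The following is an added example, not code from the book or from the SELinux project, that puts the contexts of the chcon discussion and the two rule kinds above into working code: a small Python evaluator that parses context strings, allow rules and type_transition rules (including the optional quoted object name), then models what happens when a user_t process creates a file. SAMPLE_POLICY and the demo functions are constructed for the illustration; the ssh_home_t rules in it are invented for the example and are not taken from any shipped policy.

```python
"""Tiny evaluator for SELinux contexts and the rule forms shown in the text.

Added illustration; not part of SELinux or its policy toolchain
(checkpolicy, checkmodule, semodule). It models only the subset used in
the text: contexts of the form user:role:type:level, allow rules, and
type_transition rules with an optional quoted object name.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """One security context as printed by `ls -Z` or `ps -Z`."""
    user: str
    role: str
    type: str
    level: str = "s0"

    @classmethod
    def parse(cls, text):
        # The level may itself contain colons (MCS categories such as
        # s0:c0.c1023), so split on at most three colons.
        parts = text.split(":", 3)
        if len(parts) < 3 or not all(parts[:3]):
            raise ValueError(f"malformed context: {text!r}")
        level = parts[3] if len(parts) == 4 else "s0"
        return cls(parts[0], parts[1], parts[2], level)

    def __str__(self):
        return f"{self.user}:{self.role}:{self.type}:{self.level}"


# allow <src> <tgt>:<class> { perm perm ... };   (or one unbraced perm)
ALLOW_RE = re.compile(
    r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*(?:\{([^}]*)\}|(\w+))\s*;")
# type_transition <src> <tgt>:<class> <default> ["object_name"];
TRANS_RE = re.compile(
    r'type_transition\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\w+)(?:\s+"([^"]*)")?\s*;')


class Policy:
    def __init__(self, source):
        self.allows = {}       # (source type, target type, class) -> perms
        self.transitions = {}  # (source type, target type, class, name) -> type
        for m in ALLOW_RE.finditer(source):
            src, tgt, cls, braced, single = m.groups()
            self.allows.setdefault((src, tgt, cls), set()).update(
                (braced or single).split())
        for m in TRANS_RE.finditer(source):
            src, tgt, cls, default, name = m.groups()
            self.transitions[(src, tgt, cls, name)] = default

    def permitted(self, subject, obj, cls, perm):
        """True if an allow rule grants subject's type perm on obj's type."""
        return perm in self.allows.get((subject.type, obj.type, cls), ())

    def new_object_type(self, subject, parent, cls, name=None):
        # A name-specific transition wins over a plain one; with no matching
        # rule the object inherits its parent's type, as the kernel does.
        key = (subject.type, parent.type, cls)
        return (self.transitions.get(key + (name,))
                or self.transitions.get(key + (None,))
                or parent.type)

    def create_file(self, subject, directory, name):
        """Model subject creating file `name` in `directory`.

        Returns the context the new file would get and the (class, perm)
        pairs the policy lacks, i.e. the denials the AVC would log.
        """
        missing = [("dir", p) for p in ("search", "add_name", "write")
                   if not self.permitted(subject, directory, "dir", p)]
        new_file = Context(directory.user, directory.role,
                           self.new_object_type(subject, directory, "file", name),
                           directory.level)
        if not self.permitted(subject, new_file, "file", "create"):
            missing.append(("file", "create"))
        return new_file, missing


# Constructed sample policy: the rules from the text plus an invented
# named transition and a deliberately incomplete rule for ssh_home_t.
SAMPLE_POLICY = """
type_transition user_t user_home_t:file user_home_t;
type_transition user_t user_home_t:dir ssh_home_t ".ssh";
allow user_t user_home_t:dir {read getattr lock search
    ioctl add_name remove_name write};
allow user_t user_home_t:file {create open getattr setattr
    read write append rename link unlink ioctl lock};
allow user_t ssh_home_t:dir search;
"""


def demo_create_in_home():
    """notes.txt in the home directory: every needed permission is present."""
    policy = Policy(SAMPLE_POLICY)
    shell = Context.parse("user_u:user_r:user_t:s0")
    home = Context.parse("user_u:object_r:user_home_t:s0")
    new_file, missing = policy.create_file(shell, home, "notes.txt")
    return str(new_file), missing


def demo_create_in_ssh_dir():
    """A file under the .ssh directory: the sample policy denies it."""
    policy = Policy(SAMPLE_POLICY)
    shell = Context.parse("user_u:user_r:user_t:s0")
    home = Context.parse("user_u:object_r:user_home_t:s0")
    ssh_type = policy.new_object_type(shell, home, "dir", ".ssh")
    ssh_dir = Context("user_u", "object_r", ssh_type)
    _, missing = policy.create_file(shell, ssh_dir, "id_rsa")
    return ssh_type, missing
```

Running the two demo functions shows the home-directory case succeeding with the new file typed user_home_t, while the .ssh case yields three missing permissions, (dir, add_name), (dir, write) and (file, create): the same information an AVC denial carries and that audit2allow would turn back into allow rules, which is why its output should be read before it is loaded.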
Rules are placed together to make up a policy. Policies already exist for a number of scenarios. Policies are placed into policy packages and are found in the files under /etc/selinux/targeted/modules/active/modules. These are binary files and not editable directly. Instead, you can generate an additional module from the denials recorded in the audit log using the program audit2allow, which reads the AVC denial messages and prints the allow rules that would permit them; those rules are then compiled and loaded as a new policy package rather than by editing the existing binaries. You can also create your own policies using checkpolicy (or, for a single loadable module, checkmodule). The checkpolicy program will examine a given policy configuration and, if there are no errors, compile it into a binary file that can be loaded into the kernel for execution. Before loading anything produced by audit2allow, read the rules it generated: it proposes exactly what the log shows being denied, and a denial caused by an attack or by a mislabeled file should be fixed at its source, not allowed. We omit the details of creating or modifying policies here as they are both complex and dangerous. A warning from Red Hat's Customer Portal says that policy compilation could render your system inoperable!
8.9 CHAPTER REVIEW
Concepts and terms introduced in this chapter:
• Address space—the range of allowable memory addresses for a given process.
Typically memory is divided into user address space and privileged or system address
space. Within user address space, memory is further divided up among users and
their individual processes.
• Device driver—a program that receives commands from the operating system and
then translates these commands into program code that a given device (e.g., disk
drive, printer) can understand.
• Dual booting—placing multiple operating systems on a computer’s hard-disk drive
so that the user can boot to either (any) of the operating systems.
• Frame—the division of main memory into fixed-sized storage units. One page fits
precisely into one frame.
• Hybrid kernel—a type of kernel that combines features of the monolithic kernel and
the microkernel.
• Installation type—in Linux, the decision of the installation type will dictate what
software packages are initially installed. Installation types include desktop, minimal
desktop, minimal (text based), server, database server, developer (programmer), and
others.
• Kernel—the core component of the operating system responsible for most basic oper-
ating system functions such as user interface, memory management, resource man-
agement, and scheduling. Applications make requests of the kernel via system calls.
• Live boot—the ability to run a computer off of some media (e.g., optical disk, USB
drive) rather than booting the operating system from hard disk. A live boot may have
restrictions such as the inability to change system settings or install software.
• Logical volume manager—an approach to partitioning the file system whereby parti-
tions are made logically through software rather than physically. This allows resizing
and repartitioning without much risk of destroying data.
• Microkernel—a type of kernel whereby the kernel is kept to as small a size as possible by handing over a number of kernel duties to software servers. The microkernel approach to building operating systems has the potential for fewer errors and better isolation of faults, at the cost of the extra communication between the kernel and its servers.
• Module—a means of keeping a monolithic kernel from becoming too complicated by breaking some kernel operations into separate components called modules. Modules can be inserted into and removed from a running kernel with insmod and rmmod, or with modprobe, which also loads any modules that the requested one depends on.
• Monolithic kernel—the opposite extreme of the microkernel where the kernel is a
single, large, stand-alone unit. While the monolithic kernel requires fewer system
calls than the microkernel, thus improving run-time efficiency, the monolithic kernel
is challenging to program and modify.
• Operating system installation—the process of installing a new operating system onto
a computer.
• Page—a fixed-size piece of a program. Programs are divided into pages so that pages are loaded into memory only as needed. Since a page is equal to a frame in size, the operating system must locate an available frame when loading a new page. Pages not currently in memory are kept on disk, in the swap space.
• Page table—a data structure stored in memory and maintained by the operating system
so that the logical memory addresses can be translated into physical memory addresses
as pages may be distributed throughout memory in a seemingly random way.
• Partition—a logical division of the disk storage space to hold one portion of the oper-
ating system such as the kernel and core programs or the user directories or the swap
space.
• Privileged mode—one of the two modes that most computers have; the privileged
mode permits access to all instructions, memory, and resources. Only the operating
system can operate in privileged mode.
• SELinux—security-enhanced Linux is a complex addition to recent Linux distribu-
tions to permit the use of mandatory access control policies over the simpler permis-
sions already available in Linux. SELinux allows you to define users, roles, types,
contexts, and rules that map the permissible operations available for a given context.
• Swap space—an area of the disk (a dedicated partition or a file) reserved for program pages that are not currently being held in memory. It is often loosely called virtual memory, although strictly it is the storage that backs virtual memory (see below).
• Swapping—the process of moving pages from swap space to memory (and memory
to swap space if a frame needs to be freed up for a new page).
• System call—a function call made between a running application or nonkernel por-
tion of the operating system and the operating system kernel. Linux has between 300
and 400 system calls.
• User mode—when the processor is in user mode, the instructions it will carry out are limited so that, for instance, access to devices and to privileged memory is restricted. Any such instruction traps into the operating system, which switches to privileged mode and determines whether the request can be carried out based on the user's access rights.
• Virtual machine—the simulation of a computer by means of a virtual machine soft-
ware program and a virtual machine data file. The simulation mimics the capabili-
ties of the hardware and operating system installed into the virtual machine data file.
• Virtual memory—the extension of main memory onto swap space so that the com-
puter can run programs physically larger in size than that of memory.
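As an added illustration of the page, frame, page table, swap-space and swapping entries above (not code from the book), here is a toy demand-paging simulator in Python. It translates logical addresses to physical ones through a page table with 4096-byte pages, counts page faults, and when it must free a frame it prefers discarding a clean page over a modified one, since only a modified page has to be written back to swap. The frame count, the victim rule and the sample addresses are choices made for the example.

```python
"""Toy demand-paging simulator (added example, not from the book).

Assumes 4096-byte pages, a fixed number of physical frames, and a victim
rule that evicts the least recently used clean page when one exists and
otherwise the least recently used page, writing it back to swap first.
"""
PAGE_SIZE = 4096


class PageTable:
    def __init__(self, num_pages, num_frames):
        self.frames = [None] * num_frames          # frame -> resident page
        self.entries = {p: {"frame": None, "dirty": False, "last": 0}
                        for p in range(num_pages)}
        self.clock = 0        # logical time, for least-recently-used choice
        self.faults = 0       # pages brought in from disk
        self.writebacks = 0   # modified pages written out to swap

    def _free_frame(self):
        """Return a free frame number, evicting a resident page if needed."""
        if None in self.frames:
            return self.frames.index(None)
        resident = [(self.entries[p]["last"], self.entries[p]["dirty"], p)
                    for p in self.frames]
        clean = [r for r in resident if not r[1]]
        # A clean page can simply be dropped; a dirty one must be saved.
        _, dirty, victim = min(clean) if clean else min(resident)
        if dirty:
            self.writebacks += 1
        frame = self.entries[victim]["frame"]
        self.entries[victim] = {"frame": None, "dirty": False, "last": 0}
        return frame

    def translate(self, logical, write=False):
        """Map a logical address to a physical one, faulting the page in."""
        page, offset = divmod(logical, PAGE_SIZE)
        if page not in self.entries:
            raise MemoryError(f"{logical:#x} is outside the address space")
        entry = self.entries[page]
        if entry["frame"] is None:          # page fault
            self.faults += 1
            frame = self._free_frame()
            self.frames[frame] = page
            entry["frame"] = frame
        self.clock += 1
        entry["last"] = self.clock
        entry["dirty"] = entry["dirty"] or write
        return entry["frame"] * PAGE_SIZE + offset


def demo():
    """Three pages competing for two frames; page 0 is the clean victim."""
    pt = PageTable(num_pages=4, num_frames=2)
    a = pt.translate(0x0010)               # page 0 -> frame 0 (fault)
    b = pt.translate(0x1020, write=True)   # page 1 -> frame 1 (fault, dirty)
    c = pt.translate(0x2030)               # page 2 evicts clean page 0
    return a, b, c, pt.faults, pt.writebacks
```

demo() returns (16, 4128, 48, 3, 0): three faults and no write-back, because the page chosen for eviction had not been modified. Repeating the experiment with a single frame and a dirty first page forces a write-back, which is the cost the review problem on discarding a modified versus an unmodified page is asking about.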
REVIEW PROBLEMS
1. What questions should you ask before installing an operating system?
2. Why is it safer to install an operating system into a virtual machine rather than onto
a computer that already has an operating system?
3. When establishing a dual-boot computer, why should you back up your data files
before installing the second operating system?
4. How does user mode differ from privileged mode?
5. What is address space? Can users access the operating system’s address space?
6. What is a system call?
7. The monolithic kernel requires fewer system calls than the microkernel. In what way
does this make the monolithic kernel more efficient than the microkernel?
8. One complaint with monolithic kernels is that they are so complex that this can lead to
surprising errors. What solution is used in Linux to reduce the complexity and also
the inefficiency of a monolithic kernel?
9. What are the advantages and disadvantages of using a logical volume manager rather
than creating physical disk partitions?
10. What might happen in creating physical disk partitions if you make a partition too
small?
11. What might happen in creating physical disk partitions if you make a partition too
large?
12. Research CentOS 6.0 and find out the minimum size needed for the /(root) partition
and the /var partition. What did you find?
13. When installing Linux, you are asked to select the installation type (e.g., Desktop,
Minimal, and Server). If you select Desktop but later wish to use your computer as a
Server, would you have to reinstall the operating system? Explain.
14. In your CentOS installation, you specified a root password. In Ubuntu you did not.
How then, in Ubuntu, are you able to perform system administrative tasks?
15. Compare the installation process of CentOS to Ubuntu in terms of which steps you
had to perform and the order that they were performed. For instance, were any steps
required by one and not used in the other?
16. Why is page swapping inefficient?
17. Assume that the operating system needs to swap in a page but needs to free a frame
for this. It has selected one of the two possible pages to discard. Page 1 has been modi-
fied (i.e., the values stored in memory are different from what is stored on disk) while
Page 2 has not been modified. Which page should the operating system discard and
why?
18. What is a page fault?
19. Determine the memory size of your computer. Now, research some software and
identify one or two titles that are larger in size than that of your computer’s memory.
Without virtual memory, could you run this program? With virtual memory, could
you run this program?
20. Assume we have the following page table and answer the questions below. Assume a
page/frame size is 4096 bytes.