A Beginner's Guide to SELinux

A translation of an article prepared for students of the "Linux Security" course.

SELinux, or Security-Enhanced Linux, is an access control mechanism developed by the US National Security Agency (NSA) to prevent malicious intrusions. It implements mandatory access control (MAC) on top of the existing discretionary access control (DAC), that is, the usual read, write and execute permissions. Under DAC the owner of a file decides who may access it; under MAC the loaded policy decides, and a process (even one running as root) gets only the access the policy grants to its domain.

SELinux has three modes:

  1. enforcing: access is denied according to the policy rules.
  2. permissive: actions that violate the policy are allowed but logged; in enforcing mode they would be denied.
  3. disabled: SELinux is completely turned off.

By default the settings live in /etc/selinux/config.

Changing SELinux modes

To find out the current mode, run

$ getenforce

To switch to permissive mode, run the following command (as root)

$ setenforce 0

or, to switch from permissive back to enforcing, run

$ setenforce 1

setenforce changes the running kernel only and does not survive a reboot; it also cannot turn SELinux on or off, it only toggles between enforcing and permissive while SELinux is enabled.

If you need to disable SELinux completely, this can only be done through the configuration file

$ vi /etc/selinux/config

To disable it, change the SELINUX parameter as follows:

SELINUX=disabled

The change takes effect at the next boot. Because a system running with SELinux disabled creates files without labels, enabling it again later requires a full relabel (described in the next section).
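The check a practitioner usually wants after the commands above: does the mode the kernel is applying right now match what /etc/selinux/config will set at the next boot? The script below is an added example, not code from the original article; the function names are its own, and it accepts an alternate config path so the functions can be tried on a copy of the file.

```shell
#!/bin/sh
# Added example, not code from the original article: compare the SELinux
# mode that is active right now with the one /etc/selinux/config will
# apply at the next boot.  A "setenforce 0" that was never reverted, or a
# config edit never followed by a reboot, shows up as drift.
# The config path can be overridden so the functions can be exercised on
# a copy; only the three modes the article lists are accepted.

# Print the SELINUX= value from a config file (default /etc/selinux/config).
# Comment lines are skipped; if the key appears more than once, the last
# assignment is reported.  SELINUXTYPE= does not match because the regex
# requires "=" directly after SELINUX.
selinux_config_mode() {
    cfg="${1:-/etc/selinux/config}"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
    mode=$(sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
    case "$mode" in
        enforcing|permissive|disabled) echo "$mode" ;;
        "") echo "no SELINUX= line in $cfg" >&2; return 1 ;;
        *)  echo "unknown mode '$mode' in $cfg" >&2; return 1 ;;
    esac
}

# Rewrite the SELINUX= line in place.  Anything but the three valid modes
# is refused, so a typo cannot leave the file unparseable.  The file is
# overwritten through cat rather than replaced, so its inode, permissions
# and its own SELinux label are preserved.
set_config_mode() {
    new="$1"; cfg="${2:-/etc/selinux/config}"
    case "$new" in
        enforcing|permissive|disabled) ;;
        *) echo "refusing to write invalid mode '$new'" >&2; return 1 ;;
    esac
    scratch=$(mktemp) || return 1
    if sed "s/^[[:space:]]*SELINUX[[:space:]]*=.*/SELINUX=$new/" "$cfg" > "$scratch" \
        && cat "$scratch" > "$cfg"; then
        rm -f "$scratch"
        return 0
    fi
    rm -f "$scratch"
    return 1
}

# Compare the running mode with the configured one.  The running mode is
# taken from getenforce unless given as the first argument (used in tests
# and on hosts without libselinux).  Returns 0 on agreement, 2 on drift.
selinux_mode_drift() {
    cfg="${2:-/etc/selinux/config}"
    running="${1:-$(getenforce 2>/dev/null | tr 'A-Z' 'a-z')}"
    [ -n "$running" ] || { echo "cannot determine running mode (getenforce missing?)" >&2; return 1; }
    configured=$(selinux_config_mode "$cfg") || return 1
    if [ "$running" = "$configured" ]; then
        echo "ok: running=$running configured=$configured"
        return 0
    fi
    echo "DRIFT: running=$running but $cfg configures $configured" >&2
    return 2
}

# Usage: sh selinux_mode_check.sh --check
if [ "${1:-}" = "--check" ]; then
    selinux_mode_drift
fi
```

Run it with --check from cron or a configuration-management handler; exit status 2 is the signal that someone changed the mode at runtime and forgot to make it persistent (or the other way round).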

Setting up SELinux

Every file and process is labeled with an SELinux context, which carries additional information such as the SELinux user, role, type and level. If this is the first time SELinux is enabled, you first need to assign contexts to everything on disk. The process of assigning labels and contexts is called labeling. To begin labeling, set the mode to permissive in the configuration file.

$ vi /etc/selinux/config
SELINUX=permissive

After setting permissive mode, create an empty hidden file named .autorelabel in the root of the filesystem

$ touch /.autorelabel

and reboot the machine

$ init 6

Note: we use permissive mode for labeling because, if files are still unlabeled while the system is enforcing, services may be denied access during the reboot and the system may fail to come up.

Don't worry if the boot appears to hang on some file; labeling takes a while. Once labeling is complete and your system is up, you can go back to the configuration file, set the mode to enforcing, and run:

$ setenforce 1

You have now successfully enabled SELinux on your machine.

Monitoring the logs

You may have run into some errors during labeling or while the system is running. To check that SELinux is working correctly and is not blocking access to a port, an application, and so on, you need to look at the logs. The SELinux log is /var/log/audit/audit.log (written by auditd; if auditd is not running, AVC messages go to the kernel log instead), but you do not need to read all of it to find the errors. You can use the audit2why utility (part of the policycoreutils tools) to find them. Run the following command:

$ audit2why < /var/log/audit/audit.log

The result is a list of denials, each with an explanation of why the policy denied it. If there are no denials in the log, nothing is printed.
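audit2why explains each denial; what it does not give you is a count of how many distinct denials a noisy log actually contains. The script below is an added example, not from the original article: it reads stock audit.log lines and summarises kernel AVC denials by source type, target type, object class and permissions, and keeps the permissive flag so you can tell a denial that was really blocked from one that was only logged. The five sample records are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original article: collapse the AVC
# records in audit.log into one line per distinct denial, so you can see
# which few rules a noisy log is hitting before reaching for audit2why or
# audit2allow.  The log lines in sample_avc_log are constructed.

# Read audit records on stdin and print, most frequent first:
#   <count> <source type> <target type> <class> {<permissions>} permissive=<0|1>
# Only kernel AVC records (type=AVC) containing "denied" are counted;
# USER_AVC records from dbus/systemd and "granted" audits are skipped.
# permissive=1 marks a denial that was only logged because the system (or
# that domain) is permissive; in enforcing mode it would have blocked.
avc_summary() {
    awk '
        $1 == "type=AVC" && / denied /{
            perms = $0
            sub(/.*denied +[{] */, "", perms)     # keep text after "denied {"
            sub(/ *[}].*/, "", perms)             # ...and before the closing brace
            src = ""; tgt = ""; cls = ""; mode = "permissive=?"
            for (i = 1; i <= NF; i++) {
                if      ($i ~ /^scontext=/)   { src = substr($i, 10) }
                else if ($i ~ /^tcontext=/)   { tgt = substr($i, 10) }
                else if ($i ~ /^tclass=/)     { cls = substr($i, 8) }
                else if ($i ~ /^permissive=/) { mode = $i }
            }
            # a context is user:role:type:level; only the type matters here
            split(src, s, ":"); split(tgt, t, ":")
            key = s[3] " " t[3] " " cls " {" perms "} " mode
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample: two reads of a home directory by httpd, one outbound
# connect to the MySQL port logged in permissive mode, one SYSCALL record
# and one "granted" audit (the last two must not be counted).
sample_avc_log() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read } for  pid=1201 comm="httpd" name="style.css" dev="dm-0" ino=4712 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.104:204): avc:  granted  { setsecparam } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
EOF
}

# Usage: sh avc_summary.sh [/var/log/audit/audit.log]
# Without an argument the constructed sample is summarised.
if [ $# -gt 0 ]; then
    avc_summary < "$1"
else
    sample_avc_log | avc_summary
fi
```

On the sample the two httpd reads of user_home_t collapse into one line with count 2, which is exactly the situation the labels-and-contexts section below fixes; the name_connect line carries permissive=1, meaning it was logged but not blocked.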

Adjusting SELinux policy

An SELinux policy is the set of rules that drives the SELinux security mechanism. A policy defines the rules for a specific environment. Now we will learn how to adjust the policy to allow actions that are currently denied.

1. Boolean parameters (switches)

Booleans let you change parts of the policy at runtime without writing new policy. They allow you to make changes without rebooting or recompiling the SELinux policy.

For example:
Suppose we want to share a user's home directory over FTP with read/write access. We have already shared it, but when we try to access it we see nothing. That is because the SELinux policy forbids the FTP server from reading and writing users' home directories. We need to change the policy so that the FTP server can access home directories. Let's see whether there is a boolean for this by running

$ semanage boolean -l

This command lists the available booleans with their current state (on or off) and a description. You can narrow the output with grep to get the FTP-related entries only:

$ semanage boolean -l | grep ftp

and you will see the following

ftp_home_dir        -> off       Allow ftp to read & write file in user home directory

The boolean is off, so we turn it on with setsebool:

$ setsebool ftp_home_dir on

Now our ftp daemon will have access to users' home directories. Without -P the change lasts only until the next reboot; use setsebool -P ftp_home_dir on to make it persistent (this rewrites the policy store and takes noticeably longer).
Note: you can also list the available booleans without descriptions with getsebool -a.

2. Labels and contexts

This is the most common way to apply SELinux policy. Every file, directory, process and port is labeled with an SELinux context:

  • For files and directories, the labels are stored as extended attributes on the filesystem and can be viewed with the following command:
    $ ls -Z /etc/httpd
  • For processes and ports, the label is managed by the kernel, and you can view these labels as follows:

processes

$ ps auxZ | grep httpd

ports

$ netstat -anpZ | grep httpd

(on systems without netstat, ss -tlnpZ shows the same information)

For example:
Now let's look at an example to better understand labels and contexts. Suppose we have a web server that uses /home/dan/html/ instead of /var/www/html/. SELinux will treat this as a policy violation and you will not be able to view your web pages. That is because the new directory does not carry the security context associated with HTML content. To see the default security context, use the following command:

$ ls -lZ /var/www/html
 -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/

Here we see httpd_sys_content_t as the type for the HTML files. We need to set this security context on our own directory, which currently has the following context:

-rw-r--r--. dan dan system_u:object_r:user_home_t:s0 /home/dan/html/

An alternative is to ask the policy what context a path should have. semanage lists the file-context rules recorded in the policy, whereas ls -Z shows what is actually on disk; the two can differ:

$ semanage fcontext -l | grep '/var/www'

We will also use semanage to change the context once we have found the right one. To change the context of /home/dan/html, run the following commands:

$ semanage fcontext -a -t httpd_sys_content_t '/home/dan/html(/.*)?'
$ semanage fcontext -l | grep '/home/dan/html'
/home/dan/html(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
$ restorecon -Rv /home/dan/html

semanage fcontext -a only records a new rule in the policy's file-context database; nothing on disk changes until restorecon, which relabels the files and directories under /home/dan/html to match that rule. Our web server can now read files from /home/dan/html because the security context of that directory has been changed to httpd_sys_content_t. (chcon could set the label directly, but a label set with chcon is lost the next time the directory is relabeled, because the policy would still say user_home_t; the semanage rule is what makes the change survive a relabel.)
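The same procedure as a reusable script, added here as an example and not part of the original article: it builds the spec from the directory path, records the rule, previews what restorecon would change, applies it, and then checks that nothing is left mislabelled. The directory and type are the article's; the function names and the escaping helper are this example's own, and the semanage/restorecon steps need root.

```shell
#!/bin/sh
# Added example, not code from the original article: the persistent
# relabel of a custom web root as a function, with a dry run and a
# verification step.  The directory /home/dan/html and the type
# httpd_sys_content_t are the article's example; the function names and
# the escaping helper are this script's own.  semanage and restorecon
# need root.

# Build the file-context spec semanage expects: the directory itself plus
# everything beneath it.  Trailing slashes are removed and dots are
# escaped, because the spec is a regular expression, not a glob (a path
# like /srv/www.example.com would otherwise also match /srv/wwwXexampleYcom).
# Other regex metacharacters in the path are not handled here.
fcontext_spec() {
    dir=$(printf '%s' "$1" | sed 's:/*$::')
    esc=$(printf '%s' "$dir" | sed 's/\./\\./g')
    printf '%s(/.*)?\n' "$esc"
}

# Record the rule, preview what restorecon would change, apply it, then
# run a second dry run: if it prints nothing, every file under the
# directory now matches the policy.  "semanage fcontext -a" fails when a
# rule for that spec already exists, so -m (modify) is the fallback.
relabel_webroot() {
    dir="$1"; ctype="${2:-httpd_sys_content_t}"
    spec=$(fcontext_spec "$dir")
    for tool in semanage restorecon; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found" >&2; return 1; }
    done
    [ -d "$dir" ] || { echo "$dir is not a directory" >&2; return 1; }
    semanage fcontext -a -t "$ctype" "$spec" 2>/dev/null \
        || semanage fcontext -m -t "$ctype" "$spec" || return 1
    echo "== rule recorded: $spec -> $ctype"
    echo "== would change (restorecon -n):"
    restorecon -Rvn "$dir"
    echo "== applying:"
    restorecon -Rv "$dir"
    remaining=$(restorecon -Rvn "$dir")
    if [ -n "$remaining" ]; then
        echo "== still mislabelled:" >&2
        echo "$remaining" >&2
        return 1
    fi
    echo "== all labels under $dir match the policy"
}

# Usage: sh relabel_webroot.sh --apply /home/dan/html [type]
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    relabel_webroot "$2" "${3:-}"
fi
```

The dry run before applying is the step worth keeping even when typing the commands by hand: restorecon -Rvn on a directory that already holds a user's files tells you exactly which labels are about to change.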

3. Creating local policy

There are situations where the methods above do not help and you keep getting errors (avc: denied) in audit.log. When that happens you need to create a local policy module. You can find all the errors with audit2why, as described above.

You can create a local policy to resolve the errors. For example, we are getting errors related to httpd (apache) or smbd (samba); we grep the errors out and create a policy for them:

apache

$ grep httpd_t /var/log/audit/audit.log | audit2allow -M http_policy

samba

$ grep smbd_t /var/log/audit/audit.log | audit2allow -M smb_policy

Here http_policy and smb_policy are the names of the local policy modules we created; audit2allow -M writes a source file (http_policy.te) and a compiled module (http_policy.pp) into the current directory. Now we need to load these local modules into the current SELinux policy. This is done as follows:

$ semodule -i http_policy.pp
$ semodule -i smb_policy.pp

Our local policies are loaded and we should no longer see those avc denials in audit.log. Be aware that audit2allow turns every denial it is given into an allow rule, including denials you did not intend to permit, so read the generated .te file before running semodule -i.
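A review step before semodule -i, added here as an example (not code from the original article): it scans the .te that audit2allow -M writes and flags allow rules that grant write or execute permissions, mention well-known sensitive types, or use a wildcard. The sample module is constructed to show the outcomes; the check list is this example's own and should be extended for your environment.

```shell
#!/bin/sh
# Added example, not code from the original article: review the .te source
# that "audit2allow -M name" writes beside name.pp before loading the
# module.  audit2allow turns every denial it is fed into an allow rule, so
# an unrelated denial that happened to be in the log (or one caused by an
# attack in progress) becomes a permanent permission.  The checks below
# and the sample module are this script's own construction.

# Read a .te on stdin; print "REASON: <rule>" for allow rules that grant
# write/exec-style permissions, mention a well-known sensitive type
# (as source or target), or use a wildcard permission.  Exit status 1
# when anything was flagged, 0 otherwise.
review_te() {
    awk '
        /^[[:space:]]*allow /{
            rule = $0
            sub(/^[[:space:]]+/, "", rule); sub(/[[:space:]]*;?[[:space:]]*$/, "", rule)
            if (rule ~ /[{]/) {            # allow a b:c { p1 p2 };
                perms = rule; sub(/.*[{]/, "", perms); sub(/[}].*/, "", perms)
                gsub(/^ +| +$/, "", perms)
            } else {                       # allow a b:c p;
                n = split(rule, f, " "); perms = f[n]
            }
            reason = ""
            if (perms ~ /(^| )(write|append|create|unlink|execute|execute_no_trans|entrypoint|relabelto|relabelfrom|setattr)( |$)/)
                reason = "WRITE-OR-EXEC"
            if (rule ~ /(shadow_t|passwd_file_t|etc_t|security_t|kernel_t|unconfined_t)/)
                reason = (reason != "" ? reason "," : "") "SENSITIVE-TYPE"
            if (perms == "*")
                reason = (reason != "" ? reason "," : "") "WILDCARD"
            if (reason != "") { print reason ": " rule; flagged++ }
        }
        END { exit (flagged > 0) }
    '
}

# Constructed sample of what audit2allow -M http_policy might write when
# the grep also caught a denial from a probe at /etc/shadow and a write.
sample_te() {
cat <<'EOF'

module http_policy 1.0;

require {
	type httpd_t;
	type user_home_t;
	type shadow_t;
	class file { read getattr open write };
}

#============= httpd_t ==============
allow httpd_t user_home_t:file { read getattr open };
allow httpd_t shadow_t:file read;
allow httpd_t user_home_t:file write;
EOF
}

# Build and load only when the review is clean; otherwise stop so the .te
# can be edited and rebuilt (checkmodule -M -m, then semodule_package).
load_if_clean() {
    name="$1"
    review_te < "$name.te" || { echo "review flagged rules in $name.te; not loading" >&2; return 1; }
    command -v semodule >/dev/null 2>&1 || { echo "semodule not found" >&2; return 1; }
    semodule -i "$name.pp"
}

# Usage: sh review_te.sh http_policy     (expects http_policy.te and .pp)
if [ -n "${1:-}" ]; then
    load_if_clean "$1"
fi
```

On the sample the first rule (read access to the user's HTML) passes, while the read of shadow_t and the write to user_home_t are flagged and the module is not loaded; those two lines are exactly what a blanket audit2allow would have granted to the web server.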

This was my attempt to help you understand SELinux. I hope that after reading this article you feel more comfortable with it.

source: www.habr.com
