SELinux cheat sheet for sysadmins: 42 answers to the big questions

This translation of the article was prepared specially for students of the "Linux Administrator" course.

Here you will find answers to the big questions about life, the universe and everything in Linux with enhanced security.

"The important fact that things are not always what they seem is common knowledge..."

- Douglas Adams, The Hitchhiker's Guide to the Galaxy

Security. Hardening. Compliance. Policy. The Four Horsemen of the sysadmin's Apocalypse. Besides our daily tasks (monitoring, backups, implementation, tuning, updating and so on), we are also responsible for the security of our systems. Even the systems where a third-party vendor recommends that we disable enhanced security. It feels like the job of Ethan Hunt from "Mission: Impossible".

Faced with this dilemma, some sysadmins decide to take the blue pill, because they think they will never learn the answer to the big question of life, the universe and everything. And, as we all know, the answer is 42.

In the spirit of The Hitchhiker's Guide to the Galaxy, here are 42 answers to the big questions about managing and using SELinux on your systems.

1. SELinux is a mandatory access control system, which means that every process has a label. Every file, directory and system object also has a label. Policy rules control access between labelled processes and labelled objects. The kernel enforces these rules.

2. The two most important concepts are: labeling (files, processes, ports, etc.) and type enforcement (which isolates processes from each other based on their types).

3. Correct label format: user:role:type:level (the level is optional).

4. The goal of Multi-Level Security (MLS) is to control processes (domains) based on the security level of the data they will be working with. For example, a secret process cannot read top-secret data.

5. Multi-Category Security (MCS) enforcement protects similar processes from one another (for example, virtual machines, OpenShift gears, SELinux sandboxes, containers, and so on).

6. Kernel parameters for changing the SELinux mode at boot:

  • autorelabel=1 → forces the system to relabel
  • selinux=0 → the kernel does not load the SELinux infrastructure
  • enforcing=0 → boots in permissive mode

7. If you need to relabel the whole system:

# touch /.autorelabel
# reboot

If the system's labeling contains a large number of errors, you may need to boot in permissive mode for the relabeling to succeed.

8. To check whether SELinux is enabled: # getenforce

9. To temporarily enable/disable SELinux: # setenforce [1|0]

10. To check the SELinux status: # sestatus

11. Configuration file: /etc/selinux/config

12. How does SELinux work? Here is an example of the labeling for the Apache web server:

  • Binary: /usr/sbin/httpd → httpd_exec_t
  • Configuration directory: /etc/httpd → httpd_config_t
  • Log file directory: /var/log/httpd → httpd_log_t
  • Content directory: /var/www/html → httpd_sys_content_t
  • Startup script: /usr/lib/systemd/system/httpd.service → httpd_unit_file_t
  • Process: /usr/sbin/httpd -DFOREGROUND → httpd_t
  • Ports: 80/tcp, 443/tcp → httpd_t, http_port_t

A process running in the httpd_t context can interact with an object labelled httpd_something_t.

13. Many commands accept the -Z argument to view, create and change contexts:

  • ls -Z
  • id -Z
  • ps -Z
  • netstat -Z
  • cp -Z
  • mkdir -Z

Contexts are set when files are created, based on the context of their parent directory (with some exceptions). RPMs can set contexts as part of installation.

14. There are four main causes of SELinux errors, described in detail in points 15-21 below:

  • Labeling problems
  • Something SELinux needs to know
  • A bug in the SELinux policy/application
  • Your information may be compromised

15. Labeling problem: if your files in /srv/myweb are labelled incorrectly, access may be denied. Here are some ways to fix this:

  • If you know the label:
    # semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
  • If you know a file with equivalent labeling:
    # semanage fcontext -a -e /srv/myweb /var/www
  • Restore the context (for both cases):
    # restorecon -vR /srv/myweb

16. Labeling problem: if you move a file instead of copying it, the file keeps its original context. To fix this problem:

  • Change the context with the chcon command, giving the type:
    # chcon -t httpd_sys_content_t /var/www/html/index.html
  • Change the context with the chcon command, giving a reference file:
    # chcon --reference /var/www/html/ /var/www/html/index.html
  • Restore the context (for both cases): # restorecon -vR /var/www/html/
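An added example, not part of the original cheat sheet, that ties points 12 and 16 together: a POSIX shell check comparing the Apache labels listed in point 12 with what the filesystem actually reports, so a file or directory that was moved into place and kept its old context is found before httpd is denied access. The "ls -Zd" output embedded here is constructed; on a real host pipe the real "ls -Zd" output of those paths into check_httpd_labels.

```shell
#!/bin/sh
# Added example, not from the original article: audit Apache's labels against
# the expected types from point 12. Input format is what "ls -Zd PATH..." prints:
#   <user>:<role>:<type>:<level> <path>
set -e

# Expected type per path (point 12 of the cheat sheet).
EXPECTED_LABELS='/usr/sbin/httpd httpd_exec_t
/etc/httpd httpd_config_t
/var/log/httpd httpd_log_t
/var/www/html httpd_sys_content_t
/usr/lib/systemd/system/httpd.service httpd_unit_file_t'

# Constructed sample of "ls -Zd" output: /var/www/html was moved in from a
# home directory with mv, so it kept user_home_t (the point 16 failure mode).
SAMPLE_LS_Z='system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
system_u:object_r:httpd_config_t:s0 /etc/httpd
system_u:object_r:httpd_log_t:s0 /var/log/httpd
unconfined_u:object_r:user_home_t:s0 /var/www/html
system_u:object_r:httpd_unit_file_t:s0 /usr/lib/systemd/system/httpd.service'

# Read "context path" lines on stdin; print OK/MISMATCH per path, with the
# restorecon command that would repair a mismatch. Exit 1 if anything is wrong.
check_httpd_labels() {
  awk -v expected="$EXPECTED_LABELS" '
  BEGIN {
    n = split(expected, rows, "\n")
    for (i = 1; i <= n; i++) { split(rows[i], kv, " "); want[kv[1]] = kv[2] }
  }
  NF >= 2 {
    split($1, ctx, ":"); type = ctx[3]          # user:role:type:level -> type
    path = $2
    if (!(path in want)) { printf "SKIP %s (no expectation listed)\n", path; next }
    if (type == want[path]) { printf "OK %s %s\n", path, type }
    else {
      printf "MISMATCH %s has %s, expected %s -> restorecon -v %s\n", path, type, want[path], path
      bad++
    }
  }
  END { exit bad ? 1 : 0 }'
}

# Self-check on the constructed sample: how many paths need restorecon.
sample_mismatch_count() {
  printf '%s\n' "$SAMPLE_LS_Z" | check_httpd_labels | grep -c '^MISMATCH'
}
```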

17. If SELinux needs to know that HTTPD listens on port 8585, tell SELinux:

# semanage port -a -t http_port_t -p tcp 8585

18. SELinux needs to know about booleans, which allow parts of the SELinux policy to be changed at runtime without rewriting the SELinux policy. For example, if you want httpd to send mail, enter: # setsebool -P httpd_can_sendmail 1

19. SELinux needs to know about booleans, which enable/disable SELinux settings:

  • To see all boolean values: # getsebool -a
  • To see the description of each: # semanage boolean -l
  • To set a boolean value: # setsebool [boolean] [1|0]
  • To make the setting permanent, add -P. For example: # setsebool -P httpd_enable_ftp_server 1

20. The SELinux policy/application can have bugs, including:

  • Unusual code paths
  • Configurations
  • Redirection of stdout
  • Leaked file descriptors
  • Executable memory
  • Badly built libraries

Open a ticket (do not file a Bugzilla report; Bugzilla has no SLA).

21. Your information may be compromised if you have confined domains trying to:

  • Load kernel modules
  • Turn off the SELinux enforcing mode
  • Write to etc_t/shadow_t
  • Modify iptables rules

22. SELinux tools for developing policy modules:

# yum -y install setroubleshoot setroubleshoot-server

Reboot, or restart auditd, after installation.

23. Use journalctl to list all logs related to setroubleshoot:

# journalctl -t setroubleshoot --since=14:20

24. Use journalctl to list all logs related to a particular SELinux label. For example:

# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0

25. When an SELinux error occurs, use the setroubleshoot log, which offers several possible solutions.
For example, from journalctl:

Jun 14 19:41:07 web1 setroubleshoot: SELinux is preventing httpd from getattr access on the file /var/www/html/index.html. For complete message run: sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e

# sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e
SELinux is preventing httpd from getattr access on the file /var/www/html/index.html.

***** Plugin restorecon (99.5 confidence) suggests ************************

If you want to fix the label,
/var/www/html/index.html default label should be httpd_sys_content_t.
Then you can restorecon.
Do
# /sbin/restorecon -v /var/www/html/index.html

26. Logging: SELinux records information in several places:

  • /var/log/messages
  • /var/log/audit/audit.log
  • /var/lib/setroubleshoot/setroubleshoot_database.xml

27. Logging: to search for SELinux errors in the audit log:

# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today

28. To find SELinux Access Vector Cache (AVC) messages for a particular service:

# ausearch -m avc -c httpd

29. The audit2allow utility collects information from the logs of denied operations and then generates SELinux policy allow rules. For example:

  • To produce a human-readable description of why access was denied: # audit2allow -w -a
  • To view the type enforcement rule that would allow the denied access: # audit2allow -a
  • To create a custom module: # audit2allow -a -M mypolicy
  • The -M option creates a type enforcement file (.te) with the given name and compiles the rule into a policy package (.pp): mypolicy.pp mypolicy.te
  • To install the custom module: # semodule -i mypolicy.pp
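An added example, not from the original cheat sheet, that applies point 21 to the AVC records points 27 and 28 pull out of the audit log: a POSIX shell/awk filter that reads raw AVC lines, extracts the source domain, denied permission, object class and target type, and flags the denials that point at a compromised confined domain rather than a labeling mistake. The audit lines embedded below are constructed; on a real host feed it with "ausearch -m AVC --raw -ts today | avc_triage".

```shell
#!/bin/sh
# Added example, not from the original article: triage raw AVC records
# (the format found in /var/log/audit/audit.log) using the four warning signs
# from point 21. Real input:  ausearch -m AVC --raw -ts today | avc_triage
set -e

# Constructed sample records. Line 1 is an ordinary labeling problem
# (point 16); lines 2-4 are the point 21 patterns and must not be "fixed"
# by generating allow rules with audit2allow.
SAMPLE_AVC='type=AVC msg=audit(1560536467.123:456): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1560536500.001:457): avc:  denied  { write } for  pid=2345 comm="httpd" name="shadow" dev="dm-0" ino=67 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1560536600.002:458): avc:  denied  { module_load } for  pid=3456 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
type=AVC msg=audit(1560536700.003:459): avc:  denied  { setenforce } for  pid=4567 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=0'

# Read AVC records on stdin; print "SEVERITY source_type perms tclass target_type comm".
avc_triage() {
  awk '
  /avc: +denied/ {
    perm = ""; comm = ""; sctx = ""; tctx = ""; tclass = ""
    if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
    gsub(/ /, ",", perm)                       # "{ read write }" -> read,write
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
      if (kv[1] == "scontext") { sctx = kv[2] }
      if (kv[1] == "tcontext") { tctx = kv[2] }
      if (kv[1] == "tclass")   { tclass = kv[2] }
    }
    split(sctx, s, ":"); split(tctx, t, ":")   # user:role:type:level
    stype = s[3]; ttype = t[3]
    sev = "LOW"                                # default: probably a labeling issue
    if ((ttype == "shadow_t" || ttype == "etc_t") && perm ~ /(write|append|create|unlink)/) sev = "HIGH"
    if (tclass == "system" && perm ~ /module_load/) sev = "HIGH"    # kernel module loading
    if (tclass == "security" && perm ~ /setenforce/) sev = "HIGH"   # turning off enforcing
    if (tclass ~ /netfilter/ || ttype == "iptables_t") sev = "HIGH" # iptables changes
    printf "%s %s %s %s %s %s\n", sev, stype, perm, tclass, ttype, comm
  }'
}

# Self-check on the constructed sample: number of HIGH findings.
sample_high_count() {
  printf '%s\n' "$SAMPLE_AVC" | avc_triage | grep -c '^HIGH'
}
```

HIGH lines are the ones to investigate as a possible compromise; only the LOW ones are candidates for the restorecon and audit2allow steps in points 16 and 29.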

30. To configure a single process (domain) to run in permissive mode: # semanage permissive -a httpd_t

31. If you no longer want the domain to be permissive: # semanage permissive -d httpd_t

32. To disable all permissive domains: # semodule -d permissivedomains

33. Deploying the MLS SELinux policy: # yum install selinux-policy-mls
In /etc/selinux/config:

SELINUX=permissive
SELINUXTYPE=mls

Make sure SELinux is running in permissive mode: # setenforce 0
Use the fixfiles script to make sure that the files are relabelled on the next reboot:

# fixfiles -F onboot
# reboot

34. Create a user with a specific MLS range: # useradd -Z staff_u john

Using the useradd command, map the new user to an existing SELinux user (in this case, staff_u).

35. To view the mapping between SELinux and Linux users: # semanage login -l

36. Define a specific range for a user: # semanage login --modify --range s2:c100 john

37. To correct the label of the user's home directory (if needed): # chcon -R -l s2:c100 /home/john

38. To view the current categories: # chcat -L

39. To change the categories, or to start creating your own, edit the following file:

/etc/selinux/<selinuxtype>/setrans.conf

40. To run a command or script in a specific type, role and user context:

# runcon -t initrc_t -r system_r -u user_u yourcommandhere

  • -t type context
  • -r role context
  • -u user context

41. Running containers with SELinux disabled:

  • Podman: # podman run --security-opt label=disable …
  • Docker: # docker run --security-opt label=disable …

42. If you need to give a container full access to the system:

  • Podman: # podman run --privileged …
  • Docker: # docker run --privileged …

And now you already know the answer. So please: don't panic, and enable SELinux.

Reference:

source: www.habr.com
