The Linux security subsystem

One of the reasons for the great success of the Linux OS on embedded and mobile devices and on servers is the fairly high degree of security of the kernel, its related services and applications. Yet if you look closely at the architecture of the Linux kernel, you will not find a separate block in it that is responsible for security as such. So where is the Linux security subsystem hiding, and what is it?

Background: Linux Security Modules and SELinux

Security Enhanced Linux is a set of rules and access mechanisms based on the mandatory and role-based access models, designed to protect Linux systems from threats and to correct the shortcomings of Discretionary Access Control (DAC), the traditional Unix security subsystem. The project originated inside the US National Security Agency, and was developed directly by the contractors Secure Computing Corporation and MITRE, together with several research laboratories.

(Figure: Linux Security Modules)

Linus Torvalds made a number of comments to the effect that the new NSA developments could be included in the mainline Linux kernel. He described a general environment with a set of interceptors for controlling operations on objects, plus a set of protective fields in kernel data structures for storing the corresponding attributes. This environment could then be used by loadable kernel modules to implement any desired security model. LSM was fully merged into Linux kernel v2.6 in 2003.

The LSM framework consists of guard fields in data structures and calls to interception functions at critical points in the kernel code, which manipulate those fields and perform access control. It also adds the functions needed to register security modules. The file /sys/kernel/security/lsm holds the list of modules active on the system. LSM hooks are kept in lists and called in the order specified by CONFIG_LSM. Detailed documentation of the hooks lives in the header file include/linux/lsm_hooks.h.

The LSM subsystem made it possible to complete the full integration of SELinux in the same version of the stable Linux kernel, v2.6. Almost immediately, SELinux became the de facto standard for a secured Linux and was included in the most popular distributions: RedHat Enterprise Linux, Fedora, Debian, Ubuntu.

SELinux terminology

  • Identity — An SELinux user is not the same as the familiar Unix/Linux user; the two can coexist on the same system but are quite different in nature. Each standard Linux account can map to one or more SELinux users. The SELinux identity is part of the overall security context, which determines which domains you can and cannot enter.
  • Domains - In SELinux, a domain is the execution context of a subject, that is, a process. The domain directly determines what access a process has. A domain is essentially a list of what processes may do, or what a process may do with different types. Examples of domains are sysadm_t for system administration and user_t, a normal unprivileged user domain. The init system runs in the init_t domain, and the named process runs in the named_t domain.
  • Roles - Roles serve as the intermediary between domains and SELinux users. A role determines which domains a user can enter and which object types they can access. This access control mechanism counters the threat of privilege escalation attacks. Roles are part of the Role Based Access Control (RBAC) security model used in SELinux.
  • Types - A Type Enforcement attribute assigned to an object that determines who may access it. The definition mirrors that of a domain, except that a domain applies to a process while a type applies to objects such as directories, files, sockets and so on.
  • Subjects and objects - Processes are subjects and run in a specific context, or security domain. Operating system resources, such as files, directories, sockets and so on, are objects that are assigned a certain type, in other words a privilege level.
  • SELinux policies - SELinux uses a variety of policies to protect the system. An SELinux policy defines which roles users may take, which domains roles may enter, and which types domains may access. First a user is authorized to obtain a role, then the role is authorized to enter domains. Finally, a domain may access only certain types of objects.

LSM and SELinux architecture

Despite the name, LSMs are not loadable Linux modules. Like SELinux, the LSM code is built directly into the kernel. Any change to the LSM source code requires a new kernel build. The appropriate option must be enabled in the kernel configuration, otherwise the LSM code will not be activated after boot. But even in that case it can be enabled through an OS bootloader option.

(Figure: LSM stack layers)

LSM is equipped with hooks in the key kernel functions that can be relevant for checks. One of the main features of LSMs is that they stack. Thus the standard checks are still carried out, and each LSM layer only adds further controls and restrictions. This means that a denial can never be reversed. The figure shows this: if the result of the usual DAC check is a failure, the request never even reaches the LSM hooks.

SELinux uses the Flask security architecture of the Fluke research OS, in particular the principle of least privilege. The essence of this concept, as its name suggests, is to grant a user or process only the rights needed to perform the intended actions. The principle is implemented using type enforcement, so access control in SELinux is based on the domain => type model.

Thanks to type enforcement, SELinux gives far more control than the traditional DAC model used in Unix/Linux operating systems. For example, you can restrict the network port number that the ftp server may bind to, or allow writing and modifying files in a certain directory but not deleting them.

The main components of SELinux:

  • Policy Enforcement Server — The main mechanism for organizing access control.
  • Security policy database.
  • Interaction with the LSM event interceptor.
  • Selinuxfs - A pseudo-filesystem, similar to /proc, mounted at /sys/fs/selinux. It is populated dynamically by the Linux kernel at runtime and contains files with SELinux status information.
  • Access Vector Cache — An auxiliary mechanism for improving performance.

(Figure: How SELinux works)

It all works like this.

  1. A subject, in SELinux terms, performs an action on an object that the DAC check has already permitted, as shown in the figure above. This request to perform an operation goes to the LSM event interceptor.
  2. From there the request, together with the security contexts of the subject and the object, is passed to the SELinux Abstraction and Hook Logic module, which is responsible for interacting with the LSM.
  3. The authority that decides whether the subject may access the object is the Policy Enforcement Server, and it receives its data from the SELinux AnHL.
  4. To decide whether to allow or deny access, the Policy Enforcement Server first consults the Access Vector Cache (AVC), a caching subsystem for the most frequently used rules.
  5. If no decision for the rule is found in the cache, the request is passed on to the security policy database.
  6. The result of the lookup in the database and the AVC is returned to the Policy Enforcement Server.
  7. If the policy found permits the requested action, the operation is allowed. Otherwise, the operation is denied.

Managing SELinux settings

SELinux operates in one of three modes:

  • Enforcing - The security policies are strictly enforced.
  • Permissive - Policy violations are allowed through; a corresponding entry is written to the log.
  • Disabled — The security policies are not in effect.

You can check which mode SELinux is in with this command.

[admin@server ~]$ getenforce
Permissive

The mode can be changed until the next reboot, for example by setting it to enforcing, or 1. Permissive corresponds to the numeric value 0.

[admin@server ~]$ setenforce enforcing
[admin@server ~]$ setenforce 1 # the same thing

You can also change the mode by editing a file:

[admin@server ~]$ cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.

SELINUXTYPE=targeted

The difference from setenforce is that when the operating system boots, the SELinux mode is set from the value of the SELINUX parameter in the configuration file. Also, switching enforcing <=> disabled is only possible by editing /etc/selinux/config and then rebooting.

Let's look at a brief status report:

[admin@server ~]$ sestatus

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31

To view SELinux attributes, a number of standard utilities accept the -Z option.

[admin@server ~]$ ls -lZ /var/log/httpd/
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20200920
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20200927
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20201004
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20201011
[admin@server ~]$ ps -u apache -Z
LABEL                             PID TTY          TIME CMD
system_u:system_r:httpd_t:s0     2914 ?        00:00:04 httpd
system_u:system_r:httpd_t:s0     2915 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2916 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2917 ?        00:00:00 httpd
...
system_u:system_r:httpd_t:s0     2918 ?        00:00:00 httpd

Compared with the usual output of ls -l, there is an additional field in this format:

<user>:<role>:<type>:<level>

The last field denotes something like a security classification and consists of a combination of two elements:

  • s0 - sensitivity, also written as a low-high interval
  • c0, c1… c1023 - category.
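As an added example that is not from the original article, here is a small POSIX shell script that splits a security context of this format into its fields and pulls the sensitivity and the categories out of the level; the httpd contexts come from the ls -Z and ps -Z output above, the other two sample contexts are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): split an SELinux security
# context <user>:<role>:<type>:<level> into its fields, and split the <level>
# into its sensitivity and category parts. Plain POSIX sh, no SELinux tools
# needed, so it runs on any system.

# ctx_field CONTEXT NAME -> prints the field NAME (user|role|type|level).
# The level itself may contain ':' (s0-s0:c0.c1023), so it is cut off last.
ctx_field() {
    ctx=$1
    case $2 in
        user)  printf '%s\n' "${ctx%%:*}" ;;
        role)  rest=${ctx#*:};   printf '%s\n' "${rest%%:*}" ;;
        type)  rest=${ctx#*:*:}; printf '%s\n' "${rest%%:*}" ;;
        level) printf '%s\n' "${ctx#*:*:*:}" ;;
        *)     return 1 ;;
    esac
}

# level_part LEVEL PART -> low/high sensitivity of the range, or cats: the
# categories of the high end (empty if none). A bare "s0" means s0-s0.
level_part() {
    lvl=$1
    case $lvl in
        *-*) low=${lvl%%-*}; high=${lvl#*-} ;;   # explicit low-high range
        *)   low=$lvl;       high=$lvl ;;        # single level
    esac
    case $2 in
        low)  printf '%s\n' "${low%%:*}" ;;
        high) printf '%s\n' "${high%%:*}" ;;
        cats) case $high in *:*) printf '%s\n' "${high#*:}" ;; *) printf '\n' ;; esac ;;
        *)    return 1 ;;
    esac
}

# ctx_describe CONTEXT -> one readable line with every component spelled out
ctx_describe() {
    lvl=$(ctx_field "$1" level)
    cats=$(level_part "$lvl" cats)
    printf 'user=%s role=%s type=%s sensitivity=%s-%s categories=%s\n' \
        "$(ctx_field "$1" user)" "$(ctx_field "$1" role)" "$(ctx_field "$1" type)" \
        "$(level_part "$lvl" low)" "$(level_part "$lvl" high)" "${cats:-none}"
}

# Samples: two httpd contexts from the article, two constructed (MCS range, category set)
for c in 'system_u:object_r:httpd_log_t:s0' 'system_u:system_r:httpd_t:s0' \
         'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023' \
         'staff_u:staff_r:staff_t:s0:c1,c5'; do
    ctx_describe "$c"
done
```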

Changing the access configuration

Use semodule to load, add and remove SELinux modules.

[admin@server ~]$ semodule -l |wc -l # list all modules
408
[admin@server ~]$ semodule -e abrt # enable - activate a module
[admin@server ~]$ semodule -d accountsd # disable - deactivate a module
[admin@server ~]$ semodule -r avahi # remove - delete a module

The first semanage login subcommand adds a mapping of an SELinux user to an operating system user, the second lists the mappings. Finally, the last command, with the -d switch, removes the mapping of an SELinux user to an OS account. The syntax of the MLS/MCS Range values was described in the previous section.

[admin@server ~]$ semanage login -a -s user_u karol
[admin@server ~]$ semanage login -l

Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
root unconfined_u s0-s0:c0.c1023 *
system_u system_u s0-s0:c0.c1023 *
[admin@server ~]$ semanage login -d karol

The semanage user subcommand is used to manage the mappings between SELinux users and roles.

[admin@server ~]$ semanage user -l
                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range             SELinux Roles
guest_u         user       s0         s0                    guest_r
staff_u         staff      s0         s0-s0:c0.c1023        staff_r sysadm_r
...
user_u          user       s0         s0                    user_r
xguest_u        user       s0         s0                    xguest_r
[admin@server ~]$ semanage user -a -R 'staff_r user_r' test_u
[admin@server ~]$ semanage user -d test_u

Command options:

  • -a add a custom mapping entry;
  • -l list the mapped users and roles;
  • -d delete a user mapping entry;
  • -R the list of roles attached to the user;

File contexts, ports and Boolean values

Each SELinux module ships with its own set of file labeling rules, but you can add your own rules if needed. For example, suppose we want the web server to have access to the /srv/www directory.

[admin@server ~]$ semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"
[admin@server ~]$ restorecon -R /srv/www/

The first command registers the new labeling rules, and the second resets, or rather sets, the file types in accordance with the current rules.

Similarly, TCP/UDP ports are labeled so that only the appropriate services can listen on them. For example, for the web server to listen on port 8080, you need to run the command.

[admin@server ~]$ semanage port -m -t http_port_t -p tcp 8080

A large number of SELinux modules have parameters that take Boolean values. The full list of such parameters can be seen with getsebool -a. Boolean values are changed with setsebool.

[admin@server ~]$ getsebool httpd_enable_cgi
httpd_enable_cgi --> on
[admin@server ~]$ setsebool -P httpd_enable_cgi off
[admin@server ~]$ getsebool httpd_enable_cgi
httpd_enable_cgi --> off

Workshop: getting access to the pgadmin web interface

Let's look at a practical example: we installed pgadmin4-web on RHEL 7.6 to manage a PostgreSQL database. We went through some trouble with the settings in pg_hba.conf, postgresql.conf and config_local.py, set the directory permissions, and installed the Python modules missing from pip. Everything is ready, we start it and get a 500 Internal Server Error.


We start with the usual suspects and look at /var/log/httpd/error_log. There is something interesting there.

[timestamp] [core:notice] [pid 23689] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
...
[timestamp] [wsgi:error] [pid 23690] [Errno 13] Permission denied: '/var/lib/pgadmin'
[timestamp] [wsgi:error] [pid 23690] [timestamp] [wsgi:error] [pid 23690] HINT : You may need to manually set the permissions on
[timestamp] [wsgi:error] [pid 23690] /var/lib/pgadmin to allow apache to write to it.

At this point most Linux administrators will be strongly tempted to run setenforce 0, and that will be the end of it. Honestly, that is what I did the first time. It is of course a way out, but far from the best one.

Despite its complex structure, SELinux can be user-friendly. Just install the setroubleshoot package and look at the system log.

[admin@server ~]$ yum install setroubleshoot
[admin@server ~]$ journalctl -b -0
[admin@server ~]$ service auditd restart

Note that the auditd service has to be restarted this way, not with systemctl, despite the presence of systemd in the OS. The system log will then show not only the fact that something was blocked, but also the reason and a way to lift the restriction.
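What setroubleshoot works from are the AVC denial records in the audit log. As an added example, not from the original article, the following POSIX shell script extracts the key fields from such records and summarises who was denied what; the two records are constructed samples in the standard kernel AVC format (the httpd_t domain refused a write to a var_lib_t directory and a connection to postgresql_port_t), and the permissive=1 record shows how a denial looks when it is only logged rather than blocked.

```shell
#!/bin/sh
# Added example (not from the original article): extract the key fields from
# AVC denial records, the lines setroubleshoot reads from the audit log.
# The two records are constructed samples in the standard kernel AVC format.
AVC_SAMPLES='type=AVC msg=audit(1602428400.123:4567): avc:  denied  { write } for  pid=23690 comm="httpd" name="pgadmin" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1602428401.456:4568): avc:  denied  { name_connect } for  pid=23690 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1'

# avc_field RECORD NAME -> value of the NAME=... token (quotes stripped),
# empty when the record has no such token.
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms RECORD -> the permission list inside { ... }, e.g. "write"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# avc_summary RECORD -> "<comm>(<source domain>) denied <perms> on <class>
# labelled <target type> [enforced|permissive]". permissive=1 means the
# action was only logged (permissive mode or a permissive domain), not blocked.
avc_summary() {
    rec=$1
    src=$(avc_field "$rec" scontext | cut -d: -f3)   # type field of the context
    tgt=$(avc_field "$rec" tcontext | cut -d: -f3)
    if [ "$(avc_field "$rec" permissive)" = 1 ]; then mode=permissive; else mode=enforced; fi
    printf '%s(%s) denied %s on %s labelled %s [%s]\n' \
        "$(avc_field "$rec" comm)" "$src" "$(avc_perms "$rec")" \
        "$(avc_field "$rec" tclass)" "$tgt" "$mode"
}

# Summarise every sample record
printf '%s\n' "$AVC_SAMPLES" | while IFS= read -r line; do
    avc_summary "$line"
done
```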


We run these commands:

[admin@server ~]$ setsebool -P httpd_can_network_connect 1
[admin@server ~]$ setsebool -P httpd_can_network_connect_db 1

We check access to the pgadmin4-web web interface and everything works.


Source: www.habr.com
