A Beginner's Guide to SELinux

Translation of an article prepared for students of the "Linux Security" course.

SELinux, or Security Enhanced Linux, is an access control enhancement developed by the US National Security Agency (NSA) to protect against malicious activity. It implements a Mandatory Access Control (MAC) model on top of the existing Discretionary Access Control (DAC) model, that is, the classic read, write and execute permissions. Under DAC the owner of a file decides who may access it; under MAC the loaded policy decides, and a process cannot grant itself more access than the policy allows, no matter who owns the file.

SELinux has three modes:

  1. Enforcing - access is denied according to the policy rules.
  2. Permissive - policy violations are only logged; everything that would be blocked in enforcing mode is recorded but allowed.
  3. Disabled - SELinux is completely turned off.

By default the settings live in /etc/selinux/config.

Changing the SELinux mode

To find out the current mode, run

$ getenforce

To switch to permissive mode, run the following command

$ setenforce 0

or, to switch from permissive back to enforcing, run

$ setenforce 1

setenforce changes only the running kernel; the mode written in /etc/selinux/config is what applies at the next boot. If you want to disable SELinux entirely, that can only be done through the configuration file

$ vi /etc/selinux/config

To disable it, change the SELINUX parameter as follows:

SELINUX=disabled

Keep in mind that a disabled SELinux cannot simply be switched back on: files created while it was disabled carry no labels, so re-enabling needs a reboot with a full relabel. On recent distributions (Fedora 34 and RHEL 9 onwards) disabling through this file is deprecated, and the supported way is the selinux=0 kernel command-line parameter.

Setting up SELinux

All files and processes are labeled with an SELinux context, which carries additional information such as a user, a role, a type and so on. If this is the first time you are enabling SELinux, you first have to set up those contexts and labels. The process of assigning labels and contexts is called labeling. To start labeling, change the mode to permissive in the configuration file.

$ vi /etc/selinux/config
SELINUX=permissive

After setting permissive mode, create an empty file named .autorelabel in the root directory

$ touch /.autorelabel

and reboot the machine

$ init 6

Note: We use permissive mode for labeling because booting in enforcing mode on a filesystem that has not been labeled yet can leave the system unable to come up: the policy denies access to unlabeled files, including the ones needed to boot.

Don't worry if the boot appears to hang on some file; labeling takes a while. Once labeling has finished and the system is up, go to the configuration file, set the mode to enforcing, and also run:

$ setenforce 1

SELinux is now enabled on your machine.
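The mode-change commands and the relabel procedure above, wrapped into a small script as an added example (this is not code from the original article). set_config_mode, config_mode, runtime_mode, prepare_relabel and finish_enforcing are helper names chosen here; the SELINUX_CONFIG and ROOT variables exist only so the steps can be exercised against a scratch copy of the config instead of the live /etc/selinux/config. The config file is overwritten in place rather than renamed over, so it keeps its inode, permissions and SELinux label.

```shell
#!/bin/sh
# Added example, not part of the original article: a safe wrapper around
# the mode-change and relabel steps. SELINUX_CONFIG and ROOT are
# assumptions introduced here so the script can be run against a scratch
# directory; on a real system leave them at their defaults.

SELINUX_CONFIG=${SELINUX_CONFIG:-/etc/selinux/config}
ROOT=${ROOT:-}   # prefix for /.autorelabel; empty on a real system

# set_config_mode FILE MODE: rewrite the SELINUX= line of an
# /etc/selinux/config-style file. Refuses anything but the three valid
# modes so a typo cannot leave the machine with an unparsable config.
set_config_mode() {
  file=$1; mode=$2
  case $mode in
    enforcing|permissive|disabled) ;;
    *) echo "set_config_mode: invalid mode '$mode'" >&2; return 1 ;;
  esac
  if grep -q '^SELINUX=' "$file"; then
    # overwrite in place (cat >) so the file keeps its inode and label
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$file" > "$file.tmp" \
      && cat "$file.tmp" > "$file" && rm "$file.tmp"
  else
    printf 'SELINUX=%s\n' "$mode" >> "$file"
  fi
  config_mode "$file"
}

# config_mode FILE: the mode that FILE will apply at the next boot.
config_mode() {
  sed -n 's/^SELINUX=//p' "$1" | tail -n 1
}

# runtime_mode: the mode of the running kernel (what getenforce prints),
# or "unavailable" when the SELinux tools are not installed.
runtime_mode() {
  if command -v getenforce >/dev/null 2>&1; then
    getenforce | tr 'A-Z' 'a-z'
  else
    echo unavailable
  fi
}

# prepare_relabel: the first two steps of the procedure. Sets permissive
# in the config, creates /.autorelabel, and leaves the reboot to the
# operator so nothing restarts a machine by surprise.
prepare_relabel() {
  set_config_mode "$SELINUX_CONFIG" permissive >/dev/null || return 1
  : > "$ROOT/.autorelabel"
  echo "config set to permissive and $ROOT/.autorelabel created; reboot to relabel"
}

# finish_enforcing: the last step, after the relabel boot. Makes enforcing
# persistent in the config and switches the running kernel at once.
finish_enforcing() {
  set_config_mode "$SELINUX_CONFIG" enforcing >/dev/null || return 1
  if command -v setenforce >/dev/null 2>&1; then
    setenforce 1 || echo "setenforce failed (are you root?)" >&2
  fi
  config_mode "$SELINUX_CONFIG"
}
```

A typical run as root is `prepare_relabel`, then `reboot`, then `finish_enforcing` once the machine is back; comparing `runtime_mode` with `config_mode /etc/selinux/config` afterwards shows whether the persistent and the live mode agree.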

Monitoring the logs

You may run into errors during labeling or while the system is running. To check whether SELinux is working correctly and whether it is blocking access to some port, application and so on, you have to look at the logs. The SELinux log is /var/log/audit/audit.log, but you do not have to read the whole file to find the errors. You can use the audit2why utility to find them. Run the following command:

$ audit2why < /var/log/audit/audit.log

You will get a list of denials, each followed by an explanation of why the policy denied it. If there are no denials in the log, nothing is printed. Note that audit.log is written by auditd; if auditd is not running, the AVC messages go to the kernel log instead (dmesg or /var/log/messages). The same records can also be pulled out with ausearch -m avc.
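The denial records that audit2why reads can be summarised without any SELinux tools at all, which is useful on a machine that only has the log copied to it. The script below is an added example and not code from the original article; summarize_avc and count_enforced are helper names chosen here, and the records in SAMPLE_AVC are constructed to follow the auditd "type=AVC" layout rather than captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the original article: a dependency-free
# summary of AVC denials. SAMPLE_AVC is constructed sample input.

SAMPLE_AVC=$(cat <<'EOF'
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.124:457): avc:  denied  { read open } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.000:458): avc:  denied  { name_bind } for  pid=2222 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1700000001.000:458): arch=c000003e syscall=49 success=no exit=-13 comm="sshd"
EOF
)

# summarize_avc: read audit records on stdin and print
#   COUNT SOURCE_TYPE TARGET_TYPE CLASS PERMISSION
# for every distinct denial. That tuple is exactly what an allow rule or
# a boolean has to cover, so it is the unit you reason about.
summarize_avc() {
  awk '
    /^type=AVC / && /avc:  denied/ {
      # the permissions sit between "{" and "}"
      perms = $0
      sub(/.*\{ */, "", perms); sub(/ *\}.*/, "", perms)
      stype = ttype = tclass = "?"
      for (i = 1; i <= NF; i++) {
        # contexts are user:role:type[:range]; the type is field 3
        if ($i ~ /^scontext=/) { split($i, a, ":"); stype = a[3] }
        if ($i ~ /^tcontext=/) { split($i, b, ":"); ttype = b[3] }
        if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
      }
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) count[stype " " ttype " " tclass " " p[j]]++
    }
    END { for (k in count) print count[k], k }
  ' | LC_ALL=C sort
}

# count_enforced: denials that were actually blocked (permissive=0).
# Records with permissive=1 mean "would have been denied": those are the
# ones to look for after the relabel boot in permissive mode, before
# switching to enforcing.
count_enforced() {
  grep -c '^type=AVC .*avc:  denied .*permissive=0'
}
```

Run it on a live system with `summarize_avc < /var/log/audit/audit.log`; the httpd_t/user_home_t lines in the sample are the denial the ftp_home_dir and contexts sections of this article go on to fix.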

Configuring SELinux policy

An SELinux policy is the set of rules that drives the SELinux security mechanism. A policy defines the rules for a specific environment. We will now look at how to configure the policy to grant access to restricted services.

1. Booleans (switches)

Booleans let you change parts of the policy at run time without writing new rules. They let you make changes without reloading or recompiling the SELinux policy.

Example:
Suppose we want to give users read/write access to their home directories over FTP, and we have already granted that access, but when we try to log in we see nothing. This is because the SELinux policy forbids the FTP server from reading and writing users' home directories. We need to change the policy so that the FTP server can access home directories. Let's see whether there is a boolean for that by running

$ semanage boolean -l

This command lists the available booleans with their current state (on or off) and a description. You can narrow the search by adding grep to find only the ftp-related results:

$ semanage boolean -l | grep ftp

and you will see something like the following

ftp_home_dir        -> off       Allow ftp to read & write file in user home directory

This switch is off, so we enable it with setsebool:

$ setsebool -P ftp_home_dir on

Now our ftp daemon will be able to access users' home directories. Without -P the change lasts only until the next reboot; -P also writes it to the policy store so it survives a restart.
Note: You can get the list of available booleans without descriptions by running getsebool -a

2. Labels and contexts

This is the most important way in which SELinux policy is applied. Every file, directory, process and port is labeled with an SELinux context:

  • For files and directories, the labels are stored as extended attributes of the filesystem and can be viewed with the following command:
    $ ls -Z /etc/httpd
  • For processes and ports, the labeling is managed by the kernel, and you can view those labels as follows:

processes

$ ps auxZ | grep httpd

ports

$ netstat -anpZ | grep httpd

Example:
Now let's look at an example to better understand labels and contexts. Suppose we have a web server that, instead of the /var/www/html/ directory, uses /home/dan/html/. SELinux will treat this as a policy violation and you will not be able to view your web pages. This is because we have not set the security context associated with HTML files. To see the security context, use the following command:

$ ls -ldZ /var/www/html
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/

Here we get httpd_sys_content_t as the context for html files. We need to set this security context on our current directory, which at the moment has the following context:

drwxr-xr-x. dan dan system_u:object_r:user_home_t:s0 /home/dan/html/

Another command for checking the security context of a file or directory:

$ semanage fcontext -l | grep '/var/www'

We will also use semanage to change the context once we have found the correct security context. To change the context of /home/dan/html, run the following commands:

$ semanage fcontext -a -t httpd_sys_content_t '/home/dan/html(/.*)?'
$ semanage fcontext -l | grep '/home/dan/html'
/home/dan/html(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
$ restorecon -Rv /home/dan/html

semanage fcontext only records the rule in the policy's file-context database; it does not touch the files themselves. restorecon then walks the directory and applies the context that the database says each path should have. Our web server will now be able to read files from the /home/dan/html directory, because the security context of this directory has been changed to httpd_sys_content_t. (chcon would have changed the label too, but without the semanage rule the next relabel would revert it.)
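After restorecon it is worth confirming that nothing under the directory still carries the old type, since a single file with user_home_t is enough to produce a 403. The check below is an added example, not code from the original article: context_type and find_mislabeled are helper names chosen here, and the "context path" lines in SAMPLE_LS_Z are constructed sample input in the layout ls -Z prints, not output captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the original article: verifying file labels
# after a relabel. SAMPLE_LS_Z is constructed sample input.

# Context then path, the layout "ls -Z" prints on current coreutils.
SAMPLE_LS_Z='system_u:object_r:httpd_sys_content_t:s0 /home/dan/html/index.html
unconfined_u:object_r:httpd_sys_content_t:s0 /home/dan/html/css/site.css
system_u:object_r:user_home_t:s0 /home/dan/html/about.html
system_u:object_r:httpd_sys_rw_content_t:s0 /home/dan/html/uploads'

# context_type CONTEXT: the type field of user:role:type[:range].
# The type is what the targeted policy's rules are written against; the
# user and role fields of a file label do not decide a file access denial.
context_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# find_mislabeled TYPE...: read "context path" lines on stdin and print
# "path type" for every entry whose type is not one of the given TYPEs.
# Several types are accepted because a web root legitimately mixes
# httpd_sys_content_t (read-only) with httpd_sys_rw_content_t (uploads).
find_mislabeled() {
  allowed=" $* "
  while read -r ctx path; do
    [ -z "$ctx" ] && continue
    t=$(context_type "$ctx")
    case "$allowed" in
      *" $t "*) ;;
      *) printf '%s %s\n' "$path" "$t" ;;
    esac
  done
}
```

On a real system feed it from GNU find, which can print the label itself: `find /home/dan/html -printf '%Z %p\n' | find_mislabeled httpd_sys_content_t httpd_sys_rw_content_t`. Note that restorecon resets only the type field by default, which is why the unconfined_u entry above is not reported as a problem; pass -F if you also want the user and role reset to what the file-context database says.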

3. Creating local policies

There may be situations where the approaches above do not help and you keep getting errors (AVC denials) in audit.log. When that happens, you need to create a local policy. You can find all the errors with audit2why, as described above.

You can create a local policy to resolve the errors. For example, if we get errors related to httpd (apache) or smbd (samba), we grep the errors and build a policy for them:

apache
$ grep httpd_t /var/log/audit/audit.log | audit2allow -M http_policy
samba
$ grep smbd_t /var/log/audit/audit.log | audit2allow -M smb_policy

where http_policy and smb_policy are the names of the local policies we are creating. audit2allow -M writes two files, http_policy.te (the rules in readable form) and http_policy.pp (the compiled module). Read the .te file before going further: audit2allow turns every denial it was given into an allow rule, so it will just as readily allow a logged attack as fix a misconfiguration, and when a boolean already covers the access it says so in a comment above the rule, in which case setting the boolean is the better fix. Now we need to load the local policies we created into the current SELinux policy. That is done as follows:

$ semodule -i http_policy.pp
$ semodule -i smb_policy.pp

Our local policies are loaded and we should no longer get any AVC denials in audit.log.
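A pre-installation review of the generated .te file can be scripted, which also enforces the point from the booleans section that a boolean beats a custom module when one exists. The script below is an added example and not code from the original article; review_te is a helper name chosen here, and SAMPLE_TE is constructed to look like audit2allow output (including its "#!!!!" boolean hint) rather than taken from a real system. The lists of sensitive types and dangerous permissions it checks are a starting point, not a complete policy.

```shell
#!/bin/sh
# Added example, not part of the original article: review a module
# generated by "audit2allow -M" before "semodule -i". SAMPLE_TE is
# constructed sample input.

SAMPLE_TE=$(cat <<'EOF'
module http_policy 1.0;

require {
	type httpd_t;
	type user_home_t;
	type shadow_t;
	type httpd_log_t;
	class file { read open getattr write append };
	class capability dac_override;
}

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_read_user_content'
allow httpd_t user_home_t:file { read open getattr };
allow httpd_t shadow_t:file read;
allow httpd_t self:capability dac_override;
allow httpd_t httpd_log_t:file append;
EOF
)

# review_te: read a .te file on stdin, print one REVIEW line per allow
# rule that should not be installed as-is, and return 1 if any was found
# so it can gate a deployment step.
review_te() {
  awk '
    # audit2allow prints this hint directly above a rule a boolean covers
    /^#!!!!.*boolean/ { hint = $0; next }
    /^allow / {
      reason = ""
      if (hint != "")
        reason = "use the boolean instead of a custom rule"
      else if ($0 ~ /(shadow_t|security_t|selinux_config_t)/)
        reason = "grants access to a sensitive type"
      else if ($0 ~ /(dac_override|dac_read_search|sys_admin|execmem|execheap|execstack)/)
        reason = "grants a permission that bypasses other controls"
      if (reason != "") { flagged++; print "REVIEW: " $0 "  <- " reason }
      hint = ""
      next
    }
    { hint = "" }
    END { exit flagged > 0 }
  '
}
```

Wired into the procedure above: `review_te < http_policy.te && semodule -i http_policy.pp`. For the sample, the first rule is dropped in favour of `setsebool -P httpd_read_user_content on`, the shadow_t and dac_override rules mean the denial is a symptom of something that should not be happening, and only the httpd_log_t append rule is a plausible local policy.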

This was my attempt to help you understand SELinux. I hope that after reading this article you will feel comfortable with SELinux.

Source: www.hab.com
