SELinux cheat sheet for sysadmins: 42 answers to the big questions

This translation of the article was prepared specifically for students of the "Linux Administrator" course.


Here you will get the answers to the big questions about life, the universe, and everything in Linux with improved security.

"It is an important and popular fact that things are not always what they seem."

- Douglas Adams, The Hitchhiker's Guide to the Galaxy

Security. Hardening. Compliance. Policy. The Four Horsemen of the sysadmin Apocalypse. In addition to our daily tasks (monitoring, backups, implementation, tuning, updating, and so on), we are also responsible for the security of our systems. Even those systems where a third-party provider recommends that we disable enhanced security. It feels like Ethan Hunt's job from "Mission: Impossible."

Faced with this dilemma, some sysadmins decide to take the blue pill, because they think they will never know the answer to the big question of life, the universe, and everything else. And, as we all know, the answer is 42.

In the spirit of The Hitchhiker's Guide to the Galaxy, here are 42 answers to the big questions about managing and using SELinux on your systems.

1. SELinux is a mandatory access control system, which means every process has a label. Every file, directory, and system object also has a label. Policy rules control access between labeled processes and labeled objects. The kernel enforces these rules.

2. The two most important concepts are: Labeling (of files, processes, ports, etc.) and Type enforcement (which isolates processes from each other based on their types).

3. The correct label format is user:role:type:level (the level is optional).

4. The purpose of Multi-Level Security (MLS) is to control processes (domains) based on the security level of the data they will use. For example, a secret process cannot read top-secret data.

5. Multi-Category Security (MCS) enforcement protects similar processes from each other (for example, virtual machines, OpenShift gears, SELinux sandboxes, containers, etc.).

6. Kernel options for changing the SELinux mode at boot:

  • autorelabel=1 → forces the system to relabel
  • selinux=0 → the kernel does not load the SELinux infrastructure
  • enforcing=0 → boot in permissive mode

7. If you need to relabel the entire system:

# touch /.autorelabel
# reboot

If the labeling contains a lot of errors, you may need to boot in permissive mode for the relabeling to succeed.

8. To check whether SELinux is enabled: # getenforce

9. To temporarily enable/disable SELinux: # setenforce [1|0]

10. Check SELinux status: # sestatus

11. Configuration file: /etc/selinux/config

12. How does SELinux work? Here is an example of labeling for the Apache web server:

  • Binary: /usr/sbin/httpd → httpd_exec_t
  • Configuration directory: /etc/httpd → httpd_config_t
  • Log file directory: /var/log/httpd → httpd_log_t
  • Content directory: /var/www/html → httpd_sys_content_t
  • Startup script: /usr/lib/systemd/system/httpd.service → httpd_unit_file_t
  • Process: /usr/sbin/httpd -DFOREGROUND → httpd_t
  • Ports: 80/tcp, 443/tcp → httpd_t, http_port_t

A process running in the httpd_t context can interact with objects labeled httpd_something_t.

13. Many commands accept the -Z argument to view, create, and modify contexts:

  • ls -Z
  • id -Z
  • ps -Z
  • netstat -Z
  • cp -Z
  • mkdir -Z

Contexts are set when files are created, based on the context of their parent directory (with a few exceptions). RPMs can set contexts at install time.

14. There are four main causes of SELinux errors, described in more detail in items 15-21 below:

  • Labeling problems
  • Something SELinux needs to know about
  • A bug in the SELinux policy or the application
  • Your information may be compromised

15. Labeling problem: if your files in /srv/myweb are labeled incorrectly, access may be denied. Here are some ways to fix this:

  • If you know the label:
    # semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
  • If you know a file with an equivalent label:
    # semanage fcontext -a -e /srv/myweb /var/www
  • Restore the context (for both cases):
    # restorecon -vR /srv/myweb

16. Labeling problem: if you move a file instead of copying it, the file keeps its original context. To fix this problem:

  • Change the context with the label:
    # chcon -t httpd_sys_content_t /var/www/html/index.html
  • Change the context using a reference file:
    # chcon --reference /var/www/html/ /var/www/html/index.html
  • Restore the context (for both cases): # restorecon -vR /var/www/html/
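An added example (not from the original article) that ties items 12, 15 and 16 together: it checks constructed `ls -Z` output for the Apache paths of item 12 and reports files whose type differs from the expected one, the way a file moved in with mv would look. The path table and the sample lines are constructed for this example; the fix it prints is the restorecon from items 15/16.

```shell
# Added example, not from the original article: find mislabeled files in
# constructed `ls -Z` output using the Apache label table from item 12.

# Expected types per path prefix, taken from item 12 (longest prefix wins).
EXPECTED_TYPES='/etc/httpd httpd_config_t
/var/log/httpd httpd_log_t
/var/www/html httpd_sys_content_t
/usr/sbin/httpd httpd_exec_t'

# Constructed sample lines in "<context> <path>" form, as `ls -Z` prints
# them. moved.html imitates a file moved in with mv from /root (item 16);
# the last entry has no level field, which item 3 says is optional.
SAMPLE_LS_Z='system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:admin_home_t:s0 /var/www/html/moved.html
system_u:object_r:httpd_log_t:s0 /var/log/httpd/access_log
system_u:object_r:var_log_t:s0 /var/log/httpd/error_log
system_u:object_r:httpd_config_t /etc/httpd/conf/httpd.conf'

# Type field (third component) of a user:role:type[:level] context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Expected type for a path: the longest matching prefix from EXPECTED_TYPES,
# or empty when the path is outside the table.
expected_type() {
    printf '%s\n' "$EXPECTED_TYPES" | awk -v p="$1" '
        index(p, $1 "/") == 1 || p == $1 { if (length($1) > best) { best = length($1); t = $2 } }
        END { print t }'
}

# Print "<path> <actual> <expected>" for each mislabeled file on stdin.
find_mislabeled() {
    while read -r ctx path; do
        [ -z "$path" ] && continue
        want=$(expected_type "$path")
        have=$(context_type "$ctx")
        [ -n "$want" ] && [ "$have" != "$want" ] && printf '%s %s %s\n' "$path" "$have" "$want"
    done
}

# Number of mislabeled files in the sample (used by the checks below).
count_mislabeled() {
    printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled | wc -l | tr -d ' '
}

# Report each mislabeled file together with the restorecon fix of items 15/16.
printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled | while read -r path have want; do
    printf 'MISLABELED %s: %s, expected %s -> restorecon -v %s\n' "$path" "$have" "$want" "$path"
done
```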

17. If SELinux needs to know that HTTPD is listening on port 8585, tell SELinux:

# semanage port -a -t http_port_t -p tcp 8585

18. SELinux needs to know: Booleans allow parts of the SELinux policy to be changed at runtime without the SELinux policy having to be rewritten. For example, if you want httpd to send email, enter: # setsebool -P httpd_can_sendmail 1

19. SELinux needs to know: Booleans are on/off settings for SELinux:

  • To see all Boolean values: # getsebool -a
  • To see the description of each one: # semanage boolean -l
  • To set a Boolean value: # setsebool [_boolean_] [1|0]
  • To make the change permanent, add -P. For example: # setsebool -P httpd_enable_ftp_server 1

20. SELinux policies or applications may have bugs, including:

  • Unusual code paths
  • Configurations
  • Redirection of stdout
  • Leaked file descriptors
  • Executable memory
  • Badly built libraries

Open a ticket (do not file a report in Bugzilla; Bugzilla has no SLA).

21. Your information may be compromised if you have confined domains trying to:

  • Load kernel modules
  • Disable enforcing SELinux mode
  • Write to etc_t/shadow_t
  • Modify iptables rules

22. SELinux tools for developing policy modules:

# yum -y install setroubleshoot setroubleshoot-server

Reboot or restart auditd after installation.

23. Use journalctl to list all logs related to setroubleshoot:

# journalctl -t setroubleshoot --since=14:20

24. Use journalctl to list all logs related to a specific SELinux label. For example:

# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0

25. When an SELinux error occurs, use the setroubleshoot log, which offers several possible solutions. For example, from journalctl:

Jun 14 19:41:07 web1 setroubleshoot: SELinux is preventing httpd from getattr access on the file /var/www/html/index.html. For complete message run: sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e

# sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e
SELinux is preventing httpd from getattr access on the file /var/www/html/index.html.

***** Plugin restorecon (99.5 confidence) suggests ************************

If you want to fix the label,
/var/www/html/index.html default label should be httpd_syscontent_t.
Then you can restorecon.
Do
# /sbin/restorecon -v /var/www/html/index.html

26. Logging: SELinux records information in several places:

  • /var/log/messages
  • /var/log/audit/audit.log
  • /var/lib/setroubleshoot/setroubleshoot_database.xml

27. Logging: to find SELinux errors in the audit log:

# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today

28. To find SELinux Access Vector Cache (AVC) messages for a specific service:

# ausearch -m avc -c httpd
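An added example (not from the original article) for items 21, 27 and 28: it triages AVC denial records of the kind ausearch -m avc returns, separating ordinary labeling and port problems (items 15-17) from the item-21 indicators that deserve an incident look rather than an audit2allow rule. The records, pids, inodes and timestamps are constructed for this example.

```shell
# Added example, not from the original article: triage AVC denial records
# and flag the item-21 indicators (writes to shadow_t/etc_t, kernel module
# loading, disabling enforcement) before anyone reaches for audit2allow.

# Constructed sample records in audit.log format, one record per line.
SAMPLE_AVC='type=AVC msg=audit(1718386867.123:401): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1718386901.456:402): avc:  denied  { write } for  pid=1234 comm="httpd" name="shadow" dev="dm-0" ino=2002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1718386955.789:403): avc:  denied  { module_load } for  pid=1234 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=system permissive=0
type=AVC msg=audit(1718386999.012:404): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8585 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# Value of one key=value field in a record ($1 = record, $2 = key).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# Denied permissions listed between the braces, e.g. "read write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# HIGH = item-21 indicator, PORT = item 17 (port not labeled for the service),
# LABEL = items 15/16 (file carries a wrong label), OTHER = needs a closer look.
classify_avc() {
    rec="$1"
    perms=$(avc_perms "$rec")
    ttype=$(avc_field "$rec" tcontext | cut -d: -f3)
    tclass=$(avc_field "$rec" tclass)
    case "$perms" in *module_load*|*setenforce*) echo HIGH; return ;; esac
    case "$ttype:$perms" in shadow_t:*write*|etc_t:*write*) echo HIGH; return ;; esac
    case "$tclass" in tcp_socket|udp_socket) echo PORT; return ;; esac
    case "$ttype" in *_home_t|*default_t) echo LABEL; return ;; esac
    echo OTHER
}

# Classify the N-th sample record (used by the checks below).
classify_nth() {
    classify_avc "$(printf '%s\n' "$SAMPLE_AVC" | sed -n "${1}p")"
}

# One summary line per record, a compact view of what ausearch -m avc shows.
triage_all() {
    printf '%s\n' "$SAMPLE_AVC" | while IFS= read -r rec; do
        printf '%s comm=%s %s -> %s { %s } class=%s\n' \
            "$(classify_avc "$rec")" "$(avc_field "$rec" comm)" \
            "$(avc_field "$rec" scontext | cut -d: -f3)" \
            "$(avc_field "$rec" tcontext | cut -d: -f3)" \
            "$(avc_perms "$rec")" "$(avc_field "$rec" tclass)"
    done
}

triage_all
```

A HIGH line is the case item 21 describes: the denial itself is SELinux doing its job, so the next step is to investigate the process, not to allow the access.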

29. The audit2allow utility collects information from the logs of denied operations and then generates SELinux policy allow rules. For example:

  • To generate a human-readable description of why access was denied: # audit2allow -w -a
  • To see the type enforcement rule that would allow the denied access: # audit2allow -a
  • To create a custom module: # audit2allow -a -M mypolicy
  • The -M option creates a type enforcement file (.te) with the specified name and compiles the rules into a policy package (.pp): mypolicy.pp mypolicy.te
  • To install the custom module: # semodule -i mypolicy.pp

30. To put a particular confined process (domain) into permissive mode: # semanage permissive -a httpd_t

31. If you no longer want the domain to be permissive: # semanage permissive -d httpd_t

32. To disable all permissive domains: # semodule -d permissivedomains

33. Enabling the MLS SELinux policy: # yum install selinux-policy-mls
In /etc/selinux/config:

SELINUX=permissive
SELINUXTYPE=mls

Make sure SELinux is running in permissive mode: # setenforce 0
Use the fixfiles script to make sure the files are relabeled on the next reboot:

# fixfiles -F onboot
# reboot

34. Create a user with a specific MLS range: # useradd -Z staff_u john

Using the useradd command, map the new user to an existing SELinux user (in this case, staff_u).

35. To view the mapping between SELinux and Linux users: # semanage login -l

36. Define a specific range for the user: # semanage login --modify --range s2:c100 john

37. To fix the label of the user's home directory (if necessary): # chcon -R -l s2:c100 /home/john

38. View the current categories: # chcat -L

39. To change the categories or start creating your own, modify the following file:

/etc/selinux/<selinuxtype>/setrans.conf

40. To run a command or script in a specific file, role, and user context:

# runcon -t initrc_t -r system_r -u user_u yourcommandhere

  • -t file context
  • -r role context
  • -u user context

41. Running containers with SELinux disabled:

  • Podman: # podman run --security-opt label=disable …
  • Docker: # docker run --security-opt label=disable …

42. If you need to give a container full access to the system:

  • Podman: # podman run --privileged …
  • Docker: # docker run --privileged …

And now you know the answers. So please: don't panic, and enable SELinux.

Links:

Source: www.hab.com