The translation of this article was prepared especially for students of the course
Here you will get the answers to the big questions about life, the universe, and everything in Security-Enhanced Linux.
"It is an important and popular fact that things are not always what they seem."
- Douglas Adams, The Hitchhiker's Guide to the Galaxy
Security. Hardening. Compliance. Policy. The Four Horsemen of the sysadmin Apocalypse. In addition to our daily tasks (monitoring, backups, deployment, configuration, updates, and so on), we are also responsible for the security of our systems. Even those systems where the third-party vendor recommends that we disable the enhanced security. It seems like a job
Faced with this dilemma, some administrators decide to take
In the spirit of The Hitchhiker's Guide to the Galaxy, here are 42 answers to the big questions about managing and using SELinux.
1. SELinux is a labeling system, which means every process has a label. Every file, directory, and device also has a label. Policy rules control access between labeled processes and labeled objects. The kernel enforces these rules.
2. The two most important concepts are: labeling (files, processes, ports, and so on) and type enforcement (which isolates processes from one another based on their type).
3. The correct label format is user:role:type:level (the level is optional).
4. The purpose of Multi-Level Security (MLS) enforcement is to control processes (domains) according to the security level of the data they will use. For example, a secret process cannot read top-secret data.
5. Multi-Category Security (MCS) enforcement protects similar processes from one another (for example, virtual machines, OpenShift gears, SELinux sandboxes, containers, and so on).
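To make items 4 and 5 concrete, here is an added example (not code from the article) that models the dominance rule behind MLS and MCS: a subject may read an object only when its sensitivity is at least as high and its category set contains every category of the object. It assumes single levels such as s2:c100 or s0:c0.c3,c7 (low-high ranges are not handled) and the textbook rule; real policies refine this with mlsconstrain rules, so it is a model, not libselinux.

```python
"""Added example (not from the article): a toy MLS/MCS dominance check.

Assumptions: levels are single levels such as 's2:c100' or 's0:c0.c3,c7'
(ranges 'low-high' are not handled), and the rule is the textbook one:
a subject may read an object only when the subject's level dominates the
object's level, i.e. its sensitivity is at least as high and its category
set contains every category of the object.
"""
import re


def parse_level(level):
    """Turn 's2:c100' into (2, {100}); a 'c0.c3' range expands to c0..c3."""
    m = re.fullmatch(r"s(\d+)(?::(.*))?", level.strip())
    if not m:
        raise ValueError(f"not an MLS level: {level!r}")
    sensitivity = int(m.group(1))
    categories = set()
    for part in (m.group(2) or "").split(","):
        if not part:
            continue
        if "." in part:                       # range: c0.c3
            low, high = part.split(".")
            categories.update(range(int(low[1:]), int(high[1:]) + 1))
        else:                                 # single category: c7
            categories.add(int(part[1:]))
    return sensitivity, frozenset(categories)


def dominates(subject_level, object_level):
    """True when subject_level is at least as sensitive and holds a superset of categories."""
    s_sens, s_cats = parse_level(subject_level)
    o_sens, o_cats = parse_level(object_level)
    return s_sens >= o_sens and s_cats >= o_cats


def can_read(subject_level, object_level):
    """Item 4: no read up. A 'secret' (s1) process cannot read 'top secret' (s2) data."""
    return dominates(subject_level, object_level)


def mcs_isolated(level_a, level_b):
    """Item 5: two containers (or VMs) are isolated when neither level dominates
    the other, which is what distinct category sets at the same sensitivity give you."""
    return not dominates(level_a, level_b) and not dominates(level_b, level_a)


if __name__ == "__main__":
    print(can_read("s1", "s2"))                  # False: secret cannot read top secret
    print(can_read("s2:c100", "s2:c100"))        # True: a user at s2:c100 reads its own files
    print(mcs_isolated("s0:c1,c2", "s0:c3,c4"))  # True: disjoint categories, isolated containers
```

The MCS case is the one container runtimes rely on: every container gets the same sensitivity (s0) but a distinct pair of categories, so the dominance test fails in both directions and one container's files are unreadable from another.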
6. Kernel options for changing the SELinux mode at boot:
autorelabel=1 → forces the system to relabel
selinux=0 → the kernel does not load the SELinux infrastructure
enforcing=0 → boot in permissive mode
7. If you need to relabel the entire system:
# touch /.autorelabel
# reboot
If the system's labeling contains a large number of errors, you may need to boot in permissive mode for the autorelabel to succeed.
8. To check whether SELinux is enabled: # getenforce
9. To temporarily enable or disable SELinux: # setenforce [1|0]
10. To check the SELinux status: # sestatus
11. Configuration file: /etc/selinux/config
12. How does SELinux work? Here is an example of labeling for the Apache web server:
- Binary:
/usr/sbin/httpd → httpd_exec_t
- Configuration directory:
/etc/httpd → httpd_config_t
- Log file directory:
/var/log/httpd → httpd_log_t
- Content directory:
/var/www/html → httpd_sys_content_t
- Startup script:
/usr/lib/systemd/system/httpd.service → httpd_unit_file_t
- Process:
/usr/sbin/httpd -DFOREGROUND → httpd_t
- Ports:
80/tcp, 443/tcp → httpd_t, http_port_t
A process running in the httpd_t context can interact with objects labeled httpd_something_t.
13. Many commands accept the -Z argument to view, create, and modify contexts:
ls -Z
id -Z
ps -Z
netstat -Z
cp -Z
mkdir -Z
Contexts are assigned when files are created, based on the context of their parent directory (with a few exceptions). RPMs can set contexts at installation time.
14. There are four key causes of SELinux errors, explained further in items 15-21 below:
- Labeling problems
- Something SELinux needs to know
- A bug in the SELinux policy or the application
- Your information may be compromised
15. Labeling problem: if your files in /srv/myweb are labeled incorrectly, access may be denied. Here are some ways to fix this:
- If you know the label:
# semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
- If you know a file with an equivalent label:
# semanage fcontext -a -e /srv/myweb /var/www
- Restore the context (for both cases):
# restorecon -vR /srv/myweb
16. Labeling problem: if you move a file instead of copying it, the file keeps its original context. To fix this:
- Change the context with the label:
# chcon -t httpd_sys_content_t /var/www/html/index.html
- Change the context using a reference file:
# chcon --reference /var/www/html/ /var/www/html/index.html
- Restore the context (for both cases):
# restorecon -vR /var/www/html/
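The labeling table of item 12, the -Z output of item 13 and the two labeling problems of items 15 and 16 all come together in one check: compare what each file currently carries with what the file-context rules say it should carry, which is what restorecon does before relabeling. The following is an added example, not code from the article. It assumes `ls -Z`-style "context path" lines (a constructed listing is embedded), a small rules table standing in for file_contexts plus entries added with semanage fcontext, and that the last matching rule wins, as it does for entries appended to file_contexts.local.

```python
"""Added example (not from the article): check a directory listing against
file-context rules, the way restorecon -n would, to spot files that kept a
foreign label after being moved (item 16) or never got the right one (item 15).
"""
import re

# Constructed sample in `ls -Z` format: index.html was moved in from a home
# directory and kept user_home_t (item 16); notes.txt came from root's home.
SAMPLE_LS_Z = """\
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/about.html
unconfined_u:object_r:user_home_t:s0 /var/www/html/index.html
system_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/uploads
unconfined_u:object_r:admin_home_t:s0 /var/www/html/notes.txt
"""

# Stand-in for file_contexts. The /srv/myweb line is exactly what the item 15
# semanage fcontext command adds; the other two are assumed for this example.
FCONTEXT_RULES = [
    (r"/var/www(/.*)?", "httpd_sys_content_t"),
    (r"/var/www/html/uploads(/.*)?", "httpd_sys_rw_content_t"),
    (r"/srv/myweb(/.*)?", "httpd_sys_content_t"),
]


def parse_context(ctx):
    """Split user:role:type:level (item 3). The level may itself contain ':'
    (s0:c1,c2), so only the first three fields are split off; a level is assumed present."""
    user, role, typ, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "level": level}


def parse_ls_z(text):
    """Return [(path, context dict)] from `ls -Z` output, one entry per line."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            ctx, path = line.split(None, 1)
            entries.append((path.strip(), parse_context(ctx)))
    return entries


def expected_type(path):
    """Type the rules assign to path, or None if no rule matches."""
    chosen = None
    for pattern, typ in FCONTEXT_RULES:
        if re.fullmatch(pattern, path):
            chosen = typ          # later rules override earlier ones
    return chosen


def relabel_plan(entries):
    """(path, current type, expected type) for every file restorecon would change."""
    plan = []
    for path, ctx in entries:
        want = expected_type(path)
        if want is not None and ctx["type"] != want:
            plan.append((path, ctx["type"], want))
    return plan


def fix_commands(plan):
    """One chcon per file (item 16); restorecon -vR on the directory does the same in bulk."""
    return [f"chcon -t {want} {path}" for path, _, want in plan]


if __name__ == "__main__":
    for cmd in fix_commands(relabel_plan(parse_ls_z(SAMPLE_LS_Z))):
        print(cmd)
```

On a real host, feed `ls -Z /var/www/html` into parse_ls_z and replace FCONTEXT_RULES with the output of `semanage fcontext -l`; the plan it prints is the list of files a `restorecon -vR` would touch, which is worth reading before running it so that a deliberate label (for example httpd_sys_rw_content_t on an upload directory) is not silently reverted.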
17. If SELinux needs to know that HTTPD is listening on port 8585, tell SELinux:
# semanage port -a -t http_port_t -p tcp 8585
18. SELinux needs to know: booleans are switches that allow parts of the SELinux policy to be changed at runtime without any knowledge of SELinux policy writing. For example, if you want httpd to send email, enter: # setsebool -P httpd_can_sendmail 1
19. SELinux needs to know: booleans are just on/off settings for SELinux:
- To see all boolean values:
# getsebool -a
- To see the description of each one:
# semanage boolean -l
- To set a boolean value:
# setsebool [_boolean_] [1|0]
- To make the setting permanent, add -P. For example:
# setsebool httpd_enable_ftp_server 1 -P
20. SELinux policies and applications can have bugs, including:
- Unusual code paths
- Configurations
- Redirection of stdout
- Leaked file descriptors
- Executable memory
- Badly built libraries
Open a ticket (do not file a report in Bugzilla; Bugzilla has no SLA).
21. Your information may be compromised if you have confined domains trying to:
- Load kernel modules
- Disable SELinux enforcing mode
- Write to etc_t/shadow_t
- Modify iptables rules
22. SELinux tools for developing policy modules:
# yum -y install setroubleshoot setroubleshoot-server
Reboot or restart auditd after installation.
23. Use journalctl to list all logs related to setroubleshoot:
# journalctl -t setroubleshoot --since=14:20
24. Use journalctl to list all logs related to a particular SELinux label. For example:
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0
25. When an SELinux error occurs, use the setroubleshoot log, which suggests several possible solutions.
For example, from journalctl:
Jun 14 19:41:07 web1 setroubleshoot: SELinux is preventing httpd from getattr access on the file /var/www/html/index.html. For complete message run: sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e
# sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e
SELinux is preventing httpd from getattr access on the file /var/www/html/index.html.
***** Plugin restorecon (99.5 confidence) suggests ************************
If you want to fix the label,
/var/www/html/index.html default label should be httpd_syscontent_t.
Then you can restorecon.
Do
# /sbin/restorecon -v /var/www/html/index.html
26. Logging: SELinux records information in several places:
- /var/log/messages
- /var/log/audit/audit.log
- /var/lib/setroubleshoot/setroubleshoot_database.xml
27. Logging: looking for SELinux errors in the audit log:
# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today
28. To search for SELinux Access Vector Cache (AVC) messages for a particular service:
# ausearch -m avc -c httpd
29. The audit2allow utility gathers information from logs of denied operations and then generates SELinux allow rules. For example:
- To produce a human-readable description of why access was denied:
# audit2allow -w -a
- To view the type enforcement rule that would allow the denied access:
# audit2allow -a
- To create a custom module:
# audit2allow -a -M mypolicy
- The -M option creates a type enforcement file (.te) with the specified name and compiles the rule into a policy package (.pp): mypolicy.pp mypolicy.te
- To install the custom module:
# semodule -i mypolicy.pp
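Items 14 to 21 give the decision procedure and items 25 to 29 give the data, so here is an added example (not code from the article) that applies the procedure to raw AVC records: it parses the audit.log / `ausearch -m avc` format, prints the type-enforcement rule audit2allow -a would generate, and sorts each denial into one of the four causes of item 14 with the matching action. The records are constructed; the type sets and the domain-to-boolean and domain-to-port-type tables are small stand-ins assumed for this example (only httpd_can_sendmail and http_port_t are taken from the article). The compromise check runs first on purpose: the denials of item 21 are the ones an allow rule must never paper over.

```python
"""Added example (not from the article): sort AVC denials into the four causes
of item 14 and print what items 15-21 say to do about each one.
"""
import re

# Constructed sample records in audit.log / `ausearch -m avc` format, one per cause.
SAMPLE_AVC = """\
type=AVC msg=audit(1528998067.123:411): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1528998070.456:412): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8585 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1528998075.789:413): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1528998080.000:414): avc:  denied  { module_load } for  pid=1234 comm="httpd" path="/lib/modules/example.ko" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
"""

# Types that belong outside a service's content tree: a file carrying one of
# them under /var/www was almost certainly moved rather than copied (item 16).
FOREIGN_FILE_TYPES = {"user_home_t", "admin_home_t", "default_t", "var_t", "tmp_t"}
# Item 21: things a confined domain should never try. Never "fix" these with audit2allow.
COMPROMISE_PERMS = {"module_load", "setenforce"}
SENSITIVE_TYPES = {"shadow_t", "etc_t"}
WRITE_PERMS = {"write", "append", "create", "unlink", "rename"}
# (domain, target type, permission) -> boolean that grants it (item 18), and the
# port type a domain's listening ports should carry (item 17). Assumed tables.
KNOWN_BOOLEANS = {("httpd_t", "smtp_port_t", "name_connect"): "httpd_can_sendmail"}
PORT_TYPE_FOR_DOMAIN = {"httpd_t": "http_port_t"}


def parse_avc(line):
    """Pull the permission set and every key=value field out of one AVC record."""
    m = re.search(r"denied\s+\{\s*([^}]+?)\s*\}", line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        rec[key] = val.strip('"')
    return rec


def type_of(context):
    """Third field of user:role:type:level (item 3)."""
    return context.split(":")[2]


def allow_rule(rec):
    """The type-enforcement rule audit2allow -a would emit for this record (item 29)."""
    return (f"allow {type_of(rec['scontext'])} {type_of(rec['tcontext'])}:"
            f"{rec['tclass']} {{ {' '.join(rec['perms'])} }};")


def triage(rec):
    """Return (cause, suggested action), checking the dangerous cause first."""
    src, tgt = type_of(rec["scontext"]), type_of(rec["tcontext"])
    cls, perms = rec["tclass"], set(rec["perms"])
    if perms & COMPROMISE_PERMS or (tgt in SENSITIVE_TYPES and perms & WRITE_PERMS):
        return "compromise", "do not add an allow rule; investigate the host"
    if cls in {"file", "dir", "lnk_file"} and tgt in FOREIGN_FILE_TYPES and "path" in rec:
        return "labeling", f"restorecon -v {rec['path']}"
    if cls in {"tcp_socket", "udp_socket"} and "name_bind" in perms and "src" in rec:
        port_type = PORT_TYPE_FOR_DOMAIN.get(src, "<port type for this service>")
        return "port", f"semanage port -a -t {port_type} -p {cls.split('_')[0]} {rec['src']}"
    for (domain, target, perm), boolean in KNOWN_BOOLEANS.items():
        if (domain, target) == (src, tgt) and perm in perms:
            return "boolean", f"setsebool -P {boolean} 1"
    return "policy", f"audit2allow -w -a for the reason; candidate rule: {allow_rule(rec)}"


def triage_log(text):
    """[(comm, cause, action)] for every AVC record in text."""
    return [(rec["comm"],) + triage(rec) for rec in map(parse_avc, text.splitlines()) if rec]


if __name__ == "__main__":
    for comm, cause, action in triage_log(SAMPLE_AVC):
        print(f"{comm:8} {cause:11} {action}")
```

Pipe `ausearch -m AVC -ts today` (item 27) into triage_log on a real host. The point of the ordering is that audit2allow -a would happily turn every one of the four sample records into an allow rule, including the module_load one; the triage refuses that case and, for the labeling and port cases, points at the item 15-17 commands that fix the real cause without widening policy at all.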
30. To configure a single process (domain) to run in permissive mode: # semanage permissive -a httpd_t
31. If you no longer want the domain to be permissive: # semanage permissive -d httpd_t
32. To disable all permissive domains: # semodule -d permissivedomains
33. Enabling the SELinux MLS policy: # yum install selinux-policy-mls
In /etc/selinux/config:
SELINUX=permissive
SELINUXTYPE=mls
Make sure SELinux is running in permissive mode: # setenforce 0
Use the fixfiles script to ensure that files are relabeled on the next reboot:
# fixfiles -F onboot
# reboot
34. Create a user with a specific MLS range: # useradd -Z staff_u john
Using the useradd command, map the new user to an existing SELinux user (in this case, staff_u).
35. To view the mapping between SELinux users and Linux users: # semanage login -l
36. Define a specific range for a user: # semanage login --modify --range s2:c100 john
37. To fix the label on the user's home directory (if needed): # chcon -R -l s2:c100 /home/john
38. View the current categories: # chcat -L
39. To modify the categories or start creating your own, edit the following file:
/etc/selinux/<selinuxtype>/setrans.conf
40. To run a command or script in a specific file, role, and user context:
# runcon -t initrc_t -r system_r -u user_u yourcommandhere
-t is the file context
-r is the role context
-u is the user context
41. Running containers with SELinux disabled:
- Podman:
# podman run --security-opt label=disable …
- Docker:
# docker run --security-opt label=disable …
42. If you need to give a container full access to the system:
- Podman:
# podman run --privileged …
- Docker:
# docker run --privileged …
And now you know the answers. So please: don't panic, and enable SELinux.
Links:
SELinux by Dan Walsh
Your visual how-to guide for SELinux policy enforcement by Dan Walsh
Security Enhanced Linux for mere mortals by Thomas Cameron
The SELinux Coloring Book by Máirín Duffy
SELinux User's and Administrator's Guide - Red Hat Enterprise Linux 7
Source: www.hab.com