Linux security systems

One of the reasons for the outstanding success of the Linux OS on embedded devices, mobile devices and servers is the security of the kernel, its related services and its applications. But if you look closely at the architecture of the Linux kernel, it is not easy to find a block in it that is responsible for security as such. Where is the Linux security subsystem hiding, and what does it consist of?

History of Linux Security Modules and SELinux

Security Enhanced Linux is a set of rules and access mechanisms based on the mandatory and role-based access models, designed to protect Linux systems from potential threats and to fix the shortcomings of Discretionary Access Control (DAC), the traditional Unix security mechanism. The project originated in the bowels of the US National Security Agency, and the contractors Secure Computing Corporation and MITRE, together with several research laboratories, were directly involved in its development.

Linux Security Modules

Linus Torvalds made a number of comments on the NSA's new developments so that they could be included in the main branch of the Linux kernel. He described a general environment, with a set of interceptors for controlling operations on objects and a set of protective fields in kernel data structures for storing the corresponding attributes. This environment could then be used by loadable kernel modules to implement whatever security model was desired. LSM entered the Linux kernel with v2.6 in 2003.

The LSM framework consists of guard fields in data structures and calls to interceptor functions at critical points in the kernel code, which manipulate those fields and perform access control. It also adds functionality for registering security modules. The /sys/kernel/security/lsm interface contains a list of the modules active on the system. LSM hooks are stored in lists that are called in the order specified in CONFIG_LSM. Detailed documentation on the hooks is in the include/linux/lsm_hooks.h header file.

The LSM subsystem made it possible to complete the full integration of SELinux into the same stable Linux kernel v2.6. Almost immediately, SELinux became the de facto standard for a secure Linux environment and became part of the most popular distributions: RedHat Enterprise Linux, Fedora, Debian, Ubuntu.

Glossary

  • Identity - SELinux users are not the same as regular Unix/Linux user ids; they can coexist on the same system, but they are completely different in nature. Each standard Linux account can correspond to one or more SELinux users. The SELinux identity is part of the overall security context that determines which domains you can and cannot enter.
  • Domains - In SELinux, a domain is the execution context of a subject, i.e. a process. The domain directly defines the accesses a process has. A domain is essentially a list of what processes can do, or what actions a process can perform on different types. Some examples of domains are sysadm_t for system administration and user_t, which is the domain of an ordinary unprivileged user. The init system runs in the init_t domain, and the named process runs in the named_t domain.
  • Roles - Something that acts as an intermediary between domains and SELinux users. Roles define which domains a user can enter and which object types the user can access. This access control mechanism protects against the threat of privilege escalation attacks. Roles are written into the Role-Based Access Control (RBAC) security policy used in SELinux.
  • Types - A Type Enforcement attribute that is assigned to an object and determines who can access it. It is similar to the definition of a domain, except that a domain applies to processes, while a type applies to objects such as directories, files, sockets, etc.
  • Subjects and objects - Processes are subjects and run in a specific context, or security domain. Operating system resources: files, directories, sockets, etc., are objects that are assigned a certain type, in other words a confidentiality level.
  • SELinux Policy - SELinux uses a variety of policies to protect the system. The SELinux policy defines the access of users to roles, of roles to domains, and of domains to types. First, the user is authorized to obtain a role, then the role is authorized to access domains. Finally, a domain can only access certain types of objects.

LSM and SELinux architecture

Despite the name, LSMs are generally not loadable Linux modules. Instead, like SELinux, an LSM is built directly into the kernel. Any change to the LSM source code requires compiling a new kernel. The corresponding option must be enabled in the kernel configuration, otherwise the LSM code will not be activated after boot. But even in that case, it can be enabled by an OS bootloader option.

Stack of LSM checks

LSM is equipped with hooks in the core kernel functions that may be relevant for checks. One of the main features of LSMs is that they are stacked. The traditional checks are still performed, and each LSM layer only adds further controls and restrictions. This means that a denial cannot be rolled back. This is shown in the figure: if the result of the usual DAC checks is a failure, the request does not even reach the LSM hooks.

SELinux adopted the Flask security architecture from the Fluke research operating system, in particular the principle of least privilege. The essence of this concept, as its name suggests, is to grant a user or process only those rights that are necessary to perform the intended actions. This principle is implemented through type enforcement, so SELinux access control is based on the domain => type model.

Thanks to type enforcement, SELinux can control access much more finely than the traditional DAC model used in Unix/Linux operating systems. For example, you can restrict the network port on which the ftp server will listen, or allow writing and modifying files in a certain folder but not deleting them.

The main components of SELinux are:

  • Policy Enforcement Server - The main mechanism for organizing access control.
  • Security policy database.
  • Interaction with the LSM event interceptor.
  • Selinuxfs - A pseudo-FS, like /proc, mounted at /sys/fs/selinux. It is populated dynamically by the Linux kernel at runtime and contains files holding SELinux status information.
  • Access Vector Cache - An auxiliary mechanism for improving performance.

How SELinux works

All of this works as follows.

  1. A subject, in SELinux terms, performs an action permitted by the DAC checks on an object, as shown in the figure above. This request to perform the action goes to the LSM event interceptor.
  2. From there, the request, together with the security contexts of the subject and the object, is passed to the SELinux Abstraction and Hook Logic module, which is responsible for interacting with LSM.
  3. The Policy Enforcement Server is the decision maker for access to the object, and it receives the data from SELinux AnHL.
  4. To decide whether to allow or deny access, the Policy Enforcement Server consults the caching subsystem for the most frequently used rules, the Access Vector Cache (AVC).
  5. If no decision for the corresponding rule is found in the cache, the request is forwarded to the security policy database.
  6. The lookup result from the database and the AVC is returned to the Policy Enforcement Server.
  7. If the policy found matches the requested action, the operation is allowed. Otherwise, the operation is denied.

Managing SELinux Settings

SELinux works in one of three modes:

  • Enforcing - Strict enforcement of the security policies.
  • Permissive - Violations of the restrictions are allowed, and a corresponding entry is written to the log.
  • Disabled - The security policies are not in effect.

You can see which SELinux mode is active with the following command.

[admin@server ~]$ getenforce
Permissive

To change the mode until the next reboot, for example to set it to enforcing, pass enforcing or 1. Permissive mode corresponds to the numeric value 0.

[admin@server ~]$ setenforce enforcing
[admin@server ~]$ setenforce 1   # the same thing

You can also change the mode by editing the configuration file:

[admin@server ~]$ cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.

SELINUXTYPE=targeted

The difference from setenforce is that when the operating system boots, the SELinux mode is set according to the value of the SELINUX parameter in the configuration file. In addition, switching between enforcing and disabled is only possible by editing the /etc/selinux/config file followed by a reboot.

View the status report:

[admin@server ~]$ sestatus

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
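The two lines "Current mode" and "Mode from config file" in the output above are the ones that drift apart after a setenforce call. As an added example (not code from the original article), the following script reads the boot-time mode from a file in /etc/selinux/config format, reads the running mode from sestatus-style output, and reports whether they agree; both inputs are constructed samples, so it runs on a machine without SELinux.

```shell
#!/bin/sh
# Added example (not from the original article): compare the SELINUX= value
# of a config file with the running mode reported by sestatus. A mismatch
# means the runtime state was changed with setenforce (or a boot override)
# and will not survive a reboot. The config and sestatus texts below are
# constructed samples.

# Extract SELINUX= from a config file, skipping comment lines and tolerating
# spaces around '=' (the stock file has none, but hand edits often add them).
config_mode() {
    # $1 = path to config file
    sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Extract the value of a "Key: value" line from sestatus output held in a file.
sestatus_value() {
    # $1 = file with sestatus output, $2 = key (e.g. "Current mode")
    sed -n "s/^$2:[[:space:]]*//p" "$1"
}

# Normalize the spellings accepted by setenforce to the config-file spelling.
normalize_mode() {
    case "$1" in
        1|[Ee]nforcing)  echo enforcing ;;
        0|[Pp]ermissive) echo permissive ;;
        [Dd]isabled)     echo disabled ;;
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Print "ok" when config and runtime agree, "drift" otherwise.
mode_drift() {
    # $1 = mode from config file, $2 = current mode
    if [ "$(normalize_mode "$1")" = "$(normalize_mode "$2")" ]; then
        echo ok
    else
        echo drift
    fi
}

# --- constructed sample data, shaped like the outputs shown in the article ---
tmpdir=$(mktemp -d)
cat > "$tmpdir/config" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
cat > "$tmpdir/sestatus" <<'EOF'
SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
EOF

cfg=$(config_mode "$tmpdir/config")
cur=$(sestatus_value "$tmpdir/sestatus" 'Current mode')
echo "config file: $cfg"
echo "running:     $cur"
echo "state:       $(mode_drift "$cfg" "$cur")"   # prints "drift" for this sample
rm -rf "$tmpdir"
```

On a real host you would replace the two constructed files with /etc/selinux/config and the output of sestatus; the functions themselves do not change.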

To view SELinux attributes, some utilities accept the -Z option.

[admin@server ~]$ ls -lZ /var/log/httpd/
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20200920
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20200927
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20201004
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20201011
[admin@server ~]$ ps -u apache -Z
LABEL                             PID TTY          TIME CMD
system_u:system_r:httpd_t:s0     2914 ?        00:00:04 httpd
system_u:system_r:httpd_t:s0     2915 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2916 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2917 ?        00:00:00 httpd
...
system_u:system_r:httpd_t:s0     2918 ?        00:00:00 httpd

Compared to the usual ls -l output, there is one additional field, in the following format:

<user>:<role>:<type>:<level>

The last field denotes something like a security classification and consists of a combination of two elements:

  • s0 - the sensitivity, which may also be written as an interval low-high
  • c0, c1 ... c1023 - the categories.
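As an added example (not code from the original article), the helper below splits a context string into the four fields just described and decomposes the level into its low and high sensitivity and its category set. The sample contexts are constructed to match the shape of the ls -lZ and ps -Z output above; the level field is taken from the fourth field onward because it may itself contain a colon.

```shell
#!/bin/sh
# Added example (not from the original article): parse an SELinux security
# context "<user>:<role>:<type>:<level>" and the MLS/MCS level inside it.
# Sample contexts are constructed from the outputs shown in the article.

# Print one field of a context: 1=user 2=role 3=type 4=level (first part).
context_field() {
    # $1 = context string, $2 = field number
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# The level may contain ':' ("s0-s0:c0.c1023"), so take field 4 onward.
context_level() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# Low sensitivity: "s0-s0:c0.c1023" -> "s0", "s0" -> "s0"
level_low() {
    printf '%s\n' "$1" | sed 's/:.*//; s/-.*//'
}

# High sensitivity: "s0-s15:c0.c1023" -> "s15"; a single level is its own high.
level_high() {
    sens=$(printf '%s\n' "$1" | sed 's/:.*//')
    case "$sens" in
        *-*) printf '%s\n' "${sens#*-}" ;;
        *)   printf '%s\n' "$sens" ;;
    esac
}

# Categories: "s0-s0:c0.c1023" -> "c0.c1023"; a level without ':' has none.
level_cats() {
    case "$1" in
        *:*) printf '%s\n' "${1#*:}" ;;
        *)   printf '\n' ;;
    esac
}

# One-line description of a context, e.g. for a quick review of process labels.
describe_context() {
    ctx="$1"
    lvl=$(context_level "$ctx")
    printf 'user=%s role=%s type=%s sens=%s..%s cats=%s\n' \
        "$(context_field "$ctx" 1)" "$(context_field "$ctx" 2)" \
        "$(context_field "$ctx" 3)" "$(level_low "$lvl")" \
        "$(level_high "$lvl")" "$(level_cats "$lvl")"
}

# Constructed sample input.
describe_context 'system_u:object_r:httpd_log_t:s0'
describe_context 'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
```

Fed with the LABEL column of `ps -eZ`, the same functions give a quick inventory of which domains are actually running, which is a useful first check before touching any policy.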

Changing the access configuration

Use semodule to load SELinux modules, and to enable, disable and remove them.

[admin@server ~]$ semodule -l | wc -l   # list of all modules
408
[admin@server ~]$ semodule -e abrt      # enable - activate the module
[admin@server ~]$ semodule -d accountsd # disable - deactivate the module
[admin@server ~]$ semodule -r avahi     # remove - delete the module

The first semanage login command maps an SELinux user to an operating system user, the second lists the mappings. Finally, the last command, with the -d switch, removes the mapping of an SELinux user to an OS account. The syntax of the MLS/MCS Range values is described in the previous section.

[admin@server ~]$ semanage login -a -s user_u karol
[admin@server ~]$ semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
[admin@server ~]$ semanage login -d karol

The semanage user command is used to manage the mapping between SELinux users and roles.

[admin@server ~]$ semanage user -l
                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range             SELinux Roles
guest_u         user       s0         s0                    guest_r
staff_u         staff      s0         s0-s0:c0.c1023        staff_r sysadm_r
...
user_u          user       s0         s0                    user_r
xguest_u        user       s0         s0                    xguest_r
[admin@server ~]$ semanage user -a -R 'staff_r user_r' test_u
[admin@server ~]$ semanage user -d test_u

Command parameters:

  • -a add a custom role mapping entry;
  • -l list the mapped users and roles;
  • -d delete a custom role mapping entry;
  • -R the list of roles associated with the user.

Files, ports and booleans

Each SELinux module ships with a set of file labeling rules, but you can add your own rules if needed. For example, suppose we want the web server to have access to the /srv/www folder.

[admin@server ~]$ semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"
[admin@server ~]$ restorecon -R /srv/www/

The first command registers the new labeling rule, and the second resets, or rather applies, the file types according to the current rules.
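The pattern passed to semanage fcontext is a regular expression that the labeling engine anchors at both ends, which is why the "(/.*)?" tail is needed to cover the directory and everything below it. As an added example (not code from the original article), the helper below anchors a pattern the same way and reports which constructed paths it would label; note that a sibling such as /srv/wwwold is not matched.

```shell
#!/bin/sh
# Added example (not from the original article): check which paths an
# fcontext pattern such as "/srv/www(/.*)?" will match. The labeling engine
# treats the pattern as a regular expression anchored at both ends, so the
# helper does the same. The sample paths are constructed.

# $1 = fcontext pattern, $2 = path to test; prints "match" or "no match"
fcontext_matches() {
    if printf '%s\n' "$2" | grep -Eq "^$1\$"; then
        echo match
    else
        echo "no match"
    fi
}

# Constructed sample paths: the directory itself, files below it, and two
# siblings that share the prefix but must not receive the label.
for p in /srv/www /srv/www/index.html /srv/www/app/static/site.css \
         /srv/wwwold /srv/www2/index.html; do
    printf '%-34s %s\n' "$p" "$(fcontext_matches '/srv/www(/.*)?' "$p")"
done
```

Running it before restorecon is a cheap way to confirm that a new rule will neither miss the files you care about nor spill over onto neighbouring directories.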

Likewise, TCP/UDP ports are labeled so that only the appropriate services can listen on them. For example, to let the web server listen on port 8080, you need to run a single command.

[admin@server ~]$ semanage port -m -t http_port_t -p tcp 8080

A significant number of SELinux modules have parameters that take a boolean value. The full list of such parameters can be seen with getsebool -a. Boolean values can be changed with setsebool.

[admin@server ~]$ getsebool httpd_enable_cgi
httpd_enable_cgi --> on
[admin@server ~]$ setsebool -P httpd_enable_cgi off
[admin@server ~]$ getsebool httpd_enable_cgi
httpd_enable_cgi --> off

Practice: accessing the pgadmin web interface

Consider an example from practice: we installed pgadmin4-web on RHEL 7.6 to manage a PostgreSQL database. We went through a small quest configuring pg_hba.conf, postgresql.conf and config_local.py, setting permissions on folders, and installing the missing Python modules from pip. Everything is ready, we start it and get a 500 Internal Server Error.


We start with the usual suspect and check /var/log/httpd/error_log. There are some interesting entries there.

[timestamp] [core:notice] [pid 23689] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
...
[timestamp] [wsgi:error] [pid 23690] [Errno 13] Permission denied: '/var/lib/pgadmin'
[timestamp] [wsgi:error] [pid 23690] [timestamp] [wsgi:error] [pid 23690] HINT : You may need to manually set the permissions on
[timestamp] [wsgi:error] [pid 23690] /var/lib/pgadmin to allow apache to write to it.

At this point, most Linux administrators will be tempted to run setenforce 0 and be done with it. To be honest, that is what I did the first time. This is, of course, also a way out, but far from the best one.

Despite its uneasy design, SELinux can be quite user-friendly. Just install the setroubleshoot package and look at the system log.

[admin@server ~]$ yum install setroubleshoot
[admin@server ~]$ journalctl -b -0
[admin@server ~]$ service auditd restart

Note that the audit service has to be restarted this way, not with systemctl, even though the OS has systemd. The system log will then show not only the fact that something was blocked, but also the reason and the way to lift the restriction.


We run these commands:

[admin@server ~]$ setsebool -P httpd_can_network_connect 1
[admin@server ~]$ setsebool -P httpd_can_network_connect_db 1

We check access to the pgadmin4-web page; everything works.
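What setroubleshoot explains in prose is derived from the AVC records that auditd writes. As an added example (not code from the original article), the script below reads audit.log-style records and prints, for each denial, the source domain, the permission, the target type and object class, and whether the kernel was enforcing at the time; that is exactly the information needed to decide whether a boolean, a file label or a port label is the right fix. The records are constructed samples shaped like the pgadmin failure above; the target types in them are illustrative.

```shell
#!/bin/sh
# Added example (not from the original article): summarize SELinux AVC
# denials from audit.log-style records. The sample records are constructed;
# the pid matches the error_log excerpt above, the types are illustrative.

# Read audit records on stdin and print one summary line per AVC denial:
#   <source type>(<comm>) denied <perms> on <target type>:<class> [mode]
summarize_avc() {
    grep 'avc:  denied' | while IFS= read -r line; do
        # permissions inside "{ ... }", joined with commas if there are several
        perms=$(printf '%s\n' "$line" | sed 's/.*denied *{ *\([^}]*\)}.*/\1/; s/ *$//; s/  */,/g')
        comm=$(printf '%s\n' "$line" | sed -n 's/.*comm="\([^"]*\)".*/\1/p')
        # third colon-separated field of scontext/tcontext is the type
        stype=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
        ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
        tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
        case "$line" in
            *permissive=1*) mode=permissive ;;
            *)              mode=enforcing ;;
        esac
        printf '%s(%s) denied %s on %s:%s [%s]\n' \
            "$stype" "$comm" "$perms" "$ttype" "$tclass" "$mode"
    done
}

# Count denials per source domain: one "<type> <count>" line per domain.
denials_by_domain() {
    summarize_avc | cut -d'(' -f1 | sort | uniq -c | awk '{print $2, $1}'
}

# Constructed sample records (not real output from the article's server).
AVC_SAMPLE='type=AVC msg=audit(1602000000.123:456): avc:  denied  { write } for  pid=23690 comm="httpd" name="pgadmin" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1602000000.123:456): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1602000001.456:457): avc:  denied  { name_connect } for  pid=23690 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0'

printf '%s\n' "$AVC_SAMPLE" | summarize_avc
printf '%s\n' "$AVC_SAMPLE" | denials_by_domain
```

The second sample record is the shape a blocked database connection takes: httpd_t denied name_connect on a tcp_socket labeled postgresql_port_t, which is what the httpd_can_network_connect_db boolean set above permits. Reading the denial first, and only then choosing the narrowest change that resolves it, is the alternative to setenforce 0.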


Source: www.hab.com
