Mpempe akwụkwọ aghụghọ SELinux maka ndị na-ahụ maka sistemụ: 42 azịza ajụjụ ndị dị mkpa

A haziri nsụgharị nke isiokwu ahụ kpọmkwem maka ụmụ akwụkwọ nke usoro ahụ "Onye nchịkwa Linux".

N'ebe a, ị ga-enweta azịza nye ajụjụ ndị dị mkpa gbasara ndụ, eluigwe na ala na ihe niile dị na Linux nwere nchekwa dị mma.

"Eziokwu dị mkpa na ọ bụghị mgbe niile ka ọ dị ka ọ bụ ihe ọmụma nkịtị..."

- Douglas Adams, Ntuziaka Hitchhiker na Galaxy

Nchekwa. Enwekwu ntụkwasị obi. Nkwekọrịta. Iwu. Ndị na-agba ịnyịnya anọ nke apocalypse sysadmin. Na mgbakwunye na ọrụ anyị kwa ụbọchị - nlekota oru, nkwado ndabere na mpaghara, mmejuputa iwu, nhazi, imelite, wdg - anyị na-ahụ maka nchekwa nke usoro anyị. Ọbụna sistemu ndị ahụ ebe onye na-eweta ndị ọzọ na-atụ aro ka anyị gbanyụọ nchekwa emelitere. Ọ dị ka ọrụ Ethan Hunt sitere na "Ezigbo: agaghị ekwe omume."

N'ịnọgide na nsogbu a chere, ụfọdụ ndị na-ahụ maka sistemụ na-ekpebi ime ọgwụ na-acha anụnụ anụnụ, n'ihi na ha chere na ha agaghị ama azịza nke nnukwu ajụjụ nke ndụ, eluigwe na ala na ihe niile. Ma dị ka anyị niile maara, azịza ya bụ 42.

N'ime mmụọ nke The Hitchhiker's Guide to the Galaxy, ebe a bụ azịza 42 maka ajụjụ dị mkpa gbasara njikwa na ojiji. SELinux na sistemụ gị.

1. SELinux bụ usoro njikwa ikike nke mmanye, nke pụtara na usoro ọ bụla nwere akara. Faịlụ ọ bụla, akwụkwọ ndekọ aha na ihe sistemụ nwekwara akara. Iwu iwu na-achịkwa ohere n'etiti usoro mkpado na ihe. kernel na-akwado iwu ndị a.

2. Echiche abụọ kachasị mkpa bụ: Na-ede aha - akara (faịlụ, usoro, ọdụ ụgbọ mmiri, wdg) na Ụdị mmanye (nke na-ekewapụta usoro site na ibe ya dabere na ụdị).

3. Usoro akara ziri ezi user:role:type:level (nhọrọ).

4. Ebumnuche nke inye nchekwa nchekwa ọtụtụ ọkwa (Nchekwa ọtụtụ ọkwa - MLS) bụ ijikwa usoro (ngalaba) dabere na ọkwa nchekwa nke data ha ga-eji. Dịka ọmụmaatụ, usoro nzuzo enweghị ike ịgụ data nzuzo kacha elu.

5. Na-ahụ maka nchekwa nke ọtụtụ ụdị (Nchekwa ọtụtụ ụdị - MCS) na-echebe usoro ndị yiri ya site na ibe ya (dịka ọmụmaatụ, igwe mebere, igwe OpenShift, igbe ájá SELinux, igbe, wdg).

6. Nhọrọ kernel maka ịgbanwe ụdị SELinux na buut:

• autorelabel=1 → na-eme ka sistemụ na-agba ọsọ relabeling
• selinux=0 → kernel anaghị ebu akụrụngwa SELinux
• enforcing=0 → na-ebunye n'ụdị ikike

7. Ọ bụrụ na ịchọrọ ịmegharị sistemụ ahụ niile:

# touch /.autorelabel
#reboot

Ọ bụrụ na akara sistemụ nwere ọtụtụ mperi, ị nwere ike ịbuba n'ụdị ikike maka ikwu okwu ka ọ gaa nke ọma.

8. Iji lelee ma agbanyere SELinux: # getenforce

9. Iji gbanye/ gbanyụọ SELinux nwa oge: # setenforce [1|0]

10. Lelee ọkwa SELinux: # sestatus

11. Faịlụ nhazi: /etc/selinux/config

12. Kedu ka SELinux si arụ ọrụ? Nke a bụ akara ngosi maka sava weebụ Apache:

• Nnọchite anya ọnụọgụ abụọ: /usr/sbin/httpd→httpd_exec_t
• Ndekọ nhazi: /etc/httpd→httpd_config_t
• Ndekọ faịlụ ndekọ: /var/log/httpd → httpd_log_t
• Ndekọ ọdịnaya: /var/www/html → httpd_sys_content_t
• Edemede mmalite: /usr/lib/systemd/system/httpd.service → httpd_unit_file_d
• Usoro: /usr/sbin/httpd -DFOREGROUND → httpd_t
• ọdụ ụgbọ mmiri: 80/tcp, 443/tcp → httpd_t, http_port_t

Usoro na-agba ọsọ na gburugburu httpd_t, nwere ike imekọrịta ihe na ihe akpọrọ httpd_something_t.

13. Ọtụtụ iwu na-anabata arụmụka -Z ilele, mepụta na gbanwee ọnọdụ:

• ls -Z
• id -Z
• ps -Z
• netstat -Z
• cp -Z
• mkdir -Z

A na-ehiwe ọnọdụ mgbe emepụtara faịlụ dabere na ọnọdụ ndekọ ndekọ aha nne na nna ha (na ụfọdụ ewepụrụ). RPM nwere ike guzobe ọnọdụ dịka n'oge ntinye.

14. Enwere isi ihe anọ kpatara njehie SELinux, nke akọwara n'ụzọ zuru ezu na isi 15-21 n'okpuru:

• Okwu mkpado
• N'ihi ihe SELinux kwesịrị ịma
• Njehie na amụma/ngwa SELinux
• Enwere ike imebi ozi gị

15. Nsogbu ịde aha: ọ bụrụ na faịlụ gị dị /srv/myweb akara na ezighi ezi, enwere ike ịgọnarị ohere. Lee ụzọ ụfọdụ isi dozie nke a:

• Ọ bụrụ na ị maara akara:
  # semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
• Ọ bụrụ na ị maara faịlụ nwere akara dakọtara:
  # semanage fcontext -a -e /srv/myweb /var/www
• Iweghachi ihe gbara ya gburugburu (maka ikpe abụọ):
  # restorecon -vR /srv/myweb

16. Nsogbu ịde aha: ọ bụrụ na ị bugharịa faịlụ ahụ kama iṅomi ya, faịlụ ahụ ga-ejigide ọnọdụ mbụ ya. Iji dozie nsogbu a:

• Jiri akara jiri gbanwee iwu okirikiri:
  # chcon -t httpd_system_content_t /var/www/html/index.html
• Jiri akara njikọ gbanwee iwu okirikiri:
  # chcon --reference /var/www/html/ /var/www/html/index.html
• Weghachite ihe gbara ya gburugburu (maka ikpe abụọ ahụ): # restorecon -vR /var/www/html/

17. ma ọ bụrụ na SELinux ịkwesịrị ịmana HTTPD na-ege ntị na ọdụ ụgbọ mmiri 8585, gwa SELinux:

# semanage port -a -t http_port_t -p tcp 8585

18. SELinux ịkwesịrị ịma Ụkpụrụ Boolean nke na-enye ohere ịgbanwe akụkụ nke amụma SELinux n'oge oge na-enweghị ihe ọmụma nke iwu SELinux na-edegharị. Dịka ọmụmaatụ, ọ bụrụ na ịchọrọ httpd izipu email, tinye: # setsebool -P httpd_can_sendmail 1

19. SELinux ịkwesịrị ịma ụkpụrụ ezi uche dị na ya iji mee ka / gbanyụọ ntọala SELinux:

• Ka ịhụ ụkpụrụ boolean niile: # getsebool -a
• Ka ịhụ nkọwa nke ọ bụla: # semanage boolean -l
• Iji tọọ uru boolean: # setsebool [_boolean_] [1|0]
• Maka nrụnye na-adịgide adịgide, tinye -P. Dịka ọmụmaatụ: # setsebool httpd_enable_ftp_server 1 -P

20. Amụma/ngwa SELinux nwere ike ịnwe mperi, gụnyere:

• Ụzọ koodu na-adịghị ahụkebe
• Nhazi
• stdout na-atụgharị
• Ihe nkọwa faịlụ na-agbapụta
• Ebe nchekwa enwere ike ime
• Ọbá akwụkwọ ndị arụrụghị nke ọma

Tiketi mepere emepe (enyefela akụkọ na Bugzilla; Bugzilla enweghị SLA).

21. Enwere ike imebi ozi gịọ bụrụ na ị nwere amachibidoro ngalaba na-agbalị:

• Bulite modul kernel
• Gbanyụọ ọnọdụ SELinux amanye
• Dee na etc_t/shadow_t
• Gbanwee iwu iptables

22. Ngwa SELinux maka ịmepụta modul amụma:

# yum -y install setroubleshoot setroubleshoot-server

Malitegharịa ekwentị ma ọ bụ malitegharịa auditd mgbe echichi.

23. Jiri

journalctl

iji gosipụta ndepụta ndekọ niile metụtara setroubleshoot:

# journalctl -t setroubleshoot --since=14:20

24. Jiri journalctl iji depụta ndekọ niile metụtara otu mkpado SELinux. Ọmụmaatụ:

# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0

25. Ọ bụrụ na njehie SELinux emee, jiri ndekọ setroubleshoot na-enye ọtụtụ ngwọta nwere ike ime.
Dịka ọmụmaatụ, site na journalctl:

Jun 14 19:41:07 web1 setroubleshoot: SELinux is preventing httpd from getattr access on the file /var/www/html/index.html. For complete message run: sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e

# sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e
SELinux is preventing httpd from getattr access on the file /var/www/html/index.html.

***** Plugin restorecon (99.5 confidence) suggests ************************

If you want to fix the label,
/var/www/html/index.html default label should be httpd_syscontent_t.
Then you can restorecon.
Do
# /sbin/restorecon -v /var/www/html/index.html

26. Ịbanye: SELinux na-edekọ ozi n'ọtụtụ ebe:

• / var / log / ozi
• /var/log/audit/audit.log
• /var/lib/setroubleshoot/setroubleshoot_database.xml

27. Nbanye: na-achọ njehie SELinux na ndekọ nyocha:

# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today

28. Ịchọta ozi SELinux Access Vector Cache (AVC) maka otu ọrụ:

# ausearch -m avc -c httpd

29. Ịbara uru audit2allow na-anakọta ozi site na ndekọ nke arụmọrụ amachibidoro wee mepụta iwu ikike ikike SELinux. Ọmụmaatụ:

• Iji mepụta nkọwa mmadụ nwere ike ịgụ maka ihe kpatara anabataghị ohere: # audit2allow -w -a
• Ka ilele ụdị iwu mmanye na-enye ohere ị nwetaghị: # audit2allow -a
• Iji mepụta modul omenala: # audit2allow -a -M mypolicy
• Nhọrọ -M jiri aha a kapịrị ọnụ mepụta ụdị faịlụ mmanye (.te) wee chịkọta iwu n'ime ngwugwu amụma (.pp): mypolicy.pp mypolicy.te
• Iji wụnye modul omenala: # semodule -i mypolicy.pp

30. Iji hazie usoro dị iche (ngalaba) ka ọ rụọ ọrụ na ọnọdụ ikike: # semanage permissive -a httpd_t

31. Ọ bụrụ na ịchọghịzi ka ngalaba ahụ nwee ikike: # semanage permissive -d httpd_t

32. Iji gbanyụọ ngalaba niile anabatara: # semodule -d permissivedomains

33. Na-enyere MLS SELinux amụma: # yum install selinux-policy-mls
в /etc/selinux/config:

SELINUX=permissive
SELINUXTYPE=mls

Gbaa mbọ hụ na SELinux na-agba ọsọ na ọnọdụ ikike: # setenforce 0
Jiri edemede fixfilesiji hụ na a na-edegharị faịlụ ndị ahụ na nrụgharị ọzọ:

# fixfiles -F onboot # reboot

34. Mepụta onye ọrụ nwere oke MLS: # useradd -Z staff_u john

Iji iwu useradd, maapụ onye ọrụ ọhụrụ maka onye ọrụ SELinux dị adị (n'ọnọdụ a, staff_u).

35. Ka ilele maapụ n'etiti ndị ọrụ SELinux na Linux: # semanage login -l

36. Kọwaa otu oke maka onye ọrụ: # semanage login --modify --range s2:c100 john

37. Iji dozie akara ndekọ ụlọ onye ọrụ (ọ bụrụ na ọ dị mkpa): # chcon -R -l s2:c100 /home/john

38. Ka ilele ngalaba dị ugbu a: # chcat -L

39. Ka ịgbanwee edemede ma ọ bụ malite ịmepụta nke gị, dezie faịlụ dị ka ndị a:

/etc/selinux/_<selinuxtype>_/setrans.conf

40. Iji mee iwu ma ọ bụ edemede n'otu faịlụ, ọrụ, na ọnọdụ onye ọrụ:

# runcon -t initrc_t -r system_r -u user_u yourcommandhere

• -t onodu faịlụ
• -r ọnọdụ ọrụ
• -u gburugburu onye ọrụ

41. Ngwunye akpa na SELinux na-agba ọsọ:

• Podman: # podman run --security-opt label=disable …
• Docker: # docker run --security-opt label=disable …

42. Ọ bụrụ na ịchọrọ ịnye akpa ahụ ohere zuru ezu na sistemụ:

• Podman: # podman run --privileged …
• Docker: # docker run --privileged …

Ma ugbu a, ị maraworị azịza ya. Yabụ biko: atụla ụjọ wee mee ka SELinux rụọ ọrụ.

Ntughari:

• SELinux by Dan Walsh
• Otu esi eduzi anya gị maka mmanye iwu SELinux nke Dan Walsh dere
• Nchekwa Linux emelitere maka mmadụ nkịtị by Ọ bụ Thomas Cameron
• Akwụkwọ agba agba SELinux by Mairín Duffy
• Ntuziaka onye ọrụ SELinux na onye nchịkwa — Red Hat Enterprise Linux 7

isi: www.habr.com