Linux security subsystem

One of the reasons for the great success of the Linux OS on embedded and mobile devices and on servers is the fairly high degree of security of the kernel, its services and the related applications. But if you look closely at the architecture of the Linux kernel, you will not find a block in it that is responsible for security as such. So where is the Linux security subsystem hiding, and what does it consist of?

Background on Linux Security Modules and SELinux

Security Enhanced Linux is a set of rules and an access mechanism based on the mandatory and role-based access models, designed to protect Linux systems from potential threats and to fix the shortcomings of Discretionary Access Control (DAC), the traditional Unix security model. The project was born inside the US National Security Agency; it was developed directly by the contractors Secure Computing Corporation and MITRE, together with a number of research laboratories.

(Figure: Linux Security Modules)

Linus Torvalds made a number of comments on the new NSA developments so that they could be included in the mainline Linux kernel. He described a general framework with a set of interceptors to control operations on objects and some protective fields in kernel data structures to store the corresponding attributes. This framework can then be used by loadable kernel modules to implement any desired security model. LSM entered the Linux kernel in v2.6 in 2003.

The LSM framework includes guard fields in data structures and calls to interceptor (hook) functions at critical points in the kernel code, which manipulate those fields and perform access control. It also adds functionality for registering security modules. The /sys/kernel/security/lsm interface contains the list of modules active on the system. LSM hooks are stored in lists that are called in the order specified by CONFIG_LSM. Detailed documentation on the hooks is included in the header file include/linux/lsm_hooks.h.

The LSM subsystem made it possible to complete the full integration of SELinux with the same stable version of the Linux kernel, v2.6. Almost immediately, SELinux became the de facto standard for a secured Linux environment and was included in the most popular distributions: RedHat Enterprise Linux, Fedora, Debian, Ubuntu.

SELinux glossary

  • Identity - A SELinux user is not the same as the usual Unix/Linux user; they can coexist on the same system but are essentially different. Each standard Linux account can correspond to one or more SELinux users. The SELinux identity is part of the overall security context, which determines which domains you can and cannot enter.
  • Domain - In SELinux, a domain is the execution context of a subject, i.e. a process. The domain directly determines the access that a process has. A domain is essentially a list of what a process can do, or which actions a process can perform on the various types. Some examples of domains are sysadm_t for system administration, and user_t, which is the unprivileged user domain. The init system runs in the init_t domain, and the named process runs in the named_t domain.
  • Role - Serves as an intermediary between domains and SELinux users. Roles determine which domains a user can be in and which object types they can access. This access control mechanism prevents privilege escalation attacks. Roles are written into the Role Based Access Control (RBAC) security model used in SELinux.
  • Type - A Type Enforcement attribute assigned to an object that determines who can access it. Similar to the definition of a domain, except that a domain applies to a process, while a type applies to objects such as directories, files, sockets, etc.
  • Subjects and objects - Processes are subjects and run in a specific context, or security domain. Operating system resources (files, directories, sockets, etc.) are objects, and each is assigned a certain type, in other words a privacy level.
  • SELinux policy - SELinux uses a variety of policies to protect the system. A SELinux policy defines the access of users to roles, of roles to domains, and of domains to types. First, the user is authorized to obtain a role, then the role is authorized to enter domains. Finally, a domain can access only certain types of objects.

LSM and SELinux architecture

Despite its name, LSM is generally not a loadable Linux module. Rather, like SELinux, it is built directly into the kernel. Any change to the LSM source code requires a new kernel build. The corresponding option must be enabled in the kernel configuration, otherwise the LSM code will not be activated after boot. But even in that case, it can be enabled through an OS bootloader option.

(Figure: overview of LSM checks)

LSM has hooks in the kernel functions that may be relevant for checks. One of the main properties of LSM is that the checks are stacked. Thus the standard checks are still performed, and each LSM layer only adds further controls and restrictions. This means that a denial cannot be rolled back. This is shown in the figure: if the DAC check fails, the request does not even reach the LSM hooks.

SELinux adopts the Flask security architecture of the Fluke research operating system, in particular the principle of least privilege. The essence of this concept, as the name implies, is to give a user or process only those rights that are necessary to perform the required actions. This principle is implemented through type enforcement, so access control in SELinux is based on the domain => type model.

Thanks to type enforcement, SELinux has far greater access control capabilities than the traditional DAC model used in Unix/Linux operating systems. For example, you can restrict the network port number that an ftp server may bind to, or allow writing and modifying files in a certain directory but not deleting them.

The main components of SELinux are:

  • Policy Enforcement Server - The main mechanism for organizing access control.
  • Security policy database.
  • Interaction with the LSM event interceptor.
  • Selinuxfs - A pseudo-filesystem, like /proc, mounted at /sys/fs/selinux. It is populated by the Linux kernel at runtime and contains files with SELinux status information.
  • Access Vector Cache - An auxiliary mechanism for improving performance.

(Figure: how SELinux works)

It all works as follows.

  1. A subject, in SELinux terms, performs an action permitted by the DAC check on an object, as shown in the figure above. The request to perform the operation goes to the LSM event interceptor.
  2. From there, the request, together with the security contexts of the subject and the object, is passed to the SELinux Abstraction and Hook Logic module, which is responsible for interacting with LSM.
  3. The authority that decides on the subject's access to the object is the Policy Enforcement Server, and it receives its data from SELinux AnHL.
  4. To decide whether to allow or deny access, the Policy Enforcement Server turns to the Access Vector Cache (AVC) for the most frequently used rules.
  5. If a decision for the corresponding rule is not found in the cache, the request is passed to the security policy database.
  6. The result of the lookup from the database and the AVC is returned to the Policy Enforcement Server.
  7. If the rule found matches the requested action, the operation is allowed. Otherwise the operation is denied.

Managing SELinux settings

SELinux operates in one of three modes:

  • Enforcing - Strict adherence to the security policy.
  • Permissive - Violations of the restrictions are allowed; a corresponding entry is written to the log.
  • Disabled - The security policy is not active.

You can see which mode SELinux is in with the following command.

[admin@server ~]$ getenforce
Permissive

The mode can be changed until the next reboot, for example by setting it to enforcing, or 1. The permissive value corresponds to the numeric code 0.

[admin@server ~]$ setenforce enforcing
[admin@server ~]$ setenforce 1 # the same thing

You can also change the mode by editing the configuration file:

[admin@server ~]$ cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.

SELINUXTYPE=targeted

The difference from setenforce is that at boot the SELinux mode is set to the value of the SELINUX parameter in the configuration file. In addition, switching between enforcing and disabled (in either direction) only works by editing /etc/selinux/config followed by a reboot.

View a short status report:

[admin@server ~]$ sestatus

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
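The sestatus output above shows exactly the situation the previous paragraph warns about: the running mode is permissive while the config file says enforcing, so the host will change behaviour at the next boot. The following script is an added example, not part of the original article; it reads the SELINUX= value from a file in the /etc/selinux/config format and compares it with the mode reported by getenforce. The sample config it writes is constructed.

```shell
#!/bin/sh
# Added example (not part of the original article): detect drift between the
# SELinux mode a host is running in and the mode its config file will apply
# at the next boot (e.g. a "temporary" setenforce 0 that was never reverted,
# or a config edit that has not been followed by a reboot).

# config_mode FILE: print the effective SELINUX= value from FILE, lowercased.
# Comment lines are ignored; if the key appears several times the last
# assignment wins, as it does for the real file.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
        | tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# mode_drift RUNTIME FILE: RUNTIME is the output of getenforce
# (Enforcing/Permissive/Disabled). Prints "ok: ..." and returns 0 when the
# running mode matches FILE, otherwise prints a finding and returns 1.
mode_drift() {
    run=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    cfg=$(config_mode "$2")
    if [ "$run" = "$cfg" ]; then
        echo "ok: running $run, config $cfg"
        return 0
    fi
    case "$cfg" in
        disabled|enforcing|permissive) ;;
        *) echo "finding: invalid or missing SELINUX= value '$cfg' in $2"; return 1 ;;
    esac
    echo "finding: running $run but config says $cfg (takes effect at next boot)"
    return 1
}

# Constructed sample config (not copied from a host). The comment line that
# mentions "enforcing" must be ignored; only the real assignment counts.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

# Reproduce the case from the sestatus output: permissive now, enforcing in the file.
mode_drift Permissive "$SAMPLE_CFG" || true
rm -f "$SAMPLE_CFG"
```

On a real host the check is `mode_drift "$(getenforce)" /etc/selinux/config`; a non-zero exit is convenient for a periodic compliance job.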

To display SELinux attributes, some standard utilities accept the -Z option.

[admin@server ~]$ ls -lZ /var/log/httpd/
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20200920
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20200927
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20201004
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20201011
[admin@server ~]$ ps -u apache -Z
LABEL                             PID TTY          TIME CMD
system_u:system_r:httpd_t:s0     2914 ?        00:00:04 httpd
system_u:system_r:httpd_t:s0     2915 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2916 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2917 ?        00:00:00 httpd
...
system_u:system_r:httpd_t:s0     2918 ?        00:00:00 httpd

Compared with the usual ls -l output, there is an additional field in the following format:

<user>:<role>:<type>:<level>

The last part denotes something like a security classification and is made up of two elements:

  • s0 - sensitivity, also written as a low-high level range;
  • c0, c1 … c1023 - categories.
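The context format just described is what the -Z columns of ls and ps carry, and the level field may itself contain a colon (s0-s0:c0.c1023), so naive splitting on ':' breaks. The following script is an added example, not part of the original article: it splits a context into its four fields and uses that to find processes of a given command that run outside the expected domain (for instance an httpd started by hand from an unconfined shell, which the httpd_t rules therefore do not confine). The ps-style sample lines are constructed.

```shell
#!/bin/sh
# Added example (not part of the original article): parse SELinux security
# contexts of the form <user>:<role>:<type>:<level> and flag processes that
# are not running in the domain the policy intends for them.

# ctx_field CONTEXT N: print field N (1=user, 2=role, 3=type, 4=level).
# Only the first three ':' are separators; the remainder is the level,
# which may contain ':' itself (e.g. s0-s0:c0.c1023).
ctx_field() {
    ctx=$1
    case $2 in
        1) printf '%s\n' "${ctx%%:*}" ;;
        2) rest=${ctx#*:};   printf '%s\n' "${rest%%:*}" ;;
        3) rest=${ctx#*:*:}; printf '%s\n' "${rest%%:*}" ;;
        4) printf '%s\n' "${ctx#*:*:*:}" ;;
        *) return 1 ;;
    esac
}

# off_domain EXPECTED_TYPE CMD: read `ps -eZ`-style lines (LABEL PID TTY TIME
# CMD) on stdin and print "PID TYPE" for every CMD process whose type is not
# EXPECTED_TYPE. The header line is skipped because its CMD column is "CMD".
off_domain() {
    expected=$1
    cmd=$2
    while read -r label pid tty cputime name; do
        [ "$name" = "$cmd" ] || continue
        t=$(ctx_field "$label" 3)
        [ "$t" = "$expected" ] || printf '%s %s\n' "$pid" "$t"
    done
}

# Constructed sample in the layout of `ps -eZ` output (not captured from a
# host): two confined workers and one httpd running unconfined.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:httpd_t:s0     2914 ?        00:00:04 httpd
system_u:system_r:httpd_t:s0     2915 ?        00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4120 pts/0 00:00:00 httpd'

# sample_off_domain: run the check over the constructed sample
sample_off_domain() {
    printf '%s\n' "$SAMPLE_PS" | off_domain httpd_t httpd
}

sample_off_domain
```

On a live system the same check is `ps -eZ | off_domain httpd_t httpd`; any line it prints is a web server process that the SELinux policy for httpd is not confining.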

Changing the access configuration

Use semodule to load, enable and remove SELinux modules.

[admin@server ~]$ semodule -l |wc -l # list of all modules
408
[admin@server ~]$ semodule -e abrt # enable - activate the module
[admin@server ~]$ semodule -d accountsd # disable - deactivate the module
[admin@server ~]$ semodule -r avahi # remove - delete the module

The first semanage login command maps a SELinux user to an operating system user, the second displays the list of mappings. Finally, the last command, with the -d switch, removes the mapping between the SELinux user and the OS account. The syntax of the MLS/MCS values is explained in the previous section.

[admin@server ~]$ semanage login -a -s user_u karol
[admin@server ~]$ semanage login -l

Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
root unconfined_u s0-s0:c0.c1023 *
system_u system_u s0-s0:c0.c1023 *
[admin@server ~]$ semanage login -d karol

The semanage user command is used to manage the mapping between SELinux users and roles.

[admin@server ~]$ semanage user -l
                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range             SELinux Roles
guest_u         user       s0         s0                    guest_r
staff_u         staff      s0         s0-s0:c0.c1023        staff_r sysadm_r
...
user_u          user       s0         s0                    user_r
xguest_u        user       s0         s0                    xguest_r
[admin@server ~]$ semanage user -a -R 'staff_r user_r' test_u
[admin@server ~]$ semanage user -d test_u

Command switches:

  • -a add a custom mapping entry;
  • -l list users and their roles;
  • -d delete a user-to-role mapping entry;
  • -R list of roles attached to the user.

Files, ports and Boolean values

Each SELinux module provides a set of file labeling rules, but you can also add your own rules if needed. For example, we want the web server to have access to the /srv/www directory.

[admin@server ~]$ semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"
[admin@server ~]$ restorecon -R /srv/www/

The first command registers a new labeling rule, and the second resets, or rather applies, the file types according to the current rules.

In the same way, TCP/UDP ports are labeled so that only the appropriate services may listen on them. For example, for the web server to listen on port 8080, you need to run the following command.

[admin@server ~]$ semanage port -m -t http_port_t -p tcp 8080

A significant number of SELinux modules have parameters that take Boolean values. The full list of such parameters can be seen with getsebool -a. Boolean values are changed with setsebool.

[admin@server ~]$ getsebool httpd_enable_cgi
httpd_enable_cgi --> on
[admin@server ~]$ setsebool -P httpd_enable_cgi off
[admin@server ~]$ getsebool httpd_enable_cgi
httpd_enable_cgi --> off

Practicum: accessing the pgadmin web interface

Let's look at a practical example: we installed pgadmin4-web on RHEL 7.6 to manage a PostgreSQL database. We worked a little through its setup in pg_hba.conf, postgresql.conf and config_local.py, set the directory permissions, and installed the missing Python modules via pip. Everything is ready, we start it and get a 500 Server Error.


We start with the usual suspects, checking /var/log/httpd/error_log. There is an interesting entry there.

[timestamp] [core:notice] [pid 23689] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
...
[timestamp] [wsgi:error] [pid 23690] [Errno 13] Permission denied: '/var/lib/pgadmin'
[timestamp] [wsgi:error] [pid 23690] [timestamp] [wsgi:error] [pid 23690] HINT : You may need to manually set the permissions on
[timestamp] [wsgi:error] [pid 23690] /var/lib/pgadmin to allow apache to write to it.

At this point, most Linux administrators would be tempted to run setenforce 0, and that would be the end of it. Honestly, I did just that the first time. This is of course a way out, but far from the best one.

Despite its apparent complexity, SELinux can be quite user-friendly. Just install the setroubleshoot package and look at the system log.

[admin@server ~]$ yum install setroubleshoot
[admin@server ~]$ journalctl -b -0
[admin@server ~]$ service auditd restart

Note that the audit service must be restarted in exactly this way, not via systemctl, even though the OS runs systemd. The system log will then show not only the fact of the denial, but also its reason and a way to lift the restriction.
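Before changing any boolean, file context or port rule it helps to see which denials the audit log actually contains, how often, and whether they were enforced or only logged in permissive mode. The following script is an added example, not part of the original article or of setroubleshoot: it summarises AVC denial records (the format written to /var/log/audit/audit.log) into one line per distinct denial. The records it runs on are constructed; the name_connect denials against postgresql_port_t are the kind that the httpd_can_network_connect_db boolean addresses.

```shell
#!/bin/sh
# Added example (not part of the original article): summarise AVC denials
# from the audit log. Each distinct (command, source type, target type,
# object class, permission) tuple is counted once, and the permissive=0/1
# flag is reported so that denials that were merely logged are not confused
# with denials that were actually enforced.

# avc_summary: reads audit records on stdin and prints, sorted, one line per
# distinct denial as: COUNT COMM SOURCE_TYPE TARGET_TYPE TCLASS PERMISSION MODE
avc_summary() {
    awk '
    # kv(line, key): the value following key up to the next space, quotes stripped
    function kv(line, key,    v) {
        if (index(line, key) == 0) return ""
        v = substr(line, index(line, key) + length(key))
        sub(/[ ].*/, "", v)
        gsub(/"/, "", v)
        return v
    }
    # ctype(ctx): the type field of a user:role:type:level context
    function ctype(ctx,    a) { split(ctx, a, ":"); return a[3] }
    /^type=AVC / && / denied / {
        perm = $0
        sub(/.*denied  *[{] */, "", perm)
        sub(/ *[}].*/, "", perm)
        mode = (kv($0, "permissive=") == "1") ? "permissive" : "enforced"
        key = kv($0, "comm=") " " ctype(kv($0, "scontext="))
        key = key " " ctype(kv($0, "tcontext=")) " " kv($0, "tclass=") " " perm " " mode
        count[key]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort
}

# Constructed sample records in the audit.log AVC layout (not captured from a
# real host). The SYSCALL record must be ignored; the last AVC record was
# logged while the system was in permissive mode.
SAMPLE_AUDIT='type=AVC msg=audit(1601234567.123:456): avc:  denied  { write } for  pid=23690 comm="httpd" name="pgadmin" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1601234567.123:456): arch=c000003e syscall=83 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1601234570.001:457): avc:  denied  { name_connect } for  pid=23690 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1601234571.002:458): avc:  denied  { name_connect } for  pid=23691 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1601234590.500:460): avc:  denied  { read } for  pid=4120 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1'

# sample_summary: run the summary over the constructed records
sample_summary() {
    printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
}

sample_summary
```

On a real host feed it the audit log directly (`avc_summary < /var/log/audit/audit.log`) or a filtered extract (`ausearch -m avc -ts today | avc_summary`). A line such as `2 httpd httpd_t postgresql_port_t tcp_socket name_connect enforced` points straight at the database-connection boolean; a denial against user_home_t or var_lib_t instead suggests a file context that should be relabeled rather than a boolean to flip.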


We run the following commands:

[admin@server ~]$ setsebool -P httpd_can_network_connect 1
[admin@server ~]$ setsebool -P httpd_can_network_connect_db 1

We check access to the pgadmin4-web page: everything works.


Source: www.habr.com
