This translation of the article was prepared specifically for students of the course.
Get answers to the big questions about life, the universe, and everything else in Security-Enhanced Linux.
"It is an important and popular fact that things are not always what they seem..."
- Douglas Adams, The Hitchhiker's Guide to the Galaxy
Security, hardening, compliance, policy: the Four Horsemen of the Sysadmin Apocalypse. In addition to our daily tasks of monitoring, backup, implementation, configuration, updating and so on, we are also responsible for the security of our systems. Even on those systems where the third-party provider recommends disabling the enhanced security. It feels like a job in itself.
Faced with this dilemma, some sysadmins decide to take the following approach.
In the spirit of The Hitchhiker's Guide to the Galaxy, here are the 42 answers to the big questions about managing and using SELinux.
1. SELinux is a labeling system, which means every process has a label. Every file, directory, and system object also has a label. Policy rules control access between labeled processes and labeled objects. The kernel enforces these rules.
2. The two most important concepts are labeling (of files, processes, ports, etc.) and type enforcement (which isolates processes from each other based on their types).
3. The correct label format is user:role:type:level (the level is optional).
4. The purpose of Multi-Level Security (MLS) is to control processes (domains) based on the security level of the data they use. For example, a secret process cannot read top-secret data.
5. Multi-Category Security (MCS) protects similar processes from each other (virtual machines, OpenShift gears, SELinux sandboxes, containers, and so on).
6. Kernel options that change the SELinux mode at boot:
autorelabel=1: forces the system to relabel
selinux=0: the kernel does not load the SELinux infrastructure
enforcing=0: boot in permissive mode
7. If you need to relabel the entire system:
# touch /.autorelabel
# reboot
If the system's labeling contains a large number of errors, you may need to boot in permissive mode for the relabeling to succeed.
8. To check whether SELinux is enabled: # getenforce
9. To temporarily enable/disable SELinux: # setenforce [1|0]
10. To check the SELinux status: # sestatus
11. Configuration file: /etc/selinux/config
12. How does SELinux work? Here is an example of the labeling for an Apache web server:
- Binary: /usr/sbin/httpd → httpd_exec_t
- Configuration directory: /etc/httpd → httpd_config_t
- Log file directory: /var/log/httpd → httpd_log_t
- Content directory: /var/www/html → httpd_sys_content_t
- Startup script: /usr/lib/systemd/system/httpd.service → httpd_unit_file_t
- Process: /usr/sbin/httpd -DFOREGROUND → httpd_t
- Ports: 80/tcp, 443/tcp → httpd_t, http_port_t
A process running in the httpd_t context can interact with objects carrying an httpd_something_t label.
13. Many commands accept the -Z argument to view, create, and modify contexts:
ls -Z
id -Z
ps -Z
netstat -Z
cp -Z
mkdir -Z
Contexts are set when a file is created, based on the context of its parent directory (with some exceptions). RPMs can also set contexts as part of installation.
14. SELinux errors have four main causes, explained in detail in points 15 to 21 below:
- labeling problems
- something SELinux needs to know
- a bug in an SELinux policy or application
- your information may be compromised
15. Labeling problem: if the files in /srv/myweb are not labeled correctly, access may be denied. Here is how to fix it:
- If you know the label:
# semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
- If you know a file with equivalent labeling:
# semanage fcontext -a -e /srv/myweb /var/www
- Restore the context (in both cases):
# restorecon -vR /srv/myweb
16. Labeling problem: if you move a file instead of copying it, the file keeps its original context. To fix this:
- Change the context with the label:
# chcon -t httpd_sys_content_t /var/www/html/index.html
- Change the context with a reference label:
# chcon --reference /var/www/html/ /var/www/html/index.html
- Restore the context (in both cases):
# restorecon -vR /var/www/html/
17. SELinux needs to know: tell SELinux that HTTPD listens on port 8585:
# semanage port -a -t http_port_t -p tcp 8585
18. SELinux needs to know: booleans let you change parts of the SELinux policy at runtime without knowing how SELinux policy is written. For example, if httpd should be allowed to send email, enter:
# setsebool -P httpd_can_sendmail 1
19. SELinux needs to know: booleans are on/off switches for SELinux settings:
- To list all booleans:
# getsebool -a
- To see the description of each one:
# semanage boolean -l
- To set a boolean:
# setsebool [_boolean_] [1|0]
- To make the change persistent, add -P. For example:
# setsebool httpd_enable_ftp_server 1 -P
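Booleans are where a host quietly drifts from the posture it was built with. As an added example (not part of the original article), the script below compares getsebool -a output against a baseline of desired values and prints the setsebool -P commands that would restore it; the getsebool lines, the baseline and the function names sebool_drift and sebool_fix are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: audit SELinux booleans
# against a baseline. The getsebool output below is constructed; on a real
# host you would pipe "getsebool -a" into sebool_drift instead.
SAMPLE_GETSEBOOL='httpd_can_network_connect --> on
httpd_can_sendmail --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_unified --> off'

# Baseline (constructed): "boolean desired" pairs for a static web server.
# Every boolean relaxed beyond this widens what the httpd_t domain may do.
BASELINE='httpd_can_network_connect off
httpd_can_sendmail off
httpd_enable_ftp_server off
httpd_enable_homedirs off
httpd_unified off'

# sebool_drift: reads getsebool output on stdin and prints
# "<boolean> <current> <desired>" for each baseline boolean that differs
# (prints nothing when the host is compliant).
sebool_drift() {
  BASELINE="$BASELINE" awk '
  BEGIN {
    n = split(ENVIRON["BASELINE"], lines, "\n")
    for (i = 1; i <= n; i++) { split(lines[i], kv, " "); want[kv[1]] = kv[2] }
  }
  $2 == "-->" && ($1 in want) && $3 != want[$1] { print $1, $3, want[$1] }'
}

# sebool_fix: turns drift lines into the persistent setsebool commands
# (item 19: -P makes the change survive a reboot). Printed, never executed,
# so an operator can review them before applying.
sebool_fix() {
  sebool_drift | awk '{ v = ($3 == "on") ? 1 : 0; print "setsebool -P " $1 " " v }'
}
```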
20. SELinux policies/applications can contain bugs, including:
- unusual code paths
- configurations
- redirection of stdout
- leaked file descriptors
- executable memory
- badly built libraries
Open a ticket (do not file a report in Bugzilla; there is no SLA with Bugzilla).
21. Your information may be compromised if a confined domain is trying to:
- load kernel modules
- turn off SELinux enforcing mode
- write to etc_t/shadow_t
- modify iptables rules
22. SELinux tools for developing policy modules:
# yum -y install setroubleshoot setroubleshoot-server
Reboot or restart auditd after the installation.
23. Use journalctl to list all logs related to setroubleshoot:
# journalctl -t setroubleshoot --since=14:20
24. Use journalctl to list all logs related to a specific SELinux label. For example:
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0
25. When an SELinux error occurs, use the setroubleshoot log; it suggests several possible solutions. For example, from journalctl:
Jun 14 19:41:07 web1 setroubleshoot: SELinux is preventing httpd from getattr access on the file /var/www/html/index.html. For complete message run: sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e
# sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e
SELinux is preventing httpd from getattr access on the file /var/www/html/index.html.
***** Plugin restorecon (99.5 confidence) suggests ************************
If you want to fix the label,
/var/www/html/index.html default label should be httpd_sys_content_t.
Then you can restorecon.
Do
# /sbin/restorecon -v /var/www/html/index.html
26. Logging: SELinux records information in several places:
- /var/log/messages
- /var/log/audit/audit.log
- /var/lib/setroubleshoot/setroubleshoot_database.xml
27. Logging: to search for SELinux errors in the audit log:
# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today
28. To search for SELinux Access Vector Cache (AVC) messages for a specific service:
# ausearch -m avc -c httpd
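Items 21 and 27-28 together describe what to look for in the audit log: most denials are labeling problems or something SELinux needs to be told, but a few patterns are a sign of compromise. As an added example (not from the original article), the script below parses AVC denial records in the format ausearch -m AVC returns and flags the item-21 patterns as critical; the three audit records and the function names avc_triage and avc_count_critical are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: triage AVC denials as a
# defender reading "ausearch -m AVC" output. The three records below are
# constructed, not real captures.
SAMPLE_AVC='type=AVC msg=audit(1718386867.123:501): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="vda1" ino=262 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1718386868.456:502): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8585 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1718386869.789:503): avc:  denied  { write } for  pid=4321 comm="httpd" name="shadow" dev="vda1" ino=1337 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# avc_triage: reads AVC records on stdin and prints one line per denial:
#   <severity> <comm> <permission> <tclass> <source type> <target type>
# Severity is CRITICAL for the item-21 patterns (writing etc_t/shadow_t,
# loading kernel modules, disabling enforcing mode) and REVIEW otherwise
# (typically a labeling problem, a missing boolean, or a port to register).
avc_triage() {
  awk '
  /^type=AVC / && /avc: *denied/ {
    perm = ""; comm = ""; tclass = ""; stype = ""; ttype = ""
    # permissions sit between "{ " and " }", e.g. "{ read write }"
    if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
      if (kv[1] == "tclass")   tclass = kv[2]
      if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }  # user:role:type:level
      if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
    }
    sev = "REVIEW"
    if ((ttype == "shadow_t" || ttype == "etc_t") && perm ~ /write|append|create|unlink/) sev = "CRITICAL"
    if (perm ~ /sys_module|module_load/) sev = "CRITICAL"
    if (tclass == "security" && perm ~ /setenforce/) sev = "CRITICAL"
    print sev, comm, perm, tclass, stype, ttype
  }'
}

# avc_count_critical: number of CRITICAL denials in the records on stdin.
avc_count_critical() {
  avc_triage | awk '/^CRITICAL/ { n++ } END { print n + 0 }'
}
```

The REVIEW lines are the ones audit2allow (item 29) is meant for; a CRITICAL line is a reason to investigate the process before writing any allow rule for it.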
29. The audit2allow utility collects information from the logs of denied operations and generates SELinux allow rules. For example:
- To produce a human-readable explanation of why access was denied:
# audit2allow -w -a
- To view the type enforcement rule that would allow the denied access:
# audit2allow -a
- To create a custom module:
# audit2allow -a -M mypolicy
- The -M option creates a type enforcement file (.te) with the given name and compiles the rules into a policy package (.pp): mypolicy.te and mypolicy.pp.
- To install the custom module:
# semodule -i mypolicy.pp
30. To configure a single process (domain) to run in permissive mode: # semanage permissive -a httpd_t
31. To make the domain non-permissive again: # semanage permissive -d httpd_t
32. To disable all permissive domains: # semodule -d permissivedomains
33. Enabling the MLS SELinux policy: # yum install selinux-policy-mls
In /etc/selinux/config:
SELINUX=permissive
SELINUXTYPE=mls
Make sure SELinux is running in permissive mode: # setenforce 0
Use the fixfiles script to ensure the files are relabeled on the next reboot:
# fixfiles -F onboot
# reboot
34. Create a user with a specific MLS range: # useradd -Z staff_u john
The useradd command maps the new user to an existing SELinux user (in this case staff_u).
35. To view the mapping between SELinux users and Linux users: # semanage login -l
36. Define a specific range for the user: # semanage login --modify --range s2:c100 john
37. To fix the label on the user's home directory (if needed): # chcon -R -l s2:c100 /home/john
38. To list the current categories: # chcat -L
39. To modify the categories or start creating your own, edit the file:
/etc/selinux/<selinuxtype>/setrans.conf
40. To run a command or script in a specific file, role, and user context:
# runcon -t initrc_t -r system_r -u user_u yourcommandhere
-t is the type (file) context
-r is the role context
-u is the user context
41. Containers running with SELinux disabled:
- Podman:
# podman run --security-opt label=disable …
- Docker:
# docker run --security-opt label=disable …
42. If you need to give a container full access to the system:
- Podman:
# podman run --privileged …
- Docker:
# docker run --privileged …
And now you already know the answer. So please: don't panic, and turn on SELinux.
Links:
- SELinux by Dan Walsh
- Visual how-to guide for SELinux policy enforcement by Dan Walsh
- Security-Enhanced Linux for mere mortals by Thomas Cameron
- SELinux coloring book by Máirín Duffy
- SELinux User's and Administrator's Guide - Red Hat Enterprise Linux 7
Source: habr.com