One of the reasons for the great success of the Linux OS on embedded and mobile devices and on servers is the fairly high level of security of the kernel, its related services, and applications. However,
Background of Linux Security Modules and SELinux
Security Enhanced Linux is a set of rules and access mechanisms based on mandatory and role-based access models that protects Linux systems from potential threats and corrects the shortcomings of discretionary access control (DAC), the traditional Unix security system. The project began inside the US National Security Agency and was developed directly, for the most part, by the contractors Secure Computing Corporation and MITRE together with a number of research institutions.
Linux Security Modules
Linus Torvalds made a number of comments on the NSA's new development so that it could be incorporated into the mainline Linux kernel. He described a general environment with a set of interceptors controlling operations on objects and a set of particular protected fields in kernel data structures for storing the corresponding attributes. Such an environment can then be used by loadable kernel modules to implement whatever security model is required. LSM was fully merged into Linux kernel v2.6 in 2003.
The LSM framework includes guard fields in data structures and calls to interceptor functions at critical points in the kernel code that manipulate those fields and perform access control. It also adds the ability to register security modules. The /sys/kernel/security/lsm interface contains the list of modules active on the system. LSM hooks are stored in lists that are called in the order specified by CONFIG_LSM. Detailed documentation on the hooks is in the header file include/linux/lsm_hooks.h.
The LSM subsystem made it possible to fully integrate SELinux with the same version of the stable Linux kernel, v2.6. Almost immediately SELinux became the de facto standard for a secure Linux environment and was included in the most popular distributions (RedHat Enterprise Linux, Fedora, Debian, Ubuntu).
SELinux glossary
- Identity - A SELinux user is not the same thing as the usual Unix/Linux user ID; the two can coexist on the same system but are essentially quite different. Each standard Linux account can correspond to one or more SELinux identities. The SELinux ID is part of the overall security context and determines which domains can and cannot be entered.
- Domain - In SELinux, a domain is the execution context of a subject, that is, of a process. The domain directly determines the access rights the process has. A domain is essentially a list of what a process may do, or what actions the process may perform on the various types. Examples of domains are sysadm_t for system administration and user_t, the ordinary unprivileged user domain. The init system runs in the init_t domain, and the named process runs in the named_t domain.
- Role - Serves as an intermediary between domains and SELinux users. The role determines which domains a user may belong to and which object types they may access. This access control mechanism counters the threat of privilege escalation attacks. Roles are written into the role-based access control (RBAC) security model used by SELinux.
- Type - A type enforcement attribute assigned to an object that determines who may access the object. It is similar to the domain definition, except that a domain applies to processes while a type applies to objects such as directories, files and sockets.
- Subjects and objects - Processes are subjects and run in a particular context, or security domain. Operating system resources (files, directories, sockets and so on) are objects, to which a particular type, that is, a confidentiality level, is assigned.
- SELinux policy - SELinux uses various policies to protect the system. A SELinux policy defines user access to roles, role access to domains, and domain access to types. First the user is granted the right to obtain a role, then the role is granted access to a domain. Finally, the domain may access only objects of particular types.
LSM and SELinux architecture
Despite its name, LSM is not, as a rule, a loadable Linux module. Like SELinux, it is integrated directly into the kernel. Changing the LSM source code requires recompiling the kernel. The corresponding option must be enabled in the kernel configuration; otherwise the LSM code is not active after boot. Even in that case, though, it can be enabled with an OS bootloader option.
The LSM check stack
LSM is equipped with hooks in the core kernel functions that are relevant to checks. One of the main features of LSM is that it is stacked: the standard checks continue to be performed, and each LSM layer only adds further controls. This means a denial can never be undone. As shown in the figure, if the result of the routine DAC check is failure, the question never even reaches the LSM hooks.
SELinux adopts the Flask security architecture of the Fluke research operating system, and in particular the principle of least privilege. The essence of this concept, as its name says, is to grant a user or process only the rights needed to perform the intended actions. The principle is implemented through mandatory access typing, so SELinux access control is based on a domain => type model.
Thanks to mandatory access typing, SELinux has far richer access control capabilities than the traditional DAC model used in Unix/Linux operating systems. For example, you can restrict the network port number an FTP server may connect to, or allow files in a particular folder to be written and modified but not deleted.
The main components of SELinux are:
- The policy enforcement server - the main mechanism for organizing access control.
- The system security policy database.
- Interaction with the LSM event interceptor.
- Selinuxfs - a pseudo-filesystem like /proc, mounted at /sys/fs/selinux. It is populated dynamically by the Linux kernel at runtime and contains files with SELinux status information.
- The access vector cache - an auxiliary mechanism for improving performance.
How SELinux works
It all works like this:
- As shown in the figure above, a subject (in SELinux terminology) performs an action permitted by the DAC check on an object. The request to perform this operation is sent to the LSM event interceptor.
- From there the request, together with the security contexts of the subject and the object, is passed to the SELinux abstraction and hook logic module, which is responsible for interaction with LSM.
- The authority that decides on the subject's access to the object is the Policy Enforcement Server, which receives the data from the SELinux AnHL.
- To decide between access and denial, the Policy Enforcement Server uses the Access Vector Cache (AVC), a caching subsystem for the most frequently used rules.
- If a decision for the corresponding rule is not found in the cache, the request is passed to the security policy database.
- The lookup result from the database and the AVC is returned to the Policy Enforcement Server.
- If the policy that was found matches the requested action, the operation is allowed. Otherwise the operation is denied.
Managing the SELinux configuration
SELinux operates in one of three modes:
- Enforcing - the security policy is strictly enforced.
- Permissive - violations of the restrictions are allowed, but a corresponding note is written to the journal.
- Disabled - the security policy is not active.
You can check which mode SELinux is in with the following command:
[admin@server ~]$ getenforce
Permissive
To change the mode until the next reboot, set it, for example, to enforcing or 1; the permissive parameter corresponds to the numeric code 0.
[admin@server ~]$ setenforce enforcing
[admin@server ~]$ setenforce 1   # the same thing
You can also change the mode by editing the file:
[admin@server ~]$ cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
The difference from setenforce is that when the operating system boots, the SELinux mode is set according to the value of the SELINUX parameter in the configuration file. Moreover, switching between enabled <=> disabled takes effect only after editing /etc/selinux/config and rebooting.
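Because the boot-time mode is whatever /etc/selinux/config says, a configuration file that quietly carries SELINUX=disabled or SELINUX=permissive undoes every setenforce 1 at the next reboot. The following POSIX sh script is an added example, not code from the article: it reads the SELINUX= and SELINUXTYPE= values from a config-style file (ignoring comments, as the real file has a commented-out copy of every value) and reports the weak setting next to the corrected one. The two files it checks are constructed in a temporary directory rather than read from /etc/selinux/config.

```shell
#!/bin/sh
# Added example (not from the original article): read the SELINUX= and
# SELINUXTYPE= settings from an /etc/selinux/config-style file, ignoring
# comments, and flag a weak setting (disabled/permissive) beside a good one.
# The file paths and contents below are constructed for the demo.

# selinux_config_value FILE KEY -> value of the last uncommented KEY=value line
selinux_config_value() {
    # drop comments and trailing blanks, then keep the last KEY=value match
    sed -e 's/#.*$//' -e 's/[[:space:]]*$//' "$1" \
        | awk -F= -v key="$2" '$1 == key { v = $2 } END { print v }'
}

# selinux_config_verdict FILE -> "ok: ..." (exit 0) when the file boots into
# enforcing mode with a known policy type, otherwise the setting to fix (exit 1)
selinux_config_verdict() {
    cfg_mode=$(selinux_config_value "$1" SELINUX)
    cfg_type=$(selinux_config_value "$1" SELINUXTYPE)
    case "$cfg_mode" in
        enforcing)  ;;
        permissive) echo "weak: SELINUX=permissive (denials only logged)"; return 1 ;;
        disabled)   echo "weak: SELINUX=disabled (no policy loaded)"; return 1 ;;
        *)          echo "invalid: SELINUX=$cfg_mode"; return 1 ;;
    esac
    case "$cfg_type" in
        targeted|minimum|mls) echo "ok: SELINUX=$cfg_mode SELINUXTYPE=$cfg_type"; return 0 ;;
        *) echo "invalid: SELINUXTYPE=$cfg_type"; return 1 ;;
    esac
}

# --- constructed sample files standing in for /etc/selinux/config ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
WEAK_CFG="$DEMO_DIR/config.weak"
GOOD_CFG="$DEMO_DIR/config.good"

cat > "$WEAK_CFG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
SELINUX=disabled
SELINUXTYPE=targeted
EOF

cat > "$GOOD_CFG" <<'EOF'
# SELINUX=disabled      <- a commented-out line must be ignored
SELINUX=enforcing
SELINUXTYPE=targeted    # a trailing comment is stripped as well
EOF

selinux_config_verdict "$WEAK_CFG" || true   # weak: SELINUX=disabled (no policy loaded)
selinux_config_verdict "$GOOD_CFG"           # ok: SELINUX=enforcing SELINUXTYPE=targeted
```

Run it against the real file with `selinux_config_verdict /etc/selinux/config`; the non-zero exit status makes it usable from a configuration-compliance job.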
Display a brief status report:
[admin@server ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
To display SELinux attributes, some of the standard utilities take the -Z parameter.
[admin@server ~]$ ls -lZ /var/log/httpd/
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20200920
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20200927
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20201004
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20201011
[admin@server ~]$ ps -u apache -Z
LABEL PID TTY TIME CMD
system_u:system_r:httpd_t:s0 2914 ? 00:00:04 httpd
system_u:system_r:httpd_t:s0 2915 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0 2916 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0 2917 ? 00:00:00 httpd
...
system_u:system_r:httpd_t:s0 2918 ? 00:00:00 httpd
Compared with the usual output of ls -l, you will notice additional fields of the form:
<user>:<role>:<type>:<level>
The last field denotes something like a security classification and consists of a combination of two elements:
- s0 - the sensitivity, which may also be written as a range of a low and a high level.
- c0, c1 ... c1023 - the categories.
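The context string is easy to split mechanically, and doing so is what you need when checking a directory for files that do not carry the type you expect (the situation restorecon fixes later on this page). The following POSIX sh script is an added example, not code from the article: it splits a context into user, role, type and level, splits the level into sensitivity and categories, and scans ls -lZ style lines for entries whose type differs from an expected one. The listing it processes is a constructed sample, not output from the article's host, and the mislabeled entry is deliberate.

```shell
#!/bin/sh
# Added example (not from the original article): take a SELinux security
# context apart into <user>:<role>:<type>:<level>, split the level into
# sensitivity and categories, and scan ls -lZ style lines for entries whose
# type is not the expected one. The listing below is a constructed sample.

# context_user / context_role / context_type CONTEXT -> the named field
context_user() { printf '%s\n' "$1" | cut -d: -f1; }
context_role() { printf '%s\n' "$1" | cut -d: -f2; }
context_type() { printf '%s\n' "$1" | cut -d: -f3; }
# context_level CONTEXT -> everything from the 4th field on, because the level
# itself contains ':' when categories are present (s0-s0:c0.c1023)
context_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# level_sensitivity LEVEL -> "s0" or a range such as "s0-s0"
# level_categories  LEVEL -> "c0.c1023" etc., empty when the level has no categories
level_sensitivity() { printf '%s\n' "$1" | cut -d: -f1; }
level_categories()  { printf '%s\n' "$1" | cut -s -d: -f2; }

# is_context STRING -> true when STRING has the user:role:type:level shape with
# the usual _u/_r/_t suffixes and an s<N> level (optionally a range and categories)
is_context() {
    printf '%s\n' "$1" \
        | grep -Eq '^[A-Za-z0-9_]+_u:[A-Za-z0-9_]+_r:[A-Za-z0-9_]+_t:s[0-9]+(-s[0-9]+)?(:c[0-9]+([.,]c[0-9]+)*)?$'
}

# types_in_listing -> distinct types found in ls -lZ / ps -Z style lines on stdin
types_in_listing() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[^:]+:[^:]+:[^:]+:s[0-9]/) { split($i, f, ":"); print f[3]; break } }' \
        | sort -u
}

# mislabeled EXPECTED_TYPE -> names of ls -lZ entries on stdin whose type differs
# from EXPECTED_TYPE: the candidates for restorecon, or for a closer look.
# Assumes file names without spaces, as in the article's listing.
mislabeled() {
    awk -v want="$1" '{
        for (i = 1; i <= NF; i++) if ($i ~ /^[^:]+:[^:]+:[^:]+:s[0-9]/) {
            split($i, f, ":"); if (f[3] != want) print $NF; break
        }
    }'
}

# --- constructed sample listing (one entry deliberately mislabeled) ---
SAMPLE_LS='-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20200920
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 notes.txt'

context_type system_u:object_r:httpd_log_t:s0                 # httpd_log_t
context_level system_u:system_r:unconfined_t:s0-s0:c0.c1023   # s0-s0:c0.c1023
printf '%s\n' "$SAMPLE_LS" | mislabeled httpd_log_t            # notes.txt
```

On a live host, `ls -lZ /var/log/httpd | mislabeled httpd_log_t` gives the same report for the real directory.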
Changing the access configuration
semodule is used to load, add and remove SELinux modules.
[admin@server ~]$ semodule -l | wc -l   # list of all modules
408
[admin@server ~]$ semodule -e abrt        # enable - activate a module
[admin@server ~]$ semodule -d accountsd   # disable - deactivate a module
[admin@server ~]$ semodule -r avahi       # remove - delete a module
semanage login manages logins, mapping SELinux users to operating system users; the second command shows the list. Finally, the last command, with the -d switch, removes the mapping of the SELinux user to the OS account. The MLS/MCS range settings were described in the previous section.
[admin@server ~]$ semanage login -a -s user_u karol
[admin@server ~]$ semanage login -l
Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
root unconfined_u s0-s0:c0.c1023 *
system_u system_u s0-s0:c0.c1023 *
[admin@server ~]$ semanage login -d karol
semanage user manages SELinux users and is used to manage the mapping between SELinux users and roles.
[admin@server ~]$ semanage user -l
Labeling MLS/ MLS/
SELinux User Prefix MCS Level MCS Range SELinux Roles
guest_u user s0 s0 guest_r
staff_u staff s0 s0-s0:c0.c1023 staff_r sysadm_r
...
user_u user s0 s0 user_r
xguest_u user s0 s0 xguest_r
[admin@server ~]$ semanage user -a -R 'staff_r user_r' test_u
[admin@server ~]$ semanage user -d test_u
Command parameters:
- -a adds a custom role mapping entry.
- -l lists the matching users and roles.
- -d deletes a user role mapping entry.
- -R the list of roles attached to the user.
Files, ports and boolean values
Each SELinux module comes with a set of file labeling rules, but you can add your own as needed. For example, suppose we want to give the web server access to the /srv/www folder.
[admin@server ~]$ semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"
[admin@server ~]$ restorecon -R /srv/www/
The first command registers a new labeling rule; the second resets, or sets, the file types according to the current rules.
Similarly, TCP/UDP ports are labeled so that only the appropriate services can listen on them. For example, for the web server to listen on port 8080 the following command is needed:
[admin@server ~]$ semanage port -m -t http_port_t -p tcp 8080
A fair number of SELinux modules have parameters that take boolean values. The full list of such parameters can be displayed with getsebool -a. Boolean values are changed with setsebool.
[admin@server ~]$ getsebool httpd_enable_cgi
httpd_enable_cgi --> on
[admin@server ~]$ setsebool -P httpd_enable_cgi off
[admin@server ~]$ getsebool httpd_enable_cgi
httpd_enable_cgi --> off
Workshop: getting access to the pgadmin-web interface
Let's look at a practical example. To manage PostgreSQL databases we installed pgadmin4-web on RHEL 7.6 and stepped on a few rakes along the way.
Starting from the usual blank page, we check /var/log/httpd/error_log, which has a few interesting entries:
[timestamp] [core:notice] [pid 23689] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
...
[timestamp] [wsgi:error] [pid 23690] [Errno 13] Permission denied: '/var/lib/pgadmin'
[timestamp] [wsgi:error] [pid 23690]
[timestamp] [wsgi:error] [pid 23690] HINT : You may need to manually set the permissions on
[timestamp] [wsgi:error] [pid 23690] /var/lib/pgadmin to allow apache to write to it.
At this point most Linux administrators would run setenforce 0 and be done with it. Honestly, I did that the first time. Of course, that is a solution too, but far from the best one.
SELinux, despite its intricate design, is quite user-friendly. It is enough to install the setroubleshoot package and look at the system log.
[admin@server ~]$ yum install setroubleshoot
[admin@server ~]$ journalctl -b -0
[admin@server ~]$ service auditd restart
Note that the auditd service must be restarted this way, without systemctl, even when the OS has systemd. The system log then shows not only the fact of the denial but also its reason and how to overcome it.
Run the following commands:
[admin@server ~]$ setsebool -P httpd_can_network_connect 1
[admin@server ~]$ setsebool -P httpd_can_network_connect_db 1
Check access to the pgadmin4-web page: everything works.
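What setroubleshoot turns into the readable "reason and how to overcome it" message are AVC denial records from the audit log, and the same records are what you search when deciding whether a boolean such as httpd_can_network_connect_db is really the right fix. The following POSIX sh script is an added example, not code from the article: it picks the fields out of AVC records and summarises which domain was denied which permission on which object class, separating denials that were blocked (permissive=0) from ones that were only logged (permissive=1). On a real host such records come from `ausearch -m avc -ts recent`; the records below are constructed to resemble the pgadmin case, and their pids, inodes, timestamps and target types are made up.

```shell
#!/bin/sh
# Added example (not from the original article): read SELinux AVC denial
# records, the raw material setroubleshoot works from, and summarise who was
# denied what. On a real host such records come from the audit log
# (e.g. `ausearch -m avc -ts recent`); the records below are constructed to
# resemble the pgadmin case, with made-up pids, inodes, timestamps and types.

# avc_field RECORD KEY -> value of the KEY=value token in the record, quotes stripped
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0 && substr($i, 1, n - 1) == key) {
                v = substr($i, n + 1); gsub("\"", "", v); print v; exit
            }
        }
    }'
}

# avc_permission RECORD -> the permission(s) between the braces, e.g. "write"
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# avc_summary RECORD -> "<enforcing|permissive>: <source type> <perm> <class> (<target type>) on <name>"
# permissive=1 marks a denial that was only logged, not blocked; those records
# tell you what would break in enforcing mode before you switch to it.
avc_summary() {
    rec="$1"
    case "$(avc_field "$rec" permissive)" in
        1) mode=permissive ;;
        *) mode=enforcing ;;
    esac
    src=$(avc_field "$rec" scontext | cut -d: -f3)
    tgt=$(avc_field "$rec" tcontext | cut -d: -f3)
    printf '%s: %s %s %s (%s) on %s\n' "$mode" "$src" "$(avc_permission "$rec")" \
        "$(avc_field "$rec" tclass)" "$tgt" "$(avc_field "$rec" name)"
}

# avc_denials_by_domain LOGFILE -> "<source type> <count>" for blocked denials,
# most frequent first; a quick view of which confined domain is hurting
avc_denials_by_domain() {
    grep 'avc: *denied' "$1" | grep -v 'permissive=1' \
        | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# --- constructed sample log (all values made up for the demo) ---
AVC_LOG=$(mktemp)
trap 'rm -f "$AVC_LOG"' EXIT
cat > "$AVC_LOG" <<'EOF'
type=AVC msg=audit(1601200000.123:456): avc:  denied  { write } for  pid=23690 comm="httpd" name="pgadmin" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1601200001.456:457): avc:  denied  { name_connect } for  pid=23690 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1601200002.789:458): avc:  denied  { read } for  pid=23691 comm="httpd" name="notes.txt" dev="dm-0" ino=4243 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1601200003.012:459): avc:  denied  { read } for  pid=1200 comm="sshd" name="authorized_keys" dev="dm-0" ino=99 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF

AVC_SAMPLE=$(head -n 1 "$AVC_LOG")
avc_summary "$AVC_SAMPLE"          # enforcing: httpd_t write dir (var_lib_t) on pgadmin
avc_denials_by_domain "$AVC_LOG"   # httpd_t 2, then sshd_t 1
```

The first sample record is the shape of denial behind the "Permission denied: '/var/lib/pgadmin'" line in the article's error_log: the httpd_t domain writing to a directory whose type the httpd policy does not allow, which is a labeling question rather than a reason to disable enforcement.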
Source: habr.com