SELinux Beginner's Guide

Translation of an article prepared for students of the "Linux Security" course

SELinux, or Security Enhanced Linux, is an enhanced access control mechanism developed by the US National Security Agency (NSA) to prevent malicious intrusions. It applies a mandatory (forced) access control model (Mandatory Access Control, MAC) on top of the existing discretionary (selective) model (Discretionary Access Control, DAC), that is, on top of the read, write and execute permissions.

SELinux has three modes:

  1. Enforcing - access is denied according to the policy rules.
  2. Permissive - actions that violate the policy, and that would be denied in enforcing mode, are only logged.
  3. Disabled - SELinux is turned off completely.

By default the settings live in /etc/selinux/config

Changing the SELinux mode

To find out the current mode, run

$ getenforce

To switch the mode to permissive, run the following command

$ setenforce 0

or, to switch the mode from permissive back to enforcing, run

$ setenforce 1

If you want to disable SELinux completely, this is done through the configuration file

$ vi /etc/selinux/config

To disable it, change the SELINUX parameter as follows:

SELINUX=disabled

Setting up SELinux

Every file and process is labelled by SELinux; the label carries additional information such as user, role, type and so on. If this is the first time you enable SELinux, you first need to set up the contexts and labels. The process of assigning labels and contexts is known as labelling. To start labelling, set the mode to permissive in the configuration file.

$ vi /etc/selinux/config
SELINUX=permissive

After setting the mode to permissive, create an empty hidden file named autorelabel in the root directory

$ touch /.autorelabel

and reboot the machine

$ init 6

Note: we use permissive mode for labelling, because using enforcing mode can crash the system during the reboot.

Don't worry if the boot seems to hang on some file; labelling takes time. Once labelling has finished and your system has booted, you can go back to the configuration file, set the mode to enforcing, and also run:

$ setenforce 1

SELinux is now enabled on your machine.

Checking the logs

You may have run into errors during labelling or while the system is running. To check whether SELinux is working correctly and whether it is blocking access to a port, an application and so on, you need to look at the logs. The SELinux log is /var/log/audit/audit.log, but you don't have to read all of it to find the errors. You can use audit2why to find them. Run this command:

$ audit2why < /var/log/audit/audit.log

As a result you get a list of errors. If there were no errors in the log, nothing is printed.
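As an added example (not part of the original article), the script below does the kind of first-pass triage that audit2why automates: it groups the AVC denials in an audit.log by source domain, target type, object class and permission, and separates denials that were actually blocked from those only logged in permissive mode. The audit lines embedded in it are constructed samples; on a real system you would pipe in /var/log/audit/audit.log instead.

```shell
#!/bin/sh
# Added example, not from the original article: a first-pass triage of AVC
# denials before reaching for audit2why/audit2allow. It groups denials by
# source domain, target type, object class and permission and marks whether
# each was actually blocked (permissive=0) or only logged (permissive=1).
# The audit lines below are CONSTRUCTED samples in the auditd AVC format.

AVC_SAMPLE='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=11 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read open } for  pid=1234 comm="httpd" path="/home/dan/html/index.html" dev="dm-0" ino=11 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { write } for  pid=2222 comm="vsftpd" name="upload.txt" dev="dm-0" ino=12 scontext=system_u:system_r:ftpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=1 success=no exit=-13 comm="vsftpd"'

# avc_summary: read audit lines on stdin and print one line per
# "count source->target class permission mode", most frequent first.
# Only type=AVC records are considered; SYSCALL and other records are skipped.
avc_summary() {
    awk '
    /^type=AVC / && /avc:  denied/ {
        sc = ""; tc = ""; cl = ""
        mode = (/permissive=1/) ? "permissive" : "enforcing"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); sc = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tc = b[3] }
            if ($i ~ /^tclass=/)   { cl = substr($i, 8) }
        }
        # the denied permissions sit between the braces, e.g. "{ read open }"
        if (match($0, /[{][^}]*[}]/)) {
            n = split(substr($0, RSTART + 1, RLENGTH - 2), p, " ")
            for (k = 1; k <= n; k++)
                count[sc "->" tc " " cl " " p[k] " " mode]++
        }
    }
    END { for (key in count) print count[key], key }
    ' | sort -rn
}

# avc_denied_count: number of distinct (source, target, class, permission)
# tuples that were really blocked, i.e. those needing a boolean, a relabel
# or a local policy; permissive-mode denials are only advisory.
avc_denied_count() {
    avc_summary | grep -c ' enforcing$'
}

# Stand-alone run over the constructed sample (feed the real audit.log instead).
printf '%s\n' "$AVC_SAMPLE" | avc_summary
```

In the sample, httpd_t hitting user_home_t on a file under /home/dan/html is the labelling problem that the "Labels and contexts" section below solves with semanage and restorecon, while the ftpd_t line is the case the ftp_home_dir boolean covers.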

Configuring SELinux policy

The SELinux policy is the set of rules that drives SELinux security. A policy defines a set of rules for a particular environment. Now we will learn how to adjust the policy to allow access to restricted services.

1. Boolean values (switches)

Switches (booleans) let you change parts of the policy at runtime, without writing new policy. They let you make changes without rebooting or recompiling the SELinux policy.

Example:
Suppose we want to share a user's home directory over FTP for read/write access, and we have already shared it, but when we try to access it we see nothing. This is because the SELinux policy prevents the FTP server from reading and writing in the user's home directory. We need to change the policy so that the FTP server can access home directories. Let's check whether there is a switch for this by running

$ semanage boolean -l

This command lists the available switches with their current state (on or off) and a description. You can narrow the search by adding grep to get only the ftp-related results:

$ semanage boolean -l | grep ftp

and you will get the following output

ftp_home_dir        -> off       Allow ftp to read & write file in user home directory

This switch is off, so we turn it on with setsebool:

$ setsebool ftp_home_dir on

Now our ftp daemon will be able to access the user's home directory.
Note: you can also get the list of available switches without descriptions by running getsebool -a

2. Labels and contexts

This is the most widely used way of working with the SELinux policy. Every file, directory, process and port is labelled by SELinux:

  • For files and directories, the labels are stored as extended attributes on the filesystem and can be viewed with this command:
    $ ls -Z /etc/httpd
  • For processes and ports, the labels are managed by the kernel, and you can view them as follows:

process

$ ps auxZ | grep httpd

port

$ netstat -anpZ | grep httpd

Example:
Now let's look at an example to better understand labels and contexts. Suppose we have a web server that, instead of the /var/www/html/ directory, uses /home/dan/html/. SELinux will treat this as a policy violation and you won't be able to view your web pages. This is because we haven't set the security context for the HTML files. To see what the default security context is, use this command:

$ ls -lZ /var/www/html
 -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/

Here we have httpd_sys_content_t as the context of the html files. We need to set this security context on our current directory, which has the following context:

-rw-r--r--. dan dan system_u:object_r:user_home_t:s0 /home/dan/html/

Another command for checking the security context of a file or directory:

$ semanage fcontext -l | grep '/var/www'

We will also use semanage to change the context once we have found the correct security context. To change the context of /home/dan/html, run these commands:

$ semanage fcontext -a -t httpd_sys_content_t '/home/dan/html(/.*)?'
$ semanage fcontext -l | grep '/home/dan/html'
/home/dan/html(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
$ restorecon -Rv /home/dan/html

Once the context has been changed with semanage, the restorecon command relabels the files and directories. Our web server can now read files from the /home/dan/html folder, because the folder's security context has been changed to httpd_sys_content_t.

3. Creating local policies

There may be cases where the methods above don't help and you keep getting errors (avc/denial) in audit.log. When this happens, you need to create a local policy. You can find all the errors with audit2why, as described above.

You can create a local policy to fix these errors. For example, if we get errors related to httpd (apache) or smbd (samba), we grep those errors out of the log and build a policy from them:

apache
$ grep httpd_t /var/log/audit/audit.log | audit2allow -M http_policy
samba
$ grep smbd_t /var/log/audit/audit.log | audit2allow -M smb_policy

where http_policy and smb_policy are the names of the local policies we created. Now we need to load the generated local policies into the current SELinux policy. This is done as follows:

$ semodule -i http_policy.pp
$ semodule -i smb_policy.pp

Our local policies have been loaded, and we should no longer see avc or denial messages in audit.log.

This was my attempt to help you understand SELinux. I hope that after reading this article you will feel more comfortable with SELinux.

Source: www.habr.com
