This translation of the article was prepared especially for students of the course.
Here you will find the answers to the big questions about life, the universe, and everything else in Linux with enhanced security.
"The important truth is that things are not always what they seem to be ..."
- Douglas Adams, The Hitchhiker's Guide to the Galaxy
Security. Hardening. Compliance. Policy. The Four Horsemen of the sysadmin Apocalypse. Besides our daily tasks (monitoring, backups, deployment, tuning, updating, and so on), we are also responsible for the security of our systems. Even for systems where a third-party vendor recommends that we disable the enhanced security. It sounds like a job
Faced with this dilemma, some system administrators decide to take action
In the spirit of The Hitchhiker's Guide to the Galaxy, here are 42 answers to the big questions about managing and using SELinux.
1. SELinux is a labeling system, which means that every process has a label. Every file, directory, and system object also has a label. Policy rules control access between labeled processes and labeled objects. The kernel enforces these rules.
2. The two most important concepts are: labeling (files, processes, ports, etc.) and type enforcement (which isolates processes from each other based on their types).
3. The correct label format is user:role:type:level (the level is optional).
4. The purpose of Multi-Level Security (MLS) enforcement is to control processes (domains) based on the security level of the data they will use. For example, a secret process cannot read top-secret data.
5. Multi-Category Security (MCS) enforcement protects similar processes from each other (for example, virtual machines, OpenShift gears, SELinux sandboxes, containers, etc.).
6. Kernel options for changing the SELinux mode at boot:
autorelabel=1 → forces the system to relabel
selinux=0 → the kernel does not load any SELinux infrastructure
enforcing=0 → boot in permissive mode
7. If you need to relabel the whole system:
# touch /.autorelabel
# reboot
If the system's labeling contains many errors, you may need to boot in permissive mode for the relabeling to succeed.
8. To check whether SELinux is enabled: # getenforce
9. To temporarily enable/disable SELinux: # setenforce [1|0]
10. To view the SELinux status: # sestatus
11. Configuration file: /etc/selinux/config
12. How does SELinux work? Here is an example of the labeling for an Apache web server:
- Binary:
/usr/sbin/httpd → httpd_exec_t
- Configuration directory:
/etc/httpd → httpd_config_t
- Log file directory:
/var/log/httpd → httpd_log_t
- Content directory:
/var/www/html → httpd_sys_content_t
- Startup script (systemd unit):
/usr/lib/systemd/system/httpd.service → httpd_unit_file_t
- Process:
/usr/sbin/httpd -DFOREGROUND → httpd_t
- Ports:
80/tcp, 443/tcp → httpd_t, http_port_t
A process running in the httpd_t context can interact with an object labeled httpd_something_t.
13. Many commands accept the -Z argument to view, create, and modify contexts:
ls -Z
id -Z
ps -Z
netstat -Z
cp -Z
mkdir -Z
Contexts are set when files are created, based on the context of their parent directory (with a few exceptions). RPMs can set contexts as part of the installation.
14. There are four main causes of SELinux errors, explained in more detail in items 15-21 below:
- Labeling problems
- Something SELinux needs to know
- A bug in the SELinux policy or application
- Your information may be compromised
15. Labeling problem: if your files in /srv/myweb are labeled incorrectly, access may be denied. Here are some ways to fix this:
- If you know the label:
# semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
- If you know a file with equivalent labeling:
# semanage fcontext -a -e /srv/myweb /var/www
- Restore the context (in both cases):
# restorecon -vR /srv/myweb
16. Labeling problem: if you move a file instead of copying it, the file keeps its original context. To fix this:
- Change the context with a label:
# chcon -t httpd_sys_content_t /var/www/html/index.html
- Change the context using the label of a reference file:
# chcon --reference /var/www/html/ /var/www/html/index.html
- Restore the context (in both cases):
# restorecon -vR /var/www/html/
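As an added example (not code from the article), a small POSIX shell helper that parses the user:role:type:level context from a line of `ls -Z` output (item 3), compares the type field with the one the httpd_t domain expects for its content (item 12), and prints the item 15 repair commands when they differ. The `ls -Z` line is a constructed sample, and the helper names (ctx_field, check_type, fix_commands) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the article. Parses the context field of an
# "ls -Z" line (user:role:type:level, item 3) and reports whether the
# type matches what the httpd_t domain expects for its content.
# The parsing runs anywhere; the printed fix needs semanage/restorecon.

# ctx_field <context> <n>: field n of a user:role:type:level context.
ctx_field() {
    case $2 in
        4) printf '%s\n' "$1" | cut -d: -f4- ;;   # the level may itself contain ':'
        *) printf '%s\n' "$1" | cut -d: -f"$2" ;;
    esac
}

# ls_z_type "<line of ls -Z output>": the type of the first field, since
# "ls -Z" prints "<context> <path>".
ls_z_type() {
    set -- $1
    ctx_field "$1" 3
}

# check_type <ls -Z line> <expected type>: prints "ok" or a mismatch
# message, and returns 1 on mismatch so callers can branch on it.
check_type() {
    actual=$(ls_z_type "$1")
    if [ "$actual" = "$2" ]; then
        echo ok
    else
        echo "mismatch: $actual (expected $2)"
        return 1
    fi
}

# fix_commands <dir> <expected type>: the item 15 repair, printed as
# commands to review before running them as root (persistent rule, then relabel).
fix_commands() {
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$2" "$1"
    printf 'restorecon -vR %s\n' "$1"
}

# Constructed sample: a file moved (not copied) from a home directory into
# the web root keeps its user_home_t label, the situation in item 16.
SAMPLE='unconfined_u:object_r:user_home_t:s0 /srv/myweb/index.html'

if ! check_type "$SAMPLE" httpd_sys_content_t; then
    fix_commands /srv/myweb httpd_sys_content_t
fi
```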
17. If SELinux needs to know that HTTPD listens on port 8585, tell SELinux:
# semanage port -a -t http_port_t -p tcp 8585
18. Something SELinux needs to know: booleans allow parts of the SELinux policy to be changed at runtime without any knowledge of SELinux policy writing. For example, if you want httpd to send email, enter: # setsebool -P httpd_can_sendmail 1
19. Something SELinux needs to know: booleans are simply on/off settings for SELinux:
- To see all boolean values:
# getsebool -a
- To see the description of each one:
# semanage boolean -l
- To set a boolean value:
# setsebool <boolean> [1|0]
- For a permanent setting, add -P. For example: # setsebool -P httpd_enable_ftp_server 1
20. SELinux policies/applications can have bugs, including:
- Unusual code paths
- Configurations
- Redirection of stdout
- Leaked file descriptors
- Executable memory
- Badly built libraries
Open a ticket (do not file a Bugzilla report; Bugzilla has no SLA).
21. Your information may be compromised if you have confined domains trying to:
- Load kernel modules
- Turn off SELinux enforcing mode
- Write to etc_t/shadow_t
- Modify iptables rules
22. SELinux tools for developing policy modules:
# yum -y install setroubleshoot setroubleshoot-server
Reboot or restart auditd after installing.
23. Use journalctl to list all logs related to setroubleshoot:
# journalctl -t setroubleshoot --since=14:20
24. Use journalctl to list all logs related to a particular SELinux label. For example:
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0
25. When an SELinux error occurs, use the setroubleshoot log, which suggests several possible solutions. For example, from journalctl:
Jun 14 19:41:07 web1 setroubleshoot: SELinux is preventing httpd from getattr access on the file /var/www/html/index.html. For complete message run: sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e
# sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e
SELinux is preventing httpd from getattr access on the file /var/www/html/index.html.
***** Plugin restorecon (99.5 confidence) suggests ************************
If you want to fix the label,
/var/www/html/index.html default label should be httpd_syscontent_t.
Then you can restorecon.
Do
# /sbin/restorecon -v /var/www/html/index.html
26. Logging: SELinux records information in several places:
- /var/log/messages
- /var/log/audit/audit.log
- /var/lib/setroubleshoot/setroubleshoot_database.xml
27. Logging: searching for SELinux errors in the audit log:
# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today
28. To find SELinux Access Vector Cache (AVC) messages for a particular service:
# ausearch -m avc -c httpd
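As an added example (not code from the article), a POSIX shell/awk filter that reduces type=AVC records to one counted row per (comm, source type, target type, class, permission), so the output of the ausearch commands in items 27-28 can be triaged against the four causes in item 14. The audit.log records are constructed samples, and the function name avc_summary is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the article. Summarises AVC denials from
# audit.log into one counted row per (comm, source type, target type,
# class, permission), a lightweight stand-in for "audit2allow -w -a".
# Assumed live use on a SELinux host:
#   ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today | avc_summary

# Constructed sample records in audit.log's type=AVC format: two file
# denials caused by a mislabeled web page (items 15-16) and one port
# denial because 8585 is not labeled http_port_t (item 17).
SAMPLE_AVC='type=AVC msg=audit(1718392867.101:412): avc:  denied  { getattr } for  pid=2214 comm="httpd" path="/var/www/html/index.html" dev="vda1" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1718392867.102:413): avc:  denied  { read } for  pid=2214 comm="httpd" path="/var/www/html/index.html" dev="vda1" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1718392900.500:420): avc:  denied  { name_bind } for  pid=2214 comm="httpd" src=8585 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# avc_summary: reads AVC records on stdin and prints
# "<count> <comm> <stype> <ttype> <tclass> { perm }", sorted, so that
# repeated denials collapse into a single row.
avc_summary() {
    awk '
    /type=AVC/ && /denied/ {
        perm = comm = st = tt = cls = ""
        if (match($0, /[{][^}]*[}]/)) perm = substr($0, RSTART, RLENGTH)
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")                    # key=value tokens only
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "comm")     { gsub(/"/, "", v); comm = v }
            if (k == "scontext") { split(v, c, ":"); st = c[3] }
            if (k == "tcontext") { split(v, c, ":"); tt = c[3] }
            if (k == "tclass")   cls = v
        }
        count[comm " " st " " tt " " cls " " perm]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }' | LC_ALL=C sort -k2
}

# A target type foreign to the service (user_home_t) points at a labeling
# problem; name_bind on tcp_socket points at a missing port label.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```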
29. The audit2allow utility gathers information from the logs of denied operations and then generates SELinux allow rules. For example:
- To produce a human-readable description of why access was denied:
# audit2allow -w -a
- To view the type enforcement rule that would allow the denied access:
# audit2allow -a
- To create a custom module:
# audit2allow -a -M mypolicy
- The -M option creates a type enforcement file (.te) with the given name and compiles the rule into a policy package (.pp): mypolicy.pp mypolicy.te
- To install the custom module:
# semodule -i mypolicy.pp
30. To make a single process (domain) run in permissive mode: # semanage permissive -a httpd_t
31. If you no longer want the domain to be permissive: # semanage permissive -d httpd_t
32. To disable all permissive domains: # semodule -d permissivedomains
33. To enable the SELinux MLS policy: # yum install selinux-policy-mls
In /etc/selinux/config:
SELINUX=permissive
SELINUXTYPE=mls
Make sure SELinux is running in permissive mode: # setenforce 0
Use the fixfiles script to make sure files are relabeled on the next reboot:
# fixfiles -F onboot
# reboot
34. Create a user with a specific MLS range: # useradd -Z staff_u john
Using the useradd command, map the new user to an existing SELinux user (in this case, staff_u).
35. To view the mapping between SELinux users and Linux users: # semanage login -l
36. Define a specific range for a user: # semanage login --modify --range s2:c100 john
37. To fix the label on the user's home directory (if needed): # chcon -R -l s2:c100 /home/john
38. To list the current categories: # chcat -L
39. To modify the categories or to start creating your own, edit the following file:
/etc/selinux/<selinuxtype>/setrans.conf
40. To run a command or script in a specific file, role, and user context:
# runcon -t initrc_t -r system_r -u user_u yourcommandhere
-t is the file context
-r is the role context
-u is the user context
41. Containers running with SELinux disabled:
- Podman:
# podman run --security-opt label=disable …
- Docker:
# docker run --security-opt label=disable …
42. If you need to give the container full access to the system:
- Podman:
# podman run --privileged …
- Docker:
# docker run --privileged …
And now you already know the answer. So please: don't panic, and turn SELinux on.
Source: www.habr.com