One of the main reasons for the great success of the Linux OS on embedded devices, mobile devices and servers is the fairly high degree of security of the kernel, its associated services and applications. But if
History of Linux Security Modules and SELinux
Security Enhanced Linux is a set of rules and an access mechanism based on mandatory and role-based access models, designed to protect Linux systems from potential threats and to correct the shortcomings of Discretionary Access Control (DAC), the traditional Unix security model. The project originated in the depths of the US National Security Agency; the contractors Secure Computing Corporation and MITRE, as well as several research laboratories, were directly involved in its development.
Linux Security Modules
Linus Torvalds made several comments on the NSA's new developments so that they could be included in the mainline Linux kernel. He described a general environment with a set of interceptors for controlling operations on objects and a set of protective fields in kernel data structures for storing the corresponding attributes. This environment can then be used by loadable kernel modules to implement any desired security model. LSM fully entered the Linux kernel in v2.6 in 2003.
The LSM framework includes guard fields in data structures and calls to hook functions at critical points in kernel code to manipulate them and perform access control. It also adds functionality for registering security modules. The /sys/kernel/security/lsm interface contains a list of the modules active on the system. LSM hooks are stored in lists that are called in the order specified by CONFIG_LSM. Detailed documentation on the hooks is included in the header file include/linux/lsm_hooks.h.
The LSM subsystem made it possible to complete the full integration of SELinux into the same Linux kernel v2.6. Almost immediately, SELinux became the de facto standard for a secure Linux environment and was included in the most popular distributions: RedHat Enterprise Linux, Fedora, Debian, Ubuntu.
Glossary
- Identity - An SELinux user is not the same as the usual Unix/Linux user id; they can coexist on the same system, but they are essentially different. Each standard Linux account can correspond to one or more SELinux users. The SELinux identity is part of the overall security context, which determines which domains can and cannot be entered.
- Domains - In SELinux, a domain is the execution context of a subject, i.e., a process. The domain directly determines the access a process has. A domain is essentially a list of what processes can do, or what a process can do with different types. Some examples of domains are sysadm_t for system administration, and user_t, which is an ordinary unprivileged user domain. The init system runs in the init_t domain, and the named process runs in the domain_t domain.
- Roles - Something that acts as an intermediary between domains and SELinux users. Roles determine which domains a user can be in and which object types can be accessed. Such an access control mechanism prevents the threat of privilege escalation attacks. Roles are written into the Role Based Access Control (RBAC) security model used in SELinux.
- Types - The Type Enforcement list attribute that is assigned to an object and determines who can access it. Similar to the domain definition, except that the domain is applied to a process, while the type is applied to objects such as directories, files, sockets, and so on.
- Subjects and objects - Processes are subjects and run in a specific context, or security domain. Operating system resources: files, directories, sockets, etc., are objects that are assigned a specific type, in other words, a privacy level.
- SELinux policies - SELinux uses a variety of policies to protect the system. An SELinux policy defines user access to roles, roles to domains, and domains to types. First, the user is allowed to acquire a role, then the role is allowed to access domains. Finally, a domain may have access to certain types of objects.
LSM and SELinux architecture
Despite the name, LSMs are not loadable Linux modules in general. Instead, like SELinux, they are integrated directly into the kernel. Any change to the LSM source code requires a kernel recompilation. The corresponding option must be enabled in the kernel configuration, otherwise the LSM code will not be activated after boot. But even in this case, it can be enabled by an OS bootloader option.
LSM checks
LSM has hooks in the core kernel functions that may be relevant for checks. One of the main features of LSM is that it is stacked. Thus, the usual checks are still performed, and each LSM layer only adds additional controls and restrictions. This means that a prohibition cannot be rolled back. This is shown in the figure: if the regular DAC check fails, the request does not even reach the LSM hooks.
SELinux adopted the Flask security architecture from the Fluke research operating system, in particular the principle of least privilege. The essence of this concept, as the name suggests, is to give a user or process only those rights that are necessary to perform the intended actions. This principle is implemented using type enforcement, so that SELinux access control is based on the domain => type model.
Thanks to type enforcement, SELinux has much greater access control capabilities than the DAC used in Unix/Linux systems. For example, you can restrict the network port number that an ftp server will listen on, or allow writing and modifying files in a specific folder, but not deleting them.
The main components of SELinux are:
- Policy Enforcement Server - The main mechanism for organizing access control.
- System security policy database.
- Interaction with the LSM event interceptor.
- Selinuxfs - A pseudo-FS, similar to /proc and mounted at /sys/fs/selinux. It is populated by the Linux kernel at runtime and contains files with information about the SELinux state.
- Access Vector Cache - An auxiliary mechanism to improve performance.
How SELinux works
It all works as follows.
- A subject, in SELinux terms, performs an allowed action on an object after the DAC check, as shown in the figure above. This request to perform an operation goes to the LSM event interceptor.
- From there, the request, together with the security context of the subject and the object, is passed to the SELinux Abstraction and Hook Logic module, which is responsible for interacting with LSM.
- The Policy Enforcement Server is the decision-making authority on access to the object, and it receives its data from SELinux AnHL.
- To make a decision on granting or denying access, the Policy Enforcement Server refers to the cache of the most frequently used rules, the Access Vector Cache (AVC).
- If a decision for the corresponding rule is not found in the cache, the request is passed to the security policy database.
- The lookup result from the database and the AVC is returned to the Policy Enforcement Server.
- If the policy found matches the requested action, the operation is allowed. Otherwise, the operation is prohibited.
Managing SELinux settings
SELinux operates in one of three modes:
- Enforcing - Strict enforcement of the security policies.
- Permissive - Violation of restrictions is allowed, and a corresponding entry is written to the log.
- Disabled - Security policies are not in effect.
You can see the current SELinux mode with the following command.
[admin@server ~]$ getenforce
Permissive
To change the mode until the next reboot, for example to set it to enforcing, use enforcing or 1. The permissive parameter corresponds to the numeric value 0.
[admin@server ~]$ setenforce enforcing
[admin@server ~]$ setenforce 1 # the same thing
You can also change the mode by editing the file:
[admin@server ~]$ cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
The difference from setenforce is that when the operating system boots, the SELinux mode is set according to the value of the SELINUX parameter in the configuration file. In addition, the enforcing <=> disabled change takes effect only by editing the file /etc/selinux/config and after a reboot.
View a brief status report:
[admin@server ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
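The sestatus report above shows the two values that can diverge on a running host: the mode active right now and the mode the machine will boot into. The following added shell script (not from the original article) compares them the way an administrator would after finding a host in permissive mode: it reads SELINUX= from a config file in the format shown earlier and the runtime mode as printed by getenforce. Both inputs are passed in explicitly, so the check works on captured data too; the sample config file is constructed here, and on a live system you would pass the output of getenforce and /etc/selinux/config instead.

```shell
#!/bin/sh
# Added example: detect drift between the SELinux runtime mode (getenforce)
# and the boot-time mode configured in /etc/selinux/config.

# config_mode FILE -> prints the SELINUX= value from a config file,
# ignoring comment lines and the unrelated SELINUXTYPE= setting
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# mode_drift RUNTIME FILE -> "ok" when the runtime mode matches the config,
# otherwise a "drift: ..." line. A host running permissive with enforcing in
# the config is the classic "someone ran setenforce 0" situation: the
# restrictions are off now and silently come back at the next reboot.
mode_drift() {
    runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    configured=$(config_mode "$2")
    if [ "$runtime" = "$configured" ]; then
        echo ok
    else
        echo "drift: running $runtime, config says $configured"
    fi
}

# Constructed sample config mirroring the file shown in the article
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

# Live use: mode_drift "$(getenforce)" /etc/selinux/config
mode_drift "Permissive" "$SAMPLE_CFG"
mode_drift "Enforcing" "$SAMPLE_CFG"
```

Run periodically (or from a configuration-management check), the "drift" line is the signal to look for: either the policy was disabled by hand and nobody put it back, or the config file was changed and the reboot that would apply it has not happened yet.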
To view SELinux contexts, some utilities take the -Z option.
[admin@server ~]$ ls -lZ /var/log/httpd/
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20200920
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20200927
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20201004
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20201011
[admin@server ~]$ ps -u apache -Z
LABEL PID TTY TIME CMD
system_u:system_r:httpd_t:s0 2914 ? 00:00:04 httpd
system_u:system_r:httpd_t:s0 2915 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0 2916 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0 2917 ? 00:00:00 httpd
...
system_u:system_r:httpd_t:s0 2918 ? 00:00:00 httpd
Compared with the output of ls -l, there are some additional fields in the following format:
<user>:<role>:<type>:<level>
The last field denotes something like a security clearance level and consists of two elements:
- s0 - sensitivity, which can also be written as an interval of levels
- c0, c1… c1023 - the category.
Changing access settings
Use semodule to load SELinux modules, enable them and remove them.
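As an added example (not part of the original article), the shell functions below split a context into the four fields named above and then apply that to the ps -Z listing shown earlier: every process owned by the service account is expected to run in the service's domain (httpd_t for the web server), and a worker that turned up in some other domain would be a labeling or policy problem worth investigating. The ps listing is constructed here, with one deliberately mislabelled process, so the script runs offline; on a live system the output of ps -u apache -Z would be piped in instead.

```shell
#!/bin/sh
# Added example: parse SELinux contexts and find processes running outside
# the domain their service is expected to have.

# label_field CONTEXT NAME -> prints one field of user:role:type:level.
# The level may itself contain ':' (s0-s0:c0.c1023), so it takes the rest.
label_field() {
    case "$2" in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        level) printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# unexpected_domains TYPE < ps_output -> "PID CMD TYPE" for each process whose
# domain type is not TYPE. The ps header line (LABEL PID TTY TIME CMD) is skipped.
unexpected_domains() {
    awk -v want="$1" 'NR > 1 { split($1, f, ":"); if (f[3] != want) print $2, $5, f[3] }'
}

# Constructed ps -u apache -Z listing: the last worker is deliberately
# mislabelled as unconfined_t to show what the check reports
SAMPLE_PS='LABEL PID TTY TIME CMD
system_u:system_r:httpd_t:s0 2914 ? 00:00:04 httpd
system_u:system_r:httpd_t:s0 2915 ? 00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2999 ? 00:00:00 httpd'

label_field 'system_u:object_r:httpd_log_t:s0' type
label_field 'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023' level
# Live use: ps -u apache -Z | unexpected_domains httpd_t
printf '%s\n' "$SAMPLE_PS" | unexpected_domains httpd_t
```

The same unexpected_domains filter works for any confined service; only the expected type changes. An empty result is the normal state.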
[admin@server ~]$ semodule -l |wc -l # list all modules
408
[admin@server ~]$ semodule -e abrt # enable - activate a module
[admin@server ~]$ semodule -d accountsd # disable - deactivate a module
[admin@server ~]$ semodule -r avahi # remove - delete a module
The first semanage login command maps an SELinux user to an operating system user, and the second lists the mappings. Finally, the last command, with the -d switch, removes the SELinux user mapping from the OS account. The syntax of the MLS/MCS Range values was explained in the previous section.
[admin@server ~]$ semanage login -a -s user_u karol
[admin@server ~]$ semanage login -l
Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
root unconfined_u s0-s0:c0.c1023 *
system_u system_u s0-s0:c0.c1023 *
[admin@server ~]$ semanage login -d karol
The semanage user command is used to manage the mapping between SELinux users and roles.
[admin@server ~]$ semanage user -l
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range       SELinux Roles
guest_u         user       s0         s0              guest_r
staff_u         staff      s0         s0-s0:c0.c1023  staff_r sysadm_r
...
user_u          user       s0         s0              user_r
xguest_u        user       s0         s0              xguest_r
[admin@server ~]$ semanage user -a -R 'staff_r user_r' test_u
[admin@server ~]$ semanage user -d test_u
Command options:
- -a add a mapping entry;
- -l list users and the roles mapped to them;
- -d delete a mapping entry;
- -R the list of roles assigned to the user.
Files, ports and booleans
Each SELinux module provides a set of file labeling rules, but you can also add your own rules if needed. For example, we want the web server to have access to the /srv/www folder.
[admin@server ~]$ semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"
[admin@server ~]$ restorecon -R /srv/www/
The first command registers the new labeling rules, and the second resets, or rather applies, the file types in accordance with the current rules.
Similarly, TCP/UDP ports are labeled so that only the appropriate services can listen on them. For example, for the web server to listen on port 8080, you need to run the following command.
[admin@server ~]$ semanage port -m -t http_port_t -p tcp 8080
Many SELinux modules have parameters that take boolean values. The full list of such parameters can be seen with getsebool -a. Boolean values can be changed using setsebool.
[admin@server ~]$ getsebool httpd_enable_cgi
httpd_enable_cgi --> on
[admin@server ~]$ setsebool -P httpd_enable_cgi off
[admin@server ~]$ getsebool httpd_enable_cgi
httpd_enable_cgi --> off
Practicum: gaining access to pgadmin-web
Consider an example from practice: we installed pgadmin4-web on RHEL 7.6 to manage a PostgreSQL database. We briefly went through
We start with the usual suspects and check /var/log/httpd/error_log. There are some interesting entries there.
[timestamp] [core:notice] [pid 23689] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
...
[timestamp] [wsgi:error] [pid 23690] [Errno 13] Permission denied: '/var/lib/pgadmin'
[timestamp] [wsgi:error] [pid 23690]
[timestamp] [wsgi:error] [pid 23690] HINT : You may need to manually set the permissions on
[timestamp] [wsgi:error] [pid 23690] /var/lib/pgadmin to allow apache to write to it.
At this point, most Linux administrators will be strongly tempted to run setenforce 0 and be done with it. To be honest, the first time I did exactly that. This is, of course, a way out, but far from the best one.
Despite its bulkiness, SELinux can be user-friendly. Just install the setroubleshoot package and look at the system log.
[admin@server ~]$ yum install setroubleshoot
[admin@server ~]$ journalctl -b -0
[admin@server ~]$ service auditd restart
Note that the audit service must be restarted this way, not with systemctl, despite the presence of systemd in the OS. The system log will then show not only the fact of the blocking, but also the reason and a way to lift the restriction.
We run the following commands:
[admin@server ~]$ setsebool -P httpd_can_network_connect 1
[admin@server ~]$ setsebool -P httpd_can_network_connect_db 1
We check access to the pgadmin4-web page: everything works.
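The error_log lines above only say "Permission denied"; the reason lives in the audit log as AVC records, which setroubleshoot turns into the explanation mentioned in the text. When setroubleshoot is not available, the same triage can be done by hand. The script below is an added example (not the article's code): it condenses AVC denial records into one line per distinct source domain, target type, object class and permission, with a count, which is what you need to decide whether a boolean such as httpd_can_network_connect_db or a file label such as the /var/lib/pgadmin one is the right fix. The audit lines are constructed to resemble the pgadmin scenario and follow the standard AVC record format; on a live host you would feed it with ausearch -m AVC or /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example: summarize SELinux AVC denials from audit records.

# avc_summary < audit_records -> one sorted line per distinct denial:
#   "<perm> <source type> -> <target type> (<class>) x<count>[ [permissive]]"
# Records other than "avc: denied" (e.g. type=SYSCALL) are ignored.
# permissive=1 marks denials that were logged but actually allowed through,
# i.e. things that would break the moment the host goes back to enforcing.
avc_summary() {
    awk '
    /avc:[[:space:]]+denied/ {
        perm = ""
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        s = ""; t = ""; c = ""; p = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); t = b[3] }
            if ($i ~ /^tclass=/)      c = substr($i, 8)
            if ($i ~ /^permissive=1/) p = " [permissive]"
        }
        n[perm " " s " -> " t " (" c ")" p]++
    }
    END { for (k in n) print k " x" n[k] }' | sort
}

# Constructed audit records: two write denials on the pgadmin state directory
# (labelled var_lib_t, which httpd_t may not write) and one blocked outbound
# connection to the PostgreSQL port, plus an unrelated SYSCALL record.
SAMPLE_AUDIT='type=AVC msg=audit(1601234567.101:401): avc:  denied  { write } for  pid=23690 comm="httpd" name="pgadmin" dev="dm-0" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1601234567.102:402): avc:  denied  { write } for  pid=23690 comm="httpd" name="pgadmin" dev="dm-0" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1601234567.103:403): avc:  denied  { name_connect } for  pid=23690 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1601234567.103:403): arch=c000003e syscall=42 success=no exit=-13'

# Live use: ausearch -m AVC -ts recent | avc_summary
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```

Reading the summary for the sample: the name_connect denial on postgresql_port_t is exactly what the httpd_can_network_connect_db boolean from the text addresses, while the write denial on a var_lib_t directory points at a label fix (semanage fcontext plus restorecon, as shown in the files section) rather than at switching the whole policy off.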
Source: www.habr.com