SELinux cheat sheet for sysadmins: 42 answers to the big questions

This translation of the article was prepared specially for students of the "Linux Administrator" course.


Here you will find answers to the big questions about life, the universe and everything in Linux, and about how to make your systems more secure.

"The important truth is that things are not always what they appear to common sense..."

- Douglas Adams, The Hitchhiker's Guide to the Galaxy

Security. Hardening. Compliance. Policy. The four horsemen of the sysadmin apocalypse. On top of our daily tasks (monitoring, backups, deployment, tuning, updates and so on) we are also responsible for the security of our systems. Even for the systems where a third-party vendor tells us to turn the security off. It feels like a job for Ethan Hunt from "Mission: Impossible".

Faced with this dilemma, some sysadmins decide to take the blue pill, because they think they will never know the answer to the big question of life, the universe and everything. And, as we all know, that answer is 42.

In the spirit of The Hitchhiker's Guide to the Galaxy, here are 42 answers to the big questions about managing and using SELinux on your systems.

1. SELinux is a labeling system, meaning that every process has a label. Every file, directory and system object also has a label. Policy rules control the access between labeled processes and labeled objects. The kernel enforces these rules.

2. The two most important concepts are: labeling (of files, processes, ports, etc.) and type enforcement (which isolates processes from one another based on their types).

3. The correct label format is user:role:type:level (the level is optional). Note that the level itself may contain colons, as in s0-s0:c0.c1023, so the level is everything after the third colon.

4. The purpose of Multi-Level Security (MLS) enforcement is to control processes (domains) based on the security level of the data they are going to use. For example, a process running at the "secret" level cannot read "top secret" data.

5. Multi-Category Security (MCS) enforcement protects similar processes from one another (for example, virtual machines, OpenShift gears, SELinux sandboxes, containers, etc.).

6. Kernel boot options for changing the SELinux mode at boot time:

  • autorelabel=1 → forces the system to relabel
  • selinux=0 → the kernel does not load the SELinux infrastructure at all
  • enforcing=0 → boot in permissive mode

7. If you need to relabel the entire system:

# touch /.autorelabel
# reboot

If the system's labeling contains a large number of errors, you may need to boot in permissive mode for the autorelabel to succeed.

8. To check the current SELinux mode (Enforcing, Permissive or Disabled): # getenforce

9. To temporarily switch between enforcing (1) and permissive (0) mode: # setenforce [1|0]. This does not survive a reboot, and it cannot disable SELinux entirely; for that use the selinux=0 boot option or SELINUX=disabled in the configuration file and reboot.

10. To check the SELinux status: # sestatus

11. The configuration file: /etc/selinux/config

12. How does SELinux work? Here is an example of labeling for the Apache web server:

  • Binary: /usr/sbin/httpd → httpd_exec_t
  • Configuration directory: /etc/httpd → httpd_config_t
  • Log file directory: /var/log/httpd → httpd_log_t
  • Content directory: /var/www/html → httpd_sys_content_t
  • Startup script: /usr/lib/systemd/system/httpd.service → httpd_unit_file_t
  • Process: /usr/sbin/httpd -DFOREGROUND → httpd_t
  • Ports: 80/tcp, 443/tcp → http_port_t (the port type that httpd_t is allowed to bind)

A process running in the httpd_t context can interact with objects labeled httpd_something_t.

13. Many commands accept the -Z argument to view, create or modify the context:

  • ls -Z
  • id -Z
  • ps -Z
  • netstat -Z
  • cp -Z
  • mkdir -Z

Contexts are assigned when files are created, based on the context of their parent directory (with some exceptions). RPM packages can set contexts as part of installation.

14. There are four main causes of SELinux errors, which are described in more detail in items 15-21 below:

  • Labeling problems
  • Something SELinux needs to know about
  • A bug in the SELinux policy or the application
  • Your system may be compromised

15. Labeling problems: if your files in /srv/myweb are labeled incorrectly, access may be denied. Here are some ways to fix this:

  • If you know the label:
    # semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
  • If you know a directory with equivalent labeling (the existing path comes first, the new path second):
    # semanage fcontext -a -e /var/www /srv/myweb
  • Restore the context (for both cases):
    # restorecon -vR /srv/myweb

16. Labeling problems: if you move a file instead of copying it, the file keeps its original context. To fix this:

  • Change the context to the correct label:
    # chcon -t httpd_sys_content_t /var/www/html/index.html
  • Change the context to match a reference file or directory:
    # chcon --reference /var/www/html/ /var/www/html/index.html
  • Restore the context (for both cases): # restorecon -vR /var/www/html/

Note that chcon changes only the label on disk; the next restorecon or relabel resets it to whatever the file-context rules say, so for a permanent fix define the rule with semanage fcontext (item 15) and then run restorecon.
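The following is an added example (not part of the original article) that works through items 3, 12, 15 and 16 offline: it dissects contexts into their four fields, handling levels that themselves contain colons, and audits a constructed `ls -Z`-style listing of a web root for files whose type is not one that httpd_t may use, printing the repair commands from items 15 and 16. The listing, the path /srv/myweb and the list of acceptable httpd content types are assumptions made for the example; nothing is read from a live system.

```shell
#!/usr/bin/env bash
# Added example: offline SELinux label audit for a web root.
# Not code from the original article; no command here needs SELinux to be present.

# Constructed listing shaped like "ls -Z" output (context, then path). Not captured from a real host.
WEBROOT_LISTING='unconfined_u:object_r:httpd_sys_content_t:s0 /srv/myweb/index.html
unconfined_u:object_r:user_home_t:s0 /srv/myweb/about.html
system_u:object_r:httpd_sys_rw_content_t:s0 /srv/myweb/uploads
staff_u:object_r:default_t:s2-s2:c100 /srv/myweb/secret.html'

# Split a context into its fields. The level is "everything after the third colon"
# because MLS/MCS ranges such as s0-s0:c0.c1023 contain colons themselves,
# so a naive 4-way split would truncate it.
ctx_user()  { printf '%s\n' "$1" | cut -d: -f1; }
ctx_role()  { printf '%s\n' "$1" | cut -d: -f2; }
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3; }
ctx_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# Types that httpd_t is allowed to serve or write (assumed subset for this example).
web_type_ok() {
  case "$1" in
    httpd_sys_content_t|httpd_sys_rw_content_t|httpd_sys_ra_content_t|httpd_sys_script_exec_t)
      return 0 ;;
    *)
      return 1 ;;
  esac
}

# Print "<path> <actual_type>" for every entry whose type is not a web content type.
audit_web_labels() {
  printf '%s\n' "$1" | while read -r ctx path; do
    t=$(ctx_type "$ctx")
    web_type_ok "$t" || printf '%s %s\n' "$path" "$t"
  done
}

# Emit the item 15/16 commands that would repair the mislabeled entries:
# a one-off chcon per file, then the persistent rule plus restorecon.
suggest_fixes() {
  audit_web_labels "$1" | while read -r path t; do
    printf 'chcon -t httpd_sys_content_t %s   # was %s\n' "$path" "$t"
  done
  printf "semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'\n"
  printf 'restorecon -vR /srv/myweb\n'
}

# Stand-alone run: show the audit and the proposed fixes.
echo "Mislabeled entries:"
audit_web_labels "$WEBROOT_LISTING"
echo "Suggested fixes:"
suggest_fixes "$WEBROOT_LISTING"
```

The audit flags about.html (moved in from a home directory, so it kept user_home_t, the item 16 case) and secret.html (default_t, no rule matched when it was created, the item 15 case). The chcon lines are the quick fix; the semanage fcontext rule followed by restorecon is what survives the next relabel.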

17. Something SELinux needs to know: if HTTPD listens on port 8585, tell SELinux about it:

# semanage port -a -t http_port_t -p tcp 8585

18. Something SELinux needs to know: booleans let you change parts of the SELinux policy at runtime without having to write policy. For example, if you want httpd to send email, enter: # setsebool -P httpd_can_sendmail 1

19. Something SELinux needs to know: booleans are simply on/off switches for parts of the SELinux policy:

  • To see all boolean values: # getsebool -a
  • To see the description of each boolean: # semanage boolean -l
  • To set a boolean: # setsebool [_boolean_] [1|0]
  • For a permanent setting, add -P. For example: # setsebool -P httpd_enable_ftp_server 1

20. SELinux policies and applications can have bugs, including:

  • Unusual code paths
  • Configuration problems
  • Redirection of stdout
  • Leaked file descriptors
  • Executable memory
  • Badly built libraries

Open a support ticket (do not file a report in Bugzilla; Bugzilla has no SLA).

21. Your system may be compromised if a confined domain is trying to:

  • Load kernel modules
  • Turn off SELinux enforcing mode
  • Write to etc_t/shadow_t
  • Modify iptables rules

22. Tools for diagnosing SELinux denials:

# yum -y install setroubleshoot setroubleshoot-server

Reboot or restart auditd after installing them.

23. Use

journalctl

to list all log entries related to setroubleshoot:

# journalctl -t setroubleshoot --since=14:20

24. Use journalctl to list all log entries related to a specific SELinux label. For example:

# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0

25. When an SELinux error occurs, use the setroubleshoot log to get several possible solutions.
For example, from journalctl:

Jun 14 19:41:07 web1 setroubleshoot: SELinux is preventing httpd from getattr access on the file /var/www/html/index.html. For complete message run: sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e

# sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e
SELinux is preventing httpd from getattr access on the file /var/www/html/index.html.

***** Plugin restorecon (99.5 confidence) suggests ************************

If you want to fix the label,
/var/www/html/index.html default label should be httpd_sys_content_t.
Then you can restorecon.
Do
# /sbin/restorecon -v /var/www/html/index.html

26. Logging: SELinux records information in several places:

  • /var/log/messages
  • /var/log/audit/audit.log
  • /var/lib/setroubleshoot/setroubleshoot_database.xml

27. Logging: to search for SELinux errors in the audit log:

# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today

28. To search for SELinux Access Vector Cache (AVC) messages for a specific service:

# ausearch -m avc -c httpd

29. The audit2allow utility collects information from the logs of denied operations and then generates SELinux policy allow rules. Examples:

  • To produce a human-readable description of why access was denied: # audit2allow -w -a
  • To view the type enforcement rule that would allow the denied access: # audit2allow -a
  • To create a custom module: # audit2allow -a -M mypolicy
  • The -M option creates a type enforcement file (.te) with the given name and compiles the rule into a policy package (.pp): mypolicy.pp mypolicy.te
  • To install the custom module: # semodule -i mypolicy.pp

Review every rule audit2allow proposes before installing it: it allows exactly what was denied, including the requests from item 21 that should never be allowed.
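The following is an added example (not part of the original article) that works items 21, 27, 28 and 29 by hand on three constructed AVC records: it extracts the source type, target type, object class and permissions from each denial, prints the type enforcement rule that audit2allow would propose, and flags the denials that match the item 21 indicators of compromise (writes to shadow_t/etc_t, attempts to switch off enforcing, kernel module loading) so they are not blindly turned into allow rules. The sample records, pids and paths are constructed and not captured from any system.

```shell
#!/usr/bin/env bash
# Added example: offline AVC denial triage, not code from the original article.
# Input is text in the format of /var/log/audit/audit.log (or "ausearch -m avc" output).

# Constructed sample records, shaped like real AVC lines but not from a real host.
AVC_SAMPLE='type=AVC msg=audit(1623692467.123:4567): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1623692468.456:4568): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1623692469.789:4569): avc:  denied  { read write } for  pid=2222 comm="httpd" name="shadow" dev="dm-0" ino=777 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# Extract one key=value field from a record; the value may or may not be quoted.
avc_field() {  # $1 = record, $2 = key (scontext, tcontext, tclass, comm, pid, ...)
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# The permission set is the space-separated list between the braces.
avc_perms() { printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'; }

# Type is the third field of a context (user:role:type:level).
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# One "allow" rule per denial, in the form audit2allow -a prints.
avc_allow_rules() {
  printf '%s\n' "$1" | grep 'avc: *denied' | while IFS= read -r rec; do
    stype=$(ctx_type "$(avc_field "$rec" scontext)")
    ttype=$(ctx_type "$(avc_field "$rec" tcontext)")
    tclass=$(avc_field "$rec" tclass)
    perms=$(avc_perms "$rec")
    case "$perms" in
      *' '*) printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$perms" ;;
      *)     printf 'allow %s %s:%s %s;\n' "$stype" "$ttype" "$tclass" "$perms" ;;
    esac
  done
}

# Flag denials that match the item 21 indicators: never answer these with an allow rule.
avc_flag_risky() {
  printf '%s\n' "$1" | grep 'avc: *denied' | while IFS= read -r rec; do
    ttype=$(ctx_type "$(avc_field "$rec" tcontext)")
    tclass=$(avc_field "$rec" tclass)
    perms=" $(avc_perms "$rec") "
    reason=''
    case "$ttype" in
      shadow_t|etc_t)
        case "$perms" in *' write '*|*' append '*|*' create '*|*' unlink '*) reason="write to $ttype" ;; esac ;;
    esac
    case "$tclass:$perms" in
      security:*' setenforce '*) reason='attempt to switch off enforcing mode' ;;
      system:*' module_load '*)  reason='kernel module load' ;;
    esac
    if [ -n "$reason" ]; then
      printf 'RISKY pid=%s comm=%s: %s\n' "$(avc_field "$rec" pid)" "$(avc_field "$rec" comm)" "$reason"
    fi
  done
}

# Stand-alone run over the sample.
echo "Rules audit2allow would propose:"
avc_allow_rules "$AVC_SAMPLE"
echo "Denials that look like a compromise rather than a policy gap:"
avc_flag_risky "$AVC_SAMPLE"
```

On the sample, the first denial is a labeling problem (item 16: fix the label, do not add a rule), the second is a legitimate "SELinux needs to know" case that has a boolean (httpd_can_network_connect_db) rather than a custom module, and the third is a confined httpd trying to write /etc/shadow, which is the item 21 signal to start an incident rather than run audit2allow -M.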

30. To make a single process (domain) run in permissive mode: # semanage permissive -a httpd_t

31. If you no longer want the domain to be permissive: # semanage permissive -d httpd_t

32. To disable all permissive domains: # semodule -d permissivedomains

33. Enabling the MLS SELinux policy: # yum install selinux-policy-mls
In /etc/selinux/config:

SELINUX=permissive
SELINUXTYPE=mls

Make sure SELinux is running in permissive mode: # setenforce 0
Use the fixfiles script to ensure that the files are relabeled on the next reboot:

# fixfiles -F onboot
# reboot

34. Create a user with a specific MLS range: # useradd -Z staff_u john

Using the useradd command, map the new user to an existing SELinux user (in this case, staff_u).

35. To view the mapping between SELinux users and Linux users: # semanage login -l

36. Define a specific range for the user: # semanage login --modify --range s2:c100 john

37. To correct the label on the user's home directory (if needed): # chcon -R -l s2:c100 /home/john

38. To view the current categories: # chcat -L

39. To change categories or start creating your own, edit the file below (replace <selinuxtype> with the policy type from /etc/selinux/config, e.g. targeted or mls):

/etc/selinux/<selinuxtype>/setrans.conf

40. To run a command or script in a specific type, role and user context:

# runcon -t initrc_t -r system_r -u user_u yourcommandhere

  • -t type context
  • -r role context
  • -u user context

41. Running containers with SELinux separation disabled (the container then runs unconfined with respect to SELinux labeling):

  • Podman: # podman run --security-opt label=disable …
  • Docker: # docker run --security-opt label=disable …

42. If you need to give a container full access to the system:

  • Podman: # podman run --privileged …
  • Docker: # docker run --privileged …

And now you know the answer. So please: don't panic, and turn SELinux on.

Source: www.habr.com