A Beginner's Guide kune SELinux

Translation of an article prepared for students of the "Linux Security" course

SELinux, or Security Enhanced Linux, is an improved access control mechanism developed by the US National Security Agency (NSA) to prevent malicious intrusions. It implements a mandatory access control (MAC) model on top of the existing discretionary access control (DAC) model, i.e. the read, write and execute permissions.

SELinux has three modes:

  1. Enforcing - access is denied according to the policy rules.
  2. Permissive - a log is kept of actions that violate the policy and that would be denied in enforcing mode.
  3. Disabled - SELinux is completely switched off.

By default, the settings are in /etc/selinux/config

Changing SELinux modes

To find out the current mode, run

$ getenforce

To switch to permissive mode, run the following command

$ setenforce 0

or, to switch from permissive to enforcing, run

$ setenforce 1

If you need to disable SELinux completely, this can only be done through the configuration file

$ vi /etc/selinux/config

To disable it, change the SELINUX parameter as follows:

SELINUX=disabled

Setting up SELinux

Every file and process is marked with an SELinux context, which carries additional information such as user, role, type, etc. If this is your first time enabling SELinux, you will first need to set up the contexts and labels. The process of assigning labels and contexts is known as labeling. To begin labeling, we change the mode to permissive in the configuration file.

$ vi /etc/selinux/config
SELINUX=permissive

After setting permissive mode, create an empty hidden file in the root directory named autorelabel

$ touch /.autorelabel

and reboot the computer

$ init 6

Note: we use permissive mode for labeling, since using enforcing mode can cause the system to crash during boot.

Don't worry if the boot appears to hang on some file; labeling takes time. Once labeling is complete and your system has booted, you can go to the configuration file, set enforcing mode and also run:

$ setenforce 1

You have now enabled SELinux on your computer.

Examining the logs

You may have encountered some errors during labeling or while the system is running. To check whether your SELinux is working correctly and whether it is blocking access to any port, application, etc., you need to look at the logs. The SELinux log is located in /var/log/audit/audit.log, but you don't have to read all of it to find errors. You can use the audit2why utility to find the errors. Run the following command:

$ audit2why < /var/log/audit/audit.log

As a result, you will get a list of errors. If there were no errors in the log, no messages will be displayed.

Configuring SELinux policy

An SELinux policy is a set of rules that govern the SELinux security mechanism. A policy defines a set of rules for a specific environment. We will now learn how to configure the policy to allow access to services that are denied.

1. Booleans (switches)

Booleans (switches) allow you to change parts of the policy at runtime, without creating new policies. They let you make changes without restarting or recompiling the SELinux policy.

Example:
Let's say we want to share a user's home directory over FTP with read/write access, and we have already shared it, but when we try to access it we see nothing. This happens because the SELinux policy prevents the FTP server from reading and writing to the user's home directory. We need to change the policy so that the FTP server can access home directories. Let's see if there are any switches for this by running

$ semanage boolean -l

This command lists the available switches with their current state (on or off) and a description. You can narrow your search by adding grep to get only ftp-related results:

$ semanage boolean -l | grep ftp

and you will get the following

ftp_home_dir        -> off       Allow ftp to read & write file in user home directory

This switch is off, so we will enable it with setsebool:

$ setsebool ftp_home_dir on

Now our ftp daemon will be able to access the user's home directory.
Note: you can also get a list of the available switches without descriptions by running getsebool -a

2. Labels and contexts

This is the most common way of using SELinux policy. Every file, folder, process and port is marked with an SELinux context:

  • For files and folders, labels are stored as extended attributes on the file system and can be viewed with the following command:
    $ ls -Z /etc/httpd
  • For processes and ports, labeling is managed by the kernel, and you can view these labels as follows:

process

$ ps -auxZ | grep httpd

port

$ netstat -anpZ | grep httpd

Example:
Now let's look at an example to better understand labels and contexts. Suppose we have a web server that uses /home/dan/html/ instead of the /var/www/html/ directory. SELinux will treat this as a policy violation and you will not be able to see your web pages. This happens because we have not set the security context associated with HTML files. To view the default security context, use the following command:

$ ls -lZ /var/www/html
 -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/

Here we got httpd_sys_content_t as the context for html files. We need to set this security context on our current directory, which at the moment has the following context:

-rw-r--r--. dan dan system_u:object_r:user_home_t:s0 /home/dan/html/

Another command for checking the security context of a file or directory:

$ semanage fcontext -l | grep '/var/www'

We will also use semanage to change the context once we have found the right security context. To change the context of /home/dan/html, run the following commands:

$ semanage fcontext -a -t httpd_sys_content_t '/home/dan/html(/.*)?'
$ semanage fcontext -l | grep '/home/dan/html'
/home/dan/html(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
$ restorecon -Rv /home/dan/html

After the context has been changed with semanage, the restorecon command applies the default context to the files and directories. Our web server can now read files from the /home/dan/html folder, because this folder's security context has been changed to httpd_sys_content_t.
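To see why the spec is written as '/home/dan/html(/.*)?' rather than a plain path, the following added example (not part of the original article) resolves a path against a small constructed table of file-context specs the way restorecon consults the rules added with semanage fcontext: each spec is an anchored regex, and the last matching rule wins.

```shell
#!/bin/sh
# Added example, not the article's own tooling: mimic how restorecon resolves a
# path to an SELinux type via anchored regex specs like '/home/dan/html(/.*)?'.

# Constructed rule table, "<regex> <type>" per line. Local customizations come
# last, so a more specific rule added with semanage overrides the generic one.
FCONTEXT_RULES='/var/www(/.*)? httpd_sys_content_t
/home/[^/]+(/.+)? user_home_t
/home/dan/html(/.*)? httpd_sys_content_t'

# fcontext_type PATH -> prints the type of the last spec matching the whole
# path, or "no_match" when no rule applies.
fcontext_type() {
    path=$1
    result=no_match
    while read -r spec type; do
        # grep -x anchors the spec to the whole path, like the SELinux matcher;
        # without the "(/.*)?" suffix a spec would match only the directory itself.
        if printf '%s\n' "$path" | grep -Eqx -- "$spec"; then
            result=$type
        fi
    done <<EOF
$FCONTEXT_RULES
EOF
    printf '%s\n' "$result"
}

# Demonstration on constructed paths: the directory and everything below it
# get httpd_sys_content_t; a sibling such as /home/dan/htmlx does not.
for p in /home/dan/html /home/dan/html/index.html /home/dan/htmlx /srv/other; do
    printf '%-28s %s\n' "$p" "$(fcontext_type "$p")"
done
```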

3. Creating local policies

There may be situations where the methods above do not help you and you get errors (avc/denial) in audit.log. When this happens, you need to create a local policy. You can find all the errors with audit2why, as described above.

You can create a local policy to resolve the errors. For example, if we get errors related to httpd (apache) or smbd (samba), we grep the errors and create a policy for them:

apache
$ grep httpd_t /var/log/audit/audit.log | audit2allow -M http_policy
samba
$ grep smbd_t /var/log/audit/audit.log | audit2allow -M smb_policy

Here http_policy and smb_policy are the names of the local policies we have created. Now we need to load these local policies into the current SELinux policy. This can be done as follows:

$ semodule -i http_policy.pp
$ semodule -i smb_policy.pp

Our local policies have been loaded and we should no longer get any avc or denial messages in audit.log.
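To make concrete what the audit2why and audit2allow steps above consume and produce, here is an added example (not the article's or the SELinux project's own code) that reads AVC denial records from audit.log and folds them into Type Enforcement allow rules per source type, target type and object class, which is the core of what audit2allow does before packaging a module. The audit.log excerpt is constructed; a real run would pipe the grep output from the apache and samba commands above into the function.

```shell
#!/bin/sh
# Added example: derive "allow" rules from AVC denials, audit2allow-style.
# Input: audit.log lines on stdin. Output: one rule per (source, target:class).

avc_to_allow() {
    # Pass 1: one "stype ttype class perm" line per denied permission.
    awk '/^type=AVC / && /denied *\{/ {
        match($0, /\{[^}]*\}/)                    # "{ read getattr }"
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        stype = ""; ttype = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); stype = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); ttype = a[3] }
            else if ($i ~ /^tclass=/) cls = substr($i, 8)
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print stype, ttype, cls, p[j]
    }' |
    LC_ALL=C sort -u |
    # Pass 2: sorted input keeps equal keys adjacent, so fold them into one rule.
    awk '{
        key = $1 " " $2 ":" $3
        if (key != cur) {
            if (cur != "") printf "allow %s { %s };\n", cur, perms
            cur = key; perms = $4
        } else perms = perms " " $4
    }
    END { if (cur != "") printf "allow %s { %s };\n", cur, perms }'
}

# Constructed audit.log excerpt: two httpd denials on a user_home_t file, one
# smbd denial on a user_home_t directory, and a SYSCALL record to be skipped.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000000.124:457): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/home/dan/html/index.html" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.125:458): avc:  denied  { read search } for  pid=1235 comm="smbd" name="html" dev="dm-0" ino=98 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0'

# Prints:
#   allow httpd_t user_home_t:file { getattr read };
#   allow smbd_t user_home_t:dir { read search };
printf '%s\n' "$SAMPLE_AUDIT" | avc_to_allow
```

The generated rules are exactly as broad as the denials that produced them; the httpd rule here is what the relabeling in section 2 makes unnecessary, so check whether a boolean or a label fixes a denial before loading a module that grants it.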

This was my attempt to help you understand SELinux. I hope that after reading this article you will feel much more comfortable with SELinux.

Source: www.habr.com
