Translation of an article prepared for students of the course
SELinux, or Security-Enhanced Linux, is an improved access-control mechanism developed by the US National Security Agency (NSA) to prevent malicious intrusions. It implements a mandatory access control (MAC) model on top of the existing discretionary access control (DAC) model, that is, the read, write and execute permissions.
SELinux has three modes:
- Enforcing - access is denied according to the policy rules.
- Permissive - keeps a log of actions that violate the policy and that would be denied in enforcing mode.
- Disabled - SELinux is completely turned off.
By default the settings are located in /etc/selinux/config
Switching SELinux modes
To find out the current mode, run
$ getenforce
To switch the mode to permissive, run the following command
$ setenforce 0
or, to switch from permissive to enforcing, run
$ setenforce 1
If you need to disable SELinux completely, this can only be done through the configuration file
$ vi /etc/selinux/config
To disable it, change the SELINUX parameter as follows:
SELINUX=disabled
Setting up SELinux
Every file and process is marked with an SELinux context, which holds additional information such as user, role, type and so on. If this is the first time you are enabling SELinux, you first have to set up the contexts and labels. The process of assigning labels and contexts is known as labeling. To start labeling, we change the mode to permissive in the configuration file.
$ vi /etc/selinux/config
SELINUX=permissive
After setting permissive mode, create an empty hidden file named .autorelabel in the root directory
$ touch /.autorelabel
and reboot the computer
$ init 6
Note: we use permissive mode for labeling, because using enforcing mode could crash the system during boot.
Don't worry if the boot appears stuck on some file; labeling takes time. Once labeling is complete and your system has booted, you can go to the configuration file, set the mode to enforcing, and also run:
$ setenforce 1
You have now enabled SELinux on your computer.
Analyzing the logs
You may have run into some errors during labeling or while the system is running. To check whether your SELinux is working correctly and whether it is blocking access to some port, application and so on, you need to look at the logs. The SELinux log is located in /var/log/audit/audit.log, but you don't have to read the whole thing to find the errors. You can use the audit2why utility to find them. Run the following command:
$ audit2why < /var/log/audit/audit.log
As a result, you will get a list of errors. If there were no errors in the log, no message will be displayed.
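audit2why explains each denial one by one; the script below is an added example (not from the original article) that groups raw AVC lines from audit.log by source type, target type, object class and permission, so the domain and label behind a burst of denials stand out at a glance. The audit lines are constructed samples, and the function name summarize_avc is my own.

```shell
#!/bin/sh
# Constructed sample of audit.log lines (not from a real system): three
# httpd denials against a mislabeled home directory and one vsftpd denial
# logged while that domain was permissive.
SAMPLE_AUDIT=$(cat <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { getattr } for  pid=1201 comm="httpd" path="/home/dan/html" dev="dm-0" ino=4240 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { read } for  pid=1201 comm="httpd" name="style.css" dev="dm-0" ino=4243 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { write } for  pid=1333 comm="vsftpd" name="upload.txt" dev="dm-0" ino=5151 scontext=system_u:system_r:ftpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=2 success=no exit=-13 comm="vsftpd" subj=system_u:system_r:ftpd_t:s0
EOF
)

# summarize_avc: read audit.log lines on stdin and print one line per
# distinct (source type, target type, object class, permission, mode),
# prefixed by how often it occurred, most frequent first.
# permissive=1 means the access was logged but not blocked.
summarize_avc() {
  awk '
    /^type=AVC / && / denied / {
      s = index($0, "{ "); e = index($0, " }")
      perms = substr($0, s + 2, e - s - 2)      # e.g. "read" or "read write"
      src = ""; tgt = ""; cls = ""; mode = "enforcing"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }   # type field
        else if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
        else if ($i ~ /^tclass=/) cls = substr($i, 8)
        else if ($i == "permissive=1") mode = "permissive"
      }
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) count[src " " tgt " " cls " " p[j] " " mode]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2
}

# Usage: the top line names the domain and the label involved in most denials.
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
```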
Configuring SELinux policy
An SELinux policy is a set of rules that governs the SELinux security mechanism. A policy defines a set of rules for a specific environment. Now we will learn how to configure policies to allow access to services that are being denied.
1. Boolean values (switches)
Booleans (switches) allow you to change parts of the policy at runtime without creating new policies. They let you make changes without rebooting or recompiling SELinux policies.
Example:
Suppose we want to share a user's home directory over FTP for reading and writing, and we have already shared it, but when we try to access it we see nothing. This happens because the SELinux policy prevents the FTP server from reading and writing the user's home directory. We need to change the policy so that the FTP server can access home directories. Let's see whether there are switches for this by running
$ semanage boolean -l
This command lists the available switches with their current state (on or off) and a description. You can narrow the search by adding grep to get only ftp-related results:
$ semanage boolean -l | grep ftp
and you will get the following
ftp_home_dir -> off Allow ftp to read & write file in user home directory
This switch is off, so we enable it with setsebool
$ setsebool ftp_home_dir on
Now our ftp daemon will be able to access the user's home directory.
Note: you can also get the list of available switches without descriptions by running getsebool -a
2. Labels and contexts
This is the most common way of using SELinux policy. Every file, folder, process and port is labeled with an SELinux context:
- For files and folders, labels are stored as extended attributes of the file system and can be viewed with the following command:
$ ls -Z /etc/httpd
- For processes and ports, labeling is managed by the kernel, and you can view these labels as follows:
process
$ ps auxZ | grep httpd
port
$ netstat -anpZ | grep httpd
Example:
Now let's look at an example to better understand labels and contexts. Suppose we have a web server that, instead of the directory /var/www/html/, uses /home/dan/html/. SELinux will consider this a policy violation and you will not be able to see your web pages. This is because we have not set the security context associated with HTML files. To see the default security context, use the following command:
$ ls -lZ /var/www/html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/
We see httpd_sys_content_t as the context of the html files. We need to set this security context on our current directory, which at the moment has the following context:
-rw-r--r--. dan dan system_u:object_r:user_home_t:s0 /home/dan/html/
Another command for checking the security context of a file or directory:
$ semanage fcontext -l | grep '/var/www'
We will also use semanage to change the context once we have found the right security context. To change the context of /home/dan/html, run the following commands:
$ semanage fcontext -a -t httpd_sys_content_t '/home/dan/html(/.*)?'
$ semanage fcontext -l | grep '/home/dan/html'
/home/dan/html(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
$ restorecon -Rv /home/dan/html
After the context has been changed with semanage, the restorecon command applies the context settings to the files and directories. Our web server can now read files from the /home/dan/html folder, because the security context of this folder has been changed to httpd_sys_content_t.
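As an added check that is not part of the original article, the script below models what the semanage rule and restorecon do together: expected_type picks the type a path should carry from constructed fcontext rules, using the same (/.*)? pattern as above, and label_drift lists the entries whose current label disagrees, the way restorecon -nv previews what restorecon -Rv would change. The rules, the sample labels, the function names and the last-match-wins simplification are all my assumptions, not libselinux's exact matching algorithm.

```shell
#!/bin/sh
# Constructed file-context rules in the layout that semanage fcontext -l prints
# (regex, file type, context), two spaces between fields. The generic home-dir
# rule comes first and the local rule added with semanage -a comes last.
FCONTEXT_RULES='/home/[^/]+(/.*)?  all files  unconfined_u:object_r:user_home_t:s0
/var/www(/.*)?  all files  system_u:object_r:httpd_sys_content_t:s0
/home/dan/html(/.*)?  all files  system_u:object_r:httpd_sys_content_t:s0'

# expected_type PATH: the type a path should carry according to the rules.
# Simplification assumed here: the last rule whose regex matches the whole
# path wins (local rules override the base policy); prints nothing if none match.
expected_type() {
  printf '%s\n' "$FCONTEXT_RULES" | awk -v p="$1" -F'  +' '
    $0 != "" && p ~ ("^" $1 "$") { split($3, c, ":"); t = c[3] }
    END { print t }'
}

# Constructed current labels in "ls -Z" order (context, then path), as they
# would look after the semanage rule was added but before restorecon ran.
CURRENT_LABELS='unconfined_u:object_r:user_home_t:s0 /home/dan/html
unconfined_u:object_r:user_home_t:s0 /home/dan/html/index.html
unconfined_u:object_r:user_home_t:s0 /home/dan/notes.txt
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html'

# label_drift: print "path current_type -> expected_type" for every entry whose
# on-disk label disagrees with the rules, which is what restorecon -nv would
# report before you run restorecon -Rv for real.
label_drift() {
  printf '%s\n' "$CURRENT_LABELS" | while read -r ctx path; do
    cur=$(printf '%s' "$ctx" | cut -d: -f3)
    exp=$(expected_type "$path")
    [ "$cur" = "$exp" ] || printf '%s %s -> %s\n' "$path" "$cur" "$exp"
  done
}

# Usage: only the two entries under /home/dan/html are reported; notes.txt
# still matches the generic home-directory rule and stays user_home_t.
label_drift
```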
3. Creating local policies
There may be situations where the methods above are of no use to you and you get errors (avc/denial) in audit.log. When this happens, you need to create a local policy. You can find all the errors with audit2why, as described above.
You can create a local policy to fix the errors. For example, say we get an error related to httpd (apache) or smbd (samba); we grep the errors and create a policy for them:
apache
$ grep httpd_t /var/log/audit/audit.log | audit2allow -M http_policy
samba
$ grep smbd_t /var/log/audit/audit.log | audit2allow -M smb_policy
where http_policy and smb_policy are the names of the local policies we have created. Now we need to load these created local policies into the current SELinux policy. This can be done as follows:
$ semodule -i http_policy.pp
$ semodule -i smb_policy.pp
Our local policies are loaded, and we should no longer get any avc or denial in audit.log.
This was my attempt to help you understand SELinux. I hope that after reading this article you will feel more comfortable with SELinux.
Source: www.habr.com