Linux security subsystems

One of the reasons for the great success of the Linux OS on embedded and mobile devices and on servers is the fairly high degree of security of the kernel, its related services and applications. But if you look closely at the architecture of the Linux kernel, you will not find a box in it that is responsible for security as such. Where is the Linux security subsystem hidden, and what does it consist of?

Background on Linux Security Modules and SELinux

Security Enhanced Linux is a set of rules and access mechanisms based on mandatory and role-based access control models, designed to protect Linux systems from potential threats and to fix the shortcomings of Discretionary Access Control (DAC), the traditional Unix security system. The project originated in the depths of the US National Security Agency and was developed mainly by the contractors Secure Computing Corporation and MITRE, together with a number of research laboratories.

Figure: Linux Security Modules

Linus Torvalds made a number of remarks about the NSA's development so that it could be included in the mainline Linux kernel. He described a generic framework, with a set of interceptors to control operations on objects and a set of protective fields in kernel data structures to store the corresponding security attributes. This framework could then be used by loadable kernel modules to implement any desired security model. LSM was fully included in Linux kernel v2.6 in 2003.

The LSM design includes guard fields in data structures and calls to hook functions at critical points in the kernel code to manipulate them and make access decisions. It also adds functionality for registering security modules. The /sys/kernel/security/lsm interface contains a list of the modules active on the system. LSM hooks are kept in lists that are called in the order specified in CONFIG_LSM. Detailed documentation on the hooks is included in the header file include/linux/lsm_hooks.h.

The LSM subsystem made it possible to complete the full integration of SELinux in the same stable version of the Linux kernel, v2.6. Almost immediately SELinux became the de facto standard for a secure Linux environment and was included in the popular distributions: RedHat Enterprise Linux, Fedora, Debian, Ubuntu.

SELinux Glossary

  • Identity - A SELinux user is not the same as the usual Unix/Linux user id; they can coexist on the same system but are entirely different in nature. Each standard Linux account can correspond to one or more SELinux users. The SELinux identity is part of the overall security context, which determines which domains you can and cannot enter.
  • Domains - In SELinux, a domain is the execution context of a subject, that is, a process. The domain directly determines what access a process has. A domain is essentially a list of what processes can do, or which actions a process can perform on different types. Some examples of domains are sysadm_t for system administration and user_t, which is the ordinary unprivileged user domain. The init system runs in the init_t domain, and the named process runs in the named_t domain.
  • Roles - What serves as an intermediary between domains and SELinux users. Roles determine which domains a user can use and which object types they can access. This access control mechanism prevents the threat of privilege escalation attacks. Roles are part of the Role Based Access Control (RBAC) security model used in SELinux.
  • Types - A Type Enforcement attribute that is assigned to an object and determines who can access it. It is similar to the definition of a domain, except that a domain applies to processes, and a type applies to objects such as directories, files, sockets, and so on.
  • Subjects and objects - Processes are subjects and run in a particular context, or security domain. Operating system resources (files, directories, sockets, and so on) are objects that are assigned a certain type, in other words, a sensitivity level.
  • SELinux policy - SELinux uses a variety of policies to protect the system. The SELinux policy defines the access of users to roles, of roles to domains, and of domains to types. First, the user is authorized to take a role, then the role is authorized to enter domains. Finally, a domain can only access certain types of objects.

LSM and SELinux architecture

Despite the name, LSMs are generally not loadable Linux modules. Instead, like SELinux, they are integrated directly into the kernel. Any change to the LSM source code requires recompiling the kernel. The corresponding option must be enabled in the kernel configuration, otherwise the LSM code will not be activated after boot. But even in that case, it can be enabled through an OS bootloader option.

Figure: LSM check stack

LSM is fitted with hooks in the core kernel functions that may be relevant for checks. One of the main features of LSMs is that they are stacked. Thus the usual checks are still performed, and each LSM layer only adds further controls and checks. This means that a denial cannot be reverted. This is shown in the figure: if the DAC check fails, the matter never even reaches the LSM hooks.

SELinux borrows the Flask security architecture from the Fluke research operating system, in particular the principle of least privilege. The essence of this concept, as its name suggests, is to grant a user or process only those rights that are needed to perform the intended actions. This principle is implemented using mandatory type enforcement, so access control in SELinux is based on the domain => type model.

Thanks to mandatory type enforcement, SELinux has much greater control capabilities than the traditional DAC model used in Unix/Linux operating systems. For example, you can restrict the network port number that an ftp server will bind to, or allow writing and modifying files in a certain folder but not deleting them.

The main components of SELinux are:

  • Policy Enforcement Server - the main mechanism for organizing access control.
  • System security policy database.
  • Interaction with the LSM event interceptor.
  • Selinuxfs - a pseudo-FS, similar to /proc and mounted at /sys/fs/selinux. It is populated dynamically by the Linux kernel at runtime and contains files with SELinux state information.
  • Access Vector Cache - an auxiliary mechanism for increasing performance.

Figure: how SELinux works

It all works like this.

  1. A subject, in SELinux terms, performs a permitted action on an object after the DAC check, as shown in the figure above. This request to perform the operation goes to the LSM event interceptor.
  2. From there the request, together with the security contexts of the subject and the object, is passed to the SELinux Abstraction and Hook Logic module, which is responsible for interacting with LSM.
  3. The authority that decides on the subject's access to the object is the Policy Enforcement Server, and it receives its data from SELinux AnHL.
  4. To decide whether to grant or deny access, the Policy Enforcement Server turns to the Access Vector Cache (AVC) caching subsystem for the most frequently used rules.
  5. If the answer for the relevant rule is not found in the cache, the request is passed on to the security policy database.
  6. The lookup result from the database and the AVC is returned to the Policy Enforcement Server.
  7. If the policy found matches the requested action, the operation is allowed. Otherwise, the operation is denied.

Managing SELinux settings

SELinux operates in one of three modes:

  • Enforcing - strict enforcement of the security policies.
  • Permissive - violations of the restrictions are allowed; a corresponding entry is written to the log.
  • Disabled - the security policies are not in effect.

You can see which mode SELinux is in with the following command.

[admin@server ~]$ getenforce
Permissive

To change the mode until the next reboot, for example to set it to enforcing, or 1. The permissive parameter corresponds to the numeric code 0.

[admin@server ~]$ setenforce enforcing
[admin@server ~]$ setenforce 1 # the same thing

You can also change the mode by editing the file:

[admin@server ~]$ cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.

SELINUXTYPE=targeted

The difference from setenforce is that when the operating system boots, the SELinux mode will be set according to the value of the SELINUX parameter in the configuration file. Moreover, the enforcing <=> disabled switch only takes effect by editing the /etc/selinux/config file and only after a reboot.

Let's look at a summary of the state:

[admin@server ~]$ sestatus

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31

To view SELinux attributes, some of the standard utilities take the -Z parameter.

[admin@server ~]$ ls -lZ /var/log/httpd/
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20200920
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20200927
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20201004
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20201011
[admin@server ~]$ ps -u apache -Z
LABEL                             PID TTY          TIME CMD
system_u:system_r:httpd_t:s0     2914 ?        00:00:04 httpd
system_u:system_r:httpd_t:s0     2915 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2916 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2917 ?        00:00:00 httpd
...
system_u:system_r:httpd_t:s0     2918 ?        00:00:00 httpd

Compared to the usual output of ls -l, there are several additional fields in the following format:

<user>:<role>:<type>:<level>

The last field denotes something like a security level and consists of a combination of two elements:

  • s0 - sensitivity, also written as a low-high range
  • c0, c1 ... c1023 - category.
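As an added example (not code from the original article), here is a small POSIX shell helper that splits a context into the fields listed above and, on top of that, counts processes per domain from ps -Z style output; the level field may itself contain colons (s0-s0:c0.c1023), which is the edge case a naive split on ':' gets wrong. The ps sample is constructed from the httpd lines shown earlier plus a hypothetical admin shell.

```shell
# Split a SELinux security context <user>:<role>:<type>:<level> into its
# parts. The level may itself contain ':' (s0-s0:c0.c1023), so only the
# first three ':' are separators and everything after them is the level.
ctx_field() {
    # $1 = context string, $2 = user | role | type | level | low | high | cats
    case $2 in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        level) printf '%s\n' "$1" | cut -d: -f4- ;;
        # low / high sensitivity of a range; a single level such as s0 is both
        low)   ctx_field "$1" level | cut -d- -f1 | cut -d: -f1 ;;
        high)  ctx_field "$1" level |
                   awk -F- '{ split(($2 == "") ? $1 : $2, s, ":"); print s[1] }' ;;
        # categories of the high end; empty when the level carries none
        cats)  ctx_field "$1" level |
                   awk -F- '{ n = split(($2 == "") ? $1 : $2, s, ":"); v = (n > 1) ? s[2] : ""; print v }' ;;
        *)     printf 'unknown field: %s\n' "$2" >&2; return 1 ;;
    esac
}

# Count processes per domain from `ps -eZ`-style input (LABEL is the first
# column; the header line is skipped). A daemon that shows up in unconfined_t
# rather than its own domain is not confined by the targeted policy at all
# and deserves a look.
domains_from_ps() {
    awk 'NR > 1 { split($1, f, ":"); n[f[3]]++ } END { for (d in n) print n[d], d }' | sort -rn
}

# Constructed sample: two httpd workers as shown above plus a hypothetical shell.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:httpd_t:s0     2914 ?        00:00:04 httpd
system_u:system_r:httpd_t:s0     2915 ?        00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3001 pts/0 00:00:00 bash'

sample_domains() { printf '%s\n' "$SAMPLE_PS" | domains_from_ps; }

ctx_field 'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023' cats
sample_domains
```

On a live system the same summary comes from `ps -eZ | domains_from_ps`.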

Changing the access configuration

Use semodule to load, add and remove SELinux modules.

[admin@server ~]$ semodule -l |wc -l # list all modules
408
[admin@server ~]$ semodule -e abrt # enable the module
[admin@server ~]$ semodule -d accountsd # disable the module
[admin@server ~]$ semodule -r avahi # remove the module

The first semanage login command maps a SELinux user to an operating system user, the second shows the list. Finally, the last command, with the -d switch, removes the mapping of a SELinux user to an OS account. The syntax of the MLS/MCS Range value was described in the previous section.

[admin@server ~]$ semanage login -a -s user_u karol
[admin@server ~]$ semanage login -l

Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
root unconfined_u s0-s0:c0.c1023 *
system_u system_u s0-s0:c0.c1023 *
[admin@server ~]$ semanage login -d karol

The semanage user command is used to manage the mapping between SELinux users and roles.

[admin@server ~]$ semanage user -l
                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range             SELinux Roles
guest_u         user       s0         s0                    guest_r
staff_u         staff      s0         s0-s0:c0.c1023        staff_r sysadm_r
...
user_u          user       s0         s0                    user_r
xguest_u        user       s0         s0                    xguest_r
[admin@server ~]$ semanage user -a -R 'staff_r user_r' test_u
[admin@server ~]$ semanage user -d test_u

Command parameters:

  • -a add a user mapping record;
  • -l list the SELinux users and their roles;
  • -d delete a user mapping record;
  • -R the list of roles attached to the user.

Files, ports and Boolean values

Each SELinux module provides a set of file labeling rules, but you can also add your own rules if needed. For example, we want the web server to have access to the /srv/www folder.

[admin@server ~]$ semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"
[admin@server ~]$ restorecon -R /srv/www/

The first command writes the new labeling rules, and the second sets, or rather resets, the file types according to the existing rules.

Similarly, TCP/UDP ports are labeled so that only the appropriate services can listen on them. For example, for the web server to listen on port 8080, you need to run the command.

[admin@server ~]$ semanage port -m -t http_port_t -p tcp 8080

A significant number of SELinux modules have parameters that take Boolean values. The full list of such parameters can be seen with getsebool -a. You can change a boolean value with setsebool.

[admin@server ~]$ getsebool httpd_enable_cgi
httpd_enable_cgi --> on
[admin@server ~]$ setsebool -P httpd_enable_cgi off
[admin@server ~]$ getsebool httpd_enable_cgi
httpd_enable_cgi --> off

Workshop: getting access to the pgadmin-web interface

Let's look at a practical example: we installed pgadmin4-web on RHEL 7.6 to manage a PostgreSQL database. We went through a small quest with the settings of pg_hba.conf, postgresql.conf and config_local.py, set the folder permissions, installed the missing Python modules from pip. Everything is ready, we start it and get 500 Internal Server Error.


We start with the usual suspects and look at /var/log/httpd/error_log. There are some interesting entries there.

[timestamp] [core:notice] [pid 23689] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
...
[timestamp] [wsgi:error] [pid 23690] [Errno 13] Permission denied: '/var/lib/pgadmin'
[timestamp] [wsgi:error] [pid 23690] [timestamp] [wsgi:error] [pid 23690] HINT : You may need to manually set the permissions on
[timestamp] [wsgi:error] [pid 23690] /var/lib/pgadmin to allow apache to write to it.

At this point, most Linux administrators will be strongly tempted to run setenforce 0, and that will be the end of it. Honestly, I did exactly that the first time. This is, of course, also a way out, but far from the best one.

Despite its cumbersome configuration, SELinux can be user-friendly. Just install the setroubleshoot package and look at the system log.

[admin@server ~]$ yum install setroubleshoot
[admin@server ~]$ journalctl -b -0
[admin@server ~]$ service auditd restart

Note that the auditd service must be restarted in exactly this way, not via systemctl, even though the OS has systemd. The system log will show not only the fact of the block, but also its reason and a way to lift the restriction.
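As an added example (not part of the original article), the following shell/awk helper summarises the AVC denial records that auditd writes to audit.log, one line per source domain, target type, object class and denied permissions, so you see what was blocked before deciding how to fix it. The sample records are constructed to mirror this workshop (httpd refused to write under /var/lib/pgadmin and to connect to the PostgreSQL port); the timestamps, inode and the var_lib_t/postgresql_port_t labels are assumed for the sample.

```shell
# Summarise AVC denial records (as written to /var/log/audit/audit.log) from
# stdin into one line per "source type -> target type (class) { permissions }",
# prefixed with how often that combination occurred. Reading this before
# touching setenforce shows exactly which domain was refused what.
avc_summary() {
    awk '
    /^type=AVC/ && /avc: +denied/ {
        perms = ""; st = ""; tt = ""; cls = ""
        # the denied permissions sit inside the braces: { write add_name }
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            # third field of a context is the type (the domain for the source)
            if ($i ~ /^scontext=/) { split(substr($i, 10), f, ":"); st = f[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), f, ":"); tt = f[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        count[st " -> " tt " (" cls ") { " perms " }"]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample records (values assumed, not taken from a real system)
# mirroring the workshop: httpd refused to write under /var/lib/pgadmin and
# to connect to the PostgreSQL port.
SAMPLE_AVC='type=AVC msg=audit(1601000000.123:456): avc:  denied  { write } for  pid=23690 comm="httpd" name="pgadmin" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1601000000.124:457): avc:  denied  { write } for  pid=23690 comm="httpd" name="pgadmin" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1601000000.200:458): avc:  denied  { name_connect } for  pid=23690 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0'

sample_avc_summary() { printf '%s\n' "$SAMPLE_AVC" | avc_summary; }

sample_avc_summary
```

On a real host, `grep '^type=AVC' /var/log/audit/audit.log | avc_summary` gives the same view of live denials.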


We run these commands:

[admin@server ~]$ setsebool -P httpd_can_network_connect 1
[admin@server ~]$ setsebool -P httpd_can_network_connect_db 1

We check access to the pgadmin4-web web page: everything works.


Source: www.habr.com