Here you will find answers to the important questions about life, the universe, and everything Linux with hardened security.
"The important fact that things are not always what they seem is common knowledge..."
- Douglas Adams, The Hitchhiker's Guide to the Galaxy
Increased security assurance. Policy compliance. The Four Horsemen of the sysadmin's comfort. On top of our daily tasks - monitoring, backups, deployment, configuration, updates, etc. - we are also responsible for the security of our systems. Even on systems where a third-party vendor advises us to give up hardened security. It sounds like a job for Ethan Hunt from "Mission: Impossible."
Faced with this problem, some system administrators decide to take the blue pill, because they believe they will never know the answer to the great question of life, the universe, and everything. As we all know, that answer is 42.
4. The purpose of Multi-Level Security (MLS) is to manage processes (domains) based on the security level of the data they will use. For example, a secret process cannot read top-secret data.
5. Multi-Category Security (MCS) protects similar processes from each other (for example, virtual machines, OpenShift gears, SELinux sandboxes, containers, etc.).
6. Kernel options to change the SELinux mode at boot:
autorelabel=1 → forces the system to relabel
selinux=0 → the kernel does not load the SELinux infrastructure
enforcing=0 → boot in permissive mode
7. If you need to relabel the whole system:
# touch /.autorelabel
# reboot
If the system's labeling contains a large number of errors, you may need to boot into permissive mode for the relabel to succeed.
8. To check whether SELinux is enabled: # getenforce
9. To temporarily enable/disable SELinux enforcement: # setenforce [1|0]
10. To check the SELinux status: # sestatus
11. Configuration file: /etc/selinux/config
12. How does SELinux work? Here is an example of labeling for an Apache web server:
A process running in the httpd_t context can interact with an object labeled httpd_something_t.
13. Many commands accept the -Z argument to view, create, and modify contexts:
ls -Z
id -Z
ps -Z
netstat -Z
cp -Z
mkdir -Z
Contexts are set when files are created, based on the context of the parent directory (with some exceptions). RPMs can set contexts at install time.
14. There are four main causes of SELinux errors, described in detail in items 15-21 below:
Labeling problems
Something SELinux needs to know
A bug in the SELinux policy/application
Your information may have been compromised
15. Labeling problem: if your files in /srv/myweb are labeled incorrectly, access may be denied. Here are some ways to fix this:
If you know a path with equivalent labeling, make /srv/myweb inherit its rules: # semanage fcontext -a -e /var/www /srv/myweb
Restore the context (in either case): # restorecon -vR /srv/myweb
16. Labeling problem: if you move a file instead of copying it, the file keeps its original context. To fix this problem:
Change the context by setting the type label: # chcon -t httpd_sys_content_t /var/www/html/index.html
Change the context using a reference file's label: # chcon --reference /var/www/html/ /var/www/html/index.html
Restore the context (in either case): # restorecon -vR /var/www/html/
17. Something SELinux needs to know: if HTTPD is listening on port 8585, tell SELinux:
# semanage port -a -t http_port_t -p tcp 8585
18. Something SELinux needs to know: Boolean values allow parts of the SELinux policy to be changed at runtime without any knowledge of SELinux policy writing. For example, if you want httpd to send mail, enter: # setsebool -P httpd_can_sendmail 1
19. Something SELinux needs to know: boolean values for enabling/disabling SELinux settings:
To see all boolean values: # getsebool -a
To see a description of each: # semanage boolean -l
To set a boolean value: # setsebool [_boolean_] [1|0]
For a permanent setting, add -P. For example: # setsebool httpd_enable_ftp_server 1 -P
20. SELinux policies/applications can contain bugs, including:
Unusual code paths
Configuration
Redirection of stdout
Leaked file descriptors
Executable memory
Badly built libraries
Open a ticket (do not report it to Bugzilla; Bugzilla has no SLA).
21. Your information may have been compromised if you have confined domains trying to:
Load kernel modules
Turn off SELinux enforcing mode
Write to etc_t/shadow_t
Modify iptables rules
22. SELinux tools for policy module development:
Jun 14 19:41:07 web1 setroubleshoot: SELinux is preventing httpd from getattr access on the file /var/www/html/index.html. For complete message run: sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e
# sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e
SELinux is preventing httpd from getattr access on the file /var/www/html/index.html.
***** Plugin restorecon (99.5 confidence) suggests ************************
If you want to fix the label,
/var/www/html/index.html default label should be httpd_syscontent_t.
Then you can restorecon.
Do
# /sbin/restorecon -v /var/www/html/index.html
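Added triage script (not from the original article): it scans constructed audit and syslog lines in the real AVC/setroubleshoot formats, flags the item 21 indicators (a confined domain trying to load a kernel module, turn off enforcing mode, or write to shadow_t/etc_t), and pulls the sealert ID out of setroubleshoot messages as in item 22. The function names and the sample pids, inodes and timestamps are constructed for the example.

```shell
#!/bin/sh
# Constructed sample log: three item 21 indicators, one ordinary labeling
# denial (item 15/16 territory) and the setroubleshoot line from item 22.
SAMPLE_LOG='type=AVC msg=audit(1700000000.101:201): avc:  denied  { sys_module } for  pid=1234 comm="httpd" capability=16  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { write } for  pid=1234 comm="httpd" name="shadow" dev="dm-0" ino=1337 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { setenforce } for  pid=1234 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
Jun 14 19:41:07 web1 setroubleshoot: SELinux is preventing httpd from getattr access on the file /var/www/html/index.html. For complete message run: sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e'

# Print one "SUSPICIOUS pid=... comm=... reason=..." line per AVC denial that
# matches an item 21 indicator; plain labeling denials are left alone.
flag_compromise_indicators() {
    printf '%s\n' "$1" | awk '
    function has(perms, p) { return index(" " perms " ", " " p " ") > 0 }
    /avc: +denied/ {
        perms = $0; sub(/.*[{] /, "", perms); sub(/ [}].*/, "", perms)
        match($0, /tclass=[a-z_]+/);  tclass = substr($0, RSTART + 7, RLENGTH - 7)
        match($0, /tcontext=[^ ]+/);  tctx = substr($0, RSTART + 9, RLENGTH - 9)
        split(tctx, parts, ":");      ttype = parts[3]   # user:role:TYPE:level
        match($0, /pid=[0-9]+/);      pid = substr($0, RSTART + 4, RLENGTH - 4)
        match($0, /comm="[^"]*"/);    comm = substr($0, RSTART + 6, RLENGTH - 7)
        reason = ""
        if (tclass == "capability" && has(perms, "sys_module"))
            reason = "load kernel module"
        else if (tclass == "security" && has(perms, "setenforce"))
            reason = "turn off enforcing mode"
        else if (tclass == "file" && has(perms, "write") && (ttype == "shadow_t" || ttype == "etc_t"))
            reason = "write to " ttype
        if (reason != "")
            printf "SUSPICIOUS pid=%s comm=%s reason=%s\n", pid, comm, reason
    }'
}

# Extract the sealert IDs that setroubleshoot asks you to look up.
sealert_ids() {
    printf '%s\n' "$1" | sed -n 's/.*sealert -l \([0-9a-f-]*\).*/\1/p'
}

flag_compromise_indicators "$SAMPLE_LOG"
sealert_ids "$SAMPLE_LOG"
```

Point the functions at `ausearch -m AVC` output or /var/log/messages instead of SAMPLE_LOG to run them on a real host.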
26. Logging: SELinux logs information in several places:
Make sure SELinux is running in permissive mode: # setenforce 0
Use the fixfiles script to check that files are labeled on the next reboot: