SELinux cheat sheet for sysadmins: 42 answers to the big questions

This translation of the article was prepared specifically for students of the "Linux Administrator" course.


Here you will find answers to the big questions about life, the universe, and everything, with security-enhanced Linux.

"It is an important and popular fact that things are not always what they seem..."

- Douglas Adams, The Hitchhiker's Guide to the Galaxy

Security. Hardening. Compliance. Policy. The Four Horsemen of the sysadmin's apocalypse. On top of our daily tasks (monitoring, backup, implementation, tuning, updating, and so on) we are also responsible for the security of our systems. Even the systems where the third-party vendor recommends that we disable the enhanced security. It looks like a job for Ethan Hunt from "Mission: Impossible".

Faced with this dilemma, some sysadmins decide to take the blue pill, because they think they will never know the answer to the big question of life, the universe, and everything. And, as we all know, that answer is 42.

In the spirit of The Hitchhiker's Guide to the Galaxy, here are 42 answers to the big questions about managing and using SELinux on your systems.

1. SELinux is a mandatory access control system built on labels: every process has a label. Every file, directory, and system object also has a label. Policy rules control access between labeled processes and labeled objects. The kernel enforces these rules.

2. The two most important concepts are: labeling (of files, processes, ports, and so on) and type enforcement (which isolates processes from each other based on their types).

3. The correct label format is user:role:type:level (the level is optional).

4. The purpose of Multi-Level Security (MLS) enforcement is to control processes (domains) based on the security level of the data they will be using. For example, a secret process cannot read top-secret data.

5. Multi-Category Security (MCS) enforcement protects similar processes from each other (for example virtual machines, OpenShift gears, SELinux sandboxes, containers, and so on).
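
The label format in item 3 and the MLS/MCS levels in items 4 and 5 have one trap worth seeing in code: the level is the only field that can itself contain a colon (an MLS range such as s0-s0:c0.c1023, or an MCS category set such as s0:c100,c200), so a naive split on ':' mangles it. The following is an added example, not code from the original article; the function names selinux_label_field and selinux_label_check are my own, and the "_u/_r/_t" suffix check relies on the reference policy naming convention, not on anything the kernel enforces.

```shell
#!/bin/sh
# Added example (not from the original article): extract one field from an
# SELinux label of the form user:role:type[:level]. Only the first three
# separators are significant; the level is optional and may contain ':'
# (MLS range s0-s0:c0.c1023, MCS set s0:c100,c200), so it is taken as
# "field 4 to the end", never as "field 4".
selinux_label_field() {
    label=$1
    field=$2
    case $field in
        user)  printf '%s\n' "$label" | cut -d: -f1 ;;
        role)  printf '%s\n' "$label" | cut -d: -f2 ;;
        type)  printf '%s\n' "$label" | cut -d: -f3 ;;
        level) printf '%s\n' "$label" | cut -d: -f4- ;;   # empty when absent
        *)     echo "unknown field: $field" >&2; return 1 ;;
    esac
}

# Sanity check against the reference policy naming convention (users end in
# _u, roles in _r, types in _t). This is a convention, not a kernel rule, but
# a label that breaks it is almost always a typo in a chcon/semanage command.
selinux_label_check() {
    label=$1
    u=$(selinux_label_field "$label" user)
    r=$(selinux_label_field "$label" role)
    t=$(selinux_label_field "$label" type)
    case $u in *_u) ;; *) return 1 ;; esac
    case $r in *_r) ;; *) return 1 ;; esac
    case $t in *_t) ;; *) return 1 ;; esac
    return 0
}

# Demo on two labels: a targeted-policy file label and an MLS user label.
for l in system_u:object_r:httpd_sys_content_t:s0 staff_u:staff_r:staff_t:s2-s2:c100; do
    printf '%s -> type=%s level=%s\n' "$l" \
        "$(selinux_label_field "$l" type)" "$(selinux_label_field "$l" level)"
done
```

The same split is what `ls -Z`, `ps -Z` and the AVC records in the audit log expect you to do by eye; scripting it means the level range survives intact when you later compare labels.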

6. Kernel options for changing the SELinux mode at boot:

  • autorelabel=1 → forces the system to relabel
  • selinux=0 → the kernel does not load the SELinux infrastructure
  • enforcing=0 → boot in permissive mode

7. If you need to relabel the entire system:

# touch /.autorelabel
# reboot

If the system's labeling contains a large number of errors, you may need to boot in permissive mode for the relabel to succeed.

8. To check whether SELinux is enabled: # getenforce

9. To temporarily enable/disable SELinux: # setenforce [1|0]

10. To check the SELinux status: # sestatus

11. Configuration file: /etc/selinux/config

12. How does SELinux work? Here is an example of the labeling for an Apache web server:

  • Binary: /usr/sbin/httpd → httpd_exec_t
  • Configuration directory: /etc/httpd → httpd_config_t
  • Log file directory: /var/log/httpd → httpd_log_t
  • Content directory: /var/www/html → httpd_sys_content_t
  • Startup script: /usr/lib/systemd/system/httpd.service → httpd_unit_file_t
  • Process: /usr/sbin/httpd -DFOREGROUND → httpd_t
  • Ports: 80/tcp, 443/tcp → httpd_t, http_port_t

A process running in the httpd_t context can interact with an object labeled httpd_something_t.

13. Many commands accept the -Z argument to view, create, and modify contexts:

  • ls -Z
  • id -Z
  • ps -Z
  • netstat -Z
  • cp -Z
  • mkdir -Z

Contexts are set when files are created, based on the context of the parent directory (with a few exceptions). RPMs can set contexts as part of installation.

14. There are four main causes of SELinux errors, explained in detail in items 15-21 below:

  • Labeling problems
  • Something SELinux needs to know
  • A bug in the SELinux policy/application
  • Your information may be compromised

15. Labeling problem: if your files in /srv/myweb are labeled incorrectly, access may be denied. Here are some ways to fix this:

  • If you know the label:
    # semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
  • If you know a path with an equivalent label (the existing path comes first, then the new one that should be labeled like it):
    # semanage fcontext -a -e /var/www /srv/myweb
  • Restore the context (in both cases):
    # restorecon -vR /srv/myweb

16. Labeling problem: if you move a file instead of copying it, the file keeps its original context. To fix this:

  • Change the context by giving the label:
    # chcon -t httpd_sys_content_t /var/www/html/index.html
  • Change the context by giving a reference file whose label should be copied:
    # chcon --reference /var/www/html/ /var/www/html/index.html
  • Restore the context (in both cases): # restorecon -vR /var/www/html/

Note that chcon only changes the label stored on disk and is undone by the next relabel; restorecon applies the default recorded in the policy, which is why it is the final step in both cases.
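
Items 15 and 16 both start from the same question: which files under a directory do not carry the type the policy expects? The following is an added example, not code from the original article: it reads `ls -Z` output (context first, then name, as coreutils prints it), lists the entries whose type differs from the expected one, and prints the restorecon commands that would fix them. The sample listing is constructed for the demo (index.html and deploy.tar are meant to have been moved in with mv and kept their old labels); list_mislabeled and restorecon_plan are my own function names.

```shell
#!/bin/sh
# Added example (not from the original article): detect entries whose SELinux
# type does not match the type expected for a directory, from `ls -Z` output.

# Constructed sample of `ls -Z /var/www/html` output: two files were moved
# in with mv and kept the labels of their previous location.
SAMPLE_LS_Z='unconfined_u:object_r:httpd_sys_content_t:s0 about.html
unconfined_u:object_r:user_home_t:s0 index.html
unconfined_u:object_r:httpd_sys_content_t:s0 style.css
unconfined_u:object_r:admin_home_t:s0 deploy.tar'

# stdin: `ls -Z` lines; $1: expected type.
# stdout: "name<TAB>actual-type" for every entry whose type differs.
list_mislabeled() {
    expected=$1
    while read -r ctx name; do
        [ -n "$name" ] || continue
        actual=$(printf '%s\n' "$ctx" | cut -d: -f3)   # type is always field 3
        [ "$actual" = "$expected" ] || printf '%s\t%s\n' "$name" "$actual"
    done
}

# Turn the mismatch list into the restorecon invocations that would fix it.
# The commands are printed, not executed, so the plan can be reviewed first.
restorecon_plan() {
    dir=$1
    while IFS="$(printf '\t')" read -r name actual; do
        printf 'restorecon -v %s/%s   # currently %s\n' "$dir" "$name" "$actual"
    done
}

# Wrappers over the constructed sample so the result can be checked.
mislabeled_count() { printf '%s\n' "$SAMPLE_LS_Z" | list_mislabeled "$1" | wc -l | tr -d ' '; }
first_mislabeled() { printf '%s\n' "$SAMPLE_LS_Z" | list_mislabeled "$1" | head -n 1 | cut -f1; }

printf '%s\n' "$SAMPLE_LS_Z" | list_mislabeled httpd_sys_content_t | restorecon_plan /var/www/html
```

On a real system the input would be `ls -Z /var/www/html | list_mislabeled httpd_sys_content_t`. restorecon only helps when the policy default for the path is right; if the directory is a non-standard location such as /srv/myweb, the semanage fcontext step from item 15 has to come first, otherwise restorecon will "fix" the files back to the wrong type.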

17. Something SELinux needs to know: if HTTPD listens on port 8585, tell SELinux about it:

# semanage port -a -t http_port_t -p tcp 8585

18. Something SELinux needs to know: booleans allow parts of the SELinux policy to be changed at runtime without any knowledge of SELinux policy writing. For example, if you want httpd to send mail, enter: # setsebool -P httpd_can_sendmail 1

19. Something SELinux needs to know: booleans are the on/off switches of the SELinux policy:

  • To see all booleans: # getsebool -a
  • To see the description of each one: # semanage boolean -l
  • To set a boolean: # setsebool [_boolean_] [1|0]
  • For a persistent setting, add -P. For example: # setsebool -P httpd_enable_ftp_server 1

20. SELinux policies/applications can have bugs, including:

  • Unusual code paths
  • Configurations
  • Redirection of stdout
  • Leaked file descriptors
  • Executable memory
  • Badly built libraries

Open a ticket (do not file a Bugzilla report; Bugzilla has no SLA).

21. Your information may be compromised if you have confined domains trying to:

  • Load kernel modules
  • Turn off SELinux enforcing mode
  • Write to etc_t/shadow_t
  • Modify iptables rules

22. SELinux tools for developing policy modules:

# yum -y install setroubleshoot setroubleshoot-server

Reboot or restart auditd after installing.

23. Use journalctl to list all log entries related to setroubleshoot:

# journalctl -t setroubleshoot --since=14:20

24. Use journalctl to list all log entries related to a particular SELinux label. For example:

# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0

25. When an SELinux error occurs, use the setroubleshoot log, which offers several possible solutions.
For example, from journalctl:

Jun 14 19:41:07 web1 setroubleshoot: SELinux is preventing httpd from getattr access on the file /var/www/html/index.html. For complete message run: sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e

# sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e
SELinux is preventing httpd from getattr access on the file /var/www/html/index.html.

***** Plugin restorecon (99.5 confidence) suggests ************************

If you want to fix the label,
/var/www/html/index.html default label should be httpd_sys_content_t.
Then you can restorecon.
Do
# /sbin/restorecon -v /var/www/html/index.html

26. Logging: SELinux records information in several places:

  • /var/log/messages
  • /var/log/audit/audit.log
  • /var/lib/setroubleshoot/setroubleshoot_database.xml

27. Logging: searching for SELinux errors in the audit log:

# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today

28. To find SELinux Access Vector Cache (AVC) messages for a particular service:

# ausearch -m avc -c httpd
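
The ausearch commands in items 27 and 28 return raw AVC records; before handing them to audit2allow (item 29) a practitioner wants two views: how many distinct (process, source type, target type, class, permission) tuples there are, and whether any of them match the "your information may be compromised" patterns of item 21. The following is an added example, not code from the original article. The four audit.log lines are constructed for the demo (pids, inodes and timestamps are made up; the format is the one ausearch prints), and avc_extract, avc_summarize and avc_flag_suspicious are my own function names. The object classes and permissions it matches on (security/setenforce, capability/sys_module, system/module_load, writes to shadow_t and etc_t) are those of the reference policy.

```shell
#!/bin/sh
# Added example (not from the original article): triage of AVC denials.

# Constructed sample of `ausearch -m avc -c httpd` output.
SAMPLE_AVC='type=AVC msg=audit(1623699667.123:456): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1623699668.456:457): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8585 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1623699670.789:458): avc:  denied  { write } for  pid=1234 comm="httpd" name="shadow" dev="dm-0" ino=999 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1623699671.001:459): avc:  denied  { setenforce } for  pid=1234 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=0'

# stdin: raw audit lines. stdout: one tab-separated tuple per denied AVC:
#   comm  source-type  target-type  tclass  permissions
avc_extract() {
    awk '
    /^type=AVC / && /avc: +denied/ {
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        gsub(/^ +| +$/, "", perms)
        comm = ""; stype = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "comm")     { comm = kv[2]; gsub("\"", "", comm) }
            if (kv[1] == "scontext") { split(kv[2], f, ":"); stype = f[3] }
            if (kv[1] == "tcontext") { split(kv[2], f, ":"); ttype = f[3] }
            if (kv[1] == "tclass")   tclass = kv[2]
        }
        printf "%s\t%s\t%s\t%s\t%s\n", comm, stype, ttype, tclass, perms
    }'
}

# Count identical tuples, most frequent first: the view to look at before
# deciding whether the fix is a label, a port, a boolean or a bug report.
avc_summarize() { avc_extract | sort | uniq -c | sort -rn; }

# Flag tuples matching item 21: turning off enforcing mode, loading kernel
# modules, or writing to shadow_t/etc_t. These must never go to audit2allow.
avc_flag_suspicious() {
    avc_extract | awk -F'\t' '
    $4 == "security" && $5 ~ /setenforce|load_policy/ { print "disable-selinux\t" $0; next }
    ($4 == "capability" && $5 ~ /sys_module/) || ($4 == "system" && $5 ~ /module_load/) { print "kernel-module\t" $0; next }
    ($3 == "shadow_t" || $3 == "etc_t") && $5 ~ /write|append|create|unlink/ { print "write-system-file\t" $0 }
    '
}

# Wrappers over the constructed sample so the result can be checked.
sample_avc_count()        { printf '%s\n' "$SAMPLE_AVC" | avc_extract | wc -l | tr -d ' '; }
sample_suspicious_count() { printf '%s\n' "$SAMPLE_AVC" | avc_flag_suspicious | wc -l | tr -d ' '; }

printf '%s\n' "$SAMPLE_AVC" | avc_summarize
printf '%s\n' "$SAMPLE_AVC" | avc_flag_suspicious
```

On a live system the input is `ausearch -m avc -ts today | avc_flag_suspicious`. In the sample, the getattr on user_home_t is the moved-file case of item 16 and the name_bind on port 8585 is the port case of item 17; both are fixed without touching the policy. The two flagged tuples are the ones item 21 says to treat as a possible compromise rather than as something to allow.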

29. The audit2allow utility gathers information from the logs of denied operations and then generates SELinux allow rules. For example:

  • To produce a human-readable description of why the access was denied: # audit2allow -w -a
  • To view the type enforcement rule that would allow the denied access: # audit2allow -a
  • To create a custom module: # audit2allow -a -M mypolicy
  • The -M option creates a type enforcement file (.te) with the specified name and compiles the rule into a policy package (.pp): mypolicy.pp mypolicy.te
  • To install the custom module: # semodule -i mypolicy.pp

Read the generated .te file before installing it: audit2allow allows exactly what was denied, including the accesses listed in item 21 that should stay denied.

30. To make a particular process (domain) run in permissive mode: # semanage permissive -a httpd_t

31. If you no longer want the domain to be permissive: # semanage permissive -d httpd_t

32. To disable all permissive domains: # semodule -d permissivedomains

33. Enabling the SELinux MLS policy: # yum install selinux-policy-mls
In /etc/selinux/config:

SELINUX=permissive
SELINUXTYPE=mls

Make sure SELinux is running in permissive mode: # setenforce 0
Use the fixfiles script to make sure the files are relabeled on the next reboot:

# fixfiles -F onboot
# reboot

34. Create a user with a specific MLS range: # useradd -Z staff_u john

With the -Z option, the useradd command maps the new Linux user to an existing SELinux user (in this case, staff_u).

35. To view the mapping between SELinux users and Linux users: # semanage login -l

36. Define a specific range for a user: # semanage login --modify --range s2:c100 john

37. To correct the label of the user's home directory (if needed): # chcon -R -l s2:c100 /home/john

38. To view the current categories: # chcat -L

39. To modify the categories, or to start creating your own, edit the following file:

/etc/selinux/<selinuxtype>/setrans.conf

40. To run a command or script in a specific file, role, and user context:

# runcon -t initrc_t -r system_r -u user_u yourcommandhere

  • -t is the file (type) context
  • -r is the role context
  • -u is the user context

41. Containers running with SELinux labeling disabled:

  • Podman: # podman run --security-opt label=disable …
  • Docker: # docker run --security-opt label=disable …

42. If you need to give a container full access to the system:

  • Podman: # podman run --privileged …
  • Docker: # docker run --privileged …

Both options remove the MCS separation between containers described in item 5, so use them only for workloads that cannot run without it.

And now you already know the answer. So please: don't panic, and turn SELinux on.

Source: www.habr.com