Linux security subsystems

One of the reasons for the great success of the Linux OS on embedded devices, mobile devices and servers is the high level of security of the kernel, its related services and applications. Yet if you look closely at the architecture of the Linux kernel, you will not find a single box that is responsible for security as such. So where is the Linux security subsystem hidden, and what does it consist of?

Background on Linux Security Modules and SELinux

Security-Enhanced Linux is a set of rules and access mechanisms based on mandatory and role-based access control models, designed to protect Linux systems from potential threats and to remedy the weaknesses of Discretionary Access Control (DAC), the traditional Unix security model. The project originated inside the US National Security Agency; the contractors Secure Computing Corporation and MITRE, as well as a number of research laboratories, were directly involved in its development.

Linux Security Modules

Linus Torvalds made a number of comments on the new NSA work before it could be accepted into the mainline Linux kernel. He described a generic framework: a set of interceptors (hooks) for mediating operations on objects, and a set of security fields in kernel data structures for storing the corresponding attributes. This framework could then be used by kernel modules to implement any desired security model. LSM was fully merged into Linux kernel v2.6 in 2003.

The LSM framework consists of security fields in kernel data structures and hook calls at critical points in the kernel code, through which those fields are managed and access control decisions are made. It also provides the machinery for registering security modules. The /sys/kernel/security/lsm interface lists the modules active on the system. The LSM hooks are stored in lists that are called in the order given by CONFIG_LSM. Detailed documentation of the hooks is in the include/linux/lsm_hooks.h header file.

The LSM subsystem made it possible to complete the full integration of SELinux in that same Linux kernel v2.6. Almost immediately SELinux became the de facto standard for a hardened Linux environment and part of the most popular distributions: Red Hat Enterprise Linux, Fedora, Debian, Ubuntu.

Glossary

  • SELinux user identity - not the same as the Unix/Linux user identity. They coexist on the same system but are fundamentally different things. Every Linux login maps to exactly one SELinux user, and several Linux accounts may share the same SELinux user. The SELinux identity is part of the overall security context and determines which domains you can and cannot enter.
  • Domains - in SELinux a domain is the execution context of a subject, i.e. a process. The domain directly defines the access a process has. It is essentially a list of what processes may do, or which actions a process may perform on the various types. Examples of domains are sysadm_t for system administration and user_t, an unprivileged user domain. The init system runs in the init_t domain, and the named daemon runs in the named_t domain.
  • Roles - act as intermediaries between domains and SELinux users. Roles define which domains a user may enter and which object types the user may access. This mechanism limits the risk of privilege escalation. Roles are the building block of the Role-Based Access Control (RBAC) model used in SELinux.
  • Types - a type is an attribute assigned to an object that determines who may access it. The definition is similar to that of a domain, except that a domain applies to processes while a type applies to objects such as directories, files, sockets and so on.
  • Subjects and objects - processes are subjects and run in a particular context, or security domain. Operating system resources (files, directories, sockets, etc.) are objects, each assigned a particular type (and, under an MLS policy, a sensitivity level).
  • SELinux policies - SELinux uses policies to protect the system. An SELinux policy defines which roles a user may take, which domains a role may enter, and which types a domain may access. First the user is allowed a role, then the role is allowed to enter domains, and finally the domain may access only certain object types.

LSM and SELinux architecture

Despite the name, LSMs are generally not loadable Linux modules. Instead, like SELinux, they are built directly into the kernel. Any change to the LSM source code requires a new kernel build. The corresponding option must be enabled in the kernel configuration, otherwise the LSM code is never activated after boot. Even then, the choice of the active LSM can be influenced from the bootloader through kernel command-line parameters (for example security=selinux, or selinux=0 to turn SELinux off on kernels built with the boot parameter support).

LSM check chain

LSM places hooks in the kernel functions that are relevant to access checks. One of the main properties of LSM is that its checks are layered: the standard checks are still performed, and each LSM only adds further restrictions. This means that a denial cannot be overturned. As the diagram shows, if the standard DAC check fails, the LSM hook is not even reached; an LSM can only narrow what DAC has already granted, never widen it.

SELinux adopted the Flask security architecture from the Fluke research operating system, and in particular the principle of least privilege. The essence of this concept, as the name suggests, is to give a user or process only the rights necessary to perform its intended actions. The principle is implemented through mandatory type enforcement, so SELinux access control is based on the domain => type model.

Using type enforcement, SELinux has far finer control than the standard DAC model of Unix/Linux operating systems. For example, you can restrict which network port an ftp server may bind, or allow it to create and modify files in a particular directory but not delete them.

The main components of SELinux are:

  • Policy Enforcement Server - the main mechanism through which access control is organised.
  • The database of system security policies.
  • The interface to the LSM event listener.
  • Selinuxfs - a pseudo-filesystem, similar to /proc, mounted at /sys/fs/selinux. It is populated dynamically by the Linux kernel at runtime and contains files with SELinux status information.
  • Access Vector Cache - an auxiliary mechanism that improves performance.

How SELinux works

All of this works as follows.

  1. A subject, in SELinux terms, attempts an action on an object that has already passed the DAC check, as shown in the diagram above. The request for this operation goes to the LSM event listener.
  2. From there the request, together with the security contexts of the subject and the object, is passed to the SELinux Abstraction and Hook Logic module, which is responsible for interaction with LSM.
  3. The Policy Enforcement Server is the authority that decides whether the subject may access the object; it receives the data from the SELinux AnHL.
  4. To decide whether to allow or deny the access, the Policy Enforcement Server first consults the cache of the most frequently used rules, the Access Vector Cache (AVC).
  5. If no decision for the corresponding rule is found in the cache, the request is forwarded to the security policy database.
  6. The result of the lookup in the database and the AVC is returned to the Policy Enforcement Server.
  7. If the policy found allows the requested action, the operation is permitted. Otherwise the operation is denied.

Managing SELinux settings

SELinux operates in one of three modes:

  • Enforcing - the security policy is strictly enforced.
  • Permissive - violations of the restrictions are allowed, and a corresponding entry is written to the log.
  • Disabled - the security rules are not in effect at all.

You can see which mode SELinux is in with the following command.

[admin@server ~]$ getenforce
Permissive

To change the mode until the next reboot, for example to enforcing, pass enforcing or 1; the permissive mode corresponds to the numeric value 0. Note that setenforce only switches between enforcing and permissive; it cannot turn SELinux on or off.

[admin@server ~]$ setenforce enforcing
[admin@server ~]$ setenforce 1   # the same thing

You can also change the mode by editing the configuration file:

[admin@server ~]$ cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

The difference from setenforce is that at boot time the SELinux mode is set according to the SELINUX value in the configuration file, regardless of what setenforce was last told. Moreover, switching between enforcing and disabled is only possible by editing /etc/selinux/config and then rebooting, and after a period in disabled mode the filesystem has to be relabelled (touch /.autorelabel before the reboot), because files created while SELinux was off carry no labels.
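The following is an added example, not code from the original article, that turns the caveat above into a check: it reads the persisted mode from an /etc/selinux/config-style file and compares it with what getenforce reports, so that a host left in permissive mode "for a moment" is noticed before the reboot that silently puts it back into enforcing. The function names are my own, and the configuration file written at the bottom is constructed for the example; check_live_host is the only part that needs a real SELinux host.

```shell
#!/bin/sh
# Added example (not from the original article): read the persisted SELinux
# mode from an /etc/selinux/config-style file and compare it with the running
# mode. setenforce only changes the running mode; the SELINUX= line decides
# what the system boots into next time.

# config_value FILE KEY  - value of KEY=... ignoring comments and blank lines.
# The last assignment wins here; keep a single line per key in the real file.
config_value() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\([A-Za-z]*\).*/\1/p" "$1" | tail -n 1
}

selinux_config_mode() { config_value "$1" SELINUX; }
selinux_config_type() { config_value "$1" SELINUXTYPE; }

# mode_matches RUNNING FILE  - succeeds when getenforce's answer (Enforcing,
# Permissive or Disabled) equals the configured mode, case-insensitively.
mode_matches() {
    [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "$(selinux_config_mode "$2")" ]
}

# check_live_host  - the real check; needs getenforce, i.e. an SELinux host.
# Returns 1 when a reboot would change the mode behind your back.
check_live_host() {
    command -v getenforce >/dev/null 2>&1 || { echo "getenforce not found" >&2; return 2; }
    running=$(getenforce)
    configured=$(selinux_config_mode /etc/selinux/config)
    if mode_matches "$running" /etc/selinux/config; then
        echo "running=$running config=$configured: consistent"
    else
        echo "WARNING running=$running config=$configured: config wins at next boot" >&2
        return 1
    fi
}

# Constructed config mirroring the one shown in the article. Combined with a
# running mode of Permissive (as in the getenforce output earlier) it is the
# exact situation the check is meant to flag.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
# This file controls the state of SELinux on the system.
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
SELINUX=enforcing
# targeted - Targeted processes are protected,
SELINUXTYPE=targeted
EOF

echo "configured mode: $(selinux_config_mode "$SAMPLE_CONFIG"), policy: $(selinux_config_type "$SAMPLE_CONFIG")"
mode_matches Permissive "$SAMPLE_CONFIG" || echo "Permissive now, but enforcing after the next reboot"
```

On a real host, run check_live_host from a cron job or a configuration-management check; a non-zero exit is the signal that someone ran setenforce 0 and never went back.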

A brief status report is available as well:

[admin@server ~]$ sestatus

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31

To see the SELinux attributes of files and processes, a number of the standard utilities take the -Z option.

[admin@server ~]$ ls -lZ /var/log/httpd/
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20200920
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20200927
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20201004
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20201011
[admin@server ~]$ ps -u apache -Z
LABEL                             PID TTY          TIME CMD
system_u:system_r:httpd_t:s0     2914 ?        00:00:04 httpd
system_u:system_r:httpd_t:s0     2915 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2916 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2917 ?        00:00:00 httpd
...
system_u:system_r:httpd_t:s0     2918 ?        00:00:00 httpd

Compared to the usual ls -l output there is an additional field, with this format:

<user>:<role>:<type>:<level>

The last field is the security level of the object, a kind of security stamp made up of two parts:

  • s0 - the sensitivity, which may also be written as a low-high range;
  • c0, c1 … c1023 - the categories.

Changing access settings

Use semodule to list, enable, disable and remove SELinux policy modules.

[admin@server ~]$ semodule -l |wc -l   # list all modules
408
[admin@server ~]$ semodule -e abrt       # enable - activate the module
[admin@server ~]$ semodule -d accountsd  # disable - deactivate the module
[admin@server ~]$ semodule -r avahi      # remove - delete the module

The first semanage login command below maps an SELinux user to an operating system login, the second lists the mappings. Finally, the last command, with the -d switch, removes the mapping between an OS account and its SELinux user. The MLS/MCS combination shown in the Range column was explained in the previous section.

[admin@server ~]$ semanage login -a -s user_u karol
[admin@server ~]$ semanage login -l

Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
root unconfined_u s0-s0:c0.c1023 *
system_u system_u s0-s0:c0.c1023 *
[admin@server ~]$ semanage login -d karol

The semanage user command manages the mappings between SELinux users and roles.

[admin@server ~]$ semanage user -l
                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range             SELinux Roles
guest_u         user       s0         s0                    guest_r
staff_u         staff      s0         s0-s0:c0.c1023        staff_r sysadm_r
...
user_u          user       s0         s0                    user_r
xguest_u        user       s0         s0                    xguest_r
[admin@server ~]$ semanage user -a -R 'staff_r user_r' test_u
[admin@server ~]$ semanage user -d test_u

Command options:

  • -a add a user with the given role mapping;
  • -l list users and their roles;
  • -d remove a user's role mapping;
  • -R the list of roles attached to the user.

Files, ports and booleans

Each SELinux module ships its own file labelling rules, but you can add your own when needed. For example, we want the web server to have access to the /srv/www directory.

[admin@server ~]$ semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"
[admin@server ~]$ restorecon -R /srv/www/

The first command registers a new labelling rule; the second resets, or rather applies, the file types according to the rules now in force. The pattern is quoted so the shell does not try to expand it, and the (/.*)? suffix makes the rule cover the directory itself as well as everything below it. Keep in mind that semanage fcontext only records the rule: until restorecon runs, the files on disk still carry their old labels.
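As an added example (not code from the original article, nor from the SELinux tooling), the shell helper below wraps the two labelling commands above so they can be run repeatedly: it builds the pattern from a path, escaping regex metacharacters, checks whether semanage already knows the pattern (semanage fcontext -a refuses a pattern that is already defined, so the modify form is needed then), and only afterwards calls restorecon. The type and path are arguments, not recommendations; semanage and restorecon exist only on an SELinux host, so the pure helpers are kept apart from the commands that change the system, and the semanage fcontext -l listing at the bottom is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): label a directory tree for a
# confined service idempotently. Pure helpers first, system-changing commands
# after them; only the pure helpers run in the demo at the bottom.

# fcontext_pattern DIR  - the regex semanage expects for a whole tree.
# Regex metacharacters in the path are escaped, one trailing '/' is dropped and
# the '(/.*)?' suffix added so the directory and everything below it match.
fcontext_pattern() {
    dir=${1%/}
    esc=$(printf '%s' "$dir" | sed 's/[*+.?()|^$]/\\&/g')
    printf '%s(/.*)?\n' "$esc"
}

# fcontext_is_defined PATTERN LIST  - succeeds if PATTERN is the first field of
# a line in LIST, where LIST is the output of "semanage fcontext -l" (passed in
# as text so the check can be exercised without SELinux).
fcontext_is_defined() {
    printf '%s\n' "$2" | awk '{ print $1 }' | grep -qFx -- "$1"
}

# label_tree TYPE DIR  - register or update the rule, then apply it on disk.
# Needs an SELinux host with policycoreutils-python(-utils) installed.
label_tree() {
    type=$1; dir=$2
    pattern=$(fcontext_pattern "$dir")
    if fcontext_is_defined "$pattern" "$(semanage fcontext -l)"; then
        semanage fcontext -m -t "$type" "$pattern"   # -a would fail: already defined
    else
        semanage fcontext -a -t "$type" "$pattern"
    fi
    restorecon -Rv "$dir"
}

# label_drift DIR  - dry run: print files whose on-disk label differs from what
# the rules say, without changing anything (-n = no change, -v = verbose).
label_drift() {
    restorecon -Rnv "$1"
}

# Constructed "semanage fcontext -l" excerpt used by the demo (not real output).
SAMPLE_LIST='/srv/www(/.*)?    all files    system_u:object_r:httpd_sys_content_t:s0
/var/www(/.*)?    all files    system_u:object_r:httpd_sys_content_t:s0'

fcontext_pattern /srv/www/
fcontext_pattern /srv/www.example.com
if fcontext_is_defined "$(fcontext_pattern /srv/www)" "$SAMPLE_LIST"; then
    echo "/srv/www already has a rule: label_tree would use semanage fcontext -m"
fi
```

On a real host the call is simply label_tree httpd_sys_content_t /srv/www; run label_drift /srv/www afterwards (or periodically) to spot files that were created with the wrong label, for instance by an unpacked archive or a copy from a home directory.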

Similarly, TCP/UDP ports are labelled so that only the appropriate services may listen on them. For example, for the web server to be allowed to listen on port 8080, you need to run:

[admin@server ~]$ semanage port -m -t http_port_t -p tcp 8080

The -m (modify) form is used because 8080 already has a type in the stock policy (http_cache_port_t); semanage port -a refuses to add a port that is already defined.

A significant number of SELinux modules have parameters that take boolean values. The list of all such switches can be seen with getsebool -a, and a value is changed with setsebool. The -P flag makes the change persistent across reboots; without it the boolean reverts to its default the next time the policy is loaded.

[admin@server ~]$ getsebool httpd_enable_cgi
httpd_enable_cgi --> on
[admin@server ~]$ setsebool -P httpd_enable_cgi off
[admin@server ~]$ getsebool httpd_enable_cgi
httpd_enable_cgi --> off

Practicum: getting into the pgadmin4-web interface

Consider an example from practice. We installed pgadmin4-web on RHEL 7.6 to manage PostgreSQL databases and went through the usual small quest: configuring pg_hba.conf, postgresql.conf and config_local.py, setting file permissions, installing the missing Python modules with pip. Everything is ready; we start it up and get a 500 Internal Server Error.


We start with the usual suspects and check /var/log/httpd/error_log. There are some interesting entries there.

[timestamp] [core:notice] [pid 23689] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
...
[timestamp] [wsgi:error] [pid 23690] [Errno 13] Permission denied: '/var/lib/pgadmin'
[timestamp] [wsgi:error] [pid 23690] [timestamp] [wsgi:error] [pid 23690] HINT : You may need to manually set the permissions on
[timestamp] [wsgi:error] [pid 23690] /var/lib/pgadmin to allow apache to write to it.

At this point most Linux administrators would be sorely tempted to run setenforce 0 and be done with it. Honestly, that is what I did the first time. It is, of course, also a way out, but far from the best one.

Despite its harsh design, SELinux can be friendly. Just install the setroubleshoot package and read the system log.

[admin@server ~]$ yum install setroubleshoot
[admin@server ~]$ service auditd restart
[admin@server ~]$ journalctl -b -0

The audit daemon is restarted so that it picks up the audit dispatcher plugin that setroubleshoot installs. Note that it is restarted with service and not with systemctl, even though the OS runs systemd: on RHEL 7 the auditd unit refuses a manual stop through systemctl, so the legacy service wrapper is the supported way. From then on the system log shows not only the fact of the denial but also its cause and a way around the restriction.


We run the commands it suggests:

[admin@server ~]$ setsebool -P httpd_can_network_connect 1
[admin@server ~]$ setsebool -P httpd_can_network_connect_db 1

We check access to the pgadmin4-web page: everything works.
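To tie the context fields described in the ls -Z section to the log-reading step of this practicum, here is an added example in POSIX shell (not code from the article, from setroubleshoot or from the SELinux project). It splits a context into user, role, type and level, pulls the fields out of raw AVC records from the audit log, and sorts each denial into one of three buckets before anyone reaches for setenforce 0: a mislabelled target, a boolean-shaped network denial, or something that needs a real look at the policy. The three audit records inside it are constructed for the example, modelled on the httpd/pgadmin situation above; the bucket logic, the list of "generic" types it treats as labelling problems and the function names are my own heuristics, not SELinux rules.

```shell
#!/bin/sh
# Added example (not from the original article or the SELinux project):
# parse security contexts and triage AVC denials from audit records.

# ctx_field CONTEXT FIELD  - FIELD is user|role|type|level. The level is
# everything after the third ':' because an MLS/MCS range such as
# s0-s0:c0.c1023 contains a colon of its own.
ctx_field() {
    case "$2" in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        level) printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# avc_attr LINE KEY  - value of KEY=... in an audit record, quotes stripped.
avc_attr() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"*\([^\" ]*\).*/\1/p"
}

# avc_perm LINE  - the permission set between the braces, e.g. "write".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*[^[:space:]}]\).*/\1/p'
}

# avc_blocked LINE  - succeeds only if the kernel actually refused the access;
# permissive=1 means the denial was logged but the operation went through.
avc_blocked() {
    [ "$(avc_attr "$1" permissive)" = 0 ]
}

# avc_triage LINE  - prints one word (heuristic, my own classification):
#   label   : target carries a generic type, so the object is mislabelled;
#             fix the label (semanage fcontext + restorecon), not the policy.
#   boolean : outbound connect from a confined daemon; a boolean such as
#             httpd_can_network_connect usually covers it.
#   policy  : neither; read audit2allow -w before writing a local module.
avc_triage() {
    ttype=$(ctx_field "$(avc_attr "$1" tcontext)" type)
    tclass=$(avc_attr "$1" tclass)
    perm=$(avc_perm "$1")
    case "$ttype" in
        default_t|unlabeled_t|var_t|var_lib_t|usr_t|tmp_t) echo label; return 0 ;;
    esac
    case "$tclass:$perm" in
        tcp_socket:*name_connect*) echo boolean; return 0 ;;
    esac
    echo policy
}

# avc_report LINE  - one-line summary plus the suggested next command.
avc_report() {
    stype=$(ctx_field "$(avc_attr "$1" scontext)" type)
    ttype=$(ctx_field "$(avc_attr "$1" tcontext)" type)
    kind=$(avc_triage "$1")
    if avc_blocked "$1"; then state=BLOCKED; else state=permissive; fi
    printf '%s %s -> %s (%s { %s }) : %s\n' \
        "$state" "$stype" "$ttype" "$(avc_attr "$1" tclass)" "$(avc_perm "$1")" "$kind"
    case "$kind" in
        label)   echo "  next: semanage fcontext -l | grep <path>; restorecon -Rv <path>" ;;
        boolean) echo "  next: getsebool -a | grep ${stype%_t}_" ;;
        policy)  echo "  next: audit2allow -w -a" ;;
    esac
}

# Constructed sample records (not real log output), modelled on the pgadmin case.
SAMPLE_WRITE='type=AVC msg=audit(1602489600.101:2001): avc:  denied  { write } for  pid=23690 comm="httpd" name="pgadmin" dev="dm-0" ino=134217 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0'
SAMPLE_CONNECT='type=AVC msg=audit(1602489600.202:2002): avc:  denied  { name_connect } for  pid=23690 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0'
SAMPLE_READ='type=AVC msg=audit(1602489600.303:2003): avc:  denied  { read } for  pid=23690 comm="httpd" name="shadow" dev="dm-0" ino=1049 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1'

# On a real host feed it the output of: ausearch -m AVC -ts recent
for rec in "$SAMPLE_WRITE" "$SAMPLE_CONNECT" "$SAMPLE_READ"; do
    avc_report "$rec"
done
```

The point of the third bucket is the one that matters in a post-incident review: an httpd_t process reading a shadow_t file is exactly the kind of denial that should stay denied, and the permissive=1 in that record tells you the read went through, which is the price of running permissive "just to get it working".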


Source: www.habr.com
