A Beginner's Guide to SELinux

A translation of the article prepared for students of the "Linux Security" course

SELinux, or Security Enhanced Linux, is an advanced access control mechanism developed by the US National Security Agency (NSA) to prevent malicious intrusions. It implements a mandatory access control (MAC) model on top of the existing discretionary access control (DAC) model, that is, read, write and execute permissions.

SELinux has three modes:

  1. Enforcing: access is denied based on the policy rules.
  2. Permissive: actions that violate the policy, and that would be denied in enforcing mode, are logged.
  3. Disabled: SELinux is completely turned off.

By default the settings are in /etc/selinux/config

Changing SELinux modes

To find out the current mode, run

$ getenforce

To change the mode to permissive, run the following command

$ setenforce 0

or, to change the mode from permissive to enforcing, run

$ setenforce 1

If you need to disable SELinux completely, this can only be done through the configuration file

$ vi /etc/selinux/config

To disable it, change the SELINUX parameter as follows:

SELINUX=disabled

Setting up SELinux

Every file and process is labeled with an SELinux context, which contains additional information such as user, role, type and so on. If this is the first time you are enabling SELinux, you will first need to set up the context and labels. The process of assigning labels and context is known as labeling. To start labeling, we change the mode to permissive in the configuration file.

$ vi /etc/selinux/config
SELINUX=permissive

After setting the mode to permissive, create an empty hidden file named autorelabel in the root directory

$ touch /.autorelabel

and then reboot the computer

$ init 6

Note: We use permissive mode for labeling, because using enforcing mode may cause the system to crash during the reboot.

Do not worry if the boot appears to hang on some file; labeling takes a while. Once labeling is complete and your system has booted, you can go to the configuration file and set the mode to enforcing, and also run:

$ setenforce 1

You have now successfully enabled SELinux on your computer.

Monitoring the logs

You may have run into some errors during labeling or while the system is running. To check whether SELinux is working correctly and is not blocking access to any port, application and so on, you need to look at the logs. The SELinux log is located at /var/log/audit/audit.log, but you do not need to read all of it to find errors. You can use the audit2why utility to find them. Run the following command:

$ audit2why < /var/log/audit/audit.log

As a result, you will get a list of errors. If there were no errors in the log, no messages will be displayed.

Configuring SELinux Policy

An SELinux policy is a set of rules that governs the SELinux security mechanism. A policy defines a set of rules for a specific environment. Now we will learn how to configure policies to allow access to denied services.

1. Boolean values (switches)

Switches (booleans) let you change parts of a policy at runtime, without having to create new policies. They let you make changes without rebooting or recompiling SELinux policies.

Example:
Suppose we want to share a user's home directory over FTP for reading and writing, and we have already shared it, but when we try to access it we see nothing. This is because the SELinux policy prevents the FTP server from reading and writing in the user's home directory. We need to change the policy so that the FTP server can access home directories. Let's see whether there are any switches for this by running

$ semanage boolean -l

This command lists the available switches with their current state (on or off) and a description. You can narrow the search by adding grep to get only the ftp-related results:

$ semanage boolean -l | grep ftp

and you will find the following

ftp_home_dir        -> off       Allow ftp to read & write file in user home directory

This switch is disabled, so we will enable it with setsebool

$ setsebool ftp_home_dir on

Now our ftp daemon will be able to access the user's home directory.
Note: You can also get a list of the available switches without descriptions by running getsebool -a
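
An added check, not from the original article, for reviewing switches after changing them: it flags switches whose current value differs from the stored one (set without setsebool -P, so the change is lost at reboot) and switches that are on without being on an approved list. It assumes the newer semanage boolean -l layout with (state , default) columns; audit_booleans, the approved list and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: review switch (boolean) state after using setsebool.
# audit_booleans is a hypothetical helper, not part of the SELinux tools.
# stdin: `semanage boolean -l` output in the "(state , default)" layout.
# $1:    space-separated list of switches that are approved to be on.
# Prints "<name>: <findings>" for every switch that needs attention.
audit_booleans() {
    # Drop the parentheses and comma so fields are: name state default ...
    tr -d '(),' | awk -v approved=" $1 " '
    ($2 == "on" || $2 == "off") && ($3 == "on" || $3 == "off") {
        note = ""
        # Current value differs from the stored one: set without -P,
        # so it reverts to the stored value at the next reboot.
        if ($2 != $3) note = note " not-persistent"
        # Enabled, but missing from the approved list.
        if ($2 == "on" && index(approved, " " $1 " ") == 0)
            note = note " unapproved"
        if (note != "") print $1 ":" note
    }'
}

# Constructed listing, not real output; descriptions shortened.
sample_booleans() {
    cat <<'EOF'
SELinux boolean                State  Default Description

ftp_home_dir                   (on   ,  off)  Allow ftp to read & write file in user home directory
ftpd_anon_write                (off  ,  off)  Allow ftpd to anon write
ftpd_full_access               (off  ,  off)  Allow ftpd to full access
httpd_enable_homedirs          (on   ,   on)  Allow httpd to enable homedirs
EOF
}

sample_booleans | audit_booleans "ftp_home_dir"
```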

2. Labels and context

This is the most common way of implementing SELinux policy. Every file, folder, process and port is labeled with an SELinux context:

  • For files and folders, labels are stored as extended attributes on the file system and can be viewed with the following command:
    $ ls -Z /etc/httpd
  • For processes and ports, labeling is managed by the kernel, and you can view these labels as follows:

process

$ ps auxZ | grep httpd

port

$ netstat -anpZ | grep httpd

Example:
Now let's look at an example to understand labels and context better. Suppose we have a web server that, instead of the directory /var/www/html/, uses /home/dan/html/. SELinux will treat this as a policy violation and you will not be able to view your web pages. This is because we have not set the security context associated with the HTML files. To view the default security context, use the following command:

$ ls -lZ /var/www/html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/

Here we see httpd_sys_content_t as the context for the html files. We need to set this security context for our current directory, which currently has the following context:

-rw-r--r--. dan dan system_u:object_r:user_home_t:s0 /home/dan/html/

Another command for checking the security context of a file or directory:

$ semanage fcontext -l | grep '/var/www'

We will also use semanage to change the context once we have found the correct security context. To change the context of /home/dan/html, run the following commands:

$ semanage fcontext -a -t httpd_sys_content_t '/home/dan/html(/.*)?'
$ semanage fcontext -l | grep '/home/dan/html'
/home/dan/html(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
$ restorecon -Rv /home/dan/html

After the context has been changed using semanage, the restorecon command will load the default context for the files and directories. Our web server will now be able to read files from the /home/dan/html folder, because the security context for this folder has been changed to httpd_sys_content_t.
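
The pattern '/home/dan/html(/.*)?' covers the directory itself and everything under it, but not a sibling such as /home/dan/html-backup. The added example below (not from the original article) classifies ls -Z style lines, in the column layout shown above, against that rule; check_labels and the sample listing are constructed, and no SELinux tools are called.

```shell
#!/bin/sh
# Added example: audit `ls -Z`-style lines against one fcontext rule.
# check_labels is a hypothetical helper; semanage/restorecon are not invoked.

RULE_PATTERN='/home/dan/html(/.*)?'   # the rule added with semanage above
RULE_TYPE='httpd_sys_content_t'

# stdin:  lines "<perms> <user> <group> <context> <path>" (layout assumed
#         from the article's listings; paths may contain spaces).
# stdout: "<status> <type> <path>" per entry, where status is
#   OK       covered by the rule and already labelled RULE_TYPE
#   RELABEL  covered by the rule but labelled otherwise (restorecon target)
#   OUTSIDE  not covered by the rule, so this rule never changes its label
check_labels() {
    while read -r _perms _user _group context path; do
        [ -n "$path" ] || continue
        # A context is user:role:type:level; the type is field 3.
        ctype=$(printf '%s\n' "$context" | cut -d: -f3)
        # File-context patterns must match the whole path, hence ^ and $.
        if printf '%s\n' "$path" | grep -Eq "^${RULE_PATTERN}\$"; then
            if [ "$ctype" = "$RULE_TYPE" ]; then
                status=OK
            else
                status=RELABEL
            fi
        else
            status=OUTSIDE
        fi
        printf '%s %s %s\n' "$status" "$ctype" "$path"
    done
}

# Constructed listing, not real output.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x. dan dan system_u:object_r:httpd_sys_content_t:s0 /home/dan/html
-rw-r--r--. dan dan system_u:object_r:httpd_sys_content_t:s0 /home/dan/html/index.html
-rw-r--r--. dan dan unconfined_u:object_r:user_home_t:s0 /home/dan/html/img/new logo.png
-rw-r--r--. dan dan unconfined_u:object_r:user_home_t:s0 /home/dan/html-backup/index.html
EOF
}

sample_listing | check_labels
```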

3. Creating local policies

There may be situations where the methods above do not help and you still get errors (avc/denial) in audit.log. When this happens, you need to create a local policy. You can find all the errors using audit2why, as described above.

You can create a local policy to resolve the errors. For example, if we get an error related to httpd (apache) or smbd (samba), we grep for the errors and create a policy for them:

apache
$ grep httpd_t /var/log/audit/audit.log | audit2allow -M http_policy
samba
$ grep smbd_t /var/log/audit/audit.log | audit2allow -M smb_policy

Here http_policy and smb_policy are the names of the local policies we created. Now we need to load these local policies into the current SELinux policy. This can be done as follows:

$ semodule -i http_policy.pp
$ semodule -i smb_policy.pp

Our local policies have been loaded, and we should no longer get any avc or denial messages in audit.log.
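
Before loading a module generated this way, it helps to see what the filtered denials actually cover, because grep httpd_t also matches records where httpd_t is only the target. The following is an added example, not part of the original article; summarize_avc and the sample records are constructed for illustration, and the same function can be fed the audit.log from the log monitoring section.

```shell
#!/bin/sh
# Added example: summarise AVC denials before feeding them to audit2allow.
# summarize_avc is a hypothetical helper, not part of the SELinux tools.
# Reads audit.log text on stdin; prints "<count> <source type> <target type>
# <class> <permissions>" for each distinct denial, most frequent first.
summarize_avc() {
    awk '
    /type=AVC/ && /denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""
        # Permissions sit between the braces: denied  { read open } for ...
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
            gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            # A context is user:role:type:level, so the type is field 3.
            if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); src = c[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != "" && tgt != "" && cls != "")
            count[src " " tgt " " cls " " perms]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample records, not taken from a real system.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=7001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000003.480:207): avc:  denied  { read } for  pid=1201 comm="httpd" name="about.html" dev="dm-0" ino=7002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000009.912:215): avc:  denied  { signal } for  pid=1377 comm="logrotate" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=AVC msg=audit(1700000012.044:220): avc:  denied  { read open } for  pid=1410 comm="smbd" name="dan" dev="dm-0" ino=6900 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
EOF
}

sample_log | summarize_avc
```

In the sample, the logrotate_t record would be picked up by grep httpd_t and turned into an allow rule even though httpd is not the process being denied.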

This was my attempt to help you understand SELinux. I hope that after reading this article you will feel more comfortable with SELinux.

Source: www.habr.com
