This translation of the article was prepared for students of the course
SELinux, or Security Enhanced Linux, is an advanced access control mechanism developed by the US National Security Agency (NSA) to prevent malicious intrusions. It implements a mandatory access control model (Mandatory Access Control, MAC) on top of the existing discretionary model (Discretionary Access Control, DAC), that is, the read, write and execute permissions.
SELinux has three modes:
- Enforcing - access is denied based on the policy rules.
- Permissive - actions that violate the policy, and that would be blocked in enforcing mode, are logged.
- Disabled - SELinux is turned off completely.
By default, the settings are in /etc/selinux/config
Changing SELinux modes
To find out the current mode, run
$ getenforce
To switch to permissive mode, run the following command
$ setenforce 0
or, to switch the mode from permissive to enforcing, run
$ setenforce 1
If you need to disable SELinux completely, this can only be done through the configuration file
$ vi /etc/selinux/config
To disable it, change the SELINUX parameter as follows:
SELINUX=disabled
Setting up SELinux
Every file and process is labelled with an SELinux context, which holds additional information such as user, role, type and so on. If this is the first time you are enabling SELinux, you first need to set up the contexts and labels. The process of assigning labels and contexts is known as labelling. To start labelling, we change the mode to permissive in the configuration file.
$ vi /etc/selinux/config
SELINUX=permissive
After setting the mode to permissive, create an empty hidden file named autorelabel in the root directory
$ touch /.autorelabel
and then reboot the computer
$ init 6
Note: We use permissive mode for labelling, because using enforcing mode can cause the system to crash during the reboot.
Don't worry if the boot appears to hang on some file; labelling takes a while. Once labelling is complete and your system has booted, you can go to the configuration file and set the mode to enforcing, and also run:
$ setenforce 1
You have now successfully enabled SELinux on your computer.
Monitoring the logs
You may have run into some errors during labelling or while the system was running. To check that SELinux is working correctly and is not blocking access to any port, application and so on, you need to look at the logs. The SELinux log is located at /var/log/audit/audit.log, but you do not need to read the whole thing to find errors. You can use the audit2why utility to find errors. Run the following command:
$ audit2why < /var/log/audit/audit.log
As a result, you will get a list of errors. If there were no errors in the log, no messages will be displayed.
Configuring SELinux policy
An SELinux policy is a set of rules that governs the SELinux security mechanism. A policy defines a set of rules for a particular environment. Now we will learn how to configure policies to allow access to services that are being denied.
1. Booleans (switches)
Switches (booleans) let you change parts of a policy at runtime, without having to create new policies. They let you make changes without rebooting or recompiling SELinux policies.
Example:
Suppose we want to share a user's home directory over FTP for reading and writing, and we have already shared it, but when we try to access it we see nothing. The reason is that the SELinux policy prevents the FTP server from reading and writing in the user's home directory. We need to change the policy so that the FTP server can access home directories. Let's see whether there are any switches for this by running
$ semanage boolean -l
This command lists the available switches with their current state (on or off) and a description. You can narrow the search by adding grep to find only the ftp-related results:
$ semanage boolean -l | grep ftp
and you will find the following
ftp_home_dir -> off Allow ftp to read & write file in user home directory
This switch is off, so we will enable it with setsebool
$ setsebool ftp_home_dir on
Now our ftp daemon will be able to access the user's home directory.
Note: You can also get the list of available switches without descriptions by running getsebool -a
2. Labels and context
This is the most common way of implementing SELinux policy. Every file, folder, process and port is labelled with an SELinux context:
- For files and folders, labels are stored as extended attributes on the file system and can be viewed with the following command:
$ ls -Z /etc/httpd
- For processes and ports, labelling is managed by the kernel, and you can view these labels as follows:
process
$ ps -auxZ | grep httpd
port
$ netstat -anpZ | grep httpd
Example:
Now let's look at an example to understand labels and context better. Suppose we have a web server that, instead of the directory /var/www/html/, uses /home/dan/html/. SELinux will treat this as a policy violation and you will not be able to view your web pages. This is because we have not set the security context associated with the HTML files. To view the default security context, use the following command:
$ ls -lZ /var/www/html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/
Here we see httpd_sys_content_t as the context for the html files. We need to set this security context for our current directory, which currently has the following context:
-rw-r--r--. dan dan system_u:object_r:user_home_t:s0 /home/dan/html/
An alternative command for checking the security context of a file or directory:
$ semanage fcontext -l | grep '/var/www'
We will also use semanage to change the context once we have found the correct security context. To change the context of /home/dan/html, run the following commands:
$ semanage fcontext -a -t httpd_sys_content_t '/home/dan/html(/.*)?'
$ semanage fcontext -l | grep '/home/dan/html'
/home/dan/html(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
$ restorecon -Rv /home/dan/html
After the context has been changed with semanage, the restorecon command loads the default context for the files and directories. Our web server will now be able to read files from the /home/dan/html folder, because the security context for this folder has been changed to httpd_sys_content_t.
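An added example, not from the original article, that checks labels against an fcontext rule the way restorecon would apply it: file-context patterns are anchored at both ends, so /home/dan/html(/.*)? covers the directory and everything under it but not /home/dan/html-old. The two-column "context path" input format and the listing in sample_listing are constructed assumptions; paths containing spaces are not handled.

```shell
#!/bin/sh
# Constructed listing: one "context path" pair per line.
sample_listing() {
cat <<'EOF'
unconfined_u:object_r:httpd_sys_content_t:s0 /home/dan/html
unconfined_u:object_r:httpd_sys_content_t:s0 /home/dan/html/index.html
unconfined_u:object_r:user_home_t:s0 /home/dan/html/new.html
unconfined_u:object_r:httpd_sys_content_t:s0 /home/dan/html-old/index.html
unconfined_u:object_r:user_home_t:s0 /home/dan/notes.txt
EOF
}

# label_drift PATTERN TYPE  (listing on stdin)
#   RELABEL path (type) : the rule covers the path but the file carries another
#                         type, e.g. a file moved in after restorecon was run.
#   NO-RULE path        : the file carries TYPE but no rule covers it, so the
#                         label would be lost on the next relabel.
label_drift() {
    # Anchor the pattern at both ends, as SELinux does for file-context rules.
    awk -v pat="^($1)\$" -v want="$2" '
    {
        split($1, c, ":")      # user:role:type:level
        ctype = c[3]
        path = $2
        hit = (path ~ pat)
        if (hit && ctype != want)  print "RELABEL " path " (" ctype ")"
        if (!hit && ctype == want) print "NO-RULE " path
    }'
}

sample_listing | label_drift '/home/dan/html(/.*)?' httpd_sys_content_t
```

Running the same listing against the pattern /home/dan/html without the (/.*)? suffix reports index.html as NO-RULE, which shows why the suffix is part of the rule.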
3. Creating local policies
There may be situations where the methods above are of no use to you and you get errors (avc/denial) in audit.log. When this happens, you need to create a local policy. You can find all the errors using audit2why, as described above.
You can create a local policy to resolve the errors. For example, if we get an error related to httpd (apache) or smbd (samba), we grep the errors and create a policy for them:
apache
$ grep httpd_t /var/log/audit/audit.log | audit2allow -M http_policy
samba
$ grep smbd_t /var/log/audit/audit.log | audit2allow -M smb_policy
Here http_policy and smb_policy are the names of the local policies we created. Now we need to load these local policies into the current SELinux policy. This can be done as follows:
$ semodule -i http_policy.pp
$ semodule -i smb_policy.pp
Our local policies have been loaded, and we should no longer get any avc or denial messages in audit.log.
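audit2allow -M also writes a readable http_policy.te next to http_policy.pp, and every denial that was in the grep output becomes an allow rule, so it is worth reading that file before running semodule -i. The following added example (not from the original article) flags rules for manual review; the watch lists of permissions and target types and the sample_te module are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed module source in the layout audit2allow -M generates.
sample_te() {
cat <<'EOF'
module http_policy 1.0;

require {
    type httpd_t;
    type user_home_t;
    type shadow_t;
    class file { getattr open read write };
}

#============= httpd_t ==============
allow httpd_t user_home_t:file { getattr open read };
allow httpd_t shadow_t:file { open read };
allow httpd_t user_home_t:file write;
EOF
}

# Read a .te file on stdin and print every allow rule prefixed with "ok" or
# "REVIEW". A rule needs review when it grants a modifying or executing
# permission, or targets a type on the sensitive list (both lists are assumptions).
review_te() {
    awk -v risky_perms="write append create unlink rename setattr execute execmem" \
        -v risky_types="shadow_t etc_t" '
    BEGIN {
        n = split(risky_perms, p, " "); for (i = 1; i <= n; i++) bad_perm[p[i]] = 1
        n = split(risky_types, t, " "); for (i = 1; i <= n; i++) bad_type[t[i]] = 1
    }
    $1 == "allow" {
        split($3, tc, ":")                 # $3 is target_type:class
        why = (tc[1] in bad_type) ? " sensitive-target" : ""
        for (i = 4; i <= NF; i++) {        # remaining fields are permissions
            perm = $i
            gsub(/[{};]/, "", perm)
            if (perm in bad_perm) why = why " grants-" perm
        }
        if (why == "") print "ok " $0
        else           print "REVIEW " $0 "  #" why
    }'
}

sample_te | review_te
```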
This was my attempt to help you understand SELinux. I hope that after reading this article you will feel more comfortable with SELinux.
Source: www.habr.com