SELinux cheat sheet for system administrators: 42 answers to important questions

The translation of this article was prepared specifically for students of the "Linux Administrator" course.

Here you will find answers to important questions about life, the universe, and everything in Linux with enhanced security.

"The vital truth that things are not always what they seem is common knowledge..."

- Douglas Adams, The Hitchhiker's Guide to the Galaxy

Security. Increased reliability. Compliance. Policy. The four horsemen of the sysadmin apocalypse. Beyond our daily tasks (monitoring, backups, deployment, configuration, updates, and so on), we are also responsible for the security of our systems. Even on systems where a third-party vendor recommends that we disable enhanced security. It sounds like a job for Ethan Hunt from "Mission: Impossible".

Faced with this problem, some system administrators decide to take the blue pill, because they believe they can never know the answer to the great question of life, the universe, and everything. As we all know, that answer is 42.

In the spirit of The Hitchhiker's Guide to the Galaxy, here are 42 answers to important questions about managing and using SELinux on your system.

1. SELinux is a mandatory access control system, which means that every process has a label. Every file, directory, and system object also has a label. Policy rules control access between labeled processes and labeled objects. The kernel enforces these rules.

2. The two most important concepts are: Labeling (files, processes, ports, etc.) and Type enforcement (which isolates processes from one another based on their types).

3. The correct label format is user:role:type:level (level is optional).

4. The purpose of Multi-Level Security (MLS) is to control processes (domains) based on the security level of the data they will be using. For example, a secret process cannot read top-secret data.

5. Multi-Category Security (MCS) protects similar processes from one another (for example, virtual machines, OpenShift gears, SELinux sandboxes, containers, and so on).

6. Kernel options for changing SELinux modes at boot:

  • autorelabel=1 → forces the system to relabel
  • selinux=0 → the kernel does not load the SELinux infrastructure
  • enforcing=0 → boot in permissive mode

7. If you need to relabel the entire system:

# touch /.autorelabel
# reboot

If the labeling has many errors, you may need to boot in permissive mode for the relabeling to succeed.

8. To check whether SELinux is enabled: # getenforce

9. To temporarily enable/disable SELinux: # setenforce [1|0]

10. To check the SELinux status: # sestatus

11. Configuration file: /etc/selinux/config

12. How does SELinux work? Here is an example of the labeling for the Apache web server:

  • Binary: /usr/sbin/httpd → httpd_exec_t
  • Configuration directory: /etc/httpd → httpd_config_t
  • Log file directory: /var/log/httpd → httpd_log_t
  • Content directory: /var/www/html → httpd_sys_content_t
  • Startup script: /usr/lib/systemd/system/httpd.service → httpd_unit_file_t
  • Process: /usr/sbin/httpd -DFOREGROUND → httpd_t
  • Ports: 80/tcp, 443/tcp → httpd_t, http_port_t

A process running as httpd_t can interact with objects labeled httpd_something_t.

13. Many commands accept the -Z argument to view, create, and change contexts:

  • ls -Z
  • id -Z
  • ps -Z
  • netstat -Z
  • cp -Z
  • mkdir -Z

Contexts are set when files are created, based on the context of their parent directory (with some exceptions). RPMs can also set contexts during installation.

14. There are four main causes of SELinux errors, described in detail in points 15-21 below:

  • Labeling problems
  • Something that SELinux needs to know about
  • A bug in the SELinux policy or application
  • Your information may be compromised

15. Labeling problem: if your files in /srv/myweb are labeled incorrectly, access may be denied. Here are some ways to fix this:

  • If you know the label:
    # semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
  • If you know a file with an equivalent label:
    # semanage fcontext -a -e /srv/myweb /var/www
  • Restore the context (for both cases):
    # restorecon -vR /srv/myweb

16. Labeling problem: if you move a file instead of copying it, the file keeps its original context. To fix this problem:

  • Change the context with the label:
    # chcon -t httpd_sys_content_t /var/www/html/index.html
  • Change the context using the label of a reference file:
    # chcon --reference /var/www/html/ /var/www/html/index.html
  • Restore the context (for both cases): # restorecon -vR /var/www/html/

17. If SELinux needs to know that HTTPD is listening on port 8585, tell SELinux:

# semanage port -a -t http_port_t -p tcp 8585

18. SELinux needs to know: booleans allow parts of the SELinux policy to be changed at runtime without any knowledge of SELinux policy writing. For example, if you want httpd to send mail, enter: # setsebool -P httpd_can_sendmail 1

19. SELinux needs to know: booleans are simply on/off settings for SELinux:

  • To see all boolean values: # getsebool -a
  • To see the description of each one: # semanage boolean -l
  • To set a boolean value: # setsebool [_boolean_] [1|0]
  • To make the setting persistent, add -P. For example: # setsebool httpd_enable_ftp_server 1 -P

20. SELinux policies/applications can have bugs, including:

  • Unusual code paths
  • Configurations
  • Redirection of stdout
  • Leaked file descriptors
  • Executable memory
  • Badly built libraries

Open a ticket (do not file a report in Bugzilla; Bugzilla has no SLA).

21. Your information may be compromised if you have confined domains trying to:

  • Load kernel modules
  • Turn off the SELinux enforcing mode
  • Write to etc_t/shadow_t
  • Modify iptables rules

22. SELinux tools for developing policy modules:

# yum -y install setroubleshoot setroubleshoot-server

Reboot or restart auditd after installing them.

23. Use journalctl to list all logs related to setroubleshoot:

# journalctl -t setroubleshoot --since=14:20

24. Use journalctl to list all logs related to a specific SELinux label. For example:

# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0

25. When a SELinux error occurs, use the setroubleshoot log to obtain several possible solutions. For example, from journalctl:

Jun 14 19:41:07 web1 setroubleshoot: SELinux is preventing httpd from getattr access on the file /var/www/html/index.html. For complete message run: sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e

# sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e
SELinux is preventing httpd from getattr access on the file /var/www/html/index.html.

***** Plugin restorecon (99.5 confidence) suggests ************************

If you want to fix the label,
/var/www/html/index.html default label should be httpd_sys_content_t.
Then you can restorecon.
Do
# /sbin/restorecon -v /var/www/html/index.html

26. Logging: SELinux records information in several places:

  • /var/log/messages
  • /var/log/audit/audit.log
  • /var/lib/setroubleshoot/setroubleshoot_database.xml

27. Logging: to search for SELinux errors in the audit log:

# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today

28. To find SELinux Access Vector Cache (AVC) messages for a specific service:

# ausearch -m avc -c httpd
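As an added example (not part of the original cheat sheet), here is a small POSIX shell script that reads audit.log lines, lists each AVC denial, and sorts it into the causes from item 14 before anyone reaches for audit2allow. The audit lines embedded in it are constructed samples in the real AVC format, and the function names avc_summary and avc_hint are my own.

```shell
#!/bin/sh
# Added example, not from the cheat sheet: triage AVC denials from
# /var/log/audit/audit.log before reaching for audit2allow (items 14, 25-29).
# The AVC lines below are constructed samples in the real audit format.
AVC_SAMPLE=$(cat <<'EOF'
type=AVC msg=audit(1623696067.123:456): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1623696068.456:457): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8585 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1623696068.456:457): arch=c000003e syscall=49 success=no exit=-13 comm="httpd"
EOF
)

# avc_summary: read audit lines on stdin, print one line per AVC denial:
#   <comm> <tclass> <perms> <source type> <target type>
avc_summary() {
    awk '
    /^type=AVC / && / denied / {
        comm = ""; perms = ""; st = ""; tt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="/, "", comm); sub(/"$/, "", comm) }
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); st = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            # permissions are listed between "{" and "}"; join them with commas
            if ($i == "{") { for (j = i + 1; j <= NF && $j != "}"; j++) perms = perms (perms == "" ? "" : ",") $j }
        }
        print comm, cls, perms, st, tt
    }'
}

# avc_hint: map each denial to the cheat sheet's first two causes
# (labeling vs. "SELinux needs to be told") so audit2allow is the last resort.
avc_hint() {
    avc_summary | while read -r comm cls perms st tt; do
        case "$cls:$perms" in
            tcp_socket:name_bind|udp_socket:name_bind)
                echo "$comm ($st): port labeled $tt; if legitimate, register it with semanage port (item 17)" ;;
            file:*|dir:*|lnk_file:*)
                echo "$comm ($st): $perms on $cls labeled $tt; check the path label with restorecon -nv (items 15-16)" ;;
            *)
                echo "$comm ($st): $perms on $cls ($tt); check booleans (item 19), then audit2allow -w (item 29)" ;;
        esac
    done
}

printf '%s\n' "$AVC_SAMPLE" | avc_hint
```

On a real host, feed it the audit log instead of the sample: ausearch -m avc -ts today | avc_hint.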

29. The audit2allow utility gathers information from the logs of denied operations and then generates SELinux policy allow rules. For example:

  • To generate a human-readable description of why access was denied: # audit2allow -w -a
  • To view the type enforcement rule that would allow the denied access: # audit2allow -a
  • To create a custom module: # audit2allow -a -M mypolicy
  • The -M option creates a type enforcement file (.te) with the specified name and compiles the rule into a policy package (.pp): mypolicy.pp mypolicy.te
  • To install the custom module: # semodule -i mypolicy.pp

30. To configure a single process (domain) to run in permissive mode: # semanage permissive -a httpd_t

31. If you no longer want the domain to be permissive: # semanage permissive -d httpd_t

32. To disable all permissive domains: # semodule -d permissivedomains

33. To enable the MLS SELinux policy: # yum install selinux-policy-mls
In /etc/selinux/config:

SELINUX=permissive
SELINUXTYPE=mls

Make sure SELinux is running in permissive mode: # setenforce 0
Use the fixfiles script to ensure that files are relabeled on the next reboot:

# fixfiles -F onboot
# reboot

34. Create a user with a specific MLS range: # useradd -Z staff_u john

With the useradd command, map the new user to an existing SELinux user (in this case, staff_u).

35. To view the mapping between SELinux and Linux users: # semanage login -l

36. Define a specific range for a user: # semanage login --modify --range s2:c100 john

37. To fix the label of the user's home directory (if necessary): # chcon -R -l s2:c100 /home/john

38. To view the current categories: # chcat -L

39. To change categories or start creating your own, edit the following file:

/etc/selinux/<selinuxtype>/setrans.conf

40. To run a command or script in a specific file, role, and user context:

# runcon -t initrc_t -r system_r -u user_u yourcommandhere

  • -t file context
  • -r role context
  • -u user context

41. Containers running with SELinux disabled:

  • Podman: # podman run --security-opt label=disable …
  • Docker: # docker run --security-opt label=disable …

42. If you need to give a container full access to the system:

  • Podman: # podman run --privileged …
  • Docker: # docker run --privileged …

And now you know the answer. So please: don't panic, and enable SELinux.

Source: www.habr.com