SELinux cheat sheet for sysadmins: 42 answers to the big questions
This translation of the article was prepared specifically for students of the "Linux Administrator" course.
Here you will find answers to the big questions about life, the universe, and everything in Linux with enhanced security.
"The important truth is that things are not always what they seem..."
- Douglas Adams, The Hitchhiker's Guide to the Galaxy
Security. Hardening. Compliance. Policy. The Four Horsemen of the Sysadmin Apocalypse. Besides our daily tasks - monitoring, backups, deployment, configuration, updates, and so on - we are also responsible for the security of our systems. Even the systems where a third-party vendor recommends that we disable enhanced security. It feels like a job for Ethan Hunt from "Mission: Impossible".
Faced with this dilemma, some sysadmins decide to take the blue pill, because they think they will never know the answer to the big question of life, the universe, and everything. As we all know, that answer is 42.
In the spirit of The Hitchhiker's Guide to the Galaxy, here are 42 answers to the big questions about managing and using SELinux on your system.
1. SELinux is a mandatory access control (MAC) system, which means every process has a label. Every file, directory, and system object also has a label. Policy rules control access between labeled processes and labeled objects. The kernel enforces these rules.
2. The two most important concepts are: labeling (files, processes, ports, etc.) and type enforcement (which isolates processes from one another based on their types).
3. The correct label format is user:role:type:level (the level is optional).
4. The purpose of Multi-Level Security (MLS) enforcement is to control processes (domains) based on the security level of the data they will use. For example, a secret process cannot read top-secret data.
5. Multi-Category Security (MCS) enforcement protects similar processes from one another (for example, virtual machines, OpenShift gears, SELinux sandboxes, containers, and so on).
6. Kernel parameters for changing the SELinux mode at boot:
autorelabel=1 → forces the system to relabel
selinux=0 → the kernel does not load the SELinux infrastructure
enforcing=0 → boot in permissive mode
7. If you need to relabel the entire system:
# touch /.autorelabel
# reboot
If the labeling contains a large number of errors, you may need to boot in permissive mode for the relabel to succeed.
8. To check whether SELinux is enabled: # getenforce
9. To temporarily enable/disable SELinux enforcement (1 = enforcing, 0 = permissive): # setenforce [1|0]
10. To check the SELinux status: # sestatus
11. Configuration file: /etc/selinux/config
12. How does SELinux work? Here is an example of the labeling for an Apache web server:
Binary: /usr/sbin/httpd → httpd_exec_t
Configuration directory: /etc/httpd → httpd_config_t
Log file directory: /var/log/httpd → httpd_log_t
Content directory: /var/www/html → httpd_sys_content_t
Startup script: /usr/lib/systemd/system/httpd.service → httpd_unit_file_t
A process running as httpd_t can interact with an object labeled httpd_something_t.
13. Many commands accept the -Z argument to view, create, and modify contexts:
ls -Z
id -Z
ps -Z
netstat -Z
cp -Z
mkdir -Z
Contexts are set when files are created, based on the context of their parent directory (with a few exceptions). RPMs can set contexts as part of installation.
14. There are four main causes of SELinux errors, explained in more detail in points 15-21 below:
Labeling problems
Something SELinux needs to know
A bug in an SELinux policy/application
Your information may be compromised
15. Labeling problem: if your files in /srv/myweb are labeled incorrectly, access may be denied. Here are some ways to fix this:
If you know the label: # semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
If you know a file with equivalent labeling: # semanage fcontext -a -e /srv/myweb /var/www
Restore the context (for both cases): # restorecon -vR /srv/myweb
16. Labeling problem: if you move a file instead of copying it, the file keeps its original context. To fix this:
Change the context with an explicit label: # chcon -t httpd_sys_content_t /var/www/html/index.html
Change the context using a reference file's label: # chcon --reference /var/www/html/ /var/www/html/index.html
Restore the context (for both cases): # restorecon -vR /var/www/html/
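The following is an added example, not part of the original article: a small shell helper that splits a context into the user:role:type:level fields from point 3 and then scans ls -Z style output for files whose type does not match what the directory should carry, which is exactly the situation points 15 and 16 describe after a mv. The ls -Z lines below are constructed sample data, so the script runs on a host without SELinux; the expected type httpd_sys_content_t is taken from point 12.

```shell
#!/bin/sh
# Added example (not from the original article): parse SELinux contexts and
# report files whose type label does not match the expected type.

# Print one field of a context "user:role:type[:level]".
# The level may itself contain ':' (e.g. s2:c100), so it is taken as "field 4 onwards".
ctx_field() {
    ctx=$1
    case $2 in
        user)  printf '%s\n' "$ctx" | cut -d: -f1 ;;
        role)  printf '%s\n' "$ctx" | cut -d: -f2 ;;
        type)  printf '%s\n' "$ctx" | cut -d: -f3 ;;
        level) printf '%s\n' "$ctx" | cut -d: -f4- ;;
        *)     echo "unknown field: $2" >&2; return 1 ;;
    esac
}

# Read "context filename" lines (the format of `ls -Z` without -l) on stdin and
# print the names whose type is not $1.
find_mislabeled() {
    expected=$1
    while read -r ctx name; do
        [ -n "$ctx" ] || continue
        if [ "$(ctx_field "$ctx" type)" != "$expected" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample resembling `ls -Z /var/www/html` after upload.php was moved
# in from a home directory with mv and therefore kept its user_home_t label.
SAMPLE_LS_Z='system_u:object_r:httpd_sys_content_t:s0 index.html
unconfined_u:object_r:user_home_t:s0 upload.php
system_u:object_r:httpd_sys_content_t:s0 style.css'

# Stand-alone run: lists upload.php.
printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled httpd_sys_content_t

# On a real host the same check runs against live output:
#   ls -Z /var/www/html | find_mislabeled httpd_sys_content_t
# and `restorecon -v /var/www/html/<name>` repairs each file it reports.
```

One caveat worth keeping in mind when you reach for chcon: it changes only the label stored on the file, not the file_contexts database, so the next restorecon or autorelabel reverts it unless a matching semanage fcontext rule exists. For anything that must survive a relabel, use the fcontext plus restorecon pair from point 15.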
17. Something SELinux needs to know: if HTTPD listens on port 8585, tell SELinux:
# semanage port -a -t http_port_t -p tcp 8585
18. Something SELinux needs to know: booleans allow parts of the SELinux policy to be changed at runtime without any knowledge of SELinux policy writing. For example, if you want httpd to send email, enter: # setsebool -P httpd_can_sendmail 1
19. Something SELinux needs to know: booleans are simply on/off switches for SELinux settings:
To see all boolean values: # getsebool -a
To see the description of each one: # semanage boolean -l
To set a boolean: # setsebool [_boolean_] [1|0]
To make the setting permanent, add -P. For example: # setsebool httpd_enable_ftp_server 1 -P
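Booleans are the part of the policy most likely to drift from what you intended, because anyone with root can flip them and a non-persistent setsebool disappears at reboot. As an added example (not from the original article), this script compares the output format of getsebool -a from point 19 against a desired-state list and prints the setsebool -P commands that would correct the differences. Both the getsebool output and the desired list are constructed for the example; on a real host you would pass "$(getsebool -a)" instead.

```shell
#!/bin/sh
# Added example (not from the original article): detect SELinux boolean drift.

# Constructed sample of `getsebool -a` output (real output has the same shape).
SAMPLE_GETSEBOOL='httpd_can_network_connect --> off
httpd_can_sendmail --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on'

# Desired values for the booleans we care about (constructed). Format: name=on|off
DESIRED='httpd_can_network_connect=off
httpd_can_sendmail=on
httpd_enable_homedirs=off'

# Print "name current desired" for every boolean whose current value differs
# from the desired one. Booleans the policy does not know are reported as "unknown".
#   $1 = getsebool -a output, $2 = desired list
boolean_drift() {
    printf '%s\n' "$2" | while IFS='=' read -r name want; do
        [ -n "$name" ] || continue
        have=$(printf '%s\n' "$1" | awk -v n="$name" '$1 == n { print $3 }')
        if [ -z "$have" ]; then
            printf '%s unknown %s\n' "$name" "$want"
        elif [ "$have" != "$want" ]; then
            printf '%s %s %s\n' "$name" "$have" "$want"
        fi
    done
}

# Turn a drift report into the persistent setsebool commands that would fix it.
# They are printed rather than executed so they can be reviewed first.
drift_to_commands() {
    awk '$2 != "unknown" { v = ($3 == "on") ? 1 : 0; print "setsebool -P " $1 " " v }'
}

# Stand-alone run: reports httpd_enable_homedirs and prints one setsebool line.
boolean_drift "$SAMPLE_GETSEBOOL" "$DESIRED"
boolean_drift "$SAMPLE_GETSEBOOL" "$DESIRED" | drift_to_commands

# Live usage on an SELinux host:
#   boolean_drift "$(getsebool -a)" "$DESIRED" | drift_to_commands
```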
20. SELinux policies/applications can have bugs, including:
Unusual code paths
Configurations
Redirection of stdout
Leaked file descriptors
Executable memory
Badly built libraries
Open a ticket (do not file a Bugzilla report; Bugzilla has no SLA).
21. Your information may be compromised if you have confined domains trying to:
Load kernel modules
Turn off SELinux enforcing mode
Write to etc_t/shadow_t
Modify iptables rules
22. SELinux tools for developing policy modules:
25. If an SELinux error occurs, use the setroubleshoot log, which suggests several possible solutions.
For example, from journalctl:
Jun 14 19:41:07 web1 setroubleshoot: SELinux is preventing httpd from getattr access on the file /var/www/html/index.html. For complete message run: sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e
# sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e
SELinux is preventing httpd from getattr access on the file /var/www/html/index.html.
***** Plugin restorecon (99.5 confidence) suggests ************************
If you want to fix the label,
/var/www/html/index.html default label should be httpd_sys_content_t.
Then you can restorecon.
Do
# /sbin/restorecon -v /var/www/html/index.html
26. Logging: SELinux records information in many places:
27. Logging: searching for SELinux errors in the audit log:
# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today
28. To find SELinux Access Vector Cache (AVC) messages for a particular service:
# ausearch -m avc -c httpd
29. The audit2allow utility gathers information from the logs of denied operations and then generates SELinux policy allow rules. For example:
To produce a human-readable description of why access was denied: # audit2allow -w -a
To view the type enforcement rule that would allow the denied access: # audit2allow -a
To create a custom module: # audit2allow -a -M mypolicy
The -M option creates a type enforcement file (.te) with the given name and compiles the rule into a policy package (.pp): mypolicy.pp mypolicy.te
To install the custom module: # semodule -i mypolicy.pp
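Before feeding denials to audit2allow, it pays to look at what was actually denied: audit2allow -M allows every denial it is given, so a module built from an unreviewed log can also allow the warning signs listed in point 21. The following is an added example (not from the original article) that normalises AVC lines of the kind ausearch returns in points 27 and 28, summarises them by permission, command, source type, target type and class, and separately flags denials matching point 21. The audit lines are constructed sample data, and the mapping of point 21's warning signs to SELinux permissions (sys_module, module_load, setenforce, writes to shadow_t or etc_t) is an assumption of this example and deliberately incomplete.

```shell
#!/bin/sh
# Added example (not from the original article): summarise and triage AVC denials.

# Constructed sample audit.log lines (format matches real AVC records).
SAMPLE_AUDIT='type=AVC msg=audit(1623699667.101:300): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1623699667.102:301): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1623699667.200:302): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=8585 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1623699667.300:303): avc:  denied  { write } for  pid=2101 comm="httpd" name="shadow" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# Normalise each AVC denial on stdin to one line:
#   perms comm source_type target_type tclass
# Multiple permissions inside the braces are joined with commas.
avc_fields() {
    awk '
    /avc: +denied/ {
        perm = $0; sub(/.*[{] */, "", perm); sub(/ *[}].*/, "", perm)
        gsub(/ /, ",", perm)
        comm = ""; stype = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
            if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
            if (kv[1] == "tclass")   tclass = kv[2]
        }
        print perm, comm, stype, ttype, tclass
    }'
}

# Count identical denials, most frequent first: "count perms comm stype ttype tclass".
avc_summary() {
    avc_fields | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Keep only denials that match the warning signs from point 21 (assumed,
# partial mapping): module loading, turning off enforcement, or writes to
# shadow_t / etc_t.
avc_high_risk() {
    avc_fields | awk '
        $1 ~ /sys_module|module_load|setenforce/ ||
        ($4 ~ /^(shadow_t|etc_t)$/ && $1 ~ /write|append|create|unlink/)'
}

# Stand-alone run on the constructed sample.
echo "== denial summary =="
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
echo "== high-risk denials (review, never audit2allow these) =="
printf '%s\n' "$SAMPLE_AUDIT" | avc_high_risk

# Live usage on an SELinux host:
#   ausearch -m AVC -ts today | avc_summary
#   ausearch -m AVC -ts today | avc_high_risk
```

The summary line for the mislabeled index.html points straight at a restorecon fix (points 15 and 16), the name_connect line at a semanage port or boolean fix (points 17 to 19), while the shadow_t write is something to investigate rather than allow.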
30. To configure a single process (domain) to run in permissive mode: # semanage permissive -a httpd_t
31. If you no longer want the domain to be permissive: # semanage permissive -d httpd_t
33. Enabling the SELinux MLS policy: # yum install selinux-policy-mls
In /etc/selinux/config:
SELINUX=permissive
SELINUXTYPE=mls
Make sure SELinux is running in permissive mode: # setenforce 0
Use the fixfiles script to make sure files are relabeled on the next reboot:
# fixfiles -F onboot
# reboot
34. Create a user with a specific MLS range: # useradd -Z staff_u john
Using the useradd command, map the new user to an existing SELinux user (in this case, staff_u).
35. To view the mapping between SELinux users and Linux users: # semanage login -l
36. Define a specific range for the user: # semanage login --modify --range s2:c100 john
37. To fix the label on the user's home directory (if needed): # chcon -R -l s2:c100 /home/john
38. To view the current categories: # chcat -L
39. To modify the categories or to start creating your own, edit the following file:
/etc/selinux/<selinuxtype>/setrans.conf
40. To run a command or script in a specific file, role, and user context: