A Beginner's Guide to SELinux

This translation of the article was prepared for students of the "Linux Security" course.

SELinux, or Security-Enhanced Linux, is an additional access control mechanism developed by the US National Security Agency (NSA) to prevent malicious intrusions. It applies a mandatory access control model (Mandatory Access Control, MAC) on top of the existing discretionary model (Discretionary Access Control, DAC), that is, on top of the read, write and execute permissions.

SELinux has three modes:

  1. Enforcing: access is denied according to the policy rules.
  2. Permissive: actions that violate the policy, and that would be blocked in enforcing mode, are only logged.
  3. Disabled: SELinux is completely turned off.

By default, the settings are in /etc/selinux/config

Changing SELinux modes

To find out the current mode, run

$ getenforce

To switch to permissive mode, use the following command

$ setenforce 0

or, to switch from permissive to enforcing, run

$ setenforce 1

If you want to disable SELinux completely, this can only be done through the configuration file

$ vi /etc/selinux/config

To disable it, change the SELINUX parameter as follows:

SELINUX=disabled
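A check worth running alongside these commands: setenforce 0/1 changes only the live mode and is lost at reboot, while an edit to /etc/selinux/config takes effect only at the next reboot, so the two can silently disagree. The script below is an added example, not code from the original article; it parses a config file in the /etc/selinux/config format and compares the configured mode with the string getenforce prints. The config text and the "pretend" getenforce answers are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: detect "mode drift" between
# /etc/selinux/config and the running kernel.

# Constructed config text, modelled on the layout of /etc/selinux/config.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these values:
SELINUXTYPE=targeted
'

# configured_mode FILE: print the SELINUX= value from FILE, skipping comment
# lines and tolerating whitespace around "="; exit 1 if the value is
# missing or is not one of the three valid modes.
configured_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    case "$mode" in
        enforcing|permissive|disabled) printf '%s\n' "$mode" ;;
        *) return 1 ;;
    esac
}

# mode_drift FILE RUNTIME: compare the configured mode with RUNTIME, the
# string `getenforce` prints (Enforcing, Permissive or Disabled).
# Prints "ok: <mode>" and returns 0 when they agree, otherwise prints the
# mismatch and returns 1.
mode_drift() {
    cfg=$(configured_mode "$1") || { echo "invalid or missing SELINUX= in $1"; return 1; }
    run=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "$cfg" = "$run" ]; then
        echo "ok: $cfg"
        return 0
    fi
    echo "mismatch: config=$cfg running=$run (the next reboot will return to $cfg)"
    return 1
}

# Stand-alone demo: write the constructed config to a temp file and compare it
# with two pretend `getenforce` answers. On a real host you would run:
#   mode_drift /etc/selinux/config "$(getenforce)"
tmp=$(mktemp)
printf '%s' "$SAMPLE_CONFIG" > "$tmp"
mode_drift "$tmp" Enforcing
mode_drift "$tmp" Permissive || true
rm -f "$tmp"
```

The parser deliberately ignores commented-out lines such as `#SELINUX=disabled`, which are common in this file, and rejects any value outside the three documented modes, so a typo in the config is reported rather than treated as "disabled".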

Setting up SELinux

Every file and process is marked with an SELinux context, which carries additional information such as user, role, type and so on. If this is the first time you are enabling SELinux, you will first need to set up contexts and labels. The process of assigning labels and contexts is known as labeling. To start labeling, we switch to permissive mode in the configuration file.

$ vi /etc/selinux/config
SELINUX=permissive

After setting permissive mode, create an empty hidden file in the root directory named autorelabel

$ touch /.autorelabel

and reboot the computer

$ init 6

Note: we use permissive mode for labeling, because using enforcing mode can cause the system to crash during the reboot.

Don't worry if the boot seems to be stuck on some file; labeling takes time. Once labeling is finished and your system has booted, you can go to the configuration file, set enforcing mode, and run again:

$ setenforce 1

You have successfully enabled SELinux on your computer.

Monitoring the logs

You may have encountered errors during labeling or while the system is running. To check that your SELinux is working correctly and is not blocking access to some port, application and so on, you need to look at the logs. The SELinux log is /var/log/audit/audit.log, but you don't need to read all of it to find the errors. You can use the audit2why utility to find them. Run the following command:

$ audit2why < /var/log/audit/audit.log

As a result, you will get a list of errors. If there were no errors in the log, no messages will be shown.

Configuring SELinux policy

An SELinux policy is the set of rules that drives the SELinux security mechanism. A policy defines a set of rules for a specific environment. Now we will learn how to configure policies to allow access to restricted services.

1. Booleans (switches)

Switches (booleans) let you change parts of the policy at runtime without writing new policies. They let you make changes without reloading or recompiling SELinux policies.

Example:
Suppose we want to share a user's home directory over FTP for reading and writing, and we have already shared it, but when we try to access it we see nothing. This is because the SELinux policy prevents the FTP server from reading and writing in the user's home directory. We need to change the policy so that the FTP server can access home directories. Let's see whether there is a switch for this by running

$ semanage boolean -l

This command lists the available switches with their current state (on or off) and a description. You can narrow the search by adding grep to get only the ftp-related results:

$ semanage boolean -l | grep ftp

and you will get the following

ftp_home_dir        -> off       Allow ftp to read & write file in user home directory

This switch is off, so we turn it on with setsebool:

$ setsebool ftp_home_dir on

Now our ftp daemon will be able to access the user's home directory.
Note: you can also get the list of available switches without descriptions by running getsebool -a
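Because booleans can be flipped at runtime, it is useful to compare a host's live boolean state against a baseline you keep, so that a switch someone turned on to "make it work" is noticed. The script below is an added example, not code from the original article. It takes the text that getsebool -a prints (lines of the form `name --> on`) and a baseline of desired states; both inputs here are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: compare the live boolean
# state (the text `getsebool -a` prints) against a baseline, so a boolean
# that was flipped on a host shows up as drift.

# Constructed getsebool -a output.
GETSEBOOL_OUTPUT='ftp_home_dir --> off
httpd_can_network_connect --> on
httpd_enable_homedirs --> off
samba_enable_home_dirs --> off'

# Constructed baseline: one "name state" pair per line. Booleans absent from
# the baseline are ignored; booleans in the baseline that the host does not
# report are flagged (a typo, or a policy module that is not installed).
BASELINE='ftp_home_dir on
httpd_can_network_connect off
httpd_enable_homedirs off
nonexistent_bool off'

# boolean_drift GETSEBOOL_TEXT BASELINE_TEXT: print one line per difference,
# nothing when the host matches the baseline.
boolean_drift() {
    printf '%s\n' "$1" | awk -v baseline="$2" '
    BEGIN {
        n = split(baseline, lines, "\n")
        for (i = 1; i <= n; i++) {
            if (split(lines[i], kv, " ") == 2) want[kv[1]] = kv[2]
        }
    }
    # getsebool -a lines look like: name --> on|off
    $2 == "-->" && ($1 in want) {
        seen[$1] = 1
        if ($3 != want[$1]) printf "%s is %s, baseline says %s\n", $1, $3, want[$1]
    }
    END {
        for (b in want) if (!(b in seen)) printf "%s not reported by getsebool\n", b
    }'
}

# Stand-alone demo; on a real host: boolean_drift "$(getsebool -a)" "$BASELINE"
boolean_drift "$GETSEBOOL_OUTPUT" "$BASELINE"
```

When correcting drift, remember that `setsebool name on` as shown in the article changes only the running policy; `setsebool -P name on` also writes the change to the policy store so it survives a reboot.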

2. Labels and contexts

This is the most common way to enforce SELinux policy. Every file, directory, process and port is marked with an SELinux context:

  • For files and directories, labels are stored as extended attributes in the file system and can be viewed with the following command:
    $ ls -Z /etc/httpd
  • For processes and ports, labeling is managed by the kernel, and you can view these labels as follows:

process

$ ps auxZ | grep httpd

port

$ netstat -anpZ | grep httpd

Example:
Now let's look at an example to understand labels and contexts better. Suppose we have a web server that uses /home/dan/html/ instead of the /var/www/html/ directory. SELinux will treat this as a policy violation and you will not be able to view your web pages. This is because we have not set the security context associated with HTML files. To see the default security context, use the following command:

$ ls -lZ /var/www/html
 -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/

We see httpd_sys_content_t as the context for the html files. We need to set this security context on our directory, which at the moment has the following context:

-rw-r--r--. dan dan system_u:object_r:user_home_t:s0 /home/dan/html/

Another command for checking the security context of a file or directory:

$ semanage fcontext -l | grep '/var/www'

Now that we have found the correct security context, we use semanage again to change the context. To change the context of /home/dan/html, use the following commands:

$ semanage fcontext -a -t httpd_sys_content_t '/home/dan/html(/.*)?'
$ semanage fcontext -l | grep '/home/dan/html'
/home/dan/html(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
$ restorecon -Rv /home/dan/html

After the context has been changed with semanage, the restorecon command applies the default context to the files and directories. Our web server will now be able to read the files in /home/dan/html, because the security context of that directory has changed to httpd_sys_content_t.
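To make the semanage fcontext / restorecon step concrete, the script below is an added example, not code from the original article. It keeps a constructed rule table in the style of `semanage fcontext -l` (the /home/dan/html rule is the one from the article; the others are representative real types), resolves which rule applies to a path, and then lists which files would be relabeled, which is roughly what `restorecon -Rvn` (dry run) reports. The precedence used here, first matching rule wins with the most specific rules listed first, is a simplification of libselinux's ordering.

```shell
#!/bin/sh
# Added example, not from the original article: resolve the label a path
# should carry from a file-context rule table, then plan a relabel.

# Constructed rule table: anchored regex, then the type to apply. More
# specific rules come first because the first match wins in this model.
FCONTEXT_RULES='/var/www/cgi-bin(/.*)?  httpd_sys_script_exec_t
/var/www(/.*)?          httpd_sys_content_t
/home/dan/html(/.*)?    httpd_sys_content_t
/home/[^/]+/.+          user_home_t
/home/[^/]+             user_home_dir_t
/.*                     default_t'

# label_for PATH: print the type of the first rule whose regex matches the
# whole PATH; exit 1 when nothing matches.
label_for() {
    path=$1
    while read -r regex type; do
        # Anchor the rule so "/home/dan/html" cannot match "/home/dan/htmlx".
        if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
            printf '%s\n' "$type"
            return 0
        fi
    done <<EOF
$FCONTEXT_RULES
EOF
    return 1
}

# Constructed snapshot of current labels ("path current_type"), the kind
# of thing you would extract from `ls -RZ` before relabeling.
CURRENT_LABELS='/home/dan/html user_home_t
/home/dan/html/index.html user_home_t
/home/dan/notes.txt user_home_t
/var/www/cgi-bin/test.cgi httpd_sys_content_t'

# relabel_plan: for each "path current_type" line on stdin, print the paths
# whose current type differs from the rule table, with old and new type.
relabel_plan() {
    while read -r path cur; do
        want=$(label_for "$path") || { printf '%s: no rule\n' "$path"; continue; }
        [ "$want" = "$cur" ] || printf '%s %s -> %s\n' "$path" "$cur" "$want"
    done
}

# Stand-alone demo.
printf '%s\n' "$CURRENT_LABELS" | relabel_plan
```

The regex `/home/dan/html(/.*)?` matches both the directory itself and everything below it, which is why restorecon -R relabels the whole tree; a rule written as `/home/dan/html` alone would leave index.html labeled user_home_t.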

3. Creating local policies

There may be situations where the methods above do not help and you get errors (avc/denial) in audit.log. When this happens, you need to create a local policy. You can find all the errors with audit2why, as described above.

You can create a local policy to resolve these errors. For example, we get an error related to httpd (apache) or smbd (samba); we filter out those errors and create a policy from them:

apache
$ grep httpd_t /var/log/audit/audit.log | audit2allow -M http_policy
samba
$ grep smbd_t /var/log/audit/audit.log | audit2allow -M smb_policy

where http_policy and smb_policy are the names of the local policies we created. Now we need to load these local policies into the current SELinux policy. This can be done as follows:

$ semodule -i http_policy.pp
$ semodule -i smb_policy.pp

Our local policies are loaded, and we should no longer see any avc or denial messages in audit.log.
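Both the log-monitoring section above and the local-policy step rely on reading AVC records out of audit.log: audit2why explains them, and the `grep httpd_t ... | audit2allow` pipeline assumes you already know which source domain is being denied. The script below is an added example, not code from the original article; it summarises AVC denials by source type, target type, class and permission, and separates denials that were actually blocked (permissive=0) from those only logged in permissive mode. The audit records are constructed to follow the real auditd format, with made-up pids, inodes and timestamps.

```shell
#!/bin/sh
# Added example, not from the original article: summarise SELinux AVC
# denials from audit.log-style records.

# Constructed sample records in the auditd AVC format.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="sda1" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read } for  pid=1201 comm="httpd" name="style.css" dev="sda1" ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { search } for  pid=1202 comm="smbd" name="dan" dev="sda1" ino=2001 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { name_bind } for  pid=1201 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1'

# summarize_avc: read audit records on stdin and print one sorted line per
# distinct "source_type target_type class permission blocked|logged-only"
# followed by the number of times it occurred. Non-AVC records are skipped.
summarize_avc() {
    awk '
    /^type=AVC / && / denied / {
        # The permission(s) sit between the braces: { read }
        perm = $0; sub(/.*\{ */, "", perm); sub(/ *\}.*/, "", perm)
        src = "?"; tgt = "?"; cls = "?"; mode = "unknown"
        for (i = 1; i <= NF; i++) {
            # context fields are user:role:type:level; the type is field 3
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            # permissive=1 means the access was allowed and only logged
            if ($i ~ /^permissive=/) { mode = (substr($i, 12) == "1") ? "logged-only" : "blocked" }
        }
        count[src " " tgt " " cls " " perm " " mode]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Stand-alone demo; on a real host: summarize_avc < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_avc
```

The first column is the domain you would pass to grep before audit2allow (httpd_t or smbd_t in the article's commands). Reading the target type first is also worth the habit: a denial whose target is user_home_t is usually resolved by a boolean or a relabel, as in the two earlier sections, and only the remainder should end up in a custom module.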

This was my attempt to help you understand SELinux. I hope that after reading this article you will feel more comfortable with SELinux.

Source: www.habr.com
