An SELinux cheat sheet for system administrators: 42 answers to the big questions

This translation of the article was prepared specifically for students of the "Linux Administrator" course.

Here you will find the answers to the big questions about life, the universe and everything in Security-Enhanced Linux.

"The important truth is that things are not always common knowledge ..."

- Douglas Adams, The Hitchhiker's Guide to the Galaxy

Security. Hardening. Compliance. Policy. The four horsemen of the sysadmin apocalypse. In addition to our daily tasks (monitoring, backups, deployment, tuning, updates, and so on), we are also responsible for the security of our systems. Even those systems where the third-party vendor advises us to disable the enhanced security. It feels like a job for Ethan Hunt from "Mission: Impossible."

Faced with this dilemma, some system administrators decide to take the blue pill, because they believe they will never know the answer to the big question of life, the universe and everything. And as we all know, that answer is 42.

In the spirit of The Hitchhiker's Guide to the Galaxy, here are the 42 answers to the big questions about managing and using SELinux on your systems.

1. SELinux is a mandatory access control system built on labels, which means that every process has a label. Every file, directory and system object has a label too. Policy rules control access between labeled processes and labeled objects, and the kernel enforces these rules.

2. The two most important concepts are labeling (of files, processes, ports, and so on) and type enforcement (which isolates processes from one another based on their types).

3. The correct label format is user:role:type:level (the level is optional).

4. The purpose of Multi-Level Security (MLS) enforcement is to control processes (domains) according to the security level of the data they will work with. For example, a secret process cannot read top-secret data.

5. Multi-Category Security (MCS) enforcement protects similar processes from one another (for example virtual machines, OpenShift gears, SELinux sandboxes, containers, and so on).

6. Kernel options for changing the SELinux mode at boot:

  • autorelabel=1 → forces the system to relabel
  • selinux=0 → the kernel does not load the SELinux infrastructure
  • enforcing=0 → boot in permissive mode

7. If you need to relabel the entire system:

# touch /.autorelabel
# reboot

If the system labeling contains a large number of errors, you may need to boot in permissive mode for the relabeling to succeed.

8. To check whether SELinux is enabled: # getenforce

9. To temporarily enable/disable SELinux: # setenforce [1|0]

10. To check the SELinux status: # sestatus

11. Configuration file: /etc/selinux/config

12. How does SELinux work? Here is an example of the labeling for an Apache web server:

  • Binary: /usr/sbin/httpd → httpd_exec_t
  • Configuration directory: /etc/httpd → httpd_config_t
  • Log file directory: /var/log/httpd → httpd_log_t
  • Content directory: /var/www/html → httpd_sys_content_t
  • Startup script: /usr/lib/systemd/system/httpd.service → httpd_unit_file_t
  • Process: /usr/sbin/httpd -DFOREGROUND → httpd_t
  • Ports: 80/tcp, 443/tcp → httpd_t, http_port_t

A process running in the httpd_t context can interact with an object labeled httpd_something_t.

13. Many commands accept the -Z argument to view, create and modify contexts:

  • ls -Z
  • id -Z
  • ps -Z
  • netstat -Z
  • cp -Z
  • mkdir -Z

Contexts are set when files are created, based on the context of their parent directory (with a few exceptions). RPMs can set contexts during installation.

14. There are four main causes of SELinux errors, explained further in items 15-21 below:

  • Labeling problems
  • Something SELinux needs to know
  • A bug in an SELinux policy/application
  • Your information may be compromised

15. Labeling problem: if your files in /srv/myweb are labeled incorrectly, access may be denied. Here are some ways to fix this:

  • If you know the label:
    # semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
  • If you know a path with equivalent labeling (existing path first, then the new one):
    # semanage fcontext -a -e /var/www /srv/myweb
  • Restore the context (in both cases):
    # restorecon -vR /srv/myweb

16. Labeling problem: if you move a file instead of copying it, the file keeps its original context. To fix this:

  • Change the context with the label:
    # chcon -t httpd_sys_content_t /var/www/html/index.html
  • Change the context using a reference file's label:
    # chcon --reference /var/www/html/ /var/www/html/index.html
  • Restore the context (in both cases): # restorecon -vR /var/www/html/
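As an added example that is not part of the original article, the following shell script shows the labeling problems of items 15 and 16 as an offline dry run: it resolves a path's expected type from a small constructed file-context table (the same pattern syntax `semanage fcontext` uses; the last matching entry wins, so a local rule overrides a default), compares it with the type field of `ls -Z`-style lines, and prints the chcon or restorecon fix. Both the table and the file listing are constructed sample data, not taken from a real system.

```shell
#!/bin/sh
# Constructed file-context table (pattern -> type) in the regex syntax that
# `semanage fcontext` and file_contexts use. Later entries win, mirroring how
# a local rule such as /srv/myweb(/.*)? from item 15 overrides the defaults.
FCONTEXTS='
/home/[^/]+(/.*)?       user_home_t
/var/www(/.*)?          httpd_sys_content_t
/var/log/httpd(/.*)?    httpd_log_t
/srv/myweb(/.*)?        httpd_sys_content_t
'

# expected_type PATH: prints the type of the last matching pattern,
# or "unknown" when nothing matches.
expected_type() {
    found=unknown
    while read -r pat type; do
        [ -n "$pat" ] || continue
        if printf '%s\n' "$1" | grep -Eq "^${pat}\$"; then found=$type; fi
    done <<EOF
$FCONTEXTS
EOF
    printf '%s\n' "$found"
}

# report_mislabeled: reads "context path" lines as printed by `ls -Z` on stdin
# and reports every file whose type (third field of user:role:type:level)
# differs from the expected one, with the chcon fix from item 16 and restorecon.
report_mislabeled() {
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        cur=${ctx#*:*:}; cur=${cur%%:*}        # third colon-separated field
        want=$(expected_type "$path")
        if [ "$want" != unknown ] && [ "$cur" != "$want" ]; then
            printf '%s: %s -> %s (fix: chcon -t %s %s, or restorecon -v %s)\n' \
                "$path" "$cur" "$want" "$want" "$path" "$path"
        fi
    done
}

# Constructed listing: index.html was moved (mv) in from a home directory and
# kept its user_home_t label; the other two files are labeled correctly.
SAMPLE_LS_Z='
unconfined_u:object_r:user_home_t:s0 /var/www/html/index.html
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/about.html
system_u:object_r:httpd_log_t:s0 /var/log/httpd/access_log
'
printf '%s\n' "$SAMPLE_LS_Z" | report_mislabeled
```

On a real host the same comparison is what `restorecon -nv` reports, using the system's file_contexts instead of the table above.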

17. If SELinux needs to know that HTTPD listens on port 8585, tell SELinux:

# semanage port -a -t http_port_t -p tcp 8585

18. SELinux needs to know: booleans allow parts of the SELinux policy to be changed at runtime without any knowledge of SELinux policy writing. For example, if you want httpd to send email, enter: # setsebool -P httpd_can_sendmail 1

19. SELinux needs to know: booleans are simple on/off settings for SELinux:

  • To see all booleans: # getsebool -a
  • To see the description of each one: # semanage boolean -l
  • To set a boolean: # setsebool [boolean] [1|0]
  • To make the setting permanent, add -P. For example: # setsebool -P httpd_enable_ftp_server 1

20. SELinux policies/applications can contain bugs, including:

  • Unusual code paths
  • Configurations
  • Redirection of stdout
  • Leaked file descriptors
  • Executable memory
  • Badly built libraries

Open a ticket (do not file a Bugzilla report; Bugzilla has no SLA).

21. Your information may be compromised if you have confined domains trying to:

  • Load kernel modules
  • Turn off SELinux enforcing mode
  • Write to etc_t/shadow_t
  • Modify iptables rules

22. SELinux tools for developing policy modules:

# yum -y install setroubleshoot setroubleshoot-server

Reboot, or restart auditd, after installing.

23. Use journalctl to list all logs related to setroubleshoot:

# journalctl -t setroubleshoot --since=14:20

24. Use journalctl to list all logs related to a particular SELinux label. For example:

# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0

25. When an SELinux error occurs, use the setroubleshoot log to get a number of possible solutions.
For example, from journalctl:

Jun 14 19:41:07 web1 setroubleshoot: SELinux is preventing httpd from getattr access on the file /var/www/html/index.html. For complete message run: sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e

# sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e
SELinux is preventing httpd from getattr access on the file /var/www/html/index.html.

***** Plugin restorecon (99.5 confidence) suggests ************************

If you want to fix the label,
/var/www/html/index.html default label should be httpd_sys_content_t.
Then you can restorecon.
Do
# /sbin/restorecon -v /var/www/html/index.html

26. Logging: SELinux records information in several places:

  • /var/log/messages
  • /var/log/audit/audit.log
  • /var/lib/setroubleshoot/setroubleshoot_database.xml

27. Logging: to look for SELinux errors in the audit log:

# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today

28. To find SELinux Access Vector Cache (AVC) messages for a particular service:

# ausearch -m avc -c httpd

29. The audit2allow utility gathers information from the logs of denied operations and generates SELinux allow rules. For example:

  • To produce a human-readable description of why access was denied: # audit2allow -w -a
  • To view the type enforcement rule that would allow the denied access: # audit2allow -a
  • To create a custom module: # audit2allow -a -M mypolicy
  • The -M option creates a type enforcement file (.te) with the given name and compiles the rule into a policy package (.pp): mypolicy.pp mypolicy.te
  • To install the custom module: # semodule -i mypolicy.pp
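As an added example not found in the original article, this shell script does by hand what items 27-29 describe: it reads AVC records in the audit.log shape (constructed sample lines, not from a real host), groups the denied permissions by source type, target type and object class, and prints the allow rules that `audit2allow -a` would generate for them.

```shell
#!/bin/sh
# Constructed audit.log AVC records (not from a real system): two httpd denials
# on a file that kept a home-directory label, and one on a port the policy
# does not know about (the item 17 case).
SAMPLE_AVC='
type=AVC msg=audit(1528998067.123:456): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=1337 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1528998068.456:457): avc:  denied  { read } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=1337 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1528998070.789:458): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8585 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
'

# avc_to_allow: reads AVC records on stdin, groups the denied permissions by
# (source type, target type, object class) and prints one allow rule per group
# in the form `audit2allow -a` uses.
avc_to_allow() {
    awk '
    /avc: +denied/ {
        perms = $0                                  # text between { and }
        sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        st = tt = cls = ""
        for (i = 1; i <= NF; i++) {                 # key=value fields
            n = index($i, "="); if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "scontext")      { split(v, c, ":"); st = c[3] }
            else if (k == "tcontext") { split(v, c, ":"); tt = c[3] }
            else if (k == "tclass")   cls = v
        }
        key = st " " tt ":" cls                     # e.g. httpd_t user_home_t:file
        if (!(key in set)) { set[key] = ""; keys[++count] = key }
        m = split(perms, p, " ")
        for (j = 1; j <= m; j++)
            if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; set[key] = set[key] " " p[j] }
    }
    END {
        for (i = 1; i <= count; i++) {
            s = substr(set[keys[i]], 2)             # drop the leading space
            if (index(s, " ")) printf "allow %s { %s };\n", keys[i], s
            else               printf "allow %s %s;\n", keys[i], s
        }
    }'
}

printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

Check the generated rules against items 15-17 before turning them into a module: the file denials are a labeling problem (restorecon) and the name_bind denial is a port SELinux needs to know about (semanage port), so neither should become a custom allow rule.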

30. To configure a single process (domain) to run in permissive mode: # semanage permissive -a httpd_t

31. If you no longer want the domain to be permissive: # semanage permissive -d httpd_t

32. To disable all permissive domains: # semodule -d permissivedomains

33. To enable the SELinux MLS policy: # yum install selinux-policy-mls
Then, in /etc/selinux/config:

SELINUX=permissive
SELINUXTYPE=mls

Make sure SELinux is running in permissive mode: # setenforce 0
Use the fixfiles script to ensure that the files are relabeled on the next reboot:

# fixfiles -F onboot
# reboot

34. Create a user with a specific MLS range: # useradd -Z staff_u john

With the useradd command, the new user is mapped to an existing SELinux user (in this example, staff_u).

35. To view the mapping between SELinux and Linux users: # semanage login -l

36. Define a specific range for a user: # semanage login --modify --range s2:c100 john

37. To correct the label on the user's home directory (if needed): # chcon -R -l s2:c100 /home/john

38. To list the current categories: # chcat -L

39. To modify the categories, or to start creating your own, edit the following file:

/etc/selinux/<selinuxtype>/setrans.conf

40. To run a command or script in a specific file (type), role and user context:

# runcon -t initrc_t -r system_r -u user_u yourcommandhere

  • -t is the file (type) context
  • -r is the role context
  • -u is the user context

41. Containers running with SELinux disabled:

  • With Podman: # podman run --security-opt label=disable …
  • With Docker: # docker run --security-opt label=disable …

42. If you need to give a container full access to the system:

  • With Podman: # podman run --privileged …
  • With Docker: # docker run --privileged …

And now you know the answer. So please: don't panic, and turn SELinux on.

References:

Source: www.habr.com