Linux security subsystems

One of the reasons for the great success of the Linux OS on embedded and mobile devices and on servers is the high level of security of the kernel, its related services and applications. But if you look more closely at the architecture of the Linux kernel, you will not find in it a box responsible for security as such. So where does the Linux security subsystem hide, and what does it consist of?

Background on Linux Security Modules and SELinux

Security Enhanced Linux is a set of rules and access mechanisms based on the mandatory and role-based access control models, intended to protect Linux systems from potential threats and to correct the shortcomings of Discretionary Access Control (DAC), the traditional Unix security system. The project was born in the depths of the US National Security Agency, and was developed directly mainly by the contractors Secure Computing Corporation and MITRE, together with a number of research laboratories.

Linux Security Modules

Linus Torvalds made a number of remarks about the new NSA development so that it could be included in the mainline Linux kernel. He described a general environment: a set of interceptors for controlling operations on objects, and a set of protective fields in kernel data structures for storing the corresponding attributes. This environment can then be used by loadable kernel modules to implement any required security model. LSM was fully merged into Linux kernel v2.6 in 2003.

The LSM framework includes guard fields in data structures and calls to interceptor functions at critical points in the kernel code, where they manipulate those fields and perform access control. It also adds functionality for registering security modules. The /sys/kernel/security/lsm interface contains the list of modules active on the system. LSM hooks are kept in lists that are called in the order specified in CONFIG_LSM. Detailed documentation on the hooks is included in the header file include/linux/lsm_hooks.h.

The LSM subsystem made it possible to complete the full integration of SELinux into the same Linux kernel v2.6. Almost immediately, SELinux became the de facto standard for a secure Linux environment and was included in the most popular distributions: RedHat Enterprise Linux, Fedora, Debian, Ubuntu.

SELinux glossary

  • Identity - An SELinux user is not the same as the usual Unix/Linux user id; they can coexist on the same system but are completely different in essence. Each standard Linux account can correspond to one or more SELinux identities. The SELinux identity is part of the overall security context, which determines which domains you can and cannot enter.
  • Domains - In SELinux, a domain is the execution context of a subject, i.e. a process. The domain directly determines the access a process has. A domain is essentially a list of what processes can do, or what a process can do with different types. Some examples of domains are sysadm_t for system administration, and user_t, which is an ordinary unprivileged user domain. The init system runs in the init_t domain, and the named process runs in the named_t domain.
  • Roles - What serves as the intermediary between domains and SELinux users. Roles determine which domains a user can be in and which object types they can access. This access control mechanism counters the threat of privilege escalation attacks. Roles are part of the Role Based Access Control (RBAC) security model used in SELinux.
  • Types - A type enforcement attribute list that is assigned to an object and determines who can access it. Similar to the domain definition, except that a domain applies to a process, while a type applies to objects such as directories, files, sockets, etc.
  • Subjects and objects - Processes are subjects and run in a particular context, or security domain. Operating system resources such as files, directories and sockets are objects, each assigned a particular type, in other words, a confidentiality level.
  • SELinux policies - SELinux uses a variety of policies to protect the system. An SELinux policy defines the access of users to roles, roles to domains, and domains to types. First, the user is authorized to obtain a role, then the role is authorized to access domains. Finally, a domain can only access certain types of objects.

LSM and SELinux architecture

Despite the name, LSMs are not, as a rule, loadable Linux modules. Instead, like SELinux, they are built directly into the kernel. Any change to the LSM source code requires a new kernel build. The corresponding option must be enabled in the kernel configuration, otherwise the LSM code will not be activated after boot. But even in that case, it can be activated through an OS bootloader option.

The LSM check stack

LSM is equipped with hooks in the core kernel functions that may be relevant for checks. One of the main properties of LSMs is that they are stacked. The standard checks are still performed, and each LSM layer only adds further controls and restrictions. This means that a denial can never be reversed by a later layer. This is shown in the figure: if the result of the standard DAC check is negative, the matter will not even reach the LSM hooks.

SELinux adopted the Flask security architecture of the Fluke research operating system, in particular the principle of least privilege. The essence of this concept, as its name suggests, is to grant a user or process only the rights necessary to perform the intended actions. This principle is implemented through type enforcement of access, so access control in SELinux is based on the domain => type model.

Thanks to type enforcement of access, SELinux has far greater access control capabilities than the traditional DAC model used in Unix/Linux operating systems. For example, you can restrict the network port number that the ftp server will bind to, or allow writing and changing files in a particular folder but not deleting them.

The main components of SELinux are:

  • Policy Enforcement Server - The main mechanism for organizing access control.
  • Security policy database.
  • Interaction with the LSM event interceptor.
  • Selinuxfs - A pseudo-FS, similar to /proc and mounted at /sys/fs/selinux. It is populated dynamically by the Linux kernel at runtime and contains files holding SELinux state information.
  • Access Vector Cache - An auxiliary mechanism for improving performance.

How SELinux works

It all works like this.

  1. A subject, acting within the SELinux rules, performs a permitted action on an object after the DAC check, as shown in the figure above. This request to perform the operation goes to the LSM event interceptor.
  2. From there, the request, together with the subject and object security contexts, is passed to the SELinux Abstraction and Hook Logic module, which is responsible for interacting with LSM.
  3. The authority that decides on the subject's access to the object is the Policy Enforcement Server, and it receives its data from the SELinux AnHL.
  4. To decide between allowing and denying access, the Policy Enforcement Server turns to the Access Vector Cache (AVC), a caching subsystem for the most frequently used rules.
  5. If the decision for the relevant rule is not found in the cache, the request is passed on to the security policy database.
  6. The lookup results from the database and from the AVC are returned to the Policy Enforcement Server.
  7. If the policy found is consistent with the requested action, the operation is allowed. Otherwise, the operation is denied.
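To make steps 4 to 7 concrete, here is a small model of the decision path, written for this article rather than taken from the SELinux sources: the policy database is a dictionary of constructed allow rules keyed by (source domain, target type, object class), the AVC is a bounded LRU cache in front of it, and a mode flag reproduces the difference between enforcing and permissive operation that the article describes.

```python
from collections import OrderedDict

# Constructed allow rules (not the real targeted policy):
# (source domain, target type, object class) -> permitted operations
POLICY_DB = {
    ("httpd_t", "httpd_sys_content_t", "file"): {"read", "getattr", "open"},
    ("httpd_t", "httpd_log_t", "file"): {"append", "create", "getattr"},
    ("httpd_t", "http_port_t", "tcp_socket"): {"name_bind"},
}


class AccessVectorCache:
    """Step 4: cache the decision vector for recently used (domain, type, class) keys."""

    def __init__(self, capacity=64):
        self.capacity = capacity
        self._entries = OrderedDict()
        self.hits = self.misses = 0

    def lookup(self, key):
        if key in self._entries:
            self.hits += 1
            self._entries.move_to_end(key)          # mark as most recently used
            return self._entries[key]
        self.misses += 1
        perms = POLICY_DB.get(key, frozenset())     # step 5: consult the policy database
        self._entries[key] = perms                  # step 6: result is returned through the AVC
        if len(self._entries) > self.capacity:
            self._entries.popitem(last=False)       # evict the least recently used entry
        return perms


AVC = AccessVectorCache()


def check_access(scontext, tcontext, tclass, perm, enforcing=True, avc=AVC):
    """Step 7: allow if the policy grants perm.

    In permissive mode the denial is only recorded and the operation proceeds anyway."""
    # the type/domain sits at index 2 of user:role:type:level
    key = (scontext.split(":")[2], tcontext.split(":")[2], tclass)
    allowed = perm in avc.lookup(key)
    if not allowed:
        print(f"avc: denied {{ {perm} }} for scontext={scontext} "
              f"tcontext={tcontext} tclass={tclass} permissive={int(not enforcing)}")
    return allowed or not enforcing
```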

Managing SELinux settings

SELinux operates in one of three modes:

  • Enforcing - Strict adherence to the security policies.
  • Permissive - Violations of the restrictions are allowed; a corresponding entry is written to the journal.
  • Disabled - The security policies are not in effect.

You can see which mode SELinux is in with the following command.

[admin@server ~]$ getenforce
Permissive

To change the mode until the next reboot, for example to set it to enforcing, pass enforcing or 1. The permissive mode corresponds to the numeric code 0.

[admin@server ~]$ setenforce enforcing
[admin@server ~]$ setenforce 1 # the same thing

You can also change the mode by editing the configuration file:

[admin@server ~]$ cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.

SELINUXTYPE=targeted

The difference from setenforce is that when the operating system boots, the SELinux mode is set according to the value of the SELINUX parameter in the configuration file. In addition, the transition enforcing <=> disabled works only by editing /etc/selinux/config and rebooting.

View a short status report:

[admin@server ~]$ sestatus

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31

To view SELinux attributes, several standard utilities accept the -Z parameter.

[admin@server ~]$ ls -lZ /var/log/httpd/
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20200920
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20200927
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20201004
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20201011
[admin@server ~]$ ps -u apache -Z
LABEL                             PID TTY          TIME CMD
system_u:system_r:httpd_t:s0     2914 ?        00:00:04 httpd
system_u:system_r:httpd_t:s0     2915 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2916 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2917 ?        00:00:00 httpd
...
system_u:system_r:httpd_t:s0     2918 ?        00:00:00 httpd

Compared with the usual ls -l output, there is an additional field in the following format:

<user>:<role>:<type>:<level>

The last component denotes something like a security classification and consists of a combination of two elements:

  • s0 - the sensitivity, also written as a range from the lowest to the highest level
  • c0, c1… c1023 - the category.
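As an added example (not code from the article), the following Python parses the user:role:type:level context shown by ls -Z and ps -Z and expands the MLS/MCS range notation (for example s0-s0:c0.c1023) into sensitivity and category sets, including the dominance check that decides whether one level covers another.

```python
import re
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Level:
    sensitivity: int          # the N in sN
    categories: frozenset     # expanded set of category numbers (0..1023)


def parse_level(text: str) -> Level:
    """Parse one level such as 's0' or 's0:c0.c1023,c5'."""
    sens_part, _, cat_part = text.partition(":")
    m = re.fullmatch(r"s(\d+)", sens_part)
    if not m:
        raise ValueError(f"bad sensitivity: {sens_part!r}")
    cats = set()
    for item in filter(None, cat_part.split(",")):
        lo, _, hi = item.partition(".")          # 'c0.c1023' is an inclusive range
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        if lo_n > hi_n or hi_n > 1023:
            raise ValueError(f"bad category range: {item!r}")
        cats.update(range(lo_n, hi_n + 1))
    return Level(int(m.group(1)), frozenset(cats))


def dominates(a: Level, b: Level) -> bool:
    """MLS dominance: a is at least as sensitive as b and covers all of b's categories."""
    return a.sensitivity >= b.sensitivity and b.categories <= a.categories


def parse_range(text: str) -> Tuple[Level, Level]:
    """Parse 'low' or 'low-high'; a single level means low == high."""
    low, _, high = text.partition("-")
    lo = parse_level(low)
    hi = parse_level(high) if high else lo
    if not dominates(hi, lo):
        raise ValueError(f"high level does not dominate low level: {text!r}")
    return lo, hi


def parse_context(ctx: str) -> dict:
    """Split user:role:type:level; the level itself may contain ':' so split at most 3 times."""
    parts = ctx.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"expected user:role:type:level, got {ctx!r}")
    user, role, type_, level = parts
    lo, hi = parse_range(level)
    return {"user": user, "role": role, "type": type_, "low": lo, "high": hi}
```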

Changing the access configuration

Use semodule to load, add and remove SELinux modules.

[admin@server ~]$ semodule -l |wc -l # list all modules
408
[admin@server ~]$ semodule -e abrt # enable - activate a module
[admin@server ~]$ semodule -d accountsd # disable - deactivate a module
[admin@server ~]$ semodule -r avahi # remove - delete a module

The semanage login group of commands links an SELinux user to an operating system user; the first command below adds such a mapping and the second lists them. Finally, the last command, with the -d switch, removes the mapping of an SELinux user to an OS account. The syntax of the MLS/MCS range values was explained in the previous section.

[admin@server ~]$ semanage login -a -s user_u karol
[admin@server ~]$ semanage login -l

Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
root unconfined_u s0-s0:c0.c1023 *
system_u system_u s0-s0:c0.c1023 *
[admin@server ~]$ semanage login -d karol

The semanage user group of commands is used to manage the mappings between SELinux users and roles.

[admin@server ~]$ semanage user -l
                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range             SELinux Roles
guest_u         user       s0         s0                    guest_r
staff_u         staff      s0         s0-s0:c0.c1023        staff_r sysadm_r
...
user_u          user       s0         s0                    user_r
xguest_u        user       s0         s0                    xguest_r
[admin@server ~]$ semanage user -a -R 'staff_r user_r' test_u
[admin@server ~]$ semanage user -d test_u

Command parameters:

  • -a add a custom user-to-role entry to the mapping;
  • -l list the users and their corresponding roles;
  • -d delete a user-to-role entry from the mapping;
  • -R the list of roles attached to the user;

Files, ports and Boolean values

Each SELinux module provides a set of file labeling rules, but you can add your own rules if necessary. For example, we want the web server to have access to the /srv/www folder.

[admin@server ~]$ semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"
[admin@server ~]$ restorecon -R /srv/www/

The first command registers the new labeling rule, and the second resets, or rather applies, the file types according to the current rules.

Similarly, TCP/UDP ports are labeled so that only the appropriate services can listen on them. For example, for the web server to listen on port 8080, you need to run the following command.

[admin@server ~]$ semanage port -m -t http_port_t -p tcp 8080

A significant number of SELinux modules have parameters that take Boolean values. The full list of such parameters can be viewed with getsebool -a. You can change Boolean values with setsebool.

[admin@server ~]$ getsebool httpd_enable_cgi
httpd_enable_cgi --> on
[admin@server ~]$ setsebool -P httpd_enable_cgi off
[admin@server ~]$ getsebool httpd_enable_cgi
httpd_enable_cgi --> off

Workshop: getting access to the pgadmin web interface

Let's look at a practical example: we installed pgadmin4-web on RHEL 7.6 to manage a PostgreSQL database. We went through the setup of pg_hba.conf, postgresql.conf and config_local.py, set the folder permissions, and installed the missing Python modules from pip. Everything is ready, we launch it and get 500 Internal Server Error.


We start with the usual suspects and look at /var/log/httpd/error_log. There are interesting entries there.

[timestamp] [core:notice] [pid 23689] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
...
[timestamp] [wsgi:error] [pid 23690] [Errno 13] Permission denied: '/var/lib/pgadmin'
[timestamp] [wsgi:error] [pid 23690] [timestamp] [wsgi:error] [pid 23690] HINT : You may need to manually set the permissions on
[timestamp] [wsgi:error] [pid 23690] /var/lib/pgadmin to allow apache to write to it.

At this point, most Linux administrators will be strongly tempted to run setenforce 0, and that will be the end of it. Honestly, I did exactly that the first time. This is of course also a way out, but far from the best one.

Despite its cumbersome design, SELinux can be quite user-friendly. Just install the setroubleshoot package and look at the system journal.

[admin@server ~]$ yum install setroubleshoot
[admin@server ~]$ journalctl -b -0
[admin@server ~]$ service auditd restart

Note that the auditd service must be restarted in this way, not with systemctl, despite the presence of systemd in the OS. The system journal will then show not only the fact of the denial, but also its reason and the way to remove the blocking.


We run the following commands:

[admin@server ~]$ setsebool -P httpd_can_network_connect 1
[admin@server ~]$ setsebool -P httpd_can_network_connect_db 1

We check access to the pgadmin4 web page; everything works.
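As an added example (not part of the original article), the following Python summarises the raw AVC denial records from the audit log that setroubleshoot interprets for you, so that denials can be grouped by source domain, target type, class and permission before any Boolean is flipped. The audit lines are constructed to resemble the pgadmin case above; the type names var_lib_t and postgresql_port_t in them are assumptions.

```python
import re
from collections import Counter

# Constructed audit records in the kernel's AVC format (not taken from a real host).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1601234567.101:812): avc:  denied  { write } for  pid=23690 comm="httpd" name="pgadmin" dev="dm-0" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1601234567.105:813): avc:  denied  { name_connect } for  pid=23690 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1601234567.105:814): avc:  denied  { name_connect } for  pid=23691 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1601234567.105:814): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields"))
    rec = {k: v.strip('"') for k, v in fields}
    rec["result"] = m.group("result")
    rec["perms"] = m.group("perms").split()
    # the type/domain is the third component of user:role:type:level
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarise_denials(text):
    """Count denials by (source domain, target type, class, permission).

    Also report whether any denial was recorded in permissive mode, since
    such operations were actually allowed to proceed and will fail for
    real once the system is switched back to enforcing."""
    counts = Counter()
    permissive_seen = False
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["sdomain"], rec["ttype"], rec["tclass"], perm)] += 1
        permissive_seen |= rec.get("permissive") == "1"
    return counts, permissive_seen
```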


source: www.habr.com
