A beginner's guide to SELinux

A translation of an article prepared for students of the "Linux Security" course

SELinux, or Security Enhanced Linux, is an access control mechanism developed by the US National Security Agency (NSA) to restrict what each process may touch, so that a compromised service cannot reach anything its policy does not grant. It applies a Mandatory Access Control (MAC) model on top of the existing Discretionary Access Control (DAC) model, that is, the usual read, write and execute permissions. The two are checked in sequence: a request is first checked against the DAC permissions, and only if those allow it is the SELinux policy consulted. SELinux can therefore only take access away; it never grants access that the file permissions deny.

SELinux has three modes:

  1. Enforcing: access is denied according to the policy rules, and every denial is logged.
  2. Permissive: actions that violate the policy are only logged; they would be blocked in enforcing mode. This is the mode for debugging and for the initial labeling.
  3. Disabled: SELinux is switched off completely; no policy is loaded and no labels are maintained.

By default the settings live in /etc/selinux/config

Switching SELinux modes

To find the current mode, run

$ getenforce

To switch to permissive mode, use the following command

$ setenforce 0

or, to switch from permissive back to enforcing, issue

$ setenforce 1

setenforce only toggles between enforcing and permissive at runtime, and it does nothing at all when SELinux is disabled. If you need to disable SELinux completely, this can only be done through the configuration file, and it takes effect on the next boot

$ vi /etc/selinux/config

To disable it, change the SELINUX parameter like this:

SELINUX=disabled

and reboot. Bear in mind that files created while SELinux is disabled get no labels, so turning it back on later requires the relabeling procedure described in the next section.

Setting up SELinux

Every file and process is marked with an SELinux context, which carries additional information such as the user, role, type and so on. If this is the first time you enable SELinux, you first need to set up the contexts and labels. The process of assigning labels and contexts is called labeling. To start labeling, switch the mode to permissive in the configuration file.

$ vi /etc/selinux/config
SELINUX=permissive

After setting permissive mode, create an empty hidden file named autorelabel in the root directory

$ touch /.autorelabel

and reboot the machine

$ init 6

Note: We use permissive mode for labeling, because rebooting in enforcing mode with unlabeled files can leave the system unable to boot: the policy denies services access to files whose labels do not yet exist.

Don't worry if the boot appears to hang on some file; labeling takes a while. When labeling has finished and your system has booted, it is worth reviewing the denials logged during the permissive run (see the next section), since each of them becomes a block once you enforce. Then go to the configuration file, set the mode to enforcing, and run:

$ setenforce 1

You have now successfully enabled SELinux on your machine.
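The first-enable procedure above (permissive in the config file, the /.autorelabel flag, reboot, enforcing only afterwards), as an added example that is not part of the original article: a small Python script that edits the config safely and refuses any mode value other than the three documented ones. /etc/selinux/config, /.autorelabel and /sys/fs/selinux/enforce are the standard paths; the function names, the SAMPLE_CONFIG text and the dry-run behaviour are this example's own assumptions.

```python
"""Stage the first-enable procedure: SELINUX=permissive in /etc/selinux/config
plus an empty /.autorelabel, so the next boot relabels without enforcing.
Added example, not from the original article."""
import os
import re
from typing import Optional

CONFIG_PATH = "/etc/selinux/config"      # standard location, as in the article
RELABEL_FLAG = "/.autorelabel"           # standard flag file, as in the article
VALID_MODES = ("enforcing", "permissive", "disabled")

# Constructed stand-in for a stock config file, used for the dry run below.
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing

# SELINUXTYPE= can take one of these values:
SELINUXTYPE=targeted
"""

# Only an uncommented SELINUX= line counts; the anchors keep "# SELINUX=" and
# "SELINUXTYPE=" from matching.
_MODE_RE = re.compile(r"^SELINUX=(\S+)[ \t]*$", re.MULTILINE)


def config_mode(text: str) -> Optional[str]:
    """Mode the config file will apply at next boot, or None if it sets none."""
    m = _MODE_RE.search(text)
    return m.group(1).lower() if m else None


def set_config_mode(text: str, mode: str) -> str:
    """Return the config text with its SELINUX= line set to `mode`.

    Comments and other keys are left untouched.  Anything but the three
    documented values is rejected, so a typo cannot leave the system booting
    with an unloadable setting."""
    mode = mode.lower()
    if mode not in VALID_MODES:
        raise ValueError(f"invalid SELinux mode {mode!r}, expected one of {VALID_MODES}")
    if _MODE_RE.search(text):
        return _MODE_RE.sub(f"SELINUX={mode}", text, count=1)
    return text.rstrip("\n") + f"\nSELINUX={mode}\n"   # no active line: add one


def runtime_mode() -> str:
    """What `getenforce` prints, read from selinuxfs.  No selinuxfs means SELinux
    is disabled for this boot, and setenforce cannot change that."""
    try:
        with open("/sys/fs/selinux/enforce") as f:
            return "Enforcing" if f.read().strip() == "1" else "Permissive"
    except OSError:
        return "Disabled"


def stage_relabel(config_path: str = CONFIG_PATH, flag_path: str = RELABEL_FLAG) -> str:
    """The article's two preparatory steps.  Returns the rewritten config text.
    Nothing is relabeled until the reboot; switch to enforcing only after it."""
    with open(config_path) as f:
        text = f.read()
    new_text = set_config_mode(text, "permissive")
    with open(config_path, "w") as f:
        f.write(new_text)
    open(flag_path, "a").close()   # equivalent of `touch /.autorelabel`
    return new_text


if __name__ == "__main__":
    if hasattr(os, "geteuid") and os.geteuid() == 0 and os.path.exists(CONFIG_PATH):
        stage_relabel()
        print("config set to permissive and /.autorelabel created; reboot to relabel")
    else:
        # Dry run on the constructed sample: show the edit without touching the system.
        print("runtime mode:", runtime_mode())
        print(set_config_mode(SAMPLE_CONFIG, "permissive"), end="")
```

Run as root it performs the two steps and leaves the reboot to you; run unprivileged it prints the edit it would make. The mode whitelist matters: an unknown value in SELINUX= is exactly the kind of mistake that is only noticed on the next boot.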

Monitoring the logs

You may run into some errors during labeling or while the system is running. To check whether SELinux is working correctly and whether it is blocking access to some port, application, etc., you need to look at the logs. The SELinux log is /var/log/audit/audit.log, where every denial is recorded as a type=AVC record, but you don't need to read everything to find the errors. You can use the audit2why utility to find them (ausearch -m AVC -ts recent pulls out just the recent denials if the log is large). Run the following command:

$ audit2why < /var/log/audit/audit.log

As a result you will get a list of denials, each followed by audit2why's explanation of why the policy blocked it: a missing allow rule, a boolean that is switched off, or a constraint. If there are no denials in the log, no messages will be shown.

Configuring the SELinux policy

The SELinux policy is the set of rules that drives the SELinux security mechanism. A policy defines the rules for a particular environment. We will now learn how to adjust the policy so that services which are being denied get the access they need.

1. Booleans (switches)

Booleans let you change parts of the policy at runtime without writing new policy. They allow changes without rebooting or recompiling the SELinux policy.

Example:
Say we want to share a user's home directory over FTP with read/write access, and we have already shared it, but when we try to access it we see nothing. This is because the SELinux policy prevents the FTP server from reading and writing the user's home directory. We need to change the policy so that the FTP server can access home directories. Let's see whether there is a boolean for this by running

$ semanage boolean -l

This command lists the available booleans with their current state (on or off) and a description. You can narrow the search by piping it through grep to get only the ftp results:

$ semanage boolean -l | grep ftp

and you will get the following

ftp_home_dir        -> off       Allow ftp to read & write file in user home directory

This boolean is off, so we turn it on with setsebool:

$ setsebool ftp_home_dir on

Without -P the change lasts only until the next reboot; to make it persistent, use setsebool -P ftp_home_dir on (this also rewrites the policy store, so it takes noticeably longer).

Now our ftp daemon will be able to access the user's home directory.
Note: You can also list the available booleans without descriptions by running getsebool -a, or check a single one with getsebool ftp_home_dir.

2. Labels and contexts

This is the most common way of applying the SELinux policy. Every file, directory, process and port is labeled with an SELinux context:

  • For files and directories, the labels are stored as extended attributes on the filesystem and can be viewed with the following command:
    $ ls -Z /etc/httpd
  • For processes and ports, labeling is managed by the kernel, and you can view these labels as follows:

process

$ ps auxZ | grep httpd

port

$ netstat -anpZ | grep httpd

(on systems without netstat, ss -tlnZ shows the same process contexts). Note that both commands show the context of the process holding the socket; the port types themselves are defined in the policy and listed with semanage port -l.

Example:
Now let's look at an example to understand labels and contexts better. Say we have a web server that uses /home/dan/html/ instead of /var/www/html/. SELinux will treat this as a policy violation and you will not be able to view your web pages. This is because we have not set the security context associated with HTML files. To view the default security context, run the following command:

$ ls -ldZ /var/www/html
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/

Here we see httpd_sys_content_t as the context type for the html files. We need to set this security context on our directory, which currently has the following context:

drwxr-xr-x. dan dan system_u:object_r:user_home_t:s0 /home/dan/html/

Another way to check the security context of a file or directory is to query the file context database, the list of path patterns the policy uses when labeling:

$ semanage fcontext -l | grep '/var/www'

We will use semanage again to change the context once we have found the right security context. To change the context of /home/dan/html, run the following commands:

$ semanage fcontext -a -t httpd_sys_content_t '/home/dan/html(/.*)?'
$ semanage fcontext -l | grep '/home/dan/html'
/home/dan/html(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
$ restorecon -Rv /home/dan/html

After the context rule has been added with semanage, the restorecon command applies the default context to the files and directories. Our web server will now be able to read the files in /home/dan/html because the directory's security context has changed to httpd_sys_content_t. Note the division of labour: semanage fcontext only records the rule, and nothing on disk changes until restorecon (or a full relabel) runs, which is also why the rule survives a reboot and a relabel. Setting the label directly with chcon takes effect immediately but is undone by the next restorecon or relabel, because no rule is recorded. And DAC is still checked first: the httpd process must also have ordinary Unix permission to traverse /home/dan and read the files.
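How the rule added with semanage fcontext is resolved against a path, and what restorecon -Rv would then change, as an added example that is not from the article: a dry run that replays file_contexts matching (anchored regexes, last matching entry wins, only the type field compared) over a constructed spec list and directory listing. SPECS, CURRENT and the function names are this example's own; the real database is what semanage fcontext -l prints.

```python
"""Predict what `restorecon -Rv` would relabel, from a file_contexts-style
spec list.  Added example, not from the original article."""
import re
from typing import List, Optional, Pattern, Tuple

# Constructed subset of file_contexts, in the order the policy keeps it: general
# entries first, local additions (semanage fcontext -a) appended last.
SPECS: List[Tuple[str, str]] = [
    (r"/.*", "default_t"),
    (r"/home/[^/]+", "user_home_dir_t"),
    (r"/home/[^/]+/.*", "user_home_t"),
    (r"/var/www(/.*)?", "httpd_sys_content_t"),
    (r"/home/dan/html(/.*)?", "httpd_sys_content_t"),   # the article's added rule
]

# Constructed `ls -RZ`-style listing: (path, current security context).
CURRENT: List[Tuple[str, str]] = [
    ("/home/dan/notes.txt", "unconfined_u:object_r:user_home_t:s0"),
    ("/home/dan/html", "unconfined_u:object_r:user_home_t:s0"),
    ("/home/dan/html/index.html", "unconfined_u:object_r:user_home_t:s0"),
    ("/var/www/html/index.html", "system_u:object_r:httpd_sys_content_t:s0"),
]


def compile_specs(specs: List[Tuple[str, str]]) -> List[Tuple[Pattern, str]]:
    """file_contexts regexes are implicitly anchored at both ends."""
    return [(re.compile(f"^(?:{rx})$"), t) for rx, t in specs]


def expected_type(path: str, specs: List[Tuple[Pattern, str]]) -> Optional[str]:
    """Last matching entry wins, which is why a local rule appended after the
    base policy overrides the generic /home/... entries for /home/dan/html."""
    for rx, t in reversed(specs):
        if rx.match(path):
            return t
    return None


def context_type(context: str) -> str:
    """user:role:type:level -> type (the third field)."""
    return context.split(":")[2]


def find_mislabeled(listing: List[Tuple[str, str]],
                    specs: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """(path, current type, expected type) for each entry restorecon would change.
    Only the type is compared: without -F restorecon leaves user/role/level alone."""
    compiled = compile_specs(specs)
    drift = []
    for path, ctx in listing:
        want = expected_type(path, compiled)
        have = context_type(ctx)
        if want is not None and want != have:
            drift.append((path, have, want))
    return drift


if __name__ == "__main__":
    for path, have, want in find_mislabeled(CURRENT, SPECS):
        print(f"restorecon would relabel {path}: {have} -> {want}")
```

Feeding it the real spec list (from semanage fcontext -l) and a real listing (ls -RZ) gives you a review of what a relabel will touch before you run it, which is the check to make before restorecon -R on a large tree.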

3. Creating local policies

There may be situations where the methods above do not help and you keep getting denials (avc/denial) in audit.log. When this happens, you need to create a local policy. You can find all the denials with audit2why, as described above.

You can build a local policy that resolves the denials. For example, we get denials related to httpd (apache) or smbd (samba); we pick out those denials and build a policy module from them:

apache
$ grep httpd_t /var/log/audit/audit.log | audit2allow -M http_policy
samba
$ grep smbd_t /var/log/audit/audit.log | audit2allow -M smb_policy

where http_policy and smb_policy are the names of the local policies we created: audit2allow -M writes a type enforcement source file (http_policy.te) and a compiled package (http_policy.pp). Now we need to load these local policies into the current SELinux policy. Before loading, read the .te file: audit2allow turns every denial it is given into an allow rule, including denials caused by mislabeled files (which restorecon would fix) or by an actual attack on the service, so loading it unread can punch a permanent hole in the policy. Loading is done as follows:

$ semodule -i http_policy.pp
$ semodule -i smb_policy.pp

Our local policies are loaded, and we should no longer see those avc denials in audit.log.
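The log triage described under "Monitoring the logs" and the audit2allow step above, as one added Python example that is neither the article's code nor audit2allow itself: it parses type=AVC records, summarises them by source type, target type, class and permission (marking the ones that were only logged because the domain was permissive), and drafts the allow rules a module built from them would contain, so they can be read before semodule -i. SAMPLE_LOG is constructed to look like audit.log lines; in practice feed it the output of grep httpd_t /var/log/audit/audit.log.

```python
"""Triage AVC denials from audit.log and draft the allow rules a local policy
module built from them would contain.  Added example, not the article's code
and not audit2allow; the drafted rules mimic audit2allow's output format."""
import re
from collections import defaultdict
from typing import Iterable, List, Optional, Tuple

# Constructed sample of /var/log/audit/audit.log: five AVC denials from two
# domains plus one SYSCALL record, which the parser must skip.
SAMPLE_LOG = """\
type=AVC msg=audit(1650000000.101:201): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1650000000.101:201): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1650000000.102:202): avc:  denied  { open } for  pid=1234 comm="httpd" path="/home/dan/html/index.html" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1650000000.103:203): avc:  denied  { read } for  pid=1235 comm="httpd" name="style.css" dev="dm-0" ino=132 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1650000000.104:204): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1650000000.105:205): avc:  denied  { write } for  pid=2222 comm="smbd" name="dan" dev="dm-0" ino=777 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
"""

# The fields of a type=AVC record that matter for policy work.  permissive= is
# absent on old kernels; a missing field is treated as enforcing.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)
COMM_RE = re.compile(r'comm="([^"]*)"')


def parse_avc(line: str) -> Optional[dict]:
    """One audit.log line -> dict, or None for non-AVC records (SYSCALL, ...)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()                 # "{ read open }" -> [read, open]
    rec["stype"] = rec["scontext"].split(":")[2]        # user:role:TYPE:level
    rec["ttype"] = rec["tcontext"].split(":")[2]
    c = COMM_RE.search(line)
    rec["comm"] = c.group(1) if c else ""
    return rec


def summarize(lines: Iterable[str]) -> List[Tuple[str, str, str, str, str, int]]:
    """Count denials per (source type, target type, class, permission, mode),
    most frequent first.  "permissive" rows were logged but not blocked; they
    are what will start failing after `setenforce 1`."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        mode = "permissive" if rec["permissive"] == "1" else "enforcing"
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm, mode)] += 1
    return sorted((k + (n,) for k, n in counts.items()), key=lambda r: (-r[5], r[:5]))


def draft_allow_rules(lines: Iterable[str], source_type: str) -> List[str]:
    """The allow rules `grep <source_type> audit.log | audit2allow` would put in
    the .te file: one per (target type, class), permissions merged.  Every line
    here is something to question before `semodule -i`: a denial on a mislabeled
    file is fixed with restorecon, not with an allow rule."""
    perms = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and rec["stype"] == source_type:
            perms[(rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (ttype, tclass), ps in sorted(perms.items()):
        body = " ".join(sorted(ps)) if len(ps) == 1 else "{ " + " ".join(sorted(ps)) + " }"
        rules.append(f"allow {source_type} {ttype}:{tclass} {body};")
    return rules


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for stype, ttype, tclass, perm, mode, n in summarize(lines):
        print(f"{n:3d}  {stype} -> {ttype}:{tclass} {perm} ({mode})")
    print("\n".join(draft_allow_rules(lines, "httpd_t")))
```

On the sample the summary makes the two kinds of denial visible at a glance: httpd_t hitting user_home_t files is a labeling problem (the fix from the previous section), while the drafted allow httpd_t user_home_t:file rule would instead open every user's home directory to the web server. That is the line you want to see, and reject, before loading a module.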

This was my attempt to help you understand SELinux. I hope that after reading this article you will feel comfortable with SELinux.

Source: www.habr.com
