Here you will find the answers to the big questions about life, the universe, and everything in Linux with enhanced security.
"It is an important and popular fact that things are not always what they seem..."
- Douglas Adams, The Hitchhiker's Guide to the Galaxy
Security. Hardening. Compliance. Policy. The Four Horsemen of the Apocalypse for sysadmins. In addition to our daily tasks (monitoring, backup, implementation, tuning, updating, and so on), we are also responsible for securing our systems. Even those systems where the third-party vendor recommends that we disable the enhanced security. It seems like a job
Faced with this dilemma, some sysadmins decide to take
In the spirit of The Hitchhiker's Guide to the Galaxy, here are 42 answers to the big questions about managing and using SELinux on your systems.
1. SELinux is a labeling system (a form of mandatory access control): every process has a label, and every file, directory and system object has a label. Policy rules control access between labeled processes and labeled objects, and the kernel enforces those rules.
2. The two most important concepts are labeling (of files, processes, ports, etc.) and type enforcement (which isolates processes from each other based on their types).
3. The correct label format is user:role:type:level (the level is optional).
4. The purpose of Multi-Level Security (MLS) enforcement is to control processes (domains) based on the security level of the data they will use. For example, a secret process cannot read top-secret data.
5. Multi-Category Security (MCS) enforcement protects similar processes from each other (for example virtual machines, OpenShift gears, SELinux sandboxes, containers, etc.).
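The "no read up" rule behind items 4 and 5, as an added example that is not from the article: a small shell helper that parses the level part of a label (the same s2:c100 syntax item 36 assigns to a user) and decides whether one level dominates another, which is the check SELinux applies before a domain may read an object. The level syntax (sN, optional categories cX, ranges cA.cB) is real; the helper itself and the levels it is fed are constructed for the example.

```sh
#!/bin/sh
# Added example: MLS/MCS dominance as SELinux applies it (not a tool from the
# article). A level is "sN" optionally followed by ":cX,cY,cA.cB", where
# cA.cB is an inclusive category range. Level A dominates level B when A's
# sensitivity is >= B's and A's category set is a superset of B's. A domain
# may read an object only if the domain's level dominates the object's.

# expand_cats LEVEL: print the categories of LEVEL, one number per line,
# sorted and de-duplicated. "s0:c0.c3,c100" -> 0 1 2 3 100
expand_cats() {
    cats=${1#*:}                      # drop the leading "sN"
    [ "$cats" = "$1" ] && return 0    # no ':' means no categories
    printf '%s\n' "$cats" | tr ',' '\n' | while IFS= read -r c; do
        case $c in
            c*.c*)                    # range cA.cB
                lo=${c%%.*}; lo=${lo#c}
                hi=${c##*.}; hi=${hi#c}
                seq "$lo" "$hi" ;;
            c*)                       # single category
                printf '%s\n' "${c#c}" ;;
        esac
    done | sort -n -u
}

# sens LEVEL: print the sensitivity number of LEVEL ("s2:c100" -> 2)
sens() { s=${1%%:*}; printf '%s\n' "${s#s}"; }

# dominates A B: exit 0 if A dominates B, 1 otherwise
dominates() {
    [ "$(sens "$1")" -ge "$(sens "$2")" ] || return 1
    a=$(expand_cats "$1")
    for c in $(expand_cats "$2"); do
        printf '%s\n' "$a" | grep -qx "$c" || return 1
    done
    return 0
}

# can_read SUBJECT_LEVEL OBJECT_LEVEL: print allowed or denied
can_read() {
    if dominates "$1" "$2"; then echo allowed; else echo denied; fi
}

can_read s2:c100 s1:c100   # allowed: same category, higher sensitivity
can_read s1 s2             # denied: a "secret" domain cannot read "top secret"
can_read s0:c0.c3 s0:c1,c2 # allowed: c1 and c2 lie inside the range c0.c3
can_read s0:c1 s0:c2       # denied: two MCS containers stay separated
```

The last two calls are the MCS case from item 5: two containers at the same sensitivity but with different categories can never read each other's files, which is exactly what container runtimes rely on when they hand each container a random category pair.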
6. Kernel options for changing SELinux modes at boot:
autorelabel=1 → forces the system to relabel
selinux=0 → the kernel does not load the SELinux infrastructure
enforcing=0 → boot in permissive mode
7. If you need to relabel the entire system:
# touch /.autorelabel
# reboot
If the system's labeling contains a large number of errors, you may need to boot in permissive mode for the autorelabel to succeed.
8. To check whether SELinux is enabled: # getenforce
9. To temporarily switch SELinux between enforcing and permissive (this does not unload SELinux; only selinux=0 or the config file does that): # setenforce [1|0]
10. SELinux status tool: # sestatus
11. Configuration file: /etc/selinux/config
12. How does SELinux work? Here is an example of the labeling for an Apache web server:
- Binary:
/usr/sbin/httpd → httpd_exec_t
- Configuration directory:
/etc/httpd → httpd_config_t
- Log file directory:
/var/log/httpd → httpd_log_t
- Content directory:
/var/www/html → httpd_sys_content_t
- Startup script:
/usr/lib/systemd/system/httpd.service → httpd_unit_file_t
- Process:
/usr/sbin/httpd -DFOREGROUND → httpd_t
- Ports:
80/tcp, 443/tcp → http_port_t (which httpd_t is allowed to bind)
A process running in the httpd_t context can interact with an object labeled httpd_something_t.
13. Many commands accept the -Z argument to view, create and modify contexts:
ls -Z
id -Z
ps -Z
netstat -Z
cp -Z
mkdir -Z
Contexts are established when files are created, based on the parent directory's context (with a few exceptions). RPMs can set contexts as part of installation.
14. There are four key causes of SELinux errors, explained further in items 15-21 below:
- Labeling problems
- Something SELinux needs to know
- A bug in an SELinux policy/application
- Your information may be compromised
15. Labeling problem: if your files in /srv/myweb are not labeled correctly, access may be denied. Here are some ways to fix this:
- If you know the label:
# semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
- If you know a directory with equivalent labeling:
# semanage fcontext -a -e /var/www /srv/myweb
- Restore the context (for both cases):
# restorecon -vR /srv/myweb
16. Labeling problem: if you move a file instead of copying it, the file keeps its original context. To fix this:
- Change the context with an explicit type:
# chcon -t httpd_sys_content_t /var/www/html/index.html
- Change the context using a reference file:
# chcon --reference /var/www/html/ /var/www/html/index.html
- Or restore the context from policy (works for both cases, and survives the next relabel, unlike chcon):
# restorecon -vR /var/www/html/
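A quick way to find the moved-in files that items 15 and 16 talk about, as an added example that is not from the article: a shell function that reads "context path" lines of the kind `ls -Z` prints and reports every entry whose type differs from the type the directory should carry. It is a simplified stand-in for `restorecon -nvR DIR`, which compares against the policy's file-context rules instead of a single fixed type; the listing it is fed is constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example, not from the article: spot files whose type does not match
# the type a directory is supposed to carry. Input is "context path" lines
# such as `ls -Z DIR/*` prints.

# Constructed sample listing (not real output): /var/www/html after one
# file was moved in from a user's home directory and one from /root.
SAMPLE_LS_Z='system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:user_home_t:s0 /var/www/html/moved.html
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/css
unconfined_u:object_r:admin_home_t:s0 /var/www/html/notes.txt
garbage /var/www/html/odd'

# label_field LABEL N: print field N of user:role:type:level (3 = type).
label_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# find_mislabeled EXPECTED_TYPE: read "context path" lines on stdin and
# print "path actual_type" for every entry whose type is not EXPECTED_TYPE.
# The level (field 4 onwards) may itself contain ':' for MLS ranges such
# as s0-s0:c0.c1023, so only "fewer than three fields" counts as malformed.
find_mislabeled() {
    awk -v want="$1" '
        NF >= 2 {
            n = split($1, f, ":")
            if (n < 3) { print $2 " MALFORMED(" $1 ")"; next }
            if (f[3] != want) print $2 " " f[3]
        }'
}

# restore_commands EXPECTED_TYPE: turn the mismatches into the restorecon
# calls you would run (printed, not executed, so this runs on a host without
# SELinux). restorecon is preferred over chcon because it applies the
# policy's own file-context rules rather than a type you typed by hand.
restore_commands() {
    find_mislabeled "$1" | awk '$2 !~ /^MALFORMED/ { print "restorecon -v " $1 }'
}

printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled httpd_sys_content_t
printf '%s\n' "$SAMPLE_LS_Z" | restore_commands httpd_sys_content_t
```

On a real system, feed it with `ls -Z /var/www/html/* | find_mislabeled httpd_sys_content_t`; a malformed line usually means the filesystem does not carry SELinux labels at all (for example a mount without xattr support), which is a different problem from a wrong label.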
17. Something SELinux needs to know: if HTTPD listens on port 8585, tell SELinux:
# semanage port -a -t http_port_t -p tcp 8585
18. Something SELinux needs to know: booleans allow parts of the SELinux policy to be changed at runtime without any knowledge of SELinux policy writing. For example, if you want httpd to send email, enter: # setsebool -P httpd_can_sendmail 1
19. Something SELinux needs to know: booleans are simply on/off settings for SELinux:
- To see all booleans:
# getsebool -a
- To see the description of each one:
# semanage boolean -l
- To set a boolean:
# setsebool <boolean> [1|0]
- To make it permanent, add -P. For example: # setsebool -P httpd_enable_ftp_server 1
20. SELinux policies/applications can have bugs, including:
- Unusual code paths
- Configurations
- Redirection of stdout
- Leaked file descriptors
- Executable memory
- Badly built libraries
Open a ticket (do not file a Bugzilla report; there is no SLA with Bugzilla).
21. Your information may be compromised if you have confined domains trying to:
- Load kernel modules
- Turn off SELinux enforcing mode
- Write to etc_t/shadow_t
- Modify iptables rules
22. Tools for troubleshooting SELinux denials (they also help when developing policy modules):
# yum -y install setroubleshoot setroubleshoot-server
Reboot or restart auditd after installing.
23. Use journalctl to list all logs related to setroubleshoot:
# journalctl -t setroubleshoot --since=14:20
24. Use journalctl to list all logs related to a particular SELinux label. For example:
# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0
25. When an SELinux error occurs, the setroubleshoot log suggests several possible solutions. For example, from journalctl:
Jun 14 19:41:07 web1 setroubleshoot: SELinux is preventing httpd from getattr access on the file /var/www/html/index.html. For complete message run: sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e
# sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e
SELinux is preventing httpd from getattr access on the file /var/www/html/index.html.
***** Plugin restorecon (99.5 confidence) suggests ************************
If you want to fix the label,
/var/www/html/index.html default label should be httpd_sys_content_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/www/html/index.html
26. Logging: SELinux records information in several places:
- /var/log/messages
- /var/log/audit/audit.log
- /var/lib/setroubleshoot/setroubleshoot_database.xml
27. Logging: to look for SELinux errors in the audit log:
# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today
28. To search for SELinux Access Vector Cache (AVC) messages for a particular service:
# ausearch -m avc -c httpd
29. The audit2allow utility gathers information from the logs of denied operations and generates SELinux allow rules. For example:
- To produce a human-readable description of why the access was denied:
# audit2allow -w -a
- To view the type enforcement rule that would allow the denied access:
# audit2allow -a
- To create a custom module:
# audit2allow -a -M mypolicy
- The -M option creates a type enforcement file (.te) with the given name and compiles the rules into a policy package (.pp): mypolicy.te, mypolicy.pp
- To install the custom module:
# semodule -i mypolicy.pp
Read the generated .te file before installing it: if the denial was really a labeling problem (items 15-16) or a missing boolean or port (items 17-19), the allow rule only hides the real fix, and if it grants one of the accesses listed in item 21 you have just written the attacker's policy for them.
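The triage that items 14, 27 and 28 describe, and the rule that item 29 generates, as an added example that is not from the article or from setroubleshoot: a shell function that reads audit.log-style AVC lines (the format `ausearch -m AVC` prints), extracts the source type, target type, object class and permissions, and sorts each denial into one of the four causes of item 14 before printing the allow rule that audit2allow would produce for it. The category rules are this example's own heuristics, and the log lines are constructed for the example, not captured from a real host.

```sh
#!/bin/sh
# Added example, not from the article: triage AVC denials by the four
# causes of item 14, then show the rule audit2allow -a would emit.

# Constructed sample (not captured from a real audit.log): four denials
# hitting httpd_t, one per cause.
SAMPLE_AVC='type=AVC msg=audit(1528998067.123:456): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1528998100.001:457): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8585 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1528998150.500:458): avc:  denied  { write } for  pid=1234 comm="httpd" name="shadow" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1528998160.700:459): avc:  denied  { execute } for  pid=1234 comm="httpd" name="sendmail.postfix" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0'

# classify_avc: read AVC lines on stdin, print
# "category comm source_type target_type:class { perms }" per denial.
classify_avc() {
    awk '
    # type field of a user:role:type:level context
    function ctx_type(s,  f) { split(s, f, ":"); return f[3] }
    /avc: +denied/ {
        perms = ""; comm = ""; stype = ""; ttype = ""; tclass = ""
        if (match($0, /\{[^}]*\}/)) {           # "{ getattr read }"
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) stype = ctx_type(substr($i, 10))
            if ($i ~ /^tcontext=/) ttype = ctx_type(substr($i, 10))
            if ($i ~ /^tclass=/)   tclass = substr($i, 8)
        }
        # Heuristics of this example for the four causes of item 14:
        cat = "policy-or-boolean"          # default: semanage boolean -l, audit2allow -w
        if ((ttype == "shadow_t" || ttype == "etc_t") && perms ~ /write|append|create/)
            cat = "POSSIBLE-COMPROMISE"    # item 21: confined domain writing there
        else if (tclass ~ /^(tcp|udp)_socket$/ && perms ~ /name_bind/)
            cat = "port-not-known"         # item 17: semanage port -a ...
        else if (ttype ~ /_home_t$/ || ttype == "default_t" || ttype == "unlabeled_t")
            cat = "labeling-problem"       # items 15-16: restorecon, not a new rule
        printf "%s %s %s %s:%s { %s }\n", cat, comm, stype, ttype, tclass, perms
    }'
}

# allow_rules: rewrite classify_avc output as the rule audit2allow -a prints
# for the same denial (item 29), in the form the policy compiler accepts.
allow_rules() {
    awk '{ $1 = ""; $2 = ""; sub(/^ +/, ""); print "allow " $0 ";" }'
}

printf '%s\n' "$SAMPLE_AVC" | classify_avc
printf '%s\n' "$SAMPLE_AVC" | classify_avc | allow_rules
```

On a live host, run `ausearch -m AVC -ts today | classify_avc`. Only the policy-or-boolean line is a candidate for `audit2allow -M`; the labeling line wants `restorecon`, the port line wants `semanage port`, and the shadow_t write wants an incident ticket, not a policy module.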
30. To configure a single process (domain) to run permissive: # semanage permissive -a httpd_t
31. If you no longer want a domain to be permissive: # semanage permissive -d httpd_t
32. To disable all permissive domains: # semodule -d permissivedomains
33. Enabling the SELinux MLS policy: # yum install selinux-policy-mls
In /etc/selinux/config:
SELINUX=permissive
SELINUXTYPE=mls
Make sure SELinux is running in permissive mode: # setenforce 0
Use the fixfiles script to make sure files are relabeled on the next reboot:
# fixfiles -F onboot
# reboot
34. Create a user with a specific MLS range: # useradd -Z staff_u john
With the useradd command, the new user is mapped to an existing SELinux user (in this case, staff_u).
35. To view the mapping between SELinux users and Linux users: # semanage login -l
36. Define a specific range for a user: # semanage login --modify --range s2:c100 john
37. To correct the label on the user's home directory (if needed): # chcon -R -l s2:c100 /home/john
38. To list the current categories: # chcat -L
39. To modify the categories, or to start creating your own, edit the following file:
/etc/selinux/<selinuxtype>/setrans.conf
40. To run a command or script in a specific type, role and user context:
# runcon -t initrc_t -r system_r -u user_u yourcommandhere
-t is the type
-r is the role
-u is the user
41. Running containers with SELinux separation disabled:
- With Podman:
# podman run --security-opt label=disable …
- With Docker:
# docker run --security-opt label=disable …
42. If you need to give a container full access to the system:
- With Podman:
# podman run --privileged …
- With Docker:
# docker run --privileged …
Note that --privileged also drops the SELinux label separation (along with the other container restrictions), so the container then runs as unconfined as the host's own processes; reach for a specific boolean, volume label (:Z) or capability first.
And now you know the answer. So please: don't panic, and turn SELinux ON.
Source: www.habr.com