SELinux cheat sheet for sysadmins: 42 answers to the big questions

The translation of this article was prepared especially for students of the "Linux Administrator" course.


Here you will find the answers to the big questions about life, the universe and everything in Linux with enhanced security.

"It is an important and popular fact that things are not always what they seem ..."

-Douglas Adams, The Hitchhiker's Guide to the Galaxy

Security. Hardening. Compliance. Policy. The Four Horsemen of the sysadmin's Apocalypse. On top of our daily tasks (monitoring, backups, deployment, configuration, updates and so on) we are also responsible for the security of our systems, even the ones where a third-party vendor advises us to disable enhanced security. It sounds like a job for Ethan Hunt in "Mission: Impossible".

Faced with this dilemma, some sysadmins decide to take the blue pill, because they think they will never know the answer to the big question of life, the universe and everything. And as we all know, that answer is 42.

In the spirit of The Hitchhiker's Guide to the Galaxy, here are 42 answers to the big questions about managing and using SELinux on your systems.

1. SELinux is a mandatory access control (MAC) system, which means that every process has a label. Every file, directory and system object has a label too. Policy rules control access between labeled processes and labeled objects, and the kernel enforces those rules.

2. The two most important concepts are: Labeling (of files, processes, ports, etc.) and Type enforcement (which isolates processes from each other based on their types).

3. The correct label format is user:role:type:level (the level is optional).

4. The purpose of Multi-Level Security (MLS) is to control processes (domains) based on the security level of the data they will use. For example, a process at the secret level cannot read top-secret data.

5. Multi-Category Security (MCS) protects similar processes from each other (for example virtual machines, OpenShift gears, SELinux sandboxes, containers, etc.).

6. Kernel options for switching SELinux modes at boot:

  • autorelabel=1 → forces the system to relabel
  • selinux=0 → the kernel does not load any part of the SELinux infrastructure
  • enforcing=0 → boot in permissive mode

7. If you need to relabel the whole system:

# touch /.autorelabel
# reboot

If the system's labeling contains a large number of errors, you may need to boot in permissive mode for the autorelabel to succeed.

8. To check whether SELinux is enabled: # getenforce

9. To switch temporarily (until the next reboot) between enforcing (1) and permissive (0) mode: # setenforce [1|0]

10. To check the SELinux status: # sestatus

11. Configuration file: /etc/selinux/config

12. How does SELinux work? Here is an example of the labeling for an Apache web server:

  • Binary: /usr/sbin/httpd → httpd_exec_t
  • Configuration directory: /etc/httpd → httpd_config_t
  • Log file directory: /var/log/httpd → httpd_log_t
  • Content directory: /var/www/html → httpd_sys_content_t
  • Startup script: /usr/lib/systemd/system/httpd.service → httpd_unit_file_t
  • Process: /usr/sbin/httpd -DFOREGROUND → httpd_t
  • Ports: 80/tcp, 443/tcp → httpd_t, http_port_t

A process running in the httpd_t context can interact with an object carrying an httpd_something_t label.

13. Many commands accept the -Z argument to view, create and modify contexts:

  • ls -Z
  • id -Z
  • ps -Z
  • netstat -Z
  • cp -Z
  • mkdir -Z

Contexts are set when files are created, based on the context of their parent directory (with a few exceptions). RPMs can set contexts as part of installation.

14. There are four main causes of SELinux errors, described in more detail in points 15-21 below:

  • Labeling problems
  • Something SELinux needs to know about
  • A bug in the SELinux policy or in the application
  • Your system may be compromised

15. Labeling problem: if your files in /srv/myweb are labeled incorrectly, access may be denied. Here are some ways to fix this:

  • If you know the label:
    # semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
  • If you know a path that already has the equivalent labeling (the existing path comes first, the new path second):
    # semanage fcontext -a -e /var/www /srv/myweb
  • Restore the context (in both cases):
    # restorecon -vR /srv/myweb

16. Labeling problem: if you move a file instead of copying it, the file keeps its original context. To fix this problem:

  • Change the file's context to the correct label:
    # chcon -t httpd_sys_content_t /var/www/html/index.html
  • Change the file's context by copying it from a reference file or directory:
    # chcon --reference /var/www/html/ /var/www/html/index.html
  • Restore the context (in both cases): # restorecon -vR /var/www/html/

Keep in mind that chcon changes are not persistent: the next restorecon or full relabel resets the file to whatever the policy says it should be, so for anything outside the policy's known paths use semanage fcontext followed by restorecon.
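As an added example (not code from the original article), here is a small shell check that applies points 3, 15 and 16: it reads `ls -Z` style output, extracts the type from each context without tripping over an MLS/MCS level that itself contains colons, and lists every entry whose type is not the one the httpd policy expects. The input below is constructed; on a real host you would feed it `ls -Z /var/www/html`.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article.
# Find entries in `ls -Z` output whose SELinux type is not the expected one.

# The type is the third colon-separated field of a context.  Take it with
# parameter expansion rather than `cut -d: -f4` for the level, because an
# MLS/MCS level such as s0-s0:c0.c1023 itself contains colons.
ctx_type() {
  local rest=${1#*:}            # drop the SELinux user
  rest=${rest#*:}               # drop the role
  printf '%s\n' "${rest%%:*}"   # the type runs up to the next colon, if any
}

# Everything after the type, colons included; empty when there is no level.
ctx_level() {
  local rest=${1#*:}
  rest=${rest#*:}
  case $rest in
    *:*) printf '%s\n' "${rest#*:}" ;;
    *)   printf '\n' ;;
  esac
}

# Read "context name" lines (the `ls -Z` format) on stdin and print
# "name actual_type" for every entry whose type differs from $1.
# Exit status is 1 when at least one mislabeled entry was found.
find_mislabeled() {
  local expected=$1 ctx name actual found=0
  while read -r ctx name; do
    [ -n "$name" ] || continue
    actual=$(ctx_type "$ctx")
    if [ "$actual" != "$expected" ]; then
      printf '%s %s\n' "$name" "$actual"
      found=1
    fi
  done
  [ "$found" -eq 0 ]
}

# Constructed sample of `ls -Z /var/www/html`: index.html was mv'ed in from a
# home directory (point 16), upload/ was created by hand outside the policy's
# known paths (point 15); the other two came from the httpd package.
SAMPLE_LS_Z='system_u:object_r:httpd_sys_content_t:s0 about.html
unconfined_u:object_r:user_home_t:s0 index.html
unconfined_u:object_r:default_t:s0 upload
system_u:object_r:httpd_sys_content_t:s0-s0:c0.c1023 logo.png'

if ! printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled httpd_sys_content_t; then
  echo '# fix: restorecon -vR /var/www/html (after semanage fcontext -a for any non-standard path)'
fi
```

The non-zero exit status makes the check usable from a cron job or a configuration-management handler: run it after every deployment and only call restorecon when something actually drifted.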

17. Something SELinux needs to know: if HTTPD listens on port 8585, tell SELinux:

# semanage port -a -t http_port_t -p tcp 8585

18. Something SELinux needs to know: Booleans allow parts of the SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. For example, if you want httpd to send email, enter: # setsebool -P httpd_can_sendmail 1

19. Something SELinux needs to know: Booleans are on/off switches for SELinux settings:

  • To see all booleans: # getsebool -a
  • To see the description of each one: # semanage boolean -l
  • To set a boolean: # setsebool [_boolean_] [1|0]
  • To make the change persistent across reboots, add -P. For example: # setsebool -P httpd_enable_ftp_server 1

20. SELinux policies and applications can have bugs, including:

  • Unusual code paths
  • Configurations
  • Redirection of stdout
  • Leaked file descriptors
  • Executable memory
  • Badly built libraries

Open a ticket (do not file a Bugzilla report; Bugzilla has no SLA).

21. Your system may be compromised if you have confined domains trying to:

  • Load kernel modules
  • Turn off SELinux enforcing mode
  • Write to etc_t/shadow_t
  • Modify iptables rules

22. SELinux tools for developing policy modules:

# yum -y install setroubleshoot setroubleshoot-server

Reboot or restart auditd after installation.

23. Use journalctl to list all logs related to setroubleshoot:

# journalctl -t setroubleshoot --since=14:20

24. Use journalctl to list all logs related to a particular SELinux label. For example:

# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0

25. When an SELinux error occurs, the setroubleshoot log offers several possible solutions. For example, from journalctl:

Jun 14 19:41:07 web1 setroubleshoot: SELinux is preventing httpd from getattr access on the file /var/www/html/index.html. For complete message run: sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e

# sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e
SELinux is preventing httpd from getattr access on the file /var/www/html/index.html.

***** Plugin restorecon (99.5 confidence) suggests ************************

If you want to fix the label,
/var/www/html/index.html default label should be httpd_sys_content_t.
Then you can restorecon.
Do
# /sbin/restorecon -v /var/www/html/index.html

26. Logging: SELinux records information in several places:

  • /var/log/messages
  • /var/log/audit/audit.log
  • /var/lib/setroubleshoot/setroubleshoot_database.xml

27. Logging: to search the audit log for SELinux errors:

# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today

28. To find the SELinux Access Vector Cache (AVC) messages for a particular service:

# ausearch -m avc -c httpd

29. The audit2allow utility collects information from the logs of denied operations and generates SELinux policy allow rules. For example:

  • To produce a human-readable description of why access was denied: # audit2allow -w -a
  • To view the type enforcement rule that would allow the denied access: # audit2allow -a
  • To create a custom module: # audit2allow -a -M mypolicy
  • The -M option creates a type enforcement file (.te) with the given name and compiles the rule into a policy package (.pp): mypolicy.te and mypolicy.pp
  • To install the custom module: # semodule -i mypolicy.pp

Read the generated .te file before installing it: audit2allow allows exactly what was denied, so it will happily turn a labeling mistake (points 15-16), a missing port or boolean (points 17-19) or a compromise (point 21) into a permanent hole in your policy.
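As an added example (not code from the original article, and not a replacement for audit2allow), the script below applies points 21 and 27-29 to raw audit.log lines: it parses AVC denials, groups them into the allow rules audit2allow would print, and separately triages each denial so that the compromise indicators from point 21 and the classic mislabel types from points 15-16 are flagged instead of being turned into policy. The AVC lines are constructed for the example, and the ALERT/LABEL patterns are this example's own heuristics rather than an official list.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article.
# Triage raw AVC denials (audit.log text, e.g. from `ausearch -m AVC --raw`)
# before reaching for audit2allow.  The sample input below is constructed.

# Normalise every denial into one line per permission:
#   source_type target_type class permission
# The type is the third colon-separated field of a context; an MLS/MCS level
# (s0-s0:c0.c1023) may follow it and contains colons, so only fields 1-3 matter.
avc_fields() {
  awk '
  /avc: +denied/ {
    if (!match($0, /[{][^}]*[}]/)) next       # permissions sit between the braces
    perms = substr($0, RSTART + 1, RLENGTH - 2)
    src = tgt = cls = ""
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "scontext") src = kv[2]
      else if (kv[1] == "tcontext") tgt = kv[2]
      else if (kv[1] == "tclass") cls = kv[2]
    }
    if (src == "" || tgt == "" || cls == "") next
    split(src, s, ":"); split(tgt, t, ":")
    n = split(perms, p, " ")
    for (j = 1; j <= n; j++) print s[3], t[3], cls, p[j]
  }'
}

# Group the way audit2allow does: one rule per (source, target, class),
# braces only when there is more than one permission.  Sorted for stable output.
avc_to_allow() {
  avc_fields | LC_ALL=C sort -u | awk '
  function emit() {
    if (prev == "") return
    if (n == 1) print "allow " prev " " perms ";"
    else        print "allow " prev " { " perms " };"
  }
  {
    key = $1 " " $2 ":" $3
    if (key != prev) { emit(); prev = key; perms = $4; n = 1 }
    else             { perms = perms " " $4; n++ }
  }
  END { emit() }'
}

# Classify denials.  ALERT follows point 21 (a confined domain trying to disable
# enforcing, load kernel modules, write etc_t/shadow_t or change the firewall);
# LABEL catches the usual mislabel types; everything else is left for review.
# The exact class/permission pairs are this example'"'"'s own heuristics.
avc_triage() {
  avc_fields | LC_ALL=C sort -u | awk '
  function say(m) { if (!(m in seen)) { seen[m] = 1; print m } }
  $3 == "security"   && $4 == "setenforce"  { say("ALERT " $1 " tried to disable enforcing mode"); next }
  $3 == "capability" && $4 == "sys_module"  { say("ALERT " $1 " tried to load a kernel module"); next }
  $3 == "system"     && $4 == "module_load" { say("ALERT " $1 " tried to load a kernel module"); next }
  ($2 == "shadow_t" || $2 == "etc_t") && $4 ~ /^(write|append|create)$/ { say("ALERT " $1 " tried to modify " $2); next }
  $3 == "capability" && $4 == "net_admin"   { say("ALERT " $1 " asked for net_admin (firewall/routing changes)"); next }
  $2 ~ /^(user_home_t|default_t|unlabeled_t|tmp_t)$/ && $3 ~ /^(file|dir|lnk_file)$/ { say("LABEL " $1 " hit " $2 ": probably a mislabeled path, use restorecon (points 15-16)"); next }
  { say("REVIEW " $1 " " $2 ":" $3 " " $4 ": maybe a port (point 17) or a boolean (point 18)") }'
}

# Constructed sample: httpd serving a mv'ed file, binding a non-standard port,
# then (from a compromised httpd) trying to disable SELinux and write shadow.
SAMPLE_AVC='type=AVC msg=audit(1592163667.101:301): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1592163667.102:302): avc:  denied  { read open } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1592163668.500:303): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8585 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1592163670.000:304): avc:  denied  { setenforce } for  pid=1299 comm="setenforce" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=0
type=AVC msg=audit(1592163671.000:305): avc:  denied  { write } for  pid=1301 comm="httpd" name="shadow" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

echo '# triage:'
printf '%s\n' "$SAMPLE_AVC" | avc_triage
echo '# candidate rules (what audit2allow would emit; never install the ALERT/LABEL ones):'
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

Run the triage first and only feed the REVIEW lines to audit2allow -M: for the sample above that leaves a single name_bind on unreserved_port_t, which is better solved with semanage port (point 17) than with a custom module anyway.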

30. To make a single process (domain) run in permissive mode: # semanage permissive -a httpd_t

31. If you no longer want the domain to be permissive: # semanage permissive -d httpd_t

32. To disable all permissive domains: # semodule -d permissivedomains

33. To enable the MLS SELinux policy: # yum install selinux-policy-mls
In /etc/selinux/config:

SELINUX=permissive
SELINUXTYPE=mls

Make sure SELinux is running in permissive mode: # setenforce 0
Use the fixfiles script to make sure the files are relabeled on the next reboot:

# fixfiles -F onboot
# reboot

34. Create a user with a specific MLS range: # useradd -Z staff_u john

With the useradd command, map the new user to an existing SELinux user (in this case, staff_u).

35. To view the mapping between SELinux users and Linux users: # semanage login -l

36. Define a specific range for a user: # semanage login --modify --range s2:c100 john

37. To fix the label of the user's home directory (if needed): # chcon -R -l s2:c100 /home/john

38. To view the current categories: # chcat -L

39. To change the categories or start creating your own, edit the file as follows:

/etc/selinux/<selinuxtype>/setrans.conf

40. To run a command or script in a specific type, role and user context:

# runcon -t initrc_t -r system_r -u user_u yourcommandhere

  • -t is the type context
  • -r is the role context
  • -u is the user context

41. To run a container with SELinux labeling disabled (avoid this where you can: it removes the MCS separation between containers described in point 5):

  • Podman: # podman run --security-opt label=disable …
  • Docker: # docker run --security-opt label=disable …

42. If you need to give a container full access to the system (this drops SELinux confinement along with the other isolation; treat it as running the process as root on the host):

  • Podman: # podman run --privileged …
  • Docker: # docker run --privileged …

And now you know the answer. So please: don't panic, and enable SELinux.

References:

Source: www.habr.com
