A Sysadmin's SELinux Cheat Sheet: 42 Answers to the Big Questions

This translation of the article was prepared especially for students of the "Linux Administrator" course.


Here you'll find the answers to the big questions about life, the universe, and everything in Security-Enhanced Linux.

"It is an important and popular fact that things are not always what they seem..."

-Douglas Adams, The Hitchhiker's Guide to the Galaxy

Security. Hardening. Compliance. Policy. The Four Horsemen of the Sysadmin Apocalypse. On top of our daily tasks (monitoring, backups, deployment, tuning, updates, and so on) we are also responsible for the security of our systems. Even of those systems where the third-party vendor recommends disabling enhanced security. It sounds like a job for Ethan Hunt in "Mission: Impossible".

Faced with this dilemma, some sysadmins decide to take the blue pill, because they think they will never know the answer to the big question of life, the universe, and everything. And, as we all know, that answer is 42.

In the spirit of The Hitchhiker's Guide to the Galaxy, here are the 42 answers to the big questions about managing and using SELinux on your systems.

1. SELinux is a mandatory access control system built on labels, which means every process has a label. Every file, directory, and system object also has a label. Policy rules control access between labeled processes and labeled objects. The kernel enforces these rules.

2. The two most important concepts are: Labeling (of files, processes, ports, etc.) and Type enforcement (which isolates processes from each other based on their types).

3. The correct label format is user:role:type:level (the level is optional).

4. The purpose of multi-level security (MLS) is to control processes (domains) based on the security level of the data they will be using. For example, a secret process cannot read top-secret data.

5. Multi-category security (MCS) protects similar processes from each other (e.g. virtual machines, OpenShift gears, SELinux sandboxes, containers, etc.).

6. Kernel parameters that change SELinux modes at boot:

  • autorelabel=1 → forces the system to relabel
  • selinux=0 → the kernel does not load the SELinux infrastructure
  • enforcing=0 → boot in permissive mode

7. If you need to relabel the entire system:

# touch /.autorelabel
# reboot

If the labeling of the system contains many errors, you may need to boot in permissive mode for the relabel to succeed.

8. To check whether SELinux is enabled: # getenforce

9. To temporarily enable/disable SELinux: # setenforce [1|0]

10. To check the SELinux status: # sestatus

11. Configuration file: /etc/selinux/config

12. How SELinux works, using the labeling of an Apache web server as an example:

  • Binary: /usr/sbin/httpd → httpd_exec_t
  • Configuration directory: /etc/httpd → httpd_config_t
  • Log file directory: /var/log/httpd → httpd_log_t
  • Content directory: /var/www/html → httpd_sys_content_t
  • Startup script: /usr/lib/systemd/system/httpd.service → httpd_unit_file_t
  • Process: /usr/sbin/httpd -DFOREGROUND → httpd_t
  • Ports: 80/tcp, 443/tcp → httpd_t, http_port_t

A process running in the httpd_t context can interact with an object carrying an httpd_something_t label.

13. Many commands accept the -Z argument to view, create, and modify contexts:

  • ls -Z
  • id -Z
  • ps -Z
  • netstat -Z
  • cp -Z
  • mkdir -Z

Contexts are set when files are created, based on the context of their parent directory (with a few exceptions). RPMs can set contexts as part of installation.

14. There are four key causes of SELinux errors, described in detail in items 15-21 below:

  • Labeling problems
  • Something SELinux needs to know
  • A bug in the SELinux policy/application
  • Your information may be compromised

15. Inkinga yokulebula: uma amafayela akho engaphakathi /srv/myweb amakwe ngokungalungile, ukufinyelela kungase kunqatshelwe. Nazi ezinye izindlela zokulungisa lokhu:

  • Uma ulazi ilebula:
    # semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'
  • Uma ulazi ifayela elinezimpawu ezilinganayo:
    # semanage fcontext -a -e /srv/myweb /var/www
  • Ukubuyisela umongo (kuzo zombili izimo):
    # restorecon -vR /srv/myweb

16. Inkinga yokulebula: uma uhambisa ifayela esikhundleni sokulikopisha, ifayela lizogcina umongo walo wangempela. Ukulungisa le nkinga:

  • Shintsha umyalo wokuqukethwe ilebula:
    # chcon -t httpd_system_content_t /var/www/html/index.html
  • Shintsha umyalo wokuqukethwe ngelebula yesixhumanisi:
    # chcon --reference /var/www/html/ /var/www/html/index.html
  • Buyisela umongo (kuzo zombili izimo): # restorecon -vR /var/www/html/

17. Something SELinux needs to know: if httpd listens on port 8585, tell SELinux:

# semanage port -a -t http_port_t -p tcp 8585

18. Something SELinux needs to know: Booleans let you change parts of the SELinux policy at runtime without any knowledge of SELinux policy writing. For example, if you want httpd to send email, enter: # setsebool -P httpd_can_sendmail 1

19. Something SELinux needs to know: Booleans are on/off switches for SELinux settings:

  • To see all Boolean values: # getsebool -a
  • To see the description of each one: # semanage boolean -l
  • To set a Boolean value: # setsebool [_boolean_] [1|0]
  • To make the setting permanent, add -P. For example: # setsebool -P httpd_enable_ftp_server 1

20. SELinux policies/applications can have bugs, including:

  • Unusual code paths
  • Configurations
  • Redirection of stdout
  • File descriptor leaks
  • Executable memory
  • Badly built libraries

Open a ticket (don't file a Bugzilla report; Bugzilla has no SLA).

21. Your information may be compromised if you have confined domains trying to:

  • Load kernel modules
  • Turn off SELinux enforcing mode
  • Write to etc_t/shadow_t
  • Modify iptables rules

22. SELinux tools for developing policy modules:

# yum -y install setroubleshoot setroubleshoot-server

Reboot or restart auditd after the installation.

23. Use journalctl to list all logs related to setroubleshoot:

# journalctl -t setroubleshoot --since=14:20

24. Use journalctl to list all logs related to a particular SELinux label. For example:

# journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0

25. When an SELinux error occurs, the setroubleshoot log offers several possible solutions.
For example, from journalctl:

Jun 14 19:41:07 web1 setroubleshoot: SELinux is preventing httpd from getattr access on the file /var/www/html/index.html. For complete message run: sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e

# sealert -l 12fd8b04-0119-4077-a710-2d0e0ee5755e
SELinux is preventing httpd from getattr access on the file /var/www/html/index.html.

***** Plugin restorecon (99.5 confidence) suggests ************************

If you want to fix the label,
/var/www/html/index.html default label should be httpd_syscontent_t.
Then you can restorecon.
Do
# /sbin/restorecon -v /var/www/html/index.html

26. Logging: SELinux records information in several places:

  • /var/log/messages
  • /var/log/audit/audit.log
  • /var/lib/setroubleshoot/setroubleshoot_database.xml

27. Logging: To look for SELinux errors in the audit log:

# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today

28. To search for SELinux Access Vector Cache (AVC) messages for a particular service:

# ausearch -m avc -c httpd

29. The audit2allow utility collects information from the logs of denied operations and then generates SELinux policy allow rules. For example:

  • To produce a human-readable description of why access was denied: # audit2allow -w -a
  • To view the type enforcement rule that would allow the denied access: # audit2allow -a
  • To create a custom module: # audit2allow -a -M mypolicy
  • The -M option creates a type enforcement file (.te) with the given name and compiles the rule into a policy package (.pp): mypolicy.pp mypolicy.te
  • To install the custom module: # semodule -i mypolicy.pp
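Before reaching for audit2allow, it helps to sort denials by the cause the article lists in item 14. The script below is an added example (not from the original article): it reads raw AVC records such as those printed by ausearch and maps each denial to the fix path of items 15-19, leaving anything else for item 29. The audit records and the exact hint wording are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: first-pass triage of AVC
# denials taken from audit.log (e.g. via "ausearch -m avc -c httpd --raw").
# Each denial is mapped to the fix path the article describes: file labels
# (items 15-16), port labels (item 17), booleans (items 18-19), or "look
# closer" (items 20 and 29). The audit records below are constructed samples.

# Print the value of key=value inside an audit record, or nothing if absent.
field() { printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\([^ ]*\).*/\1/p"; }

# Read raw audit records on stdin; print one line per denial:
# "<permission> <object class> <target type>: <suggested fix>".
triage_avc() {
    while IFS= read -r rec; do
        case "$rec" in *avc:*denied*) ;; *) continue ;; esac
        perm=$(printf '%s\n' "$rec" | sed -n 's/.*denied *{ \([^}]*\) }.*/\1/p' | tr ' ' ',')
        tclass=$(field "$rec" tclass)
        ttype=$(field "$rec" tcontext | cut -d: -f3)
        case "$tclass:$perm" in
            file:*|dir:*|lnk_file:*)
                hint='file label: restorecon -vR or semanage fcontext (items 15-16)' ;;
            tcp_socket:name_bind|udp_socket:name_bind)
                hint='port label: semanage port -a (item 17)' ;;
            tcp_socket:name_connect)
                hint='boolean: check getsebool -a (items 18-19)' ;;
            *)
                hint='unclear: audit2allow -w -a and open a ticket (items 20, 29)' ;;
        esac
        printf '%s %s %s: %s\n' "$perm" "$tclass" "$ttype" "$hint"
    done
}

# Constructed sample records: a mislabeled file, an outbound SMTP connect,
# and a bind to a non-standard port, all from the httpd_t domain.
SAMPLE='type=AVC msg=audit(1560534067.123:456): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1560534070.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1560534075.789:458): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8585 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# Stand-alone run; on a real host feed "ausearch -m avc --raw -ts today" instead.
printf '%s\n' "$SAMPLE" | triage_avc
```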

30. To configure a single process (domain) to run in permissive mode: # semanage permissive -a httpd_t

31. If you no longer want the domain to be permissive: # semanage permissive -d httpd_t

32. To disable all permissive domains: # semodule -d permissivedomains

33. To enable the SELinux MLS policy: # yum install selinux-policy-mls
In /etc/selinux/config:

SELINUX=permissive
SELINUXTYPE=mls

Make sure SELinux is running in permissive mode: # setenforce 0
Use the fixfiles script to ensure that files are relabeled on the next reboot:

# fixfiles -F onboot
# reboot

34. Create a user with a specific MLS range: # useradd -Z staff_u john

Using the useradd command, map the new user to an existing SELinux user (in this case, staff_u).

35. To view the mapping between SELinux and Linux users: # semanage login -l

36. Define a specific range for a user: # semanage login --modify --range s2:c100 john

37. To correct the label of the user's home directory (if needed): # chcon -R -l s2:c100 /home/john

38. To view the current categories: # chcat -L

39. To modify the categories, or to start creating your own, edit the following file:

/etc/selinux/<selinuxtype>/setrans.conf

40. To run a command or script in a specific type, role, and user context:

# runcon -t initrc_t -r system_r -u user_u yourcommandhere

  • -t the type context
  • -r the role context
  • -u the user context

41. Containers running with SELinux disabled:

  • Podman: # podman run --security-opt label=disable …
  • Docker: # docker run --security-opt label=disable …

42. If you need to give a container full access to the system:

  • Podman: # podman run --privileged …
  • Docker: # docker run --privileged …

Now you know the answer. So please: don't be afraid to turn on SELinux.

References:

Source: www.habr.com
