Linux security systems

One of the reasons for the huge success of the Linux OS on embedded and mobile devices and on servers is the fairly high level of security of the kernel, its accompanying utilities and its applications. But if you look closely at the architecture of the Linux kernel, you will not find a box in it that is responsible for security as such. So where does the Linux security subsystem hide, and what does it consist of?

Background on Linux Security Modules and SELinux

Security Enhanced Linux is a set of rules and access mechanisms based on the mandatory and role-based access control models, intended to protect Linux systems from potential threats and to remedy the shortcomings of Discretionary Access Control (DAC), the traditional Unix security system. The project originated in the depths of the US National Security Agency, and the actual development was done mainly by the contractors Secure Computing Corporation and MITRE, together with a number of research laboratories.

Linux Security Modules

Linus Torvalds made a number of comments on the NSA's new development before it could be included in the Linux mainline. He described a general framework with a set of interceptors for controlling operations on objects and a set of protective fields in the kernel data structures for storing the corresponding attributes. This framework could then be used by loadable kernel modules to implement any desired security model. LSM was fully merged into Linux kernel v2.6 in 2003.

The LSM framework consists of guard fields in data structures and calls to interceptor functions at critical points in the kernel code, where they manipulate those fields and perform access control. It also adds the functionality for registering security modules. The /sys/kernel/security/lsm interface contains the list of modules active on the system. LSM hooks are kept in lists that are called in the order specified by CONFIG_LSM. Detailed documentation on the hooks is included in the header file include/linux/lsm_hooks.h.

The LSM subsystem made it possible to complete the full integration of SELinux into the same stable version of the Linux kernel, v2.6. Almost immediately SELinux became the de facto standard for a secure Linux environment and was included in the most popular distributions: RedHat Enterprise Linux, Fedora, Debian, Ubuntu.

SELinux glossary

  • Identity - A SELinux user is not the same thing as the usual Unix/Linux user id; the two can coexist on the same system but differ completely in essence. Each ordinary Linux account may correspond to one or more SELinux users. The SELinux identity is part of the overall security context and determines which domains can and cannot be entered.
  • Domains - In SELinux, a domain is the execution context of a subject, that is, of a process. The domain directly determines the access a process has. A domain is essentially a list of what processes can do, or what a process may do with the various types. Some examples of domains are sysadm_t for system administration and user_t, the ordinary unprivileged user domain. The init system runs in the init_t domain, and the named process runs in the named_t domain.
  • Roles - Serve as an intermediary between domains and SELinux users. Roles determine which domains a user may be in and which object types they may access. This access control mechanism prevents the threat of privilege escalation attacks. Roles are part of the Role Based Access Control (RBAC) security model used in SELinux.
  • Types - A Type Enforcement attribute set assigned to an object that determines who may access it. Similar to the definition of a domain, except that a domain applies to a process while a type applies to objects such as directories, files, sockets, etc.
  • Subjects and objects - Processes are subjects and run in a particular context, or security domain. Operating system resources (files, directories, sockets, etc.) are objects that are assigned a particular type, in other words a confidentiality level.
  • SELinux policies - SELinux uses a variety of policies to protect the system. A SELinux policy defines the access of users to roles, of roles to domains, and of domains to types. First, a user is authorized to obtain a role, then the role is authorized to access domains. Finally, a domain may access only certain types of objects.

LSM and SELinux architecture

Despite the name, LSMs are not loadable Linux modules. Like SELinux, they are integrated directly into the kernel. Any change to the LSM source code requires a new kernel build. The corresponding option must be enabled in the kernel configuration, otherwise the LSM code will not be active after boot. But even in that case it can be enabled through an OS bootloader option.

Figure: LSM check stack

LSM is equipped with hooks in the core kernel functions that are useful for checks. One of the main properties of LSMs is that they are stacked. The traditional checks are therefore still performed, and each LSM layer only adds further controls and checks. This means that a denial cannot be reversed. The figure shows this: if the result of the ordinary DAC check is a failure, the matter never even reaches the LSM hooks.

SELinux adopted the Flask security architecture of the Fluke research operating system, in particular the principle of least privilege. The essence of this concept, as its name suggests, is to grant a user or process only those rights that are needed to perform the intended actions. This principle is implemented through mandatory access typing, so access control in SELinux is built on the domain => type model.

Thanks to mandatory access typing, SELinux has far greater access control capabilities than the traditional DAC model used in Unix/Linux operating systems. For example, you can restrict the network port number the ftp server may connect to, allow writing and changing files in a certain folder but not deleting them.

The main components of SELinux are:

  • Policy Enforcement Server - the main mechanism for organizing access control.
  • The system security policy database.
  • Interaction with the LSM event interceptor.
  • Selinuxfs - a pseudo-FS similar to /proc, mounted at /sys/fs/selinux. It is populated dynamically by the Linux kernel at runtime and contains files with SELinux state information.
  • Access Vector Cache - an auxiliary mechanism for improving performance.

How SELinux works

It all works like this.

  1. A subject, in SELinux terms, performs an action permitted on an object after the DAC check, as shown in the figure above. This request to perform an operation goes to the LSM event interceptor.
  2. From there the request, together with the security contexts of the subject and the object, is passed to the SELinux Abstraction and Hook Logic module, which is responsible for interaction with LSM.
  3. The authority that decides on the subject's access to the object is the Policy Enforcement Server, which receives its data from SELinux AnHL.
  4. To decide on access or denial, the Policy Enforcement Server turns to the Access Vector Cache (AVC), a subsystem that caches the most frequently used rules.
  5. If no decision for the matching rule is found in the cache, the request is forwarded to the security policy database.
  6. The result of the lookup in the database and the AVC is returned to the Policy Enforcement Server.
  7. If the policy found matches the requested action, the operation is allowed. Otherwise the operation is denied.

Managing SELinux settings

SELinux operates in one of three modes:

  • Enforcing - strict adherence to the security policies.
  • Permissive - violations of the restrictions are allowed; a corresponding entry is written to the log.
  • Disabled - the security policies are not in effect.

You can see which mode SELinux is in with the following command.

[admin@server ~]$ getenforce
Permissive

To change the mode until the next reboot, for example to set it to enforcing, or 1 (the permissive mode corresponds to the numeric code 0):

[admin@server ~]$ setenforce enforcing
[admin@server ~]$ setenforce 1 # the same thing

You can also change the mode by editing the file:

[admin@server ~]$ cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.

SELINUXTYPE=targeted

The difference from setenforce is that when the operating system starts, the SELinux mode is set according to the value of the SELINUX parameter in the configuration file. In addition, the enforcing <=> disabled transitions take effect only by editing the /etc/selinux/config file and rebooting.

View a brief status report:

[admin@server ~]$ sestatus

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
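The sestatus output above shows exactly the situation described earlier: the runtime mode is permissive while the config file says enforcing, so the next reboot silently changes the system's behaviour. The Python below, added here as an example and not part of the original article, parses both outputs and returns the findings a host check should report; the sample texts are constructed from the outputs shown on this page.

```python
# Constructed sample input: the sestatus output and the /etc/selinux/config
# shown above, reduced to the lines this check reads.
SESTATUS_OUTPUT = """\
SELinux status: enabled
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
"""
SELINUX_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
"""

def parse_sestatus(text):
    """Turn the 'Key: value' lines of sestatus into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def parse_selinux_config(text):
    """Read KEY=value settings from /etc/selinux/config, skipping comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def selinux_findings(sestatus_text, config_text):
    """Posture problems a monitoring check should report, as a list of strings."""
    status = parse_sestatus(sestatus_text)
    config = parse_selinux_config(config_text)
    # When SELinux is disabled, sestatus prints no 'Current mode' line at all.
    current = status.get("Current mode", "disabled")
    configured = config.get("SELINUX", "disabled")
    findings = []
    if current != "enforcing":
        findings.append(f"runtime mode is {current}, not enforcing")
    if configured != "enforcing":
        findings.append(f"configured mode is {configured}, not enforcing")
    if current != configured:  # setenforce changed the mode without touching the config
        findings.append(f"runtime mode {current} differs from configured {configured}")
    if "Loaded policy name" in status and status["Loaded policy name"] != config.get("SELINUXTYPE"):
        findings.append("loaded policy differs from SELINUXTYPE in config")
    return findings
```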

To display SELinux attributes, some of the standard utilities take the -Z parameter.

[admin@server ~]$ ls -lZ /var/log/httpd/
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20200920
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20200927
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20201004
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 access_log-20201011
[admin@server ~]$ ps -u apache -Z
LABEL                             PID TTY          TIME CMD
system_u:system_r:httpd_t:s0     2914 ?        00:00:04 httpd
system_u:system_r:httpd_t:s0     2915 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2916 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2917 ?        00:00:00 httpd
...
system_u:system_r:httpd_t:s0     2918 ?        00:00:00 httpd

Compared with the usual output of ls -l, there are additional fields in the following format:

<user>:<role>:<type>:<level>

The last field means something like a security classification and consists of a combination of two elements:

  • s0 - sensitivity, also written as a range of levels;
  • c0, c1… c1023 - category.

Changing the access configuration

Use semodule to load, add and remove SELinux modules.

[admin@server ~]$ semodule -l |wc -l # list of all modules
408
[admin@server ~]$ semodule -e abrt # enable - activate a module
[admin@server ~]$ semodule -d accountsd # disable - deactivate a module
[admin@server ~]$ semodule -r avahi # remove - remove a module

The first login-management command binds a SELinux user to an operating system user, the second displays the list. Finally, the last command (semanage login -d) removes the mapping of the SELinux user to the OS account. The syntax of the MLS/MCS Range values is explained in the previous section.

[admin@server ~]$ semanage login -a -s user_u karol
[admin@server ~]$ semanage login -l

Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
root unconfined_u s0-s0:c0.c1023 *
system_u system_u s0-s0:c0.c1023 *
[admin@server ~]$ semanage login -d karol

The user subcommand is used to manage the mappings between SELinux users and roles.

[admin@server ~]$ semanage user -l
                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range             SELinux Roles
guest_u         user       s0         s0                    guest_r
staff_u         staff      s0         s0-s0:c0.c1023        staff_r sysadm_r
...
user_u          user       s0         s0                    user_r
xguest_u        user       s0         s0                    xguest_r
[admin@server ~]$ semanage user -a -R 'staff_r user_r' test_u
[admin@server ~]$ semanage user -d test_u

Command parameters:

  • -a add a user-to-role mapping entry;
  • -l list the users and their roles;
  • -d delete a user-to-role mapping entry;
  • -R the list of roles attached to the user.

Files, ports and Boolean values

Each SELinux module provides its own set of file labeling rules, but you can also add your own rules when needed. For example, we want the web server to have access to the /srv/www folder.

[admin@server ~]$ semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"
[admin@server ~]$ restorecon -R /srv/www/

The first command registers the new labeling rule, and the second resets, or rather sets, the file types according to the current rules.

Similarly, TCP/UDP ports are labeled so that only the appropriate services can listen on them. For example, for the web server to listen on port 8080, you need to run the command:
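The context format described above (user:role:type:level) and the /srv/www labeling rule can both be checked from a listing, without touching the policy. The Python below is added here as an example and is not part of the original article: it splits a context into its four fields while keeping an MLS/MCS range such as s0-s0:c0.c1023 intact (that range contains a colon of its own, so a naive split breaks), lists entries whose type does not match what the fcontext rule expects (what restorecon would relabel), and flags processes running unconfined in ps -Z output. The LS_Z_OUTPUT and PS_Z_OUTPUT samples are constructed; the parsers assume the five-column ls -lZ layout shown on this page and names without spaces.

```python
# Constructed sample: `ls -lZ /srv/www` after the fcontext rule was added but
# before restorecon ran, so one file still carries the label it was created with.
LS_Z_OUTPUT = """\
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. apache apache unconfined_u:object_r:user_home_t:s0 upload.php
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0-s0:c0.c1023 static
"""
# Constructed sample of `ps -Z` output: one confined daemon, one unconfined script.
PS_Z_OUTPUT = """\
LABEL                             PID TTY          TIME CMD
system_u:system_r:httpd_t:s0     2914 ?        00:00:04 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3120 pts/0 00:00:00 helper.sh
"""

def parse_context(ctx):
    """Split user:role:type:level. The level may be an MLS/MCS range such as
    s0-s0:c0.c1023, which itself contains ':', so split on three separators only."""
    parts = ctx.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed SELinux context: {ctx!r}")
    user, role, type_, level = parts
    return {"user": user, "role": role, "type": type_, "level": level}

def parse_ls_z(text):
    """Yield (name, context) pairs from `ls -lZ` output in the
    mode/owner/group/context/name layout; assumes names contain no spaces."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5:
            yield fields[-1], parse_context(fields[-2])

def mislabeled(text, expected_type):
    """Entries whose type differs from expected_type, i.e. what `restorecon -R`
    would relabel after `semanage fcontext -a -t <expected_type> ...`."""
    return [name for name, ctx in parse_ls_z(text) if ctx["type"] != expected_type]

def unconfined_processes(text):
    """Commands from `ps -Z` output whose domain is unconfined_t, i.e. processes
    to which type enforcement applies no restrictions."""
    hits = []
    for line in text.splitlines()[1:]:  # skip the LABEL/PID/... header
        fields = line.split()
        if parse_context(fields[0])["type"] == "unconfined_t":
            hits.append(fields[-1])
    return hits
```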

[admin@server ~]$ semanage port -m -t http_port_t -p tcp 8080

A significant number of SELinux modules have parameters that take Boolean values. The full list of such parameters can be seen with getsebool -a. Boolean values are changed with setsebool.

[admin@server ~]$ getsebool httpd_enable_cgi
httpd_enable_cgi --> on
[admin@server ~]$ setsebool -P httpd_enable_cgi off
[admin@server ~]$ getsebool httpd_enable_cgi
httpd_enable_cgi --> off

Practical exercise: getting access to the pgadmin-web interface

Let's look at a practical example: we installed pgadmin4-web on RHEL 7.6 to manage a PostgreSQL database. We dug around a bit in the pg_hba.conf, postgresql.conf and config_local.py settings, set the folder permissions, installed the missing Python modules from pip. Everything is ready, we launch it and get 500 Internal Server Error.


We start with the usual suspects and look at /var/log/httpd/error_log. There is an interesting entry there.

[timestamp] [core:notice] [pid 23689] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
...
[timestamp] [wsgi:error] [pid 23690] [Errno 13] Permission denied: '/var/lib/pgadmin'
[timestamp] [wsgi:error] [pid 23690] [timestamp] [wsgi:error] [pid 23690] HINT : You may need to manually set the permissions on
[timestamp] [wsgi:error] [pid 23690] /var/lib/pgadmin to allow apache to write to it.

At this point most Linux administrators will be strongly tempted to run setenforce 0, and that will be the end of it. To be honest, I did exactly that the first time. This is of course also a way out, but far from the best one.

Despite its cumbersome constructs, SELinux can be user-friendly. Just install the setroubleshoot package and look at the system log.

[admin@server ~]$ yum install setroubleshoot
[admin@server ~]$ journalctl -b -0
[admin@server ~]$ service auditd restart

Note that the auditd service must be restarted in exactly this way, and not with systemctl, despite the presence of systemd in the OS. The system log will then show not only the fact of the block, but also its reason and the way to overcome it.


We run these commands:

[admin@server ~]$ setsebool -P httpd_can_network_connect 1
[admin@server ~]$ setsebool -P httpd_can_network_connect_db 1

We check access to the pgadmin4-web page: everything works.
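setroubleshoot builds its explanation from the raw AVC records that auditd writes to /var/log/audit/audit.log. The Python below, added here as an example and not taken from the original article or from the setroubleshoot project, parses constructed AVC records matching the pgadmin case (an httpd_t write into /var/lib/pgadmin and a connection to the PostgreSQL port), groups the denials by source type, target type and object class the way audit2allow summarises them, and attaches a hint naming one of the booleans used above where the pattern is known. The AUDIT_LOG sample, the BOOLEAN_HINTS table and the hint lookup are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit records in the format auditd writes AVC denials to
# /var/log/audit/audit.log; pids, inodes and timestamps are placeholders.
AUDIT_LOG = """\
type=AVC msg=audit(1602000000.101:901): avc:  denied  { write } for  pid=23690 comm="httpd" name="pgadmin" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1602000000.102:902): avc:  denied  { add_name } for  pid=23690 comm="httpd" name="sessions" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1602000000.103:903): avc:  denied  { name_connect } for  pid=23690 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1602000000.103:903): arch=c000003e syscall=42 success=no exit=-13
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]*) \} for (.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed illustrative lookup, not setroubleshoot's logic: which boolean from
# this article covers a given (source type, target type, class, permission).
BOOLEAN_HINTS = {
    ("httpd_t", "postgresql_port_t", "tcp_socket", "name_connect"): "httpd_can_network_connect_db",
}

def parse_avc(line):
    """Dict for one AVC record; None for SYSCALL and other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    verdict, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {
        "verdict": verdict,
        "perms": set(perms.split()),
        "source_type": fields["scontext"].split(":")[2],  # domain of the subject
        "target_type": fields["tcontext"].split(":")[2],  # type of the object
        "tclass": fields["tclass"],
        "enforced": fields.get("permissive") == "0",  # permissive=1 means logged, not blocked
    }

def triage(log_text):
    """Group denials by (source, target, class), merging permissions the way
    audit2allow does, and attach a boolean hint when one is known."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            groups[(rec["source_type"], rec["target_type"], rec["tclass"])] |= rec["perms"]
    report = []
    for key, perms in sorted(groups.items()):
        hint = next((b for (s, t, c, p), b in BOOLEAN_HINTS.items()
                     if (s, t, c) == key and p in perms), None)
        report.append((key, sorted(perms), hint))  # no hint: needs a label fix or custom policy
    return report
```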


Source: www.habr.com
