Implementing Mandatory Access Control with SELinux or AppArmor in Linux


To overcome the limitations of, and to strengthen, the security mechanisms provided by standard ugo/rwx permissions and access control lists, the United States National Security Agency (NSA) devised a flexible Mandatory Access Control (MAC) method known as SELinux (short for Security Enhanced Linux). Among other things, it restricts the ability of processes to access or perform other operations on system objects (such as files, directories, network ports, etc.) to the least permission possible, while still allowing for later modifications to this model.

Another popular and widely used MAC is AppArmor, which, in addition to the features provided by SELinux, includes a learning mode that allows the system to "learn" how a specific application behaves, and to set limits by configuring profiles for safe application usage.

In CentOS 7, SELinux is incorporated into the kernel itself and is enabled in Enforcing mode by default (more on this in the next section), as opposed to openSUSE and Ubuntu, which use AppArmor.

In this article we will explain the essentials of SELinux and AppArmor and how to use one of these tools to your advantage depending on your chosen distribution.

Introduction to SELinux and How to Use It on CentOS 7

Security Enhanced Linux can operate in two modes:

  1. Enforcing: SELinux denies access based on the SELinux policy rules, a set of guidelines that control the security engine.
  2. Permissive: SELinux does not deny access, but denials are logged for actions that would have been denied if running in enforcing mode.

SELinux can also be disabled. Although it is not an actual operating mode, it is still an option. However, learning how to use this tool is better than simply ignoring it. Keep that in mind!

To display the current mode of SELinux, use getenforce. If you want to switch the operating mode, use setenforce 0 (to set it to Permissive) or setenforce 1 (Enforcing).

Since this change will not survive a reboot, you will need to edit the /etc/selinux/config file and set the SELINUX variable to either enforcing, permissive, or disabled in order to persist the setting across reboots.

On a side note, if getenforce returns Disabled, you will have to edit /etc/selinux/config with the desired operating mode and reboot. Otherwise, you will not be able to set (or switch) the operating mode with setenforce.

One of the typical uses of setenforce is switching between SELinux modes (from enforcing to permissive or the other way around) to troubleshoot an application that is misbehaving or not working as expected. If it works after you set SELinux to Permissive mode, you can be confident that you are looking at a SELinux permissions issue.

Two classic cases where we will most likely have to deal with SELinux are:

  1. Changing the default port where a daemon listens.
  2. Setting the DocumentRoot directive for a virtual host outside of /var/www/html.

Let's take a look at these two cases using the following examples.

One of the first things many system administrators do to harden their servers is change the port where the SSH daemon listens, mostly to discourage port scanners and external attackers. To do this, we use the Port directive in /etc/ssh/sshd_config with the new port number as follows (we will use port 9999 in this case):

Port 9999

After attempting to restart the service and checking its status, we will see that it failed to start:

# systemctl restart sshd
# systemctl status sshd

If we look at /var/log/audit/audit.log, we will see that sshd was prevented from starting on port 9999 by SELinux because that port is reserved for the JBoss Management service (SELinux log messages include the word AVC so that they can be easily distinguished from other messages):

# cat /var/log/audit/audit.log | grep AVC | tail -1

At this point most people would probably disable SELinux, but we won't. We will see that there is a way for SELinux, and sshd listening on a different port, to coexist. Make sure you have the policycoreutils-python package installed and run:

# yum install policycoreutils-python

Then list the ports where SELinux allows sshd to listen. In the output below we can see that port 9999 is reserved for another service, and thus we cannot use it to run a different service for the time being:

# semanage port -l | grep ssh

Of course we could choose another port for SSH, but if we are certain that we will not need to use this specific machine for any JBoss-related service, we can modify the existing SELinux rule and assign that port to SSH instead:

# semanage port -m -t ssh_port_t -p tcp 9999

After that, we can use the first semanage command to check whether the port was correctly assigned, or the -lC option (short for list custom):

# semanage port -lC
# semanage port -l | grep ssh

We can now restart SSH and connect to the service using port 9999. Note that this change WILL survive a reboot.

If you need to set up an Apache virtual host using a directory other than /var/www/html as DocumentRoot (say, for example, /websrv/sites/gabriel/public_html):

DocumentRoot "/websrv/sites/gabriel/public_html"

Apache will refuse to serve the content because index.html is labeled with the default_t SELinux type, which Apache cannot access:

# wget http://localhost/index.html
# ls -lZ /websrv/sites/gabriel/public_html/index.html

As with the previous example, you can use the following command to verify that this is indeed a SELinux-related issue:

# cat /var/log/audit/audit.log | grep AVC | tail -1

To change the label of /websrv/sites/gabriel/public_html recursively to httpd_sys_content_t, do:

# semanage fcontext -a -t httpd_sys_content_t "/websrv/sites/gabriel/public_html(/.*)?"

The above command will grant Apache read-only access to that directory and its contents.

Finally, to apply the policy (and make the label change effective immediately), do:

# restorecon -R -v /websrv/sites/gabriel/public_html

Now you should be able to access the directory:

# wget http://localhost/index.html
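Both cases above were diagnosed by grepping audit.log for AVC records. The following script is an added example, not part of the original article: it parses a constructed sample of the two denials (sshd on the JBoss-reserved port, httpd on a default_t file) and prints, per denial, the process, the permission and the SELinux type it collided with, so the next step (semanage port or semanage fcontext) is obvious without reading the raw record.

```shell
#!/bin/sh
# Added example (not from the original article). Constructed sample of the two
# AVC denials discussed above: sshd binding to the port reserved for JBoss, and
# httpd reading an index.html still labelled default_t. Not real log data.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1700000000.101:201): avc:  denied  { name_bind } for  pid=1201 comm="sshd" src=9999 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:jboss_management_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=49 success=no exit=-13 comm="sshd"
type=AVC msg=audit(1700000000.202:202): avc:  denied  { read } for  pid=1302 comm="httpd" name="index.html" dev="sda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0'

# Pull one field out of an AVC record using a sed capture group ($2 is a BRE).
field() { printf '%s\n' "$1" | sed -n "s/.*$2.*/\\1/p"; }

# summarize_avc: read audit records on stdin and print one line per AVC denial:
#   <comm> denied <perm> on <tclass> <object> (target type <type>)
# The target type is the third component of tcontext; that is the label you
# would fix with semanage port (for sockets) or semanage fcontext (for files).
summarize_avc() {
  grep 'avc:  denied' | while IFS= read -r line; do
    comm=$(field "$line" 'comm="\([^"]*\)"')
    perm=$(field "$line" 'denied  { \([^}]*\) }' | tr ' ' ',')
    tclass=$(field "$line" 'tclass=\([^ ]*\)')
    ttype=$(field "$line" 'tcontext=[^:]*:[^:]*:\([^:]*\):')
    case "$tclass" in
      tcp_socket|udp_socket) obj="port $(field "$line" 'src=\([0-9]*\)')" ;;
      *)                     obj=$(field "$line" 'name="\([^"]*\)"') ;;
    esac
    printf '%s denied %s on %s %s (target type %s)\n' \
      "$comm" "$perm" "$tclass" "$obj" "$ttype"
  done
}

# Stand-alone run over the constructed sample; on a real host you would feed
# /var/log/audit/audit.log (or ausearch output) on stdin instead.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_avc
```

Non-AVC records (such as the SYSCALL line) are skipped, and multiple permissions in one denial are joined with commas.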

For more information on SELinux, refer to the Fedora 22 SELinux and Administrator guide.