These days, security is one of those things everyone talks about, and in this arena many actually do something about it. Using mandatory-access-control (MAC) systems like SELinux and AppArmor can significantly improve the security of a system, but only if they’re used. For this discussion, we concentrate on SELinux. However, the ideas are applicable to most access-control systems.
Security-Enhanced Linux, or SELinux, was originally developed by the US National Security Agency (NSA). It’s standard fare on Red Hat Enterprise Linux (RHEL), its community version called CentOS, and Fedora Linux. It is available in many other incarnations, though it isn’t always installed or turned on by default.
Disabling SELinux is easy. Just run setenforce 0. Turning it off permanently is done by setting SELINUX=disabled in the /etc/selinux/config file for CentOS or Fedora.
JUST DON'T DO IT.
Too many “tips” on the web tell readers to do just this when a particular application will not run with SELinux. It’s usually because they’re too lazy to figure out why. While this will typically get an application to run, it also turns a relatively secure system into a relatively insecure system.
The reason for most of these tips is that good presentations of SELinux or other access-control systems are rare, and not easy to find or to get hold of. The few good books on SELinux also tend to be daunting. The excuses for not reading them are that security isn’t important, it’s not my job, and so on.
Unfortunately, getting things to work under SELinux is actually not that hard. Still, there are many cases where it can be more challenging. More on that later.
So, before you disable SELinux completely, take a look at some of the less severe changes that will likely get your application to run.
First off, one needs to understand what SELinux is up to. Really providing a good SELinux overview takes at least a chapter or two of a book, so this will be a bit abbreviated.
Essentially, every item SELinux protects, including files, directories, ports, and so on, carries a label of the form user:role:type. Listing the labels of files and directories is built into ls (Fig. 1). The labels are used by SELinux to determine what security profiles apply to the item.
1. The ls -Z command lists the SELinux labels of files and directories.
The chcon program can be used to change an SELinux context, but it’s better to use the semanage program, which manages the stored contexts, together with the restorecon program (Fig. 2). Typically, an application that has been configured for SELinux will include a configuration file whose contexts define how labels are set for its files, directories, and so on.
2. The restorecon application changes file and directory labels based on the saved file contexts (fcontext). The semanage program is used to manipulate SELinux contexts.
What often happens is that a user will create or edit files associated with an application such that the labels are incorrect. Of course, SELinux then prevents the application from using these files, as it should. Running restorecon on the files and directories where errors occur should be the first step to getting an application to run properly under SELinux.
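The relabel step described above, as an added example that is not code from the article: the rule is stored with semanage fcontext first and then applied with restorecon, because a one-off chcon is undone by the next full relabel. The directory path and the target type (httpd_sys_content_t is used as the sample) are assumptions supplied by the caller; the DRY_RUN switch is a convenience of this example, not a feature of the tools.

```shell
#!/bin/sh
# Added example, not code from the article: fix the labels of an application's
# data directory the persistent way. A plain chcon is lost at the next full
# relabel, so the rule is recorded with "semanage fcontext" first and then
# applied with restorecon.
#
# Assumptions: the directory and target type (e.g. httpd_sys_content_t) are
# supplied by the caller; semanage, restorecon and matchpathcon are the usual
# policycoreutils programs. DRY_RUN=1 prints the commands instead of running
# them (useful for review before touching a production tree).

: "${DRY_RUN:=0}"

# run_cmd: execute the command, or print it when DRY_RUN=1.
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# fcontext_pattern DIR: the regular expression semanage expects, matching
# DIR itself and everything below it.
fcontext_pattern() {
    dir=${1%/}
    printf '%s(/.*)?\n' "$dir"
}

# relabel_app_dir DIR TYPE: make DIR and its contents carry TYPE persistently.
# Returns 1 on a missing argument and 2 if DIR does not exist.
relabel_app_dir() {
    dir=$1
    type=$2
    [ -n "$dir" ] && [ -n "$type" ] || return 1
    if [ "$DRY_RUN" != "1" ] && [ ! -d "$dir" ]; then
        return 2
    fi
    pattern=$(fcontext_pattern "$dir")

    # 1. Show what the policy currently thinks the label should be.
    run_cmd matchpathcon -V "$dir"
    # 2. Record the rule (-a); fall back to modifying an existing rule (-m).
    run_cmd semanage fcontext -a -t "$type" "$pattern" ||
        run_cmd semanage fcontext -m -t "$type" "$pattern"
    # 3. Apply the stored rules to the whole tree, reporting each change.
    run_cmd restorecon -Rv "$dir"
}

# Stand-alone use: relabel_app_dir /srv/www/site httpd_sys_content_t
```

Run it once with DRY_RUN=1 to see the three commands it will issue, then for real; the verbose restorecon output is the record of which files actually had wrong labels.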
SELinux Audit Trail
The file /var/log/audit/audit.log (Fig. 3) in CentOS and Fedora is where SELinux errors and actions are logged. Actions that are denied can be found by filtering the file using tools like grep. The log entries tend to be cryptic, but they provide information that can be used to address applications that aren’t working with SELinux.
3. Tools such as grep can be used to filter the file /var/log/audit/audit.log to show the actions SELinux has denied.
Remember that SELinux can run in one of three modes: off, permissive, and enforcing. The first does nothing. In permissive and enforcing mode, SELinux watches the system; however, permissive mode only adds entries to the audit log file, while enforcing mode prevents the application from using the item. We always want SELinux enforcing, but we also want the application to run.
The typical advice after setenforce 0 is to run SELinux in permissive mode so that it will hopefully generate an audit trail with denials that can then be used to generate a security profile that allows an application to run. The profile can be generated from the log entries with the audit2allow program.
While grep and similar tools are useful for filtering the audit log, SELinux comes with the ausearch program, which is often preferable for use with audit2allow (Fig. 4). It can filter entries based on many criteria, from hosts to process IDs. Check out the man pages for ausearch and audit2allow, as with most of the SELinux-related programs mentioned here, since they have many options not covered in this article.
4. The ausearch application can filter the audit log so that audit2allow can generate a profile, which can then be installed using semodule.
The challenge with audit2allow is that it will create a profile that enables an application to do more than it could without the profile. However, it may not be sufficient to allow the application to run all of the time. This is because the audit log will only contain problems related to what the application did during the period of the log. The profile may be sufficient if all of the application’s actions were exercised. However, if some were not, then it’s possible that the generated profile would let the application run for some time but then fail or have errors at some point when encountering actions that weren’t exercised. Running SELinux in permissive mode again would allow the newly denied actions to be recorded so that a new profile could be created.
Using an audit2allow-generated profile may provide an application with more access than one may prefer, but this is still better from a security standpoint than allowing all applications free rein within a system. It’s true that the basic Linux security mechanisms would still be in play; still, these are more liberal than the confinement provided by SELinux. As noted, the challenge with the audit2allow approach is knowing whether the generated profile is sufficient.
I suggest checking whether changing the labels will fix the problem before turning to audit2allow. Often setting a file or directory context using semanage, mentioned earlier, will let a program run.
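Triage before audit2allow, as an added example that is not from the article: the denials are summarised by source domain, target type, object class and permission, which is the view you need to decide whether a relabel or a boolean fixes the problem rather than a generated allow rule. The three AVC records are constructed for this example (assumed to follow the audit.log format), and build_policy_module is a hypothetical wrapper around the ausearch, audit2allow and semodule commands the text names.

```shell
#!/bin/sh
# Added example, not from the article: triage AVC denials from the audit log
# before reaching for audit2allow. The summary groups denials by source
# domain, target type, object class and permission, which is what you need
# to decide whether a relabel (restorecon/semanage fcontext) or a boolean
# would fix the problem instead of a generated allow rule.
#
# Assumption: input lines follow the audit.log AVC record format. The records
# below are constructed for this example, not taken from a real host.

SAMPLE_LOG='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=2211 comm="httpd" name="index.html" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read open } for  pid=2211 comm="httpd" name="style.css" dev="dm-0" ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=2211 comm="httpd" dest=8443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=42 success=no exit=-13'

# summarize_denials: read AVC records on stdin, print
#   "<count> <source type> <target type> <class> <permission>"
# one line per distinct denial, most frequent first.
summarize_denials() {
    awk '
    /type=AVC/ && /denied/ {
        # the permission list sits between "{ " and " }"
        p = index($0, "{ "); q = index($0, " }")
        perms = substr($0, p + 2, q - p - 2)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # contexts are user:role:type:level; the type is field 3
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        n = split(perms, pl, " ")
        for (j = 1; j <= n; j++) count[src " " tgt " " cls " " pl[j]]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# build_policy_module NAME (hypothetical wrapper): the audit2allow path, for
# use only after the summary shows no label or boolean fix applies. It writes
# NAME.te (readable rules, review before loading) and NAME.pp.
build_policy_module() {
    name=$1
    [ -n "$name" ] || return 1
    ausearch -m AVC -ts recent | audit2allow -w            # explain each denial
    ausearch -m AVC -ts recent | audit2allow -M "$name" || return 2
    echo "Review $name.te, then install with: semodule -i $name.pp"
}

# Stand-alone use:
#   printf '%s\n' "$SAMPLE_LOG" | summarize_denials
#   ausearch -m AVC -ts recent | summarize_denials   # on a real host
```

In the constructed sample the first two lines point at user_home_t content being served by httpd_t, which is a labelling problem (or the httpd_enable_homedirs boolean), not something an allow rule should paper over; only the port denial is a candidate for a policy change, and even there a port label is narrower than a generated rule.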
SELinux Variables
For applications that don’t have an SELinux profile, audit2allow may be needed to expand the application’s security limits, but many applications come with profiles that include SELinux variables. These variables can be used to change the security limits in a controlled way. They’re often handy when trying to get two SELinux-enabled programs to work together, such as the Samba file server and the Apache web server (httpd).
SELinux variables are used with setsebool and getsebool (Fig. 5). Typically, these booleans significantly widen the limits of one particular aspect of the associated security profile. For example, the Apache web server is normally restricted in the ports it can use. Setting the httpd_can_network_connect variable on essentially lets the application use any port. This is often done if the port required is unknown or would change in an unknown fashion. It would be better to create a profile that allowed a specific port or range of ports. Nonetheless, at least using the variable doesn’t open other areas where the web server is limited.
5. A list of SELinux variables and their values can be obtained using getsebool.
As noted, these variables are sometimes employed to allow two SELinux-enabled programs to work together. This is because profiles are often designed to give an application access to its resources but prevent other programs from accessing them. That would not be the case if a Samba file share was being used for a website.
There are other ways to enable such sharing to occur, but examining even basic examples is beyond the scope of this article. Suffice it to say that you don’t want to disable SELinux; expanding the security boundaries with SELinux variables is much preferable to having no SELinux support at all.
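Because a boolean widens a whole aspect of a profile, it is worth keeping a written baseline of which booleans an application needs on and which must stay off, and checking hosts against it. The following is an added example, not code from the article: it reads output in the getsebool -a format, reports drift in either direction, and turns the drift into persistent setsebool -P commands. The sample output and the baseline are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the article: compare the booleans a host reports
# against the set an application is expected to have, and emit the
# setsebool commands for anything that drifted. Toggling a boolean widens
# a whole aspect of a profile, so the baseline should list the narrowest
# booleans that make the application work (and the ones that must stay off).
#
# Assumption: input is in "getsebool -a" format ("name --> on|off"). The
# sample output and baseline below are constructed for this example.

SAMPLE_BOOLS='httpd_can_network_connect --> off
httpd_enable_homedirs --> off
httpd_use_nfs --> off
samba_enable_home_dirs --> on
samba_export_all_rw --> off'

# name=value pairs; httpd_can_network_connect is listed so that drift towards
# a more permissive setting is reported too, not only missing grants.
BASELINE='httpd_enable_homedirs=on samba_enable_home_dirs=on httpd_can_network_connect=off'

# check_booleans BASELINE: read getsebool output on stdin, print one
# "<name> <current> <expected>" line per drifted boolean (a boolean the
# host does not know reports "missing"); returns 1 if anything drifted.
check_booleans() {
    drift=$(awk -v baseline="$1" '
    BEGIN {
        n = split(baseline, pairs, " ")
        for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); want[kv[1]] = kv[2] }
    }
    $2 == "-->" { have[$1] = $3 }
    END {
        for (name in want) {
            cur = (name in have) ? have[name] : "missing"
            if (cur != want[name]) print name, cur, want[name]
        }
    }' | LC_ALL=C sort)
    [ -n "$drift" ] || return 0
    printf '%s\n' "$drift"
    return 1
}

# remediation_commands: turn check_booleans output into persistent (-P)
# setsebool commands so the fix survives a reboot. Booleans the policy does
# not define cannot be set, so "missing" entries are skipped.
remediation_commands() {
    while read -r name cur want; do
        if [ "$cur" = "missing" ]; then continue; fi
        printf 'setsebool -P %s %s\n' "$name" "$want"
    done
}

# Stand-alone use:
#   printf '%s\n' "$SAMPLE_BOOLS" | check_booleans "$BASELINE" | remediation_commands
#   getsebool -a | check_booleans "$BASELINE"   # on a real host
```

The check exits non-zero on drift so it can sit in a configuration audit; the remediation output is meant to be read before it is run, since an unexpected "on" in the drift list is a sign someone widened the profile by hand.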
Permissive Domains
Running SELinux in permissive mode lets all applications run without SELinux stopping them; the problems are still recorded in the audit trail. Permissive domains can provide the same thing on a more limited basis (Fig. 6). In this case, SELinux runs in enforcing mode, limiting most applications, though those within a permissive domain will not have these restrictions causing errors. Any denials will still be logged, but the applications will be allowed to continue unimpeded.
6. Permissive domains provide a selective way of expanding a domain’s security limitations.
Again, using this approach expands the security limits, though it’s in a known fashion where a user, manager, or developer can determine whether this scope is sufficient for a system. Likewise, it’s more limited than turning off SELinux completely.
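Taking a domain back out of permissive mode is the point where the "known fashion" above matters: every AVC record with permissive=1 is an action the domain performed only because it was permissive, and each one is a gap still to close (by relabel, boolean or policy) before the domain is enforced again. The following is an added example, not code from the article; the AVC records are constructed, and myapp_t is a hypothetical domain type.

```shell
#!/bin/sh
# Added example, not from the article: before taking a domain back out of
# permissive mode, find out what it was allowed to do only because the domain
# was permissive. AVC records carry permissive=1 for those events, so each
# one is a rule (or a relabel, or a boolean) still missing from the policy.
#
# Assumptions: input is in audit.log AVC format; myapp_t is a hypothetical
# domain type used for the constructed records below.

SAMPLE_AVC='type=AVC msg=audit(1700000100.001:301): avc:  denied  { write } for  pid=3100 comm="myapp" name="cache" dev="dm-0" ino=2001 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1700000100.002:302): avc:  denied  { name_bind } for  pid=3100 comm="myapp" src=9090 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000100.003:303): avc:  denied  { read } for  pid=2211 comm="httpd" name="secret" dev="dm-0" ino=2002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# avc_by_domain FLAG: count AVC records whose permissive field equals FLAG
# (1 = allowed only because the domain is permissive, 0 = really blocked),
# printing "<source domain> <count>" per domain.
avc_by_domain() {
    awk -v want="$1" '
    /type=AVC/ && /denied/ {
        dom = ""; flag = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)   { split($i, a, ":"); dom = a[3] }
            if ($i ~ /^permissive=/) { flag = substr($i, 12) }
        }
        if (flag == want) count[dom]++
    }
    END { for (d in count) print d, count[d] }' | LC_ALL=C sort
}

# ready_to_enforce DOMAIN: succeed only when the input shows no permissive
# denials for DOMAIN, i.e. "semanage permissive -d DOMAIN" is safe to run.
ready_to_enforce() {
    domain=$1
    hits=$(avc_by_domain 1 | awk -v d="$domain" '$1 == d { print $2 }')
    [ -z "$hits" ]
}

# Stand-alone use (on a real host):
#   semanage permissive -a myapp_t            # only myapp_t runs permissive
#   ... exercise the application, then:
#   ausearch -m AVC -ts recent | avc_by_domain 1
#   ausearch -m AVC -ts recent | ready_to_enforce myapp_t && semanage permissive -d myapp_t
```

Note that the httpd_t record in the sample carries permissive=0: a domain that is still enforcing keeps blocking even while another domain is permissive, which is exactly the selectivity the text describes.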
Some More SELinux Tools
Other tools come in handy when working with SELinux. These include:
- aureport – provides a filtered and formatted report of the audit log
- avcstat – shows access vector cache statistics
- sealert – part of the GUI monitoring system
- seinfo – queries information about an SELinux policy
- sesearch – searches an SELinux policy for rules
- sediff – displays differences between SELinux policies
- sechecker – checks SELinux policies
- findcon – searches files or directories for a desired SELinux context
Most of these aren’t installed by default on a system running SELinux, as they’re often used for status, development, or debugging chores. A system secured using SELinux doesn’t require them, but they’re invaluable when trying to get an application working under SELinux. For example, try sesearch -s httpd_t --allow -d. It lists all of the rules that are associated with files labeled with, or based on, the type httpd_t.
Here are some useful links for more information on SELinux and other security modules:
- https://github.com/selinuxproject
- http://selinuxproject.org (superseded by https://github.com/selinuxproject)
- NSA SELinux documentation
- SELinux User's and Administrator's Guide
- Fedora Project Selinux
- org Linux Security Module Usage
- Apparmor
- Simplified Mandatory Access Control Kernel (SMACK) – used by Tizen Linux
- TOMOYO Linux
SELinux and Developers
Providing an application without SELinux support, if that application is targeted at platforms where SELinux is available, should be verboten. Security has become critical to the proper operation of PCs, servers, and embedded systems, and not providing this type of security is just poor development practice. It’s also something that’s significantly easier for a developer to include up front than for someone to attempt to shoehorn an application into an SELinux system after the fact.
Providing support for SELinux, or other access-control systems, requires some understanding of the security environment, which is actually much simpler than most developers might think. Unfortunately, that’s an article for another day.
Hopefully this article provides enough motivation to keep you from disabling SELinux.