SELinux security concepts and initialization process

1. Problems and solutions

Starting with Red Hat Linux 4, the SELinux security subsystem was introduced to address the following shortcomings of traditional Linux:

 1 There is an all-powerful privileged user, root.
 2 SUID programs can be used for privilege escalation.
 3 The DAC (Discretionary Access Control) problem: the owner of a file or directory can perform any operation on it.

SELinux features:

 1 Thorough access control (MAC, Mandatory Access Control): every access to files, directories, ports and other resources is decided by the configured policy.
 2 Processes are granted only the minimum privileges.
   TE (Type Enforcement): every file is given a type label, every process is given a domain label, and the operations a domain may perform are defined by the access vector rules in the policy.
 3 Domain transition prevents privilege escalation.
   domain_auto_trans(fu_t, azureus_exec_t, azureus_t): even when a process in the (more privileged) fu_t domain executes a file labelled azureus_exec_t, its domain transitions from fu_t to azureus_t.
 4 Users are granted only the minimum privileges.
   RBAC (role-based access control): users are divided into roles, and which domains a role may run in is also defined by the policy.

SELinux checks are applied after the traditional DAC checks.

 

2. Concepts

 1 Object: anything that can be accessed (read), such as files, directories, processes, external devices and network sockets.
 2 Subject: a process is called a subject.
 3 Type: every subject or object in the system can be given a type; for example the web server is given the type httpd_t, and a user's home directory has the type user_home_t.
 4 Domain: the type of a process is called its domain; for example httpd runs as a process in the httpd_t domain.
 5 User: an SELinux user represents the identity of a group of accounts; for example system_u represents all server (daemon) accounts on the system.
 6 Role: a role represents a group of users or objects; the role object_r represents system objects such as files and devices.
 7 Policy: there are three policies, targeted, strict and mls. targeted protects common network services (the default), strict provides RBAC-style security, and mls provides multi-level security.
 8 Security context: a set of attributes associated with a process or object; every process and object carries one security context.

 

3. Initialization process

init -> mount procfs -> check whether the kernel provides the selinuxfs filesystem -> read the SELINUX parameter in /etc/sysconfig/selinux to see whether SELinux is enabled -> start in permissive mode -> decide whether to switch to enforcing mode -> mount the selinuxfs filesystem on /selinux -> load the policy /etc/selinux/TYPE/policy/policy.VERSION -> set contexts from the files under /etc/selinux/TYPE/contexts

 

Configuring SELinux

Environment:

Linux Samba server:    hostname: Linux-180   IP: 172.16.40.180

First stop the system firewall rules!!

Stop the iptables service on both the server and the client!!

# service iptables stop

Run on both the server and the client:

# setenforce 0
[root@Linux-180 network-scripts]# getenforce
Permissive

 

 

 

View the current SELinux status

[root@Linux-180 selinux]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

 

Changing the SELinux state

Via a kernel boot parameter

1 Specify it directly at the boot loader prompt (temporary change):

boot: linux selinux=N

   N = 0 disables SELinux, N = 1 enables it.

To apply the parameter automatically at every boot, set it in /boot/grub/grub.conf:

[root@Linux-180 selinux]# vi /boot/grub/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition.  This means that
#         all kernel and initrd paths are relative to /boot/, eg.
#         root (hd0,0)
#         kernel /vmlinuz-version ro root=/dev/sda2
#         initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
password --md5 $1$bUVxc1$JsPRbn/dN6zp7BHibklfk.
title Red Hat Enterprise Linux (2.6.32-220.el6.i686)
     root (hd0,0)
     kernel /vmlinuz-2.6.32-220.el6.i686 ro root=UUID=43d5b380-a72a-4656-b868-7a7f56435b7a rd_NO_LUKS rd_NO_LVM.UTF-8 rd_NO_MD quiet SYSFONT=latarcyrheb-sun16 rhgb crashkernel=auto KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM selinux=0
     initrd /initramfs-2.6.32-220.el6.i686.img

 

Via the SELinux configuration file /etc/sysconfig/selinux (a symlink to /etc/selinux/config); the change takes effect only after the machine is rebooted

[root@Linux-180 sysconfig]# cd /etc/sysconfig
[root@Linux-180 sysconfig]# ls -l | grep selinux
lrwxrwxrwx. 1 root root   17  3  6 00:43 selinux -> ../selinux/config
[root@Linux-180 selinux]# pwd
/etc/selinux
[root@Linux-180 selinux]# ls -l
总用量 20
-rw-r--r--. 1 root root  458  3  6 00:43 config
-rw-r--r--. 1 root root  113 11  2 2011 restorecond.conf
-rw-r--r--. 1 root root   76 11  2 2011 restorecond_user.conf
-rw-r--r--. 1 root root 1766 10 21 2011 semanage.conf
drwxr-xr-x. 5 root root 4096  4 16 09:45 targeted
[root@Linux-180 selinux]# more ./config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#    enforcing - SELinux security policy is enforced.
#    permissive - SELinux prints warnings instead of enforcing.
#    disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#    targeted - Targeted processes are protected,
#    mls - Multi Level Security protection.
SELINUXTYPE=targeted

 

Changing the SELinux mode manually

[root@Linux-180 selinux]# getenforce
Enforcing
[root@Linux-180 selinux]# setenforce 0
[root@Linux-180 selinux]# getenforce
Permissive

 

 

Modifying SELinux contexts

Security context

A security context is a set of attributes associated with a process or object. Every object carries a security context, and SELinux uses it to decide whether a process may access the object.

1 Format of a security context

   USER:ROLE:TYPE[:LEVEL][:CATEGORY]

The targeted policy does not use the USER field.
In the RBAC-based strict and mls policies the ROLE field is used; a role represents a set of TYPEs.
[:LEVEL][:CATEGORY] are shown only under the mls policy. LEVEL ranges from s0 to s15, with s0 the lowest sensitivity; CATEGORY ranges from c0 to c1023.

 

2 View the security context of an object

  # id -Z
  # ls -Z /etc/passwd
  # ps -Z

3 Change the security context of an object

  chcon [OPTION] CONTEXT FILES
  chcon [OPTION] --reference=REF_FILES FILES

[OPTION] includes -u USER, -r ROLE, -t TYPE, -R (recursive), -f (force), -v (verbose)

Restore an object's original security context:   restorecon [OPTIONS] [FILES]

  # touch test.html
  # ls -Z test.html
  # chcon -t httpd_t test.html
  # ls -Z test.html
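As an added example (not code from the original post), the POSIX shell functions below split a context into the USER:ROLE:TYPE[:LEVEL][:CATEGORY] fields described in section 1 and run the check that belongs after the chcon step in section 3: scanning constructed `ls -Z` output for web content whose TYPE is not httpd_sys_content_t, the type Apache-served files are normally labelled with (httpd_t is the domain type of the httpd process, not a file type). The sample lines and function names are assumptions, not output from the author's host.

```shell
#!/bin/sh
# Added example: parse SELinux contexts (USER:ROLE:TYPE[:LEVEL][:CATEGORY])
# and flag files whose TYPE is not the one the web server may read.

# ctx_field CONTEXT N: print field N of a context (1=USER 2=ROLE 3=TYPE
# 4=LEVEL 5=CATEGORY). Fields absent under the targeted policy print empty.
ctx_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# check_web_labels EXPECTED_TYPE: read "ls -Z" lines on stdin
# (perms owner group context name) and report every file whose TYPE
# differs from EXPECTED_TYPE. Returns 1 if any file is mislabelled.
check_web_labels() {
    expected=$1
    bad=0
    while read -r perms owner group ctx name; do
        [ -n "$ctx" ] || continue
        t=$(ctx_field "$ctx" 3)
        if [ "$t" != "$expected" ]; then
            echo "MISLABELED: $name has type $t, expected $expected"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample (an assumption, not captured from a real host) in the
# RHEL 6 "ls -Z" format. test.html carries httpd_t, the domain type of the
# httpd process rather than a file type; notes.html keeps the user_home_t
# label it received in a home directory, which the httpd_t domain may not read.
SAMPLE_LS_Z='-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_t:s0 test.html
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 notes.html'

printf '%s\n' "$SAMPLE_LS_Z" | check_web_labels httpd_sys_content_t \
    || echo "Repair with: chcon -t httpd_sys_content_t FILE, or restorecon -v FILE"
```

On a real host, feed it `ls -Z /var/www/html | check_web_labels httpd_sys_content_t`; restorecon resets a file to the type the policy's file contexts prescribe, which chcon changes do not survive.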

 

 

SELinux booleans

SELinux provides a set of variables (booleans) that let you quickly enable or disable certain SELinux features.

# getsebool {-a | SEBOOLEAN}

[root@Linux-180 ~]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off

[root@Linux-180 ~]# setsebool -P ftp_home_dir on

[root@Linux-180 ~]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
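As an added example (not from the original post), the shell function below compares two `getsebool -a` snapshots like the before and after listings above and reports each boolean that changed, separating off-to-on switches (which widen what a confined domain may do) from on-to-off ones. The two snapshots are constructed and the function name is an assumption.

```shell
#!/bin/sh
# Added example: diff two "getsebool -a" snapshots ("name --> value" lines)
# and flag booleans that were switched on, since each of those grants a
# confined domain access it did not have before.

# Constructed snapshots (assumption, not captured from a real host).
BEFORE='allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
ftp_home_dir --> off
tftp_anon_write --> on'
AFTER='allow_ftpd_anon_write --> off
allow_ftpd_full_access --> on
ftp_home_dir --> on
tftp_anon_write --> off'

# boolean_changes BEFORE AFTER: print "LOOSENED name" for off->on and
# "TIGHTENED name" for on->off, in BEFORE order. Booleans present only in
# AFTER are ignored. Returns 1 if anything was loosened, else 0.
boolean_changes() {
    printf '%s\n' "$1" | awk -v after="$2" '
        BEGIN {
            n = split(after, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, " --> ")
                new[f[1]] = f[2]
            }
            loosened = 0
        }
        {
            split($0, f, " --> ")
            name = f[1]; old = f[2]
            if (!(name in new) || new[name] == old) next
            if (old == "off" && new[name] == "on") {
                print "LOOSENED " name; loosened = 1
            } else {
                print "TIGHTENED " name
            }
        }
        END { exit loosened }'
}

boolean_changes "$BEFORE" "$AFTER" \
    || echo "policy was loosened: review the LOOSENED booleans above"
```

Because setsebool -P writes the change into the policy store and it survives reboots, diffing a known-good snapshot against the current `getsebool -a` output is a cheap way to notice a boolean that quietly widened a confined domain's access.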

 

 

 

 

 

Installing setroubleshoot-server from the installation DVD:

[root@Linux-180 ~]# df -h
文件系统          容量  已用  可用 已用%% 挂载点
/dev/sda2              18G  2.4G  15G  14% /
tmpfs                 376M  444K 375M   1% /dev/shm
/dev/sda1             291M   32M 245M  12% /boot
/dev/sr0               45M   45M    0 100% /media/CDROM_
/dev/sr1              2.9G 2.9G     0 100% /media/RHEL_6.2 i386 Disc 1
[root@Linux-180 ~]# umount /dev/sr1
[root@Linux-180 ~]# mount -t iso9660 /dev/sr1 /media/mycdrom
mount: block device /dev/sr1 is write-protected, mounting read-only
[root@Linux-180 ~]# yum list all | grep setroubleshoot-server
setroubleshoot-server.i686              3.0.38-2.1.el6                   server

[root@Linux-180 ~]# yum install setroubleshoot-server
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
Updating certificate-based repositories.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package setroubleshoot-server.i686 0:3.0.38-2.1.el6 will be installed
--> Processing Dependency: setroubleshoot-plugins >= 3.0.0 for package: setroubleshoot-server-3.0.38-2.1.el6.i686
--> Processing Dependency: audit-libs-python >= 1.2.6-3 for package: setroubleshoot-server-3.0.38-2.1.el6.i686
--> Processing Dependency: setools-libs-python for package: setroubleshoot-server-3.0.38-2.1.el6.i686
--> Processing Dependency: policycoreutils-python for package: setroubleshoot-server-3.0.38-2.1.el6.i686
--> Processing Dependency: libqpol.so.1(VERS_1.2) for package: setroubleshoot-server-3.0.38-2.1.el6.i686
--> Processing Dependency: libqpol.so.1 for package: setroubleshoot-server-3.0.38-2.1.el6.i686
--> Processing Dependency: libapol.so.4(VERS_4.0) for package: setroubleshoot-server-3.0.38-2.1.el6.i686
--> Processing Dependency: libapol.so.4 for package: setroubleshoot-server-3.0.38-2.1.el6.i686
--> Running transaction check
---> Package audit-libs-python.i686 0:2.1.3-3.el6 will be installed
---> Package policycoreutils-python.i686 0:2.0.83-19.18.el6 will be installed
--> Processing Dependency: libsemanage-python >= 2.0.43-4 for package: policycoreutils-python-2.0.83-19.18.el6.i686
--> Processing Dependency: libcgroup for package: policycoreutils-python-2.0.83-19.18.el6.i686
---> Package setools-libs.i686 0:3.3.7-4.el6 will be installed
---> Package setools-libs-python.i686 0:3.3.7-4.el6 will be installed
---> Package setroubleshoot-plugins.noarch 0:3.0.16-1.el6 will be installed
--> Running transaction check
---> Package libcgroup.i686 0:0.37-3.el6 will be installed
---> Package libsemanage-python.i686 0:2.0.43-4.1.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                    Arch       Version                 Repository  Size
================================================================================
Installing:
 setroubleshoot-server      i686       3.0.38-2.1.el6          server     1.3 M
Installing for dependencies:
 audit-libs-python          i686       2.1.3-3.el6             server      56 k
 libcgroup                  i686       0.37-3.el6              server     102 k
 libsemanage-python         i686       2.0.43-4.1.el6          server      80 k
 policycoreutils-python     i686       2.0.83-19.18.el6        server     335 k
 setools-libs               i686       3.3.7-4.el6             server     400 k
 setools-libs-python        i686       3.3.7-4.el6             server     210 k
 setroubleshoot-plugins     noarch     3.0.16-1.el6            server     371 k

Transaction Summary
================================================================================
Install       8 Package(s)

Total download size: 2.8 M
Installed size: 9.2 M
Is this ok [y/N]: y
Downloading Packages:
--------------------------------------------------------------------------------
Total                                            16 MB/s | 2.8 MB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : audit-libs-python-2.1.3-3.el6.i686                           1/8
  Installing : setools-libs-3.3.7-4.el6.i686                                2/8
  Installing : setools-libs-python-3.3.7-4.el6.i686                         3/8
  Installing : libcgroup-0.37-3.el6.i686                                    4/8
  Installing : libsemanage-python-2.0.43-4.1.el6.i686                       5/8
  Installing : policycoreutils-python-2.0.83-19.18.el6.i686                 6/8
  Installing : setroubleshoot-plugins-3.0.16-1.el6.noarch                   7/8
  Installing : setroubleshoot-server-3.0.38-2.1.el6.i686                    8/8
Installed products updated.

Installed:
  setroubleshoot-server.i686 0:3.0.38-2.1.el6

Dependency Installed:
  audit-libs-python.i686 0:2.1.3-3.el6
  libcgroup.i686 0:0.37-3.el6
  libsemanage-python.i686 0:2.0.43-4.1.el6
  policycoreutils-python.i686 0:2.0.83-19.18.el6
  setools-libs.i686 0:3.3.7-4.el6
  setools-libs-python.i686 0:3.3.7-4.el6
  setroubleshoot-plugins.noarch 0:3.0.16-1.el6

Complete!