SELinux security concepts and initialization process
I Problems and solutions
SELinux has shipped as a security subsystem since Red Hat Enterprise Linux 4. It was introduced to address the following shortcomings of traditional Linux:
1 An all-powerful root user exists
2 Privilege escalation through SUID programs
3 The DAC (Discretionary Access Control) problem: the owner of a file or directory can do anything to it, and so can any process running as that owner
SELinux characteristics:
1 Thorough access control (MAC, Mandatory Access Control): every access to files, directories, ports and other resources is decided by the loaded policy, not by the owner of the resource.
2 Processes get only the minimum privilege they need
TE (Type Enforcement): every file is given a type label and every process a domain label; what a domain may do to each type is spelled out in the policy's access vector (allow) rules, and anything not explicitly allowed is denied.
3 Domain transitions prevent privilege escalation
domain_auto_trans(fu_t, azureus_exec_t, azureus_t): even when a process in the (more privileged) fu_t domain executes a file labeled azureus_exec_t, the new process is moved from fu_t into the azureus_t domain, so the program runs with azureus_t's permissions instead of inheriting the caller's.
4 Users get only the minimum privilege they need
RBAC (role-based access control): users are assigned roles, and which domains a role may enter is again fixed by policy.
SELinux checks run after the traditional DAC checks: a request must first pass the file's mode bits and then the SELinux policy.
II Concepts
1 Object: anything that can be accessed, such as files, directories, processes, devices and network sockets
2 Subject: the process that performs the access
3 Type
Every subject and object on the system is given a type; for example the web server is given the httpd_t type and files in a user's home directory the user_home_t type
4 Domain
The type of a process is called its domain; httpd, for example, is a process in the httpd_t domain
5 User
An SELinux user is an identity to which Linux accounts are mapped; system_u, for example, is the identity used by all of the system's service accounts
6 Role
A role groups users or objects; object_r, for example, is the role carried by system objects such as files and devices
7 Policy
There are three policies: targeted, strict and mls. targeted (the default) confines the common network services; strict confines everything and provides RBAC-style security; mls adds Multi-Level Security on top
8 Security context
A security context is the set of attributes attached to a process or object; every process and every object carries exactly one
III Initialization process
init → mount procfs → check whether the kernel provides the selinuxfs file system → read the SELINUX parameter in /etc/sysconfig/selinux to decide whether SELinux is enabled → start in permissive mode → switch to enforcing mode if so configured → mount selinuxfs on /selinux → load the policy /etc/selinux/TYPE/policy/policy.VERSION (TYPE is the SELINUXTYPE value, e.g. targeted) → set up contexts from the files under /etc/selinux/TYPE/contexts
Configuring SELinux
Environment:
Linux Samba server: hostname Linux-180, IP 172.16.40.180
First stop the system firewall so its rules do not get in the way of the tests!!
Turn off the iptables service on both the server and the client!!
#service iptables stop
Run on both the server and the client:
#setenforce 0
[root@Linux-180 network-scripts]# getenforce
Permissive
Check the current SELinux status. Note that the output below still shows enforcing: it reflects the state before the setenforce 0 above; afterwards Current mode reads permissive, while Mode from config file stays enforcing until /etc/selinux/config is edited.
[root@Linux-180 selinux]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
Changing the SELinux state
1 Via kernel boot parameters
(1) Give the parameter directly at the boot loader (Boot Loader) prompt (temporary, for this boot only)
boot: linux selinux=N
N=0 disables SELinux outright (no policy is loaded), N=1 enables it. For troubleshooting prefer enforcing=0, which boots with SELinux enabled but in permissive mode: files created while SELinux is disabled get no label, so after running with selinux=0 the file system has to be relabeled (touch /.autorelabel, then reboot) before enforcing mode can be trusted again.
(2) To apply the parameter on every boot, set it in /boot/grub/grub.conf
[root@Linux-180 selinux]# vi /boot/grub/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/sda2
# initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
password --md5 $1$bUVxc1$JsPRbn/dN6zp7BHibklfk.
title Red Hat Enterprise Linux (2.6.32-220.el6.i686)
root (hd0,0)
kernel /vmlinuz-2.6.32-220.el6.i686 ro root=UUID=43d5b380-a72a-4656-b868-7a7f56435b7a rd_NO_LUKS rd_NO_LVM.UTF-8 rd_NO_MD quiet SYSFONT=latarcyrheb-sun16 rhgb crashkernel=auto KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM selinux=0
initrd /initramfs-2.6.32-220.el6.i686.img
The selinux=0 at the end of the kernel line is what disables SELinux on every boot; remove it (or replace it with enforcing=0 for permissive mode) to get SELinux back.
2 Via the SELinux configuration file /etc/sysconfig/selinux (a symlink to /etc/selinux/config); takes effect only after the machine is rebooted. When going from disabled back to enforcing or permissive this way, touch /.autorelabel before rebooting so the file system is relabeled, which can take a long time on a large file system.
[root@Linux-180 sysconfig]# cd /etc/sysconfig
[root@Linux-180 sysconfig]# ls -l|grep selinux
lrwxrwxrwx. 1 root root 17 Mar 6 00:43 selinux -> ../selinux/config
[root@Linux-180 selinux]# pwd
/etc/selinux
[root@Linux-180 selinux]# ls -l
total 20
-rw-r--r--. 1 root root 458 Mar 6 00:43 config
-rw-r--r--. 1 root root 113 Nov 2 2011 restorecond.conf
-rw-r--r--. 1 root root 76 Nov 2 2011 restorecond_user.conf
-rw-r--r--. 1 root root 1766 Oct 21 2011 semanage.conf
drwxr-xr-x. 5 root root 4096 Apr 16 09:45 targeted
[root@Linux-180 selinux]# more ./config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
3 Changing the SELinux mode by hand
[root@Linux-180 selinux]# getenforce
Enforcing
[root@Linux-180 selinux]# setenforce 0
[root@Linux-180 selinux]# getenforce
Permissive
setenforce 0 (permissive) and setenforce 1 (enforcing) take effect immediately but only until the next reboot, and they only switch between enforcing and permissive: SELinux cannot be disabled with setenforce, that needs the config file or the kernel parameter. In permissive mode every denial is still logged as an AVC message in /var/log/audit/audit.log, which is what makes it the right mode for diagnosing a misbehaving service.
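As an added example (not code from the original article), the shell function below works out the mode a RHEL 6 host will come up in from the two inputs that decide it, /etc/selinux/config and the kernel command line, applying the precedence described in the three sections above: selinux=0 on the kernel line wins over everything, SELINUX=disabled in the file wins over an enforcing= argument, and enforcing=0/1 wins over SELINUX=enforcing|permissive. The inputs are passed in as strings and the sample values are constructed, so it runs on a box without SELinux; on a real host call it as effective_mode "$(cat /etc/selinux/config)" "$(cat /proc/cmdline)".

```shell
#!/bin/sh
# Added example, not from the original article: predict the boot-time SELinux
# mode from /etc/selinux/config plus the kernel command line.
# Precedence implemented here:
#   1. selinux=0 on the kernel line   -> disabled (kernel never enables SELinux)
#   2. SELINUX=disabled in the file   -> disabled (init turns it off at boot)
#   3. enforcing=0 / enforcing=1      -> permissive / enforcing (overrides the file)
#   4. SELINUX=enforcing|permissive   -> that mode
# A missing or unrecognised SELINUX= value is reported as "unknown", not guessed.

# effective_mode CONFIG_TEXT KERNEL_CMDLINE
# Prints one of: enforcing, permissive, disabled, unknown
effective_mode() {
    cfg_text=$1
    cmdline=$2

    # Last uncommented SELINUX= assignment wins; "#" lines are skipped.
    cfg_mode=$(printf '%s\n' "$cfg_text" |
        sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' |
        tail -n 1)

    kern_selinux=''     # value of selinux=N, if present
    kern_enforcing=''   # value of enforcing=N, if present (last one wins)
    for tok in $cmdline; do
        case $tok in
            selinux=*)   kern_selinux=${tok#selinux=} ;;
            enforcing=*) kern_enforcing=${tok#enforcing=} ;;
        esac
    done

    if [ "$kern_selinux" = 0 ]; then
        echo disabled
        return 0
    fi
    case $cfg_mode in
        disabled)             echo disabled; return 0 ;;
        enforcing|permissive) ;;
        *)                    echo unknown;  return 0 ;;
    esac
    case $kern_enforcing in
        0)  echo permissive ;;
        1)  echo enforcing ;;
        '') echo "$cfg_mode" ;;
        *)  echo unknown ;;
    esac
}

# Constructed sample inputs: the config file shown in this article plus a
# kernel line that overrides it with enforcing=0.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
SELINUX=enforcing
SELINUXTYPE=targeted'
SAMPLE_CMDLINE='ro root=UUID=0000-example rd_NO_LUKS quiet rhgb enforcing=0'

echo "config alone:      $(effective_mode "$SAMPLE_CONFIG" '')"                     # enforcing
echo "with enforcing=0:  $(effective_mode "$SAMPLE_CONFIG" "$SAMPLE_CMDLINE")"      # permissive
echo "with selinux=0:    $(effective_mode "$SAMPLE_CONFIG" 'ro quiet selinux=0')"   # disabled
```

The function deliberately reads the whole config text rather than grepping the first SELINUX= line, because a commented-out "# SELINUX=disabled" above the real setting is common in edited files and must not be picked up.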
Changing SELinux contexts
Security context
A security context is the set of attributes associated with a process or object; every object carries one, and SELinux compares the process's context with the object's to decide whether the access is allowed.
1 Format of a security context
USER:ROLE:TYPE[:LEVEL[:CATEGORY]]
Under the targeted policy the USER field plays no part in access decisions (every context still carries one, e.g. unconfined_u or system_u);
under the RBAC-based strict and mls policies the ROLE field matters: a role stands for the set of domains (TYPEs) its users may enter.
LEVEL and CATEGORY belong to MLS/MCS: LEVEL runs from s0 to s15, with s0 the lowest sensitivity, and CATEGORY from c0 to c1023. The mls policy uses both; the targeted policy on RHEL 6 uses MCS, so its contexts also end in a level field (s0), as in the ls -Z output below.
2 Viewing security contexts
#id -Z (context of the current shell)
#ls -Z /etc/passwd (context of a file)
#ps -Z (context of processes; ps -eZ for all of them)
3 Changing an object's security context
chcon [OPTION] CONTEXT FILES
chcon [OPTION] --reference=RFILE FILES
[OPTION] includes -u USER, -r ROLE, -t TYPE, -R (recurse), -f (quiet: suppress most error messages), -v (verbose)
To put an object's context back to the policy default: restorecon [OPTIONS] [FILES] (restorecon -Rv DIR recurses and prints each change)
For example:
#touch test.html
#ls -Z test.html
#chcon -t httpd_sys_content_t test.html
#ls -Z test.html
The type to give web content is httpd_sys_content_t, which the httpd_t domain is allowed to read; httpd_t itself is the domain of the httpd process, not a file type, so labeling a file httpd_t does not make it servable. A chcon change lives only in the file's extended attribute: the next restorecon or full relabel puts the policy default back. To make a new location permanent, register it first (for example semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?" for a hypothetical /srv/www) and then apply it with restorecon -Rv on that directory.
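As an added example for the context format and the chcon/restorecon section above (not code from the original article), the script below takes ls -Z output in the RHEL 6 column layout, splits each USER:ROLE:TYPE:LEVEL context into its fields, and reports files whose type is not one the web server domain may serve, together with the restorecon command that fixes each. The ls -Z lines and the allowed-type list are constructed, so it runs on a host without SELinux; on a real one feed it "$(ls -Z /var/www/html)". It assumes file names without spaces.

```shell
#!/bin/sh
# Added example, not from the original article: audit file labels.
# Input is `ls -Z` output in the RHEL 6 layout (mode user group context name).
# The TYPE field of each USER:ROLE:TYPE:LEVEL context is compared against the
# types the httpd_t domain is meant to serve. Sample lines are constructed.

# context_field CONTEXT N -> Nth colon-separated field of a context
# (1 = user, 2 = role, 3 = type, 4 = level)
context_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# find_mislabeled LS_Z_OUTPUT ALLOWED_TYPES
# ALLOWED_TYPES is space separated. Prints "name type" for every file whose
# type is not in the list; prints nothing when all files are labeled correctly.
# Assumes file names without spaces (field 5 is the name).
find_mislabeled() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        NF >= 5 {
            split($4, ctx, ":")          # $4 is USER:ROLE:TYPE:LEVEL
            if (!(ctx[3] in ok)) print $5, ctx[3]
        }'
}

# fix_commands LS_Z_OUTPUT ALLOWED_TYPES DIR
# Prints the restorecon line for each mislabeled file. This only restores the
# right type if DIR is a path the policy already knows (as /var/www/html is);
# for a new path register it with semanage fcontext first.
fix_commands() {
    find_mislabeled "$1" "$2" | awk -v dir="$3" '{ print "restorecon -v " dir "/" $1 }'
}

# Constructed sample: two files carry the wrong type, one copied in from a home
# directory (user_home_t) and one given the httpd process domain by a mistaken chcon.
SAMPLE_LS='-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 test.html
-rw-r--r--. root root unconfined_u:object_r:httpd_t:s0 wrong.html
-rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 hello.cgi'
WEB_TYPES='httpd_sys_content_t httpd_sys_rw_content_t httpd_sys_script_exec_t'

find_mislabeled "$SAMPLE_LS" "$WEB_TYPES"          # test.html user_home_t / wrong.html httpd_t
fix_commands "$SAMPLE_LS" "$WEB_TYPES" /var/www/html
```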
SELinux booleans
SELinux provides a set of switches (booleans) that turn individual pieces of policy behaviour on or off without writing any policy
#getsebool {-a | SEBOOLEAN}
[root@Linux-180 ~]# getsebool -a|grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
[root@Linux-180 ~]# setsebool -P ftp_home_dir on
The -P writes the new value into the policy store so it survives a reboot; without it the change is lost at the next boot. Each boolean that is turned on widens what a confined daemon may do (ftp_home_dir lets vsftpd read and write users' home directories), so treat every on value as something to justify.
[root@Linux-180 ~]# getsebool -a|grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
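As an added example (not code from the original article), the script below audits getsebool -a output for booleans that loosen a daemon's confinement and prints the setsebool -P command that turns each one back off. The getsebool lines and the watch list are constructed in the RHEL 6 "name --> on|off" format so the check runs on any host; on a real one call risky_on "$(getsebool -a)" "$WATCHLIST".

```shell
#!/bin/sh
# Added example, not from the original article: audit `getsebool -a` output
# for booleans that widen what a confined daemon may do (anonymous writes,
# unrestricted network access, ...). Sample lines below are constructed.

# on_booleans GETSEBOOL_OUTPUT -> names of every boolean that is currently on
on_booleans() {
    printf '%s\n' "$1" | awk '$2 == "-->" && $3 == "on" { print $1 }'
}

# risky_on GETSEBOOL_OUTPUT WATCHLIST
# WATCHLIST is space separated. For each watched boolean that is on, prints
# its name and the persistent setsebool -P command that turns it off.
risky_on() {
    printf '%s\n' "$1" | awk -v watch="$2" '
        BEGIN {
            n = split(watch, w, " ")
            for (i = 1; i <= n; i++) risky[w[i]] = 1
        }
        $2 == "-->" && $3 == "on" && ($1 in risky) {
            printf "%s  (fix: setsebool -P %s off)\n", $1, $1
        }'
}

# Constructed sample: ftp_home_dir is on as in the article, and two more
# permissive switches have been left on to give the audit something to find.
SAMPLE_GETSEBOOL='allow_ftpd_anon_write --> on
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
tftp_anon_write --> off
httpd_can_network_connect --> on'

# Booleans that let a network-facing daemon write anonymously, escape its own
# confinement, or reach arbitrary network destinations. This is a constructed
# watch list; extend it for the services actually running on the host.
WATCHLIST='allow_ftpd_anon_write allow_ftpd_full_access tftp_anon_write httpd_can_network_connect'

echo "booleans on: $(on_booleans "$SAMPLE_GETSEBOOL" | xargs)"
risky_on "$SAMPLE_GETSEBOOL" "$WATCHLIST"   # two lines: allow_ftpd_anon_write, httpd_can_network_connect
```

ftp_home_dir is deliberately not on the watch list: it is on in the article for a reason, and the point of a watch list is to separate booleans that were enabled on purpose from ones nobody can account for.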
Installing setroubleshoot-server, which turns the raw AVC denials in /var/log/audit/audit.log into readable explanations with suggested fixes (the sealert tool), from the RHEL 6.2 installation disc. The disc was auto-mounted under /media, so it is unmounted and remounted at /media/mycdrom, which the local yum repository named server in the output below presumably points at:
[root@Linux-180 ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 18G 2.4G 15G 14% /
tmpfs 376M 444K 375M 1% /dev/shm
/dev/sda1 291M 32M 245M 12% /boot
/dev/sr0 45M 45M 0 100% /media/CDROM_
/dev/sr1 2.9G 2.9G 0 100% /media/RHEL_6.2 i386 Disc 1
[root@Linux-180 ~]# umount /dev/sr1
[root@Linux-180 ~]# mount -t iso9660 /dev/sr1 /media/mycdrom
mount: block device /dev/sr1 is write-protected, mounting read-only
[root@Linux-180 ~]# yum list all|grep setroubleshoot-server
setroubleshoot-server.i686 3.0.38-2.1.el6 server
[root@Linux-180 ~]# yum install setroubleshoot-server
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
Updating certificate-based repositories.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package setroubleshoot-server.i686 0:3.0.38-2.1.el6 will be installed
--> Processing Dependency: setroubleshoot-plugins >= 3.0.0 for package: setroubleshoot-server-3.0.38-2.1.el6.i686
--> Processing Dependency: audit-libs-python >= 1.2.6-3 for package: setroubleshoot-server-3.0.38-2.1.el6.i686
--> Processing Dependency: setools-libs-python for package: setroubleshoot-server-3.0.38-2.1.el6.i686
--> Processing Dependency: policycoreutils-python for package: setroubleshoot-server-3.0.38-2.1.el6.i686
--> Processing Dependency: libqpol.so.1(VERS_1.2) for package: setroubleshoot-server-3.0.38-2.1.el6.i686
--> Processing Dependency: libqpol.so.1 for package: setroubleshoot-server-3.0.38-2.1.el6.i686
--> Processing Dependency: libapol.so.4(VERS_4.0) for package: setroubleshoot-server-3.0.38-2.1.el6.i686
--> Processing Dependency: libapol.so.4 for package: setroubleshoot-server-3.0.38-2.1.el6.i686
--> Running transaction check
---> Package audit-libs-python.i686 0:2.1.3-3.el6 will be installed
---> Package policycoreutils-python.i686 0:2.0.83-19.18.el6 will be installed
--> Processing Dependency: libsemanage-python >= 2.0.43-4 for package: policycoreutils-python-2.0.83-19.18.el6.i686
--> Processing Dependency: libcgroup for package: policycoreutils-python-2.0.83-19.18.el6.i686
---> Package setools-libs.i686 0:3.3.7-4.el6 will be installed
---> Package setools-libs-python.i686 0:3.3.7-4.el6 will be installed
---> Package setroubleshoot-plugins.noarch 0:3.0.16-1.el6 will be installed
--> Running transaction check
---> Package libcgroup.i686 0:0.37-3.el6 will be installed
---> Package libsemanage-python.i686 0:2.0.43-4.1.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
setroubleshoot-server i686 3.0.38-2.1.el6 server 1.3 M
Installing for dependencies:
audit-libs-python i686 2.1.3-3.el6 server 56 k
libcgroup i686 0.37-3.el6 server 102 k
libsemanage-python i686 2.0.43-4.1.el6 server 80 k
policycoreutils-python i686 2.0.83-19.18.el6 server 335 k
setools-libs i686 3.3.7-4.el6 server 400 k
setools-libs-python i686 3.3.7-4.el6 server 210 k
setroubleshoot-plugins noarch 3.0.16-1.el6 server 371 k
Transaction Summary
================================================================================
Install 8 Package(s)
Total download size: 2.8 M
Installed size: 9.2 M
Is this ok [y/N]: y
Downloading Packages:
--------------------------------------------------------------------------------
Total 16 MB/s | 2.8MB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : audit-libs-python-2.1.3-3.el6.i686 1/8
Installing : setools-libs-3.3.7-4.el6.i686 2/8
Installing : setools-libs-python-3.3.7-4.el6.i686 3/8
Installing : libcgroup-0.37-3.el6.i686 4/8
Installing : libsemanage-python-2.0.43-4.1.el6.i686 5/8
Installing : policycoreutils-python-2.0.83-19.18.el6.i686 6/8
Installing : setroubleshoot-plugins-3.0.16-1.el6.noarch 7/8
Installing : setroubleshoot-server-3.0.38-2.1.el6.i686 8/8
Installed products updated.
Installed:
setroubleshoot-server.i686 0:3.0.38-2.1.el6
Dependency Installed:
audit-libs-python.i686 0:2.1.3-3.el6
libcgroup.i686 0:0.37-3.el6
libsemanage-python.i686 0:2.0.43-4.1.el6
policycoreutils-python.i686 0:2.0.83-19.18.el6
setools-libs.i686 0:3.3.7-4.el6
setools-libs-python.i686 0:3.3.7-4.el6
setroubleshoot-plugins.noarch 0:3.0.16-1.el6
Complete!