Linux安全:SELinux 管理
SELinux 的管理主要包含其本身的配置管理,权限策略,用户、文件上下文管理等,以及相关故障排查。
状态管理
在开始之前,需要注意的是,有用 SELinux 是属于内核模块的,所以对其的多数配置变更都是需要重新才能生效的。
SELinux有三种状态:
* enforcing 强制模式,阻止违反规则的行为并记录到日志中
* permissive 宽容模式,不阻止违反规则的行为,仅记录到日志中
* disabled 关闭SELinux
查看工作模式
获取状态信息有多种方式,如下:
* 命令行工具 getenforce
# getenforce
Enforcing
- 查看虚文件系统状态
# cat /sys/fs/selinux/enforce
1
- 通过配置查看状态
# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
修改工作模式
- 命令行工具(临时修改)
# setenforce
usage: setenforce [ Enforcing | Permissive | 1 | 0 ]
- 修改配置(永久修改,需重启),修改配置文件/etc/selinux/config中的SELINUX,从原有disabled修改为enforcing,并且重新启动,
查看标签/上下文
- 当前登录用户的SELinux上下文,
id -Z
# id -Z
unconfined_u:unconfined_r:unconfined_t:s0
- 文件的SELinux上下文查看,
ls -Z
# ls -alZ /
dr-xr-xr-x. root root system_u:object_r:root_t:s0 .
dr-xr-xr-x. root root system_u:object_r:root_t:s0 ..
-rw-r--r--. root root unconfined_u:object_r:etc_runtime_t:s0 .autorelabel
lrwxrwxrwx. root root system_u:object_r:bin_t:s0 bin -> usr/bin
dr-xr-xr-x. root root system_u:object_r:boot_t:s0 boot
drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 data
drwxr-xr-x. root root system_u:object_r:device_t:s0 dev
drwxr-xr-x. root root system_u:object_r:etc_t:s0 etc
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 home
lrwxrwxrwx. root root system_u:object_r:lib_t:s0 lib -> usr/lib
lrwxrwxrwx. root root system_u:object_r:lib_t:s0 lib64 -> usr/lib64
drwx------. root root system_u:object_r:lost_found_t:s0 lost+found
drwxr-xr-x. root root system_u:object_r:mnt_t:s0 media
drwxr-xr-x. root root system_u:object_r:mnt_t:s0 mnt
drwxr-xr-x. root root system_u:object_r:usr_t:s0 opt
dr-xr-xr-x. root root system_u:object_r:proc_t:s0 proc
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 root
drwxr-xr-x. root root system_u:object_r:var_run_t:s0 run
lrwxrwxrwx. root root system_u:object_r:bin_t:s0 sbin -> usr/sbin
drwxr-xr-x. root root system_u:object_r:var_t:s0 srv
dr-xr-xr-x. root root system_u:object_r:sysfs_t:s0 sys
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 tmp
drwxr-xr-x. root root system_u:object_r:usr_t:s0 usr
drwxr-xr-x. root root system_u:object_r:var_t:s0 var
- 进程的SELinux上下文查看,
ps -Z
# ps -eZ|grep systemd
system_u:system_r:kernel_t:s0 1 ? 00:06:22 systemd
system_u:system_r:kernel_t:s0 378 ? 00:13:02 systemd-journal
system_u:system_r:kernel_t:s0 414 ? 00:00:00 systemd-udevd
system_u:system_r:kernel_t:s0 663 ? 00:01:22 systemd-logind
SELinux用户管理
在SELinux上下文中,第一部分的信息是SELinux用户,第二部分的信息是SELinux角色。
SELinux使用用户的目的是在上下文中拥有一个不变的信息(即用户无法更改自己的标识),以进行审核(谁做了什么)以及访问控制。
但是SELinux用户与Linux帐户不同,为此需要建立映射关系,这些映射将Linux用户映射到SELinux用户。
管理映射关系
# semanage login
usage: semanage login [-h] [-n] [-N] [-S STORE] [ --add -s SEUSER -r RANGE LOGIN | --delete LOGIN | --deleteall | --extract | --list -C | --modify -s SEUSER -r RANGE LOGIN ]
positional arguments:
login login_name | %groupname
optional arguments:
-h, --help show this help message and exit
-C, --locallist List login local customizations
-n, --noheading Do not print heading when listing login object types
-N, --noreload Do not reload policy after commit
-S STORE, --store STORE
Select an alternate SELinux Policy Store to manage
-r RANGE, --range RANGE
MLS/MCS Security Range (MLS/MCS Systems only) SELinux
Range for SELinux login mapping defaults to the
SELinux user record range.
-a, --add Add a record of the login object type
-d, --delete Delete a record of the login object type
-m, --modify Modify a record of the login object type
-l, --list List records of the login object type
-E, --extract Extract customizable commands, for use within a
transaction
-D, --deleteall Remove all login objects local customizations
-s SEUSER, --seuser SEUSER
SELinux user name
查看映射关系
# semanage login -l
创建新的映射
# semanage login -a -s staff_u tom
修改映射关系
# semanage login -m -s sysadm_u tom 如何修改默认的关系?
删除映射关系
# semanage login -d tom
管理SELinux用户
# semanage user
usage: semanage user [-h] [-n] [-N] [-S STORE] [ --add ( -L LEVEL -R ROLES -r RANGE -s SEUSER selinux_name) | --delete selinux_name | --deleteall | --extract | --list -C | --modify ( -L LEVEL -R ROLES -r RANGE -s SEUSER selinux_name ) ]
positional arguments:
selinux_name selinux_name
optional arguments:
-h, --help show this help message and exit
-C, --locallist List user local customizations
-n, --noheading Do not print heading when listing user object types
-N, --noreload Do not reload policy after commit
-S STORE, --store STORE
Select an alternate SELinux Policy Store to manage
-a, --add Add a record of the user object type
-d, --delete Delete a record of the user object type
-m, --modify Modify a record of the user object type
-l, --list List records of the user object type
-E, --extract Extract customizable commands, for use within a
transaction
-D, --deleteall Remove all user objects local customizations
-L LEVEL, --level LEVEL
Default SELinux Level for SELinux user. (MLS/MCS
Systems only)
-r RANGE, --range RANGE
MLS/MCS Security Range (MLS/MCS Systems only) SELinux
Range for SELinux login mapping defaults to the
SELinux user record range.
-R ROLES, --roles ROLES
SELinux Roles. You must enclose multiple roles within
quotes, separate by spaces. Or specify -R multiple
times.
查看用户
# semanage user -l
创建自定义用户
# semanage user -a -R staff_r swift_u
修改自定义用户
# semanage user -m -R "staff_r sysadm_r" swift_u
删除自定义用户
# semanage user -d swift_u
Selinux 布尔值管理
在Selinux策略中,有很多访问权限是通过允许被不允许来控制的,该控制字段就是SELinux布尔值。
SELinux布尔值是一个字符串(可赋予具体含义)来改变SELinux发挥作用。使用getsebool工具可以显示布尔值列表和当前值。
# getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
...
查看布尔值信息
并不是所有布尔值都命名都能让人轻易读懂。使用semanage boolean –l可以知道布尔值的相关描述。
# semanage boolean -l|grep httpd
httpd_can_network_relay (关 , 关) Allow httpd to can network relay
httpd_can_connect_mythtv (关 , 关) Allow httpd to can connect mythtv
httpd_can_network_connect_db (关 , 关) Allow httpd to can network connect db
httpd_use_gpg (关 , 关) Allow httpd to use gpg
httpd_dbus_sssd (关 , 关) Allow httpd to dbus sssd
...
修改布尔值状态
semanage boolean -h
usage: semanage boolean [-h] [-n] [-N] [-S STORE] [ --extract | --deleteall | --list -C | --modify ( --on | --off ) boolean ]
positional arguments:
boolean boolean
optional arguments:
-h, --help show this help message and exit
-C, --locallist List boolean local customizations
-n, --noheading Do not print heading when listing boolean object types
-N, --noreload Do not reload policy after commit
-S STORE, --store STORE
Select an alternate SELinux Policy Store to manage
-m, --modify Modify a record of the boolean object type
-l, --list List records of the boolean object type
-E, --extract Extract customizable commands, for use within a
transaction
-D, --deleteall Remove all boolean objects local customizations
-1, --on Enable the boolean
-0, --off Disable the boolean
改变SELinux布尔值也可以通过setsebool(增加需要设置的布尔值,on或者off)
# setsebool user_exec_content off
Selinux文件的上下文管理
上文已经提到,文件的上下文可用通过使用-Z的参数来查看,ls -Z,下面着重关注上下文的修改
通过chcon修改上下文
chcon --help
用法: chcon [选项]... 环境 文件...
或: chcon [选项]... [-u 用户] [-r 角色] [-l 范围] [-t 类型] 文件...
或: chcon [选项]... --reference=参考文件 文件...
Change the SELinux security context of each FILE to CONTEXT.
With --reference, change the security context of each FILE to that of RFILE.
Mandatory arguments to long options are mandatory for short options too.
--dereference affect the referent of each symbolic link (this is
the default), rather than the symbolic link itself
-h, --no-dereference affect symbolic links instead of any referenced file
-u, --user=USER set user USER in the target security context
-r, --role=ROLE set role ROLE in the target security context
-t, --type=TYPE set type TYPE in the target security context
-l, --range=RANGE set range RANGE in the target security context
--no-preserve-root do not treat '/' specially (the default)
--preserve-root fail to operate recursively on '/'
--reference=RFILE use RFILE's security context rather than specifying
a CONTEXT value
-R, --recursive operate on files and directories recursively
-v, --verbose output a diagnostic for every file processed
The following options modify how a hierarchy is traversed when the -R
option is also specified. If more than one is specified, only the final
one takes effect.
-H if a command line argument is a symbolic link
to a directory, traverse it
-L traverse every symbolic link to a directory
encountered
-P do not traverse any symbolic links (default)
--help 显示此帮助信息并退出
--version 显示版本信息并退出
GNU coreutils online help: <http: www.gnu.org="" software="" coreutils="">
请向<http: translationproject.org="" team="" zh_cn.html=""> 报告chcon 的翻译错误
要获取完整文档,请运行:info coreutils 'chcon invocation'
```</http:></http:>
```bash
# chcon -v -t system_cron_spool_t /etc/cron.d/checktime
changing security context of '/etc/cron.d/checktime'
# ls -Z /etc/cron.d/
system_u:object_r:system_cron_spool_t:s0 0hourly
unconfined_u:object_r:system_cron_spool_t:s0 checktime
通过restorecon恢复上下文
restorecon /etc/cron.d/checktime 如果使用-F选项,则可恢复所有字段
管理默认的上下文 semanage fcontext
# semanage fcontext -h
usage: semanage fcontext [-h] [-n] [-N] [-S STORE] [ --add ( -t TYPE -f FTYPE -r RANGE -s SEUSER | -e EQUAL ) FILE_SPEC ) | --delete ( -t TYPE -f FTYPE | -e EQUAL ) FILE_SPEC ) | --deleteall | --extract | --list -C | --modify ( -t TYPE -f FTYPE -r RANGE -s SEUSER | -e EQUAL ) FILE_SPEC ) ]
positional arguments:
file_spec file_spec
optional arguments:
-h, --help show this help message and exit
-C, --locallist List fcontext local customizations
-n, --noheading Do not print heading when listing fcontext object
types
-N, --noreload Do not reload policy after commit
-S STORE, --store STORE
Select an alternate SELinux Policy Store to manage
-a, --add Add a record of the fcontext object type
-d, --delete Delete a record of the fcontext object type
-m, --modify Modify a record of the fcontext object type
-l, --list List records of the fcontext object type
-E, --extract Extract customizable commands, for use within a
transaction
-D, --deleteall Remove all fcontext objects local customizations
-e EQUAL, --equal EQUAL
Substitute target path with sourcepath when generating
default label. This is used with fcontext. Requires
source and target path arguments. The context labeling
for the target subtree is made equivalent to that
defined for the source.
-f {a,f,d,c,b,s,l,p}, --ftype {a,f,d,c,b,s,l,p}
File Type. This is used with fcontext. Requires a file
type as shown in the mode field by ls, e.g. use 'd' to
match only directories or 'f' to match only regular
files. The following file type options can be passed:
f (regular file),d (directory),c (character device), b
(block device),s (socket),l (symbolic link), p (named
pipe). If you do not specify a file type, the file
type will default to "all files".
-s SEUSER, --seuser SEUSER
SELinux user name
-t TYPE, --type TYPE SELinux Type for the object
-r RANGE, --range RANGE
MLS/MCS Security Range (MLS/MCS Systems only) SELinux
Range for SELinux login mapping defaults to the
SELinux user record range.
# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
# restorecon -R -v /web
总结
相关配置文件
- /etc/selinux/config 工作模式管理
- /sys/fs/selinux/ Selinux所有配置所在的虚文件系统目录
- /var/log/message 审计日志文件
相关命令行工具
- getenforce 查看Selinux状态
- setenforce 设置Selinux状态
- semanage 接子命令,查看、管理所有Selinux相关配置
- getsebool 查看Selinux布尔值
- setsebool 设置Selinux布尔值
- restorecon 恢复文件上下文配置
- chcon 设置文件的Selinux上下文
其它相关工具
其它还有很多Selinux相关的实用工具,在此不一一介绍了,主要为以下几类程序集
* coreutils
* libselinux-utils
* policycoreutils
* policycoreutils-python-utils
具体包含的命令行工具可通过rpm命令来查看,如:
# rpm -ql libselinux-utils |grep bin
/usr/sbin/avcstat
/usr/sbin/getenforce
/usr/sbin/getsebool
/usr/sbin/matchpathcon
/usr/sbin/selabel_digest
/usr/sbin/selabel_lookup
/usr/sbin/selabel_lookup_best_match
/usr/sbin/selabel_partial_match
/usr/sbin/selinux_restorecon
/usr/sbin/selinuxconlist
/usr/sbin/selinuxdefcon
/usr/sbin/selinuxenabled
/usr/sbin/selinuxexeccon
/usr/sbin/setenforce