
Understanding SELinux and installing the semanage command on CentOS 7

The SELinux security subsystem

SELinux (Security-Enhanced Linux) is a mandatory access control (MAC) security subsystem developed by the U.S. National Security Agency with the help of the Linux open-source community. RHEL 7 uses SELinux so that every service process is constrained and can obtain only the resources it is supposed to obtain.

For example, suppose you download a photo-retouching application to your computer. While you are absorbed in touching up your photos, it quietly listens in the background for the passwords you type into your browser, which is clearly not something it should be doing. The SELinux security subsystem is designed to rule out exactly this kind of behaviour, and it polices violations from several directions: it restricts what a service process can do (SELinux domain confinement ensures a service cannot step outside its role), and it restricts access to file resources (the SELinux security context ensures a file can only be accessed by the service process it belongs to).

SELinux has three configuration modes:

  • enforcing: the security policy is enforced and illegal requests from services are blocked.
  • permissive: when a service oversteps its permissions, only a warning is issued; nothing is blocked.
  • disabled: overstepping is neither warned about nor blocked.

On my system the default is enforcing (see the service's main configuration file, /etc/selinux/config).

Edit the main configuration file, then reboot for the change to take effect:

```shell
vi /etc/selinux/config

# disable:  SELINUX=disabled
# enable:   SELINUX=enforcing
# (valid values for SELINUX are enforcing, permissive and disabled)

# reboot
reboot
# check the status
sestatus
```

To switch SELinux's current running mode to disabled, use setenforce [0|1] (0 disables enforcement, 1 enables it); this change is lost after the system reboots.

The running state of SELinux can be checked with the getenforce command.

```shell
# setenforce 0
# getenforce
Permissive
```

The job of the httpd service is to let users access website content, so SELinux naturally permits user requests to the website by default. But we changed the default storage directory for the site's data to /home/wwwroot, and that creates a problem: /home holds the home directories of ordinary users, and now the website served by httpd has to read data out of an ordinary user's home directory, which clearly violates SELinux's supervision principle.

Restore SELinux to enforcing mode, then check whether the original web data directory and the current web data directory carry different SELinux security context values:

```shell
# ls -Zd /var/www/html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/htm
# ls -Zd /home/safiri
drwx------. safiri safiri unconfined_u:object_r:user_home_dir_t:s0 /home/safiri
```

In the context, the user field system_u is the identity of a system process, the role field object_r is the role of a file or directory, and the type field httpd_sys_content_t marks the files as web service content.

In this situation, all we need to do is use the semanage command to change the SELinux security context of the current web directory, /home/wwwroot, to match that of the original web directory.

The semanage command

The semanage command manages SELinux policy; its format is "semanage [options] [file]". Commonly used options and their purpose: -l query, -a add, -m modify, -d delete.

Add a new SELinux security context rule for the new web data directory so that the directory and every file inside it can be accessed by the httpd service process:

After setting the rule, you still need to run the restorecon command for it to take effect immediately; the -Rv options make it operate recursively on the specified directory and display the SELinux security context changes as they happen. Finally, refresh the page again and the web content is displayed normally.
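The relabeling procedure above as an added example, not the post's own commands: it assumes the relocated web root is /home/wwwroot and that web content should carry httpd_sys_content_t, parses `ls -Zd` output like the lines shown earlier to decide whether relabeling is still needed, and applies the semanage fcontext / restorecon pair only when run as root on a host that has semanage installed.

```shell
#!/bin/sh
# Added example (not the post's own commands). Assumes the relocated web root
# is /home/wwwroot and that web content should carry httpd_sys_content_t.
WEBROOT="${WEBROOT:-/home/wwwroot}"
WANT_TYPE="httpd_sys_content_t"

# Pull the type field out of one line of `ls -Zd` output, e.g.
#   drwx------. safiri safiri unconfined_u:object_r:user_home_dir_t:s0 /home/safiri
# The context is the field shaped user:role:type:level, whichever column ls puts it in.
context_type() {
    printf '%s\n' "$1" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[^:]+:[^:]+:[^:]+:/) { print $i; exit } }' \
        | cut -d: -f3
}

# Pattern semanage fcontext needs so the rule covers the directory and everything below it.
fcontext_pattern() {
    printf '%s(/.*)?\n' "$1"
}

# True when the directory's current type differs from the wanted type.
#   $1 = one `ls -Zd` line, $2 = wanted type
needs_relabel() {
    [ "$(context_type "$1")" != "$2" ]
}

# Persist the rule (-a; use -m instead if a rule for the pattern already exists)
# and then apply it to the files already on disk, as the text above describes.
relabel_webroot() {
    semanage fcontext -a -t "$WANT_TYPE" "$(fcontext_pattern "$WEBROOT")" \
        && restorecon -Rv "$WEBROOT"
}

# Only act on a real system: root, semanage installed, directory present.
if [ "$(id -u)" -eq 0 ] && command -v semanage >/dev/null 2>&1 && [ -d "$WEBROOT" ]; then
    if needs_relabel "$(ls -Zd "$WEBROOT")" "$WANT_TYPE"; then
        relabel_webroot
    else
        echo "$WEBROOT is already labelled $WANT_TYPE"
    fi
fi
```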

Installing semanage

```shell
# yum provides semanage
... (output omitted) ...
# Filename : /usr/sbin/semanage
```

Once the command above has run successfully, run:

```shell
# yum -y install policycoreutils-python.x86_64
```

seinfo/sesearch may also be useful; they are installed with:

```shell
# yum install setools-console.x86_64
```

Errors encountered

```text
ValueError: 沒有管理 SELinux 策略或者無法訪問儲存。

ValueError: SELinux policy is not managed or store cannot be accessed.

Cannot set persistent booleans without managed policy.
```

It took a long time to find the fix for these errors:

blog.siphos.be/2014/10/mig…


In a few moments, SELinux users which have the ~arch KEYWORDS set (either globally or for the SELinux utilities in particular) will notice that the SELinux userspace will upgrade to version 2.4 (release candidate 5 for now). This upgrade comes with a manual step that needs to be performed after upgrade. The information is mentioned as post-installation message of the policycoreutils package, and basically says that you need to execute:

```shell
~# /usr/libexec/selinux/semanage_migrate_store
```

The reason is that the SELinux utilities expect the SELinux policy module store (and the semanage related files) to be in /var/lib/selinux and no longer in /etc/selinux. Note that this does not mean that the SELinux policy itself is moved outside of that location, nor is the basic configuration file (/etc/selinux/config). It is what tools such as semanage manage that is moved outside that location.

I tried to automate the migration as part of the packages themselves, but this would require the portage_t domain to be able to move, rebuild and load policies, which it can't (and to be honest, shouldn't). Instead of augmenting the policy or making updates to the migration script as delivered by the upstream project, we currently decided to have the migration done manually. It is a one-time migration anyway.

If for some reason end users forget to do the migration, then that does not mean that the system breaks or becomes unusable. SELinux still works, SELinux aware applications still work; the only thing that will fail are updates on the SELinux configuration through tools like semanage or setsebool - the latter when you want to persist boolean changes.

```shell
~# semanage fcontext -l
ValueError: SELinux policy is not managed or store cannot be accessed.

~# setsebool -P allow_ptrace on
Cannot set persistent booleans without managed policy.
```

If you get those errors or warnings, all that is left to do is to do the migration. Note in the following that there is a warning about 'else' blocks that are no longer supported: that's okay, as far as I know (and it was mentioned on the upstream mailinglist as well as not something to worry about) it does not have any impact.

```shell
~# /usr/libexec/selinux/semanage_migrate_store
Migrating from /etc/selinux/mcs/modules/active to /var/lib/selinux/mcs/active
Attempting to rebuild policy from /var/lib/selinux
sysnetwork: Warning: 'else' blocks in optional statements are unsupported in CIL. Dropping from output.
```

You can also add in -c so that the old policy module store is cleaned up. You can also rerun the command multiple times:

```shell
~# /usr/libexec/selinux/semanage_migrate_store -c
warning: Policy type mcs has already been migrated, but modules still exist in the old store. Skipping store.
Attempting to rebuild policy from /var/lib/selinux
```

You can manually clean up the old policy module store like so:

```shell
~# rm -rf /etc/selinux/mcs/modules
```

So... don't worry - the change is small and does not break stuff. And for those wondering about CIL I'll talk about it in one of my next posts.

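A read-only check for the store situation the quoted post describes, added here as an example and not taken from either post: it assumes the layout that post names (old store under <etc root>/<type>/modules/active, new store under <var root>/<type>/active) and reports which manual step, if any, is still pending; the roots are parameters so it can be exercised against constructed directories, and should be adjusted on a distribution that keeps the store elsewhere.

```shell
#!/bin/sh
# Added example (not from either post). Classifies the SELinux policy module
# store the way the migration messages above describe it. Assumes the layout
# in the quoted post: old store <etc>/<type>/modules/active, new store
# <var>/<type>/active. Nothing here modifies the system.

# Read SELINUXTYPE (e.g. mcs or targeted) from an /etc/selinux/config style file.
selinux_type() {
    sed -n 's/^SELINUXTYPE=[[:space:]]*//p' "$1" | tail -n 1
}

# Print one of: needs-migration, old-modules-remain, migrated, no-store.
#   $1 = etc root (/etc/selinux), $2 = var root (/var/lib/selinux), $3 = policy type
store_state() {
    old="$1/$3/modules/active"
    new="$2/$3/active"
    if [ -d "$new" ] && [ -d "$old" ]; then
        echo old-modules-remain      # the -c run or the rm -rf step is still pending
    elif [ -d "$new" ]; then
        echo migrated
    elif [ -d "$old" ]; then
        echo needs-migration         # semanage / setsebool -P will fail with the ValueError
    else
        echo no-store
    fi
}

# Map a state to the next manual step the quoted post prescribes (advice only).
next_step() {
    case "$1" in
        needs-migration)    echo "/usr/libexec/selinux/semanage_migrate_store" ;;
        old-modules-remain) echo "/usr/libexec/selinux/semanage_migrate_store -c" ;;
        migrated)           echo "nothing to do" ;;
        *)                  echo "no module store found under the assumed roots" ;;
    esac
}

# Live check when the config file is readable.
if [ -r /etc/selinux/config ]; then
    t=$(selinux_type /etc/selinux/config)
    next_step "$(store_state /etc/selinux /var/lib/selinux "${t:-targeted}")"
fi
```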