Should we use SELinux at all?


First, I should apologize for the title I chose: there is no shortage of introductions to SELinux, yet how many people have actually come to understand it first-hand?

In late 2000 (the first public release came on 22 December 2000) the US National Security Agency released to the open-source community a security-enhanced version of Linux (Security-Enhanced Linux, SELinux), including all of the code. Today it is no exaggeration to say that it has become a nagging worry for Linux server administrators: turn it on, or turn it off? Turning it on means dealing with its complexity and the lack of effective configuration tools (only in the last few years have some gradually started to appear). Leaving it off means never quite feeling at ease, because a bare Linux box without it sits a full security tier lower.

When someone phones me asking "Why can't other machines reach my freshly installed Linux box? Why doesn't FTP work? Why can't the application under the home directory be accessed?", my first question is "Is SELinux turned on?". I suspect that is the first question many administrators ask too. Personally, though, I am rather fond of it, and many of my servers have run with it enabled all along. So my advice here: do not switch it off completely; at the very least leave it in Permissive mode, which only logs the operations that policy would have denied and does not block them!

As for how it works, I think the most comprehensive treatment is here: 揭开 SE Linux 的秘密 ("Unveiling the secrets of SELinux"); pay particular attention to its reference list. Only once you have read your way into that material do you know the real Linux. I will not reproduce it here.

Take Red Hat as an example. RHEL4 served as the proving ground, with a targeted policy confining 15 daemon domains that applications could reach. In RHEL5 the number of confined target domains reached 200. In the words of Red Hat's Dan Walsh: "The goal of RHEL5 is for SELinux to be enabled everywhere." Hence RHEL5 introduced the SELinux Troubleshooter, also known as setroubleshoot, a tool that monitors the audit log for Access Vector Cache (AVC) messages.


An introduction to SELinux's three modes, and putting the Troubleshooter to clever use:

Enforcing
  This should be the default mode.
  The kernel blocks every access unless it is explicitly allowed by policy. All denied accesses are reported in the logging system as AVC (Access Vector Cache) messages, unless the policy writers have explicitly told the kernel to dontaudit that message.
Permissive
  The kernel reports access violations in the form of AVC messages but allows the access anyway.
  The kernel also continues to create properly labeled files.
  There are a couple of major differences in the way the kernel reports these AVC messages:
      In permissive mode the kernel reports only the first access violation for a confined domain on a particular object, whereas in enforcing mode it reports each and every denied access.
      You can get many additional AVC messages that would never have shown up in enforcing mode. For example, suppose a confined domain is not allowed to read a directory or any of the files in it. In enforcing mode the directory access is denied and a single AVC message is generated. In permissive mode the directory access generates an AVC, and then each file read generates another one.
  When reporting AVC messages we would prefer that you report them from enforcing mode, but sometimes permissive mode is necessary to collect all of the AVC messages. You can boot the kernel in permissive mode with the enforcing=0 kernel parameter.
  You can use setenforce 0 to switch to permissive mode at run time and setenforce 1 to switch back to enforcing mode; getenforce shows the current mode.
Disabled
  Turns off SELinux enforcement entirely and also stops the creation of proper labels on files.
  You should only disable SELinux if you do not intend to use it. Use permissive mode when diagnosing a problem.
  If you want to disable SELinux, edit /etc/selinux/config and change the SELINUX= line to disabled. You will then need to reboot the machine, since SELinux runs inside the kernel.
  If you later wish to re-enable SELinux you will need to relabel the entire file system (for example by running touch /.autorelabel and rebooting, or fixfiles relabel), because files created while it was disabled carry no labels.

Managing File Context
cp vs. mv
  The cp command creates the new file with either the context of the destination file, if it already exists, or the context derived from the destination directory (cp --preserve=context keeps the source context instead).
  The mv command attempts to maintain the security context of the file being moved.
  This can lead to file context problems. For example, under targeted policy, suppose you cp /etc/resolv.conf /tmp, edit /tmp/resolv.conf, and then move it back with mv /tmp/resolv.conf /etc. The file ends up with the tmp_t type instead of net_conf_t, many domains can no longer read resolv.conf, and things start failing. You can easily clean this up with restorecon /etc/resolv.conf (or restorecon -Rv /etc to fix a whole tree and see what changed).
AVC Messages
  Sometimes the audit log information is tough to read and understand; a lot of the time I run audit2allow on it to clear up the output. Keep in mind that audit2allow will happily propose an allow rule for a denial whose real fix is a relabel, so read the suggested rule before loading it.
Audit Daemon
  In Fedora Core 5/Rawhide the audit system has moved some of the AVC messages to /var/log/audit/audit.log. Some AVC messages continue to show up in /var/log/messages, though; usually this happens when the audit daemon (auditd) is not running.
  You can use the ausearch -m avc command to display the AVC messages from the audit log. There are other useful options such as -x to specify the executable and -ts to specify a start time, so that only messages after that time are shown.
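To make the AVC record format and the audit2allow aggregation concrete, here is an added example (not code from the original post, nor from the audit2allow or ausearch tools themselves) that parses a few constructed audit.log lines, filters them the way ausearch -x and -ts would, and folds the denials into audit2allow-style allow rules, one per source type, target type and object class. The sample log lines, the domain names in them and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log content (not a real capture).
# The third line is a SYSCALL record and must be ignored; the last line carries
# the permissive=1 field that newer kernels append to AVC records.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1226270358.848:238): avc:  denied  { read } for  pid=2817 comm="httpd" name="index.html" dev=dm-0 ino=262354 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1226270358.849:239): avc:  denied  { getattr } for  pid=2817 comm="httpd" path="/home/bob/www/index.html" dev=dm-0 ino=262354 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1226270358.849:239): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1226270401.120:240): avc:  denied  { read } for  pid=3105 comm="named" name="resolv.conf" dev=dm-0 ino=131121 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
"""

# Head of an AVC record: timestamp, serial, result, permission set, then key=value pairs.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
# key=value pairs; a value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # A context is user:role:type[:range]; policy rules are written against the type.
    return {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "comm": fields.get("comm"),
        "target": fields.get("path") or fields.get("name"),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def parse_audit_log(text):
    """Parse every AVC record in an audit log, skipping SYSCALL and other record types."""
    return [ev for ev in (parse_avc(line) for line in text.splitlines()) if ev]


def search(events, comm=None, since=None):
    """Filter like `ausearch -m avc -x COMM -ts TIME`: by process name and start time."""
    return [ev for ev in events
            if (comm is None or ev["comm"] == comm)
            and (since is None or ev["ts"] >= since)]


def allow_rules(events):
    """Fold denials into audit2allow-style rules, one per (source type, target type, class)."""
    wanted = defaultdict(set)
    for ev in events:
        if ev["result"] == "denied":
            wanted[(ev["source_type"], ev["target_type"], ev["tclass"])].update(ev["perms"])
    # audit2allow drops the braces for a single permission; they are kept here for uniformity.
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(wanted.items())]


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    for ev in search(events, comm="httpd"):
        print(ev["serial"], ev["result"], ev["perms"], ev["source_type"], "->",
              ev["target_type"], ev["tclass"], ev["target"])
    print("\n".join(allow_rules(events)))
```

Both rules the sample produces are cases where loading the module would be the wrong fix: httpd reading user_home_t and named reading a tmp_t resolv.conf are labeling problems, and the right answer is restorecon (or a proper fcontext entry), not a policy exception. That is the judgment audit2allow cannot make for you.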

AVC Messages are missing

SELinux has some denials that it will not audit: policy contains dontaudit rules. Usually these are expected denials that just cause the application to take a different code path, but sometimes a dontaudit rule covers up a real failure. Prior to reference policy you had to install selinux-policy-targeted-sources and then run make -C /etc/selinux/targeted/src/policy enableaudit reload; when you were done collecting audit messages you ran make -C /etc/selinux/targeted/src/policy reload. With reference policy you instead replace the base policy package with the enableaudit policy package: semodule -b /usr/share/selinux/targeted/enableaudit.pp. When you have completed your checking, switch back with semodule -b /usr/share/selinux/targeted/base.pp. (On current policy versions the same thing is done with semodule -DB, which rebuilds the policy without its dontaudit rules, and semodule -B to restore them.)

For example, the "Forbidden / You don't have permission to access / on this server." error that Apache gives when serving content from under a home directory can be fixed with the following command:

chcon -R -h -t httpd_sys_content_t /home/path/to/your/dir

Note that chcon only changes the labels on disk; the next relabel (restorecon, fixfiles, or an autorelabel after re-enabling SELinux) puts the policy's default context back. To make the change stick, register the path with semanage fcontext and then run restorecon -R on it.
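Why the mv example above ends up with tmp_t, why restorecon knows to put net_conf_t back, and why the chcon fix is only temporary all come down to the file_contexts database that restorecon and matchpathcon consult. The following is an added example (not code from the original post, nor libselinux's own matchpathcon) that implements the documented lookup rule over a small, constructed excerpt in the file_contexts format: the entry with the longest literal prefix before any regex metacharacter wins, and among equal prefixes the later entry wins. The specs, paths and function names are constructed for illustration, and the ordering rule is a simplified model of libselinux's sorting rather than a port of it.

```python
import re

# Characters that end the literal "stem" of a file_contexts regex.
META = set(".^$?*+|[](){}\\")

# File-type codes used in the optional second column of file_contexts.
FTYPE = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
         "-b": "blk", "-s": "sock", "-p": "fifo"}

# Constructed, abbreviated excerpt in the format of
# /etc/selinux/targeted/contexts/files/file_contexts (not the real file).
FILE_CONTEXTS = """\
/.*                      system_u:object_r:default_t:s0
/etc(/.*)?               system_u:object_r:etc_t:s0
/etc/resolv\\.conf   --   system_u:object_r:net_conf_t:s0
/tmp(/.*)?               system_u:object_r:tmp_t:s0
/home               -d   system_u:object_r:home_root_t:s0
/home/[^/]+(/.*)?        system_u:object_r:user_home_t:s0
/var/www(/.*)?           system_u:object_r:httpd_sys_content_t:s0
"""

# What `semanage fcontext -a -t httpd_sys_content_t "/home/[^/]+/www(/.*)?"` would
# add to file_contexts.local; local entries are consulted after the base ones.
FILE_CONTEXTS_LOCAL = """\
/home/[^/]+/www(/.*)?    system_u:object_r:httpd_sys_content_t:s0
"""


def parse_file_contexts(text):
    """Parse file_contexts lines into (compiled regex, file type or None, context, stem length)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, ctx = parts
        elif len(parts) == 2:
            (regex, ctx), ftype = parts, None
        else:
            raise ValueError(f"bad file_contexts line: {line!r}")
        # Stem = literal prefix before the first regex metacharacter.
        stem_len = next((i for i, ch in enumerate(regex) if ch in META), len(regex))
        specs.append((re.compile(regex), FTYPE[ftype] if ftype else None, ctx, stem_len))
    return specs


def matchpathcon(specs, path, ftype="file"):
    """Default context for path: longest stem wins, later entry wins ties; None for <<none>>."""
    best = None
    for idx, (rx, want, ctx, stem_len) in enumerate(specs):
        if want is not None and want != ftype:
            continue
        if not rx.fullmatch(path):
            continue
        key = (stem_len, idx)
        if best is None or key > best[0]:
            best = (key, ctx)
    if best is None or best[1] == "<<none>>":
        return None
    return best[1]


def restorecon_plan(specs, path, current_ctx, ftype="file"):
    """Mimic restorecon's decision: compare only the type field (restorecon leaves the
    user field alone unless -F is given) and return the context it would set, or None."""
    expected = matchpathcon(specs, path, ftype)
    if expected is None:
        return None
    if current_ctx.split(":")[2] == expected.split(":")[2]:
        return None
    # Keep the current user component, swap in the expected role, type and range.
    user = current_ctx.split(":")[0]
    return ":".join([user] + expected.split(":")[1:])


if __name__ == "__main__":
    base = parse_file_contexts(FILE_CONTEXTS)
    full = parse_file_contexts(FILE_CONTEXTS + FILE_CONTEXTS_LOCAL)
    print("/etc/resolv.conf ->", matchpathcon(base, "/etc/resolv.conf"))
    print("/tmp/resolv.conf ->", matchpathcon(base, "/tmp/resolv.conf"))
    print("moved back, restorecon sets:",
          restorecon_plan(base, "/etc/resolv.conf", "unconfined_u:object_r:tmp_t:s0"))
    print("after chcon, restorecon would revert to:",
          restorecon_plan(base, "/home/bob/www/index.html",
                          "unconfined_u:object_r:httpd_sys_content_t:s0"))
    print("with local fcontext entry:", matchpathcon(full, "/home/bob/www/index.html"))
```

Run against the base excerpt alone, /home/bob/www/index.html resolves to user_home_t, which is exactly why a relabel undoes chcon; once the local entry is present the same lookup yields httpd_sys_content_t and restorecon agrees with the label you want.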

Having read this far, you should have your own sense of whether to use it. I like to call SELinux the kernel's underwear: the last independent line of defence. So please do not let your Linux run naked!