SELinux

From Emigar.

Tutorial

https://debian-handbook.info/browse/it-IT/stable/sect.selinux.html

RHEL

Changing the context of files and filesystems

With local filesystems it works. Note that the fcontext rule below matches only /app itself: to cover everything created under it, register the regex form "/app(/.*)?" instead, and use restorecon -R -v if you want to see every file that gets relabelled (-p only prints progress):

[root@vm-amq-tst02 opt]# lvcreate -L 3G -n app rootvg
  Logical volume "app" created.
[root@vm-amq-tst02 opt]# mkdir /app
[root@vm-amq-tst02 opt]# mkfs -t xfs /dev/rootvg/app
meta-data=/dev/rootvg/app        isize=512    agcount=4, agsize=196608 blks
         =                       sectsz=4096  attr=2, projid32bit=1
         =                       crc=1        finobt=1, sparse=1, rmapbt=0
         =                       reflink=1    bigtime=1 inobtcount=1
data     =                       bsize=4096   blocks=786432, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0, ftype=1
log      =internal log           bsize=4096   blocks=2560, version=2
         =                       sectsz=4096  sunit=1 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
Discarding blocks...Done.
[root@vm-amq-tst02 opt]# mount /dev/rootvg/app /app
[root@vm-amq-tst02 opt]# ls -lartZ /app
total 0
dr-xr-xr-x. 20 root root system_u:object_r:root_t:s0      259 Nov 13 19:25 ..
drwxr-xr-x.  2 root root system_u:object_r:unlabeled_t:s0   6 Nov 13 19:25 .
[root@vm-amq-tst02 opt]# semanage fcontext -a -t usr_t /app
[root@vm-amq-tst02 opt]# restorecon -p -r /app
[root@vm-amq-tst02 opt]# ls -lartZ /app
total 0
dr-xr-xr-x. 20 root root system_u:object_r:root_t:s0 259 Nov 13 19:25 ..
drwxr-xr-x.  2 root root system_u:object_r:usr_t:s0    6 Nov 13 19:25 .
[root@vm-amq-tst02 opt]# 

With NFS it does not work:

[root@vm-amq-tst02 opt]# mount /mount/activemq
[root@vm-amq-tst02 opt]# ls -lartZ /mount/activemq
total 1
drwxrwxrwx. 2 root root system_u:object_r:nfs_t:s0         64 Nov  2 16:43 .
drwxr-xr-x. 3 root root unconfined_u:object_r:default_t:s0 22 Nov 13 18:52 ..
[root@vm-amq-tst02 opt]# 
[root@vm-amq-tst02 opt]# semanage fcontext -a -t usr_t /mount/activemq
[root@vm-amq-tst02 opt]# 
[root@vm-amq-tst02 opt]# restorecon -p -r /mount/activemq
[root@vm-amq-tst02 opt]# ls -lartZ /mount/activemq
total 1
drwxrwxrwx. 2 root root system_u:object_r:nfs_t:s0         64 Nov  2 16:43 .
drwxr-xr-x. 3 root root unconfined_u:object_r:default_t:s0 22 Nov 13 18:52 ..
[root@vm-amq-tst02 opt]# 

The reason is that an NFS mount carries no on-disk labels (unless the server exports labeled NFSv4.2): the whole mount gets the nfs_t type from the policy's genfscon rule, so fcontext rules and restorecon have nothing to act on. If a different type is needed, it has to be set at mount time with the context= mount option (e.g. -o context="system_u:object_r:usr_t:s0"). Otherwise, what confined domains may do with nfs_t files is governed by booleans:

[root@vm-amq-tst02 opt]# getsebool -a | grep nfs
cobbler_use_nfs --> off
colord_use_nfs --> off
conman_use_nfs --> off
ftpd_use_nfs --> off
git_cgi_use_nfs --> off
git_system_use_nfs --> off
httpd_use_nfs --> off
ksmtuned_use_nfs --> off
logrotate_use_nfs --> off
mpd_use_nfs --> off
nagios_use_nfs --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
nfsd_anon_write --> off
openshift_use_nfs --> off
polipo_use_nfs --> off
samba_share_nfs --> off
sanlock_use_nfs --> off
sge_use_nfs --> off
tmpreaper_use_nfs --> off
use_nfs_home_dirs --> off
virt_use_nfs --> off
xen_use_nfs --> off
[root@vm-amq-tst02 opt]# 
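The checks above are done by eye on ls -Z output. As an added example (not code from the original page), the script below does the same verification mechanically: it parses ls -lZ-style lines and lists entries whose type is not the expected one, and it wraps the semanage/restorecon procedure so that it refuses an NFS mount up front instead of silently doing nothing. The sample listing is constructed for the example; the relabel_dir wrapper needs root and a policy toolchain, so only the parsing functions run here.

```shell
#!/bin/sh
# Added example, not from the original page.
# Parse `ls -lZ` output and flag SELinux label drift; wrap the relabel
# procedure so it fails fast on NFS, where fcontext rules never apply.

# Extract the type from a context such as system_u:object_r:usr_t:s0
# (works with MCS levels like s0:c1,c2 too, since we cut on ':').
sel_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `ls -lZ` / `ls -laZ` lines on stdin and print "name current_type"
# for every entry whose type differs from $1. The "total N" line and the
# "." / ".." entries are skipped. Returns 0 only if nothing drifted.
# (The name is taken as the last whitespace-separated field, so names
# containing spaces are not handled.)
check_labels() {
    expected="$1"
    mismatches=0
    while read -r mode links owner group ctx rest; do
        case "$mode" in total|"") continue ;; esac
        name="${rest##* }"
        case "$name" in .|..) continue ;; esac
        t=$(sel_type "$ctx")
        if [ "$t" != "$expected" ]; then
            printf '%s %s\n' "$name" "$t"
            mismatches=$((mismatches + 1))
        fi
    done
    [ "$mismatches" -eq 0 ]
}

# Give a directory on a *local* filesystem a persistent type and verify it.
# Refuses NFS: its labels come from genfscon (nfs_t) or the mount context=
# option, not from the file_contexts database, so restorecon would do
# nothing, exactly as in the /mount/activemq transcript above.
relabel_dir() {
    dir="$1"; type="$2"
    fstype=$(stat -f -c %T "$dir")
    if [ "$fstype" = nfs ]; then
        echo "refusing: $dir is NFS; remount with -o context=... instead" >&2
        return 2
    fi
    # regex form so files created later under $dir inherit the rule
    semanage fcontext -a -t "$type" "${dir}(/.*)?" || return 1
    restorecon -R -v "$dir"
    ls -laZ "$dir" | check_labels "$type"
}

# Constructed sample (not real output): one correctly labelled file, one
# directory that never got a label, one NFS-labelled directory.
SAMPLE_LISTING='total 12
drwxr-xr-x.  2 root root system_u:object_r:usr_t:s0          6 Nov 13 19:25 .
dr-xr-xr-x. 20 root root system_u:object_r:root_t:s0       259 Nov 13 19:25 ..
-rw-r--r--.  1 root root system_u:object_r:usr_t:s0        512 Nov 13 19:30 app.jar
drwxr-xr-x.  2 root root system_u:object_r:unlabeled_t:s0    6 Nov 13 19:25 conf
drwxrwxrwx.  2 root root system_u:object_r:nfs_t:s0         64 Nov  2 16:43 data'

if printf '%s\n' "$SAMPLE_LISTING" | check_labels usr_t; then
    echo "all entries are usr_t"
else
    echo "label drift found (entries listed above)"
fi
```

On a real host replace the sample with `ls -laZ /app | check_labels usr_t` after a restorecon run; a non-zero exit status is what a config-management check or a monitoring job can key on.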


Misc

semanage fcontext --list          # all fcontext rules; add -C to show only the local customisations


grep nginx /etc/selinux/targeted/contexts/files/file_contexts   # rules the policy ships for nginx paths
ls -laZ /etc/nginx/html/          # compare with the labels actually on disk


https://www.cloudinsidr.com/content/tip-of-the-day-how-to-find-the-correct-selinux-security-contexts-and-adjust-selinux-labels-on-your-linux-system/
https://www.systutorials.com/docs/linux/man/8-systemd_selinux/

Ugly hack:

Easy but bad solution: make the init_t domain (systemd itself) permissive, so its denials are logged but no longer enforced. At least the whole system doesn't have to run in permissive mode... Check what was actually denied in the audit log first and prefer a targeted policy module or the systemd directive described below.
Enable:
# semanage permissive -a init_t
Disable:
# semanage permissive -d init_t

systemd

systemd can change the context a process runs in: the SELinuxContext= directive in a unit's [Service] section overrides the automatic domain transition. The policy still has to authorize that transition, and the directive is ignored when SELinux is disabled.
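As an added example (not from this page and not a unit shipped by any ActiveMQ project), a service unit that pins the domain of its process. The unit name, the ExecStart path and the activemq_t domain are assumptions: that type must be defined by a loaded policy module, and the policy must allow init_t to transition to it on exec of the binary, otherwise the service fails to start.

```ini
# /etc/systemd/system/activemq.service  (hypothetical unit, added example)
[Unit]
Description=ActiveMQ broker running in a fixed SELinux domain

[Service]
# path is an assumption for the example
ExecStart=/app/activemq/bin/activemq console
# Overrides the automatic domain transition. activemq_t is an assumed type:
# the policy must define it and allow init_t -> activemq_t on this exec.
SELinuxContext=system_u:system_r:activemq_t:s0
# Prefix with "-" if a failed context switch should be ignored rather than
# abort the start (the Exec line itself may still be denied later):
# SELinuxContext=-system_u:system_r:activemq_t:s0

[Install]
WantedBy=multi-user.target
```

After systemctl daemon-reload and a restart, ps -eZ shows whether the broker really runs as activemq_t; if the policy does not allow the transition the unit fails and the audit log carries an AVC naming init_t and the requested domain.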


https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-systemd_access_control