SELinux: difference between versions
Current version as of 21:31, 13 Nov 2022
Tutorial
https://debian-handbook.info/browse/it-IT/stable/sect.selinux.html
RHEL
Changing the context of files and filesystems
With local filesystems it works:
[root@vm-amq-tst02 opt]# lvcreate -L 3G -n app rootvg
Logical volume "app" created.
[root@vm-amq-tst02 opt]# mkdir /app
[root@vm-amq-tst02 opt]# mkfs -t xfs /dev/rootvg/app
meta-data=/dev/rootvg/app isize=512 agcount=4, agsize=196608 blks
= sectsz=4096 attr=2, projid32bit=1
= crc=1 finobt=1, sparse=1, rmapbt=0
= reflink=1 bigtime=1 inobtcount=1
data = bsize=4096 blocks=786432, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0, ftype=1
log =internal log bsize=4096 blocks=2560, version=2
= sectsz=4096 sunit=1 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
Discarding blocks...Done.
[root@vm-amq-tst02 opt]# mount /dev/rootvg/app /app
[root@vm-amq-tst02 opt]# ls -lartZ /app
total 0
dr-xr-xr-x. 20 root root system_u:object_r:root_t:s0 259 Nov 13 19:25 ..
drwxr-xr-x. 2 root root system_u:object_r:unlabeled_t:s0 6 Nov 13 19:25 .
[root@vm-amq-tst02 opt]# semanage fcontext -a -t usr_t /app
[root@vm-amq-tst02 opt]# restorecon -p -r /app
[root@vm-amq-tst02 opt]# ls -lartZ /app
total 0
dr-xr-xr-x. 20 root root system_u:object_r:root_t:s0 259 Nov 13 19:25 ..
drwxr-xr-x. 2 root root system_u:object_r:usr_t:s0 6 Nov 13 19:25 .
[root@vm-amq-tst02 opt]#
With NFS it does not work:
[root@vm-amq-tst02 opt]# mount /mount/activemq
[root@vm-amq-tst02 opt]# ls -lartZ /mount/activemq
total 1
drwxrwxrwx. 2 root root system_u:object_r:nfs_t:s0 64 Nov 2 16:43 .
drwxr-xr-x. 3 root root unconfined_u:object_r:default_t:s0 22 Nov 13 18:52 ..
[root@vm-amq-tst02 opt]#
[root@vm-amq-tst02 opt]# semanage fcontext -a -t usr_t /mount/activemq
[root@vm-amq-tst02 opt]#
[root@vm-amq-tst02 opt]# restorecon -p -r /mount/activemq
[root@vm-amq-tst02 opt]# ls -lartZ /mount/activemq
total 1
drwxrwxrwx. 2 root root system_u:object_r:nfs_t:s0 64 Nov 2 16:43 .
drwxr-xr-x. 3 root root unconfined_u:object_r:default_t:s0 22 Nov 13 18:52 ..
[root@vm-amq-tst02 opt]#
NFS is governed by booleans:
[root@vm-amq-tst02 opt]# getsebool -a | grep nfs
cobbler_use_nfs --> off
colord_use_nfs --> off
conman_use_nfs --> off
ftpd_use_nfs --> off
git_cgi_use_nfs --> off
git_system_use_nfs --> off
httpd_use_nfs --> off
ksmtuned_use_nfs --> off
logrotate_use_nfs --> off
mpd_use_nfs --> off
nagios_use_nfs --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
nfsd_anon_write --> off
openshift_use_nfs --> off
polipo_use_nfs --> off
samba_share_nfs --> off
sanlock_use_nfs --> off
sge_use_nfs --> off
tmpreaper_use_nfs --> off
use_nfs_home_dirs --> off
virt_use_nfs --> off
xen_use_nfs --> off
[root@vm-amq-tst02 opt]#
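As an added example that is not part of the original page, a small shell helper that tells the two cases above apart: it looks up the filesystem type under a path, dry-runs restorecon where per-file fcontext rules apply, and otherwise prints the context= mount option that labels an NFS mount as a whole (the alternative to semanage fcontext, which the session above shows has no effect on nfs_t). The function names, the list of filesystem types and the choice of usr_t are assumptions.

```shell
#!/bin/sh
# Hypothetical helper (added example, not from the page).
# Filesystems in the first list store a label per file in xattrs, so
# semanage fcontext + restorecon relabel them. Anything else is treated as
# a single-label mount (NFS gets nfs_t for the whole mount by default),
# where restorecon cannot change anything. The lists are an assumption.
fs_supports_relabel() {
    case "$1" in
        xfs|ext2|ext3|ext4|btrfs|jfs|gfs2) return 0 ;;
        *) return 1 ;;
    esac
}

# Mount option that gives an NFS mount a chosen type for all its files.
nfs_context_option() {
    printf 'context=system_u:object_r:%s:s0' "$1"
}

# Inspect a real path: findmnt(8) reports the fstype of the mount holding
# it; restorecon -n only reports what would change (no relabeling).
check_path() {
    path=$1
    fstype=$(findmnt -no FSTYPE --target "$path") || return 1
    if fs_supports_relabel "$fstype"; then
        echo "$path is on $fstype: fcontext rules apply, dry run follows"
        restorecon -nvr "$path"
    else
        echo "$path is on $fstype: labels are per mount, not per file"
        echo "remount with -o $(nfs_context_option usr_t) or use a boolean"
        echo "current label: $(ls -dZ "$path")"
    fi
}

# Usage: ./selinux-fs-check.sh /mount/activemq
if [ $# -gt 0 ]; then
    check_path "$1"
fi
```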
Miscellaneous
semanage fcontext --list
grep nginx /etc/selinux/targeted/contexts/files/file_contexts
ls -laZ /etc/nginx/html/
https://www.cloudinsidr.com/content/tip-of-the-day-how-to-find-the-correct-selinux-security-contexts-and-adjust-selinux-labels-on-your-linux-system/
https://www.systutorials.com/docs/linux/man/8-systemd_selinux/
Dirty hack:
Easy but bad solution: allow the init_t domain to run in permissive mode. At least you don't have to run the whole system in permissive mode...
Enable: # semanage permissive -a init_t
Disable: # semanage permissive -d init_t
systemd
Systemd allows changing the SELinux context in which a process runs.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-systemd_access_control