20160803 SELinux
SELinux (Security-Enhanced Linux)
1. Access Control
The technical means by which an identified and authenticated user is allowed access to internal system information, and only within the scope that has been authorized, is called access control.
(1) Types of access control
Discretionary Access Control (DAC)
  - Identity-based access control
  - User-directed access control
  - Hybrid access control
Mandatory Access Control (MAC)
  - Rule-based access control
  - Administratively-directed access control
Non-discretionary Access Control (NDAC)
  - Role-based access control (RBAC)
  - Task-based access control
  - Lattice-based access control
(2) Representative examples of each type of access control
Representative example of discretionary access control: Unix file permissions, set by the file's owner
# ls -l file1.txt
-rw-r--r-- 1 user01 user01 453 <time> file1
Representative example of mandatory access control: security labels compared by the system
(subject's clearance level)   (object's sensitivity label)
Top Secret                    Top Secret
Secret                        Secret
Confidential                  Confidential
SBU
Unclassified
Representative example of non-discretionary access control: RBAC
■ RBAC
User <--> Role <-----> Permission <--> Information
-------------------------------------
■ Procedure for opening a web service before SELinux
(a) Install the web service program
(b) Configure the web service
(c) Start the web service
(d) Open the service in the firewall
■ Procedure for opening a web service on a SELinux system
(a) Install the web service program
(b) Configure the web service
(c) Start the web service
(d) Open the service in the firewall
(e) Configure SELinux
-------------------------------------
[Lab] Switching the SELinux mode
■ System used
- CentOS 6.X (ids.example.com)
① Check the current SELinux mode
[Note] If "Current mode" in the sestatus output is not enforcing because SELinux is disabled, setenforce cannot change it: setenforce only toggles between enforcing and permissive, so set SELINUX=enforcing in /etc/sysconfig/selinux and reboot.
# sestatus
SELinux status:                 disabled
# setenforce 1
SELinux status:                 disabled
# setenforce 0
SELinux status:                 disabled
# vi /etc/sysconfig/selinux
SELINUX=enforcing
# reboot

| enforcing/permissive | disabled |
|<--- setenforce ----> |
|<---------------- reboot ------->|

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing     /* configuration in memory */
Mode from config file:          enforcing     /* configuration in /etc/sysconfig/selinux */
Policy version:                 24
Policy from config file:        targeted
# getenforce
Enforcing
② Switching from enforcing to permissive mode
# setenforce
usage:  setenforce [ Enforcing | Permissive | 1 | 0 ]
# setenforce 0          (# setenforce Permissive)
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
# getenforce
Permissive
③ Switching from permissive to enforcing mode
# setenforce 1          (# setenforce Enforcing)
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
# getenforce
Enforcing
[Lab] Installing the SELinux-related packages
# yum -y install policycoreutils \
selinux-policy \
selinux-policy-targeted \
libselinux \
libselinux-utils \
libselinux-python
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: ftp.daum.net
 * extras: ftp.daum.net
 * updates: ftp.daum.net
base                                                     | 3.7 kB     00:00
extras                                                   | 3.3 kB     00:00
updates                                                  | 3.4 kB     00:00
updates/primary_db                                       | 5.4 MB     00:01
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package libselinux.x86_64 0:2.0.94-5.3.el6 will be updated
---> Package libselinux.x86_64 0:2.0.94-5.3.el6_4.1 will be an update
---> Package libselinux-python.x86_64 0:2.0.94-5.3.el6 will be updated
---> Package libselinux-python.x86_64 0:2.0.94-5.3.el6_4.1 will be an update
---> Package libselinux-utils.x86_64 0:2.0.94-5.3.el6 will be updated
---> Package libselinux-utils.x86_64 0:2.0.94-5.3.el6_4.1 will be an update
---> Package policycoreutils.x86_64 0:2.0.83-19.30.el6 will be updated
---> Package policycoreutils.x86_64 0:2.0.83-19.39.el6 will be an update
---> Package selinux-policy.noarch 0:3.7.19-195.el6 will be updated
---> Package selinux-policy.noarch 0:3.7.19-231.el6_5.3 will be an update
---> Package selinux-policy-targeted.noarch 0:3.7.19-195.el6 will be updated
---> Package selinux-policy-targeted.noarch 0:3.7.19-231.el6_5.3 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                  Arch     Version                 Repository    Size
================================================================================
Updating:
 libselinux               x86_64   2.0.94-5.3.el6_4.1      base         108 k
 libselinux-python        x86_64   2.0.94-5.3.el6_4.1      base         202 k
 libselinux-utils         x86_64   2.0.94-5.3.el6_4.1      base          81 k
 policycoreutils          x86_64   2.0.83-19.39.el6        base         648 k
 selinux-policy           noarch   3.7.19-231.el6_5.3      updates      825 k
 selinux-policy-targeted  noarch   3.7.19-231.el6_5.3      updates      2.8 M

Transaction Summary
================================================================================
Upgrade       6 Package(s)

Total download size: 4.6 M
Downloading Packages:
(1/6): libselinux-2.0.94-5.3.el6_4.1.x86_64.rpm                  | 108 kB 00:00
(2/6): libselinux-python-2.0.94-5.3.el6_4.1.x86_64.rpm           | 202 kB 00:00
(3/6): libselinux-utils-2.0.94-5.3.el6_4.1.x86_64.rpm            |  81 kB 00:00
(4/6): policycoreutils-2.0.83-19.39.el6.x86_64.rpm               | 648 kB 00:00
(5/6): selinux-policy-3.7.19-231.el6_5.3.noarch.rpm              | 825 kB 00:00
(6/6): selinux-policy-targeted-3.7.19-231.el6_5.3.noarch.rpm     | 2.8 MB 00:01
--------------------------------------------------------------------------------
Total                                                   1.9 MB/s | 4.6 MB 00:02
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Importing GPG key 0xC105B9DE:
 Userid : CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key@centos.org>
 Package: centos-release-6-4.el6.centos.10.x86_64 (@anaconda-CentOS-201303020151.x86_64/6.4)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : libselinux-2.0.94-5.3.el6_4.1.x86_64                        1/12
  Updating   : libselinux-utils-2.0.94-5.3.el6_4.1.x86_64                  2/12
  Updating   : policycoreutils-2.0.83-19.39.el6.x86_64                     3/12
  Updating   : selinux-policy-3.7.19-231.el6_5.3.noarch                    4/12
  Updating   : selinux-policy-targeted-3.7.19-231.el6_5.3.noarch           5/12
  Updating   : libselinux-python-2.0.94-5.3.el6_4.1.x86_64                 6/12
  Cleanup    : selinux-policy-targeted-3.7.19-195.el6.noarch               7/12
  Cleanup    : selinux-policy-3.7.19-195.el6.noarch                        8/12
  Cleanup    : policycoreutils-2.0.83-19.30.el6.x86_64                     9/12
  Cleanup    : libselinux-utils-2.0.94-5.3.el6.x86_64                     10/12
  Cleanup    : libselinux-python-2.0.94-5.3.el6.x86_64                    11/12
  Cleanup    : libselinux-2.0.94-5.3.el6.x86_64                           12/12
  Verifying  : libselinux-python-2.0.94-5.3.el6_4.1.x86_64                 1/12
  Verifying  : selinux-policy-3.7.19-231.el6_5.3.noarch                    2/12
  Verifying  : selinux-policy-targeted-3.7.19-231.el6_5.3.noarch           3/12
  Verifying  : libselinux-2.0.94-5.3.el6_4.1.x86_64                        4/12
  Verifying  : libselinux-utils-2.0.94-5.3.el6_4.1.x86_64                  5/12
  Verifying  : policycoreutils-2.0.83-19.39.el6.x86_64                     6/12
  Verifying  : libselinux-python-2.0.94-5.3.el6.x86_64                     7/12
  Verifying  : libselinux-utils-2.0.94-5.3.el6.x86_64                      8/12
  Verifying  : selinux-policy-3.7.19-195.el6.noarch                        9/12
  Verifying  : selinux-policy-targeted-3.7.19-195.el6.noarch              10/12
  Verifying  : policycoreutils-2.0.83-19.30.el6.x86_64                    11/12
  Verifying  : libselinux-2.0.94-5.3.el6.x86_64                           12/12

Updated:
  libselinux.x86_64 0:2.0.94-5.3.el6_4.1
  libselinux-python.x86_64 0:2.0.94-5.3.el6_4.1
  libselinux-utils.x86_64 0:2.0.94-5.3.el6_4.1
  policycoreutils.x86_64 0:2.0.83-19.39.el6
  selinux-policy.noarch 0:3.7.19-231.el6_5.3
  selinux-policy-targeted.noarch 0:3.7.19-231.el6_5.3

Complete!
# yum -y install selinux-policy-mls \
                 setroubleshoot \
                 setroubleshoot-server \
                 setools-gui \
                 setools-console \
                 mcstrans \
                 policycoreutils-python \
                 policycoreutils-gui
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: ftp.daum.net
 * extras: ftp.daum.net
 * updates: ftp.daum.net
Setting up Install Process
No package policycoretuils-python available.
Resolving Dependencies
--> Running transaction check
---> Package mcstrans.x86_64 0:0.3.1-4.el6 will be installed
---> Package policycoreutils-gui.x86_64 0:2.0.83-19.39.el6 will be installed
--> Processing Dependency: policycoreutils-python = 2.0.83-19.39.el6 for package: policycoreutils-gui-2.0.83-19.39.el6.x86_64
--> Processing Dependency: gtkhtml2 for package: policycoreutils-gui-2.0.83-19.39.el6.x86_64
--> Processing Dependency: gnome-python2-gtkhtml2 for package: policycoreutils-gui-2.0.83-19.39.el6.x86_64
---> Package selinux-policy-mls.noarch 0:3.7.19-231.el6_5.3 will be installed
--> Processing Dependency: policycoreutils-newrole >= 2.0.78-1 for package: selinux-policy-mls-3.7.19-231.el6_5.3.noarch
---> Package setools-console.x86_64 0:3.3.7-4.el6 will be installed
--> Processing Dependency: setools-libs = 3.3.7-4.el6 for package: setools-console-3.3.7-4.el6.x86_64
--> Processing Dependency: libsefs.so.4(VERS_4.0)(64bit) for package: setools-console-3.3.7-4.el6.x86_64
--> Processing Dependency: libseaudit.so.4(VERS_4.1)(64bit) for package: setools-console-3.3.7-4.el6.x86_64
--> Processing Dependency: libqpol.so.1(VERS_1.5)(64bit) for package: setools-console-3.3.7-4.el6.x86_64
--> Processing Dependency: libqpol.so.1(VERS_1.2)(64bit) for package: setools-console-3.3.7-4.el6.x86_64
--> Processing Dependency: libpoldiff.so.1(VERS_1.3)(64bit) for package: setools-console-3.3.7-4.el6.x86_64
--> Processing Dependency: libpoldiff.so.1(VERS_1.2)(64bit) for package: setools-console-3.3.7-4.el6.x86_64
--> Processing Dependency: libapol.so.4(VERS_4.1)(64bit) for package: setools-console-3.3.7-4.el6.x86_64
--> Processing Dependency: libapol.so.4(VERS_4.0)(64bit) for package: setools-console-3.3.7-4.el6.x86_64
--> Processing Dependency: libsefs.so.4()(64bit) for package: setools-console-3.3.7-4.el6.x86_64
--> Processing Dependency: libseaudit.so.4()(64bit) for package: setools-console-3.3.7-4.el6.x86_64
--> Processing Dependency: libqpol.so.1()(64bit) for package: setools-console-3.3.7-4.el6.x86_64
--> Processing Dependency: libpoldiff.so.1()(64bit) for package: setools-console-3.3.7-4.el6.x86_64
--> Processing Dependency: libapol.so.4()(64bit) for package: setools-console-3.3.7-4.el6.x86_64
---> Package setools-gui.x86_64 0:3.3.7-4.el6 will be installed
--> Processing Dependency: setools-libs-tcl = 3.3.7-4.el6 for package: setools-gui-3.3.7-4.el6.x86_64
--> Processing Dependency: tk >= 8.4.9 for package: setools-gui-3.3.7-4.el6.x86_64
--> Processing Dependency: tcl >= 8.4.9 for package: setools-gui-3.3.7-4.el6.x86_64
--> Processing Dependency: bwidget >= 1.8 for package: setools-gui-3.3.7-4.el6.x86_64
---> Package setroubleshoot.x86_64 0:3.0.47-6.el6 will be installed
---> Package setroubleshoot-server.x86_64 0:3.0.47-6.el6 will be installed
--> Processing Dependency: setroubleshoot-plugins >= 3.0.14 for package: setroubleshoot-server-3.0.47-6.el6.x86_64
--> Processing Dependency: setools-libs-python >= 3.3.7-4 for package: setroubleshoot-server-3.0.47-6.el6.x86_64
--> Processing Dependency: audit-libs-python >= 1.2.6-3 for package: setroubleshoot-server-3.0.47-6.el6.x86_64
--> Processing Dependency: python-slip-dbus for package: setroubleshoot-server-3.0.47-6.el6.x86_64
--> Running transaction check
---> Package audit-libs-python.x86_64 0:2.2-4.el6_5 will be installed
--> Processing Dependency: audit-libs = 2.2-4.el6_5 for package: audit-libs-python-2.2-4.el6_5.x86_64
---> Package bwidget.noarch 0:1.8.0-5.1.el6 will be installed
---> Package gnome-python2-gtkhtml2.x86_64 0:2.25.3-20.el6 will be installed
---> Package gtkhtml2.x86_64 0:2.11.1-7.el6 will be installed
---> Package policycoreutils-newrole.x86_64 0:2.0.83-19.39.el6 will be installed
---> Package policycoreutils-python.x86_64 0:2.0.83-19.39.el6 will be installed
--> Processing Dependency: libsemanage-python >= 2.0.43-4 for package: policycoreutils-python-2.0.83-19.39.el6.x86_64
--> Processing Dependency: libcgroup for package: policycoreutils-python-2.0.83-19.39.el6.x86_64
---> Package python-slip-dbus.noarch 0:0.2.20-1.el6_2 will be installed
--> Processing Dependency: python-decorator for package: python-slip-dbus-0.2.20-1.el6_2.noarch
---> Package setools-libs.x86_64 0:3.3.7-4.el6 will be installed
---> Package setools-libs-python.x86_64 0:3.3.7-4.el6 will be installed
---> Package setools-libs-tcl.x86_64 0:3.3.7-4.el6 will be installed
---> Package setroubleshoot-plugins.noarch 0:3.0.40-2.el6 will be installed
---> Package tcl.x86_64 1:8.5.7-6.el6 will be installed
---> Package tk.x86_64 1:8.5.7-5.el6 will be installed
--> Running transaction check
---> Package audit-libs.x86_64 0:2.2-2.el6 will be updated
--> Processing Dependency: audit-libs = 2.2-2.el6 for package: audit-2.2-2.el6.x86_64
---> Package audit-libs.x86_64 0:2.2-4.el6_5 will be an update
---> Package libcgroup.x86_64 0:0.40.rc1-6.el6_5.1 will be installed
---> Package libsemanage-python.x86_64 0:2.0.43-4.2.el6 will be installed
---> Package python-decorator.noarch 0:3.0.1-3.1.el6 will be installed
--> Running transaction check
---> Package audit.x86_64 0:2.2-2.el6 will be updated
---> Package audit.x86_64 0:2.2-4.el6_5 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                   Arch    Version               Repository    Size
================================================================================
Installing:
 mcstrans                  x86_64  0.3.1-4.el6           base          85 k
 policycoreutils-gui       x86_64  2.0.83-19.39.el6      base         209 k
 selinux-policy-mls        noarch  3.7.19-231.el6_5.3    updates      2.3 M
 setools-console           x86_64  3.3.7-4.el6           base         328 k
 setools-gui               x86_64  3.3.7-4.el6           base         242 k
 setroubleshoot            x86_64  3.0.47-6.el6          base         118 k
 setroubleshoot-server     x86_64  3.0.47-6.el6          base         1.3 M
Installing for dependencies:
 audit-libs-python         x86_64  2.2-4.el6_5           updates       59 k
 bwidget                   noarch  1.8.0-5.1.el6         base         166 k
 gnome-python2-gtkhtml2    x86_64  2.25.3-20.el6         base          22 k
 gtkhtml2                  x86_64  2.11.1-7.el6          base         154 k
 libcgroup                 x86_64  0.40.rc1-6.el6_5.1    updates      126 k
 libsemanage-python        x86_64  2.0.43-4.2.el6        base          81 k
 policycoreutils-newrole   x86_64  2.0.83-19.39.el6      base         112 k
 policycoreutils-python    x86_64  2.0.83-19.39.el6      base         343 k
 python-decorator          noarch  3.0.1-3.1.el6         base          14 k
 python-slip-dbus          noarch  0.2.20-1.el6_2        base          30 k
 setools-libs              x86_64  3.3.7-4.el6           base         400 k
 setools-libs-python       x86_64  3.3.7-4.el6           base         222 k
 setools-libs-tcl          x86_64  3.3.7-4.el6           base         197 k
 setroubleshoot-plugins    noarch  3.0.40-2.el6          base         506 k
 tcl                       x86_64  1:8.5.7-6.el6         base         1.9 M
 tk                        x86_64  1:8.5.7-5.el6         base         1.4 M
Updating for dependencies:
 audit                     x86_64  2.2-4.el6_5           updates      225 k
 audit-libs                x86_64  2.2-4.el6_5           updates       60 k

Transaction Summary
================================================================================
Install      23 Package(s)
Upgrade       2 Package(s)

Total download size: 11 M
Downloading Packages:
(1/25): audit-2.2-4.el6_5.x86_64.rpm                             | 225 kB 00:00
(2/25): audit-libs-2.2-4.el6_5.x86_64.rpm                        |  60 kB 00:00
(3/25): audit-libs-python-2.2-4.el6_5.x86_64.rpm                 |  59 kB 00:00
(4/25): bwidget-1.8.0-5.1.el6.noarch.rpm                         | 166 kB 00:00
(5/25): gnome-python2-gtkhtml2-2.25.3-20.el6.x86_64.rpm          |  22 kB 00:00
(6/25): gtkhtml2-2.11.1-7.el6.x86_64.rpm                         | 154 kB 00:00
(7/25): libcgroup-0.40.rc1-6.el6_5.1.x86_64.rpm                  | 126 kB 00:00
(8/25): libsemanage-python-2.0.43-4.2.el6.x86_64.rpm             |  81 kB 00:00
(9/25): mcstrans-0.3.1-4.el6.x86_64.rpm                          |  85 kB 00:00
(10/25): policycoreutils-gui-2.0.83-19.39.el6.x86_64.rpm         | 209 kB 00:00
(11/25): policycoreutils-newrole-2.0.83-19.39.el6.x86_64.rp      | 112 kB 00:00
(12/25): policycoreutils-python-2.0.83-19.39.el6.x86_64.rpm      | 343 kB 00:00
(13/25): python-decorator-3.0.1-3.1.el6.noarch.rpm               |  14 kB 00:00
(14/25): python-slip-dbus-0.2.20-1.el6_2.noarch.rpm              |  30 kB 00:00
(15/25): selinux-policy-mls-3.7.19-231.el6_5.3.noarch.rpm        | 2.3 MB 00:00
(16/25): setools-console-3.3.7-4.el6.x86_64.rpm                  | 328 kB 00:00
(17/25): setools-gui-3.3.7-4.el6.x86_64.rpm                      | 242 kB 00:00
(18/25): setools-libs-3.3.7-4.el6.x86_64.rpm                     | 400 kB 00:00
(19/25): setools-libs-python-3.3.7-4.el6.x86_64.rpm              | 222 kB 00:00
(20/25): setools-libs-tcl-3.3.7-4.el6.x86_64.rpm                 | 197 kB 00:00
(21/25): setroubleshoot-3.0.47-6.el6.x86_64.rpm                  | 118 kB 00:00
(22/25): setroubleshoot-plugins-3.0.40-2.el6.noarch.rpm          | 506 kB 00:00
(23/25): setroubleshoot-server-3.0.47-6.el6.x86_64.rpm           | 1.3 MB 00:00
(24/25): tcl-8.5.7-6.el6.x86_64.rpm                              | 1.9 MB 00:00
(25/25): tk-8.5.7-5.el6.x86_64.rpm                               | 1.4 MB 00:00
--------------------------------------------------------------------------------
Total                                                   1.8 MB/s |  11 MB 00:05
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : audit-libs-2.2-4.el6_5.x86_64                               1/27
  Installing : setools-libs-3.3.7-4.el6.x86_64                             2/27
  Installing : 1:tcl-8.5.7-6.el6.x86_64                                    3/27
  Installing : 1:tk-8.5.7-5.el6.x86_64                                     4/27
  Installing : setools-libs-python-3.3.7-4.el6.x86_64                      5/27
  Installing : audit-libs-python-2.2-4.el6_5.x86_64                        6/27
  Installing : gtkhtml2-2.11.1-7.el6.x86_64                                7/27
  Installing : gnome-python2-gtkhtml2-2.25.3-20.el6.x86_64                 8/27
  Installing : bwidget-1.8.0-5.1.el6.noarch                                9/27
  Installing : setools-libs-tcl-3.3.7-4.el6.x86_64                        10/27
  Installing : setools-console-3.3.7-4.el6.x86_64                         11/27
  Updating   : audit-2.2-4.el6_5.x86_64                                   12/27
  Installing : policycoreutils-newrole-2.0.83-19.39.el6.x86_64            13/27
  Installing : python-decorator-3.0.1-3.1.el6.noarch                      14/27
  Installing : python-slip-dbus-0.2.20-1.el6_2.noarch                     15/27
  Installing : libsemanage-python-2.0.43-4.2.el6.x86_64                   16/27
  Installing : mcstrans-0.3.1-4.el6.x86_64                                17/27
  Installing : libcgroup-0.40.rc1-6.el6_5.1.x86_64                        18/27
  Installing : policycoreutils-python-2.0.83-19.39.el6.x86_64             19/27
  Installing : setroubleshoot-plugins-3.0.40-2.el6.noarch                 20/27
  Installing : setroubleshoot-server-3.0.47-6.el6.x86_64                  21/27
  Installing : setroubleshoot-3.0.47-6.el6.x86_64                         22/27
  Installing : policycoreutils-gui-2.0.83-19.39.el6.x86_64                23/27
  Installing : selinux-policy-mls-3.7.19-231.el6_5.3.noarch               24/27
  Installing : setools-gui-3.3.7-4.el6.x86_64                             25/27
  Cleanup    : audit-2.2-2.el6.x86_64                                     26/27
  Cleanup    : audit-libs-2.2-2.el6.x86_64                                27/27
  Verifying  : setroubleshoot-server-3.0.47-6.el6.x86_64                   1/27
  Verifying  : setools-console-3.3.7-4.el6.x86_64                          2/27
  Verifying  : setools-libs-python-3.3.7-4.el6.x86_64                      3/27
  Verifying  : 1:tcl-8.5.7-6.el6.x86_64                                    4/27
  Verifying  : libcgroup-0.40.rc1-6.el6_5.1.x86_64                         5/27
  Verifying  : setools-libs-3.3.7-4.el6.x86_64                             6/27
  Verifying  : python-slip-dbus-0.2.20-1.el6_2.noarch                      7/27
  Verifying  : policycoreutils-gui-2.0.83-19.39.el6.x86_64                 8/27
  Verifying  : audit-libs-python-2.2-4.el6_5.x86_64                        9/27
  Verifying  : setroubleshoot-3.0.47-6.el6.x86_64                         10/27
  Verifying  : audit-2.2-4.el6_5.x86_64                                   11/27
  Verifying  : setroubleshoot-plugins-3.0.40-2.el6.noarch                 12/27
  Verifying  : gnome-python2-gtkhtml2-2.25.3-20.el6.x86_64                13/27
  Verifying  : policycoreutils-python-2.0.83-19.39.el6.x86_64             14/27
  Verifying  : setools-gui-3.3.7-4.el6.x86_64                             15/27
  Verifying  : selinux-policy-mls-3.7.19-231.el6_5.3.noarch               16/27
  Verifying  : gtkhtml2-2.11.1-7.el6.x86_64                               17/27
  Verifying  : bwidget-1.8.0-5.1.el6.noarch                               18/27
  Verifying  : setools-libs-tcl-3.3.7-4.el6.x86_64                        19/27
  Verifying  : mcstrans-0.3.1-4.el6.x86_64                                20/27
  Verifying  : audit-libs-2.2-4.el6_5.x86_64                              21/27
  Verifying  : 1:tk-8.5.7-5.el6.x86_64                                    22/27
  Verifying  : libsemanage-python-2.0.43-4.2.el6.x86_64                   23/27
  Verifying  : python-decorator-3.0.1-3.1.el6.noarch                      24/27
  Verifying  : policycoreutils-newrole-2.0.83-19.39.el6.x86_64            25/27
  Verifying  : audit-2.2-2.el6.x86_64                                     26/27
  Verifying  : audit-libs-2.2-2.el6.x86_64                                27/27

Installed:
  mcstrans.x86_64 0:0.3.1-4.el6
  policycoreutils-gui.x86_64 0:2.0.83-19.39.el6
  selinux-policy-mls.noarch 0:3.7.19-231.el6_5.3
  setools-console.x86_64 0:3.3.7-4.el6
  setools-gui.x86_64 0:3.3.7-4.el6
  setroubleshoot.x86_64 0:3.0.47-6.el6
  setroubleshoot-server.x86_64 0:3.0.47-6.el6

Dependency Installed:
  audit-libs-python.x86_64 0:2.2-4.el6_5
  bwidget.noarch 0:1.8.0-5.1.el6
  gnome-python2-gtkhtml2.x86_64 0:2.25.3-20.el6
  gtkhtml2.x86_64 0:2.11.1-7.el6
  libcgroup.x86_64 0:0.40.rc1-6.el6_5.1
  libsemanage-python.x86_64 0:2.0.43-4.2.el6
  policycoreutils-newrole.x86_64 0:2.0.83-19.39.el6
  policycoreutils-python.x86_64 0:2.0.83-19.39.el6
  python-decorator.noarch 0:3.0.1-3.1.el6
  python-slip-dbus.noarch 0:0.2.20-1.el6_2
  setools-libs.x86_64 0:3.3.7-4.el6
  setools-libs-python.x86_64 0:3.3.7-4.el6
  setools-libs-tcl.x86_64 0:3.3.7-4.el6
  setroubleshoot-plugins.noarch 0:3.0.40-2.el6
  tcl.x86_64 1:8.5.7-6.el6
  tk.x86_64 1:8.5.7-5.el6

Dependency Updated:
  audit.x86_64 0:2.2-4.el6_5
  audit-libs.x86_64 0:2.2-4.el6_5

Complete!
-> The command as originally typed misspelled policycoreutils-python as "policycoretuils-python", which is why yum reports "No package policycoretuils-python available."; the package was installed anyway as a dependency of policycoreutils-gui, and semanage (used below) comes from it.
[Lab] Turning the audit/rsyslog services on and off
audit trail --> auditd
# chkconfig auditd on           (# service auditd restart)
# chkconfig rsyslog on          (# service rsyslog restart)
# service auditd status
auditd (pid 5031)를 실행하고 있습니다.
# service rsyslog status
rsyslogd (pid 1768)를 실행하고 있습니다..
# tail -f /var/log/audit/audit.log          (# grep denied /var/log/audit/audit.log)
..... (omitted) .....
type=LOGIN msg=audit(1412904601.114:34683): pid=9446 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old auid=4294967295 new auid=0 old ses=4294967295 new ses=11
type=USER_START msg=audit(1412904601.121:34684): user pid=9446 uid=0 auid=0 ses=11 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1412904601.158:34685): user pid=9446 uid=0 auid=0 ses=11 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1412904601.159:34686): user pid=9446 uid=0 auid=0 ses=11 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=AVC msg=audit(1412910127.774:34815): avc: denied { search } for pid=11591 comm="vsftpd" name="home" dev=dm-0 ino=262145 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
<CTRL + C>
-> Because nothing has been tested yet after the configuration, no "denied" messages will have accumulated in audit.log at this point.
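An AVC record such as the one above is easier to triage once it is reduced to who tried what on which label: the source type (scontext), the target type (tcontext), the object class and the permission set. The script below is an added example written for these notes, not part of the original lab or of the audit tools; it assumes only POSIX sh and awk, and the sample records embedded in it are constructed (the first AVC line is the one from the log above, the second denial is made up to show a multi-permission set, and the PAM records are there to show that non-AVC records are ignored).

```shell
#!/bin/sh
# Added example (not from the original notes): condense AVC "denied" records
# from /var/log/audit/audit.log into one readable line each.
# Assumes only POSIX sh and awk. The field names used (comm, scontext,
# tcontext, tclass and the permission set in braces) are the standard
# audit AVC fields visible in the tail -f output above.

# Constructed sample log (see the lead-in for which line is which).
sample_audit_log() {
cat <<'EOF'
type=USER_START msg=audit(1412904601.121:34684): user pid=9446 uid=0 auid=0 ses=11 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=AVC msg=audit(1412910127.774:34815): avc:  denied  { search } for  pid=11591 comm="vsftpd" name="home" dev=dm-0 ino=262145 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1412910130.001:34816): avc:  denied  { read write } for  pid=11591 comm="vsftpd" name="test.txt" dev=dm-0 ino=262200 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=USER_END msg=audit(1412904601.159:34686): user pid=9446 uid=0 auid=0 ses=11 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
EOF
}

# Read audit records on stdin; for every AVC denial print
#   <comm> <source type> -> <target type> <tclass> { <permissions> }
summarize_avc() {
    awk '
    /^type=AVC / && /avc: +denied/ {
        perms = $0
        sub(/.*denied[ ]*[{][ ]*/, "", perms)   # keep text after "denied {"
        sub(/[ ]*[}].*/, "", perms)             # ... up to the closing brace
        comm = ""; stype = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1)
            val = substr($i, n + 1)
            if (key == "comm")     { gsub("\"", "", val); comm = val }
            if (key == "scontext") { split(val, c, ":"); stype = c[3] }   # user:role:type:range
            if (key == "tcontext") { split(val, c, ":"); ttype = c[3] }
            if (key == "tclass")   { tclass = val }
        }
        printf "%s %s -> %s %s { %s }\n", comm, stype, ttype, tclass, perms
    }'
}

# Count the denials on stdin (handy for a cron check or a log-volume alarm).
count_avc() {
    summarize_avc | awk 'END { print NR }'
}

# The same summary over a saved log file, e.g. summarize_avc_file /var/log/audit/audit.log
summarize_avc_file() {
    summarize_avc < "$1"
}
```

Against the live log, `grep denied /var/log/audit/audit.log | summarize_avc` or `tail -f /var/log/audit/audit.log | summarize_avc` gives one line per denial; for the record above that is `vsftpd ftpd_t -> home_root_t dir { search }`, which names exactly the domain and the label that a boolean such as allow_ftpd_full_access has to reconcile.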
[Lab] Switching and verifying the SELinux mode
# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing     /* /etc/sysconfig/selinux */
Policy version:                 24
Policy from config file:        targeted
-> Switch to permissive
# setenforce
usage:  setenforce [ Enforcing | Permissive | 1 | 0 ]
# setenforce 0  =  # setenforce permissive
# setenforce 1  =  # setenforce enforcing
# setenforce 0
# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
-> The config file is unchanged: setenforce changes only the running mode, so the system comes back enforcing after a reboot.
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
# getenforce
Permissive
# setenforce 1
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
# setenforce 0
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
[Lab] Using the basic SELinux commands
# semanage boolean -l | grep allow_ftpd
# getsebool -a
# getsebool allow_ftpd_full_access
# setsebool allow_ftpd_full_access on
# semanage boolean
/usr/sbin/semanage: semanage [ -S store ] -i [ input_file | - ]
semanage [ -S store ] -o [ output_file | - ]
semanage login -{a|d|m|l|D|E} [-nrs] login_name | %groupname
semanage user -{a|d|m|l|D|E} [-LnrRP] selinux_name
semanage port -{a|d|m|l|D|E} [-nrt] [ -p proto ] port | port_range
semanage interface -{a|d|m|l|D|E} [-nrt] interface_spec
semanage module -{a|d|m} [--enable|--disable] module
semanage node -{a|d|m|l|D|E} [-nrt] [ -p protocol ] [-M netmask] addr
semanage fcontext -{a|d|m|l|D|E} [-efnrst] file_spec
semanage boolean -{d|l|m} [--on|--off|-1|-0] -F boolean | boolean_file
semanage permissive -{d|a|l} [-n] type
semanage dontaudit [ on | off ]

Primary Options:
    -a, --add        Add a OBJECT record NAME
    -d, --delete     Delete a OBJECT record NAME
    -m, --modify     Modify a OBJECT record NAME
    -i, --input      Input multiple semange commands in a transaction
    -o, --output     Output current customizations as semange commands
    -l, --list       List the OBJECTS
    -E, --extract    extract customizable commands
    -C, --locallist  List OBJECTS local customizations
    -D, --deleteall  Remove all OBJECTS local customizations

    -h, --help       Display this message
    -n, --noheading  Do not print heading when listing OBJECTS
    -S, --store      Select and alternate SELinux store to manage

Object-specific Options (see above):
    -f, --ftype      File Type of OBJECT
        "" (all files)
        -- (regular file)
        -d (directory)
        -c (character device)
        -b (block device)
        -s (socket)
        -l (symbolic link)
        -p (named pipe)

    -F, --file       Treat target as an input file for command, change multiple settings
    -p, --proto      Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6)
    -M, --mask       Netmask
    -e, --equal      Substitue source path for dest path when labeling
    -P, --prefix     Prefix for home directory labeling
    -L, --level      Default SELinux Level (MLS/MCS Systems only)
    -R, --roles      SELinux Roles (ex: "sysadm_r staff_r")
    -s, --seuser     SELinux User Name
    -t, --type       SELinux Type for the object
    -r, --range      MLS/MCS Security Range (MLS/MCS Systems only)
    --enable         Enable a module
    --disable        Disable a module
# semanage boolean -l
SELinux boolean                          State  Default Description
ftp_home_dir                   (off  ,  off)  Allow ftp to read and write files in the user home directories
smartmon_3ware                 (off  ,  off)  Enable additional permissions needed to support devices on 3ware controllers.
xdm_sysadm_login               (off  ,  off)  Allow xdm logins as sysadm
xen_use_nfs                    (off  ,  off)  Allow xen to manage nfs files
mozilla_read_content           (off  ,  off)  Control mozilla content access
ssh_chroot_rw_homedirs         (off  ,  off)  Allow ssh with chroot env to read and write files in the user home directories
postgresql_can_rsync           (off  ,  off)  Allow postgresql to use ssh and rsync for point-in-time recovery
allow_console_login            (on   ,   on)  Allow direct login to the console device. Required for System 390
..... (omitted) .....
httpd_setrlimit                (off  ,  off)  Allow httpd daemon to change system limits
squid_connect_any              (on   ,   on)  Allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports.
virt_use_samba                 (off  ,  off)  Allow virt to manage cifs files
cluster_use_execmem            (off  ,  off)  Allow cluster administrative cluster domains memcheck-amd64- to use executable memory
named_write_master_zones       (off  ,  off)  Allow BIND to write the master zone files. Generally this is used for dynamic DNS or zone transfers.
exim_manage_user_files         (off  ,  off)  Allow exim to create, read, write, and delete unprivileged user files.
logging_syslog_can_read_tmp    (off  ,  off)  Allow syslogd daemon to read user tmp content
cron_can_relabel               (off  ,  off)  Allow system cron jobs to relabel filesystem for restoring file contexts.
git_system_use_cifs            (off  ,  off)  Determine whether Git system daemon can access cifs file systems.
# getsebool
usage:  getsebool -a or getsebool boolean...
# getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
allow_console_login --> on
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
allow_daemons_use_tcp_wrapper --> off
allow_daemons_use_tty --> on
allow_domain_fd_use --> on
allow_execheap --> off
allow_execmem --> on
..... (omitted) .....
virt_use_sysfs --> on
virt_use_usb --> on
virt_use_xserver --> off
webadm_manage_user_files --> off
webadm_read_user_files --> off
wine_mmap_zero_ignore --> off
xdm_exec_bootloader --> off
xdm_sysadm_login --> off
xen_use_nfs --> off
xguest_connect_network --> on
xguest_mount_media --> on
xguest_use_bluetooth --> on
xserver_object_manager --> off
zabbix_can_network --> off
# getsebool allow_console_login
allow_console_login --> on
# semanage boolean -l | grep ftp
ftp_home_dir                   (off  ,  off)  Allow ftp to read and write files in the user home directories
allow_ftpd_full_access         (off  ,  off)  Allow ftp servers to login to local users and read/write all files on the system, governed by DAC.
allow_ftpd_use_cifs            (off  ,  off)  Allow ftp servers to use cifs used for public file transfer services.
allow_ftpd_use_nfs             (off  ,  off)  Allow ftp servers to use nfs used for public file transfer services.
allow_ftpd_anon_write          (off  ,  off)  Allow ftp servers to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t.
tftp_anon_write                (off  ,  off)  Allow tftp to modify public files used for public file transfer services.
ftpd_use_passive_mode          (off  ,  off)  Allow ftp servers to use bind to all unreserved ports for passive mode
tftp_use_cifs                  (off  ,  off)  Allow tftp to read from a CIFS store for public file transfer services.
tftp_use_nfs                   (off  ,  off)  Allow tftp to read from a NFS store for public file transfer services.
ftpd_use_fusefs                (off  ,  off)  Allow ftpd to use ntfs/fusefs volumes.
ftpd_connect_db                (off  ,  off)  Allow ftp servers to use connect to mysql database
httpd_enable_ftp_server        (off  ,  off)  Allow httpd to act as a FTP server by listening on the ftp port.
# getsebool allow_ftpd_full_access
allow_ftpd_full_access --> off
# setsebool allow_ftpd_full_access on
# getsebool allow_ftpd_full_access
allow_ftpd_full_access --> on
# semanage boolean -l | grep allow_ftpd
allow_ftpd_full_access         (on   ,  off)  Allow ftp servers to login to local users and read/write all files on the system, governed by DAC.
allow_ftpd_use_cifs            (off  ,  off)  Allow ftp servers to use cifs used for public file transfer services.
allow_ftpd_use_nfs             (off  ,  off)  Allow ftp servers to use nfs used for public file transfer services.
allow_ftpd_anon_write          (off  ,  off)  Allow ftp servers to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t
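Both the mode-switching lab and this boolean lab change settings that live only in the running kernel: setenforce changes "Current mode" without touching "Mode from config file", and setsebool without -P changes a boolean's State but not its Default, which is why the last listing shows allow_ftpd_full_access as (on , off). The script below is an added example written for these notes, not part of the original lab or of policycoreutils; it reports both kinds of drift by parsing sestatus and semanage boolean -l output, assumes only POSIX sh and awk, and the embedded outputs are constructed from the ones shown above.

```shell
#!/bin/sh
# Added example (not part of the original notes): find SELinux settings that
# will not survive a reboot. Assumes POSIX sh and awk; the parsed formats are
# the "Label:   value" lines of sestatus and the
# "name (state , default) description" lines of semanage boolean -l.

# Constructed sestatus output, as seen after "setenforce 0" in the lab.
sample_sestatus_drift() {
cat <<'EOF'
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
EOF
}

# Constructed "semanage boolean -l" lines; allow_ftpd_full_access was switched
# on at run time without -P, so its State differs from its Default.
sample_booleans() {
cat <<'EOF'
SELinux boolean                          State  Default Description
ftp_home_dir                   (off  ,  off)  Allow ftp to read and write files in the user home directories
allow_ftpd_full_access         (on   ,  off)  Allow ftp servers to login to local users and read/write all files on the system, governed by DAC.
allow_console_login            (on   ,   on)  Allow direct login to the console device. Required for System 390
EOF
}

# Read sestatus output on stdin. Print "MODE_DRIFT <current> <config>" when the
# running mode differs from the configured one; print nothing when they agree.
mode_drift() {
    awk -F': *' '
        $1 == "Current mode"          { cur = $2 }
        $1 == "Mode from config file" { cfg = $2 }
        END { if (cur != "" && cur != cfg) print "MODE_DRIFT", cur, cfg }'
}

# Read "semanage boolean -l" output on stdin. Print
# "BOOL_DRIFT <name> <state> <default>" for every boolean whose running
# State differs from its persistent Default (header and agreeing rows are skipped).
boolean_drift() {
    awk '
        $2 ~ /^[(]/ {
            name = $1
            pair = $0
            sub(/^[^(]*[(]/, "", pair)    # drop everything up to "("
            sub(/[)].*/, "", pair)        # keep "state , default"
            gsub(/[ ,]+/, " ", pair)      # normalise to "state default"
            split(pair, sd, " ")
            if (sd[1] != sd[2]) print "BOOL_DRIFT", name, sd[1], sd[2]
        }'
}

# On a real CentOS 6 host (semanage comes from policycoreutils-python):
selinux_drift_report() {
    sestatus | mode_drift
    semanage boolean -l | boolean_drift
}
```

An empty report means the running state matches what the next boot will load. To make a boolean change persistent use setsebool -P (for example `setsebool -P allow_ftpd_full_access on`), which rewrites the policy store and therefore takes noticeably longer than the run-time change; to make a mode change persistent edit SELINUX= in /etc/sysconfig/selinux.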
[Lab] Testing a SELinux setting (FTP server / FTP client)
Systems used
- ids.example.com (192.168.20.203)
- Kali Linux (192.168.20.50)
Lab scenario
       CentOS 6.X                      Kali Linux
     (192.168.20.203)                (192.168.20.50)
----- SELinux Server ----          ------ Client ------
      FTP Server                      FTP Client
                                      # ftp <server IP>
-------------------------          -------------------
(on the FTP server) CentOS 6.X
(run these commands only if needed)
# cat /etc/resolv.conf                              /* check the external DNS server setting */
# yum -y install ftp vsftpd                         /* install the FTP server/client packages */
# sed -i 's/^root/#root/' /etc/vsftpd/ftpusers      /* allow the root user */
# sed -i 's/^root/#root/' /etc/vsftpd/user_list     /* allow the root user */
# chkconfig vsftpd on                               /* FTP service on (at boot) */
# service vsftpd start                              /* FTP service start (now) */
# chkconfig iptables off                            /* firewall service off (at boot) */
# service iptables stop                             /* firewall service stop (now) */
# setsebool allow_ftpd_full_access off
# getsebool allow_ftpd_full_access
allow_ftpd_full_access --> off
# tail -f /var/log/audit/audit.log
-> Leave this running to monitor the log.
(on the FTP client) Kali Linux
(prerequisite) add the user01 account on both systems
(CentOS 6.X) # useradd user01
             # echo user01 | passwd --stdin user01
(Kali Linux) # useradd -m -s /bin/bash user01
             # echo user01:user01 | chpasswd       /* Debian's passwd has no --stdin option */
# su - user01
$ dd if=/dev/zero of=test.txt bs=1M count=5
5+0 records in
5+0 records out
5242880 bytes (5.2 MB) copied, 0.0127335 s, 412 MB/s
$ ftp 192.168.20.203          /* Kali Linux (192.168.20.50) -> ids.example.com (192.168.20.203) */
Connected to 192.168.10.250.
220 (vsFTPd 2.2.2)
Name (192.168.10.250:root): user01
331 Please specify the password.
Password: (enter user01's password)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> passive
Passive mode on.
ftp> put test.txt          /* Kali Linux (current dir/test.txt) -> IDS (/home/user01/test.txt) */
local: test.txt remote: test.txt
227 Entering Passive Mode (192,168,10,250,214,87).
150 Ok to send data.
226 Transfer complete.
5242880 bytes sent in 0.11 secs (44618.3 kB/s)
ftp> lcd /tmp
Local directory now /tmp
ftp> get test.txt          /* IDS (/home/user01/test.txt) -> Kali Linux (/tmp/test.txt) */
local: test.txt remote: test.txt
227 Entering Passive Mode (192,168,10,250,254,215).
150 Opening BINARY mode data connection for test.txt (5242880 bytes).
226 Transfer complete.
5242880 bytes received in 0.08 secs (61780.5 kB/s)
ftp> quit
221 Goodbye
$
(on FTP Server) CentOS 6.X
# tail -f /var/log/audit/audit.log
type=USER_AUTH msg=audit(1412947954.776:104): user pid=3831 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="user01" exe="/usr/sbin/vsftpd" hostname=192.168.10.100 addr=192.168.10.100 terminal=ftp res=success'
type=USER_ACCT msg=audit(1412947954.780:105): user pid=3831 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="user01" exe="/usr/sbin/vsftpd" hostname=192.168.10.100 addr=192.168.10.100 terminal=ftp res=success'
type=CRED_ACQ msg=audit(1412947954.780:106): user pid=3831 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="user01" exe="/usr/sbin/vsftpd" hostname=192.168.10.100 addr=192.168.10.100 terminal=ftp res=success'
..... (omitted) .....
-> Messages like the above appear in the monitoring window.
-> The messages are logged, but the service still works.
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
# setenforce 1
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
# getsebool allow_ftpd_full_access
allow_ftpd_full_access --> off
(on FTP Client) KaliLinux
$ ftp 192.168.20.203
Connected to 192.168.10.250.
220 (vsFTPd 2.2.2)
Name (192.168.10.250:root): user01
331 Please specify the password.
Password: (enter user01's password)
500 OOPS: cannot change directory:/home/user01
Login failed.
ftp> quit
421 Service not available, remote server has closed connection
-> The root user cannot log in either.
$ ftp 192.168.20.203
Connected to 192.168.10.250.
220 (vsFTPd 2.2.2)
Name (192.168.10.250:root): anonymous
331 Please specify the password.
Password: (id@naver.com)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
(run these if needed) (192.168.20.203) CentOS 6.X
# cd /var/ftp/pub
# cp /etc/passwd /var/ftp/pub/test.txt
ftp> cd pub
250 Directory successfully changed.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 1571 Oct 10 02:39 test.txt
226 Directory send OK.
ftp> mget test.txt
mget test.txt? y
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for test.txt (1571 bytes).
226 Transfer complete.
1571 bytes received in 0.00 secs (2293.2 kB/s)
ftp> quit
221 Goodbye.
(on FTP Server) CentOS 6.X
# setsebool allow_ftpd_full_access on
# getsebool allow_ftpd_full_access
allow_ftpd_full_access --> on
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
(on FTP Client) KaliLinux
# ftp 192.168.20.203
$ ftp 192.168.10.250
Connected to 192.168.10.250.
220 (vsFTPd 2.2.2)
Name (192.168.10.250:root): user01
331 Please specify the password.
Password: (enter user01's password)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 501 501 5242880 Oct 10 02:27 test.txt
226 Directory send OK.
ftp> mget test.txt
mget test.txt? y
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for test.txt (5242880 bytes).
226 Transfer complete.
5242880 bytes received in 0.06 secs (80610.9 kB/s)
ftp> quit
221 Goodbye.
$ ftp 192.168.20.203
Connected to 192.168.10.250.
220 (vsFTPd 2.2.2)
Name (192.168.10.250:root): anonymous
331 Please specify the password.
Password: (id@naver.com)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 1571 Oct 10 02:39 test.txt
226 Directory send OK.
ftp> mget test.txt
mget test.txt? y
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for test.txt (1571 bytes).
226 Transfer complete.
1571 bytes received in 0.00 secs (1543.4 kB/s)
ftp> quit
221 Goodbye.
(Summary) On the Linux server
■ To run SELinux in enforcing mode
# vi /etc/sysconfig/selinux
SELINUX=enforcing
SELINUXTYPE=targeted
# setenforce 1
■ "Service open procedure" when opening a new service (EX: FTP)
(ㄱ) Install the program (EX: ?)
# yum -y install ftp vsftpd
(ㄴ) Configure the program
# sed -i 's/^root/#root/' /etc/vsftpd/ftpusers
# sed -i 's/^root/#root/' /etc/vsftpd/user_list
(ㄷ) Turn the service ON (EX: system-config-services)
# chkconfig vsftpd on
# service vsftpd start
(ㄹ) Register the service with the firewall (EX: system-config-firewall)
# iptables -A INPUT -m state --state NEW -p tcp --dport 20:21 -j ACCEPT
# service iptables save /* /etc/sysconfig/iptables */
(ㅁ) SELinux configuration (EX: system-config-selinux)
# setsebool allow_ftpd_full_access on
# setsebool -P allow_ftpd_full_access on
[Lab] Temporarily changing a context type and restoring it
# cd
# mkdir text && cd text
# touch file1
# ls -Z
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 file1
# chcon -t samba_share_t file1
# ls -Z
-rw-r--r--. root root unconfined_u:object_r:samba_share_t:s0 file1
# restorecon -v file1
restorecon reset /root/text/file1 context unconfined_u:object_r:samba_share_t:s0->unconfined_u:object_r:admin_home_t:s0
# ls -Z
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 file1
[Lab] Checking the file that defines file contexts
# cd /etc/selinux/targeted/contexts/files
# ls
file_contexts file_contexts.homedirs file_contexts.local media
# cat /etc/selinux/targeted/contexts/files/file_contexts | more
/.* system_u:object_r:default_t:s0
/[^/]+ -- system_u:object_r:etc_runtime_t:s0
/a?quota\.(user|group) -- system_u:object_r:quota_db_t:s0
/nsr(/.*)? system_u:object_r:var_t:s0
/sys(/.*)? system_u:object_r:sysfs_t:s0
/xen(/.*)? system_u:object_r:xen_image_t:s0
/mnt(/[^/]*) -l system_u:object_r:mnt_t:s0
/mnt(/[^/]*)? -d system_u:object_r:mnt_t:s0
/bin/.* system_u:object_r:bin_t:s0
/dev/.* system_u:object_r:device_t:s0
/lib/.* system_u:object_r:lib_t:s0
/var/.* system_u:object_r:var_t:s0
/srv/.* system_u:object_r:var_t:s0
/tmp/.* <<none>>
/usr/.* system_u:object_r:usr_t:s0
/opt/.* system_u:object_r:usr_t:s0
/etc/.* system_u:object_r:etc_t:s0
/root(/.*)? system_u:object_r:admin_home_t:s0
/dev/[0-9].* -c system_u:object_r:usb_device_t:s0
/mnt/[^/]*/.* <<none>>
/dev/.*mouse.* -c system_u:object_r:mouse_device_t:s0
/rhev(/[^/]*)? -d system_u:object_r:mnt_t:s0
/dev/.*tty[^/]* -c system_u:object_r:tty_device_t:s0
..... (omitted) .....
/usr/share/gitolite3/triggers/post-compile/ssh-authkeys-shell-users -- system_u:object_r:bin_t:s0
/usr/share/gitolite3/triggers/post-compile/update-gitweb-access-list -- system_u:object_r:bin_t:s0
/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- system_u:object_r:bin_t:s0
/usr/share/system-config-services/system-config-services-mechanism\.py -- system_u:object_r:initrc_exec_t:s0
/usr/share/gitolite3/triggers/post-compile/update-git-daemon-access-list -- system_u:object_r:bin_t:s0
-> This is the file that restorecon consults when it is run later.
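As an added example (not part of the original notes), the Python below reimplements how this file is consulted: it parses the entry format shown above (regex, optional file-type flag, context or <<none>>) and resolves a path the way matchpathcon and restorecon do. The excerpt is constructed from entries on this page plus the /var/www entry that explains the matchpathcon output in the copy/move lab; the function names are my own.

```python
import re
# Constructed excerpt of /etc/selinux/targeted/contexts/files/file_contexts: entries
# from the lab above plus the /var/www entry that explains the matchpathcon output.
FILE_CONTEXTS_EXCERPT = r"""
/.*                      system_u:object_r:default_t:s0
/[^/]+             --    system_u:object_r:etc_runtime_t:s0
/a?quota\.(user|group) -- system_u:object_r:quota_db_t:s0
/mnt(/[^/]*)?      -d    system_u:object_r:mnt_t:s0
/tmp/.*                  <<none>>
/etc/.*                  system_u:object_r:etc_t:s0
/root(/.*)?              system_u:object_r:admin_home_t:s0
/var/www(/.*)?           system_u:object_r:httpd_sys_content_t:s0
"""
# Optional second column: the file type an entry is restricted to.
FILE_TYPE_FLAGS = {"--": "file", "-d": "dir", "-c": "chr", "-b": "blk",
                   "-s": "sock", "-l": "lnk", "-p": "fifo"}

def parse_file_contexts(text):
    """Parse 'regex [type-flag] context' lines into (regex, file type, context)."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) == 2:            # no type flag: entry applies to any file type
            parts.insert(1, None)
        regex, flag, ctx = parts        # raises ValueError on a malformed line
        ftype = FILE_TYPE_FLAGS[flag] if flag else None
        rules.append((re.compile(regex), ftype, None if ctx == "<<none>>" else ctx))
    return rules

def expected_context(rules, path, ftype="file"):
    """Context the policy assigns to path: regexes are anchored to the whole path and
    a later matching entry overrides an earlier one (last match wins), as in libselinux.
    None means nothing matched or the winning entry is <<none>>."""
    winner = None
    for regex, rule_ftype, ctx in rules:
        if rule_ftype in (None, ftype) and regex.fullmatch(path):
            winner = ctx
    return winner

def verify_context(rules, path, actual_ctx, ftype="file"):
    """Like 'matchpathcon -V': only the type field (index 2) is compared, which is why
    the lab further down reports file2 as verified although its user field differs."""
    expected = expected_context(rules, path, ftype)
    if expected is None:
        return "%s has no file_contexts entry." % path
    if expected.split(":")[2] == actual_ctx.split(":")[2]:
        return "%s verified." % path
    return "%s has context %s, should be %s" % (path, actual_ctx, expected)
```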
[Lab] Changing or restoring the context type of every file under a directory
# mkdir /web
# touch /web/file{1,2,3}
# ls -Z /web
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 file3
# chcon -R -t httpd_sys_content_t /web
# ls -dZ /web
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /web
# ls -lZ /web
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
# restorecon -R -v /web
restorecon reset /web context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:default_t:s0
restorecon reset /web/file2 context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:default_t:s0
restorecon reset /web/file3 context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:default_t:s0
restorecon reset /web/file1 context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:default_t:s0
[Lab] Changing a context type permanently
(temporary change) use the chcon command
(permanent change) use the semanage fcontext command
# touch /etc/file1
# ls -Z /etc/file1
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/file1
# semanage fcontext -a -t samba_share_t /etc/file1
#
-> Takes a moment (about 5 to 8 seconds)
# semanage --help
-a, --add Add a OBJECT record NAME
-t, --type SELinux Type for the object
-d, --delete Delete a OBJECT record NAME
# ls -Z /etc/file1
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/file1
-> Has the current setting changed? (No: semanage only records the rule; the file keeps its old label until restorecon is run on it.)
# cat /etc/selinux/targeted/contexts/files/file_contexts.local
# This file is auto-generated by libsemanage
# Do not edit directly.
/etc/file1 system_u:object_r:samba_share_t:s0
-> This rule persists across reboots.
# semanage fcontext -d /etc/file1
#
-> Takes a moment
# cat /etc/selinux/targeted/contexts/files/file_contexts.local
# This file is auto-generated by libsemanage
# Do not edit directly.
[Lab] File copy (Copy) / move (Move) / delete (Delete)
(run these if needed)
# cat /etc/resolv.conf
# yum -y install httpd httpd-tools httpd-manual
# su - user01
$ touch file1
$ ls -Z file1
-rw-rw-r--. user01 user01 unconfined_u:object_r:user_home_t:s0 file1
-rw-r--r--. user01 user01 unconfined_u:object_r:user_home_t:s0 test.txt
$ ls -dZ /var/www/html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html
$ exit
# cd /home/user01
# ls -Z file1
-rw-rw-r--. user01 user01 unconfined_u:object_r:user_home_t:s0 file1
# cp file1 /var/www/html
# ls -Z /var/www/html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
# cd /root/text
# ls -Z
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 file1
# cp --preserve=context file1 /var/www
# ls -Z /var/www
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 error
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 file1
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 icons
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 manual
# su - user01
$ ls -Z
-rw-rw-r--. user01 user01 unconfined_u:object_r:user_home_t:s0 file1
$ cp -Z system_u:object_r:samba_share_t:s0 file1 file2
$ ls -Z
-rw-rw-r--. user01 user01 unconfined_u:object_r:user_home_t:s0 file1
-rw-rw-r--. user01 user01 system_u:object_r:samba_share_t:s0 file2
$ exit
# ls -Z
-rw-rw-r--. user01 user01 unconfined_u:object_r:user_home_t:s0 file1
-rw-rw-r--. user01 user01 system_u:object_r:samba_share_t:s0 file2
-rw-r--r--. user01 user01 unconfined_u:object_r:user_home_t:s0 test.txt
# cp -Z system_u:object_r:samba_share_t:s0 file1 file2
# ls -Z
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 file1
-rw-r--r--. root root system_u:object_r:samba_share_t:s0 file2
# ls -Z /var/www/html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
# rm -rf /var/www/html/file1
#
# pwd
/root/text
# ls -Z
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 file1
-rw-r--r--. root root system_u:object_r:samba_share_t:s0 file2
# mv file1 /var/www/html
# ls -Z /var/www/html/file1
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 file1
-> Unlike cp, mv keeps the file's original context (admin_home_t), so the file is now mislabeled for the web directory.
# cd /var/www/html
# rm -rf file1
# touch file{1,2,3}
# ls -Z file*
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
# chcon -t samba_share_t file1
# ls -Z file*
-rw-r--r--. root root unconfined_u:object_r:samba_share_t:s0 file1
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
# matchpathcon -V /var/www/html/file* file1 (# matchpathcon -V /var/www/html/*)
/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/file2 verified.
/var/www/html/file3 verified.
# restorecon -v file1
restorecon reset /var/www/html/file1 context unconfined_u:object_r:samba_share_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
# ls -Z file*
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
(Summary) Example: web service (httpd, /etc/httpd/conf/httpd.conf, 80)
Daemon name: /usr/sbin/httpd
Main configuration file: /etc/httpd/conf/httpd.conf
Service port: 80
Web directory: /var/www/html
■ "Service open procedure" when opening a new service (EX: httpd)
(ㄱ) Install the software
# yum -y install httpd httpd-tools
(ㄴ) Turn the service ON
# chkconfig httpd on
# service httpd start
(ㄷ) Register the service with the firewall
# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
# service iptables save /* /etc/sysconfig/iptables */
(ㄹ) SELinux configuration
(service boolean settings)
# getsebool -a | grep httpd
-> check the audit messages (AVC denied messages)
-> turn on the appropriate boolean
(EX) # setsebool httpd_enable_homedirs on
# setsebool -P httpd_enable_homedirs on
(files the service daemon reads)
-> check the audit messages (AVC denied messages)
(EX) # mv /home/user01/index.html /var/www/html
# chcon -t httpd_sys_content_t /var/www/html/index.html
# semanage fcontext -a -t httpd_sys_content_t /var/www/html/index.html
u: user
r: role
t: type
s: security level
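The Python below, added here and not part of the original notes, does the "check the AVC denied messages" step from the procedure above programmatically: it parses audit.log records like those captured in the FTP lab, splits a security context into the u/r/t/s fields just listed, and pulls out the AVC denials with the source and target types that decide whether a boolean or a file context has to change. The log sample is constructed; its AVC record is made up to resemble a vsftpd denial, and the function names are my own.

```python
import re

# Constructed sample log: the first two records copy the shape of the USER_AUTH /
# USER_ACCT lines captured in the FTP lab; the AVC record is made up to resemble the
# denial vsftpd hits in enforcing mode and is not from the original notes.
SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1412947954.776:104): user pid=3831 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="user01" exe="/usr/sbin/vsftpd" hostname=192.168.10.100 addr=192.168.10.100 terminal=ftp res=success'
type=USER_ACCT msg=audit(1412947954.780:105): user pid=3831 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="user01" exe="/usr/sbin/vsftpd" hostname=192.168.10.100 addr=192.168.10.100 terminal=ftp res=success'
type=AVC msg=audit(1412947955.102:107): avc:  denied  { search } for  pid=3831 comm="vsftpd" name="user01" dev=dm-0 ino=131074 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
"""

FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")   # key=value, value may be quoted
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")

def parse_context(ctx):
    """Split a security context into u=user, r=role, t=type, s=security level
    (the level keeps its ':'-separated MCS categories, hence maxsplit=3)."""
    user, role, stype, level = ctx.split(":", 3)
    return {"u": user, "r": role, "t": stype, "s": level}

def parse_audit_record(line):
    """One audit.log record -> dict of its top-level key=value fields; AVC records
    also get 'avc_result' and the list of requested 'permissions'."""
    rec = {k: v.strip("'\"") for k, v in FIELD_RE.findall(line)}
    m = AVC_RE.search(line)
    if m:
        rec["avc_result"] = m.group(1)
        rec["permissions"] = m.group(2).split()
    return rec

def find_avc_denials(log_text):
    """Return the AVC denials with the source/target types read off their contexts,
    which is what decides whether a boolean or a file context needs changing."""
    denials = []
    for line in log_text.splitlines():
        rec = parse_audit_record(line)
        if rec.get("type") == "AVC" and rec.get("avc_result") == "denied":
            denials.append({
                "comm": rec.get("comm"),
                "source_type": parse_context(rec["scontext"])["t"],
                "target_type": parse_context(rec["tcontext"])["t"],
                "tclass": rec["tclass"],
                "permissions": rec["permissions"],
            })
    return denials
```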