SELinux 了解及CentOS7 中 semanage命令的安装

5,862 阅读5分钟

SELinux 安全子系统

SELinux(Security-Enhanced Linux)是美国国家安全局在Linux开源社区的帮助下开发的一个强制访问控制(MAC,Mandatory Access Control)的安全子系统。RHEL 7系统使用SELinux技术的目的是为了让各个服务进程都受到约束,使其仅获取到本应获取的资源。

例如,您在自己的电脑上下载了一个美图软件,当您全神贯注地使用它给照片进行美颜的时候,它却在后台默默监听着浏览器中输入的密码信息,而这显然不应该是它应做的事情。SELinux安全子系统就是为了杜绝此类情况而设计的,它能够从多方面监控违法行为:对服务程序的功能进行限制(SELinux域限制可以确保服务程序做不了出格的事情);对文件资源的访问限制(SELinux安全上下文确保文件资源只能被其所属的服务程序进行访问)。

SELinux服务有三种配置模式:

  • enforcing:强制启用安全策略模式,将拦截服务的不合法请求。
  • permissive:遇到服务越权访问时,只发出警告而不强制拦截。
  • disabled:对于越权的行为不警告也不拦截。

我这里默认就是 enforcing的(可查看该服务的主配置文件 /etc/selinux/config)。


vi /etc/selinux/config
 
关闭:SELINUX=disabled
开启:SELINUX=1

重启
reboot
查看状态
sestatus


把SELinux当前的运行模式修改为禁用(通过命令 setenforce [0|1],0代表禁用、1代表启用),该修改在重启系统后失效

可以通过 getenforce 命令查看 SELinux服务的运行状态。

# setenforce 0
# getenforce 
Permissive

httpd服务程序的功能是允许用户访问网站内容,因此SELinux肯定会默认放行用户对网站的请求操作。但是,我们将网站数据的默认保存目录修改为了/home/wwwroot,而这就产生问题了。/home目录是用来存放普通用户的家目录数据的,而现在,httpd提供的网站服务却要去获取普通用户家目录中的数据了,这显然违反了SELinux的监管原则。

把SELinux服务恢复到强制启用安全策略模式,然后分别查看原始网站数据的保存目录与当前网站数据的保存目录是否拥有不同的SELinux安全上下文值:

# ls -Zd /var/www/html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/htm
# ls -Zd /home/safiri
drwx------. safiri safiri unconfined_u:object_r:user_home_dir_t:s0 /home/safiri

用户段system_u代表系统进程的身份 角色段object_r代表文件目录的角色 类型段httpd_sys_content_t代表网站服务的系统文件。

针对当前这种情况,我们只需要使用semanage命令,将当前网站目录/home/wwwroot的SELinux安全上下文修改为跟原始网站目录的一样就可以了。

semanage 命令

semanage命令用于管理SELinux的策略,格式为“semanage [选项] [文件]”。常用参数及作用: -l 查询、-a 添加、-m 修改、-d 删除

向新的网站数据目录中新添加一条SELinux安全上下文,让这个目录以及里面的所有文件能够被httpd服务程序所访问到:

设置后,还需使用 restorecon 命令使设置立即生效,-Rv参数对指定的目录进行递归操作,以及显示SELinux安全上下文的修改过程。最后,再次刷新页面,就可以正常看到网页内容了。

安装semanage

# yum provides semanage 

***********
*********
****省略内容****
***********
# Filename : /usr/sbin/semanage

以上命令执行成功后,再执行:
# yum -y install policycoreutils-python.x86_64

可能用到的安装seinfo/sesearch
# yum install setools-console.x86_64

遇到的错误

ValueError: 没有管理 SELinux 策略或者无法访问存储。

ValueError: SELinux policy is not managed or store cannot be accessed.

Cannot set persistent booleans without managed policy.

以上错误找了好久的解决办法:

blog.siphos.be/2014/10/mig…


In a few moments, SELinux users which have the \~arch KEYWORDS set (either globally or for the SELinux utilities in particular) will notice that the SELinux userspace will upgrade to version 2.4 (release candidate 5 for now). This upgrade comes with a manual step that needs to be performed after upgrade. The information is mentioned as post-installation message of the policycoreutils package, and basically sais that you need to execute:

~# /usr/libexec/selinux/semanage_migrate_store
The reason is that the SELinux utilities expect the SELinux policy module store (and the semanage related files) to be in /var/lib/selinux and no longer in /etc/selinux. Note that this does not mean that the SELinux policy itself is moved outside of that location, nor is the basic configuration file (/etc/selinux/config). It is what tools such as semanage manage that is moved outside that location.

I tried to automate the migration as part of the packages themselves, but this would require the portage_t domain to be able to move, rebuild and load policies, which it can't (and to be honest, shouldn't). Instead of augmenting the policy or making updates to the migration script as delivered by the upstream project, we currently decided to have the migration done manually. It is a one-time migration anyway.

If for some reason end users forget to do the migration, then that does not mean that the system breaks or becomes unusable. SELinux still works, SELinux aware applications still work; the only thing that will fail are updates on the SELinux configuration through tools like semanage or setsebool - the latter when you want to persist boolean changes.

~# semanage fcontext -l
ValueError: SELinux policy is not managed or store cannot be accessed.

~# setsebool -P allow_ptrace on
Cannot set persistent booleans without managed policy.
If you get those errors or warnings, all that is left to do is to do the migration. Note in the following that there is a warning about 'else' blocks that are no longer supported: that's okay, as far as I know (and it was mentioned on the upstream mailinglist as well as not something to worry about) it does not have any impact.

~# /usr/libexec/selinux/semanage_migrate_store
Migrating from /etc/selinux/mcs/modules/active to /var/lib/selinux/mcs/active
Attempting to rebuild policy from /var/lib/selinux
sysnetwork: Warning: 'else' blocks in optional statements are unsupported in CIL. Dropping from output.
You can also add in -c so that the old policy module store is cleaned up. You can also rerun the command multiple times:

~# /usr/libexec/selinux/semanage_migrate_store -c
warning: Policy type mcs has already been migrated, but modules still exist in the old store. Skipping store.
Attempting to rebuild policy from /var/lib/selinux
You can manually clean up the old policy module store like so:

~# rm -rf /etc/selinux/mcs/modules
So... don't worry - the change is small and does not break stuff. And for those wondering about CIL I'll talk about it in one of my next posts.