Category: LINUX
2017-06-25 13:03:52
OS: CentOS 6.5 x86_64
Application: apache-tomcat-8
SELinux tooling: yum install -y policycoreutils-python setools-console
SELinux requirement: Enforcing mode with the targeted policy, i.e.:
[root@localhost ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
[root@localhost ~]#
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@localhost ~]#
[root@localhost ~]# semanage login -l
Login Name                SELinux User              MLS/MCS Range
__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
[root@localhost ~]#
The output shows that root is explicitly mapped to unconfined_u (the unconfined SELinux user, i.e. no SELinux restrictions), and that every other account falls under the __default__ entry, which is also unconfined_u. With this default there is effectively no confinement at all. For example:
[yuanzhufu@localhost ~]$ ssh
's password:
[test@localhost ~]$ id
uid=501(test) gid=501(test) groups=501(test) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[test@localhost ~]$ poweroff
poweroff: Need to be root
[test@localhost ~]$ su
Password:
[root@localhost test]# poweroff
Broadcast message from
(/dev/pts/1) at 12:01 ...
The system is going down for power off NOW!
[root@localhost test]# Connection to 192.168.2.125 closed by remote host.
Connection to 192.168.2.125 closed.
[yuanzhufu@localhost ~]$
As the output shows, test logs in as SELinux user unconfined_u with the unconfined role unconfined_r and type unconfined_t, so the mandatory access control layer restricts nothing. Once an attacker has this ordinary account and also obtains root's (or another administrator's) password, su hands over a fully unconfined root shell and the consequences are obvious.
The SELinux users that the policy defines, and the roles each may take, can be listed with semanage user -l:
[root@localhost ~]# semanage user -l
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles
git_shell_u     user       s0         s0               git_shell_r
guest_u         user       s0         s0               guest_r
root            user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023   sysadm_r
system_u        user       s0         s0-s0:c0.c1023   system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023   system_r unconfined_r
user_u          user       s0         s0               user_r
xguest_u        user       s0         s0               xguest_r
[root@localhost ~]#
The first column, SELinux User, lists the available SELinux users; the last column lists the roles each of them is authorized to enter.
To tighten this, I change the default login SELinux user to guest_u, the guest user. Its permissions are minimal; if you want to know exactly what the guest_t domain may do, study the allow rules with sesearch --all -s guest_t (not covered here). One caveat before changing it: __default__ applies to every account without an explicit mapping, and guest_u cannot run su or sudo at all, so map your own administrative accounts to staff_u first (semanage login -a -s staff_u -r s0-s0:c0.c1023 <login>) and keep an existing root shell open until you have confirmed that you can still log in and escalate.
Command to change the default login SELinux user:
[root@localhost ~]# semanage login -m -s guest_u -r s0 __default__
[root@localhost ~]#
[root@localhost ~]# semanage login -l
Login Name                SELinux User              MLS/MCS Range
__default__               guest_u                   s0
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
[root@localhost ~]#
Now let's test whether test can still su to root and shut the machine down. Note that the new mapping only applies to new logins; sessions that are already open keep their old context.
[yuanzhufu@localhost ~]$ ssh
's password:
Last login: Sun Jun 25 12:01:01 2017 from 192.168.2.230
[test@localhost ~]$ id
uid=501(test) gid=501(test) groups=501(test) context=guest_u:guest_r:guest_t:s0
[test@localhost ~]$ su
-bash: su: command not found
[test@localhost ~]$ /bin/su
-bash: /bin/su: Permission denied
[test@localhost ~]$
[test@localhost ~]$ getenforce
getenforce: getenforce() failed
[test@localhost ~]$
OK, it no longer even has permission to execute su.
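To make the mapping change above repeatable, here is an added example (my own script, not from the original post) that audits captured `semanage login -l` output for logins still mapped to unconfined_u and prints the `semanage login -m` commands that would confine them. The sample output embedded at the bottom is constructed: it contains the post's three entries plus an assumed extra login, "alice". Nothing is applied unless you pipe the generated commands into sh.

```shell
# Added example, not part of the original post: audit the login mappings
# printed by `semanage login -l` and generate the semanage commands that
# move every still-unconfined login to a confined SELinux user.
# Reads captured command output from stdin, so it runs offline; the sample
# below is constructed for the demo (the login "alice" is assumed).

# Print, one per line, the login names mapped to unconfined_u that are not
# listed in ALLOW_UNCONFINED (space separated; defaults to "root", which the
# post leaves unconfined until step A below).
audit_unconfined_logins() {
    awk -v allow="${ALLOW_UNCONFINED:-root}" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # data lines have >= 3 fields with the SELinux user in field 2;
        # the header line ("Login Name  SELinux User ...") never matches
        NF >= 3 && $2 == "unconfined_u" && !($1 in ok) { print $1 }
    '
}

# Emit the semanage command for one login. SELinux users that have no MCS
# range in the `semanage user -l` table (guest_u, xguest_u, user_u,
# git_shell_u) get the plain level s0; the others keep the full range.
confine_cmd() {
    local login="$1" seuser="${2:-guest_u}" range
    case "$seuser" in
        guest_u|xguest_u|user_u|git_shell_u) range="s0" ;;
        *) range="s0-s0:c0.c1023" ;;
    esac
    printf 'semanage login -m -s %s -r %s %s\n' "$seuser" "$range" "$login"
}

# Dry run: print one command per offending login. To apply for real:
#   semanage login -l | harden_logins guest_u | sh
harden_logins() {
    local seuser="${1:-guest_u}" login
    audit_unconfined_logins | while read -r login; do
        confine_cmd "$login" "$seuser"
    done
}

# Constructed sample of `semanage login -l` output (not captured from the
# post's host): the post's three entries plus an assumed extra login.
SAMPLE_LOGIN_LIST='Login Name                SELinux User              MLS/MCS Range
__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
alice                     unconfined_u              s0-s0:c0.c1023'

# Shows the two commands the post would need for this sample:
# one for __default__ and one for alice; root is left alone.
printf '%s\n' "$SAMPLE_LOGIN_LIST" | harden_logins guest_u
```

Run the dry run first and read the output: any administrative account that shows up should be mapped to staff_u by hand (confine_cmd <login> staff_u) before __default__ is switched to guest_u, otherwise that administrator loses su and sudo at the next login.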
A. Change root's login mapping to the SELinux user root. The policy ships a separate SELinux user named root with its own context file (/etc/selinux/targeted/contexts/users/root), so root's login contexts can be tailored without touching unconfined_u:
[root@localhost ~]# semanage login -l
Login Name                SELinux User              MLS/MCS Range
__default__               guest_u                   s0
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
[root@localhost ~]# semanage login -m -s root root
[root@localhost ~]# semanage login -l
Login Name                SELinux User              MLS/MCS Range
__default__               guest_u                   s0
root                      root                      s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
[root@localhost ~]#
B. Edit the context file of the root SELinux user, /etc/selinux/targeted/contexts/users/root.
First authorize the user_r role for root, otherwise a user_r:user_t context in that file would be invalid for it (the table above shows root currently has only staff_r, sysadm_r, system_r and unconfined_r):
semanage user -m -R "staff_r sysadm_r system_r unconfined_r user_r" root
Then use the staff_u file as a template:
[root@localhost ~]# cd /etc/selinux/targeted/contexts/users
[root@localhost users]# ls
guest_u root staff_u unconfined_u user_u xguest_u
[root@localhost users]# mv root root.bak; cp staff_u root
[root@localhost users]#
After editing, the file reads:
[root@localhost users]# cat /etc/selinux/targeted/contexts/users/root
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
system_r:crond_t:s0 staff_r:staff_t:s0
system_r:xdm_t:s0 user_r:user_t:s0
system_r:initrc_su_t:s0 user_r:user_t:s0
sysadm_r:sysadm_su_t:s0 user_r:user_t:s0
sysadm_r:sysadm_sudo_t:s0 user_r:user_t:s0
[root@localhost users]#
Each line maps the context of the program performing the login (first field: local_login_t for the console, sshd_t for ssh, and so on) to the user contexts it may hand out, the first one listed being the default. Only the local_login_t line leads with an administrative context; sshd_t, remote_login_t, xdm_t and the su/sudo domains all resolve to user_r:user_t. The effect: root obtains administrative rights only when logging in at a local terminal, and has ordinary user rights through every other path.
Now let's test it.
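Because a mistake in this file can either lock root out of administration or leave ssh unconfined, here is an added check (my own script, not from the original post) to run over a contexts/users/<seuser> file before installing it. It parses the line format described above and rejects any file in which a remote entry domain can reach sysadm_r or unconfined_r. The hardened file is the one shown above; the "template" file that fails the check is constructed to resemble an unedited staff_u-style copy, and the set of entry types treated as remote (sshd_t, remote_login_t, xdm_t) is an assumption of the check.

```shell
# Added example, not part of the original post: check a
# /etc/selinux/targeted/contexts/users/<seuser> file before installing it.
# Each line is "<entry context> <candidate context> ...": the entry context
# is the domain of the program performing the login (local_login_t, sshd_t,
# ...) and the first candidate is the default context handed to that login.
# Policy enforced here: an administrative role (sysadm_r, unconfined_r) may
# appear only behind local_login_t. The set of "remote" entry types is an
# assumption of this check.

# Print the default (first candidate) role for an entry type, or nothing
# if the file has no line for it.
default_role_for() {
    local file="$1" entry_type="$2"
    awk -v t="$entry_type" '
        $1 ~ ("^[^:]+:" t ":") { split($2, c, ":"); print c[1]; exit }
    ' "$file"
}

# Return 0 if no remote entry domain can reach an admin role; otherwise
# print the offending lines and return 1.
check_remote_roles() {
    local file="$1" bad
    bad=$(awk '
        BEGIN {
            remote["sshd_t"] = 1; remote["remote_login_t"] = 1; remote["xdm_t"] = 1
            admin["sysadm_r"] = 1; admin["unconfined_r"] = 1
        }
        NF >= 2 {
            split($1, e, ":")           # e[2] is the entry type
            if (!(e[2] in remote)) next
            for (i = 2; i <= NF; i++) {
                split($i, c, ":")       # c[1] is the candidate role
                if (c[1] in admin) { print; break }
            }
        }
    ' "$file")
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

WORK=$(mktemp -d)

# The finished root file from the post (whitespace between fields is free-form).
cat > "$WORK/root.hardened" <<'EOF'
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
system_r:crond_t:s0 staff_r:staff_t:s0
system_r:xdm_t:s0 user_r:user_t:s0
system_r:initrc_su_t:s0 user_r:user_t:s0
sysadm_r:sysadm_su_t:s0 user_r:user_t:s0
sysadm_r:sysadm_sudo_t:s0 user_r:user_t:s0
EOF

# Constructed "before" file (assumed, not captured from the post's host): a
# staff_u-style template in which ssh and X logins can still reach
# unconfined_r, i.e. what a copied but unedited file would look like.
cat > "$WORK/root.template" <<'EOF'
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:remote_login_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:crond_t:s0 staff_r:staff_t:s0
system_r:xdm_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
EOF

for f in root.hardened root.template; do
    printf '%s: default role via sshd_t = %s\n' "$f" "$(default_role_for "$WORK/$f" sshd_t)"
    if check_remote_roles "$WORK/$f"; then
        echo "$f: OK, admin roles reachable only through local_login_t"
    else
        echo "$f: REJECT, a remote entry domain can reach an admin role"
    fi
done
```

For the real file, run check_remote_roles /etc/selinux/targeted/contexts/users/root after editing and confirm that default_role_for local_login_t still returns an administrative role, so that the console remains your recovery path.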
[yuanzhufu@localhost ~]$ ssh
's password:
Last login: Sun Jun 25 12:06:18 2017 from 192.168.2.230
Could not chdir to home directory /root: Permission denied
-bash: /root/.bash_profile: Permission denied
-bash-4.1# id
uid=0(root) gid=0(root) groups=0(root) context=root:user_r:user_t:s0-s0:c0.c1023
-bash-4.1# poweroff
shutdown: Failed to connect to socket /com/ubuntu/upstart: Permission denied
-bash-4.1#
Broadcast message from
(/dev/pts/1) at 12:37 ...
The system is going down for power off NOW!
-bash-4.1# ls
ls: cannot access root: Permission denied
bin cgroup db.log etc lib lost+found misc net proc sbin srv tmp var
boot data dev home lib64 media mnt opt root selinux sys usr
-bash-4.1# runlevel
N 3
-bash-4.1# passwd
passwd: root:user_r:user_t:s0-s0:c0.c1023 is not authorized to change the password of root
-bash-4.1# passwd test
passwd: root:user_r:user_t:s0-s0:c0.c1023 is not authorized to change the password of test
-bash-4.1#
Logged in over ssh, root has only the user_r role and cannot do administrative work: poweroff manages to send the wall broadcast but shutdown is denied the upstart socket and the session simply continues (the runlevel is still 3), /root is unreadable, and neither root's own password nor test's can be changed. Note that uid 0 alone no longer means anything here; what counts is the user_t domain. Now let's look at the rights a local terminal login gets:
OK, the SELinux hardening is more or less done.
Next let's look at the role the tomcat service runs with under SELinux:
Hmm, tomcat runs in the unconfined java domain (unconfined_java_t, role unconfined_r). Let's also check whether root logged in over ssh can still see it:
With these changes the site's security should be improved considerably. Exactly how much, you are welcome to test for yourselves.
OK, that's it for now, off to cook dinner!