Configuring SELinux policies - CentOS Wiki

SELinux logic and policy

Security Enhanced Linux (SELinux) was developed by the US National Security Agency (NSA) and first released in 2000; the project is distributed under the GPL. Its stated goal is a level of protection that makes a system acceptable for military and government use. SELinux is an extension to the Linux kernel (a Linux Security Module) that adds mandatory access control on top of the usual owner and permission bits: every process and object carries a security context, and the loaded policy decides which process domains may perform which operations on which object types. The rules cannot be relaxed by the processes themselves, not even when they run as root, which is what allows the access of individual services and users to be regulated strictly and yet flexibly.

Which policy settings do I need?

getsebool -a

lists every boolean (a policy setting that can be switched) you are allowed to change on this system, one per line in the form name --> on or name --> off. With SELinux enabled, this list tells you which behaviour of the installed services can be tuned without writing policy of your own.


sestatus

To check whether SELinux is enabled, and in which mode, run:

# sestatus

The Current mode line shows which of the two active modes is in effect:

enforcing - enforcing mode: the policy is applied and every denial is logged

permissive - warning mode: denials are only logged, nothing is blocked (useful for troubleshooting a service before switching back to enforcing)

If SELinux is switched off entirely, the first line reads SELinux status: disabled instead.

Note: you cannot change every boolean listed below, only those that getsebool -a shows on your machine. The list below was produced by system-config-selinux and includes every boolean that may exist, depending on which packages are installed. Booleans whose names end in _disable_trans switch off the domain transition for that daemon, so it no longer runs in its own confined domain; treat them as a last resort and prefer a boolean that grants just the access a service needs.

Example: SELinux does not let your httpd daemon talk to an LDAP server on the same machine, yet the web application has to authenticate against LDAP. First confirm that policy is really the cause: with SELinux in enforcing mode the refused connection is recorded in /var/log/audit/audit.log as an avc: denied record whose scontext contains httpd_t (ausearch -m avc -c httpd lists such records). You also know that the booleans of interest contain the word httpd.

[root@localhost ~]# getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_bugzilla_script_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_nagios_script_anon_write --> off
allow_httpd_squid_script_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> on
httpd_unified --> on


httpd_can_network_connect looks relevant; its description, as shown by system-config-selinux, is:

httpd_can_network_connect (HTTPD Service): Allow HTTPD scripts and modules to connect to the network.

That looks like what we need:

setsebool -P httpd_can_network_connect on

That was indeed it: the application can now reach LDAP. The -P flag writes the value to the policy store so that it survives a reboot; without it the change is lost at the next boot. Keep in mind that httpd_can_network_connect lets httpd and everything it runs (CGI, PHP, modules) open connections to any host and port, not just the local LDAP server. Where a narrower boolean covers the case, use it instead: httpd_can_network_connect_db for database connections is already in the list above, and newer policy releases add further specific ones (for example httpd_can_connect_ldap), which you can look for with getsebool -a | grep httpd_can.
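The two steps above, reading the AVC denial and picking a boolean out of getsebool -a, can be scripted so that the decision is made from the log record rather than from guesswork. The script below is an added example and is not code from the original wiki page. SAMPLE_AVC and SAMPLE_BOOLS are constructed samples in the formats that auditd and getsebool -a produce; the function names and the "domain prefix plus permission" heuristic in candidate_booleans are my own assumptions, not part of any SELinux tool.

```shell
#!/bin/sh
# Added example, not from the original page: go from an AVC denial record to
# the boolean(s) that could address it, without touching a live system.
# SAMPLE_AVC and SAMPLE_BOOLS are CONSTRUCTED samples; on a real host use
#   SAMPLE_AVC=$(ausearch -m avc -c httpd --raw | tail -n 1)
#   SAMPLE_BOOLS=$(getsebool -a)

SAMPLE_AVC='type=AVC msg=audit(1203456789.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=389 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket'

SAMPLE_BOOLS='allow_httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_disable_trans --> off
httpd_enable_cgi --> on'

# avc_field LINE KEY -> value of "KEY=value" in the AVC record (scontext, tclass, ...)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_permission LINE -> the denied permission, i.e. the word between { and }
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ *\([^}]*\)}.*/\1/p' | tr -d ' '
}

# domain_name LINE -> short domain name: root:system_r:httpd_t:s0 -> httpd
domain_name() {
    avc_field "$1" scontext | awk -F: '{ sub(/_t$/, "", $3); print $3 }'
}

# bools_matching BOOLS REGEX [STATE] -> names of booleans matching REGEX
# (extended regex) and, if given, currently in STATE (on/off)
bools_matching() {
    printf '%s\n' "$1" | awk -v pat="$2" -v st="${3:-}" '
        $1 ~ pat && (st == "" || $3 == st) { print $1 }'
}

# candidate_booleans LINE BOOLS -> booleans that are off, belong to the denied
# domain and, for a name_connect denial, mention network_connect.
# Heuristic (assumption): read each candidate's description with
# `semanage boolean -l` before enabling it, and prefer the narrowest one.
candidate_booleans() {
    dom=$(domain_name "$1")
    case "$(avc_permission "$1")" in
        name_connect) extra='network_connect' ;;
        *)            extra='' ;;
    esac
    bools_matching "$2" "^(allow_)?${dom}_.*${extra}" off
}

# enable_boolean NAME -> make the change persistent (-P survives reboot).
# Needs root and a host with SELinux; only run after reviewing the candidate.
enable_boolean() {
    command -v setsebool >/dev/null 2>&1 || { echo 'setsebool not found' >&2; return 1; }
    setsebool -P "$1" on && getsebool "$1"
}

printf 'denied %s on %s for domain %s\n' \
    "$(avc_permission "$SAMPLE_AVC")" \
    "$(avc_field "$SAMPLE_AVC" tclass)" \
    "$(domain_name "$SAMPLE_AVC")"
printf 'candidate booleans (currently off):\n'
candidate_booleans "$SAMPLE_AVC" "$SAMPLE_BOOLS"
```

For the constructed denial the script reports a name_connect denial on a tcp_socket for domain httpd and proposes httpd_can_network_connect and httpd_can_network_connect_db; the operator still decides which one to pass to enable_boolean, since the boolean that fixes the denial with the least extra access is not always the first match.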


system-config-selinux

system-config-selinux is a graphical front end for managing SELinux settings, including the booleans. If the machine has a GUI, it is worth installing it and making changes through it, since it shows the description of each boolean next to its switch.

Install it with:

yum install policycoreutils-gui
      


List of SELinux booleans

acct_disable_trans (SELinux Service Protection)

allow_cvs_read_shadow (CVS)

allow_daemons_dump_core (Admin)

allow_daemons_use_tty (Admin)

allow_execheap (Memory Protection)

allow_execmem (Memory Protection)

allow_execmod (Memory Protection)

allow_execstack (Memory Protection)

allow_ftpd_full_access (FTP)

allow_ftpd_anon_write (FTP)

allow_ftpd_use_cifs (FTP)

allow_ftpd_use_nfs (FTP)

allow_gpg_execstack (Memory Protection)

allow_gssd_read_tmp (NFS)

allow_httpd_anon_write (HTTPD Service)

allow_httpd_mod_auth_pam (HTTPD Service)

allow_httpd_sys_script_anon_write (HTTPD Service)

allow_java_execstack (Memory Protection)

allow_kerberos (Kerberos)

allow_mount_anyfile (Mount)

allow_mounton_anydir (Mount)

allow_mplayer_execstack (Memory Protection)

allow_nfsd_anon_write (NFS)

allow_polyinstantiation (Polyinstantiation)

allow_ptrace (Compatibility)

allow_rsync_anon_write (rsync)

allow_smbd_anon_write (Samba)

allow_ssh_keysign (SSH)

allow_unconfined_execmem_dyntrans (Memory Protection)

allow_user_mysql_connect (Databases)

allow_user_postgresql_connect (Databases)

allow_write_xshm (XServer)

allow_ypbind (NIS)

allow_zebra_write_config (Zebra)

amanda_disable_trans (SELinux Service Protection)

amavis_disable_trans (SELinux Service Protection)

apmd_disable_trans (SELinux Service Protection)

arpwatch_disable_trans (SELinux Service Protection)

auditd_disable_trans (SELinux Service Protection)

automount_disable_trans (Mount)

avahi_disable_trans (SELinux Service Protection)

bluetooth_disable_trans (SELinux Service Protection)

canna_disable_trans (SELinux Service Protection)

cardmgr_disable_trans (SELinux Service Protection)

ccs_disable_trans (SELinux Service Protection)

cdrecord_read_content (User Privs)

ciped_disable_trans (SELinux Service Protection)

clamd_disable_trans (SELinux Service Protection)

clamscan_disable_trans (SELinux Service Protection)

clvmd_disable_trans (SELinux Service Protection)

comsat_disable_trans (SELinux Service Protection)

courier_authdaemon_disable_trans (SELinux Service Protection)

courier_pcp_disable_trans (SELinux Service Protection)

courier_pop_disable_trans (SELinux Service Protection)

courier_sqwebmail_disable_trans (SELinux Service Protection)

courier_tcpd_disable_trans (SELinux Service Protection)

cpucontrol_disable_trans (SELinux Service Protection)

cpuspeed_disable_trans (SELinux Service Protection)

cron_can_relabel (Cron)

crond_disable_trans (Cron)

cupsd_config_disable_trans (Printing)

cupsd_disable_trans (Printing)

cupsd_lpd_disable_trans (Printing)

cvs_disable_trans (CVS)

cyrus_disable_trans (SELinux Service Protection)

dbskkd_disable_trans (SELinux Service Protection)

dbusd_disable_trans (SELinux Service Protection)

dccd_disable_trans (SELinux Service Protection)

dccifd_disable_trans (SELinux Service Protection)

dccm_disable_trans (SELinux Service Protection)

ddt_client_disable_trans (SELinux Service Protection)

devfsd_disable_trans (SELinux Service Protection)

dhcpc_disable_trans (SELinux Service Protection)

dhcpd_disable_trans (SELinux Service Protection)

dictd_disable_trans (SELinux Service Protection)

direct_sysadm_daemon (Admin)

disable_evolution_trans (Web Applications)

disable_games_trans (Games)

disable_mozilla_trans (Web Applications)

disable_thunderbird_trans (Web Applications)

distccd_disable_trans (SELinux Service Protection)

dmesg_disable_trans (SELinux Service Protection)

dnsmasq_disable_trans (SELinux Service Protection)

dovecot_disable_trans (SELinux Service Protection)

entropyd_disable_trans (SELinux Service Protection)

fcron_crond (Cron)

fetchmail_disable_trans (SELinux Service Protection)

fingerd_disable_trans (SELinux Service Protection)

freshclam_disable_trans (SELinux Service Protection)

fsdaemon_disable_trans (SELinux Service Protection)

ftpd_disable_trans (FTP)

ftpd_is_daemon (FTP)

ftp_home_dir (FTP)

global_ssp (Admin)

gpm_disable_trans (SELinux Service Protection)

gssd_disable_trans (NFS)

hald_disable_trans (SELinux Service Protection)

hide_broken_symptoms (Compatibility)

hostname_disable_trans (SELinux Service Protection)

hotplug_disable_trans (SELinux Service Protection)

howl_disable_trans (SELinux Service Protection)

hplip_disable_trans (Printing)

httpd_builtin_scripting (HTTPD Service)

httpd_can_network_connect_db (HTTPD Service)

httpd_can_network_connect (HTTPD Service)

httpd_can_network_relay (HTTPD Service)

httpd_disable_trans (HTTPD Service)

httpd_enable_cgi (HTTPD Service)

httpd_enable_ftp_server (HTTPD Service)

httpd_enable_homedirs (HTTPD Service)

httpd_rotatelogs_disable_trans (SELinux Service Protection)

httpd_ssi_exec (HTTPD Service)

httpd_suexec_disable_trans (HTTPD Service)

httpd_tty_comm (HTTPD Service)

httpd_unified (HTTPD Service)

hwclock_disable_trans (SELinux Service Protection)

i18n_input_disable_trans (SELinux Service Protection)

imazesrv_disable_trans (SELinux Service Protection)

inetd_child_disable_trans (SELinux Service Protection)

inetd_disable_trans (SELinux Service Protection)

innd_disable_trans (SELinux Service Protection)

iptables_disable_trans (SELinux Service Protection)

ircd_disable_trans (SELinux Service Protection)

irqbalance_disable_trans (SELinux Service Protection)

iscsid_disable_trans (SELinux Service Protection)

jabberd_disable_trans (SELinux Service Protection)

kadmind_disable_trans (Kerberos)

klogd_disable_trans (SELinux Service Protection)

krb5kdc_disable_trans (Kerberos)

ktalkd_disable_trans (SELinux Service Protection)

kudzu_disable_trans (SELinux Service Protection)

locate_disable_trans (SELinux Service Protection)

lpd_disable_trans (SELinux Service Protection)

lrrd_disable_trans (SELinux Service Protection)

lvm_disable_trans (SELinux Service Protection)

mailman_mail_disable_trans (SELinux Service Protection)

mail_read_content (Web Applications)

mdadm_disable_trans (SELinux Service Protection)

monopd_disable_trans (SELinux Service Protection)

mozilla_read_content (Web Applications)

mrtg_disable_trans (SELinux Service Protection)

mysqld_disable_trans (Databases)

nagios_disable_trans (SELinux Service Protection)

named_disable_trans (Name Service)

named_write_master_zones (Name Service)

nessusd_disable_trans (SELinux Service Protection)

NetworkManager_disable_trans (SELinux Service Protection)

nfsd_disable_trans (NFS)

nfs_export_all_ro (NFS)

nfs_export_all_rw (NFS)

nmbd_disable_trans (Samba)

nrpe_disable_trans (SELinux Service Protection)

nscd_disable_trans (Name Service)

nsd_disable_trans (SELinux Service Protection)

ntpd_disable_trans (SELinux Service Protection)

oddjob_disable_trans (SELinux Service Protection)

oddjob_mkhomedir_disable_trans (SELinux Service Protection)

openvpn_disable_trans (SELinux Service Protection)

pam_console_disable_trans (SELinux Service Protection)

pegasus_disable_trans (SELinux Service Protection)

perdition_disable_trans (SELinux Service Protection)

portmap_disable_trans (SELinux Service Protection)

portslave_disable_trans (SELinux Service Protection)

postfix_disable_trans (SELinux Service Protection)

postgresql_disable_trans (Databases)

pppd_can_insmod (pppd)

pppd_disable_trans (pppd)

pppd_for_user (pppd)

pptp_disable_trans (SELinux Service Protection)

prelink_disable_trans (SELinux Service Protection)

privoxy_disable_trans (SELinux Service Protection)

ptal_disable_trans (SELinux Service Protection)

pxe_disable_trans (SELinux Service Protection)

pyzord_disable_trans (SELinux Service Protection)

quota_disable_trans (SELinux Service Protection)

radiusd_disable_trans (SELinux Service Protection)

radvd_disable_trans (SELinux Service Protection)

rdisc_disable_trans (SELinux Service Protection)

readahead_disable_trans (SELinux Service Protection)

read_default_t (Admin)

read_untrusted_content (Web Applications)

restorecond_disable_trans (SELinux Service Protection)

rhgb_disable_trans (SELinux Service Protection)

ricci_disable_trans (SELinux Service Protection)

ricci_modclusterd_disable_trans (SELinux Service Protection)

rlogind_disable_trans (SELinux Service Protection)

rpcd_disable_trans (SELinux Service Protection)

rshd_disable_trans (SELinux Service Protection)

rsync_disable_trans (rsync)

run_ssh_inetd (SSH)

samba_enable_home_dirs (Samba)

samba_share_nfs (Samba)

allow_saslauthd_read_shadow (SASL authentication server)

saslauthd_disable_trans (SASL authentication server)

scannerdaemon_disable_trans (SELinux Service Protection)

secure_mode (Admin)

secure_mode_insmod (Admin)

secure_mode_policyload (Admin)

sendmail_disable_trans (SELinux Service Protection)

setrans_disable_trans (SELinux Service Protection)

setroubleshootd_disable_trans (SELinux Service Protection)

slapd_disable_trans (SELinux Service Protection)

slrnpull_disable_trans (SELinux Service Protection)

smbd_disable_trans (Samba)

snmpd_disable_trans (SELinux Service Protection)

snort_disable_trans (SELinux Service Protection)

soundd_disable_trans (SELinux Service Protection)

sound_disable_trans (SELinux Service Protection)

spamassassin_can_network (Spam Assassin)

spamd_disable_trans (spam Protection)

spamd_enable_home_dirs (spam Protection)

spammassasin_can_network (spam Protection)

speedmgmt_disable_trans (SELinux Service Protection)

squid_connect_any (Squid)

squid_disable_trans (Squid)

ssh_keygen_disable_trans (SSH)

ssh_sysadm_login (SSH)

staff_read_sysadm_file (Admin)

stunnel_disable_trans (Universal SSL tunnel)

stunnel_is_daemon (Universal SSL tunnel)

swat_disable_trans (SELinux Service Protection)

sxid_disable_trans (SELinux Service Protection)

syslogd_disable_trans (SELinux Service Protection)

system_crond_disable_trans (SELinux Service Protection)

tcpd_disable_trans (SELinux Service Protection)

telnetd_disable_trans (SELinux Service Protection)

tftpd_disable_trans (SELinux Service Protection)

transproxy_disable_trans (SELinux Service Protection)

udev_disable_trans (SELinux Service Protection)

uml_switch_disable_trans (SELinux Service Protection)

unlimitedInetd (Admin)

unlimitedRC (Admin)

unlimitedRPM (Admin)

unlimitedUtils (Admin)

updfstab_disable_trans (SELinux Service Protection)

uptimed_disable_trans (SELinux Service Protection)

use_lpd_server (Printing)

use_nfs_home_dirs (NFS)

user_canbe_sysadm (User Privs)

user_can_mount (Mount)

user_direct_mouse (User Privs)

user_dmesg (User Privs)

user_net_control (User Privs)

user_ping (User Privs)

user_rw_noexattrfile (User Privs)

user_rw_usb (User Privs)

user_tcp_server (User Privs)

user_ttyfile_stat (User Privs)

use_samba_home_dirs (Samba)

uucpd_disable_trans (SELinux Service Protection)

vmware_disable_trans (SELinux Service Protection)

watchdog_disable_trans (SELinux Service Protection)

winbind_disable_trans (Samba)

write_untrusted_content (Web Applications)

xdm_disable_trans (SELinux Service Protection)

xdm_sysadm_login (XServer)

xend_disable_trans (SELinux Service Protection)

xen_use_raw_disk (XEN)

xfs_disable_trans (SELinux Service Protection)

xm_disable_trans (SELinux Service Protection)

ypbind_disable_trans (NIS)

yppasswdd_disable_trans (NIS)

ypserv_disable_trans (SELinux Service Protection)

ypxfr_disable_trans (NIS)

zebra_disable_trans (SELinux Service Protection)

httpd_use_cifs (HTTPD Service)

httpd_use_nfs (HTTPD Service)

samba_domain_controller (Samba)

samba_export_all_ro (Samba)

samba_export_all_rw (Samba)

webadm_manage_users_files (HTTPD Service)

webadm_read_users_files (HTTPD Service)
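The list above mixes booleans that tune one service with booleans that weaken SELinux itself: the Memory Protection group (allow_execmem, allow_execstack and friends), allow_ptrace, the unlimited* entries and every *_disable_trans switch. The script below, an added example that is not part of the original page, audits getsebool -a output for such booleans that are currently on. The sample output is constructed for the demonstration, and the grouping of names into "weakening" patterns is my own reading of the list, not a classification taken from the policy.

```shell
#!/bin/sh
# Added example, not from the original page: report booleans that remove
# protection (rather than grant one service one access) and are switched on.
# GETSEBOOL_OUTPUT is a CONSTRUCTED sample in `getsebool -a` format; on a
# real host use: GETSEBOOL_OUTPUT=$(getsebool -a)

GETSEBOOL_OUTPUT='allow_execheap --> off
allow_execmem --> on
allow_execstack --> on
allow_ptrace --> off
httpd_can_network_connect --> on
httpd_disable_trans --> on
httpd_enable_cgi --> on
postfix_disable_trans --> off
secure_mode_policyload --> off
unlimitedRPM --> off
unlimitedUtils --> on'

# Extended regexes, one per line, for booleans whose "on" state weakens
# confinement (assumption: my grouping of the names in the list above).
WEAKENING_PATTERNS='_disable_trans$
^disable_.*_trans$
^allow_exec(heap|mem|mod|stack)$
^allow_.*_execstack$
^allow_ptrace$
^unlimited'

# weakening_on OUTPUT -> names of booleans that match a pattern and are on
weakening_on() {
    printf '%s\n' "$1" | awk -v pats="$WEAKENING_PATTERNS" '
        BEGIN { n = split(pats, p, "\n") }
        $3 == "on" {
            for (i = 1; i <= n; i++)
                if ($1 ~ p[i]) { print $1; break }
        }'
}

# weakening_count OUTPUT -> number of such booleans; 0 means nothing to review
weakening_count() {
    weakening_on "$1" | awk 'END { print NR }'
}

echo 'booleans that weaken confinement and are on:'
weakening_on "$GETSEBOOL_OUTPUT"
printf 'count: %s\n' "$(weakening_count "$GETSEBOOL_OUTPUT")"
```

Run against the constructed sample the report lists allow_execmem, allow_execstack, httpd_disable_trans and unlimitedUtils. A service boolean such as httpd_can_network_connect being on is a decision to review per service, so it is deliberately not flagged. Later policy releases dropped the *_disable_trans booleans in favour of marking a single domain permissive (semanage permissive -a httpd_t), which keeps the logging while removing enforcement for that domain only.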

Author: Alexander