Tuesday, March 18, 2008

selinux on RHEL5.1

Today I enabled SELinux on RHEL 5.1; here are my notes:

1. Enable selinux:
[root@dns html]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
-> Change SELINUX=disabled to SELINUX=enforcing, then reboot.

2. Check the current SELinux status:
[root@dns html]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
For more detail, add the -v option:
[root@dns html]# sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted

Process contexts:
Current context: root:system_r:unconfined_t:SystemLow-SystemHigh
Init context: system_u:system_r:init_t
/sbin/mingetty system_u:system_r:getty_t
/usr/sbin/sshd system_u:system_r:unconfined_t:SystemLow-SystemHigh

File contexts:
Controlling term: root:object_r:devpts_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/bash system_u:object_r:shell_exec_t
/bin/login system_u:object_r:login_exec_t
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/sbin/init system_u:object_r:init_exec_t
/sbin/mingetty system_u:object_r:getty_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t

3. Check the SELinux booleans for a daemon, using httpd as the example:
[root@dns html]# getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> off
httpd_unified --> on

Booleans are set with setsebool. For example, when I do not want SELinux to confine httpd, I can do this:
[root@dns html]# setsebool -P httpd_disable_trans 1
[root@dns html]# getsebool -a | grep httpd_disable_trans
httpd_disable_trans --> on
Here 0 means off and 1 means on; the -P option makes the new boolean value persistent, so it is still applied after the next reboot.

Now a practice scenario: with SELinux enabled, allow the anonymous FTP account to get and put files, and to overwrite them.

1. Configure vsftpd (see the following configuration):
[root@dns html]# cat /etc/vsftpd/vsftpd.conf | grep -v "^$" | grep -v "^#"
anonymous_enable=YES
anon_other_write_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

Before SELinux was enabled, this configuration already met the requirement, but with SELinux enabled it hits a wall. Look at the following demonstration:
chiu-lawrencede-ibook-g4:~ Lawrence$ ftp 10.5.30.147
Connected to 10.5.30.147.
220 (vsFTPd 2.0.5)
Name (10.5.30.147:Lawrence): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> put backup.sh
local: backup.sh remote: backup.sh
229 Entering Extended Passive Mode (|||50891|)
553 Could not create file.
ftp>

Check the ftp booleans:
[root@dns pub]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_enable_ftp_server --> off
tftpd_disable_trans --> off
See that? allow_ftpd_anon_write --> off and allow_ftpd_full_access --> off. Let's enable them!
[root@dns pub]# setsebool -P allow_ftpd_anon_write 1
[root@dns pub]# setsebool -P allow_ftpd_full_access 1

Try putting the file again:
chiu-lawrencede-ibook-g4:~ Lawrence$ ftp 10.5.30.147
Connected to 10.5.30.147.
220 (vsFTPd 2.0.5)
Name (10.5.30.147:Lawrence): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> put backup.sh
local: backup.sh remote: backup.sh
229 Entering Extended Passive Mode (|||50580|)
150 Ok to send data.
100% |***********************************************************************************| 666 1.92 MB/s 00:00
226 File receive OK.
666 bytes sent in 00:00 (1.62 KB/s)
ftp> put backup.sh
local: backup.sh remote: backup.sh
229 Entering Extended Passive Mode (|||37711|)
150 Ok to send data.
100% |***********************************************************************************| 666 2.76 MB/s 00:00
226 File receive OK.
666 bytes sent in 00:00 (2.92 KB/s)
ftp>

Done.
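As an added check (example code written for this post, not part of the original), the following POSIX shell function parses a `getsebool -a` listing of the kind shown above and reports booleans that weaken confinement once they are switched on, such as httpd_disable_trans or allow_ftpd_full_access, so that each such change is deliberate and reviewed. The risky-name pattern and the sample listing are assumptions constructed from the post's own output.

```shell
#!/bin/sh
# Added example (not from the original post): audit a `getsebool -a` style
# listing for booleans that weaken confinement. Each input line has the form
# "name --> on|off", exactly as getsebool prints it on RHEL 5.

# Booleans treated as risky when "on": *_disable_trans turns off the domain
# transition for that daemon (it then runs unconfined), allow_*_anon_write
# and allow_ftpd_full_access widen what the daemon may write. The pattern is
# an assumption based on the booleans shown in the post.
RISKY_PATTERN='_disable_trans$|^allow_.*_anon_write$|^allow_ftpd_full_access$'

# audit_sebools: read the listing on stdin, print each risky boolean that is
# currently on (one per line). Returns 1 if any were found, 0 otherwise.
audit_sebools() {
    found=0
    while read -r name arrow value; do
        [ "$arrow" = "-->" ] || continue     # skip lines not in getsebool format
        [ "$value" = "on" ] || continue      # only booleans that are switched on
        if printf '%s\n' "$name" | grep -Eq "$RISKY_PATTERN"; then
            printf '%s\n' "$name"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample: the post's state after its setsebool -P commands.
SAMPLE='allow_ftpd_anon_write --> on
allow_ftpd_full_access --> on
ftpd_disable_trans --> off
httpd_disable_trans --> on
httpd_enable_cgi --> on
httpd_can_network_connect --> off'

# On a live host run: getsebool -a | audit_sebools
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | audit_sebools
fi
```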
