[translated]Implementing Mandatory Access Control

...with SELinux or AppArmor in Linux
alim0x 2016-08-10 21:09:37 +08:00 committed by GitHub
parent 35a7b4b8d3
commit ae99559d8b
2 changed files with 247 additions and 250 deletions


@ -1,250 +0,0 @@
alim0x translating
Implementing Mandatory Access Control with SELinux or AppArmor in Linux
===========================================================================
To overcome the limitations of and to increase the security mechanisms provided by standard ugo/rwx permissions and [access control lists][1], the United States National Security Agency (NSA) devised a flexible Mandatory Access Control (MAC) method known as SELinux (short for Security Enhanced Linux) in order to restrict among other things, the ability of processes to access or perform other operations on system objects (such as files, directories, network ports, etc) to the least permission possible, while still allowing for later modifications to this model.
![](http://www.tecmint.com/wp-content/uploads/2016/06/SELinux-AppArmor-Security-Hardening-Linux.png)
>SELinux and AppArmor Security Hardening Linux
Another popular and widely-used MAC is AppArmor, which in addition to the features provided by SELinux, includes a learning mode that allows the system to “learn” how a specific application behaves, and to set limits by configuring profiles for safe application usage.
In CentOS 7, SELinux is incorporated into the kernel itself and is enabled in Enforcing mode by default (more on this in the next section), as opposed to openSUSE and Ubuntu which use AppArmor.
In this article we will explain the essentials of SELinux and AppArmor and how to use one of these tools for your benefit depending on your chosen distribution.
### Introduction to SELinux and How to Use it on CentOS 7
Security Enhanced Linux can operate in two different ways:
- Enforcing: SELinux denies access based on SELinux policy rules, a set of guidelines that control the security engine.
- Permissive: SELinux does not deny access, but denials are logged for actions that would have been denied if running in enforcing mode.
SELinux can also be disabled. Although it is not an operation mode itself, it is still an option. However, learning how to use this tool is better than just ignoring it. Keep it in mind!
To display the current mode of SELinux, use getenforce. If you want to toggle the operation mode, use setenforce 0 (to set it to Permissive) or setenforce 1 (Enforcing).
Since this change will not survive a reboot, you will need to edit the /etc/selinux/config file and set the SELINUX variable to either enforcing, permissive, or disabled in order to achieve persistence across reboots:
![](http://www.tecmint.com/wp-content/uploads/2016/06/Enable-Disable-SELinux-Mode.png)
>How to Enable and Disable SELinux Mode
On a side note, if getenforce returns Disabled, you will have to edit /etc/selinux/config with the desired operation mode and reboot. Otherwise, you will not be able to set (or toggle) the operation mode with setenforce.
One of the typical uses of setenforce consists of toggling between SELinux modes (from enforcing to permissive or the other way around) to troubleshoot an application that is misbehaving or not working as expected. If it works after you set SELinux to Permissive mode, you can be confident youre looking at a SELinux permissions issue.
Two classic cases where we will most likely have to deal with SELinux are:
- Changing the default port where a daemon listens on.
- Setting the DocumentRoot directive for a virtual host outside of /var/www/html.
Lets take a look at these two cases using the following examples.
#### EXAMPLE 1: Changing the default port for the sshd daemon
One of the first thing most system administrators do in order to secure their servers is change the port where the SSH daemon listens on, mostly to discourage port scanners and external attackers. To do this, we use the Port directive in `/etc/ssh/sshd_config` followed by the new port number as follows (we will use port 9999 in this case):
```
Port 9999
```
After attempting to restart the service and checking its status we will see that it failed to start:
```
# systemctl restart sshd
# systemctl status sshd
```
![](http://www.tecmint.com/wp-content/uploads/2016/06/Check-sshd-Service-Status.png)
>Check SSH Service Status
If we take a look at /var/log/audit/audit.log, we will see that sshd was prevented from starting on port 9999 by SELinux because that is a reserved port for the JBoss Management service (SELinux log messages include the word “AVC” so that they might be easily identified from other messages):
```
# cat /var/log/audit/audit.log | grep AVC | tail -1
```
![](http://www.tecmint.com/wp-content/uploads/2016/06/Check-Linux-Audit-Logs.png)
>Check Linux Audit Logs
At this point most people would probably disable SELinux but we wont. We will see that theres a way for SELinux, and sshd listening on a different port, to live in harmony together. Make sure you have the policycoreutils-python package installed and run:
```
# yum install policycoreutils-python
```
To view a list of the ports where SELinux allows sshd to listen on. In the following image we can also see that port 9999 was reserved for another service and thus we cant use it to run another service for the time being:
```
# semanage port -l | grep ssh
```
Of course we could choose another port for SSH, but if we are certain that we will not need to use this specific machine for any JBoss-related services, we can then modify the existing SELinux rule and assign that port to SSH instead:
```
# semanage port -m -t ssh_port_t -p tcp 9999
```
After that, we can use the first semanage command to check if the port was correctly assigned, or the -lC options (short for list custom):
```
# semanage port -lC
# semanage port -l | grep ssh
```
![](http://www.tecmint.com/wp-content/uploads/2016/06/Assign-Port-to-SSH.png)
>Assign Port to SSH
We can now restart SSH and connect to the service using port 9999. Note that this change WILL survive a reboot.
#### EXAMPLE 2: Choosing a DocumentRoot outside /var/www/html for a virtual host
If you need to [set up a Apache virtual host][2] using a directory other than /var/www/html as DocumentRoot (say, for example, `/websrv/sites/gabriel/public_html`):
```
DocumentRoot “/websrv/sites/gabriel/public_html”
```
Apache will refuse to serve the content because the index.html has been labeled with the default_t SELinux type, which Apache cant access:
```
# wget http://localhost/index.html
# ls -lZ /websrv/sites/gabriel/public_html/index.html
```
![](http://www.tecmint.com/wp-content/uploads/2016/06/Labeled-default_t-SELinux-Type.png)
>Labeled as default_t SELinux Type
As with the previous example, you can use the following command to verify that this is indeed a SELinux-related issue:
```
# cat /var/log/audit/audit.log | grep AVC | tail -1
```
![](http://www.tecmint.com/wp-content/uploads/2016/06/Check-Logs-for-SELinux-Issues.png)
>Check Logs for SELinux Issues
To change the label of /websrv/sites/gabriel/public_html recursively to httpd_sys_content_t, do:
```
# semanage fcontext -a -t httpd_sys_content_t "/websrv/sites/gabriel/public_html(/.*)?"
```
The above command will grant Apache read-only access to that directory and its contents.
Finally, to apply the policy (and make the label change effective immediately), do:
```
# restorecon -R -v /websrv/sites/gabriel/public_html
```
Now you should be able to access the directory:
```
# wget http://localhost/index.html
```
![](http://www.tecmint.com/wp-content/uploads/2016/06/Access-Apache-Directory.png)
>Access Apache Directory
For more information on SELinux, refer to the Fedora 22 [SELinux and Administrator guide][3].
### Introduction to AppArmor and How to Use it on OpenSUSE and Ubuntu
The operation of AppArmor is based on profiles defined in plain text files where the allowed permissions and access control rules are set. Profiles are then used to place limits on how applications interact with processes and files in the system.
A set of profiles is provided out-of-the-box with the operating system, whereas others can be put in place either automatically by applications when they are installed or manually by the system administrator.
Like SELinux, AppArmor runs profiles in two modes. In enforce mode, applications are given the minimum permissions that are necessary for them to run, whereas in complain mode AppArmor allows an application to take restricted actions and saves the “complaints” resulting from that operation to a log (/var/log/kern.log, /var/log/audit/audit.log, and other logs inside /var/log/apparmor).
These logs will show through lines with the word audit in them errors that would occur should the profile be run in enforce mode. Thus, you can try out an application in complain mode and adjust its behavior before running it under AppArmor in enforce mode.
The current status of AppArmor can be shown using:
```
$ sudo apparmor_status
```
![](http://www.tecmint.com/wp-content/uploads/2016/06/Check-AppArmor-Status.png)
>Check AppArmor Status
The image above indicates that the profiles /sbin/dhclient, /usr/sbin/, and /usr/sbin/tcpdump are in enforce mode (that is true by default in Ubuntu).
Since not all applications include the associated AppArmor profiles, the apparmor-profiles package, which provides other profiles that have not been shipped by the packages they provide confinement for. By default, they are configured to run in complain mode so that system administrators can test them and choose which ones are desired.
We will make use of apparmor-profiles since writing our own profiles is out of the scope of the LFCS [certification][4]. However, since profiles are plain text files, you can view them and study them in preparation to create your own profiles in the future.
AppArmor profiles are stored inside /etc/apparmor.d. Lets take a look at the contents of that directory before and after installing apparmor-profiles:
```
$ ls /etc/apparmor.d
```
![](http://www.tecmint.com/wp-content/uploads/2016/06/View-AppArmor-Directory-Content.png)
>View AppArmor Directory Content
If you execute sudo apparmor_status again, you will see a longer list of profiles in complain mode. You can now perform the following operations:
To switch a profile currently in enforce mode to complain mode:
```
$ sudo aa-complain /path/to/file
```
and the other way around (complain > enforce):
```
$ sudo aa-enforce /path/to/file
```
Wildcards are allowed in the above cases. For example,
```
$ sudo aa-complain /etc/apparmor.d/*
```
will place all profiles inside /etc/apparmor.d into complain mode, whereas
```
$ sudo aa-enforce /etc/apparmor.d/*
```
will switch all profiles to enforce mode.
To entirely disable a profile, create a symbolic link in the /etc/apparmor.d/disabled directory:
```
$ sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
```
For more information on AppArmor, please refer to the [official AppArmor wiki][5] and to the documentation [provided by Ubuntu][6].
### Summary
In this article we have gone through the basics of SELinux and AppArmor, two well-known MACs. When to use one or the other? To avoid difficulties, you may want to consider sticking with the one that comes with your chosen distribution. In any event, they will help you place restrictions on processes and access to system resources to increase the security in your servers.
Do you have any questions, comments, or suggestions about this article? Feel free to let us know using the form below. Dont hesitate to let us know if you have any questions or comments.
--------------------------------------------------------------------------------
via: http://www.tecmint.com/mandatory-access-control-with-selinux-or-apparmor-linux/
作者:[Gabriel Cánepa][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: http://www.tecmint.com/author/gacanepa/
[1]: http://www.tecmint.com/secure-files-using-acls-in-linux/
[2]: http://www.tecmint.com/apache-virtual-hosting-in-centos/
[3]: https://docs.fedoraproject.org/en-US/Fedora/22/html/SELinux_Users_and_Administrators_Guide/index.html
[4]: http://www.tecmint.com/sed-command-to-create-edit-and-manipulate-files-in-linux/
[5]: http://wiki.apparmor.net/index.php/Main_Page
[6]: https://help.ubuntu.com/community/AppArmor
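Review bot: the source file deleted in this hunk carries three defects that will be copied into the translation unless they are corrected on the way over. In the AppArmor section the prose says "create a symbolic link in the /etc/apparmor.d/disabled directory" while the command right below it writes to `/etc/apparmor.d/disable/`, so the two disagree and the command form is the one that actually runs; the enforce-mode profile list reads `/sbin/dhclient, /usr/sbin/, and /usr/sbin/tcpdump` with a truncated middle path; and reference `[4]`, linked from "LFCS certification", points at `http://www.tecmint.com/sed-command-to-create-edit-and-manipulate-files-in-linux/`, a sed article rather than a certification page. Suggest flagging all three for the proofreading pass rather than carrying them over silently.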


@ -0,0 +1,247 @@
在 Linux 上用 SELinux 或 AppArmor 实现强制访问控制
===========================================================================
为了克服标准 用户-组-其他/读-写-执行 权限以及[访问控制列表][1]的限制以及加强安全机制美国国家安全局NSA设计出一个灵活的强制访问控制MAC方法 SELinuxSecurity Enhanced Linux 的缩写),来限制其他事物,在仍然允许对这个模型后续修改的情况下,让进程尽可能以最小权限访问或在系统对象(如文件,文件夹,网络端口等)上执行其他操作。
![](http://www.tecmint.com/wp-content/uploads/2016/06/SELinux-AppArmor-Security-Hardening-Linux.png)
>SELinux 和 AppArmor 加固 Linux 安全
另一个流行并且广泛使用的 MAC 是 AppArmor相比于 SELinux 它提供额外的特性,包括一个学习模型,让系统“学习”一个特定应用的行为,通过配置文件设置限制实现安全的应用使用。
在 CentOS 7 中SELinux 合并进了内核并且默认启用强制Enforcing模式下一节会介绍这方面更多的内容与使用 AppArmor 的 openSUSE 和 Ubuntu 完全不同。
在这篇文章中我们会解释 SELinux 和 AppArmor 的本质以及如何在你选择的发行版上使用这两个工具之一并从中获益。
### SELinux 介绍以及如何在 CentOS 7 中使用
Security Enhanced Linux 可以以两种不同模式运行:
- 强制EnforcingSELinux 基于 SELinux 策略规则拒绝访问,一个指导准则集合控制安全引擎。
- 宽容PermissiveSELinux 不拒绝访问,但如果在强制模式下会被拒绝的操作会被记录下来。
SELinux 也能被禁用。尽管这不是它的一个操作模式,不过也是一个选项。但学习如何使用这个工具强过只是忽略它。时刻牢记这一点!
使用 getenforce 命令来显示 SELinux 的当前模式。如果你想要更改模式,使用 setenforce 0设置为宽容模式或 setenforce 1强制模式
因为这些设置重启后就失效了,你需要编辑 /etc/selinux/ 的配置文件并设置 SELINUX 变量为 enforcingpermissive 或 disabled 来保存设置让其重启后也有效:
![](http://www.tecmint.com/wp-content/uploads/2016/06/Enable-Disable-SELinux-Mode.png)
>如何启用和禁用 SELinux 模式
还有一点要注意,如果 getenforce 返回 Disabled你得编辑 /etc/selinux/ 配置为你想要的操作模式并重启。否则你无法利用 setenforce 设置(或切换)操作模式。
setenforce 的典型用法之一包括在 SELinux 模式之间切换(从强制到宽容或相反)来定位一个应用是否行为不端或没有像预期一样工作。如果它在你将 SELinux 设置为宽容模式正常工作,你就可以确定你遇到的是 SELinux 权限问题。
两种我们使用 SELinux 可能需要解决的典型案例:
- 改变一个守护进程监听的默认端口。
- 给一个虚拟主机设置 /var/www/html 以外的文档根路径值。
让我们用以下例子来看看这两种情况。
#### 例 1更改 sshd 守护进程的默认端口
大部分系统管理员为了加强服务器安全首先要做的事情之一就是更改 SSH 守护进程监听的端口,主要是为了组织端口扫描和外部攻击。要达到这个目的,我们要更改 `/etc/ssh/sshd_config` 中的 Port 值为以下值(我们在这里使用端口 9999 为例):
```
Port 9999
```
在尝试重启服务并检查它的状态之后,我们会看到它启动失败:
```
# systemctl restart sshd
# systemctl status sshd
```
![](http://www.tecmint.com/wp-content/uploads/2016/06/Check-sshd-Service-Status.png)
>检查 SSH 服务状态
如果我们看看 /var/log/audit/audit.log就会看到 sshd 被 SELinux 组织在端口 9999 上启动,因为他是 JBoss 管理服务的保留端口SELinux 日志信息包含了词语“AVC”所以应该很容易把它同其他信息区分开来
```
# cat /var/log/audit/audit.log | grep AVC | tail -1
```
![](http://www.tecmint.com/wp-content/uploads/2016/06/Check-Linux-Audit-Logs.png)
>检查 Linux 审计日志
在这种情况下大部分人可能会禁用 SELinux但我们不这么做。我们会看到有个让 Selinux 和监听其他端口的 sshd 和谐共处的方法。首先确保你有 policycoreutils-python 这个包,执行:
```
# yum install policycoreutils-python
```
查看 SELinux 允许 sshd 监听的端口列表。在接下来的图片中我们还能看到端口 9999 是为其他服务保留的,所以我们暂时无法用它来运行其他服务:
```
# semanage port -l | grep ssh
```
当然我们可以给 SSH 选择其他端口,但如果我们确定我们不会使用这台机器跑任何 JBoss 相关的服务,我们就可以修改 SELinux 已存在的规则,转而给 SSH 分配那个端口:
```
# semanage port -m -t ssh_port_t -p tcp 9999
```
在那之后,我们可以用第一个 semanage 命令检查端口是否正确分配了,或用 -lC 参数list custom 的简称):
```
# semanage port -lC
# semanage port -l | grep ssh
```
![](http://www.tecmint.com/wp-content/uploads/2016/06/Assign-Port-to-SSH.png)
>给 SSH 分配端口
我们现在可以重启 SSH 服务并通过端口 9999 连接了。注意这个更改重启之后依然有效。
#### 例 2给一个虚拟主机设置 /var/www/html 以外的文档根路径值
如果你需要用除 /var/www/html 以外目录作为文档根目录[设置一个 Apache 虚拟主机][2](也就是说,比如 `/websrv/sites/gabriel/public_html`
```
DocumentRoot “/websrv/sites/gabriel/public_html”
```
Apache 会拒绝提供内容,因为 index.html 已经被标记为了 default_t SELinux 类型Apache 无法访问它:
```
# wget http://localhost/index.html
# ls -lZ /websrv/sites/gabriel/public_html/index.html
```
![](http://www.tecmint.com/wp-content/uploads/2016/06/Labeled-default_t-SELinux-Type.png)
>被标记为 default_t SELinux 类型
和之前的例子一样,你可以用以下命令验证这是不是 SELinux 相关的问题:
```
# cat /var/log/audit/audit.log | grep AVC | tail -1
```
![](http://www.tecmint.com/wp-content/uploads/2016/06/Check-Logs-for-SELinux-Issues.png)
>检查日志确定是不是 SELinux 的问题
要将 /websrv/sites/gabriel/public_html 整个目录内容标记为 httpd_sys_content_t执行
```
# semanage fcontext -a -t httpd_sys_content_t "/websrv/sites/gabriel/public_html(/.*)?"
```
上面这个命令会赋予 Apache 对那个目录以及其内容的读取权限。
最后,要应用这条策略(并让更改的标记立即生效),执行:
```
# restorecon -R -v /websrv/sites/gabriel/public_html
```
现在你应该可以访问这个目录了:
```
# wget http://localhost/index.html
```
![](http://www.tecmint.com/wp-content/uploads/2016/06/Access-Apache-Directory.png)
>访问 Apache 目录
要获取关于 SELinux 的更多信息,参阅 Fedora 22 [SELinux 以及 管理员指南][3]。
### AppArmor 介绍以及如何在 OpenSUSE 和 Ubuntu 上使用它
AppArmor 的操作是基于纯文本文件的规则定义,该文件中含有允许权限和访问控制规则。安全配置文件用来限制应用程序如何与系统中的进程和文件进行交互。
系统初始就提供了一系列的配置文件,但其他的也可以由应用程序安装的时候设置或由系统管理员手动设置。
像 SELinux 一样AppArmor 以两种模式运行。在 enforce 模式下,应用被赋予它们运行所需要的最小权限,但在 complain 模式下 AppArmor 允许一个应用执行有限的操作并将操作造成的“抱怨”记录到日志里(/var/log/kern.log/var/log/audit/audit.log和其它在 /var/log/apparmor 中的日志)。
日志中会显示配置文件在强制模式下运行时会产生错误的记录,它们中带有审计这个词。因此,你可以在 AppArmor 的 enforce 模式下运行之前,先在 complain 模式下尝试运行一个应用并调整它的行为。
可以用这个命令显示 AppArmor 的当前状态:
```
$ sudo apparmor_status
```
![](http://www.tecmint.com/wp-content/uploads/2016/06/Check-AppArmor-Status.png)
>查看 AppArmor 的状态
上面的图片指明配置 /sbin/dhclient/usr/sbin/,和 /usr/sbin/tcpdump 在 enforce 模式下(在 Ubuntu 下默认就是这样的)。
因为不是所有的应用都包含相关的 AppArmor 配置apparmor-profiles 包提供了其它配置给没有提供限制的包。默认它们配置在 complain 模式下运行以便系统管理员能够测试并选择一个所需要的配置。
我们将会利用 apparmor-profiles因为写一份我们自己的配置已经超出了 LFCS [认证][4]的范围了。但是,由于配置都是纯文本文件,你可以查看并学习它们,为以后创建自己的配置做准备。
AppArmor 配置保存在 /etc/apparmor.d 中。让我们来看看这个文件夹在安装 apparmor-profiles 之前和之后有什么不同:
```
$ ls /etc/apparmor.d
```
![](http://www.tecmint.com/wp-content/uploads/2016/06/View-AppArmor-Directory-Content.png)
>查看 AppArmor 文件夹内容
如果你再次执行 sudo apparmor_status你会在 complain 模式看到更长的配置文件列表。你现在可以执行下列操作:
将当前在 enforce 模式下的配置文件切换到 complain 模式:
```
$ sudo aa-complain /path/to/file
```
以及相反的操作complain > enforce
```
$ sudo aa-enforce /path/to/file
```
上面这些例子是允许使用通配符的。举个例子:
```
$ sudo aa-complain /etc/apparmor.d/*
```
会将 /etc/apparmor.d 中的所有配置文件设置为 complain 模式,反之
```
$ sudo aa-enforce /etc/apparmor.d/*
```
会将所有配置文件设置为 enforce 模式。
要完全禁用一个配置,在 /etc/apparmor.d/disabled 目录中创建一个符号链接:
```
$ sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
```
要获取关于 AppArmor 的更多信息,参阅[官方 AppArmor wiki][5] 以及 [Ubuntu 提供的][6]文档。
### 总结
在这篇文章中我们学习了一些 SELinux 和 AppArmor 这两个著名强制访问控制系统的基本知识。什么时候使用两者中的一个或是另一个?为了避免提高难度,你可能需要考虑专注于你选择的发行版自带的那一个。不管怎样,它们会帮助你限制进程和系统资源的访问,以提高你服务器的安全性。
关于本文你有任何的问题,评论,或建议,欢迎在下方发表。不要犹豫,让我们知道你是否有疑问或评论。
--------------------------------------------------------------------------------
via: http://www.tecmint.com/mandatory-access-control-with-selinux-or-apparmor-linux/
作者:[Gabriel Cánepa][a]
译者:[alim0x](https://github.com/alim0x)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: http://www.tecmint.com/author/gacanepa/
[1]: http://www.tecmint.com/secure-files-using-acls-in-linux/
[2]: http://www.tecmint.com/apache-virtual-hosting-in-centos/
[3]: https://docs.fedoraproject.org/en-US/Fedora/22/html/SELinux_Users_and_Administrators_Guide/index.html
[4]: http://www.tecmint.com/sed-command-to-create-edit-and-manipulate-files-in-linux/
[5]: http://wiki.apparmor.net/index.php/Main_Page
[6]: https://help.ubuntu.com/community/AppArmor
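Review bot: several lines of the added translation change the meaning of the English they replace and should be fixed before proofreading. `主要是为了组织端口扫描` and `sshd 被 SELinux 组织在端口 9999 上启动` use 组织 (organize) where 阻止 (prevent) is meant, and `因为他是 JBoss 管理服务的保留端口` should read 它; `来限制其他事物` renders "to restrict, among other things, the ability of processes …" as if SELinux restricts "other things", so the clause needs rewording around 限制进程…的能力; `学习模型` should be 学习模式 (learning mode, not model); `/etc/selinux/ 的配置文件` (used twice) drops the file name that the source gives as `/etc/selinux/config`; `它们中带有审计这个词` translates the literal log keyword, which should stay `audit` as in the source, and the same paragraph says 强制模式 where the rest of the section says enforce 模式; the log list `/var/log/kern.log/var/log/audit/audit.log` and the profile list `/sbin/dhclient/usr/sbin/` have lost their separators; `Selinux` should be `SELinux`; and 读取权限 for "read-only access" should be 只读权限. Minor wording: `也就是说,比如` for "say, for example" reads as "that is to say", and `为了避免提高难度` for "to avoid difficulties" would be clearer as 为了避免麻烦. Reference `[4]` still points at the sed article inherited from the source.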