Implementing Mandatory Access Control with SELinux or AppArmor in Linux


To overcome the limitations of, and to add security mechanisms beyond, the standard ugo/rwx permissions and access control lists, the United States National Security Agency (NSA) devised SELinux (Security Enhanced Linux), a flexible Mandatory Access Control (MAC) method, in order to restrict the ability of processes to access or perform other operations on system objects (such as files, directories, network ports, etc.) to the least privilege possible, while still allowing later modifications to this model.

[Figure: SELinux and AppArmor Security Enhanced Linux]

Another popular and widely used MAC is AppArmor, which, in addition to the features provided by SELinux, includes a learning mode that lets the system "learn" the behavior of a specific application and set limits through configured profiles to ensure the application is used securely.

In CentOS 7, SELinux is incorporated into the kernel itself and is enabled in enforcing mode by default (more on this in the next section), unlike openSUSE and Ubuntu, which use AppArmor.

In this article we will explain the essentials of SELinux and AppArmor and how to use one of these tools to your advantage, depending on your chosen distribution.

Introduction to SELinux and how to use it on CentOS 7

Security Enhanced Linux can operate in two different ways:

  1. Enforcing: SELinux denies access based on the SELinux policy rules, a set of guidelines that control the security engine.
  2. Permissive: SELinux does not deny access, but denials are logged for actions that would have been denied if running in enforcing mode.


SELinux can also be disabled. Although it is not an operation mode itself, it is still an option. However, learning how to use this tool is better than just ignoring it. Keep it in mind!

To display the current mode of SELinux, use getenforce. If you want to toggle the operation mode, use setenforce 0 (to set it to Permissive) or setenforce 1 (Enforcing).

Since this change will not survive a reboot, you will need to edit the /etc/selinux/config file and set the SELINUX variable to either enforcing, permissive, or disabled in order to achieve persistence across reboots:

[Figure: How to Enable and Disable SELinux Modes]

As a side note, if getenforce returns Disabled, you will have to edit /etc/selinux/config with the desired operation mode and reboot. Otherwise, you will not be able to set (or toggle) the operation mode with setenforce.

One of the typical uses of setenforce consists of toggling between SELinux modes (from enforcing to permissive or the other way around) to troubleshoot an application that is misbehaving or not working as expected. If it works after you set SELinux to Permissive mode, you can be confident you are looking at an SELinux permissions issue.
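As an added example (not part of the original article), the POSIX shell functions below read and rewrite the SELINUX= line of an /etc/selinux/config-style file and report whether the new mode can be applied at once with setenforce or, as noted above for the disabled state, needs a reboot. The config file path is a parameter, and the sample file is constructed here so the functions run without touching a real system.

```shell
# Added example (not from the original article): persist a SELinux mode in an
# /etc/selinux/config-style file. The path is a parameter so the functions can be
# run against a constructed copy instead of the real system file.

# Print the SELINUX= value from the config file (comment lines start with '#',
# so they never match; SELINUXTYPE= does not match because of the '=').
selinux_config_mode() {
    # $1: path to the config file
    sed -n 's/^SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Accept only the three values the file allows.
selinux_valid_mode() {
    case "$1" in
        enforcing|permissive|disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# Rewrite SELINUX= in the config file (via a temp file, no sed -i, so it works
# with BSD and GNU sed). Prints "reboot" when the change only takes effect after
# a reboot (moving into or out of disabled) and "setenforce" when setenforce
# can apply the same mode right away.
selinux_set_config_mode() {
    # $1: config file, $2: new mode
    file=$1; mode=$2
    selinux_valid_mode "$mode" || { echo "invalid mode: $mode" >&2; return 1; }
    old=$(selinux_config_mode "$file")
    tmp=$(mktemp)
    if grep -q '^SELINUX=' "$file"; then
        sed "s/^SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf 'SELINUX=%s\n' "$mode" >> "$tmp"
    fi
    mv "$tmp" "$file"
    if [ "$old" = disabled ] || [ "$mode" = disabled ]; then
        echo reboot
    else
        echo setenforce
    fi
}

# Constructed sample config (same layout as the real file on CentOS 7).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
SELINUXTYPE=targeted
EOF

# Stand-alone demonstration: switch the sample to permissive and read it back.
selinux_set_config_mode "$SAMPLE_CFG" permissive
selinux_config_mode "$SAMPLE_CFG"
```

On a real CentOS 7 host you would call selinux_set_config_mode /etc/selinux/config permissive and, when it prints setenforce, follow up with setenforce 0; the functions only edit the file and never run setenforce themselves, so the runtime and persistent settings stay a deliberate two-step change.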

The two classic cases where we will most likely have to deal with SELinux are:

  1. Changing the default port where a daemon listens.
  2. Setting the DocumentRoot directive for a virtual host to a location other than /var/www/html.

Let's take a look at these two cases using the following examples.

EXAMPLE 1: Changing the default port for the sshd daemon

One of the first things most system administrators do in order to secure their servers is to change the port the SSH daemon listens on, mostly to discourage port scanners and external attackers. To do this, we use the Port directive in /etc/ssh/sshd_config followed by the new port number as follows (we will use port 9999 in this case):

Port 9999

After attempting to restart the service and checking its status we will see that it failed to start:

# systemctl restart sshd
# systemctl status sshd
[Figure: Check SSH Service Status]

If we take a look at /var/log/audit/audit.log, we will see that sshd was prevented from starting on port 9999 by SELinux because that is a reserved port for the JBoss Management service (SELinux log messages include the word “AVC” so that they might be easily identified from other messages):

# cat /var/log/audit/audit.log | grep AVC | tail -1
[Figure: Check Linux Audit Logs]

At this point most people would probably disable SELinux but we won’t. We will see that there’s a way for SELinux, and sshd listening on a different port, to live in harmony together. Make sure you have the policycoreutils-python package installed and run:

# yum install policycoreutils-python

This package provides the semanage tool, which we then use to view the list of ports where SELinux allows sshd to listen. In the following image we can also see that port 9999 is reserved for another service, so we cannot use it for SSH for the time being:

# semanage port -l | grep ssh

Of course we could choose another port for SSH, but if we are certain that we will not need to use this specific machine for any JBoss-related services, we can then modify the existing SELinux rule and assign that port to SSH instead:

# semanage port -m -t ssh_port_t -p tcp 9999

After that, we can use the first semanage command to check if the port was correctly assigned, or the -lC options (short for list custom):

# semanage port -lC
# semanage port -l | grep ssh
[Figure: Assign Port to SSH]

We can now restart SSH and connect to the service using port 9999. Note that this change WILL survive a reboot.
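An added example (not the article's own code) that turns the `semanage port -l` check above into a small decision: given the listing, which SELinux type owns the target port, and does SSH need a new mapping (`-a`) or a modified one (`-m`)? The listing below is constructed to resemble CentOS 7 output; on a real host pipe `semanage port -l` in instead.

```shell
# Added example (not from the original article): parse `semanage port -l` output
# and decide which semanage command (if any) lets sshd bind a chosen port.

# Print the SELinux port type that owns PORT for PROTO, or nothing if the port
# is not listed. A single-port entry wins over a range entry (the specific
# definition takes precedence over ranges such as unreserved_port_t's).
port_owner() {
    # $1: port number, $2: tcp or udp, stdin: `semanage port -l` output
    awk -v want="$1" -v proto="$2" '
        $2 == proto {
            # fields 3..NF hold a comma-separated list of ports and ranges
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (split(p, r, "-") == 2) {
                    if (range == "" && want + 0 >= r[1] + 0 && want + 0 <= r[2] + 0) range = $1
                } else if (p + 0 == want + 0) {
                    exact = $1; exit
                }
            }
        }
        END { if (exact != "") print exact; else if (range != "") print range }'
}

# Print the command the article's procedure calls for: add a mapping when the
# port is free (or only in the unreserved range), modify it when another
# specific type already owns the port, do nothing when ssh_port_t owns it.
ssh_port_plan() {
    # $1: port number, stdin: `semanage port -l` output
    owner=$(port_owner "$1" tcp)
    case "$owner" in
        ssh_port_t)           echo "already allowed" ;;
        ""|unreserved_port_t) echo "semanage port -a -t ssh_port_t -p tcp $1" ;;
        *)                    echo "semanage port -m -t ssh_port_t -p tcp $1" ;;
    esac
}

# Constructed listing in the format of `semanage port -l` on CentOS 7 (abridged).
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
jboss_management_port_t        tcp      4712, 4713, 9990, 9999
ssh_port_t                     tcp      22
unreserved_port_t              tcp      61001-65535, 1024-32767
unreserved_port_t              udp      61001-65535, 1024-32767'

# Stand-alone demonstration for the article's port (9999) and a free one (2222).
printf '%s\n' "$SAMPLE_PORTS" | ssh_port_plan 9999
printf '%s\n' "$SAMPLE_PORTS" | ssh_port_plan 2222
```

The distinction matters in practice: `semanage port -a` refuses a port that is already defined for a specific type such as jboss_management_port_t, which is why the article uses `-m` for 9999, whereas a port that only falls inside the unreserved_port_t range can simply be added with `-a`.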

EXAMPLE 2: Choosing a DocumentRoot outside /var/www/html for a virtual host

If you need to set up an Apache virtual host using a directory other than /var/www/html as DocumentRoot (say, for example, /websrv/sites/gabriel/public_html):

DocumentRoot "/websrv/sites/gabriel/public_html"

Apache will refuse to serve the content because the index.html has been labeled with the default_t SELinux type, which Apache can’t access:

# wget http://localhost/index.html
# ls -lZ /websrv/sites/gabriel/public_html/index.html
[Figure: Labeled as default_t SELinux Type]

As with the previous example, you can use the following command to verify that this is indeed a SELinux-related issue:

# cat /var/log/audit/audit.log | grep AVC | tail -1
[Figure: Check Logs for SELinux Issues]
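Both this example and the sshd one above end with grepping AVC records out of audit.log. As an added example (not from the original article), the shell below extracts the fields that matter from such a record (the process, the denied permission, the object class and the target type) and classifies the denial as a port-labeling or file-labeling problem, which is the distinction that decides between semanage port and semanage fcontext plus restorecon. The two AVC lines are constructed to mirror the article's scenarios, not copied from a real log.

```shell
# Added example (not from the original article): extract the fields that matter
# from an AVC denial record and classify it as a port-label or file-label issue.

# Print "<comm> <permissions> <tclass> <target type>" for one AVC line; multiple
# permissions are joined with commas so the output stays four words.
avc_fields() {
    # $1: one line from /var/log/audit/audit.log
    printf '%s\n' "$1" | awk '
        /^type=AVC/ {
            comm = ""; perm = ""; tclass = ""; ttype = ""
            # the denied permission set appears as "denied  { perm ... }"
            if (match($0, /denied  *[{] [^}]* [}]/)) {
                perm = substr($0, RSTART, RLENGTH)
                sub(/^denied  *[{] /, "", perm); sub(/ [}]$/, "", perm)
                gsub(/ /, ",", perm)
            }
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
                if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
                # tcontext=user:role:type:level -> the type is the third field
                if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
            }
            print comm, perm, tclass, ttype
        }'
}

# Route the denial to the right fix family, mirroring the article's two cases.
avc_classify() {
    # $1: one AVC line
    set -- $(avc_fields "$1")
    [ $# -eq 4 ] || { echo "not an AVC record"; return 1; }
    comm=$1; perm=$2; tclass=$3; ttype=$4
    case "$tclass" in
        tcp_socket|udp_socket)
            echo "port: $comm needs $perm on a port labeled $ttype (check semanage port -l)" ;;
        file|dir|lnk_file)
            echo "label: $comm needs $perm on a $tclass labeled $ttype (check ls -Z; fix with semanage fcontext + restorecon)" ;;
        *)
            echo "other: $comm needs $perm on $tclass labeled $ttype" ;;
    esac
}

# Constructed AVC records modeled on the two scenarios in this article.
AVC_PORT='type=AVC msg=audit(1436979104.123:1404): avc:  denied  { name_bind } for  pid=1402 comm="sshd" src=9999 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:jboss_management_port_t:s0 tclass=tcp_socket permissive=0'
AVC_FILE='type=AVC msg=audit(1436980021.456:1520): avc:  denied  { read } for  pid=2281 comm="httpd" name="index.html" dev="dm-0" ino=8461 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0'

# Stand-alone demonstration.
avc_classify "$AVC_PORT"
avc_classify "$AVC_FILE"
```

To use it against a live log, feed each matching line through the function, for example with `grep AVC /var/log/audit/audit.log | while IFS= read -r line; do avc_classify "$line"; done`; the target type in the output is the value you then look for in `semanage port -l` or `ls -Z`.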

To change the label of /websrv/sites/gabriel/public_html recursively to httpd_sys_content_t, do:

# semanage fcontext -a -t httpd_sys_content_t "/websrv/sites/gabriel/public_html(/.*)?"

The above command will grant Apache read-only access to that directory and its contents.

Finally, to apply the policy (and make the label change effective immediately), do:

# restorecon -R -v /websrv/sites/gabriel/public_html

Now you should be able to access the directory:

# wget http://localhost/index.html
[Figure: Access Apache Directory]

For more information on SELinux, refer to the Fedora 22 SELinux and Administrator guide.
