SELinux Part 1: basic configuration, inducing a boot failure, assigning user privileges
Why??
First, I think we have to start with the question of why we should look at SELinux at all. For years SELinux has been the Linux security module that everyone knew and used only as "the thing you have to turn off".
But change has started to arrive. It is not clear exactly when it began, but OpenStack is no longer something you install with SELinux turned off.
In the OpenStack RDO installation guides (Red Hat family, including CentOS), the instructions are now of the form yum install openstack-selinux, rather than turning SELinux off before installing.
Openstack installation guide - Mitaka
Openstack installation guide - Newton
Openstack installation guide - Ocata
The Chef Selinux Cookbook, which is still active this year
Applications running on Linux seem to be moving more and more toward applying a SELinux policy rather than turning SELinux off.
So I think it is about time to take a somewhat deeper look at SELinux.
Preparation
What you need
VMware Workstation, VirtualBox or similar, to run a virtual machine
The CentOS-7-x86_64-Minimal-1611.iso image
An internet connection
Preparing the machine
Since the topic is SELinux, readers will presumably already know the basics, and as this is my first post in a while, I will skip the installation process.
Install the OS with roughly 1 vCPU, 2 GB RAM and a NAT network, then
after the first boot run yum update, and it is a good idea to take a snapshot at that point. Later, as you try applying all sorts of things, the system can break in ways that are hard to recover from.
So it seems like a good idea to start by inducing a failure and recovering from it.
SELinux basics
The configuration file
[root@localhost ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@localhost ~]#
Usually, starting from the state above, you either edit the SELINUX=enforcing line directly to permissive or disabled and reboot, or change the state at runtime with the setenforce command.
Applying a setting immediately
As shown below, the state is changed with the setenforce command and checked with getenforce.
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# setenforce 0
[root@localhost ~]#
[root@localhost ~]# getenforce
Permissive
[root@localhost ~]#
[root@localhost ~]# setenforce 1
[root@localhost ~]#
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]#
Explanation of the settings
The config-file method can put SELinux into a completely disabled state, whereas the setenforce command only switches between enforcing (the policy is enforced) and permissive (the policy is only monitored: denials are logged but not blocked).
The SELINUXTYPE=targeted line below that is the policy type; it enforces the policy defined in the selinux-policy-targeted package. Of the options listed there, minimum applies the policy to the system in a minimal way: the policy modules for additional applications are left disabled.
MLS is multi-level security; I have not properly looked into running a system with it applied, so I will skip it for now.
Another difference between the config file and the command: the config file takes effect on reboot, whereas setenforce takes effect immediately.
SELinux, one step further
Checking the policy package
Since the config file currently specifies targeted, the targeted package must be installed.
[root@localhost ~]# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.13.1-102.el7_3.16.noarch
selinux-policy-3.13.1-102.el7_3.16.noarch
[root@localhost ~]#
Checking the available policy packages
So let's see which policy packages are available.
[root@localhost ~]# yum list *selinux-policy*
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.cdnetworks.com
* extras: centos.mirror.cdnetworks.com
* updates: centos.mirror.cdnetworks.com
Installed Packages
selinux-policy.noarch 3.13.1-102.el7_3.16 @updates
selinux-policy-targeted.noarch 3.13.1-102.el7_3.16 @updates
Available Packages
selinux-policy-devel.noarch 3.13.1-102.el7_3.16 updates
selinux-policy-doc.noarch 3.13.1-102.el7_3.16 updates
selinux-policy-minimum.noarch 3.13.1-102.el7_3.16 updates
selinux-policy-mls.noarch 3.13.1-102.el7_3.16 updates
selinux-policy-sandbox.noarch 3.13.1-102.el7_3.16 updates
[root@localhost ~]#
Well... there are packages for development, for testing (?), a sandbox, and the mls we saw in the config earlier.
So right now the selinux-policy-minimum package is not installed. Before applying the minimum package, as I said earlier, let's induce a failure first.
Inducing a boot failure by changing the policy type
So let's change SELINUXTYPE in /etc/selinux/config to minimum, whose package is not currently installed, and reboot.
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=minimum
After rebooting, as the screenshot showed, the system no longer boots in this state.
The failure was successfully induced.
How to fix a failure during boot
So reboot again and edit the boot entry, the same way you would to enter single-user mode.
In the edit screen, find the linux16 line, append selinux=0 at the very end, and press Ctrl+X to boot.
After booting, check:
[root@localhost ~]# getenforce
Disabled
[root@localhost ~]#
It boots in the disabled state like this. Now we just need to install selinux-policy-minimum, which was the cause of the problem.
[root@localhost ~]# yum install -y selinux-policy-minimum
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.cdnetworks.com
* extras: centos.mirror.cdnetworks.com
* updates: centos.mirror.cdnetworks.com
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy-minimum.noarch 0:3.13.1-102.el7_3.16 will be installed
--> Processing Dependency: policycoreutils-python >= 2.5 for package: selinux-policy-minimum-3.13.1-102.el7_3.16.noarch
--> Running transaction check
---> Package policycoreutils-python.x86_64 0:2.5-11.el7_3 will be installed
--> Processing Dependency: setools-libs >= 3.3.8-1 for package: policycoreutils-python-2.5-11.el7_3.x86_64
--> Processing Dependency: libsemanage-python >= 2.5-5 for package: policycoreutils-python-2.5-11.el7_3.x86_64
--> Processing Dependency: audit-libs-python >= 2.1.3-4 for package: policycoreutils-python-2.5-11.el7_3.x86_64
--> Processing Dependency: python-IPy for package: policycoreutils-python-2.5-11.el7_3.x86_64
--> Processing Dependency: libqpol.so.1(VERS_1.4)(64bit) for package: policycoreutils-python-2.5-11.el7_3.x86_64
--> Processing Dependency: libqpol.so.1(VERS_1.2)(64bit) for package: policycoreutils-python-2.5-11.el7_3.x86_64
--> Processing Dependency: libcgroup for package: policycoreutils-python-2.5-11.el7_3.x86_64
--> Processing Dependency: libapol.so.4(VERS_4.0)(64bit) for package: policycoreutils-python-2.5-11.el7_3.x86_64
--> Processing Dependency: checkpolicy for package: policycoreutils-python-2.5-11.el7_3.x86_64
--> Processing Dependency: libqpol.so.1()(64bit) for package: policycoreutils-python-2.5-11.el7_3.x86_64
--> Processing Dependency: libapol.so.4()(64bit) for package: policycoreutils-python-2.5-11.el7_3.x86_64
--> Running transaction check
---> Package audit-libs-python.x86_64 0:2.6.5-3.el7_3.1 will be installed
---> Package checkpolicy.x86_64 0:2.5-4.el7 will be installed
---> Package libcgroup.x86_64 0:0.41-11.el7 will be installed
---> Package libsemanage-python.x86_64 0:2.5-5.1.el7_3 will be installed
---> Package python-IPy.noarch 0:0.75-6.el7 will be installed
---> Package setools-libs.x86_64 0:3.3.8-1.1.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=========================================================================================================================
Package Arch Version Repository Size
=========================================================================================================================
Installing:
selinux-policy-minimum noarch 3.13.1-102.el7_3.16 updates 6.4 M
Installing for dependencies:
audit-libs-python x86_64 2.6.5-3.el7_3.1 updates 70 k
checkpolicy x86_64 2.5-4.el7 base 290 k
libcgroup x86_64 0.41-11.el7 base 65 k
libsemanage-python x86_64 2.5-5.1.el7_3 updates 104 k
policycoreutils-python x86_64 2.5-11.el7_3 updates 445 k
python-IPy noarch 0.75-6.el7 base 32 k
setools-libs x86_64 3.3.8-1.1.el7 base 612 k
Transaction Summary
=========================================================================================================================
Install 1 Package (+7 Dependent packages)
Total download size: 7.9 M
Installed size: 20 M
Downloading packages:
(1/8): audit-libs-python-2.6.5-3.el7_3.1.x86_64.rpm | 70 kB 00:00:00
(2/8): libsemanage-python-2.5-5.1.el7_3.x86_64.rpm | 104 kB 00:00:00
(3/8): checkpolicy-2.5-4.el7.x86_64.rpm | 290 kB 00:00:00
(4/8): libcgroup-0.41-11.el7.x86_64.rpm | 65 kB 00:00:00
(5/8): policycoreutils-python-2.5-11.el7_3.x86_64.rpm | 445 kB 00:00:00
(6/8): python-IPy-0.75-6.el7.noarch.rpm | 32 kB 00:00:00
(7/8): setools-libs-3.3.8-1.1.el7.x86_64.rpm | 612 kB 00:00:00
(8/8): selinux-policy-minimum-3.13.1-102.el7_3.16.noarch.rpm | 6.4 MB 00:00:00
-----------------------------------------------------------------------------------------------------------------------
Total 6.0 MB/s | 7.9 MB 00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : setools-libs-3.3.8-1.1.el7.x86_64 1/8
Installing : checkpolicy-2.5-4.el7.x86_64 2/8
Installing : libcgroup-0.41-11.el7.x86_64 3/8
Installing : libsemanage-python-2.5-5.1.el7_3.x86_64 4/8
Installing : audit-libs-python-2.6.5-3.el7_3.1.x86_64 5/8
Installing : python-IPy-0.75-6.el7.noarch 6/8
Installing : policycoreutils-python-2.5-11.el7_3.x86_64 7/8
Installing : selinux-policy-minimum-3.13.1-102.el7_3.16.noarch 8/8
ValueError: Login mapping for __default__ is not defined
Verifying : python-IPy-0.75-6.el7.noarch 1/8
Verifying : audit-libs-python-2.6.5-3.el7_3.1.x86_64 2/8
Verifying : libsemanage-python-2.5-5.1.el7_3.x86_64 3/8
Verifying : selinux-policy-minimum-3.13.1-102.el7_3.16.noarch 4/8
Verifying : libcgroup-0.41-11.el7.x86_64 5/8
Verifying : policycoreutils-python-2.5-11.el7_3.x86_64 6/8
Verifying : checkpolicy-2.5-4.el7.x86_64 7/8
Verifying : setools-libs-3.3.8-1.1.el7.x86_64 8/8
Installed:
selinux-policy-minimum.noarch 0:3.13.1-102.el7_3.16
Dependency Installed:
audit-libs-python.x86_64 0:2.6.5-3.el7_3.1 checkpolicy.x86_64 0:2.5-4.el7 libcgroup.x86_64 0:0.41-11.el7
libsemanage-python.x86_64 0:2.5-5.1.el7_3 policycoreutils-python.x86_64 0:2.5-11.el7_3 python-IPy.noarch 0:0.75-6.el7
setools-libs.x86_64 0:3.3.8-1.1.el7
Complete!
[root@localhost ~]#
Earlier we specified minimum in SELINUXTYPE, but since the minimum package was not installed on the system, the boot failed;
we fixed it by booting with SELinux disabled and installing the minimum package.
Resolving the boot failure
Now that everything is installed, reboot again.
After rebooting you can confirm that it boots normally in the enforcing state.
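The boot failure above comes from a SELINUXTYPE whose policy store is not installed, and it is easy to catch before rebooting. The check below is an added example, not part of the original post: it reads the config file the same way the post does and verifies that a compiled policy exists under the policy root (the path layout /etc/selinux/<type>/policy/policy.<version> is assumed). The fixture function builds a throwaway directory that mimics the post's situation, with only the targeted store present.

```bash
# selinux_config_value FILE KEY
# Prints the value of KEY=... from a selinux config file; comment lines are
# ignored and the last assignment wins.
selinux_config_value() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key { val = $2 }
        END { print val }
    ' "$1"
}

# selinux_preflight CONFIG [POLICYROOT]
# Returns 0 when the config is safe to reboot with: SELINUX=disabled, or the
# SELINUXTYPE it names has a compiled policy under POLICYROOT/<type>/policy/.
# Returns 1 (with a message on stderr) for an invalid mode or a missing store.
selinux_preflight() {
    config="$1"
    policy_root="${2:-/etc/selinux}"
    mode=$(selinux_config_value "$config" SELINUX)
    ptype=$(selinux_config_value "$config" SELINUXTYPE)
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELINUX=$mode in $config" >&2; return 1 ;;
    esac
    [ "$mode" = disabled ] && return 0
    # A store that is installed carries a compiled policy file, e.g. policy.28
    if ls "$policy_root/$ptype"/policy/policy.* >/dev/null 2>&1; then
        return 0
    fi
    echo "SELINUXTYPE=$ptype but no policy under $policy_root/$ptype;" \
         "install selinux-policy-$ptype before rebooting" >&2
    return 1
}

# make_fixture
# Constructed test data, not a real system: a policy root with only the
# targeted store, and a config that already points at minimum, exactly the
# state that left the VM unbootable in the post. Prints the fixture path.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/targeted/policy"
    : > "$fx/targeted/policy/policy.28"
    printf 'SELINUX=enforcing\nSELINUXTYPE=minimum\n' > "$fx/config"
    echo "$fx"
}

# On a live CentOS 7 box the check is simply:
#   selinux_preflight /etc/selinux/config && reboot
```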
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]#
Checking the installed policy modules
With the command below you can list the SELinux policy modules currently loaded.
[root@localhost ~]# semodule -l
apache 2.7.2
application 1.2.0
auditadm 2.2.0
authlogin 2.5.1
base (null)
bootloader 1.14.0
clock 1.7.0
dbus 1.19.0
dmesg 1.3.0
fstools 1.16.1
getty 1.10.0
hostname 1.8.1
inetd 1.13.0
init 1.20.1
ipsec 1.14.0
iptables 1.14.0
kerberos 1.12.0
libraries 2.10.0
locallogin 1.12.0
logadm 1.0.0
logging 1.20.1
lvm 1.15.2
miscfiles 1.11.0
modutils 1.14.0
mount 1.16.1
mta 2.7.3
netlabel 1.3.0
netutils 1.12.1
nis 1.12.0
postgresql 1.16.0
secadm 2.4.0
selinuxutil 1.17.2
setrans 1.8.0
seunshare 1.1.0
ssh 2.4.2
staff 2.4.0
su 1.12.0
sudo 1.10.0
sysadm 2.6.1
sysadm_secadm 1.0.0
sysnetwork 1.15.4
systemd 1.0.0
udev 1.16.2
unconfined 3.5.0
unconfineduser 1.0.0
unlabelednet 1.0.0
unprivuser 2.4.0
userdomain 4.9.1
usermanage 1.19.0
xserver 3.9.4
[root@localhost ~]#
To see more detail here, including the disabled modules:
[root@localhost ~]# semodule -lfull
100 abrt pp disabled
100 accountsd pp disabled
100 acct pp disabled
100 afs pp disabled
100 aiccu pp disabled
100 aide pp disabled
100 ajaxterm pp disabled
100 alsa pp disabled
100 amanda pp disabled
100 amtu pp disabled
100 anaconda pp disabled
100 antivirus pp disabled
100 apache pp
100 apcupsd pp disabled
100 apm pp disabled
100 application pp
100 arpwatch pp disabled
100 asterisk pp disabled
100 auditadm pp
100 authconfig pp disabled
100 authlogin pp
100 automount pp disabled
100 avahi pp disabled
100 awstats pp disabled
100 bacula pp disabled
100 base pp
100 bcfg2 pp disabled
100 bind pp disabled
100 bitlbee pp disabled
100 blkmapd pp disabled
100 blueman pp disabled
100 bluetooth pp disabled
100 boinc pp disabled
100 bootloader pp
100 brctl pp disabled
100 brltty pp disabled
100 bugzilla pp disabled
100 bumblebee pp disabled
100 cachefilesd pp disabled
100 calamaris pp disabled
100 callweaver pp disabled
100 canna pp disabled
100 ccs pp disabled
100 cdrecord pp disabled
100 certmaster pp disabled
100 certmonger pp disabled
100 certwatch pp disabled
100 cfengine pp disabled
100 cgdcbxd pp disabled
100 cgroup pp disabled
100 chrome pp disabled
100 chronyd pp disabled
100 cinder pp disabled
100 cipe pp disabled
100 clock pp
100 clogd pp disabled
100 cloudform pp disabled
100 cmirrord pp disabled
100 cobbler pp disabled
100 cockpit pp disabled
100 collectd pp disabled
100 colord pp disabled
100 comsat pp disabled
100 condor pp disabled
100 conman pp disabled
100 consolekit pp disabled
100 couchdb pp disabled
100 courier pp disabled
100 cpucontrol pp disabled
100 cpufreqselector pp disabled
100 cpuplug pp disabled
100 cron pp disabled
100 ctdb pp disabled
100 cups pp disabled
100 cvs pp disabled
100 cyphesis pp disabled
100 cyrus pp disabled
100 daemontools pp disabled
100 dbadm pp disabled
100 dbskk pp disabled
100 dbus pp
100 dcc pp disabled
100 ddclient pp disabled
100 denyhosts pp disabled
100 devicekit pp disabled
100 dhcp pp disabled
100 dictd pp disabled
100 dirsrv pp disabled
100 dirsrv-admin pp disabled
100 dmesg pp
100 dmidecode pp disabled
100 dnsmasq pp disabled
100 dnssec pp disabled
100 docker pp disabled
100 dovecot pp disabled
100 drbd pp disabled
100 dspam pp disabled
100 entropyd pp disabled
100 exim pp disabled
100 fail2ban pp disabled
100 fcoe pp disabled
100 fetchmail pp disabled
100 finger pp disabled
100 firewalld pp disabled
100 firewallgui pp disabled
100 firstboot pp disabled
100 fprintd pp disabled
100 freeipmi pp disabled
100 freqset pp disabled
100 fstools pp
100 ftp pp disabled
100 games pp disabled
100 gdomap pp disabled
100 gear pp disabled
100 geoclue pp disabled
100 getty pp
100 git pp disabled
100 gitosis pp disabled
100 glance pp disabled
100 glusterd pp disabled
100 gnome pp disabled
100 gpg pp disabled
100 gpm pp disabled
100 gpsd pp disabled
100 gssproxy pp disabled
100 guest pp disabled
100 hddtemp pp disabled
100 hostname pp
100 hsqldb pp disabled
100 hwloc pp disabled
100 hypervkvp pp disabled
100 icecast pp disabled
100 inetd pp
100 init pp
100 inn pp disabled
100 iodine pp disabled
100 iotop pp disabled
100 ipa pp disabled
100 ipmievd pp disabled
100 ipsec pp
100 iptables pp
100 irc pp disabled
100 irqbalance pp disabled
100 iscsi pp disabled
100 isns pp disabled
100 jabber pp disabled
100 jetty pp disabled
100 jockey pp disabled
100 journalctl pp disabled
100 kdump pp disabled
100 kdumpgui pp disabled
100 keepalived pp disabled
100 kerberos pp
100 keyboardd pp disabled
100 keystone pp disabled
100 kismet pp disabled
100 kmscon pp disabled
100 ksmtuned pp disabled
100 ktalk pp disabled
100 l2tp pp disabled
100 ldap pp disabled
100 libraries pp
100 likewise pp disabled
100 linuxptp pp disabled
100 lircd pp disabled
100 livecd pp disabled
100 lldpad pp disabled
100 loadkeys pp disabled
100 locallogin pp
100 lockdev pp disabled
100 logadm pp
100 logging pp
100 logrotate pp disabled
100 logwatch pp disabled
100 lpd pp disabled
100 lsm pp disabled
100 lttng-tools pp disabled
100 lvm pp
100 mailman pp disabled
100 mailscanner pp disabled
100 man2html pp disabled
100 mandb pp disabled
100 mcelog pp disabled
100 mediawiki pp disabled
100 memcached pp disabled
100 milter pp disabled
100 minidlna pp disabled
100 minissdpd pp disabled
100 mip6d pp disabled
100 mirrormanager pp disabled
100 miscfiles pp
100 mock pp disabled
100 modemmanager pp disabled
100 modutils pp
100 mojomojo pp disabled
100 mon_statd pp disabled
100 mongodb pp disabled
100 motion pp disabled
100 mount pp
100 mozilla pp disabled
100 mpd pp disabled
100 mplayer pp disabled
100 mrtg pp disabled
100 mta pp
100 munin pp disabled
100 mysql pp disabled
100 mythtv pp disabled
100 nagios pp disabled
100 namespace pp disabled
100 ncftool pp disabled
100 netlabel pp
100 netutils pp
100 networkmanager pp disabled
100 ninfod pp disabled
100 nis pp
100 nova pp disabled
100 nscd pp disabled
100 nsd pp disabled
100 nslcd pp disabled
100 ntop pp disabled
100 ntp pp disabled
100 numad pp disabled
100 nut pp disabled
100 nx pp disabled
100 obex pp disabled
100 oddjob pp disabled
100 openct pp disabled
100 opendnssec pp disabled
100 openhpid pp disabled
100 openshift pp disabled
100 openshift-origin pp disabled
100 opensm pp disabled
100 openvpn pp disabled
100 openvswitch pp disabled
100 openwsman pp disabled
100 oracleasm pp disabled
100 osad pp disabled
100 pads pp disabled
100 passenger pp disabled
100 pcmcia pp disabled
100 pcp pp disabled
100 pcscd pp disabled
100 pegasus pp disabled
100 pesign pp disabled
100 pingd pp disabled
100 piranha pp disabled
100 pkcs pp disabled
100 pki pp disabled
100 plymouthd pp disabled
100 podsleuth pp disabled
100 policykit pp disabled
100 polipo pp disabled
100 portmap pp disabled
100 portreserve pp disabled
100 postfix pp disabled
100 postgresql pp
100 postgrey pp disabled
100 ppp pp disabled
100 prelink pp disabled
100 prelude pp disabled
100 privoxy pp disabled
100 procmail pp disabled
100 prosody pp disabled
100 psad pp disabled
100 ptchown pp disabled
100 publicfile pp disabled
100 pulseaudio pp disabled
100 puppet pp disabled
100 pwauth pp disabled
100 qmail pp disabled
100 qpid pp disabled
100 quantum pp disabled
100 quota pp disabled
100 rabbitmq pp disabled
100 radius pp disabled
100 radvd pp disabled
100 raid pp disabled
100 rasdaemon pp disabled
100 rdisc pp disabled
100 readahead pp disabled
100 realmd pp disabled
100 redis pp disabled
100 remotelogin pp disabled
100 rhcs pp disabled
100 rhev pp disabled
100 rhgb pp disabled
100 rhnsd pp disabled
100 rhsmcertd pp disabled
100 ricci pp disabled
100 rkhunter pp disabled
100 rlogin pp disabled
100 rngd pp disabled
100 roundup pp disabled
100 rpc pp disabled
100 rpcbind pp disabled
100 rpm pp disabled
100 rshd pp disabled
100 rssh pp disabled
100 rsync pp disabled
100 rtas pp disabled
100 rtkit pp disabled
100 rwho pp disabled
100 samba pp disabled
100 sambagui pp disabled
100 sandboxX pp disabled
100 sanlock pp disabled
100 sasl pp disabled
100 sbd pp disabled
100 sblim pp disabled
100 screen pp disabled
100 secadm pp
100 sectoolm pp disabled
100 selinuxutil pp
100 sendmail pp disabled
100 sensord pp disabled
100 setrans pp
100 setroubleshoot pp disabled
100 seunshare pp
100 sge pp disabled
100 shorewall pp disabled
100 slocate pp disabled
100 slpd pp disabled
100 smartmon pp disabled
100 smokeping pp disabled
100 smoltclient pp disabled
100 smsd pp disabled
100 snapper pp disabled
100 snmp pp disabled
100 snort pp disabled
100 sosreport pp disabled
100 soundserver pp disabled
100 spamassassin pp disabled
100 speech-dispatcher pp disabled
100 squid pp disabled
100 ssh pp
100 sssd pp disabled
100 staff pp
100 stapserver pp disabled
100 stunnel pp disabled
100 su pp
100 sudo pp
100 svnserve pp disabled
100 swift pp disabled
100 sysadm pp
100 sysadm_secadm pp
100 sysnetwork pp
100 sysstat pp disabled
100 systemd pp
100 targetd pp disabled
100 tcpd pp disabled
100 tcsd pp disabled
100 telepathy pp disabled
100 telnet pp disabled
100 tftp pp disabled
100 tgtd pp disabled
100 thin pp disabled
100 thumb pp disabled
100 tmpreaper pp disabled
100 tomcat pp disabled
100 tor pp disabled
100 tuned pp disabled
100 tvtime pp disabled
100 udev pp
100 ulogd pp disabled
100 uml pp disabled
100 unconfined pp
100 unconfineduser pp
100 unlabelednet pp
100 unprivuser pp
100 updfstab pp disabled
100 usbmodules pp disabled
100 usbmuxd pp disabled
100 userdomain pp
100 userhelper pp disabled
100 usermanage pp
100 usernetctl pp disabled
100 uucp pp disabled
100 uuidd pp disabled
100 varnishd pp disabled
100 vdagent pp disabled
100 vhostmd pp disabled
100 virt pp disabled
100 vlock pp disabled
100 vmtools pp disabled
100 vmware pp disabled
100 vnstatd pp disabled
100 vpn pp disabled
100 w3c pp disabled
100 watchdog pp disabled
100 wdmd pp disabled
100 webadm pp disabled
100 webalizer pp disabled
100 wine pp disabled
100 wireshark pp disabled
100 xen pp disabled
100 xguest pp disabled
100 xserver pp
100 zabbix pp disabled
100 zarafa pp disabled
100 zebra pp disabled
100 zoneminder pp disabled
100 zosremote pp disabled
[root@localhost ~]#
The leading 100 is the priority, and pp you can think of as the file format the policy is packaged in. I will explain this again later.
SELinux in practice: confined vs unconfined
One of the first concepts to understand in SELinux is confined versus unconfined.
[root@localhost ~]# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@localhost ~]#
This command shows the SELinux context of the current user; root is unconfined.
Next we will add users to see the difference between the two, but first let's install the tools we need.
Installing the required tools
[root@localhost ~]# yum install -y setools-console
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.cdnetworks.com
* extras: centos.mirror.cdnetworks.com
* updates: centos.mirror.cdnetworks.com
Resolving Dependencies
--> Running transaction check
---> Package setools-console.x86_64 0:3.3.8-1.1.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=========================================================================================================================
Package Arch Version Repository Size
=========================================================================================================================
Installing:
setools-console x86_64 3.3.8-1.1.el7 base 310 k
Transaction Summary
=========================================================================================================================
Install 1 Package
Total download size: 310 k
Installed size: 1.1 M
Downloading packages:
setools-console-3.3.8-1.1.el7.x86_64.rpm | 310 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : setools-console-3.3.8-1.1.el7.x86_64 1/1
Verifying : setools-console-3.3.8-1.1.el7.x86_64 1/1
Installed:
setools-console.x86_64 0:3.3.8-1.1.el7
Complete!
[root@localhost ~]#
With this package installed, the seinfo command is now available.
[root@localhost ~]# seinfo
Statistics for policy file: /sys/fs/selinux/policy
Policy Version & Type: v.28 (binary, mls)
Classes: 91 Permissions: 256
Sensitivities: 1 Categories: 1024
Types: 1599 Attributes: 157
Users: 6 Roles: 9
Booleans: 112 Cond. Expr.: 117
Allow: 20350 Neverallow: 0
Auditallow: 41 Dontaudit: 1934
Type_trans: 1621 Type_change: 21
Type_member: 13 Role allow: 25
Role_trans: 32 Range_trans: 88
Constraints: 109 Validatetrans: 0
Initial SIDs: 27 Fs_use: 28
Genfscon: 105 Portcon: 596
Netifcon: 0 Nodecon: 0
Permissives: 0 Polcap: 2
[root@localhost ~]#
Registering test users
[root@localhost ~]# useradd user1
[root@localhost ~]# passwd user1
Changing password for user user1.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost ~]#
[root@localhost ~]# useradd -Z user_u user2
[root@localhost ~]# passwd user2
Changing password for user user2.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost ~]#
This creates user1, who is unconfined, and user2, who is confined as user_u.
[root@localhost ~]# semanage login -l
Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
root unconfined_u s0-s0:c0.c1023 *
system_u system_u s0-s0:c0.c1023 *
user2 user_u s0 *
[root@localhost ~]#
As you can see, user2 has user_u assigned in the SELinux User column; user1 has no entry of its own and therefore falls under the __default__ mapping, unconfined_u.
The difference between unconfined user1 and confined user2
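The login table above is what decides a user's SELinux user: an explicit entry wins, otherwise __default__ applies, which is why user1 ends up unconfined without ever being mentioned. The script below is an added example, not part of the original post; the embedded table is constructed from the semanage login -l output shown above, and on a live system you would pass "$(semanage login -l)" as the second argument instead.

```bash
# Constructed copy of the `semanage login -l` table from the post.
SEMANAGE_LOGIN_SAMPLE='Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
user2                user_u               s0                   *'

# selinux_user_for_login LOGIN [TABLE_TEXT]
# Prints the SELinux user that LOGIN maps to: its own row if one exists,
# otherwise the __default__ row, mirroring how the login mapping is resolved.
selinux_user_for_login() {
    login="$1"
    table="${2:-$SEMANAGE_LOGIN_SAMPLE}"
    printf '%s\n' "$table" | awk -v login="$login" '
        NR == 1 { next }                       # header row
        $1 == login       { found = $2 }
        $1 == "__default__" { def = $2 }
        END { print (found != "" ? found : def) }
    '
}

# is_confined_login LOGIN [TABLE_TEXT]
# Returns 0 when LOGIN lands in a confined SELinux user (anything other than
# unconfined_u), 1 when it is unconfined or cannot be resolved at all.
is_confined_login() {
    seuser=$(selinux_user_for_login "$@")
    [ -n "$seuser" ] && [ "$seuser" != unconfined_u ]
}

# Audit helper: list every local login that would be unconfined under the
# given table, e.g. to spot accounts that should have been created with -Z.
unconfined_logins() {
    table="${1:-$SEMANAGE_LOGIN_SAMPLE}"
    shift
    for login in "$@"; do
        if ! is_confined_login "$login" "$table"; then
            echo "$login"
        fi
    done
}
```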
[user1@localhost ~]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[user1@localhost ~]$
[user1@localhost ~]$ systemctl | grep sshd
sshd.service loaded active running OpenSSH server daemon
[user1@localhost ~]$
[user2@localhost ~]$ id -Z
user_u:user_r:user_t:s0
[user2@localhost ~]$
[user2@localhost ~]$ systemctl status sshd
-bash: systemctl: command not found
[user2@localhost ~]$
As you can see, they are ordinary users alike, but user2 has no permission for the systemctl command and it cannot even be executed.
Why user1 and user2 differ
If we look at the information on systemctl...
[root@localhost ~]# ls -alZ /usr/bin/systemctl
-rwxr-xr-x. root root system_u:object_r:systemd_systemctl_exec_t:s0 /usr/bin/systemctl
[root@localhost ~]#
The part in the middle, "system_u:object_r:systemd_systemctl_exec_t:s0", is the key.
To explain only briefly why it fails: the third field, systemd_systemctl_exec_t, is defined as the SELinux type of the systemctl command.
[user2@localhost ~]$ id -Z
user_u:user_r:user_t:s0
[user2@localhost ~]$ ls -alZ /usr/bin/systemctl
ls: cannot access /usr/bin/systemctl: Permission denied
[user2@localhost ~]$
user2, defined as user_u:user_r:user_t, cannot even read the file. To explain briefly how this result comes about:
A tool for analysing these relationships? sesearch
sesearch is a tool for finding such relationships: -s source type, -t target type, -A (allow rules).
[root@localhost ~]# sesearch -s user_t -t systemd_systemctl_exec_t -A | grep systemctl
[root@localhost ~]#
There is no rule defined at all. So let's see what it looks like for the unconfined user1.
[root@localhost ~]# sesearch -s unconfined_t -t systemd_systemctl_exec_t -A | grep systemctl
allow unconfined_domain_type systemd_systemctl_exec_t : file { ioctl read getattr lock execute execute_no_trans open } ;
allow unconfined_t systemd_systemctl_exec_t : file { ioctl read getattr lock execute execute_no_trans open } ;
[root@localhost ~]#
Reading the second line: allow unconfined_t (from this source) systemd_systemctl_exec_t (on this target) : file (for the file class) { grant these permissions }.
That is how it can be read.
This is what creates the difference between user1 and user2: with no allow rule for user_t, the access is denied by default.
This rule is defined somewhere in the modules we saw with semodule -l.
Summary
Basic enabling and disabling of SELinux,
applying the targeted and minimum policies,
how to fix a SELinux boot failure,
unconfined and confined users
I have summarised the topics above. SELinux is usually used only at the level of enforcing, disabled and permissive... or rather, in practice most people simply turn it off.
The additional topics that follow are rarely even mentioned, so the difficulty can be quite high. My explanation is also lacking.
I will gradually write them up in more detail.
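The two sesearch queries above are a textbook case of SELinux's default-deny model: an access is granted only if some allow rule names the source type (or an attribute it carries), the target type, the object class and the permission. The function below is an added example, not part of the original post; it evaluates that question over captured sesearch -A output, and SESEARCH_SAMPLE is constructed from the two result lines shown above (the user_t query returned nothing, so no user_t line exists).

```bash
# Constructed from the `sesearch -s unconfined_t -t systemd_systemctl_exec_t -A`
# output in the post. sesearch already expands attributes for the queried
# source, which is why the unconfined_domain_type line appears as well.
SESEARCH_SAMPLE='allow unconfined_domain_type systemd_systemctl_exec_t : file { ioctl read getattr lock execute execute_no_trans open } ;
allow unconfined_t systemd_systemctl_exec_t : file { ioctl read getattr lock execute execute_no_trans open } ;'

# sesearch_allows SRC TGT CLASS PERM [RULES_TEXT]
# Returns 0 when an allow rule in RULES_TEXT grants PERM on CLASS from SRC
# to TGT, 1 otherwise. Handles both rule forms:
#   allow a b : file { read execute } ;
#   allow a b : file read ;
sesearch_allows() {
    src="$1"; tgt="$2"; cls="$3"; perm="$4"
    rules="${5:-$SESEARCH_SAMPLE}"
    printf '%s\n' "$rules" | awk -v src="$src" -v tgt="$tgt" -v cls="$cls" -v perm="$perm" '
        $1 == "allow" && $2 == src && $3 == tgt && $4 == ":" && $5 == cls {
            # tokens after the class are the permission(s), plus { } and ;
            for (i = 6; i <= NF; i++) {
                if ($i == perm) { hit = 1 }
            }
        }
        END { exit (hit ? 0 : 1) }
    '
}

# explain_exec SRC TGT [RULES_TEXT]
# Prints "allowed" or "denied (no allow rule)" for executing a file of type TGT
# from domain SRC, the question behind "-bash: systemctl: command not found".
explain_exec() {
    if sesearch_allows "$1" "$2" file execute "${3:-$SESEARCH_SAMPLE}"; then
        echo "allowed"
    else
        echo "denied (no allow rule)"
    fi
}

# On a live system, feed the real query instead of the sample:
#   sesearch_allows user_t systemd_systemctl_exec_t file execute \
#       "$(sesearch -s user_t -t systemd_systemctl_exec_t -A)"
```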