Ryu's Tech

SELinux Part 1: basic configuration, inducing a failure, assigning user permissions

Ryusstory 2017. 8. 29. 23:00


Why?


First, I suppose I should start with the question: why look at SELinux at all? For years it has been the Linux security module I only knew as "the thing you have to turn off".

But things have started to change a little. I can't say exactly since when, but with OpenStack, SELinux is no longer something you disable before installing.

The OpenStack RDO installation guides (Red Hat family, CentOS included) now have you run yum install openstack-selinux instead of turning SELinux off.

Openstack installation guide - Mitaka

Openstack installation guide - Newton

Openstack installation guide - Ocata

Openstack selinux git

Chef SELinux Cookbook, still active this year

Applications that land on Linux seem to be moving toward shipping SELinux policy rather than toward turning SELinux off.

So it seems like time to take a somewhat deeper look at SELinux.

Preparation

What you need

Something to run a virtual machine: VMware Workstation, VirtualBox, etc.

The CentOS-7-x86_64-Minimal-1611.iso image

An Internet connection

Machine setup

Since the topic is SELinux, readers presumably know the basics, and as it has been a while since my last post, I'll skip the OS installation steps.

Install the OS with roughly 1 vCPU, 2 GB of RAM and a NAT network,

then after the first boot run yum update and take a snapshot. Experimenting with settings later can break the system in ways that are hard to recover from.

With that in place, it seems like a good idea to start by deliberately causing a failure and then recovering from it.

SELinux basics

The configuration file


[root@localhost ~]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@localhost ~]#

Usually, starting from the state above, you either edit the SELINUX=enforcing line directly to permissive or disabled and reboot, or

Applying a setting immediately

change the state with the setenforce command as shown below.



[root@localhost ~]# getenforce

Enforcing

[root@localhost ~]# setenforce 0

[root@localhost ~]#

[root@localhost ~]# getenforce

Permissive

[root@localhost ~]#

[root@localhost ~]# setenforce 1

[root@localhost ~]#

[root@localhost ~]# getenforce

Enforcing

[root@localhost ~]#


Explanation of the settings

The config file method can put SELinux fully into the disabled state, but the setenforce command can only switch between enforcing (the policy is enforced) and permissive (the policy is only monitored and logged).

The SELINUXTYPE=targeted line below it selects the policy type: the policy defined in the selinux-policy-targeted package is the one that gets enforced. Of the other options, minimum applies the smallest policy to the system, with the policy modules for additional applications left disabled.

MLS is multi-level security; I haven't properly looked at running a system that way, so I'll skip it for now.

One more difference between the config file and the command: the config file takes effect after a reboot, whereas setenforce takes effect immediately.

SELinux: one step further

Checking the policy package

Since the config file says targeted, the targeted package should be installed:


[root@localhost ~]# rpm -qa | grep selinux-policy

selinux-policy-targeted-3.13.1-102.el7_3.16.noarch

selinux-policy-3.13.1-102.el7_3.16.noarch

[root@localhost ~]#

Checking the available policy packages

Now let's see which packages are available.


[root@localhost ~]# yum list *selinux-policy*

Loaded plugins: fastestmirror

Loading mirror speeds from cached hostfile

* base: centos.mirror.cdnetworks.com

* extras: centos.mirror.cdnetworks.com

* updates: centos.mirror.cdnetworks.com

Installed Packages

selinux-policy.noarch                                   3.13.1-102.el7_3.16                               @updates

selinux-policy-targeted.noarch                          3.13.1-102.el7_3.16                               @updates

Available Packages

selinux-policy-devel.noarch                             3.13.1-102.el7_3.16                               updates

selinux-policy-doc.noarch                               3.13.1-102.el7_3.16                               updates

selinux-policy-minimum.noarch                           3.13.1-102.el7_3.16                               updates

selinux-policy-mls.noarch                               3.13.1-102.el7_3.16                               updates

selinux-policy-sandbox.noarch                           3.13.1-102.el7_3.16                               updates

[root@localhost ~]#

Well... there's one for development, a test one?, a sandbox one, the mls one we saw in the config, and so on.

So the selinux-policy-minimum package is currently not installed. Before applying the minimum package, as promised earlier, let's cause a failure.

Causing a boot failure by changing the policy package

Change SELINUXTYPE in /etc/selinux/config to minimum, which is not installed yet, and reboot.


# SELINUXTYPE= can take one of three two values:

#     targeted - Targeted processes are protected,

#     minimum - Modification of targeted policy. Only selected processes are protected.

#     mls - Multi Level Security protection.

SELINUXTYPE=minimum

After rebooting, as in the screenshot below, the system no longer boots in this state.

Failure successfully induced.

Fixing a failure during boot

Reboot again and edit the boot entry, just as you would to enter single-user mode.

In the edit screen, find the linux16 line, append selinux=0 at the very end, and press Ctrl+X to boot.

After booting, check:


[root@localhost ~]# getenforce

Disabled

[root@localhost ~]#

It boots in the disabled state. Now we just need to install selinux-policy-minimum, which was the problem earlier.


[root@localhost ~]# yum install -y selinux-policy-minimum

Loaded plugins: fastestmirror

Loading mirror speeds from cached hostfile

* base: centos.mirror.cdnetworks.com

* extras: centos.mirror.cdnetworks.com

* updates: centos.mirror.cdnetworks.com

Resolving Dependencies

--> Running transaction check

---> Package selinux-policy-minimum.noarch 0:3.13.1-102.el7_3.16 will be installed

--> Processing Dependency: policycoreutils-python >= 2.5 for package: selinux-policy-minimum-3.13.1-102.el7_3.16.noarch

--> Running transaction check

---> Package policycoreutils-python.x86_64 0:2.5-11.el7_3 will be installed

--> Processing Dependency: setools-libs >= 3.3.8-1 for package: policycoreutils-python-2.5-11.el7_3.x86_64

--> Processing Dependency: libsemanage-python >= 2.5-5 for package: policycoreutils-python-2.5-11.el7_3.x86_64

--> Processing Dependency: audit-libs-python >= 2.1.3-4 for package: policycoreutils-python-2.5-11.el7_3.x86_64

--> Processing Dependency: python-IPy for package: policycoreutils-python-2.5-11.el7_3.x86_64

--> Processing Dependency: libqpol.so.1(VERS_1.4)(64bit) for package: policycoreutils-python-2.5-11.el7_3.x86_64

--> Processing Dependency: libqpol.so.1(VERS_1.2)(64bit) for package: policycoreutils-python-2.5-11.el7_3.x86_64

--> Processing Dependency: libcgroup for package: policycoreutils-python-2.5-11.el7_3.x86_64

--> Processing Dependency: libapol.so.4(VERS_4.0)(64bit) for package: policycoreutils-python-2.5-11.el7_3.x86_64

--> Processing Dependency: checkpolicy for package: policycoreutils-python-2.5-11.el7_3.x86_64

--> Processing Dependency: libqpol.so.1()(64bit) for package: policycoreutils-python-2.5-11.el7_3.x86_64

--> Processing Dependency: libapol.so.4()(64bit) for package: policycoreutils-python-2.5-11.el7_3.x86_64

--> Running transaction check

---> Package audit-libs-python.x86_64 0:2.6.5-3.el7_3.1 will be installed

---> Package checkpolicy.x86_64 0:2.5-4.el7 will be installed

---> Package libcgroup.x86_64 0:0.41-11.el7 will be installed

---> Package libsemanage-python.x86_64 0:2.5-5.1.el7_3 will be installed

---> Package python-IPy.noarch 0:0.75-6.el7 will be installed

---> Package setools-libs.x86_64 0:3.3.8-1.1.el7 will be installed

--> Finished Dependency Resolution

Dependencies Resolved

=========================================================================================================================

Package                                  Arch                     Version                Repository                 Size

=========================================================================================================================

Installing:

selinux-policy-minimum                   noarch                   3.13.1-102.el7_3.16    updates                   6.4 M

Installing for dependencies:

audit-libs-python                        x86_64                   2.6.5-3.el7_3.1        updates                    70 k

checkpolicy                              x86_64                   2.5-4.el7              base                      290 k

libcgroup                                x86_64                   0.41-11.el7            base                       65 k

libsemanage-python                       x86_64                   2.5-5.1.el7_3          updates                   104 k

policycoreutils-python                   x86_64                   2.5-11.el7_3           updates                   445 k

python-IPy                               noarch                   0.75-6.el7             base                       32 k

setools-libs                             x86_64                   3.3.8-1.1.el7          base                      612 k

Transaction Summary

=========================================================================================================================

Install  1 Package (+7 Dependent packages)

Total download size: 7.9 M

Installed size: 20 M

Downloading packages:

(1/8): audit-libs-python-2.6.5-3.el7_3.1.x86_64.rpm                                                 |  70 kB  00:00:00     

(2/8): libsemanage-python-2.5-5.1.el7_3.x86_64.rpm                                                  | 104 kB  00:00:00     

(3/8): checkpolicy-2.5-4.el7.x86_64.rpm                                                             | 290 kB  00:00:00     

(4/8): libcgroup-0.41-11.el7.x86_64.rpm                                                             |  65 kB  00:00:00     

(5/8): policycoreutils-python-2.5-11.el7_3.x86_64.rpm                                               | 445 kB  00:00:00     

(6/8): python-IPy-0.75-6.el7.noarch.rpm                                                             |  32 kB  00:00:00     

(7/8): setools-libs-3.3.8-1.1.el7.x86_64.rpm                                                        | 612 kB  00:00:00     

(8/8): selinux-policy-minimum-3.13.1-102.el7_3.16.noarch.rpm                                        | 6.4 MB  00:00:00     

-----------------------------------------------------------------------------------------------------------------------

Total                                                                                      6.0 MB/s | 7.9 MB  00:00:01     

Running transaction check

Running transaction test

Transaction test succeeded

Running transaction

  Installing : setools-libs-3.3.8-1.1.el7.x86_64                                                     1/8

  Installing : checkpolicy-2.5-4.el7.x86_64                                                          2/8

  Installing : libcgroup-0.41-11.el7.x86_64                                                          3/8

  Installing : libsemanage-python-2.5-5.1.el7_3.x86_64                                               4/8

  Installing : audit-libs-python-2.6.5-3.el7_3.1.x86_64                                              5/8

  Installing : python-IPy-0.75-6.el7.noarch                                                          6/8

  Installing : policycoreutils-python-2.5-11.el7_3.x86_64                                            7/8

  Installing : selinux-policy-minimum-3.13.1-102.el7_3.16.noarch                                     8/8

ValueError: Login mapping for __default__ is not defined

  Verifying  : python-IPy-0.75-6.el7.noarch                                                          1/8

  Verifying  : audit-libs-python-2.6.5-3.el7_3.1.x86_64                                              2/8

  Verifying  : libsemanage-python-2.5-5.1.el7_3.x86_64                                               3/8

  Verifying  : selinux-policy-minimum-3.13.1-102.el7_3.16.noarch                                     4/8

  Verifying  : libcgroup-0.41-11.el7.x86_64                                                          5/8

  Verifying  : policycoreutils-python-2.5-11.el7_3.x86_64                                            6/8

  Verifying  : checkpolicy-2.5-4.el7.x86_64                                                          7/8

  Verifying  : setools-libs-3.3.8-1.1.el7.x86_64                                                     8/8

Installed:

  selinux-policy-minimum.noarch 0:3.13.1-102.el7_3.16                                                                                       

Dependency Installed:

  audit-libs-python.x86_64 0:2.6.5-3.el7_3.1  checkpolicy.x86_64 0:2.5-4.el7                 libcgroup.x86_64 0:0.41-11.el7      

  libsemanage-python.x86_64 0:2.5-5.1.el7_3   policycoreutils-python.x86_64 0:2.5-11.el7_3   python-IPy.noarch 0:0.75-6.el7      

  setools-libs.x86_64 0:3.3.8-1.1.el7             

Complete!

[root@localhost ~]#

Earlier we set SELINUXTYPE to minimum, but the minimum package was not installed on the system, so the boot failed;

we fixed it by booting with SELinux disabled and installing the minimum package.

Boot failure resolved

Now that everything is installed, reboot again.

After the reboot you can confirm that it booted normally in enforcing mode.
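As an added example (my own sanity check, not code from the original post), here is a small shell script that reads SELINUX= and SELINUXTYPE= from a config file and verifies that a compiled policy exists for that type before you reboot, which would have caught the minimum-without-package situation above. The config path and the SELinux root directory are parameters, so it runs here against a constructed directory tree; on a real CentOS 7 host you would pass /etc/selinux/config and /etc/selinux. The policy.29 file in the demo tree is a constructed placeholder, not a real policy.

```shell
#!/bin/sh
# Added example: pre-reboot check that /etc/selinux/config names a policy type
# which is actually installed. Not part of the original post.

# selinux_config_value KEY CFG : print the value of KEY=... in CFG,
# ignoring comment lines such as "# SELINUX= can take one of ...".
selinux_config_value() {
    key="$1"; cfg="$2"
    awk -F= -v k="$key" '$0 !~ /^[ \t]*#/ && $1 == k { v = $2 } END { print v }' "$cfg"
}

# selinux_policy_present CFG ROOT : exit 0 when ROOT/<SELINUXTYPE>/policy/
# contains a compiled policy.<version> file, 1 otherwise.
selinux_policy_present() {
    cfg="$1"; root="$2"
    type=$(selinux_config_value SELINUXTYPE "$cfg")
    [ -n "$type" ] || return 1
    # The kernel policy is shipped as policy.<version>; an unmatched glob makes ls fail.
    ls "$root/$type/policy/policy."* >/dev/null 2>&1
}

# selinux_preflight CFG ROOT : human-readable verdict.
selinux_preflight() {
    cfg="$1"; root="$2"
    mode=$(selinux_config_value SELINUX "$cfg")
    type=$(selinux_config_value SELINUXTYPE "$cfg")
    if [ "$mode" = "disabled" ]; then
        echo "ok: SELINUX=disabled, policy type not checked"
    elif selinux_policy_present "$cfg" "$root"; then
        echo "ok: SELINUX=$mode with policy '$type' present"
    else
        echo "danger: SELINUX=$mode but no compiled policy for '$type' under $root (install selinux-policy-$type before rebooting)"
    fi
}

# --- Constructed demo tree standing in for /etc/selinux ---
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
mkdir -p "$demo_root/targeted/policy"
: > "$demo_root/targeted/policy/policy.29"   # constructed placeholder, not a real policy

cat > "$demo_root/config.targeted" <<'EOF'
# constructed config: type installed in the demo tree
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

cat > "$demo_root/config.minimum" <<'EOF'
# constructed config: type NOT installed in the demo tree
SELINUX=enforcing
SELINUXTYPE=minimum
EOF

selinux_preflight "$demo_root/config.targeted" "$demo_root"
selinux_preflight "$demo_root/config.minimum" "$demo_root"
```

Running it prints an "ok" verdict for the targeted config and a "danger" verdict for the minimum config, which is exactly the state the machine was in before the failed reboot above.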


[root@localhost ~]# getenforce

Enforcing

[root@localhost ~]#

Checking the installed policy modules

The following command lists the SELinux policy modules currently loaded.


[root@localhost ~]# semodule -l

apache  2.7.2

application     1.2.0

auditadm        2.2.0

authlogin       2.5.1

base    (null)

bootloader      1.14.0

clock   1.7.0

dbus    1.19.0

dmesg   1.3.0

fstools 1.16.1

getty   1.10.0

hostname        1.8.1

inetd   1.13.0

init    1.20.1

ipsec   1.14.0

iptables        1.14.0

kerberos        1.12.0

libraries       2.10.0

locallogin      1.12.0

logadm  1.0.0

logging 1.20.1

lvm     1.15.2

miscfiles       1.11.0

modutils        1.14.0

mount   1.16.1

mta     2.7.3

netlabel        1.3.0

netutils        1.12.1

nis     1.12.0

postgresql      1.16.0

secadm  2.4.0

selinuxutil     1.17.2

setrans 1.8.0

seunshare       1.1.0

ssh     2.4.2

staff   2.4.0

su      1.12.0

sudo    1.10.0

sysadm  2.6.1

sysadm_secadm   1.0.0

sysnetwork      1.15.4

systemd 1.0.0

udev    1.16.2

unconfined      3.5.0

unconfineduser  1.0.0

unlabelednet    1.0.0

unprivuser      2.4.0

userdomain      4.9.1

usermanage      1.19.0

xserver 3.9.4

[root@localhost ~]#

For more detail, including the disabled modules:


[root@localhost ~]# semodule -lfull

100 abrt              pp disabled

100 accountsd         pp disabled

100 acct              pp disabled

100 afs               pp disabled

100 aiccu             pp disabled

100 aide              pp disabled

100 ajaxterm          pp disabled

100 alsa              pp disabled

100 amanda            pp disabled

100 amtu              pp disabled

100 anaconda          pp disabled

100 antivirus         pp disabled

100 apache            pp         

100 apcupsd           pp disabled

100 apm               pp disabled

100 application       pp         

100 arpwatch          pp disabled

100 asterisk          pp disabled

100 auditadm          pp         

100 authconfig        pp disabled

100 authlogin         pp         

100 automount         pp disabled

100 avahi             pp disabled

100 awstats           pp disabled

100 bacula            pp disabled

100 base              pp         

100 bcfg2             pp disabled

100 bind              pp disabled

100 bitlbee           pp disabled

100 blkmapd           pp disabled

100 blueman           pp disabled

100 bluetooth         pp disabled

100 boinc             pp disabled

100 bootloader        pp         

100 brctl             pp disabled

100 brltty            pp disabled

100 bugzilla          pp disabled

100 bumblebee         pp disabled

100 cachefilesd       pp disabled

100 calamaris         pp disabled

100 callweaver        pp disabled

100 canna             pp disabled

100 ccs               pp disabled

100 cdrecord          pp disabled

100 certmaster        pp disabled

100 certmonger        pp disabled

100 certwatch         pp disabled

100 cfengine          pp disabled

100 cgdcbxd           pp disabled

100 cgroup            pp disabled

100 chrome            pp disabled

100 chronyd           pp disabled

100 cinder            pp disabled

100 cipe              pp disabled

100 clock             pp         

100 clogd             pp disabled

100 cloudform         pp disabled

100 cmirrord          pp disabled

100 cobbler           pp disabled

100 cockpit           pp disabled

100 collectd          pp disabled

100 colord            pp disabled

100 comsat            pp disabled

100 condor            pp disabled

100 conman            pp disabled

100 consolekit        pp disabled

100 couchdb           pp disabled

100 courier           pp disabled

100 cpucontrol        pp disabled

100 cpufreqselector   pp disabled

100 cpuplug           pp disabled

100 cron              pp disabled

100 ctdb              pp disabled

100 cups              pp disabled

100 cvs               pp disabled

100 cyphesis          pp disabled

100 cyrus             pp disabled

100 daemontools       pp disabled

100 dbadm             pp disabled

100 dbskk             pp disabled

100 dbus              pp         

100 dcc               pp disabled

100 ddclient          pp disabled

100 denyhosts         pp disabled

100 devicekit         pp disabled

100 dhcp              pp disabled

100 dictd             pp disabled

100 dirsrv            pp disabled

100 dirsrv-admin      pp disabled

100 dmesg             pp         

100 dmidecode         pp disabled

100 dnsmasq           pp disabled

100 dnssec            pp disabled

100 docker            pp disabled

100 dovecot           pp disabled

100 drbd              pp disabled

100 dspam             pp disabled

100 entropyd          pp disabled

100 exim              pp disabled

100 fail2ban          pp disabled

100 fcoe              pp disabled

100 fetchmail         pp disabled

100 finger            pp disabled

100 firewalld         pp disabled

100 firewallgui       pp disabled

100 firstboot         pp disabled

100 fprintd           pp disabled

100 freeipmi          pp disabled

100 freqset           pp disabled

100 fstools           pp         

100 ftp               pp disabled

100 games             pp disabled

100 gdomap            pp disabled

100 gear              pp disabled

100 geoclue           pp disabled

100 getty             pp         

100 git               pp disabled

100 gitosis           pp disabled

100 glance            pp disabled

100 glusterd          pp disabled

100 gnome             pp disabled

100 gpg               pp disabled

100 gpm               pp disabled

100 gpsd              pp disabled

100 gssproxy          pp disabled

100 guest             pp disabled

100 hddtemp           pp disabled

100 hostname          pp         

100 hsqldb            pp disabled

100 hwloc             pp disabled

100 hypervkvp         pp disabled

100 icecast           pp disabled

100 inetd             pp         

100 init              pp         

100 inn               pp disabled

100 iodine            pp disabled

100 iotop             pp disabled

100 ipa               pp disabled

100 ipmievd           pp disabled

100 ipsec             pp         

100 iptables          pp         

100 irc               pp disabled

100 irqbalance        pp disabled

100 iscsi             pp disabled

100 isns              pp disabled

100 jabber            pp disabled

100 jetty             pp disabled

100 jockey            pp disabled

100 journalctl        pp disabled

100 kdump             pp disabled

100 kdumpgui          pp disabled

100 keepalived        pp disabled

100 kerberos          pp         

100 keyboardd         pp disabled

100 keystone          pp disabled

100 kismet            pp disabled

100 kmscon            pp disabled

100 ksmtuned          pp disabled

100 ktalk             pp disabled

100 l2tp              pp disabled

100 ldap              pp disabled

100 libraries         pp         

100 likewise          pp disabled

100 linuxptp          pp disabled

100 lircd             pp disabled

100 livecd            pp disabled

100 lldpad            pp disabled

100 loadkeys          pp disabled

100 locallogin        pp         

100 lockdev           pp disabled

100 logadm            pp         

100 logging           pp         

100 logrotate         pp disabled

100 logwatch          pp disabled

100 lpd               pp disabled

100 lsm               pp disabled

100 lttng-tools       pp disabled

100 lvm               pp         

100 mailman           pp disabled

100 mailscanner       pp disabled

100 man2html          pp disabled

100 mandb             pp disabled

100 mcelog            pp disabled

100 mediawiki         pp disabled

100 memcached         pp disabled

100 milter            pp disabled

100 minidlna          pp disabled

100 minissdpd         pp disabled

100 mip6d             pp disabled

100 mirrormanager     pp disabled

100 miscfiles         pp         

100 mock              pp disabled

100 modemmanager      pp disabled

100 modutils          pp         

100 mojomojo          pp disabled

100 mon_statd         pp disabled

100 mongodb           pp disabled

100 motion            pp disabled

100 mount             pp         

100 mozilla           pp disabled

100 mpd               pp disabled

100 mplayer           pp disabled

100 mrtg              pp disabled

100 mta               pp         

100 munin             pp disabled

100 mysql             pp disabled

100 mythtv            pp disabled

100 nagios            pp disabled

100 namespace         pp disabled

100 ncftool           pp disabled

100 netlabel          pp         

100 netutils          pp         

100 networkmanager    pp disabled

100 ninfod            pp disabled

100 nis               pp         

100 nova              pp disabled

100 nscd              pp disabled

100 nsd               pp disabled

100 nslcd             pp disabled

100 ntop              pp disabled

100 ntp               pp disabled

100 numad             pp disabled

100 nut               pp disabled

100 nx                pp disabled

100 obex              pp disabled

100 oddjob            pp disabled

100 openct            pp disabled

100 opendnssec        pp disabled

100 openhpid          pp disabled

100 openshift         pp disabled

100 openshift-origin  pp disabled

100 opensm            pp disabled

100 openvpn           pp disabled

100 openvswitch       pp disabled

100 openwsman         pp disabled

100 oracleasm         pp disabled

100 osad              pp disabled

100 pads              pp disabled

100 passenger         pp disabled

100 pcmcia            pp disabled

100 pcp               pp disabled

100 pcscd             pp disabled

100 pegasus           pp disabled

100 pesign            pp disabled

100 pingd             pp disabled

100 piranha           pp disabled

100 pkcs              pp disabled

100 pki               pp disabled

100 plymouthd         pp disabled

100 podsleuth         pp disabled

100 policykit         pp disabled

100 polipo            pp disabled

100 portmap           pp disabled

100 portreserve       pp disabled

100 postfix           pp disabled

100 postgresql        pp         

100 postgrey          pp disabled

100 ppp               pp disabled

100 prelink           pp disabled

100 prelude           pp disabled

100 privoxy           pp disabled

100 procmail          pp disabled

100 prosody           pp disabled

100 psad              pp disabled

100 ptchown           pp disabled

100 publicfile        pp disabled

100 pulseaudio        pp disabled

100 puppet            pp disabled

100 pwauth            pp disabled

100 qmail             pp disabled

100 qpid              pp disabled

100 quantum           pp disabled

100 quota             pp disabled

100 rabbitmq          pp disabled

100 radius            pp disabled

100 radvd             pp disabled

100 raid              pp disabled

100 rasdaemon         pp disabled

100 rdisc             pp disabled

100 readahead         pp disabled

100 realmd            pp disabled

100 redis             pp disabled

100 remotelogin       pp disabled

100 rhcs              pp disabled

100 rhev              pp disabled

100 rhgb              pp disabled

100 rhnsd             pp disabled

100 rhsmcertd         pp disabled

100 ricci             pp disabled

100 rkhunter          pp disabled

100 rlogin            pp disabled

100 rngd              pp disabled

100 roundup           pp disabled

100 rpc               pp disabled

100 rpcbind           pp disabled

100 rpm               pp disabled

100 rshd              pp disabled

100 rssh              pp disabled

100 rsync             pp disabled

100 rtas              pp disabled

100 rtkit             pp disabled

100 rwho              pp disabled

100 samba             pp disabled

100 sambagui          pp disabled

100 sandboxX          pp disabled

100 sanlock           pp disabled

100 sasl              pp disabled

100 sbd               pp disabled

100 sblim             pp disabled

100 screen            pp disabled

100 secadm            pp         

100 sectoolm          pp disabled

100 selinuxutil       pp         

100 sendmail          pp disabled

100 sensord           pp disabled

100 setrans           pp         

100 setroubleshoot    pp disabled

100 seunshare         pp         

100 sge               pp disabled

100 shorewall         pp disabled

100 slocate           pp disabled

100 slpd              pp disabled

100 smartmon          pp disabled

100 smokeping         pp disabled

100 smoltclient       pp disabled

100 smsd              pp disabled

100 snapper           pp disabled

100 snmp              pp disabled

100 snort             pp disabled

100 sosreport         pp disabled

100 soundserver       pp disabled

100 spamassassin      pp disabled

100 speech-dispatcher pp disabled

100 squid             pp disabled

100 ssh               pp         

100 sssd              pp disabled

100 staff             pp         

100 stapserver        pp disabled

100 stunnel           pp disabled

100 su                pp         

100 sudo              pp         

100 svnserve          pp disabled

100 swift             pp disabled

100 sysadm            pp         

100 sysadm_secadm     pp         

100 sysnetwork        pp         

100 sysstat           pp disabled

100 systemd           pp         

100 targetd           pp disabled

100 tcpd              pp disabled

100 tcsd              pp disabled

100 telepathy         pp disabled

100 telnet            pp disabled

100 tftp              pp disabled

100 tgtd              pp disabled

100 thin              pp disabled

100 thumb             pp disabled

100 tmpreaper         pp disabled

100 tomcat            pp disabled

100 tor               pp disabled

100 tuned             pp disabled

100 tvtime            pp disabled

100 udev              pp         

100 ulogd             pp disabled

100 uml               pp disabled

100 unconfined        pp         

100 unconfineduser    pp         

100 unlabelednet      pp         

100 unprivuser        pp         

100 updfstab          pp disabled

100 usbmodules        pp disabled

100 usbmuxd           pp disabled

100 userdomain        pp         

100 userhelper        pp disabled

100 usermanage        pp         

100 usernetctl        pp disabled

100 uucp              pp disabled

100 uuidd             pp disabled

100 varnishd          pp disabled

100 vdagent           pp disabled

100 vhostmd           pp disabled

100 virt              pp disabled

100 vlock             pp disabled

100 vmtools           pp disabled

100 vmware            pp disabled

100 vnstatd           pp disabled

100 vpn               pp disabled

100 w3c               pp disabled

100 watchdog          pp disabled

100 wdmd              pp disabled

100 webadm            pp disabled

100 webalizer         pp disabled

100 wine              pp disabled

100 wireshark         pp disabled

100 xen               pp disabled

100 xguest            pp disabled

100 xserver           pp         

100 zabbix            pp disabled

100 zarafa            pp disabled

100 zebra             pp disabled

100 zoneminder        pp disabled

100 zosremote         pp disabled

[root@localhost ~]#


The leading 100 is the priority, and pp can be thought of as the file format the policy is packaged in. I'll come back to this later.


SELinux in practice: confined vs unconfined

One of the first SELinux concepts to understand is confined versus unconfined.



[root@localhost ~]# id -Z

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[root@localhost ~]#

This command shows the SELinux context; in root's case it is unconfined.

To see the difference, we'll add users, but first let's install a few tools we need.

Installing the tools


[root@localhost ~]# yum install -y setools-console

Loaded plugins: fastestmirror

Loading mirror speeds from cached hostfile

* base: centos.mirror.cdnetworks.com

* extras: centos.mirror.cdnetworks.com

* updates: centos.mirror.cdnetworks.com

Resolving Dependencies

--> Running transaction check

---> Package setools-console.x86_64 0:3.3.8-1.1.el7 will be installed

--> Finished Dependency Resolution

Dependencies Resolved

=========================================================================================================================

Package                    Arch                   Version                          Repository                  Size

=========================================================================================================================

Installing:

setools-console            x86_64                 3.3.8-1.1.el7                    base                       310 k

Transaction Summary

=========================================================================================================================

Install  1 Package

Total download size: 310 k

Installed size: 1.1 M

Downloading packages:

setools-console-3.3.8-1.1.el7.x86_64.rpm                        | 310 kB  00:00:00     

Running transaction check

Running transaction test

Transaction test succeeded

Running transaction

  Installing : setools-console-3.3.8-1.1.el7.x86_64                               1/1

  Verifying  : setools-console-3.3.8-1.1.el7.x86_64                               1/1

Installed:

  setools-console.x86_64 0:3.3.8-1.1.el7                                                                                                    

Complete!

[root@localhost ~]#

This package provides the seinfo command.


[root@localhost ~]# seinfo

Statistics for policy file: /sys/fs/selinux/policy

Policy Version & Type: v.28 (binary, mls)

   Classes:            91    Permissions:       256

   Sensitivities:       1    Categories:       1024

   Types:            1599    Attributes:        157

   Users:               6    Roles:               9

   Booleans:          112    Cond. Expr.:       117

   Allow:           20350    Neverallow:          0

   Auditallow:         41    Dontaudit:        1934

   Type_trans:       1621    Type_change:        21

   Type_member:        13    Role allow:         25

   Role_trans:         32    Range_trans:        88

   Constraints:       109    Validatetrans:       0

   Initial SIDs:       27    Fs_use:             28

   Genfscon:          105    Portcon:           596

   Netifcon:            0    Nodecon:             0

   Permissives:         0    Polcap:              2

[root@localhost ~]#

Creating test users


[root@localhost ~]# useradd user1

[root@localhost ~]# passwd user1

Changing password for user user1.

New password:

Retype new password:

passwd: all authentication tokens updated successfully.

[root@localhost ~]#


[root@localhost ~]# useradd -Z user_u user2

[root@localhost ~]# passwd user2

Changing password for user user2.

New password:

Retype new password:

passwd: all authentication tokens updated successfully.

[root@localhost ~]#

This creates user1, who is unconfined, and user2, who is confined as user_u.


[root@localhost ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *

root                 unconfined_u         s0-s0:c0.c1023       *

system_u             system_u             s0-s0:c0.c1023       *

user2                user_u               s0                   *

[root@localhost ~]#

You can see that user2 has user_u assigned as its SELinux User.

The difference between unconfined user1 and confined user2


[user1@localhost ~]$ id -Z

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[user1@localhost ~]$

[user1@localhost ~]$ systemctl | grep sshd

  sshd.service                          loaded active running   OpenSSH server daemon

[user1@localhost ~]$


[user2@localhost ~]$ id -Z

user_u:user_r:user_t:s0

[user2@localhost ~]$

[user2@localhost ~]$ systemctl status sshd

-bash: systemctl: command not found

[user2@localhost ~]$

As you can see, the two users are otherwise identical, but user2 has no permission on the systemctl command and cannot even execute it.

Why user1 and user2 differ

Look at the information on systemctl...
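As an added example (my own helpers, not code from the original post), the script below pulls the user, role and type out of an id -Z context and resolves a Linux login to its SELinux user from semanage login -l style output, applying the __default__ fallback that user1 (no explicit entry) gets and user2 (explicit user_u entry) does not. SAMPLE_LOGINS is a constructed copy of the listing shown above, not live output.

```shell
#!/bin/sh
# Added example: small audit helpers for confined vs unconfined users.
# Not part of the original post.

# Constructed copy of a `semanage login -l` listing (same format as above).
SAMPLE_LOGINS=$(cat <<'EOF'
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
user2                user_u               s0                   *
EOF
)

# context_field CONTEXT FIELD  (FIELD = user | role | type | range)
# e.g. context_field "user_u:user_r:user_t:s0" type  -> user_t
context_field() {
    ctx="$1"
    case "$2" in
        user)  printf '%s\n' "$ctx" | cut -d: -f1 ;;
        role)  printf '%s\n' "$ctx" | cut -d: -f2 ;;
        type)  printf '%s\n' "$ctx" | cut -d: -f3 ;;
        range) printf '%s\n' "$ctx" | cut -d: -f4- ;;   # the MCS range itself contains ':'
        *)     return 1 ;;
    esac
}

# is_unconfined_context CONTEXT : true when the process runs in unconfined_t
is_unconfined_context() {
    [ "$(context_field "$1" type)" = "unconfined_t" ]
}

# effective_seuser LOGIN < listing : the SELinux user LOGIN maps to, using the
# login's own entry if present and the __default__ entry otherwise.
effective_seuser() {
    awk -v l="$1" '
        NR == 1 || NF < 2   { next }       # skip the header and blank lines
        $1 == l             { found = $2 }
        $1 == "__default__" { dflt = $2 }
        END { print (found != "" ? found : dflt) }'
}

# confined_logins < listing : explicitly mapped logins that are not unconfined_u.
# A login absent from the listing falls back to __default__ instead.
confined_logins() {
    awk 'NR == 1 || NF < 2 { next }
         $1 != "__default__" && $2 != "unconfined_u" { print $1 }'
}

# Demo against the constructed listing
for u in user1 user2; do
    printf '%s -> %s\n' "$u" "$(printf '%s\n' "$SAMPLE_LOGINS" | effective_seuser "$u")"
done
```

On a live host you would feed the functions real output, for example semanage login -l | effective_seuser user1; the point of the __default__ logic is that a login you never passed -Z to is unconfined simply because nothing says otherwise.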



[root@localhost ~]# ls -alZ /usr/bin/systemctl

-rwxr-xr-x. root root system_u:object_r:systemd_systemctl_exec_t:s0 /usr/bin/systemctl

[root@localhost ~]#


The middle part, "system_u:object_r:systemd_systemctl_exec_t:s0", is the key.

Keeping to why it fails: the third field, systemd_systemctl_exec_t, is the SELinux type defined for the systemctl command.



[user2@localhost ~]$ id -Z

user_u:user_r:user_t:s0

[user2@localhost ~]$ ls -alZ /usr/bin/systemctl

ls: cannot access /usr/bin/systemctl: Permission denied

[user2@localhost ~]$

user2, defined as user_u:user_r:user_t, cannot even read the file. To briefly explain how this result comes about:

A relationship analysis tool? sesearch

sesearch is the tool for finding these relationships: -s source, -t target, -A (allow rules).


[root@localhost ~]# sesearch -s user_t -t systemd_systemctl_exec_t -A | grep systemctl

[root@localhost ~]#

No rule is defined at all. So what about the unconfined user1? Let's take a look:


[root@localhost ~]# sesearch -s unconfined_t -t systemd_systemctl_exec_t -A | grep systemctl

   allow unconfined_domain_type systemd_systemctl_exec_t : file { ioctl read getattr lock execute execute_no_trans open } ;

   allow unconfined_t systemd_systemctl_exec_t : file { ioctl read getattr lock execute execute_no_trans open } ;

[root@localhost ~]#

The second line reads as: allow (permit) unconfined_t (from this domain) systemd_systemctl_exec_t (on this type) : file (for file permissions) { (grant these permissions) }.

That is what creates the difference between user1 and user2.

This rule is defined somewhere in the modules we saw with semodule -l.
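The allow-rule format explained above can be checked mechanically. As an added example (my own helper, not code from the original post or from the setools project), the script below reads sesearch -A style lines from standard input and reports which permissions a source type has on a target type for a given object class, so "does user_t have execute on systemd_systemctl_exec_t?" becomes a one-liner. SAMPLE_RULES is a constructed copy of the two lines shown above; the parser matches source names literally, so a rule written against an attribute such as unconfined_domain_type is not expanded to its member types.

```shell
#!/bin/sh
# Added example: parse `allow <src> <tgt> : <class> { <perms> } ;` lines
# as printed by sesearch -A. Not part of the original post.

# Constructed copy of the two allow lines shown above for unconfined_t.
# user_t has no line at all, which is how "no rule defined" looks.
SAMPLE_RULES=$(cat <<'EOF'
   allow unconfined_domain_type systemd_systemctl_exec_t : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow unconfined_t systemd_systemctl_exec_t : file { ioctl read getattr lock execute execute_no_trans open } ;
EOF
)

# allowed_perms SRC TGT CLASS < rules : sorted union of the permissions that
# allow rules with exactly this source, target and class grant.
allowed_perms() {
    awk -v s="$1" -v t="$2" -v c="$3" '
        $1 == "allow" && $2 == s && $3 == t && $5 == c {
            inperm = 0
            for (i = 6; i <= NF; i++) {
                if ($i == "{") { inperm = 1; continue }
                if ($i == "}") { inperm = 0; continue }
                if (inperm) perms[$i] = 1
            }
        }
        END {
            n = 0
            for (p in perms) out[++n] = p
            # simple exchange sort so the output is stable and easy to compare
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (out[j] < out[i]) { tmp = out[i]; out[i] = out[j]; out[j] = tmp }
            for (i = 1; i <= n; i++) printf "%s%s", out[i], (i < n ? " " : "\n")
        }'
}

# has_perm SRC TGT CLASS PERM < rules : exit 0 when PERM is granted.
has_perm() {
    perms=$(allowed_perms "$1" "$2" "$3")
    case " $perms " in *" $4 "*) return 0 ;; esac
    return 1
}

# Demo against the constructed rules
printf 'unconfined_t: %s\n' "$(printf '%s\n' "$SAMPLE_RULES" | allowed_perms unconfined_t systemd_systemctl_exec_t file)"
printf 'user_t: %s\n'       "$(printf '%s\n' "$SAMPLE_RULES" | allowed_perms user_t systemd_systemctl_exec_t file)"
```

On a live host the same functions work on real output, for example sesearch -s user_t -t systemd_systemctl_exec_t -A | has_perm user_t systemd_systemctl_exec_t file execute; an empty result for user_t is the "no rule defined" case the post shows, and it is why the denial happens before bash can even stat the binary.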


Summary

Basic enabling and disabling of SELinux,
applying the targeted and minimum policies,
recovering from an SELinux boot failure,
unconfined and confined users

Those are the topics I've gone over. SELinux is usually used only at the level of enforcing, disabled or permissive... or rather, in practice most people simply turn it off.

The additional material beyond that is rarely covered, so it can be quite hard to follow. My explanation is also lacking.


I'll keep writing these up in more detail going forward.