SELinux operating logic and policy (CentOS)


Security Enhanced Linux (SELinux) was developed by the US National Security Agency (NSA) in 2000. The project is distributed under the GPL license. Its main goal is to bring a computer system to a level of protection at which it can safely be used in military and government organizations. SELinux is an extension to the kernel whose purpose is to increase the kernel's security and to make it possible to regulate access rights to the system strictly and flexibly for specific users.


Which operating logic do I need?
getsebool -a

shows all the protection options you can change. With SELinux enabled you will see a list that tells you whether the protection logic of the given services needs to be configured.

To check whether SELinux is enabled, enter:
# sestatus

Accordingly:
enforcing - enforcing mode
permissive - warning mode (denials are only logged, not blocked)

Note: you cannot change all of the policies listed below, only the ones that getsebool -a shows you. The list below comes from system-config-selinux and shows all the policies that may be available depending on the installed packages.

Example: SELinux does not let your httpd daemon talk to an LDAP server on the same machine. You need to be able to authenticate against LDAP. You know that the policies you are interested in contain the word httpd.
[root@localhost ~]# getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_bugzilla_script_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_nagios_script_anon_write --> off
allow_httpd_squid_script_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> on
httpd_unified --> on


httpd_can_network_connect looks interesting; let's compare it with the list below.

httpd_can_network_connect (HTTPD Service):: Allow HTTPD scripts and modules to connect to the network.

Looks like this is what we need ...
setsebool -P httpd_can_network_connect on

It turned out to be exactly that. Voilà, everything works.
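The procedure above (list the booleans for a service, read their current state, then switch the one you need with setsebool -P) can be wrapped in a small helper so that the decision is visible before anything is changed. The script below is an added example, not part of the original article; SAMPLE_GETSEBOOL is a constructed excerpt of the getsebool -a output shown above, used when the host has no getsebool so the script can be tried anywhere. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): reproduce the article's
# "getsebool -a | grep httpd" / "setsebool -P" procedure as small functions.
# SAMPLE_GETSEBOOL is a constructed excerpt of the listing shown in the article.

SAMPLE_GETSEBOOL='allow_httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_enable_cgi --> on'

# booleans_matching LISTING KEYWORD
# Names of all booleans whose name contains KEYWORD (same idea as the grep above).
booleans_matching() {
    printf '%s\n' "$1" | grep -- "$2" | awk '{print $1}'
}

# boolean_state LISTING NAME
# Prints "on" or "off" for NAME, or "missing" if the boolean is not in LISTING
# (i.e. not provided by the installed policy packages, see the note in the article).
boolean_state() {
    state=$(printf '%s\n' "$1" | awk -v n="$2" '$1 == n {print $3}')
    printf '%s\n' "${state:-missing}"
}

# set_command LISTING NAME
# The persistent setsebool command that is still needed, "noop" if the boolean is
# already on, and an error for a boolean the listing does not contain.
set_command() {
    case "$(boolean_state "$1" "$2")" in
        off) printf 'setsebool -P %s on\n' "$2" ;;
        on)  printf 'noop\n' ;;
        *)   printf 'unknown boolean: %s\n' "$2" >&2; return 1 ;;
    esac
}

# live_listing
# Real "getsebool -a" when the tools exist, otherwise the constructed sample.
live_listing() {
    if command -v getsebool >/dev/null 2>&1; then
        getsebool -a
    else
        printf '%s\n' "$SAMPLE_GETSEBOOL"
    fi
}

# Usage: show the candidates and the exact command the fix would run,
# without changing anything on the system.
LISTING=$(live_listing)
echo "Booleans mentioning httpd:"
booleans_matching "$LISTING" httpd
echo "To apply: $(set_command "$LISTING" httpd_can_network_connect)"
```

Run it as root to see the real listing; the final line prints the command rather than executing it, so you can check the candidates first. Note that httpd_can_network_connect opens all outbound network access for httpd, while the listing also contains narrower booleans such as httpd_can_network_connect_db; pick the narrowest one that makes the service work.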

system-config-selinux is a graphical interface for managing SELinux policy settings. If you have a GUI, it is a good idea to install this package and make changes through it.

This can be done as follows:
yum install policycoreutils-gui

List of SELinux policies

acct_disable_trans (SELinux Service Protection)
allow_cvs_read_shadow (CVS)
allow_daemons_dump_core (Admin)
allow_daemons_use_tty (Admin)
allow_execheap (Memory Protection)
allow_execmem (Memory Protection)
allow_execmod (Memory Protection)
allow_execstack (Memory Protection)
allow_ftpd_full_access (FTP)
allow_ftpd_anon_write (FTP)
allow_ftpd_use_cifs (FTP)
allow_ftpd_use_nfs (FTP)
allow_gpg_execstack (Memory Protection)
allow_gssd_read_tmp (NFS)
allow_httpd_anon_write (HTTPD Service)
allow_httpd_mod_auth_pam (HTTPD Service)
allow_httpd_sys_script_anon_write (HTTPD Service)
allow_java_execstack (Memory Protection)
allow_kerberos (Kerberos)
allow_mount_anyfile (Mount)
allow_mounton_anydir (Mount)
allow_mplayer_execstack (Memory Protection)
allow_nfsd_anon_write (NFS)
allow_polyinstantiation (Polyinstantiation)
allow_ptrace (Compatibility)
allow_rsync_anon_write (rsync)
allow_smbd_anon_write (Samba)
allow_ssh_keysign (SSH)
allow_unconfined_execmem_dyntrans (Memory Protection)
allow_user_mysql_connect (Databases)
allow_user_postgresql_connect (Databases)
allow_write_xshm (XServer)
allow_ypbind (NIS)
allow_zebra_write_config (Zebra)
amanda_disable_trans (SELinux Service Protection)
amavis_disable_trans (SELinux Service Protection)
apmd_disable_trans (SELinux Service Protection)
arpwatch_disable_trans (SELinux Service Protection)
auditd_disable_trans (SELinux Service Protection)
automount_disable_trans (Mount)
avahi_disable_trans (SELinux Service Protection)
bluetooth_disable_trans (SELinux Service Protection)
canna_disable_trans (SELinux Service Protection)
cardmgr_disable_trans (SELinux Service Protection)
ccs_disable_trans (SELinux Service Protection)
cdrecord_read_content (User Privs)
ciped_disable_trans (SELinux Service Protection)
clamd_disable_trans (SELinux Service Protection)
clamscan_disable_trans (SELinux Service Protection)
clvmd_disable_trans (SELinux Service Protection)
comsat_disable_trans (SELinux Service Protection)
courier_authdaemon_disable_trans (SELinux Service Protection)
courier_pcp_disable_trans (SELinux Service Protection)
courier_pop_disable_trans (SELinux Service Protection)
courier_sqwebmail_disable_trans (SELinux Service Protection)
courier_tcpd_disable_trans (SELinux Service Protection)
cpucontrol_disable_trans (SELinux Service Protection)
cpuspeed_disable_trans (SELinux Service Protection)
cron_can_relabel (Cron)
crond_disable_trans (Cron)
cupsd_config_disable_trans (Printing)
cupsd_disable_trans (Printing)
cupsd_lpd_disable_trans (Printing)
cvs_disable_trans (CVS)
cyrus_disable_trans (SELinux Service Protection)
dbskkd_disable_trans (SELinux Service Protection)
dbusd_disable_trans (SELinux Service Protection)
dccd_disable_trans (SELinux Service Protection)
dccifd_disable_trans (SELinux Service Protection)
dccm_disable_trans (SELinux Service Protection)
ddt_client_disable_trans (SELinux Service Protection)
devfsd_disable_trans (SELinux Service Protection)
dhcpc_disable_trans (SELinux Service Protection)
dhcpd_disable_trans (SELinux Service Protection)
dictd_disable_trans (SELinux Service Protection)
direct_sysadm_daemon (Admin)
disable_evolution_trans (Web Applications)
disable_games_trans (Games)
disable_mozilla_trans (Web Applications)
disable_thunderbird_trans (Web Applications)
distccd_disable_trans (SELinux Service Protection)
dmesg_disable_trans (SELinux Service Protection)
dnsmasq_disable_trans (SELinux Service Protection)
dovecot_disable_trans (SELinux Service Protection)
entropyd_disable_trans (SELinux Service Protection)
fcron_crond (Cron)
fetchmail_disable_trans (SELinux Service Protection)
fingerd_disable_trans (SELinux Service Protection)
freshclam_disable_trans (SELinux Service Protection)
fsdaemon_disable_trans (SELinux Service Protection)
ftpd_disable_trans (FTP)
ftpd_is_daemon (FTP)
ftp_home_dir (FTP)
global_ssp (Admin)
gpm_disable_trans (SELinux Service Protection)
gssd_disable_trans (NFS)
hald_disable_trans (SELinux Service Protection)
hide_broken_symptoms (Compatibility)
hostname_disable_trans (SELinux Service Protection)
hotplug_disable_trans (SELinux Service Protection)
howl_disable_trans (SELinux Service Protection)
hplip_disable_trans (Printing)
httpd_builtin_scripting (HTTPD Service)
httpd_can_network_connect_db (HTTPD Service)
httpd_can_network_connect (HTTPD Service)
httpd_can_network_relay (HTTPD Service)
httpd_disable_trans (HTTPD Service)
httpd_enable_cgi (HTTPD Service)
httpd_enable_ftp_server (HTTPD Service)
httpd_enable_homedirs (HTTPD Service)
httpd_rotatelogs_disable_trans (SELinux Service Protection)
httpd_ssi_exec (HTTPD Service)
httpd_suexec_disable_trans (HTTPD Service)
httpd_tty_comm (HTTPD Service)
httpd_unified (HTTPD Service)
hwclock_disable_trans (SELinux Service Protection)
i18n_input_disable_trans (SELinux Service Protection)
imazesrv_disable_trans (SELinux Service Protection)
inetd_child_disable_trans (SELinux Service Protection)
inetd_disable_trans (SELinux Service Protection)
innd_disable_trans (SELinux Service Protection)
iptables_disable_trans (SELinux Service Protection)
ircd_disable_trans (SELinux Service Protection)
irqbalance_disable_trans (SELinux Service Protection)
iscsid_disable_trans (SELinux Service Protection)
jabberd_disable_trans (SELinux Service Protection)
kadmind_disable_trans (Kerberos)
klogd_disable_trans (SELinux Service Protection)
krb5kdc_disable_trans (Kerberos)
ktalkd_disable_trans (SELinux Service Protection)
kudzu_disable_trans (SELinux Service Protection)
locate_disable_trans (SELinux Service Protection)
lpd_disable_trans (SELinux Service Protection)
lrrd_disable_trans (SELinux Service Protection)
lvm_disable_trans (SELinux Service Protection)
mailman_mail_disable_trans (SELinux Service Protection)
mail_read_content (Web Applications)
mdadm_disable_trans (SELinux Service Protection)
monopd_disable_trans (SELinux Service Protection)
mozilla_read_content (Web Applications)
mrtg_disable_trans (SELinux Service Protection)
mysqld_disable_trans (Databases)
nagios_disable_trans (SELinux Service Protection)
named_disable_trans (Name Service)
named_write_master_zones (Name Service)
nessusd_disable_trans (SELinux Service Protection)
NetworkManager_disable_trans (SELinux Service Protection)
nfsd_disable_trans (NFS)
nfs_export_all_ro (NFS)
nfs_export_all_rw (NFS)
nmbd_disable_trans (Samba)
nrpe_disable_trans (SELinux Service Protection)
nscd_disable_trans (Name Service)
nsd_disable_trans (SELinux Service Protection)
ntpd_disable_trans (SELinux Service Protection)
oddjob_disable_trans (SELinux Service Protection)
oddjob_mkhomedir_disable_trans (SELinux Service Protection)
openvpn_disable_trans (SELinux Service Protection)
pam_console_disable_trans (SELinux Service Protection)
pegasus_disable_trans (SELinux Service Protection)
perdition_disable_trans (SELinux Service Protection)
portmap_disable_trans (SELinux Service Protection)
portslave_disable_trans (SELinux Service Protection)
postfix_disable_trans (SELinux Service Protection)
postgresql_disable_trans (Databases)
pppd_can_insmod (pppd)
pppd_disable_trans (pppd)
pppd_for_user (pppd)
pptp_disable_trans (SELinux Service Protection)
prelink_disable_trans (SELinux Service Protection)
privoxy_disable_trans (SELinux Service Protection)
ptal_disable_trans (SELinux Service Protection)
pxe_disable_trans (SELinux Service Protection)
pyzord_disable_trans (SELinux Service Protection)
quota_disable_trans (SELinux Service Protection)
radiusd_disable_trans (SELinux Service Protection)
radvd_disable_trans (SELinux Service Protection)
rdisc_disable_trans (SELinux Service Protection)
readahead_disable_trans (SELinux Service Protection)
read_default_t (Admin)
read_untrusted_content (Web Applications)
restorecond_disable_trans (SELinux Service Protection)
rhgb_disable_trans (SELinux Service Protection)
ricci_disable_trans (SELinux Service Protection)
ricci_modclusterd_disable_trans (SELinux Service Protection)
rlogind_disable_trans (SELinux Service Protection)
rpcd_disable_trans (SELinux Service Protection)
rshd_disable_trans (SELinux Service Protection)
rsync_disable_trans (rsync)
run_ssh_inetd (SSH)
samba_enable_home_dirs (Samba)
samba_share_nfs (Samba)
allow_saslauthd_read_shadow (SASL authentication server)
saslauthd_disable_trans (SASL authentication server)
scannerdaemon_disable_trans (SELinux Service Protection)
secure_mode (Admin)
secure_mode_insmod (Admin)
secure_mode_policyload (Admin)
sendmail_disable_trans (SELinux Service Protection)
setrans_disable_trans (SELinux Service Protection)
setroubleshootd_disable_trans (SELinux Service Protection)
slapd_disable_trans (SELinux Service Protection)
slrnpull_disable_trans (SELinux Service Protection)
smbd_disable_trans (Samba)
snmpd_disable_trans (SELinux Service Protection)
snort_disable_trans (SELinux Service Protection)
soundd_disable_trans (SELinux Service Protection)
sound_disable_trans (SELinux Service Protection)
spamassassin_can_network (Spam Assassin)
spamd_disable_trans (spam Protection)
spamd_enable_home_dirs (spam Protection)
spammassasin_can_network (spam Protection)
speedmgmt_disable_trans (SELinux Service Protection)
squid_connect_any (Squid)
squid_disable_trans (Squid)
ssh_keygen_disable_trans (SSH)
ssh_sysadm_login (SSH)
staff_read_sysadm_file (Admin)
stunnel_disable_trans (Universal SSL tunnel)
stunnel_is_daemon (Universal SSL tunnel)
swat_disable_trans (SELinux Service Protection)
sxid_disable_trans (SELinux Service Protection)
syslogd_disable_trans (SELinux Service Protection)
system_crond_disable_trans (SELinux Service Protection)
tcpd_disable_trans (SELinux Service Protection)
telnetd_disable_trans (SELinux Service Protection)
tftpd_disable_trans (SELinux Service Protection)
transproxy_disable_trans (SELinux Service Protection)
udev_disable_trans (SELinux Service Protection)
uml_switch_disable_trans (SELinux Service Protection)
unlimitedInetd (Admin)
unlimitedRC (Admin)
unlimitedRPM (Admin)
unlimitedUtils (Admin)
updfstab_disable_trans (SELinux Service Protection)
uptimed_disable_trans (SELinux Service Protection)
use_lpd_server (Printing)
use_nfs_home_dirs (NFS)
user_canbe_sysadm (User Privs)
user_can_mount (Mount)
user_direct_mouse (User Privs)
user_dmesg (User Privs)
user_net_control (User Privs)
user_ping (User Privs)
user_rw_noexattrfile (User Privs)
user_rw_usb (User Privs)
user_tcp_server (User Privs)
user_ttyfile_stat (User Privs)
use_samba_home_dirs (Samba)
uucpd_disable_trans (SELinux Service Protection)
vmware_disable_trans (SELinux Service Protection)
watchdog_disable_trans (SELinux Service Protection)
winbind_disable_trans (Samba)
write_untrusted_content (Web Applications)
xdm_disable_trans (SELinux Service Protection)
xdm_sysadm_login (XServer)
xend_disable_trans (SELinux Service Protection)
xen_use_raw_disk (XEN)
xfs_disable_trans (SELinux Service Protection)
xm_disable_trans (SELinux Service Protection)
ypbind_disable_trans (NIS)
yppasswdd_disable_trans (NIS)
ypserv_disable_trans (SELinux Service Protection)
ypxfr_disable_trans (NIS)
zebra_disable_trans (SELinux Service Protection)
httpd_use_cifs (HTTPD Service)
httpd_use_nfs (HTTPD Service)
samba_domain_controller (Samba)
samba_export_all_ro (Samba)
samba_export_all_rw (Samba)
webadm_manage_users_files (HTTPD Service)
webadm_read_users_files (HTTPD Service)

Updated: 16.03.2015