
How to Prevent Unauthorized Access with SELinux on Ubuntu

Published 2025-10-10 13:21:03 by a visitor; category: Host News; views: 1457

Preparatory Steps for SELinux on Ubuntu
Ubuntu does not enable SELinux by default (it uses AppArmor instead), so the first step is to install and activate SELinux. Run the following commands to install core SELinux packages:

sudo apt update
sudo apt install selinux-basics selinux-policy-default selinux-utils

After installation, enable SELinux by editing the configuration file:

sudo nano /etc/selinux/config

Change the SELINUX= line to enforcing (this ensures SELinux is active after reboot) and save the file. To apply the change immediately, run:

sudo selinux-activate && sudo reboot

Verify SELinux is enabled and in enforcing mode using:

sestatus

The output should show Current mode: enforcing.

Understanding Core SELinux Concepts for Access Control
SELinux uses Mandatory Access Control (MAC) to restrict access based on security contexts, which consist of three key components:

  • User: System users (e.g., system_u for system processes).
  • Role: Defines what a user can do (e.g., object_r for files, system_r for processes).
  • Type: The most critical component for access control—defines the type of resource (e.g., httpd_sys_content_t for web files, ssh_home_t for SSH user files).

The enforcing mode ensures SELinux blocks unauthorized access based on these contexts. For example, a web server process (httpd_t) can only access files labeled with httpd_sys_content_t unless explicitly allowed by a custom policy.

Restricting Process and File Access with Security Contexts
To prevent unauthorized access, you must ensure files and processes have the correct security contexts. Use these commands to manage contexts:

  • View a file’s context:
    ls -Z /path/to/file
    
  • Change a file’s context (temporary, resets after reboot):
    chcon -t httpd_sys_content_t /var/www/html/index.html
    
  • Permanently restore a file’s context (based on policy):
    restorecon -v /var/www/html/index.html
    

For processes, SELinux automatically assigns a context based on the service. For example, an Apache process runs with the httpd_t type, which is restricted to accessing only files labeled for web use. This prevents a compromised web server from reading sensitive system files (e.g., /etc/shadow).

Configuring Boolean Settings for Common Services
SELinux provides booleans—dynamic switches that toggle specific permissions for services. For example, to allow Apache to access user home directories (useful for personal websites), run:

sudo setsebool -P httpd_enable_homedirs 1

The -P flag makes the change permanent. To view all available booleans for a service (e.g., Apache):

sudo semanage boolean -l | grep httpd

Adjusting booleans helps balance security and functionality—for instance, disabling unnecessary access (e.g., httpd_can_network_connect=0) reduces the attack surface.

Creating Custom Policies for Application-Specific Needs
If a service requires access beyond the default policy (e.g., a custom application needs to read logs in /var/log/myapp), you can create a custom SELinux policy module. Here’s a step-by-step guide:

  1. Install development tools:
    sudo apt install selinux-policy-dev policycoreutils-python-utils
    
  2. Generate a policy template:
    Use audit2allow to parse SELinux denial logs (e.g., from /var/log/audit/audit.log) and create a policy file:
    sudo ausearch -m avc -ts today | audit2allow -M my_custom_policy
    
    This generates two files: my_custom_policy.te (policy source) and my_custom_policy.pp (compiled module).
  3. Edit the policy file (if needed) to refine permissions. For example, to restrict the policy to only reading log files:
    policy_module(my_custom_policy, 1.0)

    # Every type and object class used in the rules below must be declared
    # here; audit2allow normally emits this block, and var_log_t is needed
    # because it is the target of the allow rule.
    require {
        type myapp_t;
        type var_log_t;
        class file { read open };
    }

    # Read-only access for myapp_t to files labeled var_log_t; no write,
    # append or create permissions are granted.
    allow myapp_t var_log_t:file { read open };

    # After editing the .te, rebuild the module before loading it:
    #   make -f /usr/share/selinux/devel/Makefile my_custom_policy.pp

  4. Load the policy module:
    sudo semodule -i my_custom_policy.pp
    
  5. Verify the policy: Check SELinux logs to ensure no further denials occur for the application.

Monitoring and Troubleshooting SELinux Events
To maintain security, regularly monitor SELinux logs for unauthorized access attempts. Use these tools:

  • View real-time denials:
    sudo ausearch -m avc -ts recent
    
  • Get detailed explanations for denials:
    sudo audit2why < /var/log/audit/audit.log
    
  • Check for persistent issues:
    sudo grep avc /var/log/audit/audit.log
    

Logs help identify misconfigurations (e.g., a process needing additional permissions) or potential attacks (e.g., repeated attempts to access restricted files). Adjust policies or contexts based on log analysis to strengthen security.
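As an added example, not part of the original article, the script below triages AVC denial records the way step 5 of the custom-policy guide and this section describe: it counts denials per source type (a result of 0 for myapp_t after the module is loaded confirms the fix) and flags repeated denials of one process against one target type. The audit records it runs on are constructed inline; on a real host you would pipe in the output of sudo ausearch -m avc -ts recent instead.

```shell
#!/bin/sh
# Constructed sample audit.log records (not captured from a real host).
# Two denials for myapp_t on var_log_t (the case fixed by my_custom_policy.pp)
# and three repeated denials of httpd_t reading shadow_t, plus one non-AVC line.
SAMPLE_AVC='type=AVC msg=audit(1728550001.101:201): avc:  denied  { read } for  pid=1201 comm="myapp" name="app.log" dev="sda1" ino=9001 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1728550002.102:202): avc:  denied  { open } for  pid=1201 comm="myapp" name="app.log" dev="sda1" ino=9001 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1728550003.103:203): avc:  denied  { read } for  pid=1333 comm="httpd" name="shadow" dev="sda1" ino=1300 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1728550004.104:204): avc:  denied  { read } for  pid=1333 comm="httpd" name="shadow" dev="sda1" ino=1300 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1728550005.105:205): avc:  denied  { read } for  pid=1333 comm="httpd" name="shadow" dev="sda1" ino=1300 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1728550005.105:205): arch=c000003e syscall=257 success=no exit=-13'

# Summarize AVC denials on stdin as: <count> <source type> <target type> <class> <perms>,
# most frequent first. Only the type field of each context is kept, matching how
# the policy rules themselves are written (allow SRC TGT:CLASS { PERMS }).
avc_summary() {
  awk '/avc: +denied/ {
    perm = $0; sub(/.*denied +[{] */, "", perm); sub(/ *[}].*/, "", perm)
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); src = s[3] }
      if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); tgt = t[3] }
      if ($i ~ /^tclass=/) cls = substr($i, 8)
    }
    n[src " " tgt " " cls " " perm]++
  }
  END { for (k in n) print n[k], k }' | sort -rn
}

# Count denials whose source type is $1 (e.g. myapp_t). Run this against
# fresh records after "semodule -i": a result of 0 means step 5 is satisfied.
count_denials_for() {
  awk -v want="$1" '/avc: +denied/ && $0 ~ ("scontext=[^ ]*:" want ":") { c++ }
                     END { print c + 0 }'
}

# Report source/target/perm combinations denied at least $1 times; repeated
# denials of one confined process against a sensitive type are the pattern
# worth investigating rather than allowing.
flag_repeated() {
  avc_summary | awk -v min="$1" '$1 >= min { print "REPEATED: " $0 }'
}

printf '%s\n' "$SAMPLE_AVC" | avc_summary
printf '%s\n' "$SAMPLE_AVC" | flag_repeated 3
echo "myapp_t denials: $(printf '%s\n' "$SAMPLE_AVC" | count_denials_for myapp_t)"
```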



Original article: https://pptw.com/jishu/722413.html