如何启用Exadata Cell端的SELinux Enforcing模式

原文链接: http://www.dbaleet.org/how_to_enable_selinux_on_exadata_cell/

SELinux(Security-Enhanced Linux) 是美国国家安全局(NSA)为Linux设计的,对于强制访问控制的一个安全子系统。大多数Linux的发行版都在各自的内核级别启用 SELinux 的,同时提供一个可定制的安全策略。SELinux实际上是强制访问控制的一种实现,主要目的是为了控制进程可以访问的资源,能够减少或者防止0-day漏洞的探测和攻击。

在Exadata上,DB节点默认其SELInux的策略是禁止的,主要是考虑到ASM可能造成的问题:参见我之前的文章 iptables和SELinux是不是必须禁用? http://www.dbaleet.org/is_disable_iptables_and_selinux_to_be_mandatory/ 。

SELinux有三种状态:

  • Enforcing: 这个缺省模式会在系统上启用并实施 SELinux 的安全性政策,拒绝访问及记录行动
  • Permissive: 在 Permissive 模式下,SELinux 会被启用但不会实施安全性政策,而只会发出警告及记录行动。Permissive 模式在排除 SELinux 的问题时很有用。
  • Disabled: SELinux 已被禁用。

在Cell端,SELInux默认以Permissive的方式开启,也就意味着系统只默认将违背访问控制的的内容写入到日志文件,并不真正的实行安全性策略。

[root@dm01cel01 audit]# imageinfo

Kernel version: 2.6.32-400.6.2.el5uek #1 SMP Sun Nov 18 17:02:09 PST 2012 x86_64
Cell version: OSS_11.2.3.2.1_LINUX.X64_121203
Cell rpm version: cell-11.2.3.2.1_LINUX.X64_121203-1

Active image version: 11.2.3.2.1.121203
Active image activated: 2012-12-05 18:22:16 -0700
Active image status: success
Active system partition on device: /dev/md5
Active software partition on device: /dev/md7

In partition rollback: Impossible

Cell boot usb partition: /dev/sda1
Cell boot usb version: 11.2.3.2.1.121203

Inactive image version: undefined
Rollback to the inactive partitions: Impossible
[root@dm01db01 audit]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 24
Policy from config file: targeted

在Linux下,SELinux是通过auditd守护进程将其违反的AVC策略写入到/var/log/audit/audit.log中的,这个文件默认日志会在25MB大小的时候进行rotation ,生成后缀为.1或者.2之类的归档文件。

Exadata较新的版本中,在/opt/oracle.SupportTools目录下会有一个名为SELinuxPermit.log的文件,这个文件实际上是取自/var/log/audit/audit.log文件中的avc denial message,;例如:

type=AVC msg=audit(1330990260.465:60): avc: denied { execute } for pid=8232 comm="ntpdate" path="/lib64/libcap.so.1.10" dev=md5 ino=688359 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file

这些就是违背SELinux的规则,如果将 SELinuxPermit.log添加为例外的规则,那么就是将SELinux设置为enforcing的模式了。

1. 根据SELinuxPermit.log的违反规则,生成对应的te(type enforcement)文件:

[root@dm01cel01 audit]# sed -e '/^#/d' /opt/oracle.SupportTools/SELinuxPermit.log |audit2allow -m Exadata > Exadata.te

2. 编译成对应的模块:

[root@dm01cel01 audit]# checkmodule -M -m Exadata.te  -o Exadata.mod

3. 将模块生成对应的package:

[root@dm01cel01 audit]# semodule_package -m Exadata.mod -o Exadata.pp

4. 在内核中移除以前的Exadata模块:

[root@dm01cel01 audit]# semodule ­-r Exadata

5. 将新生成的package载入内核:

[root@dm01cel01 audit]# semodule -­i Exadata.pp

6. 将/etc/selinux/config文件中的 “selinux=修改为enforcing”。

7. 重启主机生效。

 

注意,当前SELinux enforcing模式没有经过严格的测试,并不被官方支持。如果对Linux的SELinux不是太熟悉,请不要进行设置。

参见MOS文档:How to enable ‘enforcing’ mode for SELinux on Exadata (Doc ID 1481829.1)

Please note that SELinux enforcing mode is not tested by Exadata Development and
that creating/changing an SELinux policy is beyond the scope of Oracle Support.
Setting SELinux policy must be done carefully, to avoid ‘breaking’ applications,
so be sure to check /var/log/audit/audit.log if something should ‘go wrong’.

附我当前测试环境下Exadata其对应的TE文件的内容:

module Exadata 1.0;

require {
type audisp_t;
type mount_t;
type file_t;
type restorecon_t;
type load_policy_t;
type procmail_t;
type mdadm_t;
type wtmp_t;
type snmpd_t;
type tmp_t;
type root_t;
type auditctl_t;
type fsdaemon_t;
type auditd_t;
type faillog_t;
type fsadm_t;
type iptables_t;
type hwclock_t;
type mqueue_spool_t;
type pam_console_t;
type system_mail_t;
type semanage_t;
type usr_t;
type ping_t;
type syslogd_t;
type sysfs_t;
type var_spool_t;
type irqbalance_t;
type var_log_t;
type sendmail_log_t;
type setfiles_t;
type lastlog_t;
type etc_mail_t;
type shadow_t;
type ifconfig_t;
type ntpd_t;
type locale_t;
type etc_runtime_t;
type klogd_t;
type device_t;
type initrc_var_run_t;
type var_t;
type netutils_t;
class process { setsched getsched };
class capability sys_resource;
class file { rename execute setattr read getattr write ioctl unlink append };
class netlink_route_socket { write bind create read nlmsg_read };
class lnk_file read;
class dir { rename search read write getattr rmdir remove_name };
}

#============= audisp_t ==============
allow audisp_t file_t:file { execute getattr };
allow audisp_t self:capability sys_resource;

#============= auditctl_t ==============
allow auditctl_t etc_runtime_t:file getattr;
allow auditctl_t faillog_t:file getattr;
allow auditctl_t file_t:file read;
allow auditctl_t initrc_var_run_t:file getattr;
allow auditctl_t lastlog_t:file getattr;
allow auditctl_t locale_t:file getattr;
allow auditctl_t shadow_t:file getattr;
allow auditctl_t tmp_t:file read;
allow auditctl_t wtmp_t:file getattr;

#============= auditd_t ==============
allow auditd_t file_t:file { rename getattr setattr read unlink append };

#============= fsadm_t ==============
allow fsadm_t root_t:file unlink;
allow fsadm_t var_log_t:file append;

#============= fsdaemon_t ==============
allow fsdaemon_t file_t:file { read getattr };
allow fsdaemon_t self:capability sys_resource;
allow fsdaemon_t usr_t:file { read getattr };

#============= hwclock_t ==============
allow hwclock_t self:capability sys_resource;

#============= ifconfig_t ==============
allow ifconfig_t file_t:dir { search getattr };
allow ifconfig_t file_t:file append;
allow ifconfig_t file_t:lnk_file read;
allow ifconfig_t usr_t:lnk_file read;
allow ifconfig_t var_log_t:file write;

#============= iptables_t ==============
allow iptables_t file_t:dir { search getattr };
allow iptables_t file_t:file append;
allow iptables_t file_t:lnk_file read;

#============= irqbalance_t ==============
allow irqbalance_t file_t:file { read getattr execute };

#============= klogd_t ==============
allow klogd_t file_t:file { read getattr execute };

#============= load_policy_t ==============
allow load_policy_t file_t:file { read getattr execute };

#============= mdadm_t ==============
allow mdadm_t var_log_t:file append;

#============= mount_t ==============
allow mount_t var_log_t:file append;

#============= netutils_t ==============
allow netutils_t sysfs_t:dir search;
allow netutils_t sysfs_t:file read;

#============= ntpd_t ==============
allow ntpd_t file_t:file { read getattr unlink execute };

#============= pam_console_t ==============
allow pam_console_t file_t:file { read ioctl getattr };

#============= ping_t ==============
allow ping_t file_t:file { read getattr execute };

#============= procmail_t ==============
allow procmail_t file_t:file { read getattr };
allow procmail_t self:capability sys_resource;

#============= restorecon_t ==============
allow restorecon_t file_t:file execute;

#============= semanage_t ==============
allow semanage_t file_t:dir { rename write getattr rmdir read remove_name };
allow semanage_t file_t:file { execute unlink };
allow semanage_t file_t:lnk_file read;

#============= setfiles_t ==============
allow setfiles_t device_t:file append;
allow setfiles_t file_t:file execute;

#============= snmpd_t ==============
allow snmpd_t etc_mail_t:dir search;
allow snmpd_t etc_mail_t:file { read getattr };
allow snmpd_t file_t:file { read rename getattr unlink execute };
allow snmpd_t mqueue_spool_t:dir search;
allow snmpd_t self:capability sys_resource;
allow snmpd_t self:netlink_route_socket { write bind create read nlmsg_read };
allow snmpd_t self:process { setsched getsched };
allow snmpd_t sendmail_log_t:dir search;
allow snmpd_t sendmail_log_t:file read;
allow snmpd_t tmp_t:dir { read getattr };
allow snmpd_t usr_t:file append;
allow snmpd_t var_spool_t:dir search;
allow snmpd_t var_t:lnk_file read;

#============= syslogd_t ==============
allow syslogd_t file_t:file { read getattr execute };

#============= system_mail_t ==============
allow system_mail_t file_t:file { read getattr execute };

Posted

in

by

Tags:

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *