Ubuntu SELinux与防火墙如何配合

Understanding SELinux and UFW in Ubuntu
Ubuntu systems typically use AppArmor as the default mandatory access control (MAC) tool, but SELinux (Security-Enhanced Linux) can be installed to provide more granular access control. SELinux enforces policies that restrict processes and users from accessing resources (files, ports, etc.) beyond their defined permissions. UFW (Uncomplicated Firewall) is the default frontend for managing firewall rules in Ubuntu, built on top of iptables. It simplifies the process of allowing/blocking traffic by translating user-friendly commands into low-level iptables rules. While UFW handles network-layer filtering, SELinux enforces host-based access control, making them complementary tools for a layered security approach.

Installing and Enabling SELinux on Ubuntu
By default, SELinux is not installed on Ubuntu. To enable it:

1. Install required packages:

   sudo apt update && sudo apt install selinux-basics selinux-policy-default auditd
   

2. Activate SELinux:

   sudo selinux-activate
   

3. Set the enforcement mode (recommended: Permissive for testing, Enforcing for production):
   • Permissive mode logs violations without blocking actions (useful for debugging):

     sudo setenforce 0
     

   • Enforcing mode actively blocks unauthorized actions:

     sudo setenforce 1
     

4. Make the mode persistent across reboots by editing /etc/selinux/config and setting SELINUX=enforcing.

Configuring UFW for Basic Firewall Rules
UFW simplifies firewall management with intuitive commands. Key steps include:

1. Install UFW (if not already installed):

   sudo apt install ufw
   

2. Enable UFW:

   sudo ufw enable
   

3. Set default policies (deny all incoming traffic, allow all outgoing traffic):

   sudo ufw default deny incoming
   sudo ufw default allow outgoing
   

4. Allow specific services/ports (e.g., SSH, HTTP, HTTPS):

   sudo ufw allow ssh     # Allows SSH (port 22)
   sudo ufw allow http    # Allows HTTP (port 80)
   sudo ufw allow https   # Allows HTTPS (port 443)
   

5. Verify UFW status:

   sudo ufw status verbose
   

This displays active rules, default policies, and rule priorities.

Key Considerations for Compatibility
While SELinux and UFW can coexist, conflicts may arise if rules overlap or block each other. To ensure smooth operation:

• Understand Rule Layers: UFW filters traffic at the network level (e.g., blocking unauthorized IPs), while SELinux controls access at the process/resource level (e.g., preventing a web server from reading sensitive files).
• Avoid Redundant Blocking: Do not configure UFW to block ports that SELinux policies rely on (e.g., if SELinux allows a process to access port 80, ensure UFW does not block port 80).
• Use SELinux Contexts for Port Labeling: If you modify UFW rules to allow non-standard ports (e.g., port 8080 for HTTP), label the port with the appropriate SELinux context to avoid access issues. For example:

  sudo semanage port -a -t http_port_t -p tcp 8080  # Labels port 8080 as http_port_t
  

• Monitor Logs for Conflicts: Check /var/log/audit/audit.log (SELinux logs) and /var/log/syslog (UFW logs) for denied actions. Use audit2allow to generate custom SELinux policies if legitimate actions are blocked.

Example Workflow: Allowing SSH with Both Tools
To allow SSH while leveraging both UFW and SELinux:

1. Configure UFW to allow SSH:

   sudo ufw allow ssh
   

2. Verify SELinux allows SSH access:
   • Check if the SSH service has the correct SELinux boolean enabled (e.g., ssh_sysadm_login for sysadmin logins):

     sudo getsebool ssh_sysadm_login
     

   • If disabled, enable it:

     sudo setsebool -P ssh_sysadm_login on
     

3. Test the configuration:
   • Attempt to SSH into the system from an authorized IP.
   • Check UFW logs (sudo ufw status numbered) to confirm the rule is applied.
   • Check SELinux logs (sudo ausearch -m avc -ts recent) for any denied actions related to SSH.

Troubleshooting Common Issues

• SELinux Blocking Legitimate Traffic: If a process is denied access, check /var/log/audit/audit.log for “AVC denied” messages. Use audit2allow to create a custom policy:

  sudo grep "AVC denied" /var/log/audit/audit.log | audit2allow -M mypolicy
  sudo semodule -i mypolicy.pp
  

• UFW Blocking SELinux-Required Ports: Ensure UFW rules align with SELinux port labels. For example, if SELinux expects a web server to use port 80, verify UFW allows port 80:

  sudo ufw allow 80/tcp
  

• SELinux in Permissive Mode: If SELinux is in permissive mode, violations are logged but not enforced. Switch to enforcing mode after verifying rules work as expected.