Ubuntu SELinux如何进行强制访问控制

Preparatory Note
Ubuntu defaults to AppArmor for mandatory access control (MAC), not SELinux. To use SELinux on Ubuntu, you must first install and enable it, which may introduce compatibility considerations with existing AppArmor policies.

1. Install SELinux Packages

Before configuring SELinux, install the necessary packages to support its functionality:

sudo apt update
sudo apt install selinux-basics selinux-policy-default auditd audispd-plugins

The selinux-basics package installs core SELinux utilities, while selinux-policy-default provides a default policy. The auditd suite is required to log SELinux denial events.

2. Enable SELinux

After installation, enable SELinux to start enforcing access controls:

• Temporary Activation: Use setenforce to switch modes without rebooting (takes effect immediately but resets after restart):

  sudo setenforce 1  # Enable enforcing mode
  sudo setenforce 0  # Switch to permissive mode (logs violations without enforcement)
  

• Permanent Activation: Modify the /etc/selinux/config file to set the default mode. Open the file in a text editor (e.g., nano) and update the SELINUX line:

  sudo nano /etc/selinux/config
  

  Change the line to:

  SELINUX=enforcing
  

  Save the file and reboot the system to apply the change:

  sudo reboot
  

Verify the current mode with:

sestatus

The output should show SELinux status: enabled and Current mode: enforcing.

3. Configure SELinux Modes

SELinux operates in three modes:

• Enforcing: Enforces the SELinux policy, blocking unauthorized access.
• Permissive: Logs policy violations but does not enforce them (ideal for testing).
• Disabled: Completely disables SELinux (not recommended for production).

Use setenforce for temporary changes and the /etc/selinux/config file for permanent adjustments.

4. Manage File Contexts for Access Control

SELinux uses security contexts (labels) to define access rules for files/directories. Use the semanage fcontext command to modify these contexts:

• Add a New Context Rule: For example, to restrict the /home/user1/documents directory to user_home_t (a context for user home directories), run:

  sudo semanage fcontext -a -t user_home_t "/home/user1/documents(/.*)?"
  

  The -a flag adds the rule, and -t specifies the target context.
• Apply Changes: Use restorecon to apply the new context to the directory and its contents:

  sudo restorecon -Rv /home/user1/documents
  

  The -R flag recursively applies the context, and -v enables verbose output.

5. Create Custom SELinux Policies

For granular control (e.g., restricting an application’s access), create custom policies using .te (Type Enforcement) files:

• Write a .te File: Create a file (e.g., myapp.te) with rules defining allowed actions. Example: Allow a custom app (myapp_t) to read/write files in /var/www/html:

  module myapp 1.0;
  
  require {
      type httpd_t;          # Existing context for web server processes
      class file { read write };  # Resource class (files) and permissions
  }
  
  # Allow myapp_t to transition to httpd_t and access httpd_sys_rw_content_t files
  type myapp_t;
  init_daemon_domain(myapp_t, myapp_exec_t)
  allow myapp_t httpd_sys_rw_content_t:dir { read write };
  

• Compile and Load the Policy: Use checkmodule and semodule_package to compile the .te file into a loadable module, then install it:

  checkmodule -M -m -o myapp.mod myapp.te
  semodule_package -o myapp.pp -m myapp.mod
  sudo semodule -i myapp.pp
  

• Verify the Policy: Check logs for SELinux denial events related to your app:

  sudo ausearch -c 'myapp' --raw | grep myapp
  

  If issues arise, adjust the .te file and reload the policy.

6. Troubleshoot SELinux Issues

When SELinux blocks an action, it logs the event to /var/log/audit/audit.log. Use these tools to analyze and resolve issues:

• Search for Denials: Find recent SELinux access control violations (AVCs) with:

  sudo ausearch -m AVC -ts recent
  

• Generate Reports: Summarize AVC events for a specific module or time period:

  sudo aureport -m avc
  

• Adjust Policies: Based on log entries, modify your .te file to allow the required access (e.g., add allow rules for missing permissions) and reload the policy.

By following these steps, you can implement mandatory access control on Ubuntu using SELinux. Remember to test policies thoroughly in permissive mode before enforcing them to avoid disrupting system operations.