How to get started with SELinux on Linux

2025-01-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article shows how to get started with SELinux on Linux and covers the key points in detail. If you have been looking for an introduction to the topic, read on.

If you have disabled or ignored SELinux so far in your Linux career, here is an introduction to SELinux, which is available on Linux desktops and servers and can limit permissions and even eliminate the possibility of damage caused by vulnerable programs or daemons.

Back in the kernel 2.6 era, a new security system was introduced to provide a mechanism for access control security policies. This system is Security Enhanced Linux (SELinux), contributed by the National Security Agency (NSA). It introduces a robust Mandatory Access Control (MAC) architecture into the Linux kernel.

Before I start, you should know that SELinux is mainly a tool on Red Hat Linux and its derivative distributions. Ubuntu and SUSE (and their derivative distributions) use AppArmor instead. There are significant differences between SELinux and AppArmor. You can install SELinux on distributions such as SUSE, openSUSE, and Ubuntu, but this is an incredible challenge unless you are very proficient in Linux. With that said, let me introduce you to SELinux.

DAC vs. MAC

The traditional access control standard on Linux is Discretionary Access Control (DAC). In this model, a program or daemon runs under a User ID (UID) or Set owner User ID (SUID) and holds that user's permissions on objects (files, sockets, and other processes). This makes it easy for malicious code running with those permissions to gain access to critical subsystems.

Mandatory Access Control (MAC), on the other hand, enforces the isolation of information based on confidentiality and integrity to limit damage. The confinement mechanism operates independently of the traditional Linux security mechanisms and has no concept of a superuser.

How SELinux works

Consider the concepts related to SELinux:

Subjects

Objects

Policy

Mode

When a subject (such as a program) attempts to access an object (such as a file), the SELinux Security Server (in the kernel) runs a check against the Policy Database. Depending on the current mode, the subject can access the object if the SELinux Security Server grants permission. If the SELinux Security Server denies permission, a denial message is logged in /var/log/messages.

Sounds relatively simple, doesn't it? The process is actually more complex, but to simplify the introduction, only important steps are listed.
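To make the subject/object check concrete, the following added example (not part of the original article) summarises AVC denial messages by subject type, object type, object class and permission. The log lines are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials as subject -> object decisions.

# Sample lines are constructed for illustration (not captured from a real host).
sample_log() {
cat <<'EOF'
Jan 28 10:15:01 web1 kernel: type=1400 audit(1738059301.112:41): avc:  denied  { read } for  pid=2465 comm="httpd" name="index.html" dev="dm-0" ino=399185 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
Jan 28 10:15:02 web1 kernel: type=1400 audit(1738059302.530:42): avc:  denied  { read } for  pid=2466 comm="httpd" name="index.html" dev="dm-0" ino=399185 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
Jan 28 10:16:40 web1 systemd[1]: Started Session 12 of user admin.
Jan 28 10:17:09 web1 kernel: type=1400 audit(1738059429.004:43): avc:  denied  { name_connect } for  pid=2470 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
EOF
}

# Reads log lines on stdin and prints one line per distinct denial:
#   count subject_type object_type class permission(s) outcome
# permissive=1 means the access was logged but still allowed.
summarize_avc() {
    awk '
    /avc:/ && /denied/ {
        s = o = c = p = ""; outcome = "blocked"
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # collect every permission between the braces
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    p = p (p == "" ? "" : ",") $j
            }
            else if ($i ~ /^scontext=/)    { split($i, a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/)    { split($i, a, ":"); o = a[3] }
            else if ($i ~ /^tclass=/)      c = substr($i, 8)
            else if ($i == "permissive=1") outcome = "logged-only"
        }
        n[s " " o " " c " " p " " outcome]++
    }
    END { for (k in n) print n[k], k }
    ' | sort
}

sample_log | summarize_avc
```

On a real host, feed it the log file instead of the sample, for example `summarize_avc < /var/log/messages`; where auditd is running, the same AVC records are written to /var/log/audit/audit.log.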

Modes

SELinux has three modes (which can be set by the user). These modes dictate how SELinux responds to a subject's request. The modes are:

Enforcing: SELinux policy is enforced; access by a subject to an object is granted or denied based on SELinux policy rules

Permissive: SELinux policy is not enforced; access is not actually denied, but denial messages are written to the log

Disabled: SELinux is completely disabled

(Figure: the getenforce command shows that the SELinux status is Enforcing)

By default, SELinux is set to Enforcing on most systems. How do you know what mode your system is currently in? You can use a simple command to check: getenforce. This command is incredibly simple to use (because it only reports the SELinux mode). To use it, open a terminal window and execute the getenforce command. The command returns Enforcing, Permissive, or Disabled (see figure above).

Setting the SELinux mode is actually very simple, depending on which mode you want to set. Remember: it is never recommended to turn off SELinux. Why? When you do this, the files on your disk may end up labeled incorrectly, and you will have to relabel them to fix it. You also cannot change the mode of a system that starts in Disabled mode. Your best choice is Enforcing or Permissive.

You can change the SELinux mode from the command line or in the /etc/selinux/config file. To set the mode from the command line, use the setenforce tool. To set Enforcing mode, do the following:

1. Open a terminal window

2. Execute su and enter your administrator password

3. Execute setenforce 1

4. Execute getenforce to make sure the mode is set correctly (as shown in the following figure)

To set the mode to Permissive, do this:

1. Open a terminal window

2. Execute su and enter your administrator password

3. Execute setenforce 0

4. Execute getenforce to make sure the mode is set correctly (as shown in the following figure)

Note: setting the mode from the command line overrides the setting in the SELinux configuration file.

If you prefer to set the mode in the SELinux configuration file, open that file with your favorite editor and find this line:

SELINUX=permissive

You can set the mode according to your preference, and then save the file.

There is a third way to modify the mode of SELinux (via bootloader), but I don't recommend it for new users.

Policy Type

There are two SELinux policy types:

Targeted: only the targeted network daemons (dhcpd, httpd, named, nscd, ntpd, portmap, snmpd, squid, and syslogd) are protected

Strict: full SELinux protection for all processes

You can modify the policy type in the /etc/selinux/config file. Open the file with your favorite editor and find this line:

SELINUXTYPE=targeted

Change this option to targeted or strict to meet your needs.
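Because a mode set with setenforce overrides the configuration file until the next boot, it is worth checking that the two agree. The following added example (not part of the original article) reads the SELINUX and SELINUXTYPE settings described above and compares them with the running mode; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the boot-time SELinux configuration with the running mode.

# Read KEY=value from a config file: skips comments, last assignment wins,
# value is lower-cased with whitespace and CR characters stripped.
cfg_get() {   # usage: cfg_get KEY FILE
    awk -F= -v key="$1" '
        /^[ \t]*#/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; gsub(/[ \t\r]/, "", v); val = tolower(v) }
        END { print val }
    ' "$2"
}

# Print findings for FILE against the RUNTIME mode (the output of getenforce).
# Returns 0 when nothing is flagged, 1 otherwise.
selinux_audit() {   # usage: selinux_audit FILE RUNTIME
    cfg=$(cfg_get SELINUX "$1"); ptype=$(cfg_get SELINUXTYPE "$1")
    run=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); rc=0
    case $cfg in
        enforcing|permissive) ;;
        disabled) echo "WARN config: SELINUX=disabled, no policy loaded at boot"; rc=1 ;;
        *) echo "WARN config: SELINUX='$cfg' is not a valid mode"; rc=1 ;;
    esac
    [ -n "$ptype" ] || { echo "WARN config: SELINUXTYPE is not set"; rc=1; }
    if [ "$cfg" != "$run" ]; then
        echo "WARN drift: running=$run but config=$cfg (reverts at next boot)"; rc=1
    fi
    [ "$run" = enforcing ] || { echo "WARN runtime: policy is not being enforced"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: enforcing now and at boot, policy type '$ptype'"
    return "$rc"
}

# Constructed sample file; on a real host run:
#   selinux_audit /etc/selinux/config "$(getenforce)"
demo() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample' 'SELINUX=permissive' 'SELINUXTYPE=targeted' > "$f"
    selinux_audit "$f" Enforcing
    status=$?
    rm -f "$f"
    return "$status"
}
demo || true
```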

Check the full SELinux status

There is a convenient SELinux tool that you may want to use to get detailed status reports of your SELinux-enabled systems. This command runs on the terminal like this:

sestatus -v

You can see the output like the one below.
