
What are the knowledge points of SELinux?

2025-03-26 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains the main knowledge points of SELinux. The methods introduced here are simple, fast and practical, so readers who are interested may find it worth a look.

SELinux, short for "Security-Enhanced Linux", is a mandatory access control security module for Linux developed by the NSA (National Security Agency) and SCC (Secure Computing Corporation).

Enterprise business platforms store large amounts of trade secrets and personal data on their servers, so their security is directly tied to personal privacy. Government websites, as platforms for information disclosure, are even more sensitive.

Servers connected to the Internet are inevitably exposed to threats from all over the world. At worst, a server is compromised, its home page is defaced and confidential files are stolen. Besides external threats, unauthorized access and attacks by insiders cannot be ignored. There are of course many ways to deal with these attacks and threats, such as firewalls, intrusion detection systems and patching.

Like other commercial UNIX systems, Linux has had many kinds of security vulnerabilities discovered in it.

Shortcomings of the traditional Linux OS:

Although Linux is considerably more reliable and stable than Windows, like other UNIX systems it has the following shortcomings.

1) A privileged root user exists

Anyone who obtains root authority can do anything to the whole system. The same is true of Windows.

2) Access permissions on files are not fine-grained enough.

In Linux, file permissions are divided into only three classes: "owner", "group" and "other". There is no way to distinguish among the users in the "other" class.

3) Privilege escalation through SUID programs

If a program with the SUID bit set has a vulnerability, an attacker can exploit it with little effort.

4) DAC (Discretionary Access Control) problems

The owner of a file or directory can perform any operation on it, which makes centralized management of the system inconvenient.

Firewalls and intrusion detection systems are powerless against the shortcomings above.

DAC (Discretionary Access Control):

Under DAC, the owner of an object (a program, file, process and so on) can modify or grant permissions on that object at will. Traditional Linux, Windows and so on work this way.

MAC (Mandatory Access Control):

Under MAC, the owner of an object (a program, file, folder and so on) is no longer allowed to modify or grant permissions on it; instead, permissions are assigned to every object by a mandatory policy. SELinux is an example.

Advantages of SELinux

A SELinux system is considerably more secure than an ordinary Linux system. By minimizing the permissions of users and processes, even if a process or user is attacked and its privileges are taken over, the impact on the system as a whole is limited.

In standard Linux, the access control attributes of a subject are the real and effective user and group IDs associated with the process through the process structure in the kernel. The kernel protects these attributes with a number of tools, including the login process and setuid programs. For files, the inode holds a set of access mode bits together with the file's user and group IDs.

Traditional access control is based on three control bits, read / write / execute, with one set for the file owner, one for the owner's group and one for everyone else. In SELinux, access control attributes always take the form of a security context triple, and every file and subject has an associated security context. Standard Linux decides access or denial from the process user / group ID, the file access mode and the file user / group ID; SELinux decides it from the security contexts of the process and the object. Note that because the main access control feature of SELinux is type enforcement, it is the type identifier in the security context that determines access.

To access a file, a process must pass both the ordinary Linux check and the SELinux check. So even a process running as the superuser root may be denied access to a file or resource, depending on the SELinux security context of the process and of the file or resource.

Using SELinux to protect network services

= Display and set the SELinux mode =

[root@tianyun ~]# vim /etc/sysconfig/selinux    // enforcing, permissive or disabled mode

[root@tianyun ~]# getenforce    // view the current SELinux status

[root@tianyun ~]# setenforce 0|1    // switch between permissive (0) and enforcing (1) mode

[root@tianyun ~]# sestatus    // show the SELinux status and the policy in use (Policy)

File contexts (FILE CONTEXTS):

= Display and set the SELinux context of files, processes, etc. =

[root@tianyun ~]# ps auxZ    // view the SELinux security context of processes

[root@tianyun ~]# ps -ZC httpd

[root@tianyun ~]# ls -Zd /home    // view the SELinux security context of a file or directory

[root@tianyun ~]# ls -Zd /var/www

= Modify the SELinux context of a file =

Method 1: chcon

[root@tianyun ~]# chcon -R -t httpd_sys_content_t /virtual

[root@tianyun ~]# chcon -R --reference /var/www/html /virtual

Method 2: semanage fcontext

[root@tianyun ~]# yum provides */semanage

[root@tianyun ~]# yum -y install policycoreutils policycoreutils-python

Allowing Apache to access web site files located in a non-default directory

First, use semanage fcontext -l | grep '/var/www' to learn the SELinux context of the default /var/www directory:

/var/www(/.*)?    all files    system_u:object_r:httpd_sys_content_t:s0

As you can see, Apache can only access files that carry the httpd_sys_content_t label.

Suppose you want Apache to use /srv/www as the web site directory; you then need to give the files in that directory the httpd_sys_content_t label, which takes two steps.

First, add a default label type for the files under /srv/www: semanage fcontext -a -t httpd_sys_content_t '/srv/www(/.*)?'. Then apply the new label type to the existing files: restorecon -Rv /srv/www. After that, Apache can serve the site from the files in this directory.

restorecon is used very often in SELinux administration; its job is to restore the default label of files. For example, when a file from a user's home directory is placed in the Apache web site directory, Apache cannot access it by default, because files under a user's home directory are labelled user_home_t.

In that case restorecon is needed to restore it to the httpd_sys_content_t type, which Apache can access:

[root@tianyun ~]# semanage fcontext -a -t httpd_sys_content_t "/web2"    // for the directory itself

[root@tianyun ~]# semanage fcontext -a -t httpd_sys_content_t "/web2(/.*)?"    // for the directory and all files in it

[root@tianyun ~]# semanage fcontext -a -t httpd_sys_content_t "/web2/file4"    // for a single file

[root@tianyun ~]# semanage fcontext -a -t httpd_sys_content_t "/web2/index\.txt"    // for a single file (the dot is escaped because the path is a regular expression)

1. The effect of cp and mv on the context

[root@tianyun ~]# touch /tmp/file1 /tmp/file2

[root@tianyun ~]# cp /tmp/file1 /var/www/html    // cp creates a new file, which gets the default label of the target directory

[root@tianyun ~]# mv /tmp/file2 /var/www/html    // mv keeps the file's original label

[root@tianyun ~]# ls -Z /var/www/html/file*    // compare the labels of the two files

[root@tianyun ~]# semanage fcontext -l | grep ^/var/www

[root@tianyun ~]# restorecon -Rv /var/www

2. Add a context for a new directory

[root@tianyun ~]# mkdir /virtual

[root@tianyun ~]# touch /virtual/index.html

[root@tianyun ~]# ls -Zd /virtual

[root@tianyun ~]# semanage fcontext -a -t httpd_sys_content_t '/virtual(/.*)?'

[root@tianyun ~]# restorecon -RFvv /virtual

In addition, man can be used to get help: man -k http | grep selinux
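The cp/mv and restorecon steps above can be turned into a quick label audit. The script below is an added example, not from the original article: it reads `ls -Z` output (constructed inline here, so it runs without SELinux), reports files whose type is not httpd_sys_content_t, and prints the semanage/restorecon commands that fix a directory.

```shell
#!/bin/sh
# Added example, not from the original article: audit a web directory for files
# whose SELinux type is not the one Apache may read, then emit the fix.
# The `ls -Z` output is constructed inline, so the check runs without SELinux.

# Type component of a security context: user:role:type:level -> type
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `ls -Z` lines (context, then path) on stdin and print every path whose
# type differs from the expected type given as $1.
find_mislabeled() {
    expected="$1"
    while read -r ctx path; do
        [ -z "$ctx" ] && continue
        if [ "$(ctx_type "$ctx")" != "$expected" ]; then
            printf '%s\n' "$path"
        fi
    done
    return 0
}

# Commands that fix a directory: a persistent default rule, then a relabel,
# exactly the two steps used for /srv/www in the text.
relabel_commands() {
    dir="$1"; type="$2"
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$type" "$dir"
    printf 'restorecon -Rv %s\n' "$dir"
}

# Constructed sample: file1 was copied into /var/www/html (new file, inherits
# the directory's default label); file2 was moved there (keeps its /tmp label).
SAMPLE_LS_Z='unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1
unconfined_u:object_r:user_tmp_t:s0 /var/www/html/file2'

# Demo run: lists /var/www/html/file2, then the two commands to fix /var/www.
printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled httpd_sys_content_t
relabel_commands /var/www httpd_sys_content_t
```

On a real host, replace the constructed sample with `ls -Z /var/www/html/* | find_mislabeled httpd_sys_content_t`.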

SELinux Boolean value

= Adjust policy behavior with SELinux Boolean values =

A SELinux Boolean value is a switch that changes the behavior of the SELinux policy.

man -k '_selinux'

cd /selinux/booleans    // each Boolean appears here as a file, equivalent to a variable

getsebool -a | grep httpd    // display Boolean values

setsebool    // modify a Boolean value

setsebool -P    // modify the SELinux policy so that the change is kept permanently

semanage boolean -l | grep httpd_enable_homedirs    // shows whether the Boolean value is permanent

2. Monitor SELinux policy conflicts

Deploy the SELinux log analysis tool

The setroubleshoot-server package must be installed for SELinux messages to be sent to /var/log/messages.

setroubleshoot-server listens for audit information in /var/log/audit/audit.log and sends a short summary to /var/log/messages.

The summary includes the unique identifier (UUID) of the SELinux conflict, which can be used to collect more information.

[root@tianyun ~]# yum -y install setroubleshoot setroubleshoot-server

[root@tianyun ~]# service rsyslog restart; chkconfig rsyslog on

[root@tianyun ~]# service auditd restart; chkconfig auditd on
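To see what setroubleshoot condenses, the added example below (not from the original article) parses a raw AVC record of the kind found in /var/log/audit/audit.log into a one-line summary; the record itself is constructed, and the hint it prints ties back to the user_home_t case discussed under restorecon.

```shell
#!/bin/sh
# Added example, not from the original article: summarise a raw AVC denial from
# audit.log in the style setroubleshoot writes to /var/log/messages.
# The audit record is constructed for illustration.

# Extract one key=value field from an audit record (value may be quoted).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# The permission(s) listed between the braces after "denied".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# Type component of a security context: user:role:type:level -> type
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# One-line summary of a denial, plus a hint when web content still carries the
# user_home_t label described in the restorecon section above.
avc_summary() {
    line="$1"
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    printf 'SELinux is preventing %s (%s) from %s access on the %s %s\n' \
        "$(avc_field "$line" comm)" "$src" "$(avc_perm "$line")" \
        "$(avc_field "$line" tclass)" "$(avc_field "$line" name)"
    if [ "$src" = httpd_t ] && [ "$tgt" = user_home_t ]; then
        printf 'hint: web content labelled user_home_t; fix with restorecon -Rv on the web directory\n'
    fi
}

# Constructed AVC record: httpd reads a file that kept its home-directory label.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=262145 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

avc_summary "$SAMPLE_AVC"
```

On a live system the same function can be fed with `grep 'type=AVC' /var/log/audit/audit.log` line by line; permissive=1 in a record means the access was logged but not blocked.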

1. With SELinux turned on, access ftp as an anonymous user and upload a file into the upload directory.

Configure anonymous write access in vsftpd.conf:

anonymous_enable

anon_upload_enable

anon_other_write_enable

anon_mkdir_write_enable

Use the user robin to access his home directory and upload a file.

2. Set up a samba server, create the custom folder /share, share it through samba, allow the users user1 and user2 to access /share read-write, and allow user1 to access his home directory through samba.

By now you should have a deeper understanding of the knowledge points of SELinux; the best next step is to try them out in practice.
