The basic operation method of SELinux system

2025-02-24 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/03 Report

This article walks through the basic operation of SELinux. Most of the commands and methods are ones administrators use every day, so they are collected here for reference.

1. What is SELinux

SELinux (Security-Enhanced Linux) is an implementation of mandatory access control originally developed by the US National Security Agency (NSA), and it is the most significant security subsystem added to Linux. The NSA developed it together with the Linux community. Under its control, a process can only access the files its task actually requires. SELinux is installed and enabled by default on Fedora and Red Hat Enterprise Linux, and is available as packages that are easy to install on other distributions.

SELinux is a mandatory access control (MAC) system that was merged into the 2.6 series of the Linux kernel. Of the Linux security modules available, it is the most comprehensive and the most thoroughly tested, and it draws on some 20 years of MAC research. SELinux combines type enforcement with role-based access control and an optional multi-level / multi-category security (MLS/MCS) layer.

Most people who use SELinux use a distribution that ships it ready to use, such as Fedora, Red Hat Enterprise Linux (RHEL), CentOS or Debian. These distributions build SELinux support into the kernel and provide a customizable security policy together with the user-space libraries and tools that work with it. (Fedora, RHEL and CentOS enable it by default; on Debian the packages are available but the administrator has to switch it on.)

SELinux is a MAC security system based on a domain/type model. It was written by the NSA as a kernel module and is now part of the mainline kernel; some security-relevant user-space programs carry SELinux-aware patches, and a security policy ties everything together. Under traditional discretionary access control (DAC), a program runs with the full rights of the user who started it and has complete control over that user's resources: if a program decides to copy a file containing sensitive information into /tmp, nothing in DAC stops it. SELinux adds a second check on top of the ordinary UNIX permissions, and the kernel enforces that check regardless of what the user or the program wants.

2. How SELinux works

● Subject:

What SELinux mainly manages is programs, so for practical purposes you can equate "subject" with "process".

● Object:

The target resource that the subject process wants to access. Most often this is a file or directory on the file system, so you can usually equate "object" with "file system object".

● Policy:

Because there are so many programs and files, SELinux groups its basic access rules into a policy built around services. Inside a policy are detailed rules that state which resources each service may or may not access. CentOS 6.x offered the two main policies below; on CentOS/RHEL 7 and later the packaged policies are targeted, minimum and mls, and strict is no longer shipped separately. In either case the default targeted policy is normally what you want.

Targeted: the default policy. Network-facing daemons are confined; processes started by local logins are largely unconfined.

Strict: every process is confined by SELinux, so the restrictions are much tighter.

● Security context:

We have covered subject, object and policy, but for the subject to reach the object it is not enough that the policy allows it: the security context of the subject and the security context of the object must also match what the policy expects. The security context plays a role similar to the rwx bits of the file system, so its content and setting matter a great deal. If a context is set incorrectly, the affected service (process) cannot access its file resources (objects), and you will keep seeing "permission denied" style errors even though the ordinary permissions look fine.

(1) The subject process is first checked against the rules in the SELinux policy; if a rule allows the access, its security context is then compared with that of the target resource.

(2) If the contexts do not match what the rule requires, the target cannot be accessed; if they do, access is granted.

3. Security Context

[root@localhost ~]# ll -Z

total 4

-rw-. 1 root root system_u:object_r:admin_home_t:s0 1193 Feb 9 09:16 anaconda-ks.cfg

A security context has four colon-separated fields: user:role:type:level.

● User (identity): the SELinux user, roughly equivalent to an account identity. Common values:

root: the SELinux user root. Note that anaconda-ks.cfg above, although it lives in root's home directory, carries system_u because it was written by the installer, not by an interactive login.

system_u: the identity of system processes and of the files they create.

user_u: the identity associated with ordinary user accounts.

unconfined_u: the identity that interactive logins are mapped to under the targeted policy, which is why files you create from a root shell carry unconfined_u (see section 5).

● Role: the role field tells you whether the context belongs to a process, a file resource, or a user. Common roles:

object_r: files, directories and other passive resources; by far the most common role on the file system.

system_r: the role of system processes (daemons). An interactive login under the targeted policy runs in unconfined_r instead.

● Type: under the default targeted policy the user and role fields rarely decide anything; what matters is the type field. Whether a process can read a file is decided almost entirely by the pair (process type, file type). The field has a different name depending on which side it is on:

type: on a file resource (object) it is called the type, e.g. httpd_sys_content_t.

domain: on a process (subject) it is called the domain, e.g. httpd_t.

The policy must contain a rule allowing the domain to access the type; only then can the process read the file. The fourth field (s0 above) is the MLS/MCS sensitivity level; under the targeted policy almost everything is s0, and it can be ignored here.

4. Startup, shutdown and viewing of SELinux

The main SELinux configuration file:

[root@localhost ~]# cat /etc/selinux/config

SELINUX=enforcing

SELINUXTYPE=targeted

SELINUX sets the mode. SELinux supports three modes:

● enforcing: SELinux is running and denials are enforced; the domain/type restrictions are in effect.

● permissive: SELinux is running and logs everything it would deny, but does not actually block access. Use this mode for debugging policy and labelling problems.

● disabled: SELinux is not running at all. Files created while it is disabled carry no labels, so switching back to enforcing or permissive requires a full relabel on the next boot (touch /.autorelabel before rebooting).

SELINUXTYPE selects the policy to load (targeted here).

View the SELinux state:

[root@localhost ~]# getenforce

Permissive

[root@localhost ~]# sestatus [-vb]

Parameters:

-v: also check the security contexts of the files and processes listed in /etc/sestatus.conf

-b: also list the boolean values of the current policy, i.e. which optional rules are switched on or off (on/off)

[root@localhost ~]# sestatus

SELinux status: enabled

SELinuxfs mount: /sys/fs/selinux

SELinux root directory: /etc/selinux

Loaded policy name: targeted

Current mode: permissive

Mode from config file: enforcing

Policy MLS status: enabled

Policy deny_unknown status: allowed

Memory protection checking: actual (secure)

Max kernel policy version: 31

[root@localhost ~]# setenforce [0|1]

Parameters:

0: switch to permissive mode

1: switch to enforcing mode

setenforce only switches between enforcing and permissive on a running system; it cannot disable SELinux, and it does nothing when SELinux was booted disabled.

Enable SELinux:

Enable SELinux in the configuration file (takes effect after a reboot):

[root@localhost ~]# cat /etc/selinux/config

SELINUX=enforcing

Switch to enforcing mode on the command line (immediate, not persistent):

[root@localhost ~]# setenforce 1

Disable SELinux:

Disable SELinux in the configuration file (takes effect after a reboot; remember the relabel caveat above when you later re-enable it):

[root@localhost ~]# cat /etc/selinux/config

SELINUX=disabled

Switch to permissive mode on the command line (immediate, not persistent; SELinux keeps running and logging, it just stops blocking):

[root@localhost ~]# setenforce 0

5. SELinux network service operation example

[root@localhost ~]# yum -y install httpd

[root@localhost ~]# echo "123456" > /var/www/html/index.html

[root@localhost ~]# systemctl restart httpd

The httpd process runs in the httpd_t domain. When your browser requests the page, it is that domain that reads /var/www/html/index.html, and SELinux allows the read because the file carries the httpd_sys_content_t type.

View the file's permissions and its SELinux security context:

[root@localhost ~]# ll -Z /var/www/html/index.html

-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 7 Feb 22 20:42 /var/www/html/index.html

Now create a file with the wrong security context. The file is written in /root, so it is labelled admin_home_t, and mv keeps that label when the file is moved into the web root (cp would instead have created a new file labelled from the destination directory's default):

[root@localhost ~]# echo "My httpd" > index.html

[root@localhost ~]# rm -rf /var/www/html/index.html

[root@localhost ~]# mv index.html /var/www/html/

Check the context of the new index.html:

[root@localhost ~]# ll -Z /var/www/html/index.html

-rw-r--r--. 1 root root unconfined_u:object_r:admin_home_t:s0 9 Feb 22 20:50 /var/www/html/index.html

httpd_t is not allowed to read admin_home_t, so the page now fails with a 403 even though the DAC permissions (rw-r--r--) would permit the read.

Modify the security context:

The chcon command (change context):

[root@localhost ~]# chcon [-R] [-t type] [-u user] [-r role] file

[root@localhost ~]# chcon [-R] --reference=example_file file

Parameters:

-R: recurse into subdirectories

-t: the type field of the security context, e.g. httpd_sys_content_t

-u: the SELinux user field, e.g. system_u

-r: the role field, e.g. system_r

--reference=example_file: copy the security context of example_file onto the files that follow

Example 1: give index.html the same context as /etc/passwd (a type httpd_t cannot read either; this only shows the mechanism)

[root@localhost ~]# ll -Z /etc/passwd

-rw-r--r--. 1 root root system_u:object_r:passwd_file_t:s0 1133 Feb 22 20:42 /etc/passwd

[root@localhost ~]# chcon --reference=/etc/passwd /var/www/html/index.html

[root@localhost ~]# ll -Z /var/www/html/index.html

-rw-r--r--. 1 root root system_u:object_r:passwd_file_t:s0 9 Feb 22 20:50 /var/www/html/index.html

Example 2: change the type of index.html to httpd_sys_content_t

[root@localhost ~]# chcon -t httpd_sys_content_t /var/www/html/index.html

[root@localhost ~]# ll -Z /var/www/html/index.html

-rw-r--r--. 1 root root system_u:object_r:httpd_sys_content_t:s0 9 Feb 22 20:50 /var/www/html/index.html

chcon writes the context directly onto the file, but it does not change what the system considers the correct default for that path. Every path has a default security context defined in the policy's file_contexts database, and restorecon is the command that resets a file to that default. A chcon change is therefore temporary in practice: the next restorecon or full relabel (touch /.autorelabel) reverts it. Use chcon for a quick test, and semanage fcontext (described later in this article) followed by restorecon for a change that should persist.

restorecon (restore the default context)

[root@localhost ~]# restorecon [-Rv] file_or_directory

Parameters:

-R: recurse into subdirectories

-v: print each file that is relabelled

Example 1: repair the wrongly labelled index.html by restoring its default security context

[root@localhost ~]# restorecon -Rv /var/www/html/index.html

Relabeled /var/www/html/index.html from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0

[root@localhost ~]# ll -Z /var/www/html/index.html

-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 7 Feb 22 21:07 /var/www/html/index.html
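The script below is an added example, not part of the original article. It serves both section 3 (the four fields of a security context) and the web-root demonstration just above: it splits a context into its fields, taking care with the level field, which can itself contain colons (for example s0-s0:c0.c1023 on an unconfined shell), and then scans an `ls -Z` or `ll -Z` listing for entries whose type is not the one the directory is supposed to hold. That is exactly the check to run over /var/www/html before deciding whether restorecon is needed. The function names (ctx_type, mislabeled) and the sample listing are mine; the listing is constructed, not captured from a host, and only POSIX sh, cut and awk are needed, so it runs on a machine without SELinux.

```shell
#!/bin/sh
# Added example, not from the original article. Splits SELinux security
# contexts into fields and audits an `ls -Z` listing for wrong types.
# Assumes POSIX sh plus cut and awk; needs no SELinux on the host because it
# works on listing text (a constructed sample at the bottom).

# A context is user:role:type:level. The level may itself contain ':'
# (e.g. s0-s0:c0.c1023), so it is "field 4 to the end", never just field 4.
ctx_user()  { printf '%s\n' "$1" | cut -d: -f1; }
ctx_role()  { printf '%s\n' "$1" | cut -d: -f2; }
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3; }
ctx_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# mislabeled EXPECTED_TYPE  < listing
# Reads `ls -Z` or `ll -Z` output on stdin and prints "actual_type<TAB>name"
# for every entry whose type is not EXPECTED_TYPE. The context is located as
# the first field that looks like a:b:c:..., so the column layout (with or
# without size and date columns) does not matter. Filenames containing
# spaces are not handled; use find ... -printf on those.
mislabeled() {
    awk -v want="$1" '
        {
            ctx = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[^:]+:[^:]+:[^:]+:/) { ctx = $i; break }
            if (ctx == "") next            # e.g. the "total 4" line
            split(ctx, f, ":")
            if (f[3] != want) print f[3] "\t" $NF
        }'
}

# Constructed sample: what `ll -Z /var/www/html` might show after one file
# was moved in from /root (and so kept its admin_home_t label).
SAMPLE_LISTING='total 12
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 7 Feb 22 20:42 index.html
-rw-r--r--. 1 root root unconfined_u:object_r:admin_home_t:s0 9 Feb 22 20:50 about.html
-rw-r--r--. 1 root root system_u:object_r:httpd_sys_content_t:s0 3 Feb 22 20:51 robots.txt'

printf '%s\n' "$SAMPLE_LISTING" | mislabeled httpd_sys_content_t
# prints:  admin_home_t<TAB>about.html
```

On a real host replace the sample with `ls -Z /var/www/html | mislabeled httpd_sys_content_t`; anything it reports is a candidate for `restorecon -v`, and if restorecon does not change the label, the path has no suitable default rule and needs a `semanage fcontext` entry first. Keying on the field that contains several colons rather than on a column number is what keeps the function working across the two `ls -Z` output layouts that different coreutils versions produce.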

6. SELinux log

When SELinux denies an access, the kernel writes an AVC record to /var/log/audit/audit.log (read it with ausearch -m avc). The setroubleshoot daemon watches those records and writes a human-readable summary to /var/log/messages:

[root@localhost ~]# cat /var/log/messages | grep setroubleshoot

Feb 22 21:28:27 localhost setroubleshoot[12759]: failed to retrieve rpm info for /var/www/html/index.html

Feb 22 21:28:27 localhost setroubleshoot[12759]: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages run: sealert -l cf1dacbd-e06f-4c52-bbd4-abc3d3cde551

[root@localhost ~]# sealert -l cf1dacbd-e06f-4c52-bbd4-abc3d3cde551

SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html.
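sealert explains one denial at a time; when a service is failing noisily it helps to see all of its denials grouped first. The following script is an added example, not from the original article, which condenses raw AVC records into one line per (source domain, target type, object class, permission) with a count, whether the denial was merely logged (permissive) or actually blocked, and an example path. The function name avc_summary and the sample records are mine; the sample is constructed, not captured from a host, and only POSIX sh, awk and sort are needed.

```shell
#!/bin/sh
# Added example, not from the original article: condense raw AVC denial
# records into one line per source domain / target type / class / permission.
# Assumes POSIX sh, awk and sort; input is audit.log text on stdin.
# Real use:  ausearch -m avc -ts today | avc_summary
# A record looks like this (the fields used are scontext, tcontext, tclass,
# permissive, path/name and the braces):
#   type=AVC msg=audit(...): avc:  denied  { getattr } for  pid=12759 comm="httpd"
#   path="/var/www/html/index.html" ... scontext=system_u:system_r:httpd_t:s0
#   tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0

avc_summary() {
    awk '
        /avc: +denied/ {
            perm = ""; path = ""; st = ""; tt = ""; cls = ""; pm = ""
            # the permission(s) sit inside the braces: { read write }
            if (match($0, /[{][^}]*[}]/))
                perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                gsub(/"/, "", v)
                if (k == "path") { path = v }
                else if (k == "name" && path == "") { path = v }  # only name= logged
                else if (k == "scontext") { split(v, c, ":"); st = c[3] }  # source domain
                else if (k == "tcontext") { split(v, c, ":"); tt = c[3] }  # target type
                else if (k == "tclass") { cls = v }
                else if (k == "permissive") { pm = v }
            }
            key = st " -> " tt " (" cls ") " perm
            count[key]++
            if (path != "") example[key] = path
            mode[key] = (pm == "1") ? "permissive" : "enforcing"
        }
        END {
            for (k in count)
                printf "%d\t%s\t%s\t%s\n", count[k], k, mode[k], example[k]
        }' | sort -rn
}

# Constructed sample records (not captured from a real host): the mislabeled
# index.html from section 5, plus httpd trying to reach a database port.
SAMPLE_AUDIT='type=AVC msg=audit(1708633707.123:4567): avc:  denied  { getattr } for  pid=12759 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=2621 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1708633709.456:4568): avc:  denied  { read } for  pid=12759 comm="httpd" name="index.html" dev="dm-0" ino=2621 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1708633711.001:4569): avc:  denied  { read } for  pid=12760 comm="httpd" name="index.html" dev="dm-0" ino=2621 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1708633712.789:4570): avc:  denied  { name_connect } for  pid=12760 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1'

printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```

The grouping key is the same (source type, target type, class, permission) triple that audit2allow would turn into an allow rule, which is exactly why it is worth reading before generating one. httpd_t denied on admin_home_t means a file is mislabeled, and the fix is restorecon as in section 5; httpd_t -> mysqld_port_t name_connect is the case the httpd_can_network_connect_db boolean exists for. A custom allow rule for either would punch a permanent hole in the policy instead of fixing the actual problem. Values containing an "=" inside a quoted path are not handled specially; audit.log encodes unusual paths in hex anyway.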

Booleans switch optional rules in the loaded policy on or off. List them all with getsebool -a (sestatus -b shows the same list):

[root@localhost ~]# getsebool -a

antivirus_use_jit --> off

auditadm_exec_content --> on

... (omitted below) ...

Turn a boolean off or on:

[root@localhost ~]# setsebool [-P] boolean=[0|1]

Parameters:

-P: also write the value to the policy store so that it persists across reboots; without -P the change is lost at the next boot

Example 1: check whether httpd_enable_homedirs is off, and if it is not, turn it off (this boolean lets httpd serve users' home directories, which is rarely wanted on a server)

[root@localhost ~]# getsebool httpd_enable_homedirs

httpd_enable_homedirs --> on

[root@localhost ~]# setsebool -P httpd_enable_homedirs=0

[root@localhost ~]# getsebool httpd_enable_homedirs

httpd_enable_homedirs --> off

● Querying and changing the default security context of a directory

Use semanage to view and set the default security context of a path:

[root@localhost ~]# semanage {login,user,port,interface,fcontext,translation} -l

[root@localhost ~]# semanage fcontext -{a|d|m} [-frst] file_spec

Parameters:

fcontext: work on file context rules; -l lists the current rules

-a: add a default security context rule for a path pattern

-m: modify an existing rule

-d: delete a rule

file_spec: the path, written as a regular expression; "/srv/samba(/.*)?" covers the directory itself and everything under it

Example 1: query the default security context of /var/www/html

[root@localhost ~]# semanage fcontext -l

... (omitted above) ...

/var/www(/.*)?                     all files          system_u:object_r:httpd_sys_content_t:s0

... (omitted below) ...

Example 2: use semanage to set the default security context of /srv/samba to public_content_t

[root@localhost ~]# mkdir /srv/samba

[root@localhost ~]# ll -Zd /srv/samba/

drwxr-xr-x. 2 root root unconfined_u:object_r:var_t:s0 6 Feb 22 22:46 /srv/samba/

[root@localhost ~]# semanage fcontext -l | grep '/srv'

/srv                               all files          system_u:object_r:var_t:s0

/srv/([^/]*/)?ftp(/.*)?            all files          system_u:object_r:public_content_t:s0

/srv/([^/]*/)?rsync(/.*)?          all files          system_u:object_r:public_content_t:s0

/srv/([^/]*/)?www(/.*)?            all files          system_u:object_r:httpd_sys_content_t:s0

/srv/([^/]*/)?www/logs(/.*)?       all files          system_u:object_r:httpd_log_t:s0

/srv/.*                            all files          system_u:object_r:var_t:s0

/srv/gallery2(/.*)?                all files          system_u:object_r:httpd_sys_content_t:s0

/srv/gallery2/smarty(/.*)?         all files          system_u:object_r:httpd_sys_rw_content_t:s0

/srv/lib/gitosis(/.*)?             all files          system_u:object_r:gitosis_var_lib_t:s0

/srv/loopback-device(/.*)?         all files          system_u:object_r:swift_data_t:s0

/srv/node(/.*)?                    all files          system_u:object_r:swift_data_t:s0

# these are the default rules under /srv; none of them names /srv/samba, so it falls under /srv/.* and gets var_t

[root@localhost ~]# semanage fcontext -a -t public_content_t "/srv/samba(/.*)?"

[root@localhost ~]# semanage fcontext -l | grep '/srv/samba(/.*)?'

/srv/samba(/.*)?                   all files          system_u:object_r:public_content_t:s0

[root@localhost ~]# cat /etc/selinux/targeted/contexts/files/file_contexts.local

# This file is auto-generated by libsemanage
# Do not edit directly.

/srv/samba(/.*)?    system_u:object_r:public_content_t:s0

# this is the file the new rule was written to

[root@localhost ~]# ll -Zd /srv/samba

drwxr-xr-x. 2 root root unconfined_u:object_r:var_t:s0 6 Feb 22 22:46 /srv/samba

# adding the rule does not relabel anything by itself; restorecon applies it:

[root@localhost ~]# restorecon -Rv /srv/samba

[root@localhost ~]# ll -Zd /srv/samba

drwxr-xr-x. 2 root root unconfined_u:object_r:public_content_t:s0 6 Feb 22 22:46 /srv/samba

# now a default exists, so restorecon can always bring the label back, and a full relabel keeps it too

After reading the above, you should have a general picture of how SELinux works and how its basic operations fit together: check the mode with getenforce and sestatus, read contexts with ll -Z, repair labels with restorecon (and make defaults persistent with semanage fcontext), tune optional behaviour with setsebool, and start every investigation from the denial records rather than from guesswork. Thank you for reading!
