
Sample Analysis of Getting Started with SELinux

2025-01-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article shares a sample analysis of getting started with SELinux. The editor finds it quite practical and is sharing it here for reference. Let's take a look.

Back in kernel 2.6, a new security system was introduced to provide a mechanism for access control security policies. This system is Security Enhanced Linux (SELinux), a contribution from the National Security Agency (NSA) that introduces a robust Mandatory Access Control architecture into the subsystems of the Linux kernel.

If you have disabled or ignored SELinux so far in your Linux career, this article is written for you: it is an introduction to the SELinux system that sits underneath your Linux desktop or server, limiting privileges and even eliminating the damage that vulnerable programs or daemons could cause.

Before I start, you should already know that SELinux is primarily a tool on Red Hat Linux and its derivative distributions. Similarly, Ubuntu and SUSE (and their derivative distributions) use AppArmor. SELinux and AppArmor are significantly different. You can install SELinux on distributions like SUSE, openSUSE, Ubuntu, etc., but it's an incredible challenge unless you're very good at Linux.

Having said that, let me introduce you to SELinux.

DAC vs. MAC

The traditional access control standard on Linux is Discretionary Access Control (DAC). In this model, a program or daemon runs under a User ID (UID) or Set owner User ID (SUID) and holds that user's permissions on objects (files, sockets, and other processes). This makes it easy for malicious code to run with those permissions and gain access to critical subsystems.

Mandatory Access Control (MAC), on the other hand, enforces isolation of information based on confidentiality and integrity in order to limit damage. This enforcement mechanism operates independently of the traditional Linux security mechanisms and has no concept of a superuser.

How SELinux Works

Consider the main SELinux concepts:

Subjects

Objects

Policy

Mode

When a subject (such as a program) attempts to access an object (such as a file), the SELinux Security Server (in the kernel) runs a check against the Policy Database. Depending on the current mode, the subject can access the object if the SELinux security server grants permission. If the SELinux security server denies permission, a denial message is logged in /var/log/messages.

Sounds relatively simple, doesn't it? The process is actually more complex, but only the important steps are listed to simplify the presentation.

Modes

SELinux has three modes (settable by the user). These modes dictate how SELinux responds when a subject makes a request. The modes are:

Enforcing - SELinux policy is enforced; subjects are granted or denied access to objects based on the SELinux policy rules

Permissive - SELinux policy is not enforced; access is not actually denied, but denial messages are written to the log

Disabled - SELinux is completely disabled
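To make the subject/object check and the difference between an enforced and a log-only denial concrete, here is an added example (not part of the original article) that summarises denial records from a log. The function names and sample lines are constructed for illustration; it assumes records carry the permissive= field, as on current kernels, and counts records without it as enforced.

```shell
#!/bin/sh
# Added example: summarise SELinux "avc: denied" records as
# subject, permission, object and whether the denial was enforced.

# Constructed sample log lines (host, pids, inodes and times are made up).
sample_avc_log() {
cat <<'EOF'
Jan 28 10:02:11 web01 kernel: audit: type=1400 audit(1738058531.120:412): avc:  denied  { read } for  pid=2465 comm="httpd" name="index.html" dev="dm-0" ino=399185 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
Jan 28 10:02:12 web01 sshd[911]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2
Jan 28 10:05:40 web01 kernel: audit: type=1400 audit(1738058740.877:430): avc:  denied  { name_bind } for  pid=3011 comm="named" src=8053 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=1
EOF
}

# summarize_avc: read log lines on stdin, print one line per denial:
#   <comm> <subject_type> <permission> <object_type> <class> <enforced|logged-only>
summarize_avc() {
  awk '
    /avc:[ ]+denied/ {
      comm = perm = stype = ttype = tclass = ""; permissive = "0"
      # The permission set sits between the braces.
      if (match($0, /[{][^}]*[}]/)) {
        perm = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perm); gsub(/ +/, ",", perm)
      }
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)       { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
        if ($i ~ /^scontext=/)   { split($i, c, ":"); stype = c[3] }   # subject type
        if ($i ~ /^tcontext=/)   { split($i, c, ":"); ttype = c[3] }   # object type
        if ($i ~ /^tclass=/)     { tclass = $i; sub(/^tclass=/, "", tclass) }
        if ($i ~ /^permissive=/) { permissive = $i; sub(/^permissive=/, "", permissive) }
      }
      verdict = (permissive == "1") ? "logged-only" : "enforced"
      print comm, stype, perm, ttype, tclass, verdict
    }'
}

sample_avc_log | summarize_avc
```

On a real host, feed the function the log file instead of the sample, for example summarize_avc < /var/log/messages.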

Figure 1: The getenforce command shows that the SELinux mode is Enforcing.

By default, SELinux is set to Enforcing on most systems. How do you know what mode your system is currently in? You can check this with a simple command called getenforce. This command is incredibly easy to use (since its only job is to report the SELinux mode). To use this tool, open a terminal window and execute getenforce. The command returns Enforcing, Permissive, or Disabled (see Figure 1 above).

Setting the SELinux mode is actually quite simple; how you do it depends on which mode you want to set. Remember: disabling SELinux is never recommended. Why not? When you do this, files on your disk may end up mislabeled, requiring you to relabel them to fix the problem. You also cannot modify the mode of a system that starts in Disabled mode. Your best choice is Enforcing or Permissive.

You can change the SELinux mode from the command line or in the /etc/selinux/config file. To set the mode from the command line, you can use the setenforce tool. To set Enforcing mode, do this:

1. Open a terminal window

2. Execute su and enter your administrator password

3. Execute setenforce 1

4. Execute getenforce to make sure the mode is set correctly (Figure 2)

Figure 2: Setting SELinux mode to Enforcing.

To set the mode to Permissive, do this:

1. Open a terminal window

2. Execute su and enter your administrator password

3. Execute setenforce 0

4. Execute getenforce to make sure the mode is set correctly (Figure 3)

Figure 3: Setting SELinux mode to Permissive.

Note: Setting the mode via the command line overrides the settings in the SELinux configuration file.

If you prefer to set the mode in the SELinux configuration file, open that file in your favorite editor and find this line:

SELINUX=permissive

You can set the mode according to your preferences and save the file.

There is a third way to modify SELinux mode (via bootloader), but I don't recommend it for new users.

Policy Type

SELinux has two policy types:

Targeted - Only targeted network daemons (dhcpd, httpd, named, nscd, ntpd, portmap, snmpd, squid, and syslogd) are protected

Strict - Full SELinux protection for all processes

You can modify the policy type in the /etc/selinux/config file. Open this file in your favorite editor and find this line:

SELINUXTYPE=targeted

Change this option to targeted or strict to suit your needs.
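Because setenforce changes only the running mode while /etc/selinux/config holds the SELINUX= and SELINUXTYPE= settings described above, the two can disagree. The following added example (not from the original article) reads both settings from a config file and compares the mode with the word getenforce printed; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the running SELinux mode with the mode and
# policy type written in /etc/selinux/config.

# Constructed sample of /etc/selinux/config, comment lines included.
sample_config() {
cat <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing, permissive, disabled
SELINUX=permissive
# SELINUXTYPE= selects the policy type.
SELINUXTYPE=targeted
EOF
}

# config_value KEY FILE: value of the last uncommented "KEY=value" line.
config_value() {
  sed -n "s/^[[:space:]]*$1=[[:space:]]*\([A-Za-z]*\).*/\1/p" "$2" |
    tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# mode_drift RUNTIME FILE: RUNTIME is the word getenforce printed.
# Prints "<verdict> runtime=<m> boot=<m> policy=<type>".
# Returns 0 if consistent, 1 on drift, 2 if SELINUX= is missing or invalid.
mode_drift() {
  runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  boot=$(config_value SELINUX "$2")
  policy=$(config_value SELINUXTYPE "$2")
  case "$boot" in
    enforcing|permissive|disabled) ;;
    *) echo "invalid runtime=$runtime boot=${boot:-missing} policy=${policy:-missing}"
       return 2 ;;
  esac
  if [ "$runtime" = "$boot" ]; then
    echo "consistent runtime=$runtime boot=$boot policy=$policy"
  else
    echo "drift runtime=$runtime boot=$boot policy=$policy"
    return 1
  fi
}

# Demo on the constructed file; on a real host run:
#   mode_drift "$(getenforce)" /etc/selinux/config
demo_cfg=$(mktemp)
sample_config > "$demo_cfg"
mode_drift Enforcing "$demo_cfg" || true
rm -f "$demo_cfg"
```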

Checking the Complete SELinux Status

There is a handy SELinux tool that you might want to use to get detailed status reports on your SELinux-enabled system. This command runs on the terminal like this:

sestatus -v

You can see output like Figure 4.

Figure 4: Output of the sestatus -v command.
