Shulou(Shulou.com)06/02 Report--

Selinux (Security-Enhanced Linux) security enhanced linux is a Linux kernel module and a security subsystem of Linux.

Three modes:

Enforcing: mandatory mode, which has begun to restrict domain/type when selinux is in operation.

Permissive: warning mode, when selinux is running, there will be warning messages, but will not restrict access to domain/type.

Disabled: turn off mode.

You can view selinux status with getenforce

The effect of selinux on files:

When selinux is enabled, selinux loads the tag context for each file. The security context must be paired, otherwise the file cannot be accessed.

Test:

# enable selinux

Create a file and move to the ftp publishing directory

Touch / mnt/filemv / mnt/file / var/ftp/

Users log in to ftp to view files

You can find that anonymous users cannot view files moved to ftp before.

But the file exists in the ftp directory

View the security context of file

Ls-Z / var/ftp/

You can see that the security context of the two files is not the same, so it will not be displayed.

Temporarily modify the security context

Chcon-t public_content_t / var/ftp/file

Log in to ftp to view files

Because the security context is consistent, the file file can be displayed.

Chcon is only a temporary change to the security context, which will become invalid when the system selinux is restarted.

# permanently modify the security context

# # create your own ftp home directory and modify the security context label of this directory

Mkdir / ftphomesemanage fcontext-a-t pubilc_content_t'/ ftphome (/. *)?'

# View the security context of this directory

You can see here that the security context label has not been modified. We need to restart the kernel list service.

Restorecon-RvvF / ftphome###R: recursive vv: displays the modification information of subdirectories or files in the directory. F: forces the security context of the files and directories in the directory to be the same.

The security context has been modified

The role of selinux for services:

The effect of selinux on a service is like adding a switch to the service, which is turned off by default. 1: turn on the switch; 0: turn off the switch

When selinux is on, we test the switching effect of selinux on the service by logging in to ftp.

Users cannot upload or delete files.

Check the switch status of selinux to ftp

Are all turned off, so there are restrictions on user permissions.

Turn on the function switch

Setsebool-P ftp_home_dir onsetsebool-P ftpd_anon_write on

Log in to ftp again, and users can upload files.

Install setroubleshoot, you can log selinux errors, and provide a solution

/ var/log/audit/audit.log # record the logs collected by selinux

/ var/log/audit/audit.log # record the logs collected by selinux

Summary

The above is the detailed explanation of the basic configuration tutorial of selinux in Linux introduced by the editor. I hope it will be helpful to you. If you have any questions, please leave me a message and the editor will reply to you in time. Thank you very much for your support to the website!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.