2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Many people who are new to SELinux have no idea how to apply the targeted policy to confine a running process. This article therefore summarises the background of the problem and the steps to solve it; I hope it helps you work through the problem.
I. Install the packages related to SELinux
Although SELinux is installed by default in some Linux distributions (such as Fedora 10 and Red Hat Enterprise Linux 5 and 6), you should still know which packages SELinux consists of. They are briefly introduced below:
policycoreutils: provides SELinux management commands such as semanage, restorecon, audit2allow, semodule, load_policy and setsebool for manipulating and managing SELinux.
policycoreutils-gui: provides the graphical tool system-config-selinux for managing SELinux.
selinux-policy: provides the SELinux base policy. It contains the rules shared by all SELinux policies and serves as the basis for the specific policies, such as the targeted policy.
selinux-policy-(policy name): provides a specific SELinux policy. Install the selinux-policy-targeted package for the targeted policy and the selinux-policy-mls package for the MLS policy. Note that since Fedora 8 the strict policy has been merged into the targeted policy.
setroubleshoot-server: translates SELinux denial messages into detailed descriptions that can be viewed with the sealert tool.
setools, setools-gui and setools-console: provide SELinux tools for policy analysis and querying, audit log monitoring, file context management, and so on.
libselinux-utils: provides tools such as avcstat, getenforce, getsebool, matchpathcon, selinuxconlist, selinuxdefcon, selinuxenabled, setenforce and togglesebool.
mcstrans: translates the MLS/MCS level in an SELinux context (such as s0-s0:c0.c1023) into a readable form; it is not installed by default.
II. Use the log files related to SELinux
SELinux has several related log files that record the denials that occur while it runs, so that the administrator can audit and evaluate them afterwards. By default SELinux writes denials to the /var/log/audit/audit.log file, part of which is shown in figure 1:
Figure 1 Part of the /var/log/audit/audit.log file
In addition, if setroubleshootd is running, the records in /var/log/audit/audit.log are translated into an easier-to-read form and saved in the /var/log/messages file:
Figure 2 Partial output of the /var/log/messages file
Where the denial messages end up depends on which daemons are running. Table 1 lists the log file paths for each combination of daemons:
Table 1 SELinux log files

Daemons running                            Log file
auditd on                                  /var/log/audit/audit.log
auditd off, rsyslogd on                    /var/log/messages
setroubleshootd, rsyslogd and auditd on    /var/log/audit/audit.log; translated copies are also written to /var/log/messages
To have these daemons started at boot, configure auditd, rsyslogd and setroubleshootd to run automatically in the multi-user run levels. As root, run:
# /sbin/chkconfig --level 2345 auditd on
# /sbin/chkconfig --level 2345 rsyslogd on
# /sbin/chkconfig --level 2345 setroubleshootd on
You can also use the following commands to check that the daemons are running properly:
# /sbin/service auditd status
# /sbin/service rsyslogd status
# /sbin/service setroubleshootd status
III. Enable and disable SELinux
Enabling and disabling SELinux is as simple as editing its configuration file and then rebooting. The detailed steps to enable SELinux are:
(1) Edit the configuration file /etc/selinux/config
Following the description above, set the operating mode and the active policy of SELinux (see the SELINUX= and SELINUXTYPE= lines in the configuration file below):
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing-SELinux security policy is enforced.
# permissive-SELinux prints warnings instead of enforcing.
# disabled-No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted-Targeted processes are protected.
# mls-Multi Level Security protection.
SELINUXTYPE=targeted
(2) Use the getenforce and sestatus commands to view the current mode and detailed status of SELinux:
# /usr/sbin/getenforce
# /usr/sbin/sestatus
(3) Reboot the system as root:
# reboot
Similarly, the detailed steps to disable SELinux are as follows:
(1) Edit the configuration file /etc/selinux/config
Following the description above, set the operating mode and the active policy of SELinux (see the SELINUX= and SELINUXTYPE= lines in the configuration file below):
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing-SELinux security policy is enforced.
# permissive-SELinux prints warnings instead of enforcing.
# disabled-No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted-Targeted processes are protected.
# mls-Multi Level Security protection.
SELINUXTYPE=targeted
(2) Use the getenforce and sestatus commands to view the current mode and detailed status of SELinux:
# /usr/sbin/getenforce
# /usr/sbin/sestatus
(3) Reboot the system as root:
# reboot
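An added example, not part of the original article: a POSIX shell function that validates the two settings edited above in /etc/selinux/config before you reboot, so that a misspelling such as "diabled" instead of "disabled" is caught while it is still cheap to fix. The default path /etc/selinux/config and the function name check_selinux_config are my own choices.

```shell
# check_selinux_config: validate SELINUX= and SELINUXTYPE= in an SELinux
# configuration file (added example; the function name is mine, not from
# the article). Prints "<mode> <type>" and returns 0 when both values are
# valid; otherwise reports the problem on stderr and returns 1.
check_selinux_config() {
    cfg="${1:-/etc/selinux/config}"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
    # Take the value of the last uncommented assignment of each key.
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$cfg" | tail -n 1)
    ptype=$(sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$cfg" | tail -n 1)
    rc=0
    case "$mode" in
        enforcing|permissive|disabled) ;;
        "") echo "$cfg: SELINUX= is missing" >&2; rc=1 ;;
        *)  echo "$cfg: SELINUX=$mode is not enforcing, permissive or disabled" >&2; rc=1 ;;
    esac
    case "$ptype" in
        targeted|mls) ;;
        "") echo "$cfg: SELINUXTYPE= is missing" >&2; rc=1 ;;
        *)  echo "$cfg: SELINUXTYPE=$ptype is not targeted or mls" >&2; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "$mode $ptype"
    return "$rc"
}

# Stand-alone use: check the real file before running "reboot".
# check_selinux_config /etc/selinux/config
```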
IV. How the targeted policy works
The targeted policy is derived from the strict sample policy, and its structure and organisation are almost the same. The strict policy tries to use every feature of SELinux to provide strong protection for most programs, whereas the goal of the targeted policy is to isolate the high-risk programs. The advantage of the targeted policy is that it adds a great deal of protection to a Linux system while affecting existing user programs as little as possible. It focuses on network-facing services (the components exposed to arbitrary remote input), and it is the standard policy on RHEL and Fedora because it strikes a good balance between stronger security and low impact on existing applications.
If you install the targeted sample policy, its source files are in the /etc/selinux/targeted/src/policy/ directory, and the targeted sample policy source is very similar to the strict sample source in every respect.
The main difference between the targeted and strict sample policies is the use of the unconfined domain type unconfined_t and the removal of all the other user domain types, such as sysadm_t and user_t. This also means that the basic role structure has been removed: all users run under the system_r role, and almost all user programs run in the unconfined_t domain. Both unconfined and confined domains are still subject to the executable-and-writable memory checks. By default a process running in the unconfined domain cannot allocate memory that is both writable and executable, which reduces the risk of a successful buffer overflow attack. These memory checks can be turned off with SELinux Boolean variables, which allow the policy to be modified at run time and are described in more detail below.
The unconfined domain is defined in ./domain/unconfined.te. Note that in the targeted sample policy the strict policy files admin.te and user.te are no longer in the ./domains/ directory; these files define the various user domains of the strict sample policy, each with restricted privileges. In the targeted sample policy every program runs in the unconfined_t domain unless a domain type is explicitly specified for it (hence the name targeted), and the unconfined domain essentially has access to all SELinux types, which exempts it from SELinux controls (hence unconfined). In the strict sample policy, ./domains/program/ contains many policy modules, each representing one or more domain types and their associated types together with the rules for a specific program. In the targeted sample policy this directory contains far fewer files, and these are the targets.
The targeted policy modules are similar to those of the strict policy; for example, the strict and targeted ping modules are identical. Some targeted modules, however, simply define the type so that the domain is unconfined (not targeted). For example, the targeted crond policy (crond.te) contains the line unconfined_domain(crond_t). This macro is defined in ./policy/macros/global_macros.te of the targeted sample policy; it gives the crond domain type all SELinux access, making it unconfined. If you compare it with the strict version of the crond module (/etc/selinux/strict/src/policy/domains/program/crond.te) you will see a large difference between them: in the targeted policy crond is an unconfined domain. In both policies, however, ping remains a confined domain.
V. Apply the targeted policy to confine a running process
Almost all service processes run confined, and most system processes that run as root (such as passwd) run in confined domains too. A confined process can only run in its own domain; for example, the web server process httpd can only run in the httpd_t domain. If a confined process is compromised and controlled by an attacker, the SELinux policy limits the attacker to what that domain is allowed to access, so the damage is far smaller than on a traditional Linux system.
The following example of confining a specific process (on an RHEL or Fedora system) illustrates how SELinux keeps a process inside its own domain. It uses the httpd process of the familiar Apache server to show how SELinux prevents httpd from accessing file types that belong to other domains.
(1) Run the sestatus command to confirm that SELinux is running, that it is in enforcing mode (which can be understood simply as the full operating mode of SELinux, in which mandatory access control is enforced) and that the targeted policy is in use.
Figure 1 Use sestatus to confirm that SELinux is running
The output shows that SELinux is running in enforcing mode with the targeted policy.
(2) With root privileges, use the following command to create a new file in the httpd document directory:
# touch /var/www/html/testfile
(3) Run the following command to view the SELinux context of the file:
# ls -Z /var/www/html/testfile
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/testfile
The output shows that, because Linux users are unconfined by default, the SELinux user in the context of the newly created testfile is unconfined_u. The RBAC mechanism applies to processes, not files, and a role means little for a file, so the object_r in the output is simply the generic role for files. Process-related files under /proc can carry the system_r role. Finally, the httpd_sys_content_t type in the output is what allows the httpd process to access the file.
(4) As root, start the httpd process; figure 2 shows it starting successfully.
Figure 2 Successful start of the httpd process
(5) Change to a directory in which the Linux user has write permission and use wget to download testfile. As figure 3 shows, the command succeeds and the file is downloaded.
Figure 3 wget runs and downloads the file correctly
(6) Use the chcon command to relabel the type of the file. Such a label change is not permanent: it is reverted once the file system is relabelled, for example when the system is rebooted with a relabel. For a permanent change of a file type you need the semanage command, which is described in more detail later. Now, as root, run the chcon command shown in figure 4 to change the type of the testfile created above to the type used by the Samba service (samba_share_t); then run ls -Z /var/www/html/testfile to see the result of the change.
Figure 4 Result of the chcon command
(7) On traditional Linux the httpd process could still access testfile. Now test whether it can under SELinux: run the wget download from step (5) again. This time the command fails because httpd is not permitted to serve the file; the result is shown in figure 6.
Figure 6 The wget command fails
The seven steps above show that although the traditional Linux DAC mechanism allows the httpd process to access testfile, the SELinux MAC mechanism denies the access: the file now has a type (samba_share_t) that the httpd process may not access, so SELinux rejects the operation. At the same time SELinux records the denial in detail so that the administrator can audit and handle it afterwards; see the /var/log/messages file.
Figure 7 The /var/log/messages file
The corresponding error record can also be viewed in the /var/log/audit/audit.log file, as shown in figure 8:
type=AVC msg=audit(1241564654.246): avc: denied { getattr } for pid
Because the operation involves the httpd service, which has its own log file, the denial can also be seen in the /var/log/httpd/error_log file.
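An added example, not from the original article: a shell function that summarises AVC denial records of the form shown above, grouping them by denied permissions, source domain, target type and object class, so that a denial such as httpd_t being blocked from samba_share_t stands out at a glance. The sample audit lines are constructed for the demonstration (pids, inode, serial numbers and contexts are illustrative), and the function names summarize_avc and sample_audit_log are my own.

```shell
# summarize_avc: group AVC denials in an audit log by denied permissions,
# source domain, target type and object class (added example; names mine).
# Output line: <perms> <source type> -> <target type> <class> <count>
summarize_avc() {
    awk '
    /^type=AVC / && / denied / {
        # The denied permissions sit between "{" and "}".
        match($0, /[{][^}]*[}]/)
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^[ \t]+|[ \t]+$/, "", perms)
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            # The third field of user:role:type:level is the type.
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        count[perms " " s " -> " t " " c]++
    }
    END { for (k in count) print k, count[k] }' "$1" | sort
}

# Constructed sample records in the format of the audit.log line above
# (pids, inode and serial numbers are illustrative, not from a real system).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1241564654.246:101): avc:  denied  { getattr } for  pid=2134 comm="httpd" path="/var/www/html/testfile" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1241564654.246:101): arch=c000003e syscall=4 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1241564654.247:102): avc:  denied  { read open } for  pid=2134 comm="httpd" name="testfile" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=AVC msg=audit(1241564655.001:103): avc:  denied  { getattr } for  pid=2135 comm="httpd" path="/var/www/html/testfile" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
EOF
}

# Stand-alone use on a real system: summarize_avc /var/log/audit/audit.log
```

On the sample input the function reports two lines: getattr denied twice and read open denied once, all from httpd_t to samba_share_t on class file.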
After reading the above, have you learned how to apply the targeted policy in SELinux to confine a running process? If you want to learn more skills or find out more about the topic, you are welcome to follow the industry information channel. Thank you for reading!