2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
The editor shares with you how to enable SELinux on a CentOS 8 system and implement mandatory access control. Most people do not know much about it, so this article is shared for your reference; I hope you learn a lot from reading it. Let's get started!
1. Operation purpose and application scenario
(1) Purpose
Enable SELinux on a CentOS 8 system and enforce mandatory access control.
(2) Brief introduction
Security-Enhanced Linux, SELinux for short, is a Linux kernel module and a security subsystem of Linux. SELinux was developed mainly by the National Security Agency (NSA). SELinux modules have been integrated into Linux kernels of version 2.6 and above.
The main function of SELinux is to minimize the resources that can be accessed by the service process in the system (the least privilege principle).
Imagine that a network service running as root has a 0day vulnerability: an attacker can exploit it and do whatever they want on your server as root. Isn't that scary? SELinux exists to solve this problem.
2. Operation steps
(1) The working mode of SELinux
1. Three working modes of SELinux
SELinux has three working modes:
enforcing // Enforcing mode. Violations of SELinux rules are blocked and logged.
permissive // Permissive mode. Violations of SELinux rules are only logged. Generally used for tuning and testing.
disabled // SELinux is turned off.
The SELinux working mode is set in /etc/selinux/config.
Switching from disabled to enforcing or permissive requires a system restart, and vice versa.
Enforcing and permissive modes can be switched quickly with the setenforce 1 | 0 command.
2. Enable SELinux
(1) Enable SELinux temporarily
setenforce 1
(2) Enable SELinux permanently
vi /etc/selinux/config // edit the configuration file
Change
SELINUX=disabled
to
SELINUX=enforcing
Save and exit. It takes effect after a reboot.
reboot // restart the machine
getenforce // view the working mode of SELinux
/usr/sbin/sestatus -v // view details of the SELinux working status
The current status of SELinux is enabled, the working mode is enforcing, and the policy is targeted, which means SELinux is working properly.
Conversely, to disable SELinux, the temporary method is setenforce 0, and the permanent method is to set SELINUX=disabled in the configuration file and reboot for it to take effect.
(2) The policies and rules of SELinux
1. The policy of SELinux
There are usually a large number of files and processes in a system, and we usually control only selected processes in order to save time and overhead. Which processes are regulated, and how, is determined by the policy.
In the CentOS system there are three sets of policies:
targeted // controls most network service processes; this is the default policy
minimum // based on targeted, regulates only selected network service processes. Rarely used.
mls // multi-level security. Controls all processes; this is the strictest policy and very difficult to configure. Generally not used unless there are very high security requirements.
The policy is specified in the /etc/selinux/config file.
2. Rules of SELinux
A set of policies contains many rules, some of which can be enabled or disabled as required; these switchable rules are called Boolean rules. Rules are modular and extensible: when a new application is installed, it can add rules by adding new modules, and users can also add or remove rules manually.
3. Use seinfo to view the policy information of SELinux
seinfo - SELinux policy information tool
seinfo // run without parameters to view the policy file and what it contains
As you can see from the output, the policy contains Users, Roles, Types and Booleans, which are users, roles, types and Boolean rules respectively. Look at each of them separately:
seinfo -r // view all SELinux roles (role)
There are currently 14 SELinux roles.
seinfo -u // list all SELinux identities (user)
There are currently 8 SELinux users.
seinfo -t // view all SELinux types (type)
As you can see, there are 4940 SELinux types in the current system.
seinfo -b // list all Boolean rules
There are currently 330 SELinux Boolean rules.
seinfo -b | grep nfs // -b, --bool: view the Boolean rules related to nfs
4. Use sesearch to query the details of the SELinux policy
sesearch is the policy query tool of SELinux. It is used as follows:
sesearch --allow | grep " cluster_t " // view the allow rules whose subject type is cluster_t
sesearch --allow | grep " cluster_t:" // view the allow rules whose object type is cluster_t
5. Use setsebool to switch a Boolean rule
setsebool [options] boolean on|off
setsebool -P httpd_anon_write on
on/off sets the state of the Boolean rule, and the -P option makes the new value persistent across reboots. Nothing is printed after a successful run.
(3) The security context of SELinux
1. What is a security context?
Security contexts are divided into process security contexts and file security contexts. A process security context generally corresponds to multiple file security contexts. A process can access a file only if the two security contexts correspond, and their correspondence is determined by the rules in the policy.
The file security context is determined by the location where the file is created and by the process that creates it. The system has a set of default values, and users can also set the default values themselves.
Note that simply moving a file does not change its security context.
2. The structure and meaning of the security context
The security context has four fields separated by colons: user, role, type and level. For example: system_u:object_r:admin_home_t:s0.
3. View the security context
(1) View the security context of a file
ls -Z /var/www/html // view the security context of the directory
You can see that the SELinux type of the /var/www/html/ directory is httpd_sys_content_t.
(2) View the security context of a process
ps auxZ | grep -v grep | grep httpd
As you can see, the SELinux type of the httpd process is httpd_t, and there are multiple httpd processes with the same security context. Note that the security context of a process is different from that of its executable file.
Why can the httpd process access the /var/www/html directory? Because there are SELinux rules that allow the subject httpd_t to perform the related operations on the object httpd_sys_content_t.
4. Modify the file security context
Here is an example of how to modify the security context of a file.
(1) Create test files
// create a test file in the /var/www/html directory:
echo index.html > /var/www/html/index.html
// view the security context of the file
ls -Z /var/www/html/index.html
As you can see, the SELinux type of the file is httpd_sys_content_t.
// create another test file in the /root directory
echo index1.html > /root/index1.html
// move the test file to the /var/www/html/ directory
mv /root/index1.html /var/www/html/index1.html
// view the security context of the test file
ls -Z /var/www/html/index1.html
As you can see, the SELinux type of index1.html is admin_home_t, because moving a file does not change its security context.
// use links to access index.html from a remote host
links 192.168.242.164/index.html
The access succeeds.
// use links on the remote host to access index1.html
links 192.168.242.164/index1.html
The browser reports that it does not have permission to access index1.html.
This is because there is no rule that allows a subject of type httpd_t to read an object file of type admin_home_t. You can look for matching rules with the following command:
sesearch -s httpd_t -t admin_home_t -c file -p read --allow
No matching rule entries are found.
To solve this problem, either modify the security context of /var/www/html/index1.html, changing its type to httpd_sys_content_t or another type that is already allowed, or create a new rule that allows a subject of type httpd_t to read object files of type admin_home_t. The first approach is to modify the file's security context.
(2) Use chcon to modify the security context of a file
// the chcon command specifies the type in the file's context. It is used as follows:
chcon [options] file...
Option         Function
-u             Modify the user field of the security context
-r             Modify the role field of the security context
-t             Modify the type field of the security context
-l             Modify the level field of the security context
--reference    Modify the security context of the file/directory to match that of the specified file/directory
-R             Operate recursively
-h             Modify the security context of the symbolic link itself; without this option the file the link points to is modified
// one way is to specify the type directly with the -t option
chcon -t httpd_sys_content_t /var/www/html/index1.html
// try to access the index1.html file remotely
links 192.168.242.164/index1.html
The access succeeds, which shows that the change to the security context of index1.html has taken effect.
Another way is to use the --reference option to copy the security context of another file.
// change the type of the index1.html file back to admin_home_t
chcon -t admin_home_t /var/www/html/index1.html
chcon --reference=/var/www/html/index.html /var/www/html/index1.html
The security context of the file is modified successfully: the type in the file's security context is set to httpd_sys_content_t, which the httpd process can naturally access, so there is no need to verify with links again.
(3) Use restorecon to automatically set the correct security context for a file
ls -Z /var/www/html/index1.html // view the security context
restorecon /var/www/html/index1.html // automatically sets the security context
The file security context is modified successfully.
5. Modify the security context of a directory
An example of how to modify the security context of a directory and its files.
(1) Create a test directory and web page
// create a directory under /root
mkdir /root/myweb/
// create a web page
echo myweb > /root/myweb/myweb.html
// move the test directory to /var/www/html/
mv /root/myweb /var/www/html/
// view the security context of the moved test directory
ls -dZ /var/www/html/myweb/
// view the security context of the web page in the moved test directory
ls -Z /var/www/html/myweb/myweb.html
// use links to access myweb.html remotely
links 192.168.242.164/myweb/myweb.html
The cause of the error is the same as in the previous example: there is no corresponding SELinux rule. As above, we modify the type in the file's security context.
chcon -t httpd_sys_content_t /var/www/html/myweb/myweb.html
Success.
// create a new web page file
echo myweb1 > /var/www/html/myweb/myweb1.html
The security context type of the new file is still admin_home_t, because the type in the security context of the directory that contains it is still admin_home_t and has not been changed. So we need to modify the security context of the directory, so that new files created in it get the new security context.
chcon -t httpd_sys_content_t /var/www/html/myweb/
After that, when a new file is created, the type in its security context is httpd_sys_content_t.
(2) Use the semanage command to modify the default security context of a directory
semanage fcontext - SELinux policy management tool for file contexts
Look at the following example:
// create a directory under /root
mkdir /root/newweb/
// create a web page
echo newweb > /root/newweb/newweb.html
// move the test directory to /var/www/html/
mv /root/newweb /var/www/html/
// view the security context of the moved test directory
ls -dZ /var/www/html/newweb/
// view the security context of the web page in the moved test directory
ls -Z /var/www/html/newweb/newweb.html
As you can see, the type in the security context of the moved directory and of the files in it is admin_home_t.
// add a default security context of type httpd_sys_content_t for the directory and everything in it
semanage fcontext -a -t httpd_sys_content_t "/var/www/html/newweb(/.*)?"
// the new default context is not applied yet; use the restorecon command to apply it:
restorecon -Rv /var/www/html/newweb/
// view the security context of the directory and file
ls -dZ /var/www/html/newweb/ /var/www/html/newweb/newweb.html
The change to the security context has taken effect.
// view the default security context for the test directory and files
semanage fcontext -l | grep /var/www/html/
As you can see, the /var/www/html/newweb directory and the files in it now have a default security context, whereas the earlier myweb directory had no default security context set, so it does not appear in the result.
What is the purpose of the default security context? Once it is set, no matter how the security context is modified afterwards, running the restorecon command restores the current configuration to the default security context.
// use chcon to modify the security context
chcon -t admin_home_t /var/www/html/newweb/newweb.html
// use the restorecon command to restore the default security context
restorecon /var/www/html/newweb/newweb.html
The current security context has been restored to the default.
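The drift that restorecon fixes can also be checked without touching the system, by comparing on-disk labels with the defaults that semanage knows about. The following Python is an added example, not part of the original article: it parses constructed `semanage fcontext -l` output and a constructed set of `ls -Z` labels, and reports files whose type differs from the policy default. Choosing the matching pattern with the longest literal prefix as the most specific one is an assumption of this example that approximates how the policy selects a matching entry.

```python
import re

# Constructed excerpt of `semanage fcontext -l` output: the first line is the
# rule added with semanage above, the rest are modelled on the targeted policy.
SAMPLE_FCONTEXT_LIST = r"""
/var/www/html/newweb(/.*)?    all files    system_u:object_r:httpd_sys_content_t:s0
/var/www(/.*)?                all files    system_u:object_r:httpd_sys_content_t:s0
/root(/.*)?                   all files    system_u:object_r:admin_home_t:s0
/root/\.ssh(/.*)?             all files    system_u:object_r:ssh_home_t:s0
"""

# Constructed on-disk labels as `ls -Z` shows them: newweb.html was moved from
# /root and still carries admin_home_t, the situation shown above.
SAMPLE_CURRENT_LABELS = {
    "/var/www/html/newweb/newweb.html": "unconfined_u:object_r:admin_home_t:s0",
    "/var/www/html/index.html": "unconfined_u:object_r:httpd_sys_content_t:s0",
    "/root/.ssh": "unconfined_u:object_r:ssh_home_t:s0",
}

FCONTEXT_LINE = re.compile(r"^(?P<pattern>\S+)\s+(?P<ftype>.+?)\s+(?P<ctx>\S+)$")
META = re.compile(r"[.^$*+?()\[\]{}|\\]")  # first regex metacharacter ends the literal prefix


def parse_fcontext_list(text: str) -> list:
    """(pattern, file type, context) tuples from semanage fcontext -l output."""
    entries = []
    for line in text.splitlines():
        m = FCONTEXT_LINE.match(line.strip())
        if m and m.group("ctx") != "<<None>>":
            entries.append((m.group("pattern"), m.group("ftype"), m.group("ctx")))
    return entries


def context_type(ctx: str) -> str:
    """Third field of user:role:type:level."""
    return ctx.split(":", 3)[2]


def expected_type(path: str, entries: list):
    """Type restorecon would apply. Assumption of this example: among patterns
    matching the whole path, the longest literal prefix is the most specific."""
    best = None
    for pattern, _ftype, ctx in entries:
        if re.fullmatch(pattern, path):
            m = META.search(pattern)
            spec = len(pattern) if m is None else m.start()
            if best is None or spec > best[0]:
                best = (spec, context_type(ctx))
    return None if best is None else best[1]


def find_mislabeled(current_labels: dict, entries: list) -> dict:
    """path -> (current type, default type) for files whose on-disk label
    differs from the policy default, i.e. what restorecon would change."""
    drift = {}
    for path, ctx in current_labels.items():
        want = expected_type(path, entries)
        have = context_type(ctx)
        if want is not None and want != have:
            drift[path] = (have, want)
    return drift
```

Feeding real `semanage fcontext -l` output and the labels from `ls -RZ` into these two functions gives the same list of files that `restorecon -Rvn` would report as needing relabeling.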
(4) SELinux log
1. View the log file
The records of SELinux blocking process access are kept in the /var/log/audit/audit.log file.
tail -n 3 /var/log/audit/audit.log
type=AVC msg=audit(1615342682.388:139): avc:  denied  { getattr } for  pid=2632 comm="httpd" path="/var/www/html/index1.html" dev="sda1" ino=67619205 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1615342682.388:139): arch=c000003e syscall=6 success=no exit=-13 a0=7f261c043dc8 a1=7f261b7fd8d0 a2=7f261b7fd8d0 a334 1 items=0 ppid=2307 pid=2632 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null) ARCH=x86_64 SYSCALL=lstat AUID="unset" UID="apache" GID="apache" EUID="apache" SUID="apache" FSUID="apache" EGID="apache" SGID="apache" FSGID="apache"
type=PROCTITLE msg=audit(1615342682.388:139): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
The information of the subject and object of selinux is recorded in detail in the log.
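The fields the article points out (scontext, tcontext, tclass and the denied permission set) are what every SELinux triage starts from. The following Python is an added example, not from the original article: it parses constructed audit.log records modelled on the one above into structured denials, splits each context into its four fields, and derives both the sesearch query used earlier in this article and the merged allow rule that audit2allow would print. The second AVC record is constructed to show how permissions accumulate for one subject/object pair.

```python
import re
from collections import namedtuple

# Constructed audit.log excerpt modelled on the denial above (pid, paths and
# contexts follow that record; the second AVC is constructed).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1615342682.388:139): avc:  denied  { getattr } for  pid=2632 comm="httpd" path="/var/www/html/index1.html" dev="sda1" ino=67619205 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1615342682.388:139): arch=c000003e syscall=6 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1615342700.101:140): avc:  denied  { read open } for  pid=2632 comm="httpd" path="/var/www/html/index1.html" dev="sda1" ino=67619205 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

# The four colon-separated fields of a security context (user:role:type:level)
Context = namedtuple("Context", "user role type_ level")
# One denial: denied permissions, raw key=value fields, subject/object context, object class
AvcDenial = namedtuple("AvcDenial", "perms fields scontext tcontext tclass")


def parse_context(ctx: str) -> Context:
    # maxsplit=3 keeps MLS ranges such as s0-s0:c0.c1023 inside the level field
    return Context(*ctx.split(":", 3))


def parse_avc(line: str):
    """Return an AvcDenial for a type=AVC denial record, None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: q or v for k, q, v in KV_RE.findall(m.group("rest"))}
    return AvcDenial(tuple(m.group("perms").split()), fields,
                     parse_context(fields["scontext"]),
                     parse_context(fields["tcontext"]), fields["tclass"])


def parse_audit_log(text: str) -> list:
    return [d for d in map(parse_avc, text.splitlines()) if d is not None]


def sesearch_command(d: AvcDenial) -> str:
    """The sesearch query that checks whether the policy already allows this access."""
    return (f"sesearch -s {d.scontext.type_} -t {d.tcontext.type_} "
            f"-c {d.tclass} -p {','.join(d.perms)} --allow")


def allow_rules(denials: list) -> list:
    """Merge denials into allow rules in the form audit2allow prints. Review aid
    only: when the object is mislabeled, as here, restorecon or chcon is the fix,
    not a wider policy."""
    merged = {}
    for d in denials:
        merged.setdefault((d.scontext.type_, d.tcontext.type_, d.tclass), set()).update(d.perms)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in merged.items()]
```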
2. Use the sealert program to analyze the log
Copy the above log records to a new file, then analyze it with the sealert program.
sealert -a se.txt // -a specifies the file to analyze
sealert gives an explanation of the event:
SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index1.html.
After that, two repair suggestions are given. One is to fix it with the restorecon plugin, with a confidence of 99.5:
/sbin/restorecon -v /var/www/html/index1.html
The other is to fix it with the catchall plugin, with a confidence of 1.49:
ausearch -c 'httpd' --raw | audit2allow -M my-httpd
semodule -i my-httpd.pp
Using restorecon solves the problem completely, whereas the catchall fix only satisfies the requirement to read the file's attributes, not its contents, so SELinux errors still appear in the log:
The content of the log shows that reading the file is refused.
(5) Create an SELinux policy for a custom program
1. Create a test program
In this example, create a program that opens the /var/log/messages file and performs a write operation.
// install the policycoreutils-devel package
yum install policycoreutils-devel
vi mydaemon.c // create and edit the code file, and add the following
#include <stdio.h>
#include <unistd.h>

FILE *f;

int main(void)
{
    while (1) {
        /* open the log for writing; this fails under SELinux until the policy allows it */
        f = fopen("/var/log/messages", "w");
        sleep(5);
        /* fopen returns NULL when access is denied; fclose(NULL) would crash the daemon */
        if (f)
            fclose(f);
    }
}
Save and exit.
// compile the file
gcc -o mydaemon mydaemon.c
vi mydaemon.service // create and edit the service configuration file, add the following content
[Unit]
Description=Simple testing daemon

[Service]
Type=simple
ExecStart=/usr/local/bin/mydaemon

[Install]
WantedBy=multi-user.target
Save and exit.
// install as a service and start it
cp mydaemon /usr/local/bin/
cp mydaemon.service /usr/lib/systemd/system
systemctl start mydaemon
systemctl status mydaemon
// view the process
ps -efZ | grep mydaemon
As you can see, the new process has no dedicated SELinux security context.
2. Generate a custom policy
sepolicy generate --init /usr/local/bin/mydaemon
Multiple files are generated.
Run the generated shell script to build the new policy module and load it into the system policy.
./mydaemon.sh
// set the security context of the executable file
restorecon -v /usr/local/bin/mydaemon /usr/lib/systemd/system
// restart the process and view its security context
systemctl restart mydaemon
ps -efZ | grep mydaemon
The security context of the process has been set.
This process cannot write to the /var/log/messages file because of SELinux restrictions.
// view the errors recorded in the audit log
ausearch -m AVC -ts recent
A recent error is returned: the mydaemon process, as the subject, could not open and write the object file /var/log/messages.
// use the sealert command to view more detailed information
sealert
// use audit2allow to suggest a fix
ausearch -m AVC -ts recent | audit2allow -R
The returned result indicates that mydaemon_t should be passed as a parameter to the logging_write_generic_logs interface.
Because the output of audit2allow may be inaccurate, look up the corresponding policy interface to confirm that it exists:
grep -r "logging_write_generic_logs" /usr/share/selinux/devel/include/ | grep .if
The policy interface file is found.
View the contents of the policy interface file:
cat /usr/share/selinux/devel/include/system/logging.if
The above is the definition of the logging_write_generic_logs interface, which can be used.
// write the interface call to the te file
echo "logging_write_generic_logs(mydaemon_t)" >> mydaemon.te
// re-run the script to build the new SELinux policy
./mydaemon.sh
// view the errors recorded in the audit log
ausearch -m AVC -ts recent
The program is still running, but no new error is generated, which shows that the new SELinux rule is in effect.
The above is the full content of the article "How to enable SELinux and enforce mandatory access control on CentOS 8". Thank you for reading! I hope the content shared here helps you; if you want to learn more, follow the industry information channel!