
Example Analysis of basic Concepts of SELinux

2025-01-17 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article introduces the basic concepts of SELinux with examples. It should be a useful reference for anyone interested in the topic, and I hope you gain a lot from reading it.

SELinux (Security-Enhanced Linux). [Schematic diagram of the actual operation flow of SELinux's three modes; image not reproduced here.]

Meaning:

Traditional Linux access control uses discretionary access control (DAC), which decides whether access is allowed from the rwx permission bits of the program's owner and of the resource. The problem with this model is that a compromised root account can use any resource, and a file or directory set to mode 777 can be read and modified by anyone. SELinux adds mandatory access control (MAC): when a resource is accessed, the policy judges whether the program has permission, not the user. So even if httpd is taken over, it still has no right to read /etc/shadow and other important files. When SELinux is enabled, file access is controlled by both the SELinux policy and the ordinary rwx permissions of the user.

SELinux is a feature built into the kernel, so no additional service needs to be started to enable it. Once the system has finished booting, SELinux is already running.

Policy mode:

SELinux's policy types:

targeted: the default policy. It places more restrictions on network services and fewer restrictions on the local machine.

strict: full SELinux restrictions; comparatively strict.

Three modes:

enforcing: mandatory mode. SELinux is running and actively restricts access based on domain/type.

permissive: tolerant mode. SELinux is running, but it only prints warning messages and does not actually restrict domain/type access. This mode can be used to debug SELinux (to see what would be denied).

disabled: SELinux is turned off.

Query the current SELinux mode: getenforce

Query the current SELinux policy details: sestatus

Open and close:

Temporarily turn SELinux off: setenforce 0 (switches SELinux to permissive mode)

Temporarily turn SELinux on: setenforce 1 (switches SELinux to enforcing mode)

Completely shut down SELinux: edit /etc/selinux/config and set SELINUX=disabled. This takes effect after a reboot.
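Because setenforce only changes the running mode while /etc/selinux/config decides the mode at boot, the two can drift apart (a "temporary" setenforce 0 that nobody reverted). The script below, an added example rather than code from the original article, parses a constructed copy of the config file and compares it with a runtime mode string; on a real host you would pass "$(getenforce)" as the second argument.

```shell
#!/bin/sh
# Added example, not from the original article: compare the boot-time mode set in
# /etc/selinux/config with the runtime mode reported by getenforce, so that a
# "temporary" setenforce 0 that was never reverted shows up as drift.
# The config file content below is constructed for this example.

# Print the SELINUX= value of a config file ($1), ignoring comments and blank lines.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# $1 = config file path, $2 = runtime mode (on a real host pass "$(getenforce)").
# Prints: consistent, drift-permissive, runtime-stricter, or mismatch(<cfg>/<runtime>).
check_drift() {
    cfg=$(config_mode "$1")
    rt=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$cfg:$rt" in
        enforcing:enforcing|permissive:permissive|disabled:disabled) echo consistent ;;
        enforcing:permissive) echo drift-permissive ;;  # setenforce 0 left behind
        permissive:enforcing) echo runtime-stricter ;;
        *) echo "mismatch($cfg/$rt)" ;;
    esac
}

# Write a constructed config file and print its path (stand-in for /etc/selinux/config).
write_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# This file controls the state of SELinux on the system. (constructed sample)
#     enforcing - SELinux security policy is enforced.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
    printf '%s\n' "$f"
}

cfg_file=$(write_sample_config)
printf 'config=%s runtime=Permissive -> %s\n' \
    "$(config_mode "$cfg_file")" "$(check_drift "$cfg_file" Permissive)"
rm -f "$cfg_file"
```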

Log:

The following services record useful information to the log when an SELinux denial occurs, which helps in finding a solution:

setroubleshoot (records only the error messages)

auditd (records the details)

Basic use:

To view the security context of files, run:

ls -Z

The security context is divided into three fields separated by colons:

identity:role:type

Identity:

root: the identity of the root account; the listing above shows it for files under root's home directory

system_u: the identity of a system program, usually a process

user_u: the identity associated with ordinary user accounts

Role:

object_r: represents file resources such as files or directories; this should be the most common role

system_r: represents a process. However, ordinary users are also assigned system_r

Type (most important!):

The domain of the process must match the type of the file in order for access to be permitted.

Every directory or file has a default security context.

To query, add or modify the default security contexts: semanage

Restore a file to the default security context of its directory:

restorecon -Rv /var/www/html/index.html

Set the security context of a file or directory to be the same as another file or directory:

chcon -R --reference=/var/lib/ref_file target_file

Access rules can be set and modified, and the default security contexts of directories can be modified.

Thank you for reading this article carefully. I hope that "Example Analysis of the Basic Concepts of SELinux" has been helpful to you. I also hope you will support us and follow the industry information channel; there is more related knowledge waiting for you to learn.
