Shulou(Shulou.com)06/02 Report--

1. When is Selinux?

Selinux, kernel-level enhanced firewall

SElinux is a mandatory access control (MAC) security system, and it is the most outstanding new security system in the history of linux. For the linux security module, the function of SElinux is the most comprehensive, and the testing is the most thorough. It is a kernel-based security system.

Three modes of Selinux

Enforcing Enforcement (Enforcement Mode)-SELinux policy enforcement that grants or denies principal access to the target based on SELinux policy rules

Permissive tolerance (warning mode)-the SELinux policy is not enforced and access is not actually denied, but denied information is written to the log

Disabled disabled (off mode)-completely disable SELinux

two。 How to manage selinux levels

Selinux on or off

Change "SELINUX=enforcing" to "SELINUX=disabled" under the configuration file "/ etc/sysconfig/selinux". Because SElinux is a kernel-based security system, you need to restart the kernel after setup, that is, you need to restart the computer to take effect.

Vim / etc/sysconfig/selinux

Selinux=disabled # # off status

Selinux=Enforcing # # mandatory status

Selinux=Permissive # # warning status

Selinux on or off

Getenforce # # View status

When selinux is turned on, "setenforce" can set the state of SElinux, but only 0 and 1 can be set, that is, warning mode or enforcement mode.

Setenforce 0 | 1 # # change the running level of selinux

3. How to change the file security context

View security context): SElinux leaves context identifiers on directories and files

Ls-Z

Temporary changes)

Chcon-t security context file

Chcon-t public_content_t / publicftp-R

Permanent change)

Semanage fcontext-l # # list the contents of kernel security context list

Semanage fcontext-a-t public_content_t'/ publicftp (/. *)?'

Restorecon-FvvR / publicftp/

4. How to control the switch of selinux to service function

Getsebool-a | grep service name

Getsebool-a | grep ftp

Setsebool-P function Bool value on | off

Setsebool-P ftpd_anon_write on

The impact of SElinux on servic

SElinux is the most comprehensive security system, so there are certain restrictions on files and services. The following services take ftp as an example. SElinux will make a context identification on the file, as shown in the following figure, create the file "file" under "/ mnt" and "/ var/ftp/pub" respectively, and enter "ls-Z" to view the file identity. As you can see, "/ mnt/file" is "mnt_t" and "/ var/ftp/pub/file" is marked "public_content_t", which causes "/ mnt/file" to be moved into the "/ var/ftp/pub" directory, and the connection lftp cannot see the file.

SElinux forbids the use of some dangerous functions for the security of the system. You can type "getsebool-a | grep ftp" to see which functions of the ftp service are disabled. As shown in the following figure, enter "setsebool-P function on | off" to control the switch of these functions.

5. Monitor error messages for selinux

Setroubleshoot-server

Project case 1: management of httpd Service shared File Security context

* * do experiments with selinux on

Yum install httpd-y

Systemctl start httpd

Systemctl enable httpd

Systemctl stop firewalld

Systemctl disable firewalld

Hostname > / var/www/html/hello.html

Date +% F > / mnt/westos.html

Mv / mnt/westos.html / var/www/html/

Phenomenon 1: users can access hello.html files through browsers, but can not access westos.html files. How to solve the problem? Because the security context of the file is different.

Ls-Z / var/www/html/

Chcon-t httpd_sys_content_t / var/www/html/westos.html # temporarily modifies the security context and expires after restart

Semanage fcontext-l # View the default security context information of the system

Semanage fcontext-a-t httpd_sys_content_t / var/www/html/westos.html # permanently modify the security context of the file to the system

Restorecon-FvvR / var/www/html/ # refresh directory and reread security context

Project case 2: management of vsftpd Service shared File Security context

Project case 3: management of files uploaded by vsftpd service (when selinux is enabled)

Vim / etc/vsftpd/vsftpd.conf

Anon_upload_enable=YES

Turn on the switch of selinux to service function

Setsebool-P ftpd_anon_write on

Setsebool-P ftpd_full_access on

Restart the service

Systemctl restart vsftpd

Project case 4: how to manage / handle error messages in Selinux

1)。 Warning log information file for Selinux: / var/log/audit/audit.log

Selinux's warning log letter analyzes the storage location of the solution: / var/log/messages

2)。 Implement selinux warning analysis and give the software name of the solution: rpm-qa | grep setroubleshoot-server

3)。 Test procedure

1 > / var/log/messages

2 > / var/log/audit/audit.log

3 ifconfig | less

4 setsebool-a | grep ftp

5 getsebool-a | grep ftp

6 less / var/log/audit/audit.log View Log File

7 rpm-qa | grep setroubleshoot-server

8 less / var/log/messages

9 yum install httpd-y

10 systemctl start httpd

11 systemctl enable httpd

12 rpm-qc httpd

13 vim / etc/httpd/conf/httpd.conf@@br/ > @ @

@ @

14 systemctl restart httpd

15 less / var/log/messages

16 semanage port-a-t http_port_t-p tcp 6666

17 semanage port-l | grep http

18 systemctl restart httpd

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.