2025-04-06 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Today the editor shares what you need to know about configuring SELinux. The content is detailed and the logic is clear; most people still know too little about this, so the article is shared for your reference. I hope you get something out of it.
SELinux is a system that controls what specific processes may do with specified files and other resources. Its main purpose is to strengthen the security of a traditional Linux system and to address the weaknesses of the discretionary access control (DAC) model used there, such as the unlimited authority of root.
SELinux and mandatory access control
SELinux (Security-Enhanced Linux) is an implementation of MAC (Mandatory Access Control). Its aim is to specify which resources (files, network ports, and so on) a given process may access, regardless of the DAC permissions on those resources.
The purpose of a mandatory access control system is to improve the system's resistance to 0-day attacks (attacks exploiting vulnerabilities that have not yet been disclosed). It is therefore not a substitute for a network firewall or for ACLs, and the three do not duplicate one another.
For example, suppose a vulnerability is found in Apache that lets a remote user read sensitive files on the system (the article uses /etc/passwd, which would reveal the existing users), but the patch that fixes it has not yet been released. SELinux can act as a mitigation in the meantime: Apache runs in the confined httpd_t domain and can only read files whose type the policy allows, so a read of a file outside that set is blocked even though Apache itself is compromised. Note that the targeted policy allows many confined domains, httpd_t included, to read /etc/passwd for name lookups; /etc/shadow (type shadow_t) is the clearer case, since no rule grants httpd_t access to it.
Compared with other mandatory access control systems, SELinux has the following advantages:
The control policy is queryable rather than hidden in program code. Policy can be changed hot, without restarting or stopping services. Control can be applied at three points: process initialization, inheritance, and program execution. Its scope covers file systems, directories, files, file descriptors, ports, message interfaces and network interfaces.
What is the impact of SELinux on system performance? According to a comparison Phoronix ran on Fedora 11 in 2009, enabling SELinux cost about 5% of performance in a few cases and little otherwise.
Does SELinux get in the way of ordinary desktop use and software development? Originally, SELinux policy was aimed mainly at server environments. With the broad adoption of SELinux over the past eight years, however, the current policy meets the requirements of both security and convenience in ordinary desktop and development environments. Take the newly released Fedora 15 as an example: while building a complete entertainment setup (including several third-party native Linux games and Wine games) and a development environment (Android SDK + Eclipse), only the first run of Wine was blocked by the default SELinux policy, and the graphical SELinux troubleshooter fixed that with a single click.
Understanding and configuring SELinux
1. Get the current SELinux running state
getenforce
There are three possible return values: Enforcing, Permissive and Disabled. Disabled means SELinux is turned off; Permissive means SELinux only logs policy violations (AVC denials) without blocking them; Enforcing means it both logs and blocks them.
Among currently common distributions, RHEL and Fedora default to Enforcing, while others, such as openSUSE, default to Permissive.
2. Change the running state of SELinux
setenforce [Enforcing | Permissive | 1 | 0]
This command changes the running state immediately. It switches only between Enforcing and Permissive: it cannot turn SELinux off, and the change does not survive a reboot. A typical use is to check whether SELinux is what stops a service or program from running. If the service or program still fails after setenforce 0, SELinux is certainly not the cause; if it starts working, the denials that were blocking it are recorded in /var/log/audit/audit.log and can be fixed with the labeling, port or boolean changes shown below rather than by leaving the system permissive.
To change the SELinux mode permanently, edit the configuration file /etc/sysconfig/selinux (on RHEL and Fedora a symlink to /etc/selinux/config). Note that when switching from Disabled to Permissive or Enforcing you must relabel the whole file system and reboot (touch /.autorelabel && reboot), because no labels were maintained while SELinux was off.
3. SELinux policy type
The same configuration file also selects the SELinux policy type, through the variable SELINUXTYPE. targeted means SELinux confines only a set of predefined network services and their access requests, while other processes run unconfined; strict means every process and access request is subject to SELinux. (In current RHEL and Fedora releases the strict policy has been folded into targeted, and the other selectable values are minimum and mls.)
RHEL and Fedora default to targeted; the policy shipped with them already contains the SELinux configuration for almost all common network services, is installed by default and can be used without modification.
If you want to edit the SELinux policy yourself, the command-line policy editor seedit and the Eclipse plug-in eclipse-slide are available.
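The three steps above (query the live mode, switch it temporarily, persist it in the configuration file) as one script. This is an added example, not code from the original article. It assumes the RHEL/Fedora layout where /etc/sysconfig/selinux points at /etc/selinux/config, and the SAMPLE_CONFIG text is constructed for the demonstration; the functions that take a file argument can be pointed at the real file.

```shell
#!/bin/sh
# Added example: check the live SELinux mode, test a service with SELinux
# temporarily permissive, and edit the persistent mode and policy type.
# SAMPLE_CONFIG is constructed; it mirrors the layout of /etc/selinux/config.

SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values: enforcing, permissive, disabled
SELINUX=enforcing
# SELINUXTYPE= can take one of these values: targeted, minimum, mls
SELINUXTYPE=targeted
'

# Persistent mode from a config file: the value of the first SELINUX= line.
# SELINUXTYPE= also starts with "SELINUX", so the "=" in the pattern matters.
config_mode() {
    sed -n 's/^SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | head -n 1
}

# Persistent policy type (targeted, minimum, mls) from a config file.
config_type() {
    sed -n 's/^SELINUXTYPE=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | head -n 1
}

# Rewrite SELINUX= in a config file. Refuses unknown modes and files without
# a SELINUX= line, so a typo cannot leave the system in an unexpected state
# at the next boot. Writes through a temp file, which works with any sed.
set_config_mode() {
    file=$1; mode=$2
    case $mode in
        enforcing|permissive|disabled) ;;
        *) printf 'bad mode: %s\n' "$mode" >&2; return 1 ;;
    esac
    grep -q '^SELINUX=' "$file" || { printf 'no SELINUX= line in %s\n' "$file" >&2; return 1; }
    tmp=$(mktemp) || return 1
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Live mode as reported by getenforce; "Unavailable" if the kernel has no
# SELinux or the tool is missing.
current_mode() {
    getenforce 2>/dev/null || printf 'Unavailable\n'
}

# Run a command (e.g. "systemctl restart httpd") with SELinux switched to
# permissive, then switch back and report. This is the setenforce 0 test
# from the text without the risk of forgetting to re-enable enforcement.
# Needs root; does nothing unless the system is currently Enforcing.
probe_permissive() {
    m=$(current_mode)
    [ "$m" = Enforcing ] || { printf 'mode is %s, nothing to probe\n' "$m" >&2; return 1; }
    setenforce 0
    if "$@"; then rc=0; else rc=$?; fi
    setenforce 1
    if [ "$rc" -eq 0 ]; then
        printf 'works in permissive mode: see the AVC denials in /var/log/audit/audit.log\n'
    else
        printf 'still fails (exit %s): SELinux is not the cause\n' "$rc"
    fi
    return "$rc"
}

# Persist a mode. Leaving "disabled" needs a full relabel at the next boot,
# because no labels were maintained while SELinux was off, so the
# .autorelabel flag file is created in that case. CFG and FLAG default to
# the real paths and are parameters only so the logic can be exercised
# on a copy.
persist_mode() {
    mode=$1; cfg=${2:-/etc/selinux/config}; flag=${3:-/.autorelabel}
    old=$(config_mode "$cfg")
    set_config_mode "$cfg" "$mode" || return 1
    if [ "$old" = disabled ] && [ "$mode" != disabled ]; then
        touch "$flag" || return 1
        printf 'relabel scheduled via %s; reboot to apply\n' "$flag" >&2
    fi
}

# Demo on the constructed config (no root needed).
demo=$(mktemp)
printf '%s' "$SAMPLE_CONFIG" > "$demo"
printf 'live mode: %s, configured: %s/%s\n' "$(current_mode)" "$(config_mode "$demo")" "$(config_type "$demo")"
rm -f "$demo"
```

Use `probe_permissive systemctl restart httpd` (or `service httpd restart`) as root to answer the "is it SELinux?" question in one step; `persist_mode enforcing` edits the real configuration file.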
4. SELinux support in the coreutils tools
Common tools such as ps and ls (ps belongs to procps rather than coreutils, but follows the same convention) print the SELinux context when given the Z option.
For example, ps auxZ | grep lldpad:
system_u:system_r:initrc_t:s0 root 1000 8.9 0.0 3040 668 ? Ss 21:01 6:08 /usr/sbin/lldpad -d
Or ls -Z /usr/lib/xulrunner-2/libmozjs.so:
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 /usr/lib/xulrunner-2/libmozjs.so
A context has four colon-separated fields: SELinux user, role, type and MLS level. In the targeted policy the access rules are written against the type (the third field, ending in _t), so that is the field to look at when diagnosing a denial; the initrc_t in the ps output above, for instance, tells you that lldpad has no dedicated domain and is running in the generic init-script domain. The Z option works the same way in almost all other coreutils tools (id -Z, cp -Z, mkdir -Z, and so on).
Apache SELinux configuration examples
1. Allow Apache to access web site files in a non-default directory
First, run semanage fcontext -l | grep '/var/www' to see the SELinux context assigned to the default /var/www directory:
/var/www(/.*)?    all files    system_u:object_r:httpd_sys_content_t:s0
This shows that Apache may only read files carrying the httpd_sys_content_t type.
Suppose you want Apache to use /srv/www as the web site directory. The files in that directory then need the httpd_sys_content_t type, which takes two steps.
First, register httpd_sys_content_t as the default type for the directory and everything below it:
semanage fcontext -a -t httpd_sys_content_t '/srv/www(/.*)?'
Then apply the new default to the files that already exist:
restorecon -Rv /srv/www
After that Apache can serve the site from this directory. Registering the rule with semanage matters: a plain chcon changes the label of existing files, but the change is lost at the next relabel, whereas the semanage rule is also applied to files created later.
restorecon is used constantly in SELinux administration; its job is to restore the default label of a file. For example, when a file is moved (mv) from a user's home directory into the Apache site directory, Apache cannot read it, because mv preserves the file's original label, user_home_t (cp, by contrast, creates a new file that inherits the label of the destination directory). restorecon resets it to the httpd_sys_content_t type that Apache is allowed to read:
restorecon -v /srv/www/foo.com/html/file.html
restorecon reset /srv/www/foo.com/html/file.html context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
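The relabeling procedure above, plus the context-field parsing from the ps/ls -Z section, as one script that also verifies nothing was left behind. This is an added example, not code from the original article. label_web_root runs the real semanage and restorecon commands and needs root and the semanage package; ctx_type and check_labels only parse text and are exercised on a constructed listing in the format that GNU find's `-printf '%Z %p\n'` produces (context, then path).

```shell
#!/bin/sh
# Added example: relabel a non-default web root for Apache and verify the
# result. SAMPLE_LISTING is constructed; the real data comes from find.

# A context has four colon-separated fields: user:role:type:level. For the
# targeted policy the type (third field) decides what Apache may read.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "context path" lines on stdin and list every path whose type is not
# the expected one. Exit status 1 when at least one mislabeled path exists.
check_labels() {
    want=$1
    bad=0
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        t=$(ctx_type "$ctx")
        if [ "$t" != "$want" ]; then
            printf 'mislabeled: %s (%s)\n' "$path" "$t"
            bad=1
        fi
    done
    return "$bad"
}

# Register the default label for DIR and everything below it, apply it to
# the existing files, and confirm nothing was left behind. A rule that is
# already present makes "semanage fcontext -a" fail, so -m is used then.
label_web_root() {
    dir=$1
    if semanage fcontext -l | grep -qF "${dir}(/.*)?"; then
        semanage fcontext -m -t httpd_sys_content_t "${dir}(/.*)?"
    else
        semanage fcontext -a -t httpd_sys_content_t "${dir}(/.*)?"
    fi
    restorecon -Rv "$dir"
    find "$dir" -printf '%Z %p\n' | check_labels httpd_sys_content_t
}

# Constructed listing: one file was mv'd in from a home directory and kept
# its user_home_t label, which Apache is not allowed to read.
SAMPLE_LISTING='system_u:object_r:httpd_sys_content_t:s0 /srv/www
system_u:object_r:httpd_sys_content_t:s0 /srv/www/foo.com/html/index.html
unconfined_u:object_r:user_home_t:s0 /srv/www/foo.com/html/file.html
system_u:object_r:httpd_sys_content_t:s0 /srv/www/foo.com/html/css/site.css'

printf '%s\n' "$SAMPLE_LISTING" | check_labels httpd_sys_content_t \
    || printf 'fix with: restorecon -Rv /srv/www\n'
```

Run `label_web_root /srv/www` as root; its exit status is non-zero if any file under the directory still carries a type other than httpd_sys_content_t, which catches files that were moved in after the relabel as well as the original mistake.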
2. Let Apache listen on a non-standard port
By default, Apache may only bind the ports that the policy has assigned the http_port_t type, 80 and 443 among them (the full list is shown by semanage port -l | grep http_port_t). If it is configured to listen on port 888 instead, service httpd restart fails with:
Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:888
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:888
no listening sockets available, shutting down
Unable to open logs
At this point the SELinux troubleshooter should have popped up with the error in a desktop environment. At a terminal, look for the setroubleshoot message in /var/log/messages and run sealert -l with the ID it reports, or browse all alerts with sealert -b. Either way the content looks like the following:
SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 888.
***** Plugin bind_ports (92.2 confidence) suggests *****
If you want to allow /usr/sbin/httpd to bind to network port 888
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 888
where PORT_TYPE is one of the following: ntop_port_t, http_cache_port_t, http_port_t.
***** Plugin catchall_boolean (7.83 confidence) suggests *****
If you want to allow system to run with NIS
Then you must tell SELinux about this by enabling the 'allow_ypbind' boolean.
Do
setsebool -P allow_ypbind 1
***** Plugin catchall (1.41 confidence) suggests *****
If you believe that httpd should be allowed name_bind access on the port 888 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
SELinux thus proposes three candidate solutions, ranked by confidence. The first is the one we want, so follow its suggestion:
semanage port -a -t http_port_t -p tcp 888
Then start the Apache service again and it binds port 888 without complaint. Two caveats: if the port is already assigned to another type (semanage port -a then fails with "already defined"), use semanage port -m to reassign it; and treat the catchall suggestion as a last resort, because audit2allow turns every httpd denial in the audit log into an allow rule, so read the generated mypol.te before loading it with semodule.
semanage, the SELinux management tool, appears here again. Its first argument names the kind of object to change (fcontext, port, boolean, ...) and the following options say what to do; see the man page for details.
3. Allow Apache to serve users' personal web sites
If you want users to publish personal web sites by placing files in ~/public_html/, that behaviour must be allowed in the Apache policy. Use:
setsebool httpd_enable_homedirs 1
setsebool switches the parts of the SELinux policy that are controlled by boolean values; the current state of all booleans can be listed with getsebool -a. The files under ~/public_html must also carry the httpd_user_content_t type that the policy assigns to that directory; if they were created before the directory existed under that name, restorecon -Rv ~/public_html applies it.
By default, a setsebool change lasts only until the next reboot. To make it permanent, add the -P option:
setsebool -P httpd_enable_homedirs 1
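The port and boolean steps above as one script, with the checks a practitioner wants before changing policy: which type currently owns the port (which decides between semanage port -a and -m), and whether the boolean exists and is already on. This is an added example, not code from the original article. allow_http_port and enable_boolean run the real semanage and setsebool commands and need root; port_owner, choose_port_flag and bool_state only parse command output and are exercised on constructed excerpts of `semanage port -l` and `getsebool -a`.

```shell
#!/bin/sh
# Added example: let httpd bind a non-standard port and enable a policy
# boolean, checking the current policy state first. SAMPLE_PORTS and
# SAMPLE_BOOLS are constructed excerpts of the real tools' output.

SAMPLE_PORTS='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
soundd_port_t                  tcp      8000, 9433, 16001'

SAMPLE_BOOLS='httpd_can_network_connect --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off'

# Read "semanage port -l" on stdin and print the type that already owns
# PROTO/PORT (ranges such as 10001-10010 included). Exit 1 if none does.
port_owner() {
    proto=$1; port=$2
    while read -r type p rest; do
        [ "$p" = "$proto" ] || continue
        for item in $(printf '%s' "$rest" | tr ',' ' '); do
            case $item in
                *-*)
                    lo=${item%-*}; hi=${item#*-}
                    if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                        printf '%s\n' "$type"; return 0
                    fi ;;
                *)
                    if [ "$item" -eq "$port" ]; then
                        printf '%s\n' "$type"; return 0
                    fi ;;
            esac
        done
    done
    return 1
}

# semanage needs -a for an unowned port, -m to move a port that another type
# already owns ("-a" on such a port fails with "already defined"), and
# nothing at all if the port already has the wanted type.
choose_port_flag() {
    owner=$1; want=$2
    if [ -z "$owner" ]; then printf '%s\n' -a
    elif [ "$owner" = "$want" ]; then printf 'skip\n'
    else printf '%s\n' -m
    fi
}

# Allow httpd to listen on tcp/PORT, e.g. "allow_http_port 888".
allow_http_port() {
    port=$1
    owner=$(semanage port -l | port_owner tcp "$port") || owner=""
    flag=$(choose_port_flag "$owner" http_port_t)
    case $flag in
        skip) printf 'tcp/%s is already http_port_t\n' "$port" ;;
        -m)   printf 'tcp/%s is %s; moving it to http_port_t\n' "$port" "$owner" >&2
              semanage port -m -t http_port_t -p tcp "$port" ;;
        -a)   semanage port -a -t http_port_t -p tcp "$port" ;;
    esac
}

# Read "getsebool -a" on stdin and print on/off for one boolean; exit 1 if
# the boolean does not exist in the loaded policy.
bool_state() {
    awk -v b="$1" '$1 == b { print $3; found = 1 } END { exit found ? 0 : 1 }'
}

# Enable a boolean persistently (-P writes it into the policy store), only
# if it exists and is not already on.
enable_boolean() {
    state=$(getsebool -a | bool_state "$1") || { printf 'unknown boolean: %s\n' "$1" >&2; return 1; }
    [ "$state" = on ] && return 0
    setsebool -P "$1" 1
}

# Demo on the constructed data (no root needed).
owner=$(printf '%s\n' "$SAMPLE_PORTS" | port_owner tcp 8080) || owner=""
printf 'tcp/8080 owner: %s -> flag %s\n' "${owner:-none}" "$(choose_port_flag "$owner" http_port_t)"
printf 'httpd_enable_homedirs: %s\n' "$(printf '%s\n' "$SAMPLE_BOOLS" | bool_state httpd_enable_homedirs)"
```

`allow_http_port 888` reproduces the article's fix; `allow_http_port 8080` shows why the ownership check matters, since 8080 belongs to http_cache_port_t and must be moved with -m rather than added with -a. `enable_boolean httpd_enable_homedirs` is the persistent form of the setsebool command above.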
That is all of "how to configure SELinux". Thank you for reading; I hope you found it useful.