Basic operations: SELinux get started to master

Source: Internet
Author: User

I. Introduction

1. Official meaning
SELinux is a mandatory access control (MAC) system built on the type enforcement (domain-type) model. It was written by the NSA, is implemented inside the kernel as a security module, comes with SELinux-aware patches to the relevant userland programs, and is driven by a loadable security policy. Under discretionary access control (DAC) a process has the full authority of the user it runs as: if a program decides to dump a file with sensitive content into /tmp, nothing in DAC stops it. SELinux confines each process to a domain and each file to a type, and the policy says which domains may touch which types, so it gives far finer control than traditional UNIX permissions.

2. Simple meaning
Think of SELinux as a guard on the system. With it switched off nothing gets in your way; with it on, things that used to work start failing for no visible reason. The usual experience goes like this: you install httpd and the default page loads; you enable SELinux and the page stops loading; you work out that SELinux is the cause, fix the file's SELinux context (comparable to fixing its permissions) and the page loads again. Then you copy a project into the web root and it fails again; you fix the context, the home page opens, but the jpg and gif files do not, so you fix those as well. Then a page that needs to reach another site fails too, and the temptation is to give up and reinstall the system.

3. A little bit of meaning
SELinux is still a protection mechanism, and it earns its keep: it keeps the system from being modified at will and puts strict limits on what a web site's processes may read and write. Your files are data, and data is worth more than money can buy; anything exposed on the Internet needs relative security (there is no absolute security), and the habit of protecting your data from tampering by every means available is what security awareness means.

4. The reality in practice
SELinux is a very good protection mechanism, but most enterprises do not use it: it is simply switched off. Cloud server images are often delivered with SELinux disabled, and the software and services deployed afterwards are never run with it on.

II. SELinux basics: settings

1. About SELinux
Where the pieces of SELinux live on the system.

2. Analysis

The SELinux-related directories are:
/sys/: the kernel's sysfs. /sys/fs holds the kernel-side filesystem interfaces, such as cgroup, pstore, selinux and xfs; /sys/fs/selinux is the interface through which getenforce, setenforce and the policy loader talk to the running kernel.
/etc/: configuration. /etc/selinux holds config (the mode and policy type) and the installed policies (for example /etc/selinux/targeted).
/usr/: binaries, shared files and libraries. The SELinux tools (getenforce, setenforce, chcon, restorecon, semanage, sestatus) live under /usr/bin and /usr/sbin, and /usr/share/selinux holds the policy packages.

3. Switching between permissive and enforcing mode from the command line (setenforce; the change is global and lasts until the next reboot)

4. The configuration file (sets disabled, permissive or enforcing mode persistently)
/etc/sysconfig/selinux is a symbolic link to /etc/selinux/config,
so editing either path changes the same file.

5. Configuration Files

[root@localhost ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.            (enforcing mode)
#     permissive - SELinux prints warnings instead of enforcing.  (permissive mode: denials are logged but allowed)
#     disabled - No SELinux policy is loaded.                     (disabled)
SELINUX=enforcing     # the SELinux mode
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,                (targeted policy)
#     minimum - Modification of targeted policy. Only selected processes are protected.   (minimal confinement)
#     mls - Multi Level Security protection.                      (multi-level security: access also depends on the sensitivity level in the context)
SELINUXTYPE=targeted      # the policy type, targeted by default

6. Update the configuration file

[root@localhost ~]# vim /etc/selinux/config
[root@localhost ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled    # after editing the file, reboot for the change to take effect
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.

7. Rebooting the system
There are many ways to restart the system:
The first method:
[root@localhost ~]# reboot

The second method:
[root@localhost ~]# init 6

This is the runlevel command (6 means reboot); see my other post:
http://blog.51cto.com/leoheng/2161336

The third method:

In the virtual machine console: right-click the guest, then Power, then Restart Guest.

8. View SELinux Status

[root@localhost ~]# getenforce
Disabled
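As an added example (not from the original post), the following bash script ties the pieces of this section together: the runtime switch with setenforce, the persistent change through /etc/selinux/config, and the cases where the two differ. The function names and the mode-validation helper are this example's own; the config path is a parameter so the file-editing part can be tried on a copy rather than on the live file.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Function names, the mode-validation
# helper and the optional config-path argument are this example's own choices.

# Runtime mode as reported by the kernel: Enforcing, Permissive or Disabled.
# "unavailable" means the SELinux userland is not installed on this host.
current_mode() {
    if command -v getenforce >/dev/null 2>&1; then getenforce; else echo unavailable; fi
}

# The three values /etc/selinux/config accepts for SELINUX= (lowercase, as in the file).
valid_mode() {
    case "$1" in enforcing|permissive|disabled) return 0 ;; *) return 1 ;; esac
}

# Runtime switch, global and immediate, lost at reboot. setenforce only moves
# between enforcing and permissive; "disabled" needs the config file and a reboot.
set_runtime_mode() {
    case "$1" in
        enforcing)  setenforce 1 ;;
        permissive) setenforce 0 ;;
        *) echo "setenforce only switches enforcing<->permissive, not '$1'" >&2; return 1 ;;
    esac
}

# Persistent mode: rewrite the SELINUX= line in the config file. The file is
# rewritten in place (cat > file) so its inode, permissions and own label survive.
set_config_mode() {
    local mode=$1 cfg=${2:-/etc/selinux/config} tmpf
    valid_mode "$mode" || { echo "invalid mode: $mode (enforcing|permissive|disabled)" >&2; return 1; }
    tmpf=$(mktemp) || return 1
    if grep -q '^SELINUX=' "$cfg"; then
        sed "s/^SELINUX=.*/SELINUX=${mode}/" "$cfg" > "$tmpf"
    else
        { cat "$cfg"; printf 'SELINUX=%s\n' "$mode"; } > "$tmpf"
    fi
    cat "$tmpf" > "$cfg"
    rm -f "$tmpf"
}

# Read the persistent mode back (the value after SELINUX=, trailing comments ignored).
config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "${1:-/etc/selinux/config}" | tail -n 1
}

# Change the mode now and persistently, handling the cases where the two differ:
# - enforcing/permissive: setenforce applies at once, the config file makes it stick;
# - disabled: config file only, takes effect after a reboot;
# - currently Disabled: no policy is loaded and files created meanwhile carry no
#   labels, so /.autorelabel is created to relabel the filesystem on the next boot.
set_mode() {
    local mode=$1 cfg=${2:-/etc/selinux/config} now
    valid_mode "$mode" || { echo "invalid mode: $mode" >&2; return 1; }
    now=$(current_mode)
    set_config_mode "$mode" "$cfg" || return 1
    case "$mode:$now" in
        disabled:*)    echo "SELINUX=disabled written to $cfg; reboot to apply" ;;
        *:Disabled)    touch /.autorelabel
                       echo "SELinux is disabled now; relabel scheduled, reboot to enable $mode" ;;
        *:unavailable) echo "no SELinux tools on this host; $cfg updated only" ;;
        *)             set_runtime_mode "$mode" ;;
    esac
}
```

Prefer permissive over disabled while troubleshooting: in permissive mode the policy stays loaded and every would-be denial is still written to /var/log/audit/audit.log, so you can see exactly what an enforcing system would block. A system that has run with SELinux disabled has unlabelled files, which is why the script schedules a relabel before turning it back on; that first reboot can take a while on a large filesystem.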
III. SELinux advanced: file contexts

Reminder: file contexts only have an effect while SELinux is enabled. Setting contexts on a system with SELinux disabled achieves nothing.

Here is a worked example using httpd; other services are handled the same way.

1. Install the Apache web server
[root@localhost ~]# yum install -y httpd    # provides the web service

2. Install the network tools
[root@localhost ~]# yum install -y net-tools    # provides netstat for checking the system's network state

3. Start the web service and check the listening port (the default is 80)

[root@localhost ~]# systemctl start httpd && netstat -tunlp | grep httpd
tcp6       0      0 :::80                   :::*                    LISTEN      1633/httpd

4. Browse to the default page (it loads)

5. Enable SELinux (set SELINUX=enforcing in /etc/selinux/config and reboot, as in part II)

6. Put a custom page in the web root, /var/www/html

7. View the context of the web page

[root@localhost html]# ls -Z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
The context type is httpd_sys_content_t.

8. Create a page file in your home directory and move it into the web root. A file created under a home directory is labelled user_home_t (admin_home_t under /root), and mv keeps that label; cp would have given the copy the web root's default label instead.

9. Request the new page in the browser: httpd refuses it (HTTP 403 Forbidden), because the httpd_t domain is not allowed to read user_home_t or admin_home_t files. The denial is recorded as an AVC message in /var/log/audit/audit.log.

10. Set the file's SELinux context (with chcon, as in section 11, or with restorecon to reapply the web root's default) and reload: the page is now served normally.

11. The chcon command

[root@localhost html]# chcon --help
Usage: chcon [OPTION]... CONTEXT FILE...
  or:  chcon [OPTION]... [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE...
  or:  chcon [OPTION]... --reference=RFILE FILE...
Options:
      --dereference        affect the referent of each symbolic link (the default), rather than the link itself
  -h, --no-dereference     affect symbolic links instead of any referenced file
  -u, --user=USER          set user USER in the target security context
  -r, --role=ROLE          set role ROLE in the target security context
  -t, --type=TYPE          set type TYPE in the target security context
  -l, --range=RANGE        set range RANGE in the target security context
      --no-preserve-root   do not treat '/' specially (the default)
      --preserve-root      fail to operate recursively on '/'
      --reference=RFILE    use RFILE's security context rather than specifying a CONTEXT value
  -R, --recursive          operate on files and directories recursively (normally used on directories)
  -v, --verbose            output a diagnostic for every file processed
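As an added example, not code from the original post, the following bash script works through steps 8 to 10 and section 11 together: why the moved file is refused, the temporary chcon fix, and the durable semanage/restorecon fix, with a check of the result. The helper names (ls_z_context, selinux_type_of, needs_relabel, quick_fix, label_docroot, recent_httpd_denials), the sample context strings in the comments and the default document root are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Helper names, the sample context
# strings in comments and the default document root are this example's own choices.

# On CentOS/RHEL 7 coreutils, `ls -Z` prints a long-style line whose 4th field is the
# security context (the format shown in the post). Newer coreutils print only
# "context name" for `ls -Z`, so the live check further down uses stat -c %C instead.
ls_z_context() {
    printf '%s\n' "$1" | awk '{ print $4 }'
}

# A context is user:role:type:range; the type is the third field, e.g.
# unconfined_u:object_r:user_home_t:s0 -> user_home_t. The targeted policy decides
# on the type, so it is the field to look at when httpd is refused.
selinux_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Under the targeted policy httpd_t may read only the httpd content types. A file
# created under a home directory gets user_home_t (admin_home_t under /root) and mv
# keeps that label, which is why the page from step 8 comes back as 403.
# Returns 0 (true) when the file must be relabelled before httpd can serve it.
needs_relabel() {
    case "$(selinux_type_of "$1")" in
        httpd_sys_content_t|httpd_sys_rw_content_t|httpd_sys_ra_content_t) return 1 ;;
        *) return 0 ;;
    esac
}

# Quick fix from step 10: chcon rewrites the label on the inode. It is not recorded
# anywhere, so a later restorecon or a full relabel (/.autorelabel) undoes it.
quick_fix() {
    chcon -t httpd_sys_content_t "$1"
}

# Durable fix: record the rule in the policy's file-context database (semanage,
# from policycoreutils-python on CentOS 7), then let restorecon apply it. For the
# default /var/www tree the targeted policy already carries such a rule, so there
# restorecon alone is enough; the semanage step matters for a custom document root.
# Needs root and an SELinux-enabled kernel.
label_docroot() {
    local docroot=${1:-/var/www/html} f ctx rc=0
    [ -d "$docroot" ] || { echo "no such directory: $docroot" >&2; return 1; }
    semanage fcontext -a -t httpd_sys_content_t "${docroot}(/.*)?" 2>/dev/null \
        || semanage fcontext -m -t httpd_sys_content_t "${docroot}(/.*)?"   # rule already present
    restorecon -Rv "$docroot"
    # Verify: every regular file directly in the docroot must now carry an httpd type.
    for f in "$docroot"/*; do
        [ -f "$f" ] || continue
        ctx=$(stat -c %C "$f")
        if needs_relabel "$ctx"; then
            echo "still not readable by httpd: $f ($ctx)" >&2
            rc=1
        fi
    done
    return "$rc"
}

# When a page still fails, read the denial instead of guessing: an AVC record names
# the source domain (httpd_t), the target type and the operation that was refused.
recent_httpd_denials() {
    ausearch -m AVC -c httpd -ts recent 2>/dev/null \
        || grep 'avc:.*denied.*httpd_t' /var/log/audit/audit.log
}
```

Two things step 10 leaves out: labels set with chcon are lost on the next relabel, and serving read-only content is only half of it. Anything httpd must write (uploads, caches) needs httpd_sys_rw_content_t, and a site that proxies to or fetches from another host is blocked by the httpd_can_network_connect boolean until it is turned on with setsebool -P. Each such refusal shows up as an AVC in the audit log, which is the place to look before changing any label.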

12. Display the version information

13. SELinux advanced

The advanced material will be covered in detail in the RHCE certification column.
