Linux Getting Started Tutorial: Getting Started with SELinux
1. Overview of SELinux
SELinux is a kernel-level enhanced firewall that plays a very important role in server security. It is a Mandatory Access Control (MAC) security system based on domains and types. It was written and designed by the NSA: a kernel module is built into the kernel, a number of security-related applications are patched to be SELinux-aware, and a corresponding security policy completes the system.
That is the official description. A more vivid example: a school has many departments, and every student has a student ID. The school requires each student to stay in the classroom of his or her own department rather than wandering into other departments' classrooms, which greatly narrows the scope of each student's activity.
SELinux applies the same idea to files. Every file carries a label, and we can inspect it:
This listing is from the /mnt directory, where the file label is mnt_t. In a different directory the files carry a different label. When SELinux is enabled and a service is opened to external users, a user can only operate within the directories belonging to that service; even if an attacker maliciously obtains root privileges, it still cannot operate across directories, which makes the system very secure.
SELinux security (security on an Apache server)
If we want to allow anonymous remote access to a web server, we must open its port in the firewall. This means, however, that a malicious attacker who exploits a vulnerability and compromises the web server process obtains the permissions of the apache user and apache group, and with them a foothold on the system. This user/group has read permission on the document root (/var/www/html) and /tmp, write permission on /var/tmp, and access to any other files or directories that are writable by all users.
SELinux is a set of security rules that determine which processes may access which files, directories, ports and so on. Every file, process, directory and port carries a special security label called its SELinux context. The context is just a name; the SELinux policy uses it to decide whether a process may access a file, directory or port. By default the policy allows no interaction at all, so access is granted only by explicit rules: if no rule allows an access, it is denied.
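The label check described above (the /mnt listing and the Apache document root) can be turned into a small audit, as an added example that is not part of the original tutorial. It parses `ls -Z`-style lines (a constructed sample is embedded, with one file still carrying a tmp label, the typical result of moving an upload out of /tmp with mv, which keeps the old context) and reports every file whose type is not the expected httpd_sys_content_t of the stock targeted policy; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit the SELinux type of
# every file under a web document root and flag anything httpd would be denied.
# Assumes `ls -Z` output in the usual "user:role:type:level path" form and the
# stock RHEL/CentOS targeted-policy label httpd_sys_content_t for web content.

# Extract the SELinux type (third colon-separated field) from a context such
# as system_u:object_r:httpd_sys_content_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "context path" lines (as printed by `ls -Z`) on stdin and print every
# path whose type differs from the expected one.
# Returns 0 when all files carry the expected type, 1 otherwise.
check_docroot_labels() {
    expected="$1"
    status=0
    while read -r ctx path; do
        [ -z "$ctx" ] && continue
        t=$(context_type "$ctx")
        if [ "$t" != "$expected" ]; then
            printf 'MISLABELED %s (%s, expected %s)\n' "$path" "$t" "$expected"
            status=1
        fi
    done
    return $status
}

# Constructed sample of `ls -Z /var/www/html` output: upload.php was moved in
# from /tmp with mv, which preserves the source label, so httpd_t cannot read it.
SAMPLE_LS_Z='system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:user_tmp_t:s0 /var/www/html/upload.php
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/css/site.css'

# Number of mislabeled entries in the constructed sample (used for checking).
count_mislabeled() {
    printf '%s\n' "$SAMPLE_LS_Z" | check_docroot_labels httpd_sys_content_t | wc -l | tr -d ' '
}

# Run the audit over the sample. On a real host replace the printf with:
#   ls -Z /var/www/html | check_docroot_labels httpd_sys_content_t
printf '%s\n' "$SAMPLE_LS_Z" | check_docroot_labels httpd_sys_content_t \
    || printf 'Fix with: restorecon -Rv /var/www/html\n'
```

The remedy for a mislabeled file is to reset it to the policy default with `restorecon`, or to copy it into place with `cp` (which labels the new file by its destination) rather than `mv`.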
2. SELinux configuration file
SELinux has three modes: disabled, enforcing and permissive.
(1) Disabled mode: SELinux is turned off and provides none of the protection described above, so the server is insecure.
(2) Enforcing mode: SELinux actively denies the web server's attempts to read files whose type context is tmp_t. In enforcing mode SELinux not only logs violations but also blocks them.
(3) Permissive mode: usually used for troubleshooting. In permissive mode SELinux allows every interaction but logs everything it would have denied. This mode can be used to determine whether SELinux is the cause of a problem. You can switch from enforcing to permissive, or from permissive back to enforcing.
The three modes can be switched between each other. For a temporary change, use setenforce:
This switches SELinux from enforcing mode to permissive mode.
However, this change only lasts until the next reboot. For a permanent change, edit the SELinux configuration file:
/etc/sysconfig/selinux
Note: in general, the first switch into enforcing mode makes the following reboot take a long time, because the kernel must add a security context to every file!
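The difference between the temporary (setenforce) and permanent (configuration file) change is easy to lose track of, so here is an added example, not part of the original tutorial, that reports the running mode, reads the mode that the configuration file will apply at the next boot, and flags the case where the two disagree. It assumes the RHEL/CentOS layout in which /etc/sysconfig/selinux is a symlink to /etc/selinux/config; the config file it parses is a constructed sample written to a temporary file, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original tutorial): compare the runtime SELinux
# mode with the mode configured for the next boot. Assumes the RHEL/CentOS
# layout where /etc/sysconfig/selinux -> /etc/selinux/config.

# Runtime mode: prefer getenforce; fall back to the selinuxfs flag; report
# "Disabled" when neither exists (SELinux not enabled on this kernel).
runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    elif [ -r /sys/fs/selinux/enforce ]; then
        case "$(cat /sys/fs/selinux/enforce)" in
            1) echo Enforcing ;;
            0) echo Permissive ;;
        esac
    else
        echo Disabled
    fi
}

# Boot-time mode: the last active (uncommented) SELINUX= line of a config file,
# or "unknown" if the file has none.
config_mode() {
    m=$(sed -n 's/^[[:space:]]*SELINUX=\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    echo "${m:-unknown}"
}

# Constructed sample mirroring the layout of /etc/selinux/config.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three values:
SELINUXTYPE=targeted'

# Parse the constructed sample through config_mode via a temporary file.
sample_config_mode() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
    config_mode "$tmp"
    rm -f "$tmp"
}

# setenforce only lasts until reboot: a runtime mode that differs from the
# configured one is a temporary change and will revert.
compare_modes() { # args: <runtime mode> <configured mode>
    rt=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    bt=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "$rt" = "$bt" ]; then
        echo "consistent"
    else
        echo "temporary ($1 now, $2 after reboot)"
    fi
}

echo "runtime mode : $(runtime_mode)"
echo "config mode  : $(sample_config_mode)   (from the constructed sample)"
echo "verdict      : $(compare_modes "$(runtime_mode)" "$(sample_config_mode)")"
# Temporary change:  setenforce 0  (Permissive)   or  setenforce 1  (Enforcing)
# Permanent change:  set SELINUX=enforcing in /etc/selinux/config and reboot;
#                    the first boot out of disabled mode relabels every file.
```

On a live host, replace the sample with `config_mode /etc/selinux/config` to compare against the real file.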