Linux security protection model?
1. Discretionary access control (DAC): rwx permissions, facl
Owners are responsible for their own resources
dr-xr-xr-x. root root 4096 May  5 14:05 /
2. Mandatory access control (MAC)
Administrators are responsible for all resources
MLS (multilevel security), defined by the TCSEC standard
SELinux *
[root@host ~]# sestatus
SELinux status: disabled
[root@host ~]#
[root@host ~]# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#     targeted - Only targeted network daemons are protected.
#     strict - Full SELinux protection.
SELINUXTYPE=targeted
[root@host ~]# reboot
[root@host ~]# sestatus        (query the SELinux state)
SELinux status: enabled
Current mode: enforcing
.. ..
Policy from config file: targeted
Method one: modify the kernel boot parameters
add selinux=0 to disable SELinux
add selinux=1 to enable it
Method two: modify the file /etc/selinux/config
SELINUX=disabled      SELinux disabled
SELINUX=permissive    permissive mode (violations are logged but allowed)
SELINUX=enforcing     enforcing mode (violations are blocked)
[root@host ~]# getenforce
Enforcing
[root@host ~]# setenforce 0
[root@host ~]# getenforce
Permissive
[root@host ~]# setenforce 1
[root@host ~]# getenforce
Enforcing
[root@host ~]#
++++++++++++++++++++++++++++++++++++++++++++
To view the file context:
[root@host ~]# ll -Z /etc/passwd
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/passwd
[root@host ~]# ll -dZ /etc
drwxr-xr-x. root root system_u:object_r:etc_t:s0 /etc
View the context of the httpd service processes:
ps auxZ | grep httpd
unconfined_u:system_r:httpd_t:s0 apache 3975 0.0 0.0 186060 2524 ? S 10:42 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 3976 0.0 0.0 186060 2508 ? S 10:42 0:00 /usr/sbin/httpd
[root@host ~]# id -Z
View the context of the web root directory:
ll -dZ /var/www/html/
system_u:object_r:httpd_sys_content_t:s0
Context fields: user : role : type (access type) : level (optional, MLS) ...
General rules
A moved file keeps its original context
A copied file inherits the context of the destination directory
Modify the security context: chcon
-t   specify the type
-R   recursive modification
[root@host ~]# ll -Z /var/www/html/two.html
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/two.html
[root@host ~]#
[root@host ~]# ll -Z /var/www/html/one.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/one.html
(two.html still carries the admin_home_t type it was moved in with, so httpd is not allowed to read it until the type is corrected)
[root@host ~]# chcon -t httpd_sys_content_t /var/www/html/two.html
[root@host ~]# ll -Z /var/www/html/two.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/two.html
[root@host ~]#
chcon -R -t httpd_sys_content_t /var/www/html
Using the restorecon tool
Reverts files to the default context for their location, as defined by the policy
-R   recursive modification
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
SELinux Boolean values
getsebool -a
getsebool -a | grep ftp
[root@host ~]#
setsebool -P allow_ftpd_anon_write=1
setsebool -P allow_ftpd_full_access on
(-P writes the change to the policy store so it survives a reboot)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Installing the troubleshooting tool
yum -y install setroubleshoot-server setroubleshoot-plugins setroubleshoot-doc setroubleshoot
reboot
tail -f /var/log/messages    (then follow the instructions in the message)
May 7 11:53:04 room5pc00 setroubleshoot: SELinux is preventing /usr/sbin/vsftpd from write access on the directory Stuput. For complete SELinux messages. run sealert -l ac0211d2-a4fc-4051-8157-a9ca0f771570
Follow the prompt and run the command it gives: # sealert -l ac0211d2-a4fc-4051-8157-a9ca0f771570
# sealert -b brings up the graphical troubleshooting browser
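Added example, not part of the original notes: the two checks above (which mode and policy the config file sets, and which denials the setroubleshoot messages point to) as small shell functions run over constructed sample files. The file names under the mktemp directory and the alert ID are placeholders; on a real CentOS/RHEL host the inputs would be /etc/selinux/config and /var/log/messages.

```shell
#!/bin/sh
# Read the persistent SELinux mode/policy from a config file in the
# /etc/selinux/config format, and list the sealert IDs quoted in
# setroubleshoot log lines so each denial can be followed up with
# "sealert -l <id>". Runs on constructed sample files (see demo).

# configured_mode CONFIG: value of the SELINUX= key, skipping the commented examples
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# configured_policy CONFIG: value of the SELINUXTYPE= key
configured_policy() {
    sed -n 's/^[[:space:]]*SELINUXTYPE=\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# denial_ids LOG: unique sealert IDs found in setroubleshoot lines
denial_ids() {
    grep 'setroubleshoot' "$1" | grep -o 'sealert -l [0-9a-f-]*' | awk '{print $3}' | sort -u
}

# demo: build constructed sample files and report on them
demo() {
    work=$(mktemp -d) || return 1
    # constructed config, same layout as the /etc/sysconfig/selinux shown in the notes
    cat > "$work/config" <<'EOF'
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - SELinux is fully disabled.
SELINUX=permissive
SELINUXTYPE=targeted
EOF
    # constructed log lines; the alert ID is a placeholder, not a real alert
    cat > "$work/messages" <<'EOF'
May  7 11:53:04 host setroubleshoot: SELinux is preventing /usr/sbin/vsftpd from write access on the directory upload. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000001
May  7 11:53:05 host sshd[2001]: Accepted publickey for root from 192.0.2.10
EOF
    echo "mode=$(configured_mode "$work/config") policy=$(configured_policy "$work/config")"
    echo "denials to review with sealert -l:"
    denial_ids "$work/messages"
    rm -rf "$work"
}

demo
```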
++++++++++++++++++++++++++++++++++++
Why encrypt data?
Encryption, decryption
Algorithms?
One-way encryption (hashing, irreversible): MD5, SHA
If the source data does not change, the hash result does not change
Produces a fixed-length digest (for example 128 bits for MD5)
Using the md5sum verification tool
Generate the MD5 checksum of a file
Compare the value with the checksum published for the official software
head -1 /etc/passwd > a.txt
cat a.txt
md5sum a.txt
cp a.txt b.txt
md5sum b.txt
vim b.txt
md5sum b.txt
vim b.txt
md5sum b.txt
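Added example, not part of the original notes: the a.txt/b.txt exercise as shell functions, recording the digests of a set of files once and re-verifying them with md5sum -c, so a later edit to any file is detected. The sample passwd-style line and the mktemp paths are constructed for the demo rather than read from /etc/passwd.

```shell
#!/bin/sh
# Integrity checking with md5sum: record digests, then re-verify.
# A single changed byte changes the whole digest, which is what makes
# the comparison useful. Uses constructed data only (see demo).

# digest_of FILE: print just the MD5 digest (first field of md5sum's output)
digest_of() {
    md5sum "$1" | cut -d' ' -f1
}

# same_content A B: succeed only if both files hash to the same digest
same_content() {
    [ "$(digest_of "$1")" = "$(digest_of "$2")" ]
}

# record_digests SUMFILE FILE...: store digests in the format md5sum -c reads back
record_digests() {
    out=$1; shift
    md5sum "$@" > "$out"
}

# verify_digests SUMFILE: succeed only if every recorded file still matches
verify_digests() {
    md5sum -c "$1" >/dev/null 2>&1
}

# demo: copy a file, confirm the copy matches, edit the copy, watch the check fail
demo() {
    work=$(mktemp -d) || return 1
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$work/a.txt"   # constructed sample line
    cp "$work/a.txt" "$work/b.txt"
    record_digests "$work/sums.md5" "$work/a.txt" "$work/b.txt"
    same_content "$work/a.txt" "$work/b.txt" && echo "copy matches original"
    printf 'extra line\n' >> "$work/b.txt"                         # stands in for the vim edit
    if verify_digests "$work/sums.md5"; then
        echo "all recorded files unchanged"
    else
        echo "a recorded file was modified; b.txt now hashes to $(digest_of "$work/b.txt")"
    fi
    rm -rf "$work"
}

demo
```

The same functions work unchanged with sha256sum in place of md5sum, which is the better choice when verifying downloads against a published checksum.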
++++++++++++++++++++++++++++++++++++
Symmetric encryption (the same key is used to encrypt and to decrypt): DES, AES
++++++++++++++++++++++++++++++++++++
GnuPG (GNU Privacy Guard): the most popular data encryption and digital signature tool
[root@host ~]# which gpg
/usr/bin/gpg
[root@host ~]# rpm -qf /usr/bin/gpg
gnupg2-2.0.14-8.el6.x86_64
[root@host ~]#
Algorithms supported by GPG:
Public key: RSA, ELG, DSA
Symmetric encryption: 3DES, CAST5, BLOWFISH, AES, AES256, ...
Hash: MD5, SHA1, ..., SHA256, SHA512
ssh -X usera@host
echo AAAAA > /tmp/usera.txt
cd /tmp/
gpg -c usera.txt                     (prompts for the encryption passphrase)
ls usera.txt.gpg
rm -rf usera.txt
ssh -X userb@host
cd /tmp
gpg -d usera.txt.gpg > userb.txt     (prompts for the decryption passphrase)
cat userb.txt
AAAAA
++++++++++++++++++++++++++++++++++++
Asymmetric encryption (encrypt with the public key, decrypt with the private key): RSA, DSA
1. UserA generates their own key pair (public/private key): gpg --gen-key
2. UserA exports their own public key
gpg -a --export > /tmp/userb.pub
3. UserB imports the public key
gpg --import /tmp/userb.pub
4. UserB encrypts data using the imported public key
echo ABCDEDF > /tmp/test.txt
cd /tmp
gpg -e -r PANGLJ test.txt
ls test.txt.*
5. UserB uses their own private key to decrypt
gpg -d /tmp/test.txt.gpg > usera2.txt
UserB
gpg --gen-key
[user@host ~]$ gpg --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) Y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: PLJ
Name must be at least 5 characters long
Real name: PANGLJ
Email address: [email protected]
Comment: teacher
You selected this USER-ID:
"PANGLJ (teacher) <[email protected]>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
ls ~/.gnupg/
Linux-selinux security protection, encryption and decryption