RedHat SELinux System Overview and case analysis

Source: Internet
Author: User

1. Introduction to SELinux

The biggest security change in Red Hat Enterprise Linux AS 3.0/4.0 is the integration of SELinux support.

SELinux, short for Security-Enhanced Linux, is an access control system developed by the National Security Agency (NSA).

SELinux can greatly strengthen the security of a Linux system. A simple example shows how powerful it is:

Linux without SELinux protection has the same security level as Windows, which is level C2; with SELinux protection it can reach level B1. For example, suppose we set the permissions of all files and directories under /tmp to 0777. Without SELinux protection, anyone can access the content under /tmp. In a SELinux environment, although the directory permissions allow you to access the content under /tmp, SELinux's security policy will still check whether you are allowed to access it.

The SELinux security architecture released by the NSA is called Flask. In this architecture, the logic of the security policy and its general interfaces are encapsulated together in an independent operating-system component called the security server. SELinux's security server defines a hybrid security policy consisting of Type Enforcement (TE), Role-Based Access Control (RBAC) and Multi-Level Security (MLS). By replacing the security server, different security policies can be supported. SELinux uses a policy configuration language to define the security policy, which is then compiled into binary form by checkpolicy and stored in a file (such as the targeted policy /etc/selinux/targeted/policy/policy.18) that is read into kernel space during kernel boot. This means the security policy can be different each time the system is booted.

There are two SELinux policies: the targeted policy and the strict policy. The targeted policy applies SELinux only to certain system network services and processes, while the strict policy enforces the full default NSA policy. In targeted mode, nine (or more) system services are monitored by SELinux, and almost all network services are under its control.

The configuration file is /etc/selinux/config. Generally, "permissive" mode is used during testing: in this mode a violation of a SELinux rule only produces a warning, after which the rules are adjusted. Finally, the user decides whether to switch to the strict "enforcing" mode, which prohibits any action that violates the policy.

The rules determine how SELinux behaves and operates, and the policy determines the specific security details, such as the file system and file consistency.

During installation, you can select "Activate", "Warning" or "Disable" for SELinux; the default is "Activate". After installation, you can open the "Security Level" settings window via "Applications" -> "System Settings" -> "Security Level", or by entering system-config-securitylevel directly in a console window. On the "SELinux" tab, we can not only enable or disable SELinux but also modify the built-in SELinux policy.

SELinux commands:

ls -Z

ps -Z

id -Z

These show the SELinux attributes (security contexts) of files, processes and users respectively.

chcon changes the SELinux attribute of a file.

getenforce/setenforce: view and set the current working mode of SELinux.

After modifying the configuration file /etc/selinux/config, restart the system to start SELinux in the new working mode.

2. Case Analysis

Apache: "DocumentRoot must be a directory" problem

The same cause can also produce the 403 Forbidden access error.

Symptom description:

Instead of using the system default /var/www/html as the document root, create a new directory, point DocumentRoot at it in /etc/httpd/conf/httpd.conf and restart the Apache daemon. Apache fails to start and the system reports the following error:

DocumentRoot must be a directory

However, the DocumentRoot we set is indeed a directory, and the Apache user has read permission on it.

In another case, a newly added virtual directory or file cannot be accessed: a 403 Forbidden error is displayed, even though the file or directory has read permission.

Cause:

At first I wondered why; it felt like a permissions problem, but in the traditional Linux way of thinking the permissions were definitely fine. Could SELinux have some other security setting?

Check the AVC messages: look in /var/log/messages and find a section similar to the following:

Dec 24 17:54:59 hostname kernel: audit(1098222899.827:0): avc: denied { getattr } for pid=19029 exe=/usr/sbin/httpd path=/var/www/html/about.html dev=dm-0 ino=373900 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file

There it is. It really is SELinux's new feature at work: I had set the directory or file to the user_home_t type, so the Apache process has no permission to access it. The SELinux targeted policy for the Apache process specifies that it may only access directories or files of type httpd_sys_content_t.

Solution:

Simply change the SELinux type of the directory or file to httpd_sys_content_t:

# chcon -t httpd_sys_content_t [file_name | dir_name]

Then run ls -laZ to view the type of the file or directory.
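As an added example that is not part of the original article, the following POSIX shell script parses AVC denial records of the form shown above (the log lines it embeds are constructed samples) and, for each httpd_t denial on content that is not labelled httpd_sys_content_t, prints the chcon command from the solution; the helper names avc_field, context_type, avc_report and httpd_hint are my own.

```shell
#!/bin/sh
# Added example, not from the original article: parse AVC denial records like the one
# above and, for each one, report who was denied what and print a chcon hint when the
# denial is httpd_t accessing content that is not labelled httpd_sys_content_t.
# The log lines in AVC_SAMPLE are constructed sample data.
AVC_SAMPLE='Dec 24 17:54:59 hostname kernel: audit(1098222899.827:0): avc: denied { getattr } for pid=19029 exe=/usr/sbin/httpd path=/var/www/html/about.html dev=dm-0 ino=373900 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
Dec 24 17:55:03 hostname kernel: audit(1098222903.101:1): avc: denied { read } for pid=19029 exe=/usr/sbin/httpd path=/srv/www/index.html dev=dm-0 ino=373901 scontext=root:system_r:httpd_t tcontext=root:object_r:var_t tclass=file
Dec 24 17:55:09 hostname kernel: audit(1098222909.444:2): avc: denied { write } for pid=2211 exe=/usr/sbin/sshd path=/etc/foo dev=dm-0 ino=1 scontext=root:system_r:sshd_t tcontext=system_u:object_r:etc_t tclass=file'

# avc_field LINE KEY: value of the "KEY=value" pair in an AVC record (empty if absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# context_type CONTEXT: the type element of a user:role:type[:level] security context
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_report LINE: one-line summary of an AVC denial; fails if LINE is not one
avc_report() {
    case "$1" in *avc:*denied*) ;; *) return 1 ;; esac
    perm=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ *\(.*[^ ]\) *}.*/\1/p')
    sdom=$(context_type "$(avc_field "$1" scontext)")
    ttype=$(context_type "$(avc_field "$1" tcontext)")
    printf '%s denied %s on %s (%s) labelled %s\n' \
        "$sdom" "$perm" "$(avc_field "$1" path)" "$(avc_field "$1" tclass)" "$ttype"
}

# httpd_hint LINE: print the chcon fix from the article when httpd_t was denied access
# to a file whose type is not httpd_sys_content_t; fails (prints nothing) otherwise
httpd_hint() {
    sdom=$(context_type "$(avc_field "$1" scontext)")
    ttype=$(context_type "$(avc_field "$1" tcontext)")
    [ "$sdom" = httpd_t ] && [ "$ttype" != httpd_sys_content_t ] || return 1
    printf 'chcon -t httpd_sys_content_t %s\n' "$(avc_field "$1" path)"
}

# Walk the sample log: print each denial and, where it applies, the suggested relabel.
printf '%s\n' "$AVC_SAMPLE" | while IFS= read -r line; do
    avc_report "$line" && httpd_hint "$line" || true
done
```

Note that chcon changes only the label currently stored on the file; a filesystem relabel resets it to whatever the policy's file-context rules specify for that path.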
