The concept of SELinux:
SELinux (Security-Enhanced Linux) is an implementation of MAC (Mandatory Access Control) that works in the kernel. Its goal is to state explicitly which resources a process may access (files, network ports, and so on). The purpose of a mandatory access control system is to strengthen the system's ability to withstand 0-day attacks (exploits of vulnerabilities that have not yet been disclosed). It is therefore not a substitute for a network firewall or for ACLs, and it does not duplicate their purpose.
The connections and differences between DAC and MAC:
A general system uses a DAC (discretionary access control) environment; SELinux is MAC (mandatory access control)
In a DAC environment processes are unrestricted
In a MAC environment the policy rules determine how strict the control is
In a MAC environment processes can be confined
Policies define which resources (files and ports) a confined process may use
By default, behaviour that is not explicitly allowed is denied
A popular understanding of SELinux:
SELinux puts specific programs (and the list keeps growing) into a sandbox. Files carry security labels that place them in different classes, and a program may only perform specific actions on them; in effect the policy specifies which files or directories an application is allowed to access.
Subject, Operation, Object
Subject: a process is called the subject (principal)
Object: anything that can be accessed, including files, directories, processes, ports, etc.
In SELinux every file is given a type label and every process a domain label. The actions a domain may perform are defined by the security policy. When a subject tries to access an object, the policy enforcement server in the kernel checks the AVC (Access Vector Cache), in which the permissions of subjects and objects are cached, and looks up the "application + file" security context pair. Access is then allowed or denied based on the result of the lookup.
Security policy: the rule database that defines how subjects access objects. Its rules record which type of subject is allowed or denied to access which object in which way, and which behaviour is to be recorded or denied.
Understanding and configuring SELinux
1. Get the current SELinux running status
getenforce
There are three possible results: Enforcing, Permissive and Disabled. Disabled means SELinux is turned off; Permissive means SELinux only logs security warnings but does not block suspicious behaviour; Enforcing means it logs warnings and blocks suspicious behaviour.
2. Change the SELinux running state
setenforce [1 | 0]
A reboot is required to switch to the Disabled state or from Disabled to another state. Switching between Enforcing and Permissive does not require a restart.
The security labels of the whole file system are re-created on reboot (touch /.autorelabel && reboot).
SELinux does not start if it is set to disabled in grub or in the configuration file.
To permanently change the SELinux running state, change the configuration file /etc/sysconfig/selinux.
3. SELinux policy types
strict: CentOS 5, every process is under SELinux control
targeted: used to protect common network services; only a limited set of processes is controlled by SELinux, only vulnerable processes are monitored. RHEL4 protects only 13 services, RHEL5 protects 88 services
minimum: CentOS 7, a modified targeted policy, only for selected network services
MLS: provides security for MLS (multilevel security) mechanisms
minimum and MLS are not stable enough to be used
targeted is used by default and is generally left unmodified
4. Security labels
A. Viewing a program's security label
# ps auxZ | grep lldpad
system_u:system_r:initrc_t:s0 root 1000 8.9 0.0 3040 668 ? Ss 21:01 6:08 /usr/sbin/lldpad -d
B. Viewing a file's security label: yes, files have security labels too.
# ls -Z /usr/lib/xulrunner-2/libmozjs.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 /usr/lib/xulrunner-2/libmozjs.so
The security label consists of several fields (user:role:type:level); we only need to focus on the third one, the type.
Type: specifies the data type. The rules define which process types may access which file types; the targeted policy is implemented on the basis of type. A type commonly shared by multiple services: public_content_t
To change a file's security label:
chcon [-t TYPE] FILE ...
chcon [OPTION]... --reference=RFILE FILE ...
-R: relabel recursively
To restore the default security context of a directory or file:
restorecon [-R] /path/to/somewhere
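As an added example that is not part of the original post, the script below pulls the individual fields out of the contexts printed by ps auxZ and ls -Z and checks a file's type field against an expected type, which is the decision chcon or restorecon is then used to act on. The sample lines are constructed from the output shown above, and the function names are my own.

```shell
#!/bin/bash
# Added example (not from the original post): split the SELinux security context
# shown by `ls -Z` and `ps auxZ` into its fields and check the type field, the
# one the targeted policy decides on.

# ctx_field CONTEXT N -> field N of user:role:type[:level]
#   1 = SELinux user, 2 = role, 3 = type, 4 = sensitivity level (MLS/MCS)
ctx_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# file_label_type LS_Z_LINE -> type of the file described by one `ls -Z` line.
# The context is the only field with two or more colons, so it is selected by
# shape rather than by column number (columns shift with `-d` or without SELinux).
file_label_type() {
    local ctx
    ctx=$(printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[^:]+:[^:]+:[^:]+/) { print $i; exit } }')
    ctx_field "$ctx" 3
}

# proc_label_type PS_Z_LINE -> domain (type) of the process on one `ps auxZ` line;
# ps prints the context as the first column.
proc_label_type() {
    local ctx
    ctx=$(printf '%s\n' "$1" | awk '{ print $1 }')
    ctx_field "$ctx" 3
}

# check_type LS_Z_LINE EXPECTED_TYPE -> "ok" or "mismatch: got X, expected Y"
# Exit status 0 on match, 1 otherwise, so it can drive a relabel decision.
check_type() {
    local got
    got=$(file_label_type "$1")
    if [ "$got" = "$2" ]; then
        printf 'ok\n'
        return 0
    fi
    printf 'mismatch: got %s, expected %s\n' "$got" "$2"
    return 1
}

# Constructed sample lines, modelled on the output shown earlier in the post.
SAMPLE_LS='-rwxr-xr-x. root root system_u:object_r:lib_t:s0 /usr/lib/xulrunner-2/libmozjs.so'
SAMPLE_PS='system_u:system_r:initrc_t:s0 root 1000 8.9 0.0 3040 668 ? Ss 21:01 6:08 /usr/sbin/lldpad -d'

main() {
    echo "file type:    $(file_label_type "$SAMPLE_LS")"
    echo "process type: $(proc_label_type "$SAMPLE_PS")"
    check_type "$SAMPLE_LS" httpd_sys_content_t || echo "relabel needed (chcon -t / restorecon)"
}

main
```

Feeding live output works the same way, e.g. `check_type "$(ls -Zd /website)" httpd_sys_content_t`; a non-zero exit is the signal that the directory still carries the default label and needs chcon or a semanage fcontext rule plus restorecon.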
5. Security context
semanage comes from the policycoreutils-python package, which is not installed by default on CentOS 6
To view the default security contexts:
semanage fcontext -l
Add a security context rule:
semanage fcontext -a -t httpd_sys_content_t '/testdir(/.*)?'
restorecon -Rv /testdir
Remove a security context rule:
semanage fcontext -d -t httpd_sys_content_t '/testdir(/.*)?'
6. Ports
View port labels:
semanage port -l
Add a port label:
semanage port -a -t port_label -p tcp|udp PORT
semanage port -a -t http_port_t -p tcp 9527
Delete a port label:
semanage port -d -t port_label -p tcp|udp PORT
semanage port -d -t http_port_t -p tcp 9527
Modify a port label:
semanage port -m -t port_label -p tcp|udp PORT
semanage port -m -t http_port_t -p tcp 9527
7. Boolean rules
Boolean rule commands:
getsebool
setsebool
To view Boolean values:
getsebool [-a] [boolean]
semanage boolean -l
semanage boolean -l -C    view only the Boolean values that have been modified
To set a Boolean value:
setsebool [-P] boolean value
setsebool [-P] boolean=value
8. Logs
yum install setroubleshoot* (takes effect after a restart)
Error information is written to /var/log/messages
grep setroubleshoot /var/log/messages
sealert -l UUID
View the description of one security event
sealert -a /var/log/audit/audit.log
Scan and analyse the whole log
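As an added example that is not part of the original post, the script below does the first pass over /var/log/audit/audit.log that one would otherwise read out of sealert: it reduces each AVC denial to the process, source domain, target type, object class and denied permission, then counts denials per source/target pair. The audit lines are constructed samples in the real type=AVC format (they describe the /website and port 9527 situations from this post before the fixes were applied), and the function names are my own.

```shell
#!/bin/bash
# Added example (not from the original post): summarise AVC denials from the
# audit log. Read from stdin; live use would be
#   grep 'avc:  denied' /var/log/audit/audit.log | avc_summary

# avc_summary: one line per denial:
#   <comm> <source type> -> <target type> <tclass> { perms }
avc_summary() {
    awk '
        /avc: +denied/ {
            comm = "?"; sctx = "?"; tctx = "?"; tclass = "?"; perms = "?"
            # the denied permissions are the words between the braces
            if (match($0, /\{[^}]*\}/)) {
                perms = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perms)
            }
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
                if (kv[1] == "scontext") sctx = kv[2]
                if (kv[1] == "tcontext") tctx = kv[2]
                if (kv[1] == "tclass")   tclass = kv[2]
            }
            # third field of user:role:type:level is the type / domain
            split(sctx, s, ":"); split(tctx, t, ":")
            printf "%s %s -> %s %s { %s }\n", comm, s[3], t[3], tclass, perms
        }'
}

# avc_count: denials per (source type, target type) pair, most frequent first.
# Many denials for one pair usually mean one mislabelled path, not many problems.
avc_count() {
    avc_summary | awk '{ pair[$2 " " $4]++ } END { for (p in pair) print pair[p], p }' | sort -rn
}

# Constructed sample audit records (not from a real system), in the kernel's
# AVC format; the SYSCALL record is there to show that it is ignored.
SAMPLE_AUDIT='type=AVC msg=audit(1473600000.101:201): avc:  denied  { getattr } for  pid=2140 comm="httpd" path="/website/index.html" dev="dm-0" ino=1310732 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473600000.102:202): avc:  denied  { read } for  pid=2140 comm="httpd" name="index.html" dev="dm-0" ino=1310732 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473600010.500:210): avc:  denied  { name_bind } for  pid=2139 comm="httpd" src=9527 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1473600010.500:210): arch=c000003e syscall=49 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"'

main() {
    printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
    echo '--- denials per source/target type ---'
    printf '%s\n' "$SAMPLE_AUDIT" | avc_count
}

main
```

Reading the summary is the diagnosis: httpd_t denied on a file of type default_t means the web root never got its httpd_sys_content_t label (the chcon / semanage fcontext fix below), while httpd_t denied name_bind on unreserved_port_t means the port has no label that httpd may use (the semanage port fix). Neither calls for setenforce 0.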
Apache SELinux configuration example
1. Install the httpd service, change the site's default home directory to /website, add an SELinux file label rule that sets httpd_sys_content_t on /website and all files in it, and make the website accessible
# mkdir /website
# ll -Zd /website
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /website
# ll -Z /var/www/html/
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html
# chcon --reference=/var/www/html /website
# ll -Z /website/
-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
# vim /etc/httpd/conf/httpd.conf
DocumentRoot "/website"
# service httpd restart
# echo "Test website" > /website/index.html
Test:
Enter the address in the browser; the site can be accessed normally.
[Screenshot: selinux.png, the test page loading in the browser]
2. Change the site's port to 9527, add the SELinux port label, and make the website accessible
# semanage port -l | grep http_port_t
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
# semanage port -a -t http_port_t -p tcp 9527
# semanage port -l | grep http_port_t
http_port_t                    tcp      9527, 80, 81, 443, 488, 8008, 8009, 8443, 9000
# vim /etc/httpd/conf/httpd.conf
Listen 9527
Test:
[Screenshot: 9527.png, the site reached on port 9527]
3. Enable an SELinux Boolean so that the user student's home directory can be accessed via HTTP (the commands below use the user jay)
# vim /etc/httpd/conf/httpd.conf
Modified to:
# UserDir disabled
UserDir public_html
# chmod 711 /home/jay
# mkdir /home/jay/public_html
# echo "Jay Home" > /home/jay/public_html/index.html
To view the Boolean rule:
# semanage boolean -l | grep homedir
httpd_enable_homedirs          (off  ,  off)  Allow httpd to read home directories
To modify the Boolean rule:
# setsebool -P httpd_enable_homedirs on
Test:
[Screenshot: jay.png, the user's public_html page loading in the browser]
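As an added example that is not part of the original post, the script below checks offline whether the end state the three steps aim for has actually been reached: /website carries httpd_sys_content_t, tcp/9527 belongs to http_port_t, and httpd_enable_homedirs is on. Its parsers also serve the Ports and Boolean rules sections above: they read the output of semanage port -l (expanding port ranges), ls -Zd and getsebool -a, so they can be run against saved output or fed live with a pipe. The samples are constructed from the output shown in the steps above, and the function names are my own.

```shell
#!/bin/bash
# Added example (not from the original post): verify the end state of the
# Apache configuration steps from command output, without needing root.

# port_label PROTO PORT  (stdin: `semanage port -l`) -> type that owns PROTO/PORT.
# Ranges such as 10001-10010 are expanded. Prints nothing for an unlabelled port.
# A port that already has a label cannot be added with `semanage port -a`;
# it has to be moved to the new type with `semanage port -m`.
port_label() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; gsub(/,/, "", p)
                n = split(p, r, "-")
                lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) { print $1; exit }
            }
        }'
}

# file_type  (stdin: `ls -Zd` output for one path) -> type field of its context
file_type() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[^:]+:[^:]+:[^:]+/) { split($i, c, ":"); print c[3]; exit } }'
}

# bool_value NAME  (stdin: `getsebool -a`, lines like "name --> on") -> on / off
bool_value() {
    awk -v name="$1" '$1 == name { print $NF }'
}

# verify_site LS_OUT PORTS_OUT BOOLS_OUT -> one line per step; exit 0 only if all pass
verify_site() {
    rc=0
    t=$(printf '%s\n' "$1" | file_type)
    if [ "$t" = httpd_sys_content_t ]; then echo "step 1 ok: /website is $t"
    else echo "step 1 FAIL: /website is ${t:-unlabelled}"; rc=1; fi

    l=$(printf '%s\n' "$2" | port_label tcp 9527)
    if [ "$l" = http_port_t ]; then echo "step 2 ok: tcp/9527 is $l"
    else echo "step 2 FAIL: tcp/9527 is ${l:-unlabelled}"; rc=1; fi

    b=$(printf '%s\n' "$3" | bool_value httpd_enable_homedirs)
    if [ "$b" = on ]; then echo "step 3 ok: httpd_enable_homedirs is on"
    else echo "step 3 FAIL: httpd_enable_homedirs is ${b:-unknown}"; rc=1; fi
    return $rc
}

# Constructed samples modelled on the output shown in the steps above.
SAMPLE_LS='drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /website'
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      9527, 80, 81, 443, 488, 8008, 8009, 8443, 9000
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
ssh_port_t                     tcp      22'
SAMPLE_BOOLS='httpd_enable_homedirs --> on
httpd_enable_cgi --> on
httpd_can_network_connect --> off'

verify_site "$SAMPLE_LS" "$SAMPLE_PORTS" "$SAMPLE_BOOLS"
```

On a live system the same check is `verify_site "$(ls -Zd /website)" "$(semanage port -l)" "$(getsebool -a)"`; a FAIL line names the step whose command (chcon/restorecon, semanage port, setsebool -P) still needs to be applied or did not persist across a reboot.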
This article is from the "Mylinux" blog; please keep this source: http://luxiangyu.blog.51cto.com/9976123/1852458
SELinux Introduction and Basic configuration