SELinux (Security-Enhanced Linux) is the United States National Security Agency (NSA) implementation of mandatory access control and is the most outstanding new security subsystem in the history of Linux. The NSA, with the help of the Linux community, developed an access control system under whose constraints a process can access only those files that it needs for its tasks. SELinux is installed by default on Fedora and Red Hat Enterprise Linux, and is available as an easy-to-install package on other distributions.
The SELinux permissions of a file can be viewed with ls -Z:
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log
system_u:object_r:admin_home_t:s0 is the SELinux permission. It is made up of four segments separated by colons:
system_u:
Refers to the SELinux user. root represents the root account identity, user_u represents a normal unprivileged user, and system_u represents system processes. The user confirms the identity type and is generally used together with a role. Different identities combined with different roles have different permissions. Although you can use the su command to switch users, the SELinux user does not change: the user identity stays the same across account switches. In the targeted policy environment, the user identity has no substantive effect.
object_r:
object_r is generally the role of files and directories, and system_r is generally the role of processes. In the targeted policy environment, the role of the user is generally system_r. A role is similar to the concept of a user group: different roles have different identity permissions, and one user can have multiple roles but only one role at a time. Roles have no substantive effect in the targeted policy environment, and the roles of all process files in the targeted policy environment are system_r roles.
admin_home_t:
Files and processes each have a type; SELinux restricts access based on the combination of these types.
s0:
Related to MLS and MCS.
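The four-segment split described above, as an added example that is not part of the original page. It goes slightly beyond the s0 case shown: an MLS/MCS level with categories (for example s0:c0.c1023) contains a colon of its own, so the level must be taken as everything after the third colon. The function names and the sample listing are constructed for this example.

```shell
#!/bin/sh
# Added example: parse SELinux contexts from `ls -Z`-style lines.

# Split a context into user, role, type and level.
# The level is everything after the third colon, because an MLS/MCS
# level such as s0:c0.c1023 itself contains a colon.
split_context() {
    ctx=$1
    case $ctx in
        *:*:*:*) ;;
        *) echo "not a four-segment context: $ctx" >&2; return 1 ;;
    esac
    se_user=${ctx%%:*};  rest=${ctx#*:}
    se_role=${rest%%:*}; rest=${rest#*:}
    se_type=${rest%%:*}; se_level=${rest#*:}
    printf '%s %s %s %s\n' "$se_user" "$se_role" "$se_type" "$se_level"
}

# Read `ls -Z` lines on stdin and print the names of files whose type
# differs from the expected one (hypothetical helper for this example;
# assumes file names without spaces).
files_with_other_type() {
    expected=$1
    while read -r line; do
        ctx=''
        # The context is the first field with at least three colons.
        for field in $line; do
            case $field in *:*:*:*) ctx=$field; break ;; esac
        done
        [ -n "$ctx" ] || continue
        name=${line##* }
        set -- $(split_context "$ctx")
        [ "$3" = "$expected" ] || printf '%s\n' "$name"
    done
}

# Constructed sample in the ls -Z format shown above (not real output).
SAMPLE='-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log
-rw-r--r--. root root unconfined_u:object_r:usr_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0:c0.c1023 notes.txt'

printf '%s\n' "$SAMPLE" | files_with_other_type admin_home_t   # prints index.html
```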
Related commands
1. ls -Z or ls --context
Displays the SELinux permissions of files
2. chcon: changes the SELinux permissions of a file
# ls -Z /mnt/www
-rw-r--r--. root root unconfined_u:object_r:usr_t:s0 index.html
# chcon -R -t usr_t /mnt/www/
3. restorecon
Restores the original SELinux permissions of a file, provided that the file's permissions are defined in the policy
4. star
The tar command under SELinux; backs up files together with their SELinux labels
5. cp -Z, --context=context
Specifies the SELinux permissions of the destination file when copying files
6. find -context
Finds files that have the specified SELinux permissions
7. id
Displays the SELinux permissions of the current user
8. sestatus
Displays the current SELinux information
Related parameters: -d -v
SELinux policy configuration