SELinux principle and use

Source: Internet
Author: User

Outline of this article: SELinux introduction and security context; modes and policy settings; boolean values, their query and modification; using the semanage tool to set file security contexts.

Security Enhanced Linux (security-hardened Linux)

SELinux is a module built into the kernel that strengthens security by controlling how processes access system resources. Take a network service as an example: the subject of the service is its process, and SELinux controls whether that process may access system resources.


Why SELinux is needed

The traditional way to control access to the file system is discretionary access control (DAC): access is decided by the owner of the file resource and its rwx permissions.

Disadvantage: if the owner of the process has rwx permission, the file resource can be modified arbitrarily (for example, if the administrator accidentally changes the permissions of an externally served directory such as /var/www/html to 777, anyone can access and modify it at will).

SELinux uses mandatory access control (MAC): the subject of access control becomes the process rather than the user, and the policy together with security-context matching decides whether a process may access a file resource.


Policies (policy)

    • targeted: more restrictions on network services, fewer on local processes; this is the default policy

    • strict: strict limits; complete SELinux restrictions


Security context

drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

identity:role:type

    1. Identity: root, system_u, user_u

    2. Role: object_r, system_r

    3. Type:

The type field of the subject's security context and the type field of the target's security context must be consistent (as allowed by the policy) before access is permitted.

The security context is stored in the file's inode, alongside the rwx permissions.


Relationship between a process and the SELinux type field, taking httpd as an example:

    1. First, the program /usr/sbin/httpd is run; its type is httpd_exec_t

    2. This type causes the subject process started from the file to enter the httpd domain

    3. Many rules have been defined for this domain, including which types of target resources the domain may read

    4. The httpd domain is set to be able to read objects of type httpd_sys_content_t

    5. The type of /var/www/html is httpd_sys_content_t

    6. So the pages under /var/www/html can be read by the httpd process.

    7. And finally, based on the rwx permissions,

SELinux use


View mode

    • getenforce

Enforcing: enforcing mode
Permissive: tolerant mode (only warns, does not forbid)
Disabled: SELinux is turned off


Change mode

    • setenforce 0 / 1

View policy

    • sestatus: lists the current policy and status [-v lists the security contexts of the files and processes named in /etc/sestatus.conf] [-b lists the policy's boolean values]


Configuration file: the mode and the policy can be modified here

    • /etc/selinux/config

    • # cat /etc/selinux/config
      # This file controls the state of SELinux on the system.
      # SELINUX= can take one of these three values:
      #     enforcing - SELinux security policy is enforced.
      #     permissive - SELinux prints warnings instead of enforcing.
      #     disabled - No SELinux policy is loaded.
      SELINUX=enforcing
      # SELINUXTYPE= can take one of these two values:
      #     targeted - Targeted processes are protected,
      #     mls - Multi Level Security protection.
      SELINUXTYPE=targeted        // also strict


Start and stop

  • Check whether the kernel has been booted with SELinux turned off

  • # cat /boot/grub/menu.lst
    default=0
    timeout=5
    splashimage=(hd0,0)/grub/splash.xpm.gz
    hiddenmenu
    title Red Hat Enterprise Linux (2.6.32-431.el6.x86_64)
    root (hd0,0)
    kernel /vmlinuz-2.6.32-431.el6.x86_64 ro root=UUID=7f7fc25f-c295-4b8a-8d2c-48ae97b01d41 rd_NO_LUKS rd_NO_LVM LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
    initrd /initramfs-2.6.32-431.el6.x86_64.img

  • If the kernel line carries the parameter selinux=0, SELinux is turned off

  • SELinux is built into the kernel, so changing the mode or the policy in the configuration file requires a reboot of the system
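As an added example (not from the original post), the POSIX shell functions below check the two places named above for SELinux being switched off at boot: the SELINUX= line in /etc/selinux/config and a selinux=0 parameter on the kernel line. The inputs are constructed strings so it runs offline; the enforcing=0 kernel parameter it also recognises is not mentioned on this page but is a standard SELinux boot option.

```shell
#!/bin/sh
# Added example, not from the original post. Reports the SELinux state the
# system will boot into, from the two sources the text names: the config
# file and the kernel command line of the GRUB entry. On a real host call:
#   selinux_boot_state "$(cat /etc/selinux/config)" "$(cat /proc/cmdline)"

# Value of KEY= in the config text given as $2 (comment lines ignored,
# last occurrence wins, surrounding whitespace stripped).
conf_value() {  # $1=key $2=config text
    printf '%s\n' "$2" | grep -E "^[[:space:]]*$1[[:space:]]*=" | tail -n 1 \
        | cut -d= -f2- | tr -d '[:space:]'
}

# Prints "mode=<m> type=<t>". Kernel parameters override the file:
# selinux=0 disables SELinux entirely; enforcing=0 (a standard boot option,
# assumed here, not taken from the article) forces permissive mode.
selinux_boot_state() {  # $1=config text $2=kernel command line
    mode=$(conf_value SELINUX "$1")
    ptype=$(conf_value SELINUXTYPE "$1")
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) mode="invalid($mode)" ;;
    esac
    case " $2 " in
        *" selinux=0 "*)   mode=disabled ;;
        *" enforcing=0 "*) [ "$mode" = disabled ] || mode=permissive ;;
    esac
    printf 'mode=%s type=%s\n' "$mode" "${ptype:-unset}"
}

# Constructed inputs: the config file from this article, and the kernel line
# from the GRUB entry above with selinux=0 appended.
SAMPLE_CONF='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'
SAMPLE_CMDLINE='ro root=UUID=7f7fc25f-c295-4b8a-8d2c-48ae97b01d41 selinux=0 rhgb quiet'

selinux_boot_state "$SAMPLE_CONF" "$SAMPLE_CMDLINE"   # prints: mode=disabled type=targeted
```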


Modifying the security context

    • chcon [-t type] [-R recursive] directory/file

# chcon -R -t httpd_sys_content_t /var/www/html

    • restorecon [-R recursive] [-v show what is changed] directory/file

// restore the default security context type
# restorecon -Rv /var/www/html


SELinux log records

    • setroubleshoot: error messages written to /var/log/messages

    • auditd: verbose log entries, including the error messages, written to /var/log/audit/audit.log
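An added example (not from the original post): the awk-based function below pulls the key fields out of AVC denial records in /var/log/audit/audit.log, the file auditd writes, so an administrator can see which domain was denied which permission on which target type. The audit records are constructed samples in the format the audit system uses; pids, inodes and timestamps are made up.

```shell
#!/bin/sh
# Added example, not from the original post. Summarises AVC denials from an
# audit.log stream: which process (comm, source domain) was denied which
# permission and class on which target type. On a real host:
#   avc_denials < /var/log/audit/audit.log

# Reads audit records on stdin; prints one summary line per AVC denial.
avc_denials() {
    awk '
    # value of " key=..." in record s (quotes stripped, ends at next space)
    function val(s, key,   i, v) {
        i = index(s, " " key); if (i == 0) return "-"
        v = substr(s, i + length(key) + 1); sub(/ .*/, "", v); gsub(/"/, "", v)
        return v
    }
    # third field of a context user:role:type:level is the type
    function ctype(ctx,   a) { return (split(ctx, a, ":") >= 3) ? a[3] : ctx }
    /^type=AVC / && /avc: +denied/ {
        p = index($0, "{"); q = index($0, "}")         # "{ read }" -> "read"
        perm = substr($0, p + 1, q - p - 1); gsub(/^ +| +$/, "", perm)
        printf "comm=%s perm=%s source=%s target=%s class=%s\n",
            val($0, "comm="), perm, ctype(val($0, "scontext=")),
            ctype(val($0, "tcontext=")), val($0, "tclass=")
    }'
}

# Counts denials per (source domain, target type, class) so the noisiest
# pairs surface first; input is the output of avc_denials.
avc_pairs() {
    sed 's/^.* source=/source=/' | sort | uniq -c | sort -rn
}

# Constructed sample records. The SYSCALL record is not an AVC and is skipped.
SAMPLE_AUDIT='type=AVC msg=audit(1434950000.123:456): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda1 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1434950000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1434950001.500:457): avc:  denied  { write } for  pid=2345 comm="httpd" name="upload" dev=sda1 ino=140 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir'

printf '%s\n' "$SAMPLE_AUDIT" | avc_denials
printf '%s\n' "$SAMPLE_AUDIT" | avc_denials | avc_pairs
```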


Policy rules

Query policy statistics (seinfo, from the setools-console rpm package)

    • seinfo [-b lists all booleans] [-u users] [-r roles] [-t types]: lists statistics for the current policy

# seinfo    // statistics for the current policy

Statistics for policy file: /etc/selinux/targeted/policy/policy.24
Policy Version & Type: v.24 (binary, MLS)

   Classes:            81    Permissions:       235
   Sensitivities:       1    Categories:       1024
   Types:            3637    Attributes:        280
   Users:               9    Roles:              12
   Booleans:          217    Cond. Expr.:       257    // 217 boolean rules, mostly for network services
   Allow:          291033    Neverallow:          0
   Auditallow:        123    Dontaudit:      226650
   Type_trans:      33142    Type_change:        38
   Type_member:        48    Role allow:         19
   Role_trans:        308    Range_trans:      4521
   Constraints:        90    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             23
   Genfscon:           83    Portcon:           446
   Netifcon:            0    Nodecon:             0
   Permissives:        75    Polcap:              2

# seinfo -b | grep httpd    // httpd booleans

httpd_manage_ipa
httpd_run_stickshift
httpd_use_fusefs
httpd_use_openstack
allow_httpd_mod_auth_pam
httpd_setrlimit
httpd_enable_ftp_server
httpd_use_nfs

Boolean query and modification (use sesearch to view the details)

# getsebool -a    // query all booleans

abrt_anon_write --> off
abrt_handle_event --> off
allow_console_login --> on
allow_cvs_read_shadow --> off

# getsebool allow_console_login    // query one boolean

allow_console_login --> on

# setsebool -P allow_console_login=1    // (1 means on, 0 means off); -P also writes the change persistently so it survives a reboot


File default security context settings

    • semanage fcontext [-l list] [-a add] [-m modify] [-d delete]    // fcontext = file context

    • Example:

# ls -Zd /srv/samba
drwxr-xr-x. root root unconfined_u:object_r:var_t:s0 /srv/samba
# semanage fcontext -l | grep /srv/
/srv/([^/]*/)?ftp(/.*)?    all files  system_u:object_r:public_content_t:s0
/srv/([^/]*/)?rsync(/.*)?  all files  system_u:object_r:public_content_t:s0
/srv/([^/]*/)?www(/.*)?    all files  system_u:object_r:httpd_sys_content_t:s0
/srv/.*                    all files  system_u:object_r:var_t:s0
/srv/gallery2(/.*)?        all files  system_u:object_r:httpd_sys_content_t:s0
/srv/git(/.*)?             all files  system_u:object_r:git_sys_content_t:s0
# semanage fcontext -a -t public_content_t "/srv/samba(/.*)?"
# semanage fcontext -l | grep /srv/samba
/srv/samba(/.*)?           all files  system_u:object_r:public_content_t:s0
# restorecon -Rv /srv/samba
restorecon reset /srv/samba context unconfined_u:object_r:var_t:s0->unconfined_u:object_r:public_content_t:s0
# ls -dZ /srv/samba/
drwxr-xr-x. root root unconfined_u:object_r:public_content_t:s0 /srv/samba/
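An added example (not from the original post) that models how restorecon picks the default context from the fcontext table shown above: each regex is matched against the whole path, the last matching entry wins, and entries added with semanage fcontext -a are stored in file_contexts.local, which is consulted after the base table. That is why /srv/samba fell under the catch-all /srv/.* entry until the local rule existed. The table excerpt is constructed from the listing above and ordered the way the policy build sorts it (least specific first); the file-type column is ignored.

```shell
#!/bin/sh
# Added example, not from the original post. Models the lookup restorecon
# performs: every fcontext regex is anchored and matched against the whole
# path, and the last matching entry supplies the context. Local additions
# ("semanage fcontext -a") are consulted after the base table, so they
# override the shipped entries.

# Constructed base table (excerpt of the listing above), ordered the way the
# policy build sorts it: least specific first. Columns: regex, file type
# ("all files", ignored here), context.
FCONTEXT_BASE='/srv/.*                    all files  system_u:object_r:var_t:s0
/srv/([^/]*/)?ftp(/.*)?    all files  system_u:object_r:public_content_t:s0
/srv/([^/]*/)?www(/.*)?    all files  system_u:object_r:httpd_sys_content_t:s0
/srv/git(/.*)?             all files  system_u:object_r:git_sys_content_t:s0'

# What "semanage fcontext -a -t public_content_t /srv/samba(/.*)?" adds.
FCONTEXT_LOCAL='/srv/samba(/.*)?           all files  system_u:object_r:public_content_t:s0'

# Prints the default context for path $1; the fcontext table is read on stdin.
default_context() {
    awk -v path="$1" '
    NF >= 3 { if (path ~ ("^" $1 "$")) ctx = $NF }   # last match wins
    END { print (ctx == "" ? "<<none>>" : ctx) }'
}

# Label of a path before and after the local rule, as restorecon would apply it.
label_before() { printf '%s\n' "$FCONTEXT_BASE" | default_context "$1"; }
label_after()  { printf '%s\n%s\n' "$FCONTEXT_BASE" "$FCONTEXT_LOCAL" | default_context "$1"; }

printf '/srv/samba before: %s\n' "$(label_before /srv/samba)"          # ...:var_t:s0
printf '/srv/samba after:  %s\n' "$(label_after /srv/samba/share/a)"   # ...:public_content_t:s0
```

The same function explains the other rows: /srv/www/index.html lands on httpd_sys_content_t because the www entry sorts after /srv/.*, while a path outside /srv/ matches nothing.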


This article is from the "Call Me boxin" blog, so be sure to keep this source http://boxinknown.blog.51cto.com/10435935/1664775

