Setting and application of SELinux security policy

Source: Internet
Author: User

What we are sharing today may strike many people as not worth the trouble. It is not meaningless; it is simply more cumbersome to use. Once the SELinux security policy is enabled, the domain of each application and the security label of each file must match a policy rule before any access is allowed, so a single wrong setting makes the application fail. But everything has two sides: what is harder to set up also gives the application's data real protection. For example, once SELinux is enabled for a web service, even an attacker who has broken into the web server and wants to replace our home page is stopped unless the process he controls runs in a domain that the policy allows to write the home page file. Nothing is meaningless in itself; the question is whether we use it appropriately.


I. Introduction to SELinux

SELinux (Security-Enhanced Linux) is a mandatory access control security module for Linux developed by the National Security Agency (NSA) and Secure Computing Corporation (SCC). It was released under the GNU GPL in 2000 and has been integrated into the mainline kernel since Linux 2.6.


DAC: Discretionary Access Control

MAC: Mandatory Access Control

In a DAC environment a process is not confined: it can do anything the user it runs as is allowed to do.

In a MAC environment a process can be confined.

Policy defines which resources (files and ports) a confined process may use.

By default, any behaviour that is not explicitly allowed is denied.

1. SELinux has two kinds of policy (working level):

Strict: every process is under the control of SELinux.

Targeted: only a limited set of processes is controlled by SELinux. It protects the common network services and confines only the processes most likely to be attacked; everything else runs unconfined. Targeted is the default on RHEL/CentOS.


2. In traditional Linux, access to every file is controlled by user, group and permission bits.

Under SELinux, every object (files, directories, ports and so on) is controlled by security attributes stored in the inode's extended attributes. Each resource and each process carries a security label called the security context.

The security context consists of five elements:

user:role:type:sensitivity:category

for example: user_u:object_r:tmp_t:s0:c0

(sensitivity and category together form the MLS/MCS level, which ls -Z shows as one trailing field such as s0 or s0:c0)


3. The labels are stored in the file system, as the security.selinux extended attribute of each inode (getfattr -n security.selinux filename shows the raw value).

To view the security label of a file: ls -Z filename

To view the security label of processes: ps -eZ (ps -Z shows only the processes of the current terminal)

4. Expected (default) context:

The expected context is stored in the binary SELinux policy as a mapping from path patterns (regular expressions) to security contexts.

View the default security labels: semanage fcontext -l

Check what the policy expects for one path: matchpathcon /path/to/file
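The comparison behind restorecon is simply "does the type stored on the file equal the type the policy maps the path to". The following shell snippet is an added example, not code from the original article: it splits a security context into its fields and flags files whose current type differs from the expected one. The ls -Z-style lines are constructed for the example; nothing here talks to a real SELinux kernel, so it runs on any host.

```shell
#!/bin/sh
# Added example: pull the fields out of an SELinux security context and flag
# files whose stored type is not the type the policy expects for them.
# SAMPLE_LS_Z is constructed to look like `ls -Z` output ("context path").

# ctx_field CONTEXT N: print field N of user:role:type:level. The level may
# itself contain colons (s0:c0.c1023), so field 4 is "everything after type".
ctx_field() {
  case $2 in
    4) printf '%s\n' "$1" | cut -d: -f4- ;;
    *) printf '%s\n' "$1" | cut -d: -f"$2" ;;
  esac
}

# find_mislabeled EXPECTED_TYPE: read "context path" lines on stdin and print
# the paths whose type is not EXPECTED_TYPE, i.e. what `restorecon -Rnv`
# would report for a tree whose policy mapping is EXPECTED_TYPE.
find_mislabeled() {
  while read -r fm_ctx fm_path; do
    [ -n "$fm_ctx" ] || continue
    if [ "$(ctx_field "$fm_ctx" 3)" != "$1" ]; then
      printf '%s\n' "$fm_path"
    fi
  done
}

# Constructed sample: a web root where one file was copied in from a home
# directory and kept its user_home_t label (the classic "403 from httpd").
SAMPLE_LS_Z='system_u:object_r:httpd_sys_content_t:s0 /www/index.html
unconfined_u:object_r:user_home_t:s0 /www/about.html
system_u:object_r:httpd_sys_content_t:s0:c0.c1023 /www/img/logo.png'

printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled httpd_sys_content_t
```

On a real host the same check is `restorecon -Rnv /www` (the -n reports without changing anything); the file it lists here, /www/about.html, is the one that restorecon -Rv /www would relabel.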


5. Definition of the security context items

User: the SELinux user the process or file belongs to, such as root, user_u, system_u or unconfined_u. Under the targeted policy most local processes are unconfined.

Role: defines the purpose of a file, process or user. Files use object_r; processes and users use system_r (unconfined logins use unconfined_r).

Type: the type of the data (for files) or the domain (for processes). Policy rules are written in terms of types: which process domain may access which file type. The targeted policy is implemented almost entirely with type enforcement. A type shared by several services is public_content_t (read-only content that httpd, ftpd, samba and others may all serve).

Sensitivity: a hierarchical security level defined by an organisation for restricting access, such as unclassified, secret, top secret. An object has exactly one sensitivity. Levels run from s0 to s15, with s0 the lowest; the targeted policy uses s0 by default.

Category: a non-hierarchical classification used by a particular organisation, such as "FBI secret" or "NSA secret". An object can have several categories; c0 to c1023 gives 1024 categories in total. The targeted policy does not use categories for ordinary files and services (its MCS part uses them only to separate virtual machines and containers from each other).

Object: anything that can be accessed: files, directories, ports, processes and so on.

Subject: the process that performs the access (the principal).


6. SELinux gives every file a type label and every process a domain label. What a domain may do is defined by the security policy.

7. When a subject tries to access an object, the kernel's policy enforcement server first consults the AVC (Access Vector Cache), where the results of earlier decisions for subject/object pairs are cached. On a cache miss it asks the security server for the rule matching the process's domain and the object's type, then allows or denies the access based on the result. Denials are written to the audit log.

8. Security policy: the rule database that defines which subjects may access which objects. Each rule records which type of subject may use which method to access which type of object, and whether that behaviour is allowed or denied.


II. Configuring SELinux

Configuring SELinux comes down to three things:

whether SELinux is enabled, and in which mode

relabelling files with the correct security context

setting Boolean switches


1. SELinux modes:

Enforcing: mandatory; every confined process is subject to the policy and violations are blocked.

Permissive: SELinux is enabled, but violations by confined processes are not blocked, only recorded in the audit log.

Disabled: SELinux is off and no labels are maintained.


2. Related commands

getenforce: show the current SELinux mode

setenforce 0 or 1

0: set to permissive

1: set to enforcing

This setting does not survive a reboot, and setenforce cannot be used at all while SELinux is disabled.


Permanent configuration file: /etc/selinux/config (/etc/sysconfig/selinux is a symlink to it)

SELINUX={disabled|enforcing|permissive}

A change to this file takes effect at the next boot. Switching from disabled to enforcing or permissive needs a full relabel of the file system at that boot (touch /.autorelabel before rebooting); going straight from disabled to enforcing on an unlabelled system is a common way to make the machine unbootable, so go through permissive first.
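Editing the config file by hand is easy to get wrong (a typo in the value, or a second SELINUX= line that wins over the first). The snippet below is an added example, not part of the original article: it rewrites the SELINUX= line of an /etc/selinux/config-style file, rejects values the kernel does not accept, and leaves SELINUXTYPE= and comments untouched. It is exercised on a temporary copy; on a real host you would point it at /etc/selinux/config and follow it with setenforce for the immediate effect.

```shell
#!/bin/sh
# Added example: set SELINUX=<mode> in an /etc/selinux/config-style file.
# Refuses anything but enforcing|permissive|disabled, keeps every other line,
# collapses duplicate SELINUX= lines to one, and appends the line if missing.

# set_selinux_config FILE MODE
set_selinux_config() {
  cfg_file=$1; cfg_mode=$2
  case $cfg_mode in
    enforcing|permissive|disabled) ;;
    *) echo "invalid SELINUX mode: $cfg_mode" >&2; return 1 ;;
  esac
  cfg_tmp=$(mktemp) || return 1
  awk -v m="$cfg_mode" '
    /^[[:space:]]*SELINUX=/ { if (!seen) print "SELINUX=" m; seen = 1; next }
    { print }
    END { if (!seen) print "SELINUX=" m }
  ' "$cfg_file" > "$cfg_tmp" && cat "$cfg_tmp" > "$cfg_file"   # cat keeps mode/owner
  cfg_rc=$?
  rm -f "$cfg_tmp"
  return $cfg_rc
}

# get_selinux_config FILE: print the configured mode (empty if none)
get_selinux_config() {
  awk -F= '/^[[:space:]]*SELINUX=/ { v = $2 } END { print v }' "$1"
}

# Demo on a constructed copy of the config file, not the real one.
demo_cfg=$(mktemp)
printf '# This file controls the state of SELinux on the system.\nSELINUX=disabled\nSELINUXTYPE=targeted\n' > "$demo_cfg"
set_selinux_config "$demo_cfg" permissive
cat "$demo_cfg"
rm -f "$demo_cfg"
```

The demo moves a constructed config from disabled to permissive, which is the safe first step described above; after the reboot and relabel, the same function with enforcing (plus setenforce 1) completes the switch.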


3. Relabel files:

chcon [OPTION]... [-u USER] [-r ROLE] [-t TYPE] FILE...

chcon [OPTION]... --reference=RFILE FILE...

-R: recursive

chcon changes only the label stored on the file, not the policy's mapping, so the change is lost the next time the file is relabelled by restorecon or by a full relabel at boot. For anything permanent use semanage fcontext (below).

4. Restore the default security context of a directory or file:

restorecon [-R] [-v] [-n] /path/to/file

-R: recursive; -v: show each label that changes; -n: only report what would change, without changing it


5. Querying and modifying the default security context (semanage command)

The semanage command comes from the policycoreutils-python package (policycoreutils-python-utils on RHEL 8 and later).

View the default security contexts: semanage fcontext -l

Add a default security context: semanage fcontext -a -t httpd_sys_content_t '/www(/.*)?'

Apply it to the files on disk: restorecon -Rv /www

Delete the default security context: semanage fcontext -d -t httpd_sys_content_t '/www(/.*)?'

The pattern is a regular expression: '/www(/.*)?' covers /www itself and everything below it. semanage only records the mapping in the policy store; nothing on disk changes until restorecon is run.


6. SELinux port labels

View port labels: semanage port -l

Add a port:

semanage port -a -t port_label -p tcp|udp port

semanage port -a -t http_port_t -p tcp 9527

Delete a port:

semanage port -d -t port_label -p tcp|udp port

semanage port -d -t http_port_t -p tcp 9527

Modify an existing port to a new label:

semanage port -m -t port_label -p tcp|udp port

semanage port -m -t http_port_t -p tcp 9527

A port can carry only one label. If the port is already defined by the policy, semanage port -a fails with "Port tcp/NNNN already defined" and you must use -m instead; -d removes only local additions, never the policy's own definitions.
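The -a versus -m choice trips people up because semanage's "already defined" check is on the exact entry, not on membership in a range such as unreserved_port_t's 1024-32767. The snippet below is an added example, not code from the original article: it reads semanage port -l-style output (a constructed sample here; the script never calls semanage) and prints the command that would bind a port to a label.

```shell
#!/bin/sh
# Added example: choose between `semanage port -a` and `semanage port -m`.
# SAMPLE_PORTS is constructed text in the shape of `semanage port -l` output.

# port_owner PROTO PORT: read `semanage port -l`-style lines on stdin and print
# the label that lists PROTO/PORT as an explicit entry. Ranges (1024-32767)
# are skipped on purpose: `semanage port -a` only refuses exact duplicates.
port_owner() {
  own_proto=$1; own_port=$2
  while read -r own_label own_p own_rest; do
    [ "$own_p" = "$own_proto" ] || continue
    for own_entry in $(printf '%s' "$own_rest" | tr ',' ' '); do
      if [ "$own_entry" = "$own_port" ]; then
        printf '%s\n' "$own_label"
        return 0
      fi
    done
  done
  return 1
}

# port_cmd LABEL PROTO PORT: print the semanage command that binds PROTO/PORT
# to LABEL, given `semanage port -l` output on stdin.
port_cmd() {
  if cmd_owner=$(port_owner "$2" "$3"); then
    if [ "$cmd_owner" = "$1" ]; then
      printf '# %s/%s is already labelled %s, nothing to do\n' "$2" "$3" "$1"
    else
      printf 'semanage port -m -t %s -p %s %s\n' "$1" "$2" "$3"
    fi
  else
    printf 'semanage port -a -t %s -p %s %s\n' "$1" "$2" "$3"
  fi
}

# Constructed sample; the header line is skipped because its "Proto" column
# is the word Port, not tcp/udp.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767'

for demo_port in 9527 8080 80; do
  printf '%s\n' "$SAMPLE_PORTS" | port_cmd http_port_t tcp "$demo_port"
done
```

With the sample above, 9527 gets -a (only a range covers it), 8080 gets -m (it belongs to http_cache_port_t), and 80 needs nothing. On a real host feed it `semanage port -l | port_cmd http_port_t tcp 9527`.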


7. SELinux Booleans

Commands to view Booleans:

getsebool [-a] [boolean]

semanage boolean -l

semanage boolean -l -C to view only the Booleans that have been modified locally

Commands to set a Boolean:

setsebool [-P] boolean on|off

setsebool [-P] boolean=1|0

Without -P the change is lost at reboot; with -P it is also written into the policy store.


8. SELinux log management

yum install setroubleshoot* (takes effect after a restart)

With setroubleshoot installed, a human-readable description of each denial is written to /var/log/messages:

grep setroubleshoot /var/log/messages

sealert -l UUID

shows the description of one security event by its UUID

sealert -a /var/log/audit/audit.log

analyses the whole audit log

The raw AVC denial records live in /var/log/audit/audit.log and can be queried directly with ausearch -m avc -ts recent.
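Without setroubleshoot, the raw AVC records are still enough to work out the fix, provided you extract the right fields: the source domain, the target type, the object class and the denied permissions. The snippet below is an added example, not part of the original article; the audit lines are constructed to follow the kernel's AVC record format, and the script reads only what is piped into it.

```shell
#!/bin/sh
# Added example: reduce raw AVC records to "<source type> <target type> <class>
# <permissions> <comm>[ permissive]". SAMPLE_AUDIT is constructed to match the
# format of /var/log/audit/audit.log; on a real host pipe the file (or
# `ausearch -m avc`) into avc_summary instead.

avc_summary() {
  awk '
    index($0, "type=AVC ") == 1 && index($0, "avc:  denied  { ") > 0 {
      p = index($0, "denied  { ") + 10      # first character of the permission list
      q = index($0, " } for")                # end of the permission list
      perms = substr($0, p, q - p)
      s = "?"; t = "?"; c = "?"; comm = "?"; flag = ""
      for (i = 1; i <= NF; i++) {
        # third colon-separated field of a context is the type/domain
        if (index($i, "scontext=") == 1) { split(substr($i, 10), a, ":"); s = a[3] }
        if (index($i, "tcontext=") == 1) { split(substr($i, 10), b, ":"); t = b[3] }
        if (index($i, "tclass=") == 1)   { c = substr($i, 8) }
        if (index($i, "comm=") == 1)     { comm = substr($i, 6); gsub(/"/, "", comm) }
        if ($i == "permissive=1")        { flag = " permissive" }   # logged, not blocked
      }
      print s, t, c, perms, comm flag
    }'
}

# Constructed sample: a file denial caused by a wrong label, and a port
# denial caused by binding httpd to a port that carries no http_port_t label.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="about.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1700000000.250:202): avc:  denied  { name_bind } for  pid=1201 comm="httpd" src=9527 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

printf '%s\n' "$SAMPLE_AUDIT" | avc_summary | sort | uniq -c
```

Reading the two summary lines back against the sections above: httpd_t denied read on a user_home_t file is fixed with semanage fcontext plus restorecon (or, for a one-off, chcon -t httpd_sys_content_t), and httpd_t denied name_bind on a tcp_socket with an unreserved_port_t target is fixed with semanage port -a -t http_port_t -p tcp 9527. Only after those two are ruled out is it worth looking for a Boolean.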


That covers the basic use of SELinux, which is enough for the usual production environment. A more advanced security strategy means going into SELinux policy development, which this article does not discuss.

This article is from the "Love Firewall" blog; please keep this source when reproducing it: http://183530300.blog.51cto.com/894387/1854201
