15. SELinux Security System Basics
· SELinux (Security-Enhanced Linux) is a mandatory access control mechanism for the Linux kernel, originally developed by the NSA. It lets administrators define security policy far more finely than the traditional owner/group/other permission bits: every access is checked against policy rules, not only against the file mode.
· SELinux is a kernel-level mechanism; it has been integrated into the mainline kernel since version 2.6.
• The major Linux distributions ship with SELinux support, and CentOS/RHEL enable it by default.
• Because SELinux lives in the kernel, switching between "disabled" and "enabled" (the SELINUX= setting in /etc/selinux/config) only takes effect after a reboot, and enabling it after running disabled also requires a filesystem relabel. Switching between enforcing and permissive, by contrast, can be done at runtime with setenforce.
· Basic concepts of SELinux:
• Every access decision involves two things: a process (the subject) and a system resource (the object) such as a file, directory, socket or port.
· SELinux labels both sides with a security context. The type part of a process's context is called its domain; the type part of a resource's context is usually just called the file (or object) context.
• A domain restricts what a process may do.
• A context restricts which resources may be touched, and by which domains.
· ps -Z shows the domain of each process.
· ls -Z shows the context of each file.
· The SELinux targeted policy:
· SELinux controls access through policy rules that state which domains (processes) may access which contexts (files and other resources), and with which permissions.
· The policy that ships with the distribution already covers the standard services, so a custom policy is usually not needed, except when you want to confine a custom service or process of your own.
· CentOS/RHEL use the targeted policy by default.
• Under the targeted policy only the targeted processes are confined by SELinux; every other process runs in an unconfined domain. The confined processes are mainly network-facing daemons.
· CentOS confines a number of network services under the targeted policy, such as dhcpd, httpd, mysqld, named, ntpd, rpcbind, squid and syslogd.
· SELinux modes:
• There are three modes:
• enforcing: actions that violate the policy are denied, and each denial is logged (an AVC record in the audit log, or in the kernel log when auditd is not running).
• permissive: actions that violate the policy are allowed, but each violation is still logged as a warning. This is the mode to use while debugging a policy problem.
• disabled: SELinux is turned off and the system behaves like one without SELinux.
· The mode at boot is set in /etc/selinux/config (which /etc/sysconfig/selinux links to), for example: SELINUX=permissive
· getenforce shows the current SELinux mode.
· setenforce 0|1 changes the mode at runtime: 0 switches to permissive, 1 to enforcing. The change does not survive a reboot, and setenforce cannot enable or disable SELinux.
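As an added example (my code, not from the original notes), a small POSIX shell script that reads the boot-time mode from text in the /etc/selinux/config format, refuses the one mode change that cannot be made at runtime, and summarises an AVC denial record so the difference between a violation that was blocked (enforcing) and one that was only logged (permissive) is visible in the log itself. The config text and the audit line are constructed samples, and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original notes. Helpers for reading and
# changing the SELinux mode and for reading the denial records that
# enforcing/permissive mode produce. Sample inputs below are constructed.

# Boot-time mode from a file in /etc/selinux/config format, read on stdin.
# Comment lines start with '#'; the last SELINUX= line wins, as at boot.
# Usage on a real host: configured_mode < /etc/selinux/config
configured_mode() {
    awk -F= '/^SELINUX=/ { mode = $2 } END { print mode }'
}

# Current runtime mode: Enforcing, Permissive or Disabled. Falls back to
# "Disabled" where getenforce is not installed (no SELinux at all).
effective_mode() {
    if command -v getenforce >/dev/null 2>&1; then getenforce; else echo Disabled; fi
}

# Runtime switch. setenforce only toggles Enforcing <-> Permissive; going
# to or from "disabled" needs the config file and a reboot (and a relabel
# when re-enabling), so that request is refused here rather than faked.
set_mode() {
    case "$1" in
        enforcing)  setenforce 1 ;;
        permissive) setenforce 0 ;;
        disabled)   echo "set SELINUX=disabled in /etc/selinux/config and reboot" >&2; return 1 ;;
        *)          echo "usage: set_mode enforcing|permissive" >&2; return 2 ;;
    esac
}

# Summarise one AVC record (from /var/log/audit/audit.log, or dmesg when
# auditd is not running): source domain, requested permission, target
# type and class, and whether the kernel actually blocked the access.
# Only the first permission inside { } is reported.
avc_summary() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)   { split(substr($i, 10), s, ":"); dom = s[3] }
            if ($i ~ /^tcontext=/)   { split(substr($i, 10), t, ":"); typ = t[3] }
            if ($i ~ /^tclass=/)     cls  = substr($i, 8)
            if ($i ~ /^permissive=/) perm = substr($i, 12)
            if ($i == "{")           op   = $(i + 1)
        }
        if (perm == "0")      outcome = "blocked (enforcing)"
        else if (perm == "1") outcome = "allowed but logged (permissive)"
        else                  outcome = "no permissive= field, check getenforce"
        printf "%s -> %s %s:%s %s\n", dom, op, typ, cls, outcome
    }'
}

# Constructed sample config, in the layout of /etc/selinux/config.
SAMPLE_CFG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
SELINUXTYPE=targeted'

# Constructed AVC record: httpd_t denied read on a user_home_t file,
# the classic symptom of an HTML file moved out of a home directory.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

printf '%s\n' "$SAMPLE_CFG" | configured_mode
effective_mode
avc_summary "$SAMPLE_AVC"
```

The permissive= field at the end of an AVC record is what tells you whether the logged denial actually stopped anything; in permissive mode the log fills with denials that were never enforced, which is exactly why that mode is useful for finding out what a policy change would break before switching back to enforcing.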
· Policy, domain and context:
• The context displayed by ps -Z or ls -Z looks like this:
system_u:object_r:httpd_exec_t:s0, which corresponds to user:role:type:MLS/MCS level
• Ordinary file operations sometimes change a file's context (for example, mv keeps the context the file had in its old location, while cp gives the copy the default context of the destination directory). A confined process may then be unable to access the file, so checking and correcting file contexts is a routine part of managing the system.
· restorecon -R -v /var/www : restorecon resets files to the default context the policy defines for their path; -R recurses into directories and -v reports each change.
· chcon --reference=/etc/named.conf.orig /etc/named.conf : chcon changes a file's context directly; with --reference the second file is given the same context as the first. Note that a chcon change is lost on the next relabel (restorecon or autorelabel); a permanent rule for a path is set with semanage fcontext.
• For example, an HTML file created in a home directory and then moved (mv) into the Apache document root keeps its user_home_t context and cannot be served by httpd; running restorecon -R on the directory restores the expected httpd_sys_content_t context.
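As an added example that serves both the context format shown above (user:role:type:level, as printed by ps -Z and ls -Z) and the mislabeled-file problem just described (my code, not the notes'): a POSIX shell script that reads ls -Z style lines, splits each context into its fields, flags files under a web root whose type httpd cannot serve, and builds the restorecon command that repairs them. The sample listing is constructed, the function names are mine, and the list of httpd-readable types is an assumption to be checked against the policy on the real host.

```shell
#!/bin/sh
# Added example, not part of the original notes. Reads "ls -Z" style
# lines, splits each context into user:role:type:level, flags files under
# a web root whose type httpd_t cannot read, and builds the restorecon
# command that repairs them. Sample lines below are constructed.

# One field of a context string: 1=user 2=role 3=type 4=MLS/MCS level.
context_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Read ls -Z output on stdin and print "type name" per entry. Handles
# both the RHEL 7 layout (perms owner group context name) and the
# RHEL 8+ layout (context name): the context is the field with at least
# two colons, the name is the last field (names with spaces not handled).
list_types() {
    awk '{
        ctx = ""
        for (i = 1; i < NF; i++) if ($i ~ /^[^:]+:[^:]+:[^:]+/) ctx = $i
        if (ctx != "") { split(ctx, f, ":"); print f[3], $NF }
    }'
}

# Names whose type is not one that httpd_t may serve. The allowed list
# is an assumption for the example; confirm against your policy with
# "semanage fcontext -l" or "sesearch" on the real host.
find_mislabeled() {
    list_types | awk '
        $1 == "httpd_sys_content_t"     { next }
        $1 == "httpd_sys_rw_content_t"  { next }
        $1 == "httpd_sys_script_exec_t" { next }
        { print $2 " (" $1 ")" }'
}

# The repair: restorecon resets the path to the policy default;
# -R recurses, -v prints every file it changes. Printed, not executed,
# so the script also runs on a host without SELinux.
restore_cmd() {
    printf 'restorecon -R -v %s\n' "$1"
}

# Constructed sample of "ls -Z /var/www/html" after an index.html was
# created in a home directory and moved in with mv: mv preserves the
# context, so the file still carries user_home_t.
SAMPLE='system_u:object_r:httpd_sys_content_t:s0 about.html
unconfined_u:object_r:user_home_t:s0 index.html
system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin'

# On a real host: ls -Z /var/www/html | find_mislabeled
printf '%s\n' "$SAMPLE" | find_mislabeled
restore_cmd /var/www/html
```

On a real CentOS/RHEL host the same pipeline runs against live output (ls -Z /var/www/html | find_mislabeled), and the printed restorecon command is the fix; the script deliberately does not run it, so that it can be tried anywhere first.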