3. SELinux, encryption and decryption

Tags: decrypt, gpg, asymmetric encryption

SELinux

I. SELinux modes of operation

Edit /etc/selinux/config and set one of the following:

SELINUX=disabled      Disabled: no policy is loaded. Files created while disabled carry no label, so before switching back to permissive or enforcing run touch /.autorelabel and reboot.

SELINUX=permissive    Permissive mode: the policy is evaluated and every denial is logged, but nothing is blocked. Useful for finding out what a service would be denied before enforcing.

SELINUX=enforcing     Enforcing mode: denials are blocked and logged.


II. View the current mode

# getenforce
Enforcing


III. Change the mode temporarily

# setenforce
usage:  setenforce [ Enforcing | Permissive | 1 | 0 ]    // 1 = enforcing, 0 = permissive; the change is lost at the next reboot

setenforce only switches between enforcing and permissive. It cannot turn SELinux on when /etc/selinux/config says disabled; that needs the config change and a reboot.

# yum -y install setroubleshoot*    // tooling that explains SELinux denials and suggests fixes (see section V)

# reboot    // the author reboots after installing; a reboot is the simplest way to be sure auditd's setroubleshoot plugin is running


IV. The two things you configure in SELinux: contexts and Booleans

1. SELinux security context

(1) View the context of a file

In /var/www/html:

# ls -Z
-rw-r--r--. root root unconfined_u:object_r:net_conf_t:s0 index.html    // file context: user:role:type:level

# ls -Zd
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 .    // context of the directory itself

For a confined service such as httpd only the type field matters (the third colon-separated field). The directory carries httpd_sys_content_t, the type for web content, but index.html carries net_conf_t, the type for network configuration files such as /etc/hosts and /etc/resolv.conf. The file evidently came from /etc and kept its label; Unix permissions say nothing about this, so always check ls -Z when a service cannot read a file it apparently has permission to read. Use ls -Zd on the directory to see the type a file there should have, then relabel the file to match.


(2) Change the SELinux context of a file

# chcon -t httpd_sys_content_t index.html    // change only the type field

(2.1) Restore files to the default context for their location

# restorecon -Rv /var/www/html    // -R recurses into subdirectories and files, -v prints every change made
# restorecon -v /var/www/html/index.html    // restore a single file

A chcon change is not recorded anywhere in the policy, so a later restorecon or a full relabel undoes it. For a directory that should permanently hold web content outside /var/www, record the rule first, for example semanage fcontext -a -t httpd_sys_content_t '/srv/www(/.*)?' (example path), and then run restorecon -Rv /srv/www.


A file copied into a directory (cp) is a new file and receives the default context of the destination directory, unless you pass cp -a or cp --preserve=context.

A file moved into a directory (mv) keeps the context it had in its original location. That is how a file such as index.html above ends up labelled net_conf_t inside /var/www/html, so run restorecon on anything you move into a service's directory.
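The check a practitioner wants after the cp/mv rule above is a quick way to spot files whose type differs from the type of the directory they sit in. The script below is an added example, not code from the original article: it works from `ls -Z`/`ls -Zd` lines (either the RHEL 6 five-field form shown above or the newer two-field "context name" form) so it can be exercised without an SELinux host, and the sample lines are constructed to mirror the /var/www/html case rather than captured from the author's machine. Filenames containing spaces are not handled.

```shell
#!/bin/sh
# Added example: find entries whose SELinux type differs from their directory's type.

# ctx_type CONTEXT -> the type field of a user:role:type:level context
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# ctx_name : stdin = `ls -Z` lines (5-field RHEL 6 form or 2-field form);
#            stdout = "context name", the last two fields of each line
ctx_name() {
    awk 'NF >= 2 { print $(NF-1), $NF }'
}

# mislabeled EXPECTED_TYPE : stdin = "context name" lines; prints
#                            "name type" for every entry whose type is not EXPECTED_TYPE
mislabeled() {
    while read -r ctx name; do
        [ -n "$name" ] || continue            # skip blank lines
        t=$(ctx_type "$ctx")
        [ "$t" = "$1" ] || printf '%s %s\n' "$name" "$t"
    done
}

# dir_type LS_ZD_LINE : the type a file in that directory should carry
dir_type() {
    ctx_type "$(printf '%s\n' "$1" | ctx_name | cut -d' ' -f1)"
}

# check_dir DIR : live check on a real SELinux host; prints a restorecon per mismatch
check_dir() {
    expected=$(dir_type "$(ls -Zd "$1")")
    ls -Z "$1" | ctx_name | mislabeled "$expected" |
        while read -r name t; do
            printf '%s/%s is %s, expected %s: restorecon -v %s/%s\n' \
                "$1" "$name" "$t" "$expected" "$1" "$name"
        done
}

# Constructed sample (not captured from the author's host): the directory is
# httpd_sys_content_t, index.html was mv'd in from /etc and kept net_conf_t,
# about.html is labelled correctly.
SAMPLE_DIR='drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 .'
SAMPLE_FILES='-rw-r--r--. root root unconfined_u:object_r:net_conf_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 about.html'

printf '%s\n' "$SAMPLE_FILES" | ctx_name | mislabeled "$(dir_type "$SAMPLE_DIR")"
```

On a real host, `check_dir /var/www/html` prints one line per mislabeled entry together with the restorecon command that fixes it; review the list before running those commands, because a file that genuinely needs a different type (for example a CGI script that should be httpd_sys_script_exec_t) will also be reported.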


2. SELinux Booleans

Example 1. Accessing Linux from Windows over Samba

(1) Install Samba.

(2) # smbpasswd -a root    // set a Samba password for root (the author's choice; a dedicated share user is the safer one)

(3) # service smb start

(4) From Windows, open the server by UNC path (\\<server>\<share>): root's home directory is listed, but double-clicking it fails to open it.

(5) # getsebool -a | grep samba    // list the Samba-related Booleans and their current state

(6) # setsebool -P samba_export_all_rw 1    // rw = read and write; 1 (or on) enables it; -P writes it to the policy so it survives a reboot

(7) Open the UNC path from Windows again; root's home directory can now be opened.

samba_export_all_rw lets smbd read and write every file on the system regardless of its label. If the goal is only to share home directories, samba_enable_home_dirs is the narrower Boolean.



Example 2. Anonymous FTP uploads

(1) # mkdir -m 757 /var/ftp/incoming    // world-writable upload directory (the author's mode; 733 lets anonymous users write but not list what others uploaded)

(2) # vim /etc/vsftpd/vsftpd.conf

anon_upload_enable=YES    // allow anonymous uploads; write_enable=YES must also be set or no write command works at all

(3) Test an upload: connect with the ftp client, log in as anonymous, then

ftp> cd incoming
ftp> lcd /etc    // lcd changes the local directory
ftp> put passwd

If setroubleshoot is installed, an alert appears in the top right corner of the desktop; follow its suggestion:

# chcon -t public_content_rw_t /var/ftp/incoming    // label the directory as writable public content
# getsebool -a | grep ftp    // list the FTP-related Booleans
# setsebool -P allow_ftpd_anon_write 1    // allow anonymous writes; 1 can also be written on (the Boolean is named ftpd_anon_write on RHEL 7 and later)

(4) Try the upload again; it succeeds.

# ftp 192.168.1.2
Log in as the local user jack when prompted for the name and password.

vsftpd reports that it cannot change directory: the daemon is not allowed into users' home directories.

# getsebool -a | grep ftp    // list the FTP-related Booleans
# setsebool -P ftp_home_dir 1    // allow vsftpd to read and write users' home directories

# vimdiff vsftpd.conf vsftpd.conft    // compare the edited file with the author's backup copy
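Both Boolean examples above follow the same pattern: list the Booleans with getsebool, find the one that is off, enable it persistently with setsebool -P. The script below is an added example, not the article's own code, that turns that pattern into a repeatable check: it reads `getsebool -a` output on standard input, reports the required Booleans that are off, flags names that do not exist in the installed policy (the allow_ftpd_anon_write versus ftpd_anon_write rename is exactly this case), and prints the persistent setsebool commands rather than running them. The SAMPLE table is constructed with RHEL 6 names; it was not captured from the author's host.

```shell
#!/bin/sh
# Added example: which required SELinux Booleans are still off, and the fix.

# booleans_off REQUIRED... : stdin = `getsebool -a` output; prints one line per
#                            required Boolean that is not on: "name off", or
#                            "name missing" when the policy has no such Boolean
booleans_off() {
    table=$(cat)
    for req in "$@"; do
        state=$(printf '%s\n' "$table" |
                awk -v b="$req" '$1 == b && $2 == "-->" { print $3 }')
        case "$state" in
            on) ;;                                   # already enabled
            '') printf '%s missing\n' "$req" ;;      # wrong name for this policy version
            *)  printf '%s off\n' "$req" ;;
        esac
    done
}

# remediation REQUIRED... : same input; prints the persistent setsebool commands
#                           for Booleans that exist and are off (nothing is executed)
remediation() {
    booleans_off "$@" | awk '$2 == "off" { printf "setsebool -P %s on\n", $1 }'
}

# Constructed sample of `getsebool -a` output (RHEL 6 Boolean names).
SAMPLE='allow_ftpd_anon_write --> off
ftp_home_dir --> on
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off'

# Demo against the sample. On a real host replace the printf with: getsebool -a
printf '%s\n' "$SAMPLE" | booleans_off samba_export_all_rw allow_ftpd_anon_write ftp_home_dir ftpd_anon_write
printf '%s\n' "$SAMPLE" | remediation samba_export_all_rw allow_ftpd_anon_write ftp_home_dir ftpd_anon_write
```

Reviewing the printed commands before running them matters because each Boolean widens what a confined domain may do; samba_export_all_rw, for instance, lets smbd write anywhere on the system, so the check should carry the narrowest Boolean that solves the problem, not every one that happens to be off.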


V. Installing setroubleshoot (SELinux troubleshooting)

# yum install -y setroubleshoot*

Restart, and from then on every SELinux denial produces an alert with a suggested fix.

On a graphical desktop the alert pops up in the top right corner of the screen. On a text console, read the log:

# vim /var/log/messages

Each alert ends with a line of the form "run sealert -l <id> for complete SELinux messages"; running that command prints the full explanation and the suggested commands. The id below is the one from the author's log:

# sealert -l 17876b7e-c588-4d5e-a900-ca093341fc38

The raw denials that setroubleshoot works from are the type=AVC records in /var/log/audit/audit.log.


VI. Getting help with SELinux settings

(1) Each confined service has its own manual page listing its types and Booleans:

# man ftpd_selinux
# man httpd_selinux
# man samba_selinux

(2) Some service configuration files also document the relevant Booleans in their comments, for example:

# vim /etc/samba/smb.conf


Encryption and decryption

tr: character substitution

# tr 'a-z' 'A-Z'    // convert letters typed on stdin to upper case
hellow
HELLOW
^C

# cat index.html | tr 'a-z' 'A-Z'    // upper-case the contents of a file
BBB

# tr 'a-z' 'A-Z' < index.html    // same result, reading the file directly
WSYHT

# tr 'a-y' 'b-z'    // shift every letter one place along the alphabet: a Caesar cipher
hellow
ifmmpx
^C

The reverse mapping, tr 'b-z' 'a-y', recovers the text, and so does anyone who tries the 25 possible shifts. This is a substitution, not encryption; it is here to show what tr does before moving on to gpg.


GnuPG encryption tool

gpg covers three things:

Symmetric encryption
Asymmetric (public-key) encryption
Signatures

# gpg --version    // show the version

Symmetric encryption

Encrypt: -c (--symmetric)
Decrypt: -d (--decrypt)

Both sides use the same passphrase, which has to be shared over some other channel.

Terminal 1 (Bob)

# ssh -X bob@<server>    // -X forwards X11 so gpg can open its graphical passphrase dialog (the host name was lost from the source)
# echo "bob" > bob.txt
# gpg -c bob.txt    // prompts for a passphrase and writes bob.txt.gpg
# cp bob.txt.gpg /tmp

Terminal 2 (Jack)

# ssh -X jack@<server>
# cp /tmp/bob.txt.gpg .
# gpg -d bob.txt.gpg    // decrypt to the screen after entering the same passphrase
# gpg bob.txt.gpg    // without -d gpg still decrypts, writing the result to bob.txt instead of the screen
# gpg -d bob.txt.gpg > bob.txt    // decrypt and redirect into the file bob.txt


Asymmetric encryption

Terminal 1 (Bob)

# ssh -X bob@<server>
# gpg --gen-key
    Enter                      // accept the default key type (RSA and RSA)
    Enter                      // accept the default key size
    0                          // key does not expire
    y                          // confirm
    wsyht                      // real name
    <email address>            // the address was obfuscated in the source
    Enter                      // no comment
    O                          // (O)kay: accept the user ID
    <passphrase protecting the private key>    // entered in the dialog box that pops up; choose the right-hand option there
    Type at random on the keyboard while the key is generated so the kernel has enough entropy.

# gpg --list-keys    // public keys
# gpg --list-secret-keys    // private keys
# gpg --export -a > /tmp/bob.key    // (1) export the public key; -a = ASCII armor. Without a name every public key in the keyring is exported; gpg --export -a bob exports only Bob's
# cat /tmp/bob.key
# gpg --fingerprint    // print the fingerprint; Jack should compare it with Bob over another channel before trusting the imported key
# cp /tmp/bob.txt.asc .    // (4) copy the file Jack encrypted into the current directory
# gpg bob.txt.asc    // decrypt with Bob's private key; the plaintext is written to bob.txt
# ls

Terminal 2 (Jack)

# ssh -X jack@<server>
# gpg --import /tmp/bob.key    // (2) import Bob's public key
# gpg --list-keys    // Bob's public key is now listed
# gpg --list-secret-keys    // nothing listed: Jack has no key pair of his own
# man gpg
# gpg -ear bob bob.txt    // -e encrypt, -a ASCII-armored output, -r recipient (Bob's user ID); writes bob.txt.asc
    y    // the key is not certified, so gpg asks whether to use it anyway; answer y only after checking the fingerprint with Bob
# cat bob.txt.asc
# cp bob.txt.asc /tmp    // (3) hand the public-key-encrypted file to Bob


Signing with GPG

1. What a signature gives you:

(1) Authentication: the data was signed by the holder of the private key, so the sender is who they claim to be.

(2) Integrity: if the data is changed after signing, verification fails.

(3) Non-repudiation: the signer cannot later deny having signed it.

Terminal 1 (Bob)

2. Bob sends a signed file to Jack

# echo 'bob file' > bob.txt
# gpg -b bob.txt    // -b writes a detached signature to bob.txt.sig; the file itself is unchanged
# ls
bob.txt  bob.txt.sig

2.2 Send both the original and the signature to Jack

# cp bob.txt* /tmp

Terminal 2 (Jack)

2.3 Verify the signature

# cp /tmp/bob.txt* .
# ls
bob.txt  bob.txt.sig
# gpg --verify bob.txt.sig    // checks bob.txt.sig against bob.txt in the same directory; gpg --verify bob.txt.sig bob.txt names the data file explicitly

Verification needs Bob's public key, imported in the previous example. Because Jack has not certified that key, gpg prints "Good signature" followed by a warning that the key is not certified with a trusted signature; the signature is still valid, the warning is about whether the key really is Bob's.
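The three gpg procedures above (symmetric -c/-d, the Bob/Jack public-key exchange with its "use this untrusted key anyway?" prompt, and detached signing) are done interactively in the article. The script below is an added example, not code from the original, that runs the whole round trip non-interactively with a separate keyring per person so that nothing in the reader's own ~/.gnupg is touched. It assumes GnuPG 2.2 or later (for --pinentry-mode loopback and %no-protection in batch key generation), generates a throwaway unprotected RSA key for Bob under a made-up address (bob@example.invalid), and shows the one check the interactive "y" hides: a tampered file must fail verification.

```shell
#!/bin/sh
# Added example: Bob/Jack GnuPG round trip (asymmetric, symmetric, detached signature).

# gpg_modern : succeeds when gpg is installed and is version 2.2 or later
gpg_modern() {
    command -v gpg >/dev/null 2>&1 || return 1
    v=$(gpg --version 2>/dev/null | sed -n '1s/.* //p')
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
    [ "$major" -gt 2 ] 2>/dev/null || { [ "$major" -eq 2 ] && [ "$minor" -ge 2 ]; } 2>/dev/null
}

# g HOMEDIR ARGS... : non-interactive gpg against one person's keyring
#                     (drop the 2>/dev/null when debugging)
g() {
    home=$1; shift
    gpg --batch --quiet --homedir "$home" --pinentry-mode loopback "$@" 2>/dev/null
}

# gpg_roundtrip : prints "asym|sym|verify|tamper", expected "Bob|Bob|ok|rejected"
gpg_roundtrip() {
    work=$(mktemp -d)
    bob=$work/bob; jack=$work/jack
    mkdir -m 700 "$bob" "$jack"

    # (1) Bob generates a key pair and exports his public key in ASCII armor.
    #     %no-protection is for this throwaway run only; a real key gets a passphrase.
    cat > "$work/params" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Bob Example
Name-Email: bob@example.invalid
Expire-Date: 0
%commit
EOF
    g "$bob" --gen-key "$work/params"
    g "$bob" --export -a bob > "$work/bob.key"

    # (2) Jack imports it. The article's "y" at -ear is the "use this untrusted
    #     key anyway?" prompt; --trust-model always is the batch equivalent and is
    #     only acceptable after the fingerprint has been checked with Bob out of band.
    g "$jack" --import "$work/bob.key"
    printf 'Bob\n' > "$work/plain.txt"
    g "$jack" --trust-model always -ear bob -o "$work/bob.txt.asc" "$work/plain.txt"   # (3)

    # (4) Only Bob's private key opens it.
    asym=$(g "$bob" -d "$work/bob.txt.asc")

    # Symmetric: -c / -d with a shared passphrase (supplied on the command line
    # here for batch use; interactively gpg prompts for it).
    g "$bob" --passphrase 'correct horse' -c -o "$work/sym.gpg" "$work/plain.txt"
    sym=$(g "$jack" --passphrase 'correct horse' -d "$work/sym.gpg")

    # Detached signature: Bob signs; Jack verifies the original and a tampered copy.
    g "$bob" -b -o "$work/bob.txt.sig" "$work/plain.txt"
    if g "$jack" --verify "$work/bob.txt.sig" "$work/plain.txt"; then good=ok; else good=FAIL; fi
    printf 'Bob!\n' > "$work/tampered.txt"
    if g "$jack" --verify "$work/bob.txt.sig" "$work/tampered.txt"; then bad=ACCEPTED; else bad=rejected; fi

    gpgconf --homedir "$bob" --kill gpg-agent 2>/dev/null
    gpgconf --homedir "$jack" --kill gpg-agent 2>/dev/null
    rm -rf "$work"
    printf '%s|%s|%s|%s\n' "$asym" "$sym" "$good" "$bad"
}

if gpg_modern; then
    gpg_roundtrip
else
    echo 'skipped: needs GnuPG 2.2 or later' >&2
fi
```

The output `Bob|Bob|ok|rejected` means Bob could decrypt what Jack encrypted to his public key, Jack could decrypt the symmetric file with the shared passphrase, the detached signature verified against the original, and the same signature was refused for the altered file, which is the integrity property from point (2) above.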


This article is from the wsyht blog; please keep the source when reposting: http://wsyht2015.blog.51cto.com/9014030/1790278
