3, SELinux encryption, decryption

SELinux

I. SELinux mode of operation

Modify File/etc/selinux/config

Set selinux=disabled Disable

Set Selinux=permissive Loose mode

Set selinux=enforcing Enforcement Mode

Two. View the current operating mode

[Email protected] ~]# Getenforce

Enforcing

Three. Temporarily modify the operating mode

[Email protected] ~]# Setenforce

Usage:setenforce [Enforcing | Permissive | 1 | 0]//1 delegates mandatory, 0 stands for loose

#yum-y Install setrouble*//troubleshooting software that prompts SELinux for errors

#reboot//reboot required to install the software

Four. Configuring the two main aspects of SELinux

1.SELINUX Contextual Environment

(1) View the context of a file

[Email protected] html]# ls-z

-rw-r--r--. Root root unconfined_u:object_r:net_conf_t:s0 index.html//File context

[Email protected] html]# LS-ZD

Drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0.//Directory Context Environment

[Email protected] html]#

Only care about httpd_sys_content_t, ls-zd the httpd_sys_content_t of the directory to modify the context of the file

(2) Modifying the SELinux context environment value

[Email protected] html]# chcon-t httpd_sys_content_t index.html

(2.1) Restore the file to the default value in your directory

#restorecon-rv/var/www/html//-r with Table recursive recovery context environment value, including sub-files and subfolders

#restorecon-V/var/www/html/index.html//Modify only one file context,-V print out

Files copied from other directories will inherit the context of his original directory.

Files that are moved from other directories inherit the context of the Moving destination folder

SELinux Boolean value

4.windows access to Linux via Samba

(1) Installing Samba

(2) # smbpasswd-a Root

(3) Service SMB start Start services

(4) With UNC path access under Windows, can see the home directory of root, but double hit not open

(5) # Getsebool-a | grep Samba

(6) # sebsebool-p SAMBA_EXPORT_ALL_RW 1//r, read, w write, 1 means open read or write, can also be written rw=on

(7) Once again accessed under Windows with a UNC path, you can open the home directory of root

2. Example Ii. Implementing FTP Anonymous user uploads

(1) # mkdir-m 757/var/ftp/incoming

(2) vim/etc/vsftpd/vsftpd.conf

Anon_upload_enable=yes Modify vsftpd.conf Open anonymous upload

(3) Upload file test,

FTP, enter

Ftp> CD Incoming

ftp> lcd/etc//LCD Change Local Directory

Ftp> put passwd

If the setroubleshoot is already installed, a prompt will appear in the upper right corner of the screen, as prompted to modify

#chcon-T public_content_rw_t/var/ftp/incoming//Modify Context

# Getsebool-a | grep ftp > Get the SELinux boolean value associated with FTP

# setsebool-p Allow_ftpd_anon_write 1//Open Boolean, can also be written as Write=on

(4) Try uploading again, success

FTP 192.168.1.2

Ftp>jack, log in with Jack.

ftp> Password

Prompt cannot change directory

# Getsebool-a | grep ftp > Get the SELinux boolean value associated with FTP

# setsebool-p Ftp_home_dir 1//Open Boolean, allow access to directory

Vimdiff vsftpd.conf Vsftpd.conft//Compare two files in different places

Six. Installing setroubleshoot (troubleshooting) Troubleshooting

# yum Install-y setroubleshoot*

Restart

There are any selinux violations, the system will give a hint and a solution

If it's a graphical interface, a message pops up in the upper-right corner of the screen. If it is a character terminal, you can view the log file

Vim/var/log/messages

Run Sealert-l 17876b7e-c588-4d5e-a900-ca093341fc38

There will be a help message when the terminal is running this line

# sealert-l 17876b7e-c588-4d5e-a900-ca093341fc38

Seven. Get help with SELinux settings

(1) Man ftpd SELinux

Mans httpd SELinux

Man Samba SELinux

(2) Some service configuration files are also described

Vim/etc/samba/smb.conf

Encrypted decryption

[[Email protected] html]# TR ' A-Z ' A-Z '//convert letters to uppercase

Hellow

Hellow

^c

[email protected] html]# Cat index.html | Tr ' A-Z ' A-Z '//convert file letters to uppercase output

Bbb

[[Email protected] html]# TR ' A-Z ' A-Z ' < index.html//convert file letters to uppercase output

Wsyht

[[Email protected] html]# tr ' a-y ' b-z '//encryption

Hellow

Ifmmpx

^c

GNUPG Encryption Tool

Symmetric encryption

Asymmetric encryption

Signature

GPG--version//view version

Symmetric encryption

Cryptographic operation:-C

Decryption Operation:-D

Symmetric encryption

Terminal 1 (Bob)

ssh-x [email protected]//-x means you can open the graphical interface

echo "Bob" > Bob.txt

Gpg-c Bob.txt//encryption

CP bob.txt.gpg/tmp

Terminal 2 (Jack)

ssh-x [email protected]//-x means you can open the graphical interface

Cp/tmp/bob.txt.gpg.

gpg-d bob.txt//Decrypt output to screen (do not write-D also line)

gpg-d bob.txt.gpg > Bob.txt//Decrypt and redirect to bob.txt this file

Asymmetric encryption

Terminal 1 (Bob)

ssh-x [email protected]//-x means you can open the graphical interface

#gpg--gen-key

#回车

#回车

#0

#y

#wsyht

#[email protected]

#回车

#O

#输入保护私钥的密码

Cue box point right option

Randomly press the letter to generate the key

#gpg--list-keys//View public key information

#gpg--list-secret//view private key information

#gpg--export-a >/tmp/bob.key//Export public key,-a means output in ASCII format (1)

#cat/tmp/bob.key

#gpg--fingerprint//print fingerprint information

#cp/TMP/BOB.TXT.ASC. Copy JAVK encrypted files to the current folder (4)

#gpg BOB.TXT.ASC

#ls

Terminal 2 (Jack)

#ssh-X [email protected]//-x means you can open the graphical interface

#gpg--import/tmp/bob.key//Import Public key (2)

#gpg--list-keys//Can view the public key

#gpg--list-secret//Cannot view the private key, no key pair

#man GPG

#gpg-ear Bob Bob.txt E, encryption, A,ASCIID code output, R, recipient, Bob user name

#y

#cat BOB.TXT.ASC

#cp/bob.txt.asc/tmp//Copy files encrypted with public key to TMP (3)

Three. Signing with GPG

1. Signature Achievable Features:

(1) Identity authentication, indicating that the user is indeed the person he claims to be.

(2) Data integrity, once the data has been tampered with, the signature will expire.

(3) Recognition, non-repudiation

Terminal 1 (Bob)

2.bob Send the signature file to Jack

#echo ' Bob file ' > Bob.txt

#gpg-B bob.txt//signature

#ls

Bob.txt Bob.txt.sig

2.2 Send the original and signature files to Jack

#cp bob.txt*/tmp

Terminal 2 (Jack)

2.3 Verifying signatures

#cp/tmp/bob.txt*

#ls

Bob.txt Bob.txt.sig

Verifying signatures #gpg--verify Bob.txt.sig

This article is from the "Wsyht blog" blog, make sure to keep this source http://wsyht2015.blog.51cto.com/9014030/1790278

3, SELinux encryption, decryption