SELinux
I. SELinux mode of operation
Edit /etc/selinux/config (the setting is read at boot, so a change here takes effect after a reboot):
Set SELINUX=disabled    // disabled: no policy is loaded and nothing is labelled
Set SELINUX=permissive    // permissive mode: denials are logged but not enforced
Set SELINUX=enforcing    // enforcing mode: denials are logged and blocked
II. View the current operating mode
# getenforce
Enforcing
III. Temporarily modify the operating mode
# setenforce
usage: setenforce [ Enforcing | Permissive | 1 | 0 ]    // 1 = Enforcing, 0 = Permissive; lasts until the next reboot and can only switch between these two modes (it cannot leave or enter disabled)
# yum -y install setroubleshoot*    // troubleshooting software that explains SELinux denials and suggests a fix
# reboot    // the notes reboot after installing it so the new daemon starts receiving denial messages
IV. The two things you configure in SELinux: contexts and booleans
1. SELinux contexts
(1) View the context of a file (in /var/www/html)
# ls -Z
-rw-r--r--. root root unconfined_u:object_r:net_conf_t:s0 index.html    // file context
# ls -Zd
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 .    // context of the directory itself
A context is user:role:type:level. Only the type field (httpd_sys_content_t here) matters in the targeted policy: its rules say which process types may read which file types. ls -Zd shows the type the directory carries; a file under it normally needs the same type, so the fix is to change the file's context to match.
(2) Changing the SELinux context of a file
# chcon -t httpd_sys_content_t index.html    // -t sets only the type field
(2.1) Restoring the default context for a directory
# restorecon -Rv /var/www/html    // -R recurses into subdirectories and their files, -v prints every file it relabels
# restorecon -v /var/www/html/index.html    // relabel a single file
restorecon applies the labels the policy defines for that path; a chcon change is not recorded anywhere and is lost at the next relabel, so prefer restorecon whenever the default label is the one you want.
A file copied from another directory gets the default context of the destination directory: cp creates a new file, which is labelled like its new parent.
A file moved from another directory keeps its original context: mv preserves the label, which is why a file moved into /var/www/html from a home directory often cannot be served by httpd until restorecon is run on it.
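The following is an added example, not from the original notes: a small shell audit that pulls the type field out of `ls -Z` output and lists the files whose type differs from the directory's, printing the chcon command that would fix each one. The ls -Z lines, the file names and the directory type are constructed to mirror the notes above (moved.html stands for a file that was mv'd in from /root and so kept admin_home_t).

```shell
#!/bin/sh
# Added example (not from the original notes): read the type field out of
# `ls -Z` output and report files whose type differs from their directory's.
# The `ls -Z` lines and file names below are constructed for this demo.

# A context is user:role:type:level; return the third field (the type).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# mismatched_types WANT_TYPE
#   stdin : `ls -Z` lines of the form: mode user group context name
#           (file names containing spaces are not handled)
#   stdout: one "chcon -t WANT_TYPE NAME" line per file whose type differs
mismatched_types() {
    want=$1
    while read -r _mode _user _group ctx name; do
        [ -n "$name" ] || continue            # skip blank lines
        if [ "$(context_type "$ctx")" != "$want" ]; then
            printf 'chcon -t %s %s\n' "$want" "$name"
        fi
    done
}

# Constructed `ls -Z` output for /var/www/html: index.html is the file from
# the notes, moved.html stands for a file that was mv'd in from /root.
SAMPLE_LS_Z='-rw-r--r--. root root unconfined_u:object_r:net_conf_t:s0 index.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 about.html
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 moved.html'
DIR_TYPE=httpd_sys_content_t    # what `ls -Zd` reported for the directory

printf '%s\n' "$SAMPLE_LS_Z" | mismatched_types "$DIR_TYPE"
# prints:
#   chcon -t httpd_sys_content_t index.html
#   chcon -t httpd_sys_content_t moved.html
```

On a live system the same question is better answered from the policy rather than from the directory's label: `restorecon -Rvn /var/www/html` (-n: report, do not change) lists every file whose label differs from what the file-context rules say it should be.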
2. SELinux boolean values
Example 1. Windows accesses Linux via Samba
(1) Install Samba
(2) # smbpasswd -a root    // create a Samba password for root
(3) # service smb start    // start the service
(4) Open the share from Windows with a UNC path: root's home directory is listed, but double-clicking it fails to open it
(5) # getsebool -a | grep samba    // list the Samba-related booleans
(6) # setsebool -P samba_export_all_rw 1    // the name reads "export all, read-write"; 1 (or on) enables it, and setsebool -P samba_export_all_rw=on is the same thing; -P writes the value to the policy so it survives a reboot
(7) Open the share again from Windows with the UNC path; root's home directory now opens
samba_export_all_rw lets smbd read and write every file on the system regardless of its type. If the goal is only home directories, the narrower samba_enable_home_dirs boolean does that without opening everything else.
Example 2. Anonymous FTP uploads
(1) # mkdir -m 757 /var/ftp/incoming    // a world-writable drop directory; mode 1733 (no read bit for others, sticky) would stop anonymous users from listing and fetching each other's uploads
(2) vim /etc/vsftpd/vsftpd.conf
anon_upload_enable=YES    // enable anonymous upload in vsftpd.conf (write_enable=YES must also be on; it is in the stock RHEL file)
(3) Test the upload:
# ftp 192.168.1.2    // log in as anonymous
ftp> cd incoming
ftp> lcd /etc    // lcd changes the local directory
ftp> put passwd
The upload is denied. If setroubleshoot is installed, a notification appears in the upper-right corner of the screen; fix it as the notification suggests:
# chcon -t public_content_rw_t /var/ftp/incoming    // change the directory's type to one that ftpd may write to
# getsebool -a | grep ftp    // list the SELinux booleans related to FTP
# setsebool -P allow_ftpd_anon_write 1    // enable the boolean (allow_ftpd_anon_write=on is equivalent); on RHEL 7 and later the boolean is called ftpd_anon_write
(4) Try the upload again: success
Example 3. A local user logs in over FTP
# ftp 192.168.1.2
Name: jack    // log in as the local user jack
Password:
The login succeeds but the home directory cannot be entered ("cannot change directory").
# getsebool -a | grep ftp    // list the SELinux booleans related to FTP
# setsebool -P ftp_home_dir 1    // allow ftpd to read and write users' home directories
# vimdiff vsftpd.conf <saved copy of vsftpd.conf>    // show the differences between the edited file and the saved copy side by side
VI. Installing setroubleshoot (troubleshooting)
# yum install -y setroubleshoot*
Reboot.
Whenever there is an SELinux denial, the system reports it together with a suggested fix.
On a graphical desktop a message pops up in the upper-right corner of the screen. On a text console, read the log file instead:
# vim /var/log/messages    // or: grep sealert /var/log/messages
Each denial entry ends with a line telling you to run sealert -l <id>, for example sealert -l 17876b7e-c588-4d5e-a900-ca093341fc38
Running that command on the terminal prints the explanation of the denial and the suggested fix:
# sealert -l 17876b7e-c588-4d5e-a900-ca093341fc38
VII. Getting help with SELinux settings
(1) Each confined service has its own man page listing its file types and booleans:
# man ftpd_selinux
# man httpd_selinux
# man samba_selinux
(2) Some service configuration files also describe the relevant SELinux settings in their comments:
# vim /etc/samba/smb.conf
Encryption and decryption
Letter substitution with tr
# tr 'a-z' 'A-Z'    // convert typed letters to upper case
hellow
HELLOW
^C
# cat index.html | tr 'a-z' 'A-Z'    // upper-case the contents of a file and print the result
BBB
# tr 'a-z' 'A-Z' < index.html    // the same, reading the file directly
WSYHT
# tr 'a-y' 'b-z'    // "encryption": shift every letter forward by one
hellow
ifmmpx
^C
This is a Caesar shift, not encryption in any real sense: anyone who sees the output undoes it with tr 'b-z' 'a-y'. Note also that 'a-y' is one letter short, so a z passes through unchanged; tr 'a-z' 'b-za' wraps z around to a.
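The following is an added example, not from the original notes: the tr 'a-y' 'b-z' trick generalised to a shift by any amount with proper wrap-around for both letter cases, together with the inverse mapping that undoes it. The function names and the sample inputs (hellow, zebra) are choices made for this demo.

```shell
#!/bin/sh
# Added example (not from the original notes): the tr 'a-y' 'b-z' trick
# generalised to a shift by N with wrap-around, plus the inverse mapping.
# This is a Caesar shift, an exercise in tr, not real encryption.

ALPHA=abcdefghijklmnopqrstuvwxyz

# Print the alphabet rotated left by N (N taken modulo 26), e.g. 1 -> bcd...za
rotated_alphabet() {
    n=$(( $1 % 26 ))
    if [ "$n" -eq 0 ]; then
        printf '%s\n' "$ALPHA"
    else
        m=$((n + 1))
        head=$(printf '%s' "$ALPHA" | cut -c"$m"-)    # letters after the cut point
        tail=$(printf '%s' "$ALPHA" | cut -c1-"$n")    # letters before it, wrapped to the end
        printf '%s%s\n' "$head" "$tail"
    fi
}

# caesar N: shift lower- and upper-case letters forward by N; stdin -> stdout.
# tr is given explicit 52-character sets, so z wraps to a (unlike 'a-y' 'b-z').
caesar() {
    rot=$(rotated_alphabet "$1")
    upper=$(printf '%s' "$ALPHA" | tr 'a-z' 'A-Z')
    rot_upper=$(printf '%s' "$rot" | tr 'a-z' 'A-Z')
    tr "${ALPHA}${upper}" "${rot}${rot_upper}"
}

# uncaesar N: the inverse; swapping tr's two sets undoes the shift
uncaesar() {
    rot=$(rotated_alphabet "$1")
    upper=$(printf '%s' "$ALPHA" | tr 'a-z' 'A-Z')
    rot_upper=$(printf '%s' "$rot" | tr 'a-z' 'A-Z')
    tr "${rot}${rot_upper}" "${ALPHA}${upper}"
}

printf 'hellow\n' | caesar 1                          # ifmmpx, as in the notes
printf 'zebra\n'  | caesar 1                          # afcsb: z wraps to a
printf 'ifmmpx\n' | uncaesar 1                        # hellow
printf 'Hello, World\n' | caesar 13 | uncaesar 13     # Hello, World (rot13 twice is the identity)
```

Since the "key" is a number from 1 to 25, trying all of them with `uncaesar` recovers any message in a few lines of shell, which is the practical reason this does not count as encryption.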
GnuPG encryption tool
Symmetric encryption
Asymmetric encryption
Signatures
gpg --version    // show the version
I. Symmetric encryption
Encrypt: -c (--symmetric)
Decrypt: -d (--decrypt)
Terminal 1 (Bob)
ssh -X bob@<server>    // -X forwards X11 so graphical dialogs (the pinentry passphrase prompt) can open
echo "bob" > bob.txt
gpg -c bob.txt    // asks for a passphrase and writes bob.txt.gpg
cp bob.txt.gpg /tmp
Terminal 2 (Jack)
ssh -X jack@<server>    // -X forwards X11 so the pinentry dialog can open
cp /tmp/bob.txt.gpg .
gpg -d bob.txt.gpg    // decrypt to the screen after entering the same passphrase
gpg -d bob.txt.gpg > bob.txt    // decrypt and redirect the output into bob.txt
gpg bob.txt.gpg    // without -d, gpg writes the plaintext to bob.txt itself
Symmetric encryption protects the file only as well as the passphrase: the ciphertext can sit in a shared /tmp, but the passphrase has to reach Jack over a separate channel.
II. Asymmetric encryption
Terminal 1 (Bob)
ssh -X bob@<server>    // -X forwards X11 so the pinentry dialog can open
# gpg --gen-key    // interactive key generation; the answers given in the notes were:
    Enter    (key type: accept the default)
    Enter    (key size: accept the default)
    0        (the key does not expire)
    y        (confirm)
    wsyht    (real name)
    (email address)
    Enter    (no comment)
    O        (Okay)
    the passphrase that protects the private key, typed into the pinentry dialog (confirm with the button on the right)
Move the mouse and press random keys while the key is being generated, to feed the entropy pool.
# gpg --list-keys    // show the public keys
# gpg --list-secret-keys    // show the private (secret) keys
# gpg --export -a > /tmp/bob.key    // (1) export the public key; -a means ASCII-armored output (without a user ID this exports every public key in the keyring)
# cat /tmp/bob.key
# gpg --fingerprint    // print the fingerprint, which Jack should compare over a trusted channel before encrypting to this key
Terminal 2 (Jack)
# ssh -X jack@<server>    // -X forwards X11 so the pinentry dialog can open
# gpg --import /tmp/bob.key    // (2) import Bob's public key
# gpg --list-keys    // Bob's public key is now listed
# gpg --list-secret-keys    // lists nothing: Jack has only Bob's public key, no key pair of his own
# man gpg
# gpg -ear Bob bob.txt    // -e encrypt, -a ASCII-armored output, -r recipient (Bob's user ID); writes bob.txt.asc
# y    // answer to "Use this key anyway?", asked because the imported key has not been certified; check the fingerprint before answering
# cat bob.txt.asc
# cp bob.txt.asc /tmp    // (3) hand the public-key-encrypted file to Bob
Terminal 1 (Bob)
# cp /tmp/bob.txt.asc .    // (4) fetch the file Jack encrypted
# gpg bob.txt.asc    // decrypt with Bob's private key (asks for the passphrase) and write the result to bob.txt
# ls
III. Signing with GPG
1. What a signature provides:
(1) Authentication: the data was signed by whoever holds the private key, so the user is who they claim to be.
(2) Data integrity: if the data is altered after signing, the signature no longer verifies.
(3) Non-repudiation: the signer cannot later deny having signed the data.
Terminal 1 (Bob)
2. Bob sends a signed file to Jack
# echo 'bob file' > bob.txt
# gpg -b bob.txt    // detached signature (-b is --detach-sign); asks for the passphrase
# ls
bob.txt bob.txt.sig
2.2 Send the original and the signature file to Jack
# cp bob.txt* /tmp
Terminal 2 (Jack)
2.3 Verify the signature
# cp /tmp/bob.txt* .
# ls
bob.txt bob.txt.sig
# gpg --verify bob.txt.sig    // checks bob.txt against the signature using Bob's imported public key; prints "Good signature", with a warning that the key is not certified until Jack has verified its fingerprint and signed it
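The following is an added example, not from the original notes: the whole Bob/Jack procedure from the symmetric, asymmetric and signing sections above, run non-interactively on one machine so it can be reproduced step by step. Two throwaway --homedir keyrings stand in for the two accounts and a temporary directory for the shared /tmp. It assumes GnuPG 2.1 or newer (for --quick-gen-key and loopback pinentry); the names, addresses, passphrase and file contents are constructed for the demo, and the empty key passphrase is a demo shortcut that a real key should not take.

```shell
#!/bin/sh
# Added example (not from the original notes): the Bob/Jack exchange run
# non-interactively. Two throwaway --homedir keyrings stand in for the two
# accounts, $WORK for the shared /tmp. Assumes GnuPG 2.1 or newer.
# Names, addresses, passphrase and file contents are constructed for the demo.
set -eu

# True when a GnuPG 2.x (or later) "gpg" is on the PATH.
gpgdemo_available() {
    gpg --version 2>/dev/null | head -n 1 | grep -Eq ') [2-9]\.'
}

gpgdemo_setup() {
    WORK=$(mktemp -d)
    BOB=$WORK/bob; JACK=$WORK/jack
    mkdir -m 700 "$BOB" "$JACK"
    # Bob: generate a key pair (the notes' interactive gpg --gen-key). The empty
    # passphrase is for the demo only; a real key gets one in the pinentry dialog.
    gpg --homedir "$BOB" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Bob <bob@example.com>' default default never 2>/dev/null
    # (1) Bob exports his public key, ASCII-armored; (2) Jack imports it.
    gpg --homedir "$BOB" --batch --armor --export bob@example.com > "$WORK/bob.key"
    gpg --homedir "$JACK" --batch --quiet --import "$WORK/bob.key" 2>/dev/null
}

# Jack encrypts for Bob (gpg -ear Bob), Bob decrypts (gpg -d). Prints the plaintext.
gpgdemo_asymmetric() {
    printf 'bob\n' > "$WORK/bob.txt"
    # --trust-model always replaces the "use this key anyway? y" answer; in
    # real use compare gpg --fingerprint with Bob over a trusted channel first.
    gpg --homedir "$JACK" --batch --quiet --trust-model always --armor \
        --recipient bob@example.com --output "$WORK/bob.txt.asc" --encrypt "$WORK/bob.txt"
    gpg --homedir "$BOB" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --decrypt "$WORK/bob.txt.asc" 2>/dev/null
}

# Jack holds only the public key, so his decryption must fail; returns 0 when it does.
gpgdemo_jack_cannot_decrypt() {
    if gpg --homedir "$JACK" --batch --quiet --decrypt "$WORK/bob.txt.asc" >/dev/null 2>&1; then
        return 1
    fi
}

# Bob signs (gpg -b), Jack verifies (gpg --verify); then one byte is appended
# and verification must fail. Prints "tampered-detected" on the expected outcome.
gpgdemo_sign_verify() {
    printf 'bob file\n' > "$WORK/bob.txt"
    gpg --homedir "$BOB" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --output "$WORK/bob.txt.sig" --detach-sign "$WORK/bob.txt"
    gpg --homedir "$JACK" --batch --quiet --verify "$WORK/bob.txt.sig" "$WORK/bob.txt" 2>/dev/null
    printf 'x' >> "$WORK/bob.txt"
    if gpg --homedir "$JACK" --batch --quiet --verify "$WORK/bob.txt.sig" "$WORK/bob.txt" 2>/dev/null; then
        return 1
    fi
    echo tampered-detected
}

# gpg -c / gpg -d: no keys involved, anyone holding the passphrase can decrypt.
gpgdemo_symmetric() {
    printf 'bob\n' > "$WORK/sym.txt"
    gpg --homedir "$BOB" --batch --quiet --pinentry-mode loopback --passphrase 'demo-passphrase' \
        --output "$WORK/sym.txt.gpg" --symmetric "$WORK/sym.txt"
    gpg --homedir "$JACK" --batch --quiet --pinentry-mode loopback --passphrase 'demo-passphrase' \
        --decrypt "$WORK/sym.txt.gpg" 2>/dev/null
}

# Stop the per-keyring gpg-agents and remove the temporary files.
gpgdemo_cleanup() {
    gpgconf --homedir "$BOB" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$JACK" --kill gpg-agent 2>/dev/null || true
    rm -rf "$WORK"
}

if gpgdemo_available; then
    gpgdemo_setup
    gpgdemo_asymmetric                                   # bob
    gpgdemo_jack_cannot_decrypt && echo 'Jack cannot decrypt: no secret key'
    gpgdemo_sign_verify                                  # tampered-detected
    gpgdemo_symmetric                                    # bob
    gpgdemo_cleanup
fi
```

The two places where the interactive session asked a question are the two places the script has to make a security decision explicitly: --trust-model always stands in for the "y" given to an uncertified key, and --passphrase replaces the pinentry dialog. In real use the first should be a fingerprint check followed by signing Bob's key, and the second should stay a prompt.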
This article comes from the "Wsyht blog"; please keep this source when reposting: http://wsyht2015.blog.51cto.com/9014030/1790278