About SELinux Getting Started

Source: Internet
Author: User

An operating system can use two kinds of access control: Discretionary Access Control (DAC) and Mandatory Access Control (MAC). Standard Linux permissions are DAC; SELinux adds a flexible, configurable MAC layer on top of them.

Under DAC, a process starts with the rights of the user who runs it, and which files it can access depends on the owner, group and other permission bits of each file.

If a user runs a process that needs only a few files to do its job, the process nevertheless holds that user's full permissions: it can touch every file the user can. Plain Linux has no way to confine a process to just the files it needs. That is the gap MAC fills: even though the process runs as that user, and even where DAC would allow the access, MAC denies it access to files it has no reason to touch.

So how is this implemented?
When a process starts it is placed in a scope (a domain) and may only access resources permitted to that scope. Every program uses a different set of resources and permissions, and writing a tailored scope for each program on the system is impractical, so SELinux policies come in two variants.

SELinux policy types
Strict: every process on the system is confined by SELinux.
Targeted: only selected processes are confined, typically the network-facing daemons that are most exposed to attack; everything else runs unconfined.

SELinux working model

There are three kinds of actors: subject, operation and object.
Subject: the initiator of the operation.
Operation: what the subject is trying to do; which operations exist depends on what the object supports.
Object: the target of the operation.
Usually the subject is a process. The object can be a file or another process, and the operations available depend on it: for a file they include read, write, open, close and changing permissions; for a process as the object they include sending it a signal (kill) and creating it.

Every process carries a label. So does every file and directory in the system; even network ports, devices and (potentially) hostnames are labelled. A label has up to five parts, user:role:type[:level[:category]]. The user is a SELinux user, not the Linux account that runs the process; level and category define the sensitivity hierarchy and compartments used only by the MLS/MCS policies.

Labels separate processes into domains and assign files to types. A rule base (the policy) then states which domains may perform which operations on which types. When a process tries to access a file and the policy contains no rule allowing the process's domain that operation on the file's type, the access is denied even if DAC would allow it; to permit it you change a label (relabel the file, or run the process in a different domain) or adjust the policy.
The SELinux policy is compiled into a binary form so that access checks are fast.
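
The practical form of the rule above is the AVC denial record that SELinux writes to /var/log/audit/audit.log: it names the subject domain (scontext), the object type (tcontext), the object class and the permission that was refused. The following POSIX shell script is an added example, not code from the original article; it parses such records, using the user:role:type:level layout described above, and tallies which domain/type pair is being denied most often. The audit lines in SAMPLE_AVC are constructed for the example (pids, inodes and timestamps are made up).

```shell
#!/bin/sh
# Added example, not from the original article: pull the subject domain, object type,
# class and denied permission out of AVC records as written to /var/log/audit/audit.log.

# Constructed sample audit.log content (not captured from a real system). The SYSCALL
# record is included to show that only AVC "denied" records are selected.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1700000000.456:457): avc:  denied  { getattr open } for  pid=1234 comm="httpd" path="/home/alice/www/index.html" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.000:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1'

# ctx_field LABEL N: field N of a user:role:type:level label (1=user, 2=role, 3=type, 4=level).
ctx_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# avc_summary: reads audit records on stdin and prints, one line per denial,
#   <subject domain> <object class> <denied permissions> <object type> <permissive flag>
# Several permissions inside one { } are joined with commas.
avc_summary() {
    grep 'avc: *denied' | while IFS= read -r line; do
        perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*[^ }]\) *}.*/\1/p' | tr ' ' ',')
        scon=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
        tcon=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
        tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
        mode=$(printf '%s\n' "$line" | sed -n 's/.*permissive=\([01]\).*/\1/p')
        printf '%s %s %s %s %s\n' \
            "$(ctx_field "$scon" 3)" "$tclass" "$perms" "$(ctx_field "$tcon" 3)" "$mode"
    done
}

# avc_pairs: collapse the summary into "<count> <domain>-><type>", noisiest pair first.
# That pair is the one to relabel, or to open a boolean for, before anything else.
avc_pairs() {
    avc_summary | awk '{ print $1 "->" $4 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_pairs
```

On a real machine feed it the output of ausearch -m AVC instead of the sample, and use audit2why for the policy's own explanation of each denial. The two shapes in the sample are the common ones: a file type that does not belong under a web root (user_home_t, fixed by relabelling the files to httpd_sys_content_t and running restorecon) and a network access that the policy gates behind a boolean (httpd_t to mysqld_port_t, enabled with setsebool -P httpd_can_network_connect_db on). The permissive=1 flag on the last record shows the process was in permissive mode, so that access was logged but not blocked.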

How to use SELinux

(1) /etc/sysconfig/selinux (a link to /etc/selinux/config): turn SELinux on or off
SELINUX=enforcing|permissive|disabled
Switching from disabled to enforcing or permissive requires a reboot so that every file on the system can be relabelled (create the file /.autorelabel before rebooting to trigger the relabel). Permissive blocks nothing, but records every denial in the log /var/log/audit/audit.log.
getenforce / setenforce 0|1: show or change the current mode (0 = permissive, 1 = enforcing). setenforce does not survive a reboot and cannot enable SELinux from the disabled state.
(2) Viewing and changing file labels
ps -Z: show the security context of processes (ps -eZ for all of them)
ls -Z: show the security context of files and directories
chcon [-u USER] [-r ROLE] [-t TYPE] FILE (add -R to recurse into directories)
Files in standard directories get a type derived from the directory name (for example etc_t under /etc); changing a file's type restricts which domains may access it without touching its DAC owner or group.
Restore the default label of a file: restorecon [-R] path/file
(3) SELinux boolean switches
getsebool -a: list all SELinux booleans
setsebool: set a SELinux boolean, for example setsebool -P dhcpd_disable_trans=0 (an older boolean; list the names your policy actually defines with getsebool -a). -P writes the value into the policy store so it persists across reboots; without -P the change takes effect immediately but is lost on reboot.
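
The three steps above are usually done by hand at a root shell. The script below is an added example, not part of the original article: it reads and rewrites the SELINUX= line of /etc/selinux/config with validation (a misspelled mode must never reach a file that is read at boot), and then runs the read-only checks from steps (1) to (3) only if the SELinux tools are installed, so it is harmless on any other machine. The config file it works on is a constructed copy written to a temporary path; the function names config_mode, set_config_mode, demo_config and live_checks are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: read and change the persistent
# SELinux mode in /etc/selinux/config (the target of the /etc/sysconfig/selinux link)
# with validation, then run the read-only live checks if the SELinux tools exist.

# config_mode FILE: print the value of the active SELINUX= line.
# Commented lines and the separate SELINUXTYPE= key do not match the pattern.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([A-Za-z]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1
}

# set_config_mode FILE MODE: rewrite the SELINUX= line. Anything other than the three
# documented values is rejected instead of being written into a file read at boot.
# The result is copied into the existing file rather than moved over it, so the file
# keeps its owner, mode and its own SELinux label.
set_config_mode() {
    file=$1
    mode=$2
    case $mode in
        enforcing|permissive|disabled) ;;
        *) printf 'set_config_mode: invalid mode "%s"\n' "$mode" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
    [ "$(config_mode "$file")" = "$mode" ]
}

# demo_config: write a constructed copy of a typical config file to a temp path and print the path.
demo_config() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# This file controls the state of SELinux on the system (constructed sample).
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF
    printf '%s\n' "$tmp"
}

# live_checks: the read-only commands from the article, run only where SELinux tooling
# exists. The state-changing commands are left as comments with the flag that matters.
live_checks() {
    if ! command -v getenforce >/dev/null 2>&1; then
        echo "SELinux tools not installed; skipping live checks"
        return 0
    fi
    echo "current mode: $(getenforce)"                       # Enforcing, Permissive or Disabled
    echo "persistent mode: $(config_mode /etc/selinux/config)"
    ps -eZ | grep '[h]ttpd' || echo "no httpd process"       # domain appears as ...:httpd_t:...
    ls -dZ /var/www/html 2>/dev/null || true                 # type appears as httpd_sys_content_t
    getsebool httpd_can_network_connect_db 2>/dev/null || true
    # setenforce 0                                   # permissive until reboot; cannot enable from disabled
    # touch /.autorelabel                            # after disabled -> enforcing, relabel on next boot
    # chcon -R -t httpd_sys_content_t /srv/www       # ad hoc relabel of a custom web root
    # restorecon -Rv /srv/www                        # undo chcon by restoring the default labels
    # setsebool -P httpd_can_network_connect_db on   # -P persists across reboots
}

# Stand-alone run against the constructed config copy.
f=$(demo_config)
echo "sample config mode: $(config_mode "$f")"
set_config_mode "$f" permissive && echo "after change: $(config_mode "$f")"
set_config_mode "$f" enforce || echo "typo rejected, file still says: $(config_mode "$f")"
rm -f "$f"
live_checks
```

A relabel done with chcon is not recorded in the policy's file-context database, so a later restorecon or an autorelabel reverts it; for a custom directory that must keep its type, the persistent route is to add a file-context rule with semanage fcontext and then run restorecon, which the example leaves to the reader.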

Reference: http://blog.csdn.net/myarrow/article/details/9856095/
