What is SELinux? (An access control system that brings system security up to a military level)
Baidu explains: SELinux was developed by the United States National Security Agency (NSA) to implement mandatory access control, and it is the most outstanding new security subsystem in the history of Linux. The NSA, with the help of the Linux community, developed an access control system under whose constraints a process can access only the files it needs for its task.
How to use it?
[root@hack1 ~]# cat /etc/redhat-release
CentOS release 6.6 (Final)
[root@hack1 ~]# uname -a
Linux hack1 2.6.32-504.12.2.el6.i686 #1 SMP Wed Mar 19:05:53 UTC i686 i686 i386 GNU/Linux
[root@hack1 ~]#
This is my system.
[root@hack1 selinux]# ls
config  restorecond.conf  restorecond_user.conf  semanage.conf  targeted
[root@hack1 selinux]# pwd
/etc/selinux
[root@hack1 selinux]# cat config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@hack1 selinux]#
Now let me explain the config file in the /etc/selinux directory.
SELINUX can take one of three values:
enforcing: the security policy configured for SELinux is enabled, and every service or program governed by the SELinux security policy is blocked by that policy when it steps outside it.
permissive: the security policy is started, but services or programs governed by the SELinux security policy are not blocked by it; they only receive a warning.
disabled: SELinux is turned off, which is equivalent to the system not having SELinux installed.
How is the policy enforced?
Through the binary and the content (the security context): which files a process can access depends on the permissions of the user who started the process and the permissions of the files being accessed. How to view the binary's and the content's contexts is shown below; see also this link: http://www.myhack58.com/article/48/66/2012/36288.htm
Common commands
[root@hack1 selinux]# getsebool -a    # list all of the system's "switch"-style rules (booleans)
abrt_anon_write --> off
abrt_handle_event --> off
allow_console_login --> on
allow_cvs_read_shadow --> off
......
[root@hack1 selinux]# getenforce    # show the current SELinux status
Enforcing
[root@hack1 selinux]# setenforce 0|1    # set the SELinux status: 0 = permissive, 1 = enforcing (temporary, lost at reboot)
ls -Z    # show the labels of files
[root@hack1 selinux]# ls -Z    # you can see the different labels
-rw-r--r--. root root system_u:object_r:selinux_config_t:s0 config
-rw-r--r--. root root system_u:object_r:selinux_config_t:s0 restorecond.conf
-rw-r--r--. root root system_u:object_r:selinux_config_t:s0 restorecond_user.conf
[root@hack1 selinux]# ls -Z /root
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log.syslog
[root@hack1 selinux]# ls -Z /home/lxf/
-rw-rw-r--. lxf lxf unconfined_u:object_r:user_home_t:s0 c.log
[root@hack1 selinux]#
ps auxZ    # show the labels of processes (user:role:type)
ps auxZ | grep httpd    # show httpd's label
ls -dZ /var/www/html    # show this directory's label (in the case from the link, files copied to a different location cannot be accessed in the same way, and the reason is SELinux)
# the process and the directory above are given matching types by SELinux, so the access is permitted
chcon -t    # change a file's type
      -R    # change a directory's type (recursive modification)
      --reference    # take the context from a reference file
chcon -R --reference=/var/www/html /www    # relabel /www (recursively) using /var/www/html's context as the reference
chcon -t default_t /www/index.html    # change the file's type to default_t
restorecon -R    # restore the default contexts of the files in a directory
           -F    # force the restore
           -v    # show what is being done
restorecon -R -v -F /www    # force-restore the default contexts of the /www directory
semanage fcontext    # change a file's security context (permanent change)
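The "copied file keeps the wrong label" case mentioned above is easy to catch before httpd fails on it. The following audit script is an added example, not code from the original article: it parses "ls -Z" style lines (the CentOS 6 layout shown above, mode owner group context name; the newer "context name" layout also works because the context is found by its colon-separated shape) and prints every file whose type is not the one expected for web content. The listing is constructed sample data, not a real capture, and the expected type httpd_sys_content_t (the targeted policy's type for static web content, not named on this page) is an assumption for the example.

```shell
#!/bin/sh
# Added example, not code from the original article. Constructed "ls -Z"
# output: "copied.html" stands for a file copied in from /root that kept
# its admin_home_t label instead of getting httpd_sys_content_t.
SAMPLE_LS_Z='-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 copied.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 about.html'

# Print the security context (user:role:type:level) of one "ls -Z" line:
# the first whitespace-separated field shaped like a:b:c:... is the context.
context_of() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
        if ($i ~ /^[^:]+:[^:]+:[^:]+:/) { print $i; exit } }'
}

# Print the SELinux type (third colon-separated field) of one "ls -Z" line.
# MCS levels such as s0:c0.c1023 add more colons, but the type is always
# the third field, so this still works for them.
type_of() {
    context_of "$1" | cut -d: -f3
}

# Read "ls -Z" output on stdin and print the name (last field) of every
# file whose type differs from $1, the expected type, one per line.
find_mislabelled() {
    expected=$1
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        if [ "$(type_of "$line")" != "$expected" ]; then
            printf '%s\n' "$line" | awk '{ print $NF }'
        fi
    done
}

# Usage: on a real system replace the sample with "ls -Z /var/www/html".
printf '%s\n' "$SAMPLE_LS_Z" | find_mislabelled httpd_sys_content_t
```

Anything the script reports can be fixed with the restorecon command shown above (restorecon -R -v on the web root), which puts the default context back; checking the result with ls -Z again closes the loop.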
getsebool -a | grep httpd    # show the "switches" available to the httpd service
How to turn these rules on/off:
setsebool httpd_enable_cgi=1    # turn on
setsebool httpd_enable_cgi=0    # turn off
[root@hack1 selinux]# getsebool -a | grep httpd    # from this you should be able to see why people turn SELinux off
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_dbus_sssd --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_manage_ipa --> off
httpd_read_user_content --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_verify_dns --> off
[root@hack1 selinux]#
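The long list above is exactly why the booleans are worth auditing rather than switching off wholesale. The script below is an added example, not code from the original article: it reads "getsebool -a" style output ("name --> on|off", the format shown above) and flags every httpd_* boolean that is on but absent from an allow-list, printing the setsebool command that would turn it back off. The input is a constructed sample, not a captured run, and the allow-list is an assumption made for this example.

```shell
#!/bin/sh
# Added example, not code from the original article. Constructed
# "getsebool -a" output; the values are chosen so that two httpd booleans
# are on without being on the allow-list.
SAMPLE_GETSEBOOL='httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_unified --> on
httpd_use_nfs --> off
abrt_anon_write --> off'

# Booleans expected to be on for this (assumed) deployment.
ALLOWED_ON='httpd_builtin_scripting httpd_unified'

# Print the name of every boolean on stdin whose value is "on".
booleans_on() {
    awk '$3 == "on" { print $1 }'
}

# Succeed if $1 is one of the whitespace-separated words in $2.
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# Read getsebool output on stdin; for each httpd_* boolean that is on but
# not allowed, print "name -> setsebool -P name=0". The -P flag makes the
# change persist across reboots; without it the change is lost at reboot.
unexpected_on() {
    booleans_on | while IFS= read -r name; do
        case $name in
            httpd_*) ;;
            *) continue ;;
        esac
        if ! in_list "$name" "$ALLOWED_ON"; then
            printf '%s -> setsebool -P %s=0\n' "$name" "$name"
        fi
    done
}

# Usage: on a real system replace the sample with "getsebool -a".
printf '%s\n' "$SAMPLE_GETSEBOOL" | unexpected_on
```

Running this from cron against the live getsebool output turns a drift in the booleans (someone enabling httpd_can_network_connect to "make it work") into a visible event instead of a silent widening of what httpd may do.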
Extended Reading
SE Linux can provide a great deal of security protection for your system. Users can be assigned predefined roles so that they cannot access files or run programs that they do not own. This is not simply the equivalent of a "chmod 777" operation. It differs from ordinary Unix permissions in that the user's role, or the security context they are in, restricts their access to files and other resources in a much stricter fashion. Take a user's .rhosts file on a generic Unix system: if they make it writable by anyone, then anyone who can log in can do dangerous things. Under SE Linux you can control whether other users have the ability to change their .rhosts file, and prevent others from writing to it even if the owner has made it writable by everyone.
A common question is how SE Linux permissions coexist with the standard Unix permissions. When you perform an operation, the Unix permissions are checked first. If they allow the operation, SE Linux then performs its check and allows or denies the user. But if the Unix permissions do not let you do something, the operation is forbidden right there and the SE Linux check does not matter. Another example: if you have an executable with the setuid bit set, such as /usr/bin/passwd, and it runs the command chmod 666 /etc/shadow, SE Linux will stop anyone from illegally setting up a file in this way.
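The ordering of the two checks can be made concrete with a small model. The script below is an added example, not code from the original HOWTO: the Unix (DAC) permission check runs first, the SELinux (MAC) policy is consulted only if DAC allowed the operation, and a deny from either side is final. The policy table, users, modes, domains and types are constructed for the model, not a real loaded policy; the domain and type names only follow the naming convention used on this page.

```shell
#!/bin/sh
# Added example, not code from the original HOWTO. Tiny stand-in for the
# policy: "domain type permission" triples that are allowed (constructed).
POLICY='httpd_t httpd_sys_content_t read
passwd_t shadow_t write
user_t user_home_t write'

# dac_check USER OWNER MODE PERM
# Classic owner/other check on a mode string such as -rw-r--r-- (the group
# bits are ignored to keep the model small). Root bypasses DAC, as on Unix.
dac_check() {
    user=$1 owner=$2 mode=$3 perm=$4
    [ "$user" = root ] && return 0
    if [ "$user" = "$owner" ]; then
        bits=$(printf '%s' "$mode" | cut -c2-4)     # owner rwx
    else
        bits=$(printf '%s' "$mode" | cut -c8-10)    # other rwx
    fi
    case $perm in
        read)  letter=r ;;
        write) letter=w ;;
        *)     return 1 ;;
    esac
    case $bits in
        *"$letter"*) return 0 ;;
    esac
    return 1
}

# mac_check DOMAIN TYPE PERM: succeed if the triple is in the policy table.
mac_check() {
    printf '%s\n' "$POLICY" | grep -qx "$1 $2 $3"
}

# access USER OWNER MODE DOMAIN TYPE PERM
# Prints the decision and which of the two checks made it. DAC is asked
# first; MAC is only asked when DAC said yes.
access() {
    if ! dac_check "$1" "$2" "$3" "$6"; then
        echo "deny (Unix permissions; SELinux not consulted)"
    elif ! mac_check "$4" "$5" "$6"; then
        echo "deny (SELinux policy)"
    else
        echo "allow"
    fi
}

# Usage. First call: DAC is satisfied (root, and the file is world-writable
# anyway) but httpd_t has no write rule on shadow_t, so the policy denies.
# Second: an ordinary read that both checks allow. Third: denied by the
# Unix permissions before SELinux is ever asked.
access root root -rw-rw-rw- httpd_t shadow_t write
access lxf  root -rw-r--r-- httpd_t httpd_sys_content_t read
access lxf  root -rw------- httpd_t httpd_sys_content_t read
```

The first call is the point of the paragraph above: making a file world-writable (or being root) satisfies the Unix check, yet the process still cannot touch the file because its domain has no rule for that type.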
2.2 Terminology
The following terminology will appear frequently in this article, together with the basic concepts of SE Linux. It is somewhat tricky to define one term without using the others, so I realise my definitions include things that themselves need defining. (Translator's note: I really did not dare to translate this sentence, sorry. But it will not hold up your learning ;-))
2.2.1 (Identity) identity
In SE Linux the concept of identity differs from the traditional UNIX UID (user ID). They can coexist on one system, but they are very different concepts. The identity in SE Linux is part of the security context, and it affects which domains can be entered, that is, what can essentially be executed. An SE Linux identity is very similar to a standard UNIX login (in most cases they are the same), but it is important to understand that they are two completely different concepts. Running the su command does not change the identity in SE Linux. (Translator's note: I did not see this on my Red Hat system, but it doesn't matter; maybe the Red Hat system has different policy settings. I haven't had time to study what the problem is, this is just a guess.)
Getting Started with SE Linux HOWTO: the new SE Linux
Example:
An unprivileged user, faye, runs the id command (with SE Linux enabled) and can see the user's security context:
context=faye:user_r:user_t
The identity part of the security context is "faye". Now, if faye uses su to switch to root and then runs id, the security context will still be:
context=faye:user_r:user_t
The identity remains the same as it was before switching to root. However, if the faye identity is allowed to enter the sysadm_r role and switches to sysadm_r (the newrole -r command can be used for this), and then runs the id command, faye will see:
context=faye:sysadm_r:sysadm_t
The identity field remains the same, but the role and domain fields (the second and third fields) have changed. Maintaining the identity in this way is required for user accountability. The identity affects which roles and domains the system decides a given identity may use, which plays a decisive role in the security of the system.
2.2.2 Domain
All processes run in a domain. The domain directly determines what a process can access. A domain is basically a list of the actions a process is allowed to perform, or, put differently, it determines which types a process can operate on. The domain is somewhat like the concept of a standard UNIX UID. Suppose an executable owned by root is set setuid: any user on the system who can execute that program may be able to obtain root privileges. That is a very large security hole. On an SE Linux system, if a process wants to transition into a privileged domain, it cannot do so when its role is not allowed to enter that privileged domain.
A common example: sysadm_t is the system administrator domain and user_t is the unprivileged user domain. init runs in the init_t domain and named runs in the named_t domain.
2.2.3 Type
A type is assigned to an object and determines who can access the object. Its definition is basically the same as that of a domain; the difference is that a domain applies to processes, while a type is assigned to directories, files and sockets.
2.2.4 Role
A role determines which domains can be used. Which domains each role may use is predefined in the policy configuration file. If a role is defined in the policy database but is not permitted to use a domain, an attempt to enter that domain will be rejected.