Analysis of selinux and Xinxing linuxselinux in Linux

SELinux is a project initiated by the US National Security Agency. It aims to harden the system to a level approaching military-grade requirements, and in doing so provides stronger protection for Linux security.

DAC stands for discretionary access control: to share a file with other users, the file's owner simply changes the permissions granted to other users on that file (before ACLs, this was the only way). This approach exposes the system to many potential risks. CS stands for security context; it is determined by the permissions of the user who initiates the access and the permissions of the file itself.

MAC is Mandatory Access Control. It is the basis on which SELinux implements access control, and SELinux implements it through Type Enforcement (TE).

The standard Unix security model is discretionary access control, that is, DAC: any program has full control over its own resources. If a program decides to drop a file containing potentially sensitive information into the /tmp directory, nothing under DAC can stop it. Under the MAC of SELinux, the program is still allowed to create a file in /tmp, and the file may still be made world-readable according to the Unix permission bits, but once the Unix permission check has passed, the SELinux permission check further decides whether access to the resource is permitted. SELinux can restrict each process's access to every kind of resource, so that when a process handles sensitive data, that data cannot be written into files readable by low-privilege processes. SELinux therefore provides finer access control than traditional Unix permissions.

SELinux is a security system that enforces access control based on the "Domain-type" model. It was written into the Linux 2.6 kernel; some security-related applications are also patched for SELinux, and finally there is a corresponding security policy.

For example, the administrator can allow an application to append records to a log file but not rewrite or delete its contents. ext3 does support an append-only attribute, which can be set with chattr, but that attribute does not distinguish between processes: it cannot give one process append-only access while giving another process full write access. Likewise, an application can be allowed to create a file in a directory and write data into it but not delete it, and a network application can be bound to the port it needs but not to other ports. None of these features is available in an ordinary Linux kernel without SELinux.

SELinux attaches a "label" to both the subject and the object of an operation. A "type" is accessible only to a specific domain or user, and the operation is usually read, write, execute, and so on. The model is therefore a subject-operation-object structure. It also follows a least-privilege rule: for example, if the httpd directory /var/www is defined as the public_content_t type, then httpd can only access files or directories of that specific type, and such files are said to be in a "sandbox". When using SELinux you must carefully design a set of access rules; for example, different processes are given different "domains" and different directories different "types", and the policy is then implemented by defining the rules that relate each "type" to each "domain".

SELinux has two policy types. One is strict, under which every process is controlled by SELinux; it is rarely used because it is hard to configure. The other is targeted, developed by Red Hat, under which only selected processes are controlled by SELinux. This makes SELinux more manageable.

The SELinux rule file exists as a binary: the policy is compiled into a binary file after editing, which reduces system resource usage. The file is /etc/selinux/policy. SELinux also lets frequently toggled features in certain rules be switched on or off; these are Boolean values, and getsebool -a displays all of them.

On a system that uses SELinux, the context of each process has three components: an identity (ID), a role, and a domain. The ID indicates the owner of the process, which is a Unix account, provided that the account has been compiled into the SELinux policy so SELinux can recognize it; otherwise SELinux marks unknown system process IDs as system_u by default and unknown user process IDs as user_u. A role is generally used to determine which domains an ID may enter, and equally to prevent an ID from entering domains it should not.

In fact, the domain is simply the type associated with a process. So when checking whether a process has the right to send a signal to another process, the domain of the receiving process plays the "type" role in the "Domain-type" model and the usual Domain-type rule check is performed; that is how inter-process communication permission is checked. The role mechanism is not used for files, so currently every file is assigned the object_r role. This role is only a placeholder and has no effect on the policy.

The file ID is the ID of the file's creator. The policy source uses it to decide whether an access is allowed to change the file's context descriptor: unless the ID field in the accessed file's descriptor matches the ID field of the owner of the process accessing it, the process has no permission to change the file's context descriptor.

ls -Z displays file labels and ps -Z displays process labels. For example, ps auxZ | grep httpd shows the SELinux information of the httpd processes.
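To make the Domain-type check from the preceding paragraphs concrete, here is an added example in POSIX shell; it is not from the original article and not SELinux's own code. It splits the contexts printed by ls -Z and ps -Z into identity, role, type and MLS level, and then answers the question "may this domain perform this operation on this type?" against a small allow-rule table of the same shape as a Type Enforcement policy. The ps and ls lines, the rule table and the type names httpd_sys_content_t, httpd_sys_rw_content_t and user_home_t are constructed samples, not output captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original article: parse the security context
# shown by `ls -Z` / `ps -Z` into identity, role, type (and MLS level) and
# evaluate the Domain-type check against a constructed Type Enforcement
# rule set. All sample output and rules below are constructed for the demo.

# Constructed line in the shape of `ps -Z` output (context first, then the
# usual ps columns).
SAMPLE_PS='system_u:system_r:httpd_t:s0 apache 1234 0.0 0.5 /usr/sbin/httpd'

# Constructed lines in the shape of `ls -Z` output for a web root.
SAMPLE_LS='-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 notes.txt
-rw-rw-r--. root root system_u:object_r:httpd_sys_rw_content_t:s0 upload.log'

# Constructed TE allow rules, one per line: "domain type class perm...".
# A real policy is compiled into the binary file under /etc/selinux, but the
# check performed here has the same shape: subject type versus object type.
RULES='httpd_t httpd_sys_content_t file read getattr open
httpd_t httpd_sys_rw_content_t file read write getattr open
httpd_t httpd_t process signal'

# ctx_field CONTEXT N: print field N of "user:role:type:level"
# (1 = identity, 2 = role, 3 = type/domain, 4 = MLS level).
ctx_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# te_allowed DOMAIN TYPE CLASS PERM: succeed if some rule grants PERM.
te_allowed() {
    printf '%s\n' "$RULES" | (
        while read -r dom typ cls perms; do
            [ "$dom" = "$1" ] && [ "$typ" = "$2" ] && [ "$cls" = "$3" ] || continue
            for p in $perms; do
                [ "$p" = "$4" ] && exit 0
            done
        done
        exit 1
    )
}

# check_access SUBJECT_CTX OBJECT_CTX CLASS PERM: the Domain-type model
# compares the subject's type (its domain) with the object's type; the
# identity and role fields play no part in this particular check.
check_access() {
    te_allowed "$(ctx_field "$1" 3)" "$(ctx_field "$2" 3)" "$3" "$4"
}

# list_denied SUBJECT_CTX PERM: names of the files in SAMPLE_LS that the
# subject's domain is not allowed to access with PERM.
list_denied() {
    printf '%s\n' "$SAMPLE_LS" | while read -r mode owner group ctx name; do
        check_access "$1" "$ctx" file "$2" || printf '%s\n' "$name"
    done
}

# Walk-through when run directly: take the process context from the ps
# line and report what the httpd_t domain may not read or write.
proc_ctx=$(printf '%s\n' "$SAMPLE_PS" | cut -d' ' -f1)
printf 'process identity: %s\n' "$(ctx_field "$proc_ctx" 1)"
printf 'process role:     %s\n' "$(ctx_field "$proc_ctx" 2)"
printf 'process domain:   %s\n' "$(ctx_field "$proc_ctx" 3)"
printf 'denied read:\n%s\n' "$(list_denied "$proc_ctx" read)"
printf 'denied write:\n%s\n' "$(list_denied "$proc_ctx" write)"
```

Running it shows that the httpd_t domain cannot read notes.txt, which carries user_home_t, and cannot write index.html even though it may read it, while upload.log with the rw content type is writable. The identity and role fields are parsed but never consulted by te_allowed, which is exactly the point of the Domain-type model described above.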

The chcon command (short for change context) modifies a context. chcon -t changes the type; -R applies the change recursively to everything under a directory; --reference=FILE applies the same label as the reference file. For example, chcon -R --reference=/var/www/html /www labels /www like /var/www/html. The context can also be set directly, for example chcon -t default_t /www/index.html.

restorecon restores the default security context after a modification. Its -R option means recursive, -F means force, and -v shows verbose information; restorecon -R -v -F /www restores the default context of the /www tree and prints details of what changed. semanage can also be used to modify this information: generally -d means delete, -m means modify, -a means add, and -t means type.

getsebool -a | grep httpd shows the corresponding Boolean values. setsebool httpd_enable_cgi on sets one of them, and adding the -P option makes the change permanent.
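Added example, not from the original article, in POSIX shell, covering the chcon, restorecon and getsebool steps above from a defender's side: it compares each file's current label with the default context the policy assigns to its path, which is what restorecon would put back, and lists which httpd Booleans are switched on. The default-context table, the ls -Z listing and the getsebool -a lines are constructed samples; /www/about.html is shown carrying default_t as if someone had run the chcon -t default_t command from the previous paragraph on it.

```shell
#!/bin/sh
# Added example, not from the original article: report files whose current
# context has drifted from the policy default (what restorecon would fix),
# and list the Booleans of a given prefix that are switched on. All inputs
# are constructed samples; on a real host they come from `ls -Z`,
# the policy's file contexts and `getsebool -a`.

# Constructed default file-context table: "path-prefix context". The longest
# matching prefix wins, as with real file-context specifications.
DEFAULTS='/www system_u:object_r:httpd_sys_content_t:s0
/var/www/html system_u:object_r:httpd_sys_content_t:s0
/home system_u:object_r:user_home_t:s0'

# Constructed `ls -Z` style listing, with full paths in the name column.
CURRENT_LS='-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /www/index.html
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 /www/about.html
-rw-r--r--. root root system_u:object_r:user_home_t:s0 /home/alice/notes.txt'

# Constructed lines in the shape of `getsebool -a` output.
SAMPLE_BOOLS='httpd_can_network_connect --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
samba_enable_home_dirs --> off'

# expected_ctx PATH: the default context for PATH, chosen by the longest
# matching prefix in DEFAULTS; prints nothing if no prefix matches.
expected_ctx() {
    printf '%s\n' "$DEFAULTS" | while read -r prefix ctx; do
        case "$1" in
            "$prefix"/*|"$prefix") printf '%s %s\n' "${#prefix}" "$ctx" ;;
        esac
    done | sort -n | tail -n 1 | cut -d' ' -f2
}

# label_drift: print "path current -> expected" for every file in
# CURRENT_LS whose label differs from its policy default.
label_drift() {
    printf '%s\n' "$CURRENT_LS" | while read -r mode owner group ctx path; do
        want=$(expected_ctx "$path")
        if [ -n "$want" ] && [ "$ctx" != "$want" ]; then
            printf '%s %s -> %s\n' "$path" "$ctx" "$want"
        fi
    done
}

# booleans_on PREFIX: names of Booleans starting with PREFIX that are "on".
booleans_on() {
    printf '%s\n' "$SAMPLE_BOOLS" |
        awk -v pre="$1" '$3 == "on" && index($1, pre) == 1 { print $1 }'
}

# Walk-through when run directly.
printf 'files whose label drifted from the default:\n%s\n' "$(label_drift)"
printf 'httpd Booleans currently on:\n%s\n' "$(booleans_on httpd)"
```

On a real host the drift list corresponds to what restorecon -n -v -R /www reports (the -n option checks without relabeling), and only after reviewing that output would you run the -R -v -F form given above. The Boolean listing is the same filter as getsebool -a | grep httpd, narrowed to the entries that are actually enabled, which is what matters when reviewing how much the targeted policy currently permits.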

Some files have no context, namely those on file systems that do not support the label, such as /sys, /dev and /selinux. For those file systems, where stat cannot retrieve the status, ls does not display the context and instead prints ?---------, and the owner and group are also shown as ?. The id command returns the context of the current shell.

When an SELinux system boots, the first thing init does is mount the /proc file system and determine whether SELinux is active; init uses the selinuxfs file system to find out whether SELinux is present in the kernel. If the kernel has no SELinux support, or selinux=0 is passed on the kernel command line, the system continues booting in a state called non-SE. If SELinux is found, the /selinux virtual file system is created, init checks the SELinux policy version supported by the kernel through /selinux/policyvers, and finally the policy data /etc/selinux/X/policy.YY is loaded into the kernel, where X is the policy name, strict or targeted.
