Application of context value and bool switch

1. Context value and bool switch related content

The context value is divided into 2 types

Default context value for the system

The context value of the service

Role of the context value

The main is to prevent the unknown files into the directory file (such as copying the virus to the directory file)

function of the bool switch

BOOL is the main contention on when SELinux is in the enforcing (mandatory state), the password to have access to the port is also unable to log in the situation when it works.

Then is the context value and the BOOL switch related commands

Chcon t Change

Restorecon v Recovery

Getroubleshoot a View all bool switches

First use the command ll Z to view the file's context value and find that the file's context value is user_home_t

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/54/8F/wKiom1SGeMDRuheJAAFCbXN4B5Y351.jpg "/>

Next, take file Install.log as an example, copy the file Install.log to/tmp and look at the context value again to see that the context value becomes tmp_t.

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/54/8E/wKioL1SGeVXSw2j2AABSlCGgV0Y135.jpg "/>

As can be known from the above two phenomena, the context value is inherited from the parent directory file's context value

The next step is to demonstrate the role of the context value.

First, the FTP shared files to test, after the installation of the FTP service, you can automatically generate ftp/pub under/Var, the two sections of the directory, and then you can create a shared file under Directory pub, This creates a file test and copies a file Install.log, discovers that the context value of the file test is public_content_t, and the context value of the file Instal.log becomes public_content_t

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/54/8F/wKiom1SGeMHhgNffAACIyImQlGs036.jpg "/>

Next, through the remote user to log on to the host FTP service, view the files under the pub, you can view the two shared files

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/54/8E/wKioL1SGeVbSK7dtAACnncAc_nA839.jpg "/>

The context value of the file Install.log is then modified to tmp_t

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/54/8F/wKiom1SGeMKiqtIvAACnMqcZotY135.jpg "/>

Then telnet to the host again, look at the file under the pub, found that the file Instll.log, to this faint understanding of what, that is whether to inherit the previous level of directory context value reason

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/54/8E/wKioL1SGeVeCVp2CAACtGZ8_ARM345.jpg "/>

So in order to verify their own vague idea, to check Pub's context value bar, the results found that indeed, as speculated, Pub's context value is also public_content_t, so, The context value of the file Install.log has just been changed to tmp_t, it cannot be read, the file does exist, but the pub is not recognized, because its context has been changed.

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/54/8F/wKiom1SGeMPioCySAABYg9oIXoA950.jpg "/>

To make it more deterministic, restore the context value of the file Install.log, and then look at

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/54/8E/wKioL1SGeViw1AWCAAEEsHUbdaI013.jpg "/>

After the change, see again, found the file Install.log again, then can now fully understand the role of the context value, can be a summary of the function of the context value

Because the context value of the directory pub is public_content_t, the context value of the file under pub should also be public_content_t, if the context value is changed artificially, Then pub will not recognize the file in its directory, even if not deleted, we will not see the

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/54/8F/wKiom1SGeMTSB3w7AAC9v4JbaPA261.jpg "/>

Then test under HTTP, after installing the HTTP service, you can generate two directory www/html under/Var, Then under the directory HTML to create a file named Index.html file, in this file, we can see through the browser, this is the HTTP page file interpretation, here or back to the context value bar, we take a look at the file index.html context value, found Conte The XT value is httpd_sys_cotent_t,

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/54/8E/wKioL1SGeVmSb7gOAABdUcOqwTY699.jpg "/>

And then you can see it with your browser.

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/54/8F/wKiom1SGeMSRUjCrAABEfjIXYRo052.jpg "/>

Next, change the context value of the file index.html, changing it to tmp_t

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/54/8E/wKioL1SGeVqziQKgAAB3DnRxoPw135.jpg "/>

Found in the browser has not seen the content of the Web page file, the reason should be that the file was not read, was ignored by the directory HTML, so in the browser is naturally invisible

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/54/8F/wKiom1SGeMXieZR2AAItpzcBp2A925.jpg "/>

Then restore the context value of the file index.html to httpd_sys_content_t

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/54/8E/wKioL1SGeVvA4dRVAACN5x82FuU417.jpg "/>

Then you can see hello in the browser.

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/54/8F/wKiom1SGeMaTLfTaAAA3j4BAN98371.jpg "/>

Next we delete the two sections of the directory that were created after the FTP installation, ftp/pub

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/54/8E/wKioL1SGeVzgaOkSAABcxvsKiB8210.jpg "/>

Then create the file ftp/pub These two sections of the directory and create the shared directory

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/54/8F/wKiom1SGeMeQUcutAAAuJRF8c0k177.jpg "/>

Create a test shared file

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/54/8F/wKiom1SGeMfwc18AAAAjig_M0mc098.jpg "/>

Then log in remotely, find the login, but can not see the shared file test

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/54/8E/wKioL1SGeVzhLuLrAACNbExuqao789.jpg "/>

This time I think of the context value, so, look at the context value of test, found to be var_t, it appears to inherit the/var directory's context value, but/var is the system default context value, The context value of the FTP service is different, so the new file is just the same name, but does not have the service context value, then there is no meaning, so it is useless

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/54/8F/wKiom1SGeMfTyIzjAABm8P1BrbQ905.jpg "/>

You can restore the context value by using the command Restorecon Rv FTP

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/54/8E/wKioL1SGeV3x-rvSAAGSm0GTHaI677.jpg "/>

After restoring the context value, you can see the shared file.

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/54/8F/wKiom1SGeMmzalnMAACXbTLoY5E429.jpg "/>

The following is the case of file inheritance on the previous level

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/54/8E/wKioL1SGeV7BlDjfAABhwSqfzes702.jpg "/>

The experiment here has to be explained.

The context value is divided into two types

1. Default context value for the system
2. The context value of the service

In other words, in addition to the service for reasons such as/Var below, because the FTP service is installed after the FTP directory file is created under/Var, but to see the context value has not inherited the/var context value, but can be seen under/Var, This phenomenon is not to overturn the role of the context value, but to illustrate that inheritance is divided into two, one is based on the default context value of the system, the directory or file created below inherits its context value, and one case is not bound by it, That is when the installation of services automatically generated directories or files, they have their own context value, can be seen as an exception, then everything can be explained.

In fact, there is a way to restore the context value (the graphical interface must be installed)

First you need to install a package, Policycoreutils-gui, and then hit command System-config-selinux,

Into the following graphical interface, the next time you start to mark the tick, and then restart the system, then the system is turned on, so the changed context value will be re-marked, that is, the context will revert to the original value

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/54/8F/wKiom1SGeMvynlgDAADS0VmddJY811.jpg "/>

The following shows the process of re-marking after starting the system, * which means that the marker is re-hit

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/54/8E/wKioL1SGeWDC3vgfAACTJre9DKI727.jpg "/>

Do this, do we think that since a tick will change the context value changed, then whether you can let the context permanently is the changed value, even if the re-marking is not changed,

In fact, you can use the command semanage fconftext a T httpd_sys_content_t ' pub (/.*) on it.

And then we're going to start a second experiment.

Make a bool switch

First of all talk about the function of the bool switch, the function of the bool switch is when selinux into the enforcing state, the bool will be open to continue to access, in this first simple explanation of the SELinux three of the State bar

First disabled state, which disables the SELinux function.

Then is the permissive state, mainly used to determine whether the system is the service itself or the selinux problem, for example, when the remote access users, if the remote host to know the account number and password, the validation can be accessed after successful.

The last is the enforcing state, that is, the meaning of coercion, and then the above example, that is, even if you know the account number and password, verify that the success of the test can not access, that is, forced to not allow its login, this security is higher.

So there's a problem with that, right? When the SELinux is set to enforing State security is really higher, but if it is not accessible, this security is meaningless, then there is any way to make it in the enforcing state can still access it?

Then we need the bool switch.

Then we start to demonstrate the role of the bool switch.

Here, the first need to install setroubleshoot this installation package, of course, SELinux should also be set to enforcing state, in order to make these two changes take effect, you need to restart the system, restart the system, you can view the following two graphs, Found that SELinux is already in the enforcing state, and in the system tools to see the SELinux troubleshooting tool, it means that setroubleshoot installed successfully

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/54/8E/wKioL1SGeWCxfjIgAAAyZD677-4196.jpg "/>

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/54/8F/wKiom1SGeNSwY6aGAAGvvbkrSKM236.jpg "/>

Then you can start changing the bool value.

First of all, we telnet to the host's ordinary account found boarded, but unable to view the user files, reported the error of login failure, which is in fact SELinux enforcing played a role

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/54/8E/wKioL1SGeWqgT0VKAADeN87fRag042.jpg "/>

Then look at the bool switch information, here can be specified search, we have access to the FTP user's home under the file, then you can search the following, found that it is off, that is, BOOL is in the closed state

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/54/8F/wKiom1SGeNWjSEp-AABFyFv__FA263.jpg "/>

Then you need to turn it on, so you can hit the following command, where 1 means open, and 0 is the closed

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/54/8F/wKiom1SGeNXTVsoXAAB18k6b6ek074.jpg "/>

Then visit again and you'll be able to see the file under the home of the account.

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/54/8E/wKioL1SGeWvxbQo1AACIpvT1X1w721.jpg "/>

Thus, the experiment on the context value and the bool switch is over!!!

Application of context value and bool switch