Application of SELinux and mandatory access control system

Almost certainly everyone has heard of SELinux (more accurately, tried to shut down), and even some past experience has made you biased against SELinux. But with the growing 0-day security hole, maybe it's time to get to know about this mandatory access control system (MAC) in the Linux kernel, and we'll encounter problems with SELinux control when we're just in touch with Linux. Let me take the initial step to uncover the SELinux mystery:

SELinux and mandatory access control system
The SELinux full name Security Enhanced Linux (Secure hardened Linux) is an implementation of the MAC (Mandatory access control, mandatory access controls) to explicitly indicate which resources a process can access (files, Network ports, etc.).
The purpose of the mandatory access control system is to enhance the ability of the system to defend against 0-day attacks (exploits that exploit the vulnerabilities that have not been exposed). So it is not a substitute for network firewalls or ACLs, nor is it duplicated in purpose.
For example, Apache on the system was found to have a vulnerability that would allow a remote user to access sensitive files on the system (such as/etc/passwd to get the existing user on the system), while the Apache update patch to fix the security vulnerability had not been released.
At this point, selinux can be a mitigation solution to compensate for the vulnerability. Because/ETC/PASSWD does not have Apache access tags, Apache's access to/etc/passwd is blocked by SELinux.

SELinux has the following advantages over other mandatory access control systems:
Control policies are queryable, not program-visible.

You can hot-change the policy without restarting or stopping the service.

You can control the policy from three aspects of process initialization, inheritance, and program execution.

The control scope overrides the file system, directory, file, file launch descriptor, port, message interface, and network interface.

Understanding and configuring SELinux
1. Get the current SELinux run level status

[Email protected] ~]# Getenforce Permissive

There are three levels of return results:

Enforcing -SELinux security policy is enforced.

#Linux系统下selinux所设置的安全策略都会被启用, log warnings and block suspicious behavior.

Permissive -SELinux prints warnings instead of enforcing.

#Linux系统下selinux所设置的安全策略都会被启动, but only security warnings are logged, but suspicious behavior is not blocked.

Disabled -No SELinux policy is loaded.

#禁用selinux, all SELinux policies will be disabled.

2. Changing the SELinux run level status

[Email protected] ~]# Setenforce [Enforcing | Permissive | 1 | 0]

You can switch between enforcing and permissive by Setenforce the SELinux runlevel status without restarting the operating system to take effect.

If you need to allow SELinux to permanently change the runlevel state, you need to modify the/etc/selinux/config configuration file, such as permanently changing the SELinux runlevel status to disable, in the/etc/selinux/config configuration file " Selinux=permissive "selinux=disabled" note that the operating system needs to be restarted when switching from Disabled to Permissive or enforcing mode.

3.SELinux Operation Policy
The configuration file/etc/sysconfig/selinux also contains information about the SELinux run policy, which is implemented by changing the value of the variable Selinuxtype, which is possible with two possibilities: The targeted represents only a few of the pre-fabricated network services and access requests SELinux protection, strict on behalf of all network services and access requests are going through SELinux.

4. View SELinux Related information

Common tools have "PS" "ls" to increase the Z option to learn about SELinux information

For example 1:

[Email protected] ~]# ls-z/etc/issue-rw-r--r--. Root root System_u:object_r:etc_runtime_t:s0/etc/issue

For example 2:

[Email protected] ~]# PS Auxz |      grep cronsystem_u:system_r:crond_t:s0-s0:c0.c1023 Root 1495 0.4 0.2 117296 1352? Ss 16:52 0:01 Crond

Below we have two examples to understand the security mechanism of SELinux:

Case 1: allow vsftpd anonymous users to upload

1. First install the VSFTP service and start the service

[Email protected] ~]# yum-y install vsftpd[[email protected] ~]# service vsftpd startstarting vsftpd for vsftpd: [OK]

2. Create the FTP shared directory as "/var/ftp/ftpuser", enter the directory to create some files for testing, and set the SELinux mode to Permissive mode.

[[email protected] ~]# mkdir/var/ftp/ftpuser[[email protected] ~]# chmod 755/var/ftp/ftpuser[[email protected] ~]# chown Ftp/var/ftp/ftpuser[[email protected] ~]# touch/var/ftp/ftpuser/{1..5}.txt[[email protected] ~]# ll/var/ftp/ftpuser/ Total 0-rw-r--r--. 1 root root 0 Apr 17:10 1.txt-rw-r--r--. 1 root root 0 Apr 17:10 2.txt-rw-r--r--. 1 root root 0 Apr 17:10 3.txt-rw-r--r--. 1 root root 0 Apr 17:10 4.txt-rw-r--r--. 1 root root 0 Apr 17:10 5.txt[[email protected] ~]# Getenforce Permissive

3. With ftp://172.16.100.7/ftpuser/access on the client windows, you can access all the files under/var/ftp/ftpuser and test to see if the file could be uploaded anonymously:

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M02/7F/34/wKiom1cWzmiwKYHFAALrBaRjuyQ729.jpg "title=" Ftpuser.jpg "alt=" Wkiom1cwzmiwkyhfaalrbarjuyq729.jpg "/>

Uploading files anonymously is successful.

4. Set the SELinux run level status to enforcing:

[Email protected] ~]# setenforce 1[[email protected] ~]# Getenforce enforcing

5. We re-upload the file anonymously via the client:

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M02/7F/32/wKioL1cW0Cbyi3MIAANGNQcAMps139.jpg "title=" Ftpuser2.jpg "alt=" Wkiol1cw0cbyi3miaangnqcamps139.jpg "/>

It is now possible to state that the SELinux policy is in effect and can be #getsebool-a | grep ftp View FTPD's SELinux access policy

[Email protected] ftpuser]# Getsebool-a | grep ftpallow_ftpd_anon_write--offallow_ftpd_full_access--offallow_ftpd_use_cifs-Offallow_ftpd_use _nfs--Offftp_home_dir---offftpd_connect_db, Offftpd_use_fusefs--and Offftpd_use_passive_mode- Offhttpd_enable_ftp_server--Offtftp_anon_write---offtftp_use_cifs-Offtftp_use_nfs-off

Open FTP SELinux policy via setsebool-p:

[[email protected] ftpuser]# setsebool-p ftp_home_dir 1[[email protected] ftpuser]# setsebool-p allow_ftpd_anon_write 1[ [Email protected] ftpuser]# setsebool-p allow_ftpd_full_access 1

650) this.width=650; "src=" Http://s2.51cto.com/wyfs02/M02/7F/32/wKioL1cW1DXRvrErAAJbtcCY8FM256.jpg "title=" Ftpon.jpg "alt=" Wkiol1cw1dxrvreraajbtccy8fm256.jpg "/>

Uploading anonymously again can be accomplished by:

650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M00/7F/35/wKiom1cW1CejENtkAAHzKCNeuiY269.jpg "title=" last. jpg "alt=" Wkiom1cw1cejentkaahzkcneuiy269.jpg "/>

case Two: SELinux for the enforcing state, the httpd DocumentRoot changed to/web/htdocs:

[[email protected] ~]# rpm -qa httpdhttpd-2.2.15-29.el6.centos.x86_64[[email  protected] ~]# getenforce enforcing[[email protected] ~]# mkdir -pv / web/htdocs[[email protected] ~]# vim /etc/httpd/conf/httpd.conf Modify the configuration file to the next:documentroot  "/web/htdocs" <Directory  "/web/htdocs" >[[email protected] ~]# service httpd  restartStopping httpd:                                              [  OK   ]Starting httpd:                                              [  ok  ] Create a home page file index.html[[email protected]  ~]# vim /web/htdocs/index.html
Test Access Home Page:
650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M02/7F/32/wKioL1cW2C-j80iRAAGOVS5A368216.jpg "title=" Html.jpg "alt=" Wkiol1cw2c-j80iraagovs5a368216.jpg "/>
We changed the SELinux mode to "Permissive" and then tested the access:
[Email protected] httpd]# Getenforce Permissive
650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M02/7F/32/wKioL1cW2K_gSeQ8AAE9IFnNe5w474.jpg "title=" Html2.jpg "alt=" Wkiol1cw2k_gseq8aae9ifnne5w474.jpg "/>
Set the SELinux level to permissive mode to access
Setting the SELinux mode to enforcing mode is not accessible, which is affected by the SELinux context value.
650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/7F/35/wKiom1cW2YqTgUDEAAJng0FlWk8886.jpg "title=" 7888. JPG "alt=" wkiom1cw2yqtgudeaajng0flwk8886.jpg "/>
The context value of the file can be viewed through ls–z. By default, creating a document in any directory inherits the context value of the parent directory, as you can see that the context value of the index.html inherits the context value of the/root directory, while the/var The default context value for creating files under the/www/html/directory is httpd_sys_content.

You can modify the context value of the/web/htdocs by using the chcon–t command
[Email protected] ~]# chcon-r--reference=/var/www/html//web/htdocs/[[email protected] ~]# ls-ldz/web/htdocs/drwxr-x R-x. Root root system_u:object_r:httpd_sys_content_t:s0/web/htdocs/
Once the modifications are complete, access can be achieved
650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M00/7F/33/wKioL1cW29OD-NeyAAGbV6ELD3I111.jpg "title=" End.jpg "alt=" Wkiol1cw29od-neyaagbv6eld3i111.jpg "/>
If you need to restore the default context value, you can use the Restorecon command:
[Email protected] ~]# restorecon-r/web/htdocs/
The end!!!
This article from "Cto_home" blog, declined reprint!
Application of SELinux and mandatory access control system