CentOS 7: how SELinux works and how to configure it



SELinux (Security-Enhanced Linux) is a mandatory access control layer built into the Linux kernel. Without it, access is governed only by discretionary access control (DAC): the root account can read or change any file or service, and a file set to mode 777 can be read, modified or deleted by every user on the system.

DAC (discretionary access control): the owner of a file decides who may use it, and the kernel enforces that decision only through the owner/group/other and r/w/x bits. Root is not limited at all, the r/w/x split is coarse, and there is no way to say that one particular process (rather than a user) may or may not touch a file.

SELinux adds MAC (mandatory access control). Every process (the subject) and every object it may touch (files, directories, sockets, ports, and so on) carries a security label, the SELinux context; the loaded policy lists exactly which subject labels may perform which operations on which object labels, and anything not listed is denied. A file with mode 777 therefore still cannot be read by httpd if the policy contains no rule allowing httpd's label to read the file's label.

In SELinux the access-control attribute is called the security context. Every object (files, interprocess communication channels, sockets, network hosts, ...) and every subject (process) has one, written as user:role:type:level. The SELinux user (U) and role (R) matter mainly for confining interactive logins; on the CentOS 7 targeted policy the fourth field is the MLS/MCS level, normally s0. For day-to-day troubleshooting the third field, the type (T), is what matters: for a process it is called its domain (for example httpd_t), for a file simply its type (for example httpd_sys_content_t).

When a process opens a resource, the kernel checks the ordinary file-system permissions (DAC) first; if those deny, SELinux is never consulted. If DAC allows, the subject's context and the target's context are looked up in the loaded policy, and the access succeeds only if a rule allows that subject type to perform that operation on that target type. With SELinux enabled, an access failure can therefore come from either layer, and the two have to be examined one after the other.

The theory above is straightforward; the rest of this article is about practice.

a. Viewing and configuring the SELinux status

The SELinux configuration file is /etc/selinux/config; /etc/sysconfig/selinux is a symbolic link to it.

Changing the mode in this file is the permanent setting, but the file is only read at boot, so the change takes effect after the system is rebooted (restarting a service is not enough). Note also that files created while SELinux is disabled get no labels, so when switching from disabled back to enforcing or permissive a relabel is needed (touch /.autorelabel before rebooting).

The file, with its comments translated, looks like this:

    SELINUX=enforcing
    # This key defines the SELinux mode:
    #   enforcing  - the system is protected by SELinux; any operation that violates the policy is denied.
    #   permissive - SELinux is loaded and evaluates the policy, but a violation is only logged as a warning and the operation is allowed to continue. Useful for finding out what enforcing mode would block.
    #   disabled   - SELinux is not loaded at all.
    SELINUXTYPE=targeted
    # This key defines which policy protects the system. "targeted" confines a set of (mostly network-facing) daemons such as Apache httpd, Sendmail, BIND, PostgreSQL, NFS and CIFS; everything else runs unconfined.

The keys are written in upper case and the values are case-sensitive. The policy selected by SELINUXTYPE is installed under /etc/selinux/ in a directory of the same name, /etc/selinux/targeted/ in this case.


1. Viewing and changing the status from the command line (takes effect immediately, but is lost at the next reboot)

A. sestatus shows the current SELinux status: whether it is enabled, the selinuxfs mount point, the current mode, the mode from the config file and the loaded policy name.

B. selinuxenabled prints nothing; check its exit code with echo $?. 0 means SELinux is enabled, 1 means it is disabled.

C. getenforce prints the current mode: Enforcing, Permissive or Disabled.

D. setenforce switches the running mode: setenforce 1 (or Enforcing) turns enforcement on, setenforce 0 (or Permissive) switches to permissive. Note that 0 means permissive, not disabled: setenforce cannot disable SELinux, the policy keeps being evaluated and violations keep being logged. Only SELINUX=disabled in the config file plus a reboot turns SELinux off.

2. Viewing security contexts

A. Files: ls -Z (for example ls -Z /var/www/html/) prints the context next to each entry.

B. Processes: ps -eZ (or ps auxZ) prints each process's domain in the first column.

C. The current shell/user: id -Z prints the context the shell is running in.

The security context is printed as user:role:type:level, for example unconfined_u:object_r:httpd_sys_content_t:s0 for a file or system_u:system_r:httpd_t:s0 for the httpd process. The user here is the SELinux user, not the Linux account, and for a process the type field is called its domain.


3. What happens to the security context when files are copied or moved

Take httpd as an example. The httpd process (domain httpd_t) is allowed to read web content under /var/www/html, which is labelled httpd_sys_content_t. Create two test pages: lala.html directly in the web root, and haha.html in /root, which is then moved into the web root with mv.

Looking at the contexts with ls -Z /var/www/html/ shows the difference: lala.html, created in place, inherited the directory's default type httpd_sys_content_t; haha.html still carries the type it received in /root, admin_home_t, because mv keeps a file's context (within one file system it only renames the inode). A file copied with cp, on the other hand, is a new file and receives the default context of its destination directory (unless cp is told to keep the source context with --preserve=context or -a).

Requesting both pages from a browser shows that lala.html loads and haha.html is refused (Forbidden).

Checking the DAC permissions shows that both files are readable by the apache user, yet haha.html is still denied.

The reason is the label: the httpd_t domain has no rule allowing it to read files of type admin_home_t, so SELinux denies the access regardless of the file mode.

The same denial is recorded in /var/log/audit/audit.log as an AVC message naming the httpd process, the file and both contexts.

Because the raw audit records are hard to read, use audit2why and audit2allow to interpret them:

    audit2why < /var/log/audit/audit.log

audit2why prints each denial followed by an explanation, including whether a boolean exists that would allow the access; audit2allow turns the denials into policy rules (audit2allow -w is the same as audit2why).

Note: on CentOS 7 audit2why and audit2allow are provided by the policycoreutils-python package (rpm -qf $(which audit2why) shows the owning package).
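As an added example (not part of the original article), the following shell script does by hand the first thing audit2why does: it reads AVC records from audit.log and reports, for each denial, which domain was denied which permission on which object class and type. It runs without SELinux or the audit tools installed; the audit lines embedded in it are constructed for the example (the file names follow the article, the pids, inode numbers and timestamps are made up).

```shell
#!/usr/bin/env bash
# Added example: summarise "avc: denied" records the way audit2why's first
# lines do. Needs only a POSIX shell; no SELinux tooling required.
set -u

# Print one field (user|role|type|level) of a context "user:role:type:level".
# The MLS/MCS level may itself contain colons (s0-s0:c0.c1023), so only the
# first three fields are split off and the remainder is the level.
ctx_field() {
    local ctx=$1 field=$2 ctx_user ctx_role ctx_type ctx_level
    IFS=: read -r ctx_user ctx_role ctx_type ctx_level <<EOF
$ctx
EOF
    case $field in
        user)  printf '%s\n' "$ctx_user" ;;
        role)  printf '%s\n' "$ctx_role" ;;
        type)  printf '%s\n' "$ctx_type" ;;
        level) printf '%s\n' "$ctx_level" ;;
        *)     return 1 ;;
    esac
}

# Read audit records on stdin; for every AVC denial print
#   <source domain> denied <permissions> on <class> labelled <target type> (<path or name>)
avc_summary() {
    local line tok perm path scon tcon tclass
    while IFS= read -r line; do
        case $line in
            'type=AVC '*'denied'*) ;;   # keep only AVC denial records
            *) continue ;;
        esac
        # the permissions sit between "{ " and " }", e.g. "{ read open }"
        perm=${line#*\{ }
        perm=${perm%% \}*}
        path=-; scon=; tcon=; tclass=
        for tok in $line; do
            case $tok in
                scontext=*)   scon=${tok#scontext=} ;;
                tcontext=*)   tcon=${tok#tcontext=} ;;
                tclass=*)     tclass=${tok#tclass=} ;;
                path=*|name=*)
                    path=${tok#*=}
                    path=$(printf '%s' "$path" | tr -d '"') ;;
            esac
        done
        printf '%s denied %s on %s labelled %s (%s)\n' \
            "$(ctx_field "$scon" type)" "$perm" "$tclass" \
            "$(ctx_field "$tcon" type)" "$path"
    done
}

# Constructed sample input (format follows the kernel's AVC record; pids,
# inode numbers and timestamps are invented for the example).
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1494927905.367:350): avc:  denied  { getattr } for  pid=2681 comm="httpd" path="/var/www/html/haha.html" dev="dm-0" ino=8416 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1494927905.367:350): arch=c000003e syscall=4 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1494928001.120:361): avc:  denied  { read } for  pid=3102 comm="vsftpd" name="haha" dev="dm-0" ino=9021 scontext=system_u:system_r:ftpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file permissive=0'

# On a real host read the live log instead:  avc_summary < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_summary
```

For the two constructed records this prints "httpd_t denied getattr on file labelled admin_home_t (/var/www/html/haha.html)" and "ftpd_t denied read on file labelled user_home_t (haha)", which is exactly the pair of facts (source domain, target type) you then feed to sesearch or look up in the booleans.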

Another tool for collecting SELinux denials is setroubleshoot, provided by the setroubleshoot-server package. Its daemon (setroubleshootd) receives the AVC messages from auditd and writes a readable summary to /var/log/messages:

    tail /var/log/messages | grep setroubleshoot

The message reads roughly "SELinux is preventing httpd from accessing this file. For complete SELinux messages run: sealert -l <id>". Running the sealert -l command it names prints the full analysis of that denial together with its suggested fixes.

The policy rules themselves can be queried with sesearch:

    sesearch --allow [-s <source type>] [-t <target type>] [-c <class>] [-b <boolean>]

sesearch is provided by the setools-console package.

To find out which domains may read files of type httpd_sys_content_t:

    sesearch --allow -t httpd_sys_content_t -c file -p read

Each line of output has the form "allow <source type> <target type> : <class> { <permissions> }", i.e. which subject type may do what to this object type. To list everything the httpd_t domain is allowed to do:

    sesearch --allow -s httpd_t

The output shows which object types httpd_t may access and with which permissions; admin_home_t is not among the file types it may read, which is why haha.html was rejected.

How is the problem fixed? By changing the context of haha.html. There are two ways: restorecon (restore context) resets a file to the default label its path is supposed to carry according to the policy's file-context rules, and chcon (change context) sets a context directly.

A. Using restorecon to restore the default context

This is done in two steps.

First, make sure the policy has a default-label rule for the directory. For /var/www/html the targeted policy already ships one (httpd_sys_content_t), so this step can be skipped here; it is needed when a site is served from a non-standard directory:

    semanage fcontext -a -t httpd_sys_content_t '/var/www/html(/.*)?'

(semanage fcontext only records the rule; it does not touch any file.)

Then apply the recorded defaults to the files that already exist:

    restorecon -Rv /var/www/html/

-R is recursive and -v prints every file whose context changes. After this haha.html carries httpd_sys_content_t and httpd can serve it.

semanage is provided by the policycoreutils-python package and restorecon by policycoreutils.
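As an added example (not the article's own commands), here is the two-step repair wrapped in a script that previews the relabel before applying it. summarize_relabel reduces verbose restorecon output to "path old-type -> new-type"; it understands both the "restorecon reset ... context old->new" form printed on CentOS 7 and the "Relabeled ... from ... to ..." form of newer policycoreutils releases. The preview line embedded at the bottom is constructed; relabel_webroot needs root on a host with SELinux, and the web root and type it takes are arguments chosen by the caller.

```shell
#!/usr/bin/env bash
# Added example: check-first version of "semanage fcontext + restorecon".
# The text-processing helpers run on any host; the SELinux commands run
# only where the tools exist, and the actual relabel only when an operator
# calls relabel_webroot.
set -u

# The third field of a context "user:role:type:level" is the type.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Reduce verbose restorecon output to "<path> <old type> -> <new type>".
# CentOS 7 prints:   restorecon reset <path> context <old>-><new>
# newer releases:    Relabeled <path> from <old> to <new>
summarize_relabel() {
    local line path old new
    while IFS= read -r line; do
        case $line in
            'restorecon reset '*' context '*'->'*)
                path=${line#restorecon reset }; path=${path% context *}
                old=${line##* context }
                new=${old#*->}; old=${old%%->*} ;;
            'Relabeled '*' from '*' to '*)
                path=${line#Relabeled }; path=${path% from *}
                old=${line##* from }
                new=${old##* to }; old=${old% to *} ;;
            *) continue ;;   # warnings and other non-relabel lines
        esac
        printf '%s %s -> %s\n' "$path" "$(ctx_type "$old")" "$(ctx_type "$new")"
    done
}

# Step 1: record the default label for the whole tree (redundant for
# /var/www/html, which the targeted policy already covers; needed for a
# custom web root). "semanage -a" fails if a local rule for the same path
# already exists, so fall back to "-m" (modify) in that case.
# Step 2: preview with -n (no changes), then apply recursively.
relabel_webroot() {
    local root=$1 type=${2:-httpd_sys_content_t}
    semanage fcontext -a -t "$type" "${root}(/.*)?" 2>/dev/null \
        || semanage fcontext -m -t "$type" "${root}(/.*)?" || return 1
    echo "Files whose label will change under $root:"
    restorecon -Rnv "$root" | summarize_relabel
    restorecon -Rv "$root" | summarize_relabel
}

# Constructed preview line, as restorecon -Rnv would print it for the
# article's haha.html before the fix.
SAMPLE_DRYRUN='restorecon reset /var/www/html/haha.html context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0'

if command -v restorecon >/dev/null 2>&1 && [ -d /var/www/html ]; then
    restorecon -Rnv /var/www/html | summarize_relabel   # preview only
else
    printf '%s\n' "$SAMPLE_DRYRUN" | summarize_relabel
fi
```

Run the script as is to see what a relabel of /var/www/html would touch; call relabel_webroot /srv/mysite (or with a second argument for a different type) to actually register the rule and relabel. Previewing first matters because restorecon -R resets every mismatched file under the tree, including ones somebody labelled on purpose with chcon.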

B. Using chcon to change the context directly

    chcon -t httpd_sys_content_t /var/www/html/haha.html

Notes:

chcon means change context. Its options:

-t sets the type
-R applies the change recursively (useful for every file under a directory)
-u sets the SELinux user
-r sets the role

Or, instead of spelling out the fields, copy the context of a file that is already correct:

    chcon --reference=/var/www/html/lala.html /var/www/html/haha.html

gives haha.html the same context as lala.html. Caveat: chcon changes only the label stored on the file, not the policy's file-context rule, so the next restorecon or full relabel (for example after touch /.autorelabel) puts the file back to the policy default. For a change that is meant to stay, record the rule with semanage fcontext and then run restorecon, as in method A.

Finally, one more concept: SELinux booleans. A boolean is a switch inside the loaded policy: when it is on, the rules it guards are active and the corresponding behaviour is allowed; when it is off, those rules are ignored and the access is denied.

List the booleans and their current values:

    getsebool -a

or, with a short description of each one:

    semanage boolean -l

Knowing a boolean's name, sesearch shows which rules it controls. For example, httpd_enable_homedirs guards the rules that let httpd_t read users' home directories; with the boolean off those rules are inactive and the content is unreachable:

    sesearch --allow -b httpd_enable_homedirs

Set a boolean with setsebool; -P also writes the value into the policy store so that it survives a reboot:

    setsebool [-P] <boolean> on|off

Here is an example involving a boolean.

Confirm that SELinux is enforcing (getenforce) and start the FTP service (vsftpd).

Create two files in the anonymous download directory /var/ftp/pub for the test: one created directly in that directory, which inherits the directory's default context, and one created in root's home directory and moved in with mv, which keeps the context it had there, as ls -Z shows.

Log in anonymously and list the directory: the moved file (haha) is not visible to the FTP client.

Since SELinux is enforcing, the system logs are the place to look. Two tools collect SELinux denials: setroubleshoot and the audit subsystem. Using audit first:

The audit daemon (auditd) writes its records to /var/log/audit/audit.log; audit2why and audit2allow interpret them. Make sure auditd is running (systemctl start auditd), then reproduce the problem: when the client logs in to the FTP server again, auditd records the denials, which audit2why then explains:

    audit2why < /var/log/audit/audit.log

AVC stands for Access Vector Cache, the kernel component that caches the policy's access decisions. Every access it denies in enforcing mode (or would deny, in permissive mode) is logged as an "avc: denied" record, unless a dontaudit rule in the policy silences it; these records are what the audit tools analyse.

audit2why's explanation for the denial points at a boolean, so check the booleans that concern FTP:

    getsebool -a | grep ftp

ftp_home_dir is off, and the moved file root.txt carries the context root:object_r:user_home_t:s0, i.e. the user-home type that the ftpd_t domain may only access while ftp_home_dir is on.

Turning the boolean on fixes it:

    setsebool -P ftp_home_dir on

(-P writes the change into the policy store so that it is still in effect after a reboot.)

Logging in from the client again, the haha file is now listed and can be accessed.

To summarise: when a server has been configured and a client still cannot access it, troubleshoot in this order:

1. The service's own configuration: does it grant the relevant permission at all (for example, does vsftpd allow anonymous users to write)?

2. File-system (DAC) permissions: does the mode of the file, or of a parent directory, need to be changed with chmod?

3. SELinux: the file's context (ls -Z, compared with what the policy expects) and the relevant booleans (getsebool).
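As an added example (not from the article), the checklist above as a script. Step 2 is implemented for real: dac_readable_by_other walks from the file up to / and checks that every directory grants search (x) to "other" and that the file grants read, which is the check that matters for daemons such as apache or ftp that run as their own unprivileged user. Step 3 runs getenforce, stat -c %C and getsebool only when they exist, and bool_state parses getsebool output (a constructed sample is included). GNU coreutils stat is assumed; the path and boolean names passed in are the caller's choice.

```shell
#!/usr/bin/env bash
# Added example: the troubleshooting order from the article as a script.
# 1) service config is a reminder only; 2) the DAC check is real and works
# on any Linux host; 3) the SELinux checks run only where the tools exist.
set -u

# Last octal digit of the mode, i.e. the "other" bits (GNU stat assumed).
other_bits() {
    local perm last
    perm=$(stat -c %a "$1") || return 1
    last=${perm%?}
    printf '%s\n' "${perm#$last}"
}

# Can a process running as an unrelated user (apache, ftp, ...) reach and
# read this file? Every directory on the path needs o+x, the file o+r.
# Group permissions and ACLs are ignored, so a "no" here is a strong hint,
# not a proof; a "yes" means DAC is not the problem.
dac_readable_by_other() {
    local target=$1 p bits
    case $target in /*) ;; *) target=$PWD/$target ;; esac
    [ -e "$target" ] || return 1
    bits=$(other_bits "$target") || return 1
    [ $((bits & 4)) -eq 4 ] || return 1
    p=$(dirname "$target")
    while :; do
        bits=$(other_bits "$p") || return 1
        [ $((bits & 1)) -eq 1 ] || return 1
        if [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
    return 0
}

# Parse "getsebool -a" output (lines of the form "name --> on|off") for one boolean.
bool_state() {
    local name=$1 line
    while IFS= read -r line; do
        case $line in
            "$name --> "*) printf '%s\n' "${line##* --> }"; return 0 ;;
        esac
    done
    printf 'unknown\n'
    return 1
}

# Walk the three steps for one path; extra arguments are booleans to report.
troubleshoot() {
    local path=$1 b
    shift
    printf '1. Service config: check the daemon'\''s own options first (e.g. anonymous_enable in vsftpd.conf).\n'
    if dac_readable_by_other "$path"; then
        printf '2. DAC: %s is reachable and readable by "other".\n' "$path"
    else
        printf '2. DAC: %s is not reachable/readable by "other"; fix with chmod before looking at SELinux.\n' "$path"
    fi
    if command -v getenforce >/dev/null 2>&1; then
        printf '3. SELinux: mode=%s  label=%s\n' "$(getenforce)" \
            "$(stat -c %C "$path" 2>/dev/null || echo '?')"
        for b in "$@"; do
            printf '   boolean %s = %s\n' "$b" "$(getsebool -a | bool_state "$b")"
        done
    else
        printf '3. SELinux: getenforce not found; SELinux tooling is not installed here.\n'
    fi
}

# Constructed getsebool -a excerpt, as on the article's host before the fix.
SAMPLE_GETSEBOOL='ftp_home_dir --> off
httpd_enable_homedirs --> on
httpd_can_network_connect --> off'

troubleshoot "${1:-/var/www/html/haha.html}" ftp_home_dir httpd_enable_homedirs
```

Run it as troubleshoot.sh /var/ftp/pub/haha on the FTP host from the example: step 2 passes (the file is world-readable), and step 3 prints the user_home_t label together with "ftp_home_dir = off", which is the whole diagnosis in three lines.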



This article is from the "Love Linux" blog; please contact the author before reproducing it.
