Comprehensive analysis of RHCE (Red Hat Certified Engineer) exam topics: SELinux

Source: Internet
Author: User
Linux security models

DAC, discretionary access control: the traditional owner/group/other permission bits, set at the discretion of the file owner.

MAC, mandatory access control: access decisions are made by a system-wide policy that users and processes cannot override.

SELinux

A set of MAC extension modules that strengthen Linux security.

Development was led by the US National Security Agency (NSA).

How SELinux works

Integrated into the Linux kernel (2.6 and later).

The operating system provides customizable policies and management tools.

[root@test ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)
[root@test ~]# uname -r
3.10.0-327.el7.x86_64
[root@test ~]# rpm -qa | grep -i selinux
selinux-policy-3.13.1-60.el7.noarch
libselinux-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.13.1-60.el7.noarch
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64

View the current status of SELinux

[root@test ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[root@test ~]# ls /etc/selinux/
[root@test ~]# ls /sys/fs/selinux/

[root@test ~]# setenforce 0|1    # 0: permissive, 1: enforcing (takes effect immediately, not persistent across reboots)
[root@test ~]# getenforce        # show the current SELinux mode



[root@test ~]# vim /etc/selinux/config    # configuration file
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.    # permissive (warn-only) mode
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.    # multi-level, comprehensive security protection policy
SELINUXTYPE=targeted    # recommended: only the most common/critical network services are confined, everything else is unrestricted



SELinux policy settings

1. The security context

Process:    ps aux -Z
Directory:  ls -dZ <directory>
File:       ls -lZ <file>

[root@test ~]# ls -lZ /etc/passwd
-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/passwd
[root@test ~]# ls -dZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
[root@test ~]# ls -dZ /var/lib/mysql/
drwxr-x--x. mysql mysql system_u:object_r:mysqld_db_t:s0 /var/lib/mysql/
[root@test ~]# ps aux -Z | grep httpd
system_u:system_r:httpd_t:s0    root      5965  0.1  0.4 226128  5052 ?        Ss   22:33   0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0    apache    5966  0.0  0.3 228212  3144 ?        S    22:33   0:00 /usr/sbin/httpd -DFOREGROUND

Components of a security context

user:role:type:level, for example system_u:object_r:httpd_sys_content_t:s0. The type (the "access type" of a file, or the domain of a process) is the field that the targeted policy decides on; the last field (s0) is the MLS/MCS sensitivity level.

Common access types

bin_t                  # binary executables
etc_t                  # system configuration files
fsadm_exec_t           # file system management tools
admin_home_t           # home directory of the administrator account (/root)
user_home_t            # home directories of ordinary users
httpd_sys_content_t    # web content served by httpd



General rules in effect once SELinux is enabled

New files or directories inherit the security context of the parent directory:

[root@test ~]# touch /root/1.txt
[root@test ~]# ls -dZ /root/
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 /root/
[root@test ~]# ls -lZ /root/1.txt
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /root/1.txt

Copying (cp) takes the security context of the target directory:

[root@test ~]# cp /root/1.txt /var/www/html/
[root@test ~]# ls -lZ /var/www/html/1.txt
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/1.txt

Moving (mv) preserves the security context of the source file:

[root@test ~]# rm -rf /var/www/html/1.txt
[root@test ~]# mv /root/1.txt /var/www/html/
[root@test ~]# ls -lZ /var/www/html/1.txt
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/1.txt

A file moved into the web root this way still carries admin_home_t, so httpd is denied access to it until the context is corrected.

Modify the security context

chcon: change the security context

Options:
  -t        specify the type (access type)
  -u, -r    specify the user and role, respectively
  -R        apply recursively

[root@test ~]# ls -lZ /var/www/html/1.txt
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/1.txt
[root@test ~]# chcon -t httpd_sys_content_t /var/www/html/1.txt
[root@test ~]# ls -lZ /var/www/html/1.txt
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/1.txt

restorecon: reset the security context

Restores the default context that the policy defines for that path.
  -R        apply recursively

[root@test ~]# touch /root/2.txt
[root@test ~]# mv /root/2.txt /var/www/html/
[root@test ~]# ls -lZ /var/www/html/2.txt
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/2.txt
[root@test ~]# restorecon /var/www/html/2.txt
[root@test ~]# ls -lZ /var/www/html/2.txt
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/2.txt
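The mv pitfall above (a file moved into /var/www/html keeps admin_home_t) is exactly what a quick label audit catches before httpd starts failing. The script below is an added example, not part of the original article: it splits a context into its four fields and scans `ls -lZ` output for entries whose type differs from the expected one; the `ls -lZ` lines embedded in it are constructed from the session above.

```shell
#!/bin/bash
# Added example (not from the article). Constructed sample of `ls -lZ /var/www/html/`
# after the mv shown in the text: 1.txt still carries admin_home_t, the others are correct.
SAMPLE_LS_Z='-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/1.txt
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/2.txt'

# Print field N of a context "user:role:type:level" (1=user, 2=role, 3=type, 4=level).
# The level is everything after the third ':' because MLS ranges contain ':' as well,
# e.g. system_u:system_r:httpd_t:s0-s0:c0.c1023.
ctx_field() {
    local ctx=$1 rest
    case $2 in
        1) printf '%s\n' "${ctx%%:*}" ;;
        2) rest=${ctx#*:};   printf '%s\n' "${rest%%:*}" ;;
        3) rest=${ctx#*:*:}; printf '%s\n' "${rest%%:*}" ;;
        4) printf '%s\n' "${ctx#*:*:*:}" ;;
        *) return 1 ;;
    esac
}

# Read `ls -lZ` output on stdin and print the path of every entry whose type is not
# the expected one. The context is found by its user:role:type: shape rather than by
# field number, so the check also works with coreutils versions that print size and
# date between the group and the context.
find_mislabeled() {
    awk -v want="$1" '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[a-z0-9_]+:[a-z0-9_]+:[a-z0-9_]+:/) {
                split($i, c, ":")
                if (c[3] != want) print $NF
                break
            }
        }
    }'
}

# Run the check over the embedded sample.
mislabeled_in_sample() {
    printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled httpd_sys_content_t
}

# Live usage: ls -lZ /var/www/html | find_mislabeled httpd_sys_content_t
```

On a real system, `restorecon -R` on the reported paths puts them back to the policy default.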



2. SELinux booleans (feature switches)

getsebool: view booleans
  -a    list all booleans

setsebool: set booleans
  -P    make the change persistent so that it survives a reboot

Enable the SELinux troubleshooting logger (setroubleshoot)

[root@test ~]# rpm -qa | grep shoot
setroubleshoot-plugins-3.0.59-1.el7.noarch
setroubleshoot-3.2.24-1.1.el7.x86_64
setroubleshoot-server-3.2.24-1.1.el7.x86_64





Exercise: enable SELinux, allow the local FTP service, and allow anonymous users to upload and download files

[root@test ~]# yum -y install vsftpd
[root@test ~]# mkdir /var/ftp/sharedir
[root@test ~]# chmod o+w /var/ftp/sharedir/
[root@test ~]# cp /etc/hosts /var/ftp/sharedir/
[root@test ~]# vim /etc/vsftpd/vsftpd.conf
line 29: anon_upload_enable=YES
[root@test ~]# systemctl restart vsftpd
[root@test ~]# getsebool -a | grep ftp
[root@test ~]# setsebool -P ftpd_full_access=on
[root@test ~]# setsebool -P ftpd_anon_write=on

[root@test ~]# yum -y install ftp.x86_64
[root@test ~]# ftp 192.168.4.12
Connected to 192.168.4.12 (192.168.4.12).
220 (vsFTPd 3.0.2)
Name (192.168.4.12:root): ftp
Password:
ftp> cd sharedir
ftp> lcd /root          # set the local directory used for transfers
ftp> put test.txt       # upload a local file
ftp> get hosts          # download a file





Exercise: enable SELinux and change the port the local web service listens on to 8090

[root@test ~]# sed -i '42s/80/8090/' /etc/httpd/conf/httpd.conf
[root@test ~]# grep -n 8090 /etc/httpd/conf/httpd.conf
42:Listen 8090
[root@test ~]# systemctl restart httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

[root@test ~]# grep -i "setroubleshoot" /var/log/messages | tail -1
Jan  3 01:43:44 test setroubleshoot: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 8090. For complete SELinux messages. Run sealert -l b044047d-64e3-425b-aa88-50ffb248f814
[root@test ~]# sealert -l b044047d-64e3-425b-aa88-50ffb248f814    # the alert ID from the log; sealert prints the suggested fixes
...
If you want to allow /usr/sbin/httpd to bind to network port 8090
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 8090
    where PORT_TYPE is one of the following: http_cache_port_t, http_port_t, jboss_management_port_t, jboss_messaging_port_t, ntop_port_t, puppet_port_t.
...
[root@test ~]# semanage port -a -t http_port_t -p tcp 8090
[root@test ~]# systemctl restart httpd
[root@test ~]# netstat -pantu | grep httpd
tcp6       0      0 :::8090                 :::*                    LISTEN      9668/httpd
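One check worth doing before running the `semanage port -a` fix above: the command fails with "Port tcp/PORT already defined" when the port is already bound to another type (8080, for instance, belongs to http_cache_port_t), and `semanage port -m` is needed instead. The script below is an added example, not from the article; the `semanage port -l` excerpt embedded in it is constructed, and its rows are assumptions about a RHEL 7 targeted policy.

```shell
#!/bin/bash
# Added example (not from the article). Constructed excerpt of `semanage port -l`
# output on RHEL 7; the real listing has many more rows.
SAMPLE_PORT_LIST='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767, 61001-65535'

# Print the type whose entry lists PORT/PROTO explicitly, reading `semanage port -l`
# output on stdin. Ranges such as 1024-32767 are ignored on purpose: semanage refuses
# "port -a" only when the exact port is already defined, not when it falls in a range.
port_exact_type() {
    awk -v p="$1" -v pr="$2" '$2 == pr {
        for (i = 3; i <= NF; i++) {
            f = $i; sub(/,$/, "", f)
            if (f == p) { print $1; exit }
        }
    }'
}

# Print the semanage command that labels PORT/PROTO with type WANTED, or nothing
# if it already has that type. A port defined with a different type must be
# changed with -m; -a would fail with "already defined".
port_label_cmd() {
    local port=$1 proto=$2 wanted=$3 current
    current=$(port_exact_type "$port" "$proto")
    if [ -z "$current" ]; then
        echo "semanage port -a -t $wanted -p $proto $port"
    elif [ "$current" != "$wanted" ]; then
        echo "semanage port -m -t $wanted -p $proto $port"
    fi
}

# Run the decision against the embedded sample.
label_cmd_in_sample() {
    printf '%s\n' "$SAMPLE_PORT_LIST" | port_label_cmd "$@"
}

# Live usage: semanage port -l | port_label_cmd 8090 tcp http_port_t
```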



One of the questions on the RHCE exam is:

    Configure SELinux
    Make sure SELinux on both of your virtual machines is in enforcing mode

    What we need to do is run the following on both virtual machines:

        # setenforce 1                  # set the current SELinux mode to enforcing
        # getenforce                    # show the current SELinux mode
        Enforcing
        # vim /etc/selinux/config       # edit the configuration file and set SELINUX=enforcing so the mode persists across reboots
        # sed -n "7p" /etc/selinux/config
        SELINUX=enforcing
