Comprehensive analysis of RHCE (Red Hat Certified Engineer) exam topics: SELinux
Last Update: 2018-01-07
Source: Internet
Author: User
Linux security models
DAC: discretionary access control
MAC: mandatory access control
SELinux
A set of MAC extensions that strengthen Linux security
Development led by the National Security Agency (NSA)
How SELinux works
Integrated into the Linux kernel (2.6 and above)
The operating system provides customizable policies and management tools
[root@test ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)
[root@test ~]# uname -r
3.10.0-327.el7.x86_64
[root@test ~]# rpm -qa | grep -i selinux
selinux-policy-3.13.1-60.el7.noarch
libselinux-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.13.1-60.el7.noarch
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
View the current status of SELinux
[root@test ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
[root@test ~]# ls /etc/selinux/
[root@test ~]# ls /sys/fs/selinux/
[root@test ~]# setenforce 0|1 # 0: permissive, 1: enforcing (takes effect immediately, does not survive a reboot)
[root@test ~]# getenforce # show the current SELinux mode
[root@test ~]# vim /etc/selinux/config # configuration file (the persistent setting, read at boot)
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing. # permissive mode: denials are logged but not blocked
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection. # multi-level, all-encompassing security policy
SELINUXTYPE=targeted # recommended: confines only the most common/critical network services; other processes run unconfined
SELinux policy settings
First, the security context
Process: ps aux -Z
Directory: ls -dZ DIRECTORY
File: ls -lZ FILE
[root@test ~]# ls -lZ /etc/passwd
-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/passwd
[root@test ~]# ls -dZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
[root@test ~]# ls -dZ /var/lib/mysql/
drwxr-x--x. mysql mysql system_u:object_r:mysqld_db_t:s0 /var/lib/mysql/
[root@test ~]# ps aux -Z | grep httpd
system_u:system_r:httpd_t:s0 root 5965 0.1 0.4 226128 5052 ? Ss 22:33 0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 5966 0.0 0.3 228212 3144 ? S 22:33 0:00 /usr/sbin/httpd -DFOREGROUND
Components of a security context
user:role:type:level (for example system_u:object_r:httpd_sys_content_t:s0; the third field, the type, is what the targeted policy mostly decides on, and for a process it is called the domain)
Common types
bin_t # binary executables
etc_t # system configuration files
fsadm_exec_t # file system management tools
admin_home_t # home directory of the administrator account
user_home_t # home directories of ordinary users
httpd_sys_content_t # httpd web site content
General rules once SELinux is enabled
A new file or directory inherits the security context of its parent directory
[root@test ~]# touch /root/1.txt
[root@test ~]# ls -dZ /root/
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 /root/
[root@test ~]# ls -lZ /root/1.txt
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /root/1.txt
A copy inherits the security context of the target directory
[root@test ~]# cp /root/1.txt /var/www/html/
[root@test ~]# ls -lZ /var/www/html/1.txt
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/1.txt
A move keeps the security context of the source file
[root@test ~]# rm -rf /var/www/html/1.txt
[root@test ~]# mv /root/1.txt /var/www/html/
[root@test ~]# ls -lZ /var/www/html/1.txt
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/1.txt
Because the moved file still carries admin_home_t, httpd (running in the httpd_t domain) is not allowed to read it; an HTTP 403 after moving files into the web root is the typical symptom.
Modifying the security context
chcon: change the security context
Options: -t: specify the type
-u, -r: specify the user and the role, respectively
-R: apply recursively
[root@test ~]# ls -lZ /var/www/html/1.txt
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/1.txt
[root@test ~]# chcon -t httpd_sys_content_t /var/www/html/1.txt
[root@test ~]# ls -lZ /var/www/html/1.txt
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/1.txt
A context set with chcon is not recorded in the policy, so a later restorecon or a full relabel reverts it.
restorecon: reset the security context
Restores the default context that the policy defines for that location
-R: recursive restore
[root@test ~]# touch /root/2.txt
[root@test ~]# mv /root/2.txt /var/www/html/
[root@test ~]# ls -lZ /var/www/html/2.txt
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/2.txt
[root@test ~]# restorecon /var/www/html/2.txt
[root@test ~]# ls -lZ /var/www/html/2.txt
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/2.txt
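The move rule and the restorecon fix above can be turned into a small audit: parse `ls -lZ` output, flag every file whose type is not the one the directory is supposed to carry, and print the restorecon line for each. This is an added example, not part of the original article; the `ls -lZ` lines are constructed to match the article's output format, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): find files that kept a
# foreign SELinux type after `mv` (admin_home_t under /var/www/html in the
# article) and emit a restorecon command for each one.
# RHEL 7 `ls -lZ` field layout: mode user group user:role:type:level path
# (paths containing spaces are not handled; use restorecon -nv -R for those).

# Constructed sample in the shape of `ls -lZ /var/www/html/*`:
SAMPLE_LS='-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/1.txt
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/2.txt
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html'

# ctx_part N: stdin = ls -lZ lines; print part N of the context
# (1 user, 2 role, 3 type, 4 level) followed by the path
ctx_part() { awk -v n="$1" '{ split($4, c, ":"); print c[n], $5 }'; }

# mislabeled WANT: stdin = ls -lZ lines; print paths whose type is not WANT
mislabeled() { awk -v want="$1" '{ split($4, c, ":"); if (c[3] != want) print $5 }'; }

# audit LS_TEXT WANT: one "restorecon -v PATH" per mismatch, nothing if clean
audit() { printf '%s\n' "$1" | mislabeled "$2" | sed 's/^/restorecon -v /'; }

# Typical use on a live host (as root), with the expected type taken from
# `ls -dZ /var/www/html/`:  audit "$(ls -lZ /var/www/html/*)" httpd_sys_content_t
```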
Second, SELinux booleans (feature switches)
getsebool: view
-a: list all booleans
setsebool: set
-P: change persistently, so it survives a reboot
Enabling the SELinux troubleshooting logger (setroubleshoot)
[root@test ~]# rpm -qa | grep shoot
setroubleshoot-plugins-3.0.59-1.el7.noarch
setroubleshoot-3.2.24-1.1.el7.x86_64
setroubleshoot-server-3.2.24-1.1.el7.x86_64
Exercise: with SELinux enabled, allow the local ftp service to let anonymous users upload and download files
[root@test ~]# yum -y install vsftpd
[root@test ~]# mkdir /var/ftp/sharedir
[root@test ~]# chmod o+w /var/ftp/sharedir/
[root@test ~]# cp /etc/hosts /var/ftp/sharedir/
[root@test ~]# vim /etc/vsftpd/vsftpd.conf
29 anon_upload_enable=YES
[root@test ~]# systemctl restart vsftpd
[root@test ~]# getsebool -a | grep ftp
[root@test ~]# setsebool -P ftpd_full_access=on
[root@test ~]# setsebool -P ftpd_anon_write=on
Note that ftpd_full_access lifts most label checks for the ftp daemon, which is far broader than this task needs; ftpd_anon_write together with the public_content_rw_t type on the upload directory is the narrower setting.
[root@test ~]# yum -y install ftp.x86_64
[root@test ~]# ftp 192.168.4.12
Connected to 192.168.4.12 (192.168.4.12).
220 (vsFTPd 3.0.2)
Name (192.168.4.12:root): ftp
Password:
ftp> cd sharedir
ftp> lcd /root # set the local directory used for uploads and downloads
ftp> put test.txt # upload a local file
ftp> get hosts # download a file
Exercise: with SELinux enabled, change the port the local web service listens on to 8090
[root@test ~]# sed -i '42s/80/8090/' /etc/httpd/conf/httpd.conf
[root@test ~]# grep -n 8090 /etc/httpd/conf/httpd.conf
42:Listen 8090
[root@test ~]# systemctl restart httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
[root@test ~]# grep -i "setroubleshoot" /var/log/messages | tail -1
Jan 3 01:43:44 test setroubleshoot: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 8090. For complete SELinux messages. Run sealert -l b044047d-64e3-425b-aa88-50ffb248f814
[root@test ~]# sealert -l b044047d-64e3-425b-aa88-50ffb248f814 # read the full report and pick a suggested fix from it
...
If you want to allow /usr/sbin/httpd to bind to network port 8090
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 8090
Where PORT_TYPE is one of the following: http_cache_port_t, http_port_t, jboss_management_port_t, jboss_messaging_port_t, ntop_port_t, puppet_port_t.
...
http_port_t is the right choice because it is the type httpd is already allowed to bind; labelling the port is tighter than writing a custom allow rule for httpd_t. On RHEL 7 the semanage command comes from the policycoreutils-python package.
[root@test ~]# semanage port -a -t http_port_t -p tcp 8090
[root@test ~]# systemctl restart httpd
[root@test ~]# netstat -pantu | grep httpd
tcp6 0 0 :::8090 :::* LISTEN 9668/httpd
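The same diagnosis can be scripted: extract the binary, protocol and port from the setroubleshoot line and decide which semanage invocation is needed. This is an added example, not from the original article or the setroubleshoot project; the `semanage port -l` listing is a constructed excerpt, and it generalises the 8090 case by also handling ports that already carry a type (where `semanage port -a` fails with "already defined" and `-m` is required) and port ranges.

```shell
#!/bin/sh
# Added example (not from the original article): turn a setroubleshoot name_bind
# denial into the semanage command to run. `-a` adds a port definition, `-m`
# modifies one that already exists; picking the wrong one is a common stumble.

# Constructed inputs: the article's log line and a trimmed `semanage port -l`.
DENIAL='Jan 3 01:43:44 test setroubleshoot: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 8090. For complete SELinux messages. Run sealert -l b044047d-64e3-425b-aa88-50ffb248f814'
PORT_LIST='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
unreserved_port_t              tcp      61001-65535'

# parse_denial LINE: print "binary proto port" taken from the message
parse_denial() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++) {
      if ($i == "preventing") bin = $(i + 1)
      if ($i ~ /_socket$/) { proto = $i; sub(/_socket$/, "", proto) }
      if ($i == "port") { port = $(i + 1); sub(/\.$/, "", port) }
    }
    print bin, proto, port }'
}

# port_type PROTO PORT: stdin = semanage port -l; print the type that already
# covers PORT (single ports and ranges), or nothing if the port is undefined
port_type() {
  awk -v proto="$1" -v port="$2" '$2 == proto {
    for (i = 3; i <= NF; i++) {
      p = $i; sub(/,$/, "", p)
      if (p ~ /-/) { split(p, r, "-"); if (port+0 >= r[1]+0 && port+0 <= r[2]+0) { print $1; exit } }
      else if (p+0 == port+0) { print $1; exit }
    } }'
}

# semanage_cmd WANT PROTO PORT: choose -a, -m or no-op against $PORT_LIST
semanage_cmd() {
  cur=$(printf '%s\n' "$PORT_LIST" | port_type "$2" "$3")
  if [ -z "$cur" ]; then echo "semanage port -a -t $1 -p $2 $3"
  elif [ "$cur" = "$1" ]; then echo "# $2/$3 is already $1"
  else echo "semanage port -m -t $1 -p $2 $3"
  fi
}

# On a live host: PORT_LIST=$(semanage port -l); set -- $(parse_denial "$LINE");
# semanage_cmd http_port_t "$2" "$3"
```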
One of the questions on the RHCE exam is:
Configure SELinux
Make sure SELinux on both of your virtual machines is in enforcing mode
What we need to do is run the following on both virtual machines:
# setenforce 1 # set the running SELinux mode to enforcing
# getenforce # show the current SELinux mode
Enforcing
# vim /etc/selinux/config # edit the configuration file and set SELINUX=enforcing so the setting persists across reboots
# sed -n "7p" /etc/selinux/config
SELINUX=enforcing
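The config edit in that exam step can be made repeatable and verified without relying on line 7. Added example, not from the original article: the sed is anchored at `^SELINUX=` so it rewrites only the active setting and leaves the `# SELINUX= can take ...` comment alone, and the check greps the key rather than a line number. The sample config is a constructed copy of the file shown earlier; `set_config_enforcing` and `config_mode` are my own names.

```shell
#!/bin/sh
# Added example (not from the original article): idempotently set
# SELINUX=enforcing in a config file and read the configured mode back.

# set_config_enforcing FILE: rewrite the SELINUX= line in place.
# `cat > FILE` keeps the original inode, so the file's own ownership, mode and
# SELinux label survive (a `mv` from /tmp would bring a tmp_t label along).
set_config_enforcing() {
  tmp=$(mktemp) || return 1
  sed 's/^SELINUX=.*/SELINUX=enforcing/' "$1" > "$tmp" && cat "$tmp" > "$1"
  rm -f "$tmp"
}

# config_mode FILE: print the configured mode (sestatus: "Mode from config file")
config_mode() { sed -n 's/^SELINUX=//p' "$1"; }

# make_sample_config: write a constructed copy of /etc/selinux/config with
# permissive set and print its path, so the functions can be tried without root
make_sample_config() {
  f=$(mktemp)
  cat > "$f" <<'EOF'

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
SELINUXTYPE=targeted
EOF
  printf '%s\n' "$f"
}

# On a real host (as root) the full exam step is:
#   setenforce 1 && set_config_enforcing /etc/selinux/config && getenforce
```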