Comprehensive analysis of RHCE (Red Hat certified engineer) exam topics----SELinux Articles

Last Update:2018-01-07 Source: Internet

Author: User

Tags parent directory

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Linux Security Mode
DAC, autonomous access control

MAC, mandatory access control

SELinux

A set of MAC extension modules to strengthen Linux security

National Security Agency leads development

How SELinux works

Integrated Linux kernel (2.6 and above)

Operating system provides customizable policies and management tools

[[email protected] ~] # cat / etc / redhat-release

Red Hat Enterprise Linux Server release 7.2 (Maipo)

[[email protected] ~] # uname -r

3.10.0-327.el7.x86_64

[[email protected] ~] # rpm -qa | grep -i selinux

selinux-policy-3.13.1-60.el7.noarch

libselinux-2.2.2-6.el7.x86_64

selinux-policy-targeted-3.13.1-60.el7.noarch

libselinux-utils-2.2.2-6.el7.x86_64

libselinux-python-2.2.2-6.el7.x86_64

View the current status of SELinux

[[email protected] ~] # sestatus

SELinux status: enabled

SELinuxfs mount: / sys / fs / selinux

SELinux root directory: / etc / selinux

Loaded policy name: targeted

Current mode: permissive

Mode from config file: enforcing

Policy MLS status: enabled

Policy deny_unknown status: allowed

Max kernel policy version: 28

[[email protected] ~] # ls / etc / selinux /

[[email protected] ~] # ls / sys / fs / selinux /

[[email protected] ~] # setenforce 0 | 1 # 0: permissive 1: enforcing

[[email protected] ~] # getenforce #Check the current SELinux status

[[email protected] ~] # vim / etc / selinux / config #Configuration file

# This file controls the state of SELinux on the system.

# SELINUX = can take one of these three values:

# enforcing-SELinux security policy is enforced.

# permissive-SELinux prints warnings instead of enforcing. # loose / allow mode

# disabled-No SELinux policy is loaded.

SELINUX = enforcing

# SELINUXTYPE = can take one of three two values:

# targeted-Targeted processes are protected,

# minimum-Modification of targeted policy. Only selected processes are protected.

# mls-Multi Level Security protection. #Provide multi-level and comprehensive security protection policies

SELINUXTYPE = targeted #Recommended, protect only the most common / critical network services, other restrictions

SELinux policy settings

First, the security context

Process ps aux -Z

Directory ls -dZ directory name

File ls -lZ filename

[[email protected] ~] # ls -lZ / etc / passwd

-rw-r--r--. root root system_u: object_r: passwd_file_t: s0 / etc / passwd

[[email protected] ~] # ls -dZ / var / www / html /

drwxr-xr-x. root root system_u: object_r: httpd_sys_content_t: s0 / var / www / html /

[[email protected] ~] # ls -dZ / var / lib / mysql /

drwxr-x--x. mysql mysql system_u: object_r: mysqld_db_t: s0 / var / lib / mysql /

[[email protected] ~] # ps aux -Z | grep httpd

system_u: system_r: httpd_t: s0 root 5965 0.1 0.4 226128 5052? Ss 22:33 0:00 / usr / sbin / httpd -DFOREGROUND

system_u: system_r: httpd_t: s0 apache 5966 0.0 0.3 228212 3144? S 22:33 0:00 / usr / sbin / httpd -DFOREGROUND

Components of a security context

User: Role: Access Type: Option

Common access types

bin_t #binary execution file

etc_t #System configuration file

fsadm_exec_t #File system management

admin_home_t #Home directory of the administrator account

user_home_t #Home directory for ordinary users

httpd_sys_content_t #httpdwebsite content

General operating rules after SELinux is enabled

New files or directories inherit the security context of the parent directory

[[email protected] ~] # touch /root/1.txt

[[email protected] ~] # ls -dZ / root /

dr-xr-x ---. root root system_u: object_r: admin_home_t: s0 / root /

[[email protected] ~] # ls -lZ /root/1.txt

-rw-r--r--. root root unconfined_u: object_r: admin_home_t: s0 /root/1.txt

Inherit the security context of the target directory when copying

[[email protected] ~] # cp /root/1.txt / var / www / html /

[[email protected] ~] # ls -lZ /var/www/html/1.txt

-rw-r--r--. root root unconfined_u: object_r: httpd_sys_content_t: s0 /var/www/html/1.txt

Preserve security context of source files when moving

[[email protected] ~] # rm -rf /var/www/html/1.txt

[[email protected] ~] # mv /root/1.txt / var / www / html /

[[email protected] ~] # ls -lZ /var/www/html/1.txt

-rw-r--r--. root root unconfined_u: object_r: admin_home_t: s0 /var/www/html/1.txt

Modify security context

chcon modify security context

Options: -t: specify access type

-u, -r: Used to specify users and roles, respectively

-R: recursive modification

[[email protected] ~] # ls -lZ /var/www/html/1.txt

-rw-r--r--. root root unconfined_u: object_r: admin_home_t: s0 /var/www/html/1.txt

[[email protected] ~] # chcon -t httpd_sys_content_t /var/www/html/1.txt

[[email protected] ~] # ls -lZ /var/www/html/1.txt

-rw-r--r--. root root unconfined_u: object_r: httpd_sys_content_t: s0 /var/www/html/1.txt

restorecon resets the security context

— Revert to the default context properties of the location

-R: Recursive recovery

[[email protected] ~] # touch /root/2.txt

[[email protected] ~] # mv /root/2.txt / var / www / html /

[[email protected] ~] # ls -lZ /var/www/html/2.txt

-rw-r--r--. root root unconfined_u: object_r: admin_home_t: s0 /var/www/html/2.txt

[[email protected] ~] # restorecon /var/www/html/2.txt

[[email protected] ~] # ls -lZ /var/www/html/2.txt

-rw-r--r--. root root unconfined_u: object_r: httpd_sys_content_t: s0 /var/www/html/2.txt

Two. SELinux boolean: (function switch)

getsebool View

-a to list all booleans

setsebool settings

-P changes permanently, restart still works

Enable SELinux logger

[[email protected] ~] # rpm -qa | grep shoot

setroubleshoot-plugins-3.0.59-1.el7.noarch

setroubleshoot-3.2.24-1.1.el7.x86_64

setroubleshoot-server-3.2.24-1.1.el7.x86_64

Exercise: Enable SELinux, allow local ftp service, allow anonymous users to upload and download files

[[email protected] ~] # yum -y install vsftpd

[[email protected] ~] # mkdir / var / ftp / sharedir

[[email protected] ~] # chmod o + w / r / ftp / sharedir /

[[email protected] ~] # cp / etc / hosts / var / ftp / sharedir /

[[email protected] ~] # vim /etc/vsftpd/vsftpd.conf

29 anon_upload_enable = YES

[[email protected] ~] # systemctl restart vsftpd

[[email protected] ~] # getsebool -a | grep ftp

[[email protected] ~] # setsebool -P ftpd_full_access = on

[[email protected] ~] # setsebool -P ftpd_anon_write = on

[[email protected] ~] # yum -y install ftp.x86_64

[[email protected] ~] # ftp 192.168.4.12

Connected to 192.168.4.12 (192.168.4.12).

220 (vsFTPd 3.0.2)

Name (192.168.4.12:root): ftp

Password:

ftp> cd sharedir

ftp> lcd / root #Set local accept directory location

ftp> put test.txt #upload local files

ftp> get hosts #under the file

Exercise Enable SELinux and modify the port 8090 listened by the native web service

[[email protected] ~] # sed -i '42s / 80/8090 /' /etc/httpd/conf/httpd.conf

[[email protected] ~] # grep -n 8090 /etc/httpd/conf/httpd.conf

42: Listen 8090

[[email protected] ~] # systemctl restart httpd

Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

[[email protected] ~] # grep -i "setroubleshoot" / var / log / messages | tail -1

Jan 3 01:43:44 test setroubleshoot: SELinux is preventing / usr / sbin / httpd from name_bind access on the tcp_socket port 8090. For complete SELinux messages. Run sealert -l b044047d-64e3-425b-aa88-50ffb248f814

[[email protected] ~] # sealert -l b044047d-64e3-425b-aa88-50ffb248f814 #The solution provided by the run log file Find a solution in it

...

If you want to allow / usr / sbin / httpd to bind to network port 8090

Then you need to modify the port type.

Do

# semanage port -a -t PORT_TYPE -p tcp 8090

Where PORT_TYPE is one of the following: http_cache_port_t, http_port_t, jboss_management_port_t, jboss_messaging_port_t, ntop_port_t, puppet_port_t.

...

[[email protected] ~] # semanage port -a -t http_port_t -p tcp 8090

[[email protected] ~] # systemctl restart httpd

[[email protected] ~] # netstat -pantu | grep httpd

tcp6 0 0 ::: 8090 ::: * LISTEN 9668 / httpd

One of the questions on the RHCE exam is:

Configure SELinux
Make sure SELinux for your two virtual machines is in forced enable mode

What we need to do is perform the following operations on the two virtual machines:

# setenforce 1 #Configure the current SELinux status as enforcing (force start)

# getenforce #View the current SELinux status

Enforcing

# vim / etc / selinux / config #Modify the configuration file and configure it to enforcing (force start)

# sed -n "7p" / etc / selinux / config

SELINUX = enforcing

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More