Context Value and bool switch

Source: Internet
Author: User

    1. Context values and bool switches

The context value comes in two kinds:

    1. the default context value of the system, which a new file or directory takes over from the directory it is created in;
    2. the context value of a service, which the policy assigns to the directories a service owns (/var/ftp/pub, /var/www/html) and which that service's domain is allowed to read.

Role of the context value

Its main job is to keep a service from touching files that do not carry the label its policy expects, for example something planted in a shared directory: even when the ordinary directory permissions allow it, a file with a foreign label stays invisible to the service. Note that cp creates a new file, which takes the destination directory's label, whereas mv keeps the file's old label; moving a file in is the usual way a wrongly labelled file ends up in a service directory.

Function of the bool switch

A bool switch is a policy setting that can be flipped at run time. It matters when SELinux is in the enforcing (mandatory) state and the policy denies something the administrator actually wants, for example an FTP user whose account and password are correct but who still cannot log in and reach their files: turning on the matching bool allows that access without leaving the enforcing state or editing the policy.

The commands used for context values and bool switches:

    chcon -t TYPE FILE      change a file's type (a temporary change, undone by restorecon or a relabel)
    restorecon -v FILE      restore the context the policy defines for the path
    getsebool -a            list all bool switches and their state
    setsebool BOOL on|off   turn a bool switch on (1) or off (0)

    2. Experiment 1: the context value

First look at the files in root's home directory and compare an ordinary listing with ls -Z: the second listing carries an extra field, admin_home_t, which is the context value (strictly its type field; the full context also names a user, a role and a level, but the type is what these experiments turn on).

Next, take the file install.log as an example. Copy it to /tmp and look at its context again: it has become user_tmp_t, because the copy is a new file and takes the label that applies under /tmp.

The next step is to demonstrate what the context value does.

First test with FTP shared files. Installing the FTP service creates the two directory levels ftp/pub under /var, and shared files go in pub. Create a file test there and copy install.log in as well: the context of test is public_content_t, and the context of the copied install.log has also become public_content_t.

Then log in to the FTP service from a remote client and list pub: both shared files are visible.

Now change the context of install.log to tmp_t (chcon -t tmp_t install.log).

Log in to the FTP service again and list pub: install.log is no longer shown. This gives a first hint of what is going on, namely that a file is expected to carry the context value of the directory above it.

To check that hunch, look at the context of pub itself. As guessed, pub's context is public_content_t, and that is the type the FTP daemon's domain is allowed to read. The file install.log still exists, but its context was just changed to tmp_t, a type outside what the FTP policy allows the daemon, so the access is denied (the denial is recorded in /var/log/audit/audit.log) and the file drops out of the listing. It is the daemon that is refused, not the directory that "fails to recognize" the file: the directory matters only because its label is what the file inherited and what the policy expects there.

To make this conclusive, restore the context of install.log (restorecon -v install.log) and look again.

After the restore, list pub again: install.log is back. The role of the context value can now be summarized.

Because the context value of the directory pub is public_content_t, the files under pub carry public_content_t too, and that is what the FTP service is allowed to read. If a file's context is changed by hand to something else, the service is denied access to it: the file is not deleted, but it no longer shows up over FTP. The same rule holds for any confined service and its directory, and the quick way to spot such a file is restorecon -Rnv DIR, which lists what it would relabel without changing anything.

Then test under HTTP. Installing the HTTP service creates the two directory levels www/html under /var. Create a file named index.html under html; this is the page the browser fetches. Back to the context value: the context of index.html is httpd_sys_content_t, and the page is visible in the browser.

Next, change the context of index.html to tmp_t.

The browser no longer shows the page content. The reason is that httpd is now denied the file: its domain may read httpd_sys_content_t, not tmp_t, so the page is unreadable even though the file is still in the html directory.

Then restore the context of index.html to httpd_sys_content_t, and the browser shows hello again.

Next, delete the two directory levels ftp/pub that the FTP installation created.

Logging in to the FTP service now fails, as expected: the shared directory is gone.

Then recreate the two directory levels ftp/pub by hand.

Log in remotely again: the login succeeds, but the shared directory pub is not visible.

This is where the context value comes to mind. Looking at the context of pub, it is var_t: the new directory inherited the context of /var. But /var carries the system's default context, which is not the context the FTP service works with, so the recreated directory has only the right name and not the service's context value, and is useless to the service.

The context can be put right with restorecon -Rv ftp (run inside /var), which relabels the whole tree to what the policy defines for those paths; matchpathcon /var/ftp/pub shows what that expected context is.

After the contexts are restored, the share is visible again.

Now the question of how a file inherits from the level above it. The experiment needs one more explanation.

The context value comes in two kinds:

    1. the default context value of the system;
    2. the context value of a service.

The FTP directory is created under /var when the FTP service is installed, yet it does not carry /var's context even though it sits below /var. That does not overturn what the context value does; it shows that inheritance works in two ways. In the first, a directory or file created by hand takes the default context of its parent, which is how the hand-made pub ended up as var_t. In the second, directories and files that a service's installation creates get their own context, because the policy's file-context rules name those paths explicitly and the package (or restorecon afterwards) labels them accordingly. Treat the second case as the exception to parent inheritance, and everything observed above is explained. semanage fcontext -l lists those path rules, and matchpathcon PATH tells you which one a given path falls under.
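The check that the FTP and HTTP experiments above do by eye, as an added example that is not part of the original post: every entry under a service directory should carry the directory's own type, and anything else is what a stray chcon (or a file moved in with mv) looks like to the service. The text helpers run anywhere; the live functions assume GNU coreutils (stat -c %C prints the SELinux context) and an SELinux-enabled host, and the SELINUX_DEMO_RUN guard is a convention of this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit the labels under a
# service directory such as /var/ftp/pub or /var/www/html.

# Type field of a context: unconfined_u:object_r:tmp_t:s0 -> tmp_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "path<TAB>context" lines on stdin and print one line per entry
# whose type is not $1. Returns 1 if anything was mislabelled.
find_mislabelled() {
    expected=$1
    bad=0
    tab=$(printf '\t')
    while IFS=$tab read -r path ctx; do
        [ -n "$path" ] || continue
        actual=$(context_type "$ctx")
        if [ "$actual" != "$expected" ]; then
            printf '%s %s (expected %s)\n' "$path" "$actual" "$expected"
            bad=1
        fi
    done
    return $bad
}

# Live system: emit "path<TAB>context" for everything below a directory.
list_contexts() {
    tab=$(printf '\t')
    find "$1" -mindepth 1 -exec stat -c "%n$tab%C" {} +
}

# Live system: compare every entry under $1 with the directory's own
# type (the inheritance rule observed above); with --fix, put the
# policy's labels back with restorecon.
audit_dir() {
    dir=$1
    expected=$(context_type "$(stat -c '%C' "$dir")")
    if list_contexts "$dir" | find_mislabelled "$expected"; then
        echo "$dir: all entries are $expected"
    elif [ "${2:-}" = "--fix" ]; then
        restorecon -Rv "$dir"
    else
        echo "$dir: run again with --fix (restorecon -Rv) to repair" >&2
        return 1
    fi
}

# Guarded so that loading the file for its helpers does nothing.
# Run it as:  SELINUX_DEMO_RUN=1 sh audit.sh /var/ftp/pub [--fix]
if [ "${SELINUX_DEMO_RUN:-0}" = 1 ]; then
    audit_dir "${1:-/var/ftp/pub}" "${2:-}"
fi
```

With install.log relabelled to tmp_t as in the experiment, the audit prints that one path and exits 1; after restorecon it prints nothing and exits 0. Comparing against the directory's type is the rule the post discovered; restorecon -Rnv, which consults the policy's file-context rules instead, is the stricter check when the directory itself may be wrong (the var_t case below).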

There is also another way to restore context values.

First install the package policycoreutils-gui, then run the command system-config-selinux.

In the graphical interface that opens, tick "Relabel on next reboot" and restart the system. While the system comes up, every file is relabelled, so changed context values are put back to the values the policy defines. The tick simply creates the flag file /.autorelabel; touch /.autorelabel does the same without the GUI.

Below is the relabelling pass after the system starts. Each * printed on the console stands for a thousand files relabelled (restorecon's progress indicator), and the pass can take a while on a large file system.

Once the system is up, look at the context of pub again: it has indeed been restored.

That raises the question: if a single tick can throw away a changed context, can a context be made permanent so that even a relabel leaves it in place?

Yes. Record the change in the policy's file-context rules:

    semanage fcontext -a -t httpd_sys_content_t '/var/ftp/pub(/.*)?'

The argument is a regular expression covering the directory and everything beneath it. The command only records the rule; run restorecon -Rv /var/ftp/pub afterwards to apply it to the files already there. From then on restorecon and a relabel on boot set httpd_sys_content_t, because that is now what the policy says the path should have. semanage comes from the policycoreutils-python package on RHEL/CentOS 6 and 7, and semanage fcontext -l | grep ftp/pub shows the rule once it is in place.
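The persistent-label step as a complete procedure, with the verification the post stops short of. This is an added example, not the post's own commands: it uses the post's directory and type, assumes root on an SELinux host with semanage installed, and the SELINUX_DEMO_RUN guard is a convention of this example.

```shell
#!/bin/sh
# Added example, not from the original post: record a custom label in
# the policy's file-context database so that restorecon and a boot-time
# relabel keep it, then prove that the rule is in place.

DIR=${1:-/var/ftp/pub}
TYPE=${2:-httpd_sys_content_t}   # the post's choice; public_content_t keeps it a plain FTP share

# semanage wants a regular expression, not a path:
#   /var/ftp/pub -> /var/ftp/pub(/.*)?   (the directory and everything beneath it)
fcontext_pattern() {
    printf '%s(/.*)?\n' "$1"
}

# Parse `matchpathcon -V` output ("PATH verified." or
# "PATH has context X, should be Y") and print the paths whose on-disk
# label differs from what the policy now says.
needs_relabel() {
    grep -v ' verified\.$' | cut -d' ' -f1
}

# Type recorded for a pattern in `semanage fcontext -l` output, whose
# last column is the context, e.g.
#   /var/ftp/pub(/.*)?    all files    system_u:object_r:httpd_sys_content_t:s0
recorded_type() {
    awk -v pat="$1" '$1 == pat { n = split($NF, f, ":"); print f[3] }'
}

# Live system: write the rule, apply it, and verify both halves.
persist_label() {
    pattern=$(fcontext_pattern "$DIR")
    semanage fcontext -a -t "$TYPE" "$pattern"   # record the rule (use -m to change an existing one)
    restorecon -Rv "$DIR"                        # apply it to the files already there
    echo "rule recorded: $(semanage fcontext -l | recorded_type "$pattern")"
    echo "still out of step with the policy (should be empty):"
    find "$DIR" -exec matchpathcon -V {} + | needs_relabel
}

if [ "${SELINUX_DEMO_RUN:-0}" = 1 ]; then
    persist_label
fi
```

After this, touch /.autorelabel and a reboot leave /var/ftp/pub with httpd_sys_content_t, whereas a plain chcon would have been reverted. semanage fcontext -a refuses a pattern that already has a rule; use -m to modify it and -d to remove a rule that is no longer wanted.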

    3. Experiment 2: the bool switch

First, the function of the bool switch: when SELinux is in the enforcing state and blocks an access, turning on the right bool allows that access to continue. Before that, a short explanation of the three SELinux states.

The first is disabled: SELinux is switched off entirely and no policy is loaded.

The second is permissive: the policy is evaluated and every denial is logged, but nothing is actually blocked. It is mainly used to tell whether a problem lies with the service itself or with SELinux. For example, a remote user who knows a valid account and password can log in and is not stopped afterwards.

The third is enforcing, the mandatory state: the same user may authenticate successfully and still be unable to access anything, because the policy forbids it and the denial is enforced. This is the more secure setting.

That creates a problem. Security is indeed higher with SELinux in the enforcing state, but if the service cannot be used at all, that security is pointless. Is there a way to keep the enforcing state and still allow the access?

That is what the bool switch is for.

Now the demonstration of the bool switch.

First install the setroubleshoot package, and set SELinux to enforcing (SELINUX=enforcing in /etc/selinux/config). For both changes to take effect the system is restarted; going from disabled to enforcing needs the reboot so that the file system is relabelled, whereas between permissive and enforcing setenforce 1 takes effect immediately. After the restart, getenforce reports Enforcing, and the SELinux troubleshooting tool appears under the system tools, which means setroubleshoot installed successfully.

Now the bool value can be changed.

First, log in to the FTP service as an ordinary local account on the host. The login is accepted, but the user's files cannot be listed and the client reports a login failure. This is SELinux enforcing at work: by default the FTP daemon is not allowed into users' home directories, and the denial is logged in /var/log/audit/audit.log.

Then look at the bool switch information. The search can be narrowed: the access we want is to files under the FTP user's home, so list only the FTP-related bools, for example getsebool -a | grep ftp. The relevant one is off, that is, the bool is in the closed state.

So turn it on with setsebool, where 1 (or on) means open and 0 (or off) means closed; add -P if the setting is to survive a reboot, otherwise it lasts only until the next boot.

Visit again, and the files under the account's home directory can be seen.
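The bool-switch workflow with the evidence the post skips over, as an added example that is not part of the original post. The AVC record in the script is a constructed sample, not captured from a real host, shaped like the line /var/log/audit/audit.log holds when vsftpd (domain ftpd_t) is refused a local user's home directory; the post never names the bool, and ftp_home_dir is the one that permits that access on RHEL/CentOS 6 and 7 (on any host, getsebool -a | grep ftp and audit2allow -w -a are authoritative). The live function assumes root on an SELinux host with vsftpd and auditd, and the SELINUX_DEMO_RUN guard is a convention of this example.

```shell
#!/bin/sh
# Added example, not from the original post: read the denial, find the
# boolean, flip it, confirm.

# Constructed sample AVC record (not captured from a real host)
SAMPLE_AVC='type=AVC msg=audit(1400000000.123:45): avc:  denied  { read } for  pid=1234 comm="vsftpd" name="user1" dev=sda2 ino=131073 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir'

# Value of KEY=VALUE inside an AVC record, surrounding quotes removed.
#   avc_field "$line" comm -> vsftpd
avc_field() {
    printf '%s\n' "$1" \
        | sed -n 's/.*[[:space:]]'"$2"'=\([^[:space:]]*\).*/\1/p' \
        | sed 's/^"//; s/"$//'
}

# The permission set inside the braces:  { read } -> read
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# Type field of a context: system_u:system_r:ftpd_t:s0-s0:c0.c1023 -> ftpd_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# One line that says who was denied what: the source domain is the
# service, the target type is the label of the file or directory it hit.
avc_summary() {
    printf 'comm=%s source=%s target=%s class=%s denied=%s\n' \
        "$(avc_field "$1" comm)" \
        "$(context_type "$(avc_field "$1" scontext)")" \
        "$(context_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perm "$1")"
}

# State from a getsebool line:  "ftp_home_dir --> off" -> off
bool_state() {
    printf '%s\n' "$1" | awk '{ print $NF }'
}

# Live system: summarize the recent vsftpd denials, then flip the bool.
# 1/on and 0/off are interchangeable; -P writes the value into the
# policy so it survives a reboot, without it the change lasts only
# until the next boot.
fix_ftp_home_dir() {
    ausearch -m AVC -c vsftpd -ts recent 2>/dev/null | grep '^type=AVC' |
    while read -r line; do avc_summary "$line"; done
    if [ "$(bool_state "$(getsebool ftp_home_dir)")" = off ]; then
        setsebool -P ftp_home_dir on
    fi
    getsebool ftp_home_dir      # should now read: ftp_home_dir --> on
}

if [ "${SELINUX_DEMO_RUN:-0}" = 1 ]; then
    fix_ftp_home_dir
fi
```

For the sample record the summary reads comm=vsftpd source=ftpd_t target=user_home_dir_t class=dir denied=read, which is exactly the "logged in but cannot see my files" symptom above. The point of reading the AVC first is that the bool is chosen from what was actually denied; when a denial does not map to any bool, the fix is a label (previous section) or a local policy module, not a switch.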

This concludes the experiments on context values and bool switches.
