SELinux Brief Introduction


On Linux, SELinux provides fine-grained security policy rules for access control of files, comparable to the ACL rules used on a network. Most system administrators find SELinux too cumbersome and simply disable it; in fact, in scenarios with high security requirements, using SELinux properly can make the system considerably more robust.

The purpose of SELinux is to control how processes access files in a Linux environment. Without SELinux, a process or application such as the Apache daemon is started as root, and if the application is compromised by malicious code, it can do whatever it wants, because root has full permissions on every file. With SELinux, this problem can be avoided by restricting the behaviour of the application.


SELinux takes a step towards eliminating this risk. With SELinux, a process or application has only the permissions it needs and nothing more. An application's SELinux policy determines what types of files it needs to access and which process domains it can transition to. The SELinux policy is written by the application developer and shipped with the Linux distributions that support it. A policy is basically a set of rules that map processes and users to their rights.


SELinux Policy

The core of the SELinux security engine is its policy. A policy is a set of rules that defines the security and access rights of everything in the system. SELinux classifies policies in terms of users, roles, processes and files, and defines how each of these entities relates to the others.

Users: SELinux users correspond to the ordinary users and system users of the Linux system. A user can manage their own files, processes and so on; a process is called a subject.

Roles: a role acts like a gateway between users and processes. Roles define which users can access which processes. A role is not like a group; it is more like a filter: a user can be granted a role at any time. The roles in the SELinux policy define which users can assume the role. They also define which process domains the role itself can access. Roles are what allow SELinux to implement role-based access control (RBAC).

Subjects and objects: a subject is a process, and a process can potentially affect objects. An object can be a file, a directory, a port, a TCP socket, or even a whole server. The actions a subject performs on an object are the permissions the subject has.

Domains: a domain is the area in which a SELinux subject (process) can run. This area is like the subject's range of activity. It tells the process what it may and may not do. For example, a domain defines which files, directories, links, devices or ports the subject can access.

Types: a type is similar to the concept of metadata, used to describe the properties of an object. For example, it can say that a file is a web page, that it belongs under the /etc directory, or that its owner is a particular SELinux user.


So what is the SELinux policy?

The SELinux policy defines which roles a user is authorised for, which domains a role is authorised for, and which types a domain is granted access to. First, the user must be authorised for a role, and the role must be authorised to access the domain. The domain, in turn, is limited to accessing only certain types of files.


The policy itself is a set of rules saying that all users can only assume such-and-such roles, that those roles are authorised to access only such-and-such domains, and that those domains can access only such-and-such file types. The figure below illustrates this concept:

[Figure 1.jpg from the referenced DigitalOcean tutorial: the user -> role -> domain -> type relationship; image not reproduced]


Back to the policy: the SELinux policy implementation is usually of the targeted type. In the SELinux configuration file, the SELINUXTYPE directive is set to targeted by default, which means that SELinux only restricts certain processes in the system (only certain processes are confined). Processes that are not targeted run in an unconfined domain. The more restrictive alternative is a default-deny policy, in which every access is denied unless it has been explicitly authorised. That is a very secure implementation, but it also means the developer must anticipate every permission that every process might need on every possible object. By default, SELinux only cares about certain processes.


SELinux policy Behavior

The SELinux policy does not replace the traditional discretionary access control (DAC) security. If a DAC rule forbids a user from accessing a file, the SELinux policy rules are not even evaluated, because the first line of defence has already blocked the access. SELinux security decisions only come into play after the DAC check has passed.


When SELinux is enabled, the policy is loaded into memory. The SELinux policy has a modular format, very similar to the kernel modules loaded at boot time. Just like kernel modules, policy modules can be dynamically added to and removed from memory at run time. The policy store used by SELinux keeps track of the loaded modules. The sestatus command displays the policy store name. The semodule -l command lists the SELinux policy modules currently loaded into memory.

The semodule command can be used to install, remove, reload, upgrade, enable and disable SELinux policy modules, among other tasks.

Although we cannot read the policy module files directly, there is an easy way to adjust their settings: SELinux booleans.

Run the following command:

# semanage boolean -l | less
SELinux boolean                State  Default Description
privoxy_connect_any            (on   ,   on)  Allow privoxy to connect any
smartmon_3ware                 (off  ,  off)  Allow smartmon to 3ware
mpd_enable_homedirs            (off  ,  off)  Allow mpd to enable homedirs
xdm_sysadm_login               (off  ,  off)  Allow xdm to sysadm login
xen_use_nfs                    (off  ,  off)  Allow xen to use nfs
mozilla_read_content           (off  ,  off)  Allow mozilla to read content
ssh_chroot_rw_homedirs         (off  ,  off)  Allow ssh to chroot rw homedirs
mount_anyfile                  (on   ,   on)  Allow mount to anyfile
cron_userdomain_transition     (on   ,   on)  Allow cron to userdomain transition
xdm_write_home                 (off  ,  off)  Allow xdm to write home
openvpn_can_network_connect    (on   ,   on)  Allow openvpn to can network connect

You can use the setsebool command to set the value you want. First use getsebool to view the current value:

# getsebool xen_use_nfs
xen_use_nfs --> off

Set it to on:

# setsebool xen_use_nfs on
# getsebool xen_use_nfs
xen_use_nfs --> on

Changing a boolean this way is not permanent: after a reboot it reverts to its default value. To make the change persistent, use the setsebool command with the -P option.


SELinux context

The first part of the security policy places a label on every entity in the Linux system. Labels are like any other attribute of a file or process (owner, group, creation date and so on); they express the context of the resource. What is a context? In short, a context is the collection of information that SELinux needs to make an access control decision. Everything in a Linux system can have a security context: a user account, a file, a directory, a daemon or a port. However, the security context means different things for different kinds of objects.


File context (file contexts)

The unique attribute of a file is role.

Use the ls -Z command to view the context of some files:

# ls -Z /etc/*.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0         /etc/asound.conf
-rw-r--r--. root root system_u:object_r:dnsmasq_etc_t:s0 /etc/dnsmasq.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0         /etc/dracut.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0         /etc/e2fsck.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0         /etc/host.conf

Several lines contain system_u:object_r:etc_t:s0. The four colon-separated components of this label are the user, the role, the type and the level. system_u represents the root user, mapped through the internal SELinux policy. The role was introduced above. The type is the part that defines the type of the file or directory; we can see that most files in the /etc directory have the etc_t type. You can think of a type as a "group" or a property of a file: it is a way of categorising files. The fourth part, s0, relates to multi-level security (MLS), another way of enforcing SELinux policy, and shows the sensitivity of the resource (s0).


Process context (process contexts)

The unique attribute of a process is domain.

Use the -Z option of the ps command to view the context information of a process:

# ps -efZ | grep http
system_u:system_r:httpd_t:s0    root      8527     1  0 14:52 ?  00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0    apache    8528  8527  0 14:52 ?  00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0    apache    8529  8527  0 14:52 ?  00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0    apache    8530  8527  0 14:52 ?  00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0    apache    8531  8527  0 14:52 ?  00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0    apache    8532  8527  0 14:52 ?  00:00:00 /usr/sbin/httpd -DFOREGROUND

system_u:system_r:httpd_t:s0 also has four parts: user, role, domain and sensitivity. Here the third part is a domain. The domain is specific to processes: it defines the scope of operations the process is allowed to perform, telling the process what it may and may not do.

In this way, even if a process is hijacked by a malicious process or user, the worst case is that it corrupts the files it is allowed to access. For example, the vsftpd daemon cannot access files used by sendmail or samba. This restriction is enforced at the kernel level by the SELinux policy loaded into memory, which is why the access control is mandatory.


How processes access resources

Before going further, a note on the SELinux naming convention: SELinux users end in "_u", roles in "_r", and types (for files) or domains (for processes) in "_t".

We have seen that files and processes have different contexts and are confined to their own type or domain. So how does a process work? At run time, the process needs to access its files and perform operations on them (open, read, modify or execute). Each process can access only certain types of resources (files, directories, ports and so on).

SELinux expresses these access rules in the policy. Access rules follow the standard allow statement structure:

allow <domain> <type>:<class> { <permissions> };

The class identifies the kind of resource: a file, directory, symbolic link, device, port and so on. The rule reads as follows:

    • If the process is in the specified domain,

    • and the resource object it is trying to access is of the specified type and class,

    • then the listed permissions are allowed;

    • otherwise access is denied.


Suppose you create a web page file in the /var/www/html directory:

# ls -lZ index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html

We can use the sesearch command to view the file types the httpd domain is granted access to:

# sesearch --allow --source httpd_t --target httpd_sys_content_t --class file
Found 5 semantic av rules:
   allow httpd_t httpd_content_type : file { ioctl read getattr lock open } ;
   allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
   allow httpd_t httpdcontent : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow httpd_t httpdcontent : file { read getattr execute open } ;
   allow httpd_t httpd_content_type : file { ioctl read getattr lock open } ;

This shows that the httpd daemon (the Apache web server) has the ioctl, read, getattr, lock and open permissions on files of type httpd_sys_content_t. Our index.html file has exactly that type.

Use the chcon command to change the context of index.html:

# chcon --type var_t /var/www/html/index.html
# ls -Z index.html
-rw-r--r--. root root unconfined_u:object_r:var_t:s0 index.html

If you visit the web page again now, you get a 403 Forbidden error, because httpd has no permission to read the contents of index.html with its new type.
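To make the allow-rule decision above concrete, here is an added Python model (not code from the original article) that parses sesearch-style allow rules and ls -Z / ps -Z labels and answers whether httpd_t may read a file; the rules and contexts are constructed from the article's own output, and the real decision is of course made by the kernel.

```python
# Added example (not from the original article): a toy model of the allow rule
#   allow <domain> <type>:<class> { <permissions> };
# applied to the index.html case above. Rules and contexts are constructed from
# the article's own sesearch / ls -Z output; the real decision is made by the kernel.
import re
from typing import Dict, FrozenSet, Tuple

# Two of the rules printed by `sesearch --allow --source httpd_t` (constructed sample).
SESEARCH_OUTPUT = """
allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
allow httpd_t httpdcontent : file { read getattr execute open } ;
"""

RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}\s*;")
RuleSet = Dict[Tuple[str, str, str], FrozenSet[str]]

def parse_rules(text: str) -> RuleSet:
    """Map (source domain, target type, class) -> permissions granted by allow rules."""
    rules: RuleSet = {}
    for src, tgt, cls, perms in RULE_RE.findall(text):
        key = (src, tgt, cls)
        rules[key] = rules.get(key, frozenset()) | frozenset(perms.split())
    return rules

def parse_context(ctx: str) -> Dict[str, str]:
    """Split a user:role:type:level label as printed by ls -Z or ps -Z."""
    user, role, typ, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "level": level}

def is_allowed(rules: RuleSet, proc_ctx: str, file_ctx: str, cls: str, perm: str) -> bool:
    """Default deny: the permission exists only if some allow rule grants it."""
    domain = parse_context(proc_ctx)["type"]      # a process's type is its domain
    ftype = parse_context(file_ctx)["type"]
    return perm in rules.get((domain, ftype, cls), frozenset())

RULES = parse_rules(SESEARCH_OUTPUT)
HTTPD = "system_u:system_r:httpd_t:s0"             # context from the ps -efZ output

def page_readable(file_ctx: str) -> bool:
    """Can httpd serve a file with this label? False is the 403 Forbidden case."""
    return all(is_allowed(RULES, HTTPD, file_ctx, "file", p)
               for p in ("open", "read", "getattr"))

if __name__ == "__main__":
    for ctx in ("unconfined_u:object_r:httpd_sys_content_t:s0",   # after restorecon
                "unconfined_u:object_r:var_t:s0"):                # after chcon --type var_t
        print(ctx, "->", "served" if page_readable(ctx) else "403 Forbidden")
```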

To restore the previous setting, use the restorecon command:

# restorecon -v /var/www/html/index.html
restorecon reset /var/www/html/index.html context unconfined_u:object_r:var_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

The Web page is now back to normal.

Ensuring that files and directories have the correct context is critical to how SELinux behaves.


Context inheritance for files and directories

SELinux applies what we can call "context inheritance". This means that unless the policy specifies otherwise, processes and files inherit the context of the parent process or parent directory that creates them.

So if we have a process called "proc_a" that spawns a process "proc_b", the child process runs in the same domain as "proc_a" unless the SELinux policy specifies otherwise.

Similarly, if we have a directory of type "some_context_t", any file or directory created under it gets the same type unless the policy says otherwise.

When we create a file in a directory, or copy a file from another directory into it, the file automatically takes the context type of the directory it is created in.

For example:

# ls -Z /var/www/html/index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
# cp /var/www/html/index.html /etc/
# ls -Z /etc/index.html
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/index.html

When you move a file with the mv command, however, the context of the file is not changed:

# mv /etc/index.html /var/
# ls -Z /var/index.html
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /var/index.html


Changing and restoring the SELinux file context

Consider this situation: we want to change the httpd document root, so we create a new directory such as /www/html, copy the existing files into it, adjust the configuration and restart httpd. The page still returns a 403 error and is inaccessible, because the files in the new directory have a different context. We could fix this by hand, but note that a change made with the chcon command is only temporary: a file-system relabel or a run of the restorecon command puts the file back to its original context. To change the default permanently, we need to change the context database itself.

In addition, running chcon requires you to know the correct context for the file; the --type flag specifies the target context. restorecon needs no such argument: when you run restorecon, the file gets its correct context reapplied, and the change persists.

To make this possible, SELinux "remembers" the context of every file and directory on the server. In CentOS 7, the contexts of the files that already exist in the system are listed in the file /etc/selinux/targeted/contexts/files/file_contexts. It is a large file listing every file type associated with every application supported by the distribution. The contexts of new directories and files are recorded in /etc/selinux/targeted/contexts/files/file_contexts.local. So when we run the restorecon command, SELinux looks up the correct context in one of these two files and applies it to the target.


First we run the semanage fcontext command. This writes the new context to the /etc/selinux/targeted/contexts/files/file_contexts.local file, but it does not relabel the files themselves.

# semanage fcontext --add --type httpd_sys_content_t "/www(/.*)?"
# semanage fcontext --add --type httpd_sys_content_t "/www/html(/.*)?"

To see if the add succeeds:

# cat /etc/selinux/targeted/contexts/files/file_contexts.local
# This file is auto-generated by libsemanage
# Do not edit directly.

/www(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/www/html(/.*)?    system_u:object_r:httpd_sys_content_t:s0

Next, we run the restorecon command. This relabels the files and directories according to what was recorded in the previous step:

# restorecon -Rv /www

This resets the context at three levels: the top-level /www directory, the /www/html directory, and the index.html file under /www/html.

Trying to open the webpage now will display normally.


The matchpathcon tool helps troubleshoot context-related problems. It looks at the current context of a resource and compares it with what is listed in the SELinux context database. If they differ, it reports the context the file should have:

# matchpathcon -V /www/html/index.html
/www/html/index.html verified.
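As an added illustration of the file_contexts lookup that restorecon and matchpathcon perform (example code, not from the original article or from libselinux), the following Python model matches a path against constructed file_contexts and file_contexts.local entries; it assumes that the last matching entry wins, which is why the local file is consulted after the base file, and it ignores the SELinux user field when comparing labels, as the article's own output suggests (restorecon keeps unconfined_u and matchpathcon still reports "verified").

```python
# Added example (not from the original article): a simplified model of how restorecon
# and matchpathcon derive a file's expected label from the file_contexts database.
# Entries are constructed; the real files live under /etc/selinux/targeted/contexts/files/.
import re
from typing import List, Optional, Tuple

# Constructed excerpt of the base file_contexts: <path regex> [<file type>] <context>
FILE_CONTEXTS = """
/.*                system_u:object_r:default_t:s0
/etc(/.*)?         system_u:object_r:etc_t:s0
/var(/.*)?         system_u:object_r:var_t:s0
/var/www(/.*)?     system_u:object_r:httpd_sys_content_t:s0
"""
# What `semanage fcontext --add` wrote to file_contexts.local in the article.
FILE_CONTEXTS_LOCAL = """
/www(/.*)?         system_u:object_r:httpd_sys_content_t:s0
/www/html(/.*)?    system_u:object_r:httpd_sys_content_t:s0
"""

Spec = Tuple["re.Pattern", str]

def parse_specs(text: str) -> List[Spec]:
    """Compile each non-empty, non-comment line into (regex, context)."""
    specs: List[Spec] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()                  # the optional file-type field is ignored
        specs.append((re.compile(fields[0]), fields[-1]))
    return specs

# Local entries are consulted after the base entries, so they take precedence.
SPECS = parse_specs(FILE_CONTEXTS) + parse_specs(FILE_CONTEXTS_LOCAL)

def expected_context(path: str, specs: List[Spec] = SPECS) -> Optional[str]:
    """Assumed ordering rule: the last entry whose regex matches the whole path wins."""
    found = None
    for regex, context in specs:
        if regex.fullmatch(path):
            found = context
    return found

def same_label(a: str, b: str) -> bool:
    """Compare role:type:level only: the SELinux user field is not part of the check."""
    return a.split(":", 1)[1] == b.split(":", 1)[1]

def verify(path: str, current: str) -> str:
    """Mimic `matchpathcon -V`: say whether the current label matches the database."""
    expected = expected_context(path)
    if expected is not None and same_label(current, expected):
        return f"{path} verified."
    return f"{path} has context {current}, should be {expected}"
```

Running verify("/var/index.html", "unconfined_u:object_r:etc_t:s0") reproduces the mv case from the previous section: the moved file kept etc_t, while the database expects var_t under /var.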


Reference Links:
https://www.digitalocean.com/community/tutorials/an-introduction-to-selinux-on-centos-7-part-2-files-and-processes

This article is from the "Trying" blog; please keep this source link when reproducing it: http://tryingstuff.blog.51cto.com/4603492/1944819
