SELinux Introduction and Setup

Source: Internet
Author: User

I. Introduction to SELinux
SELinux is a mandatory access control (MAC) mechanism. In a traditional Linux system, access to a file is controlled only by its owner, group and permission bits (discretionary access control). Under SELinux every object (file, port, process) additionally carries a security context, which for files is stored in an extended attribute, and the policy decides access based on that context. A security context consists of up to five security elements: user, role, type, sensitivity and category.
II. The Five Security Elements

User: the SELinux user a process or object belongs to, for example root, user_u or system_u. These are SELinux users mapped from Linux logins, not the Linux accounts themselves; under the targeted policy, locally logged-in users and the processes they start run unconfined.
Role: defines what a file, process or user is for. Files (objects) always carry object_r; system processes and the system user use system_r.
Type: the type of a file, or the domain of a process. Which process types may access which file types is decided on the basis of type, which is why this model is called type enforcement. A common type for content shared by several services (for example FTP and web content) is public_content_t.
Sensitivity: a hierarchical security level defined by the organization (the MLS level, for example s0); it restricts access between levels.
Category: a non-hierarchical compartment defined by the organization (the MCS category, for example c0, c1); objects in different categories are isolated from each other.

III. SELinux policy types
The SELinux policy types are strict (CentOS 5), targeted, minimum (CentOS 7) and mls. The system default is targeted; strict is no longer shipped, and minimum and mls are special-purpose policies that are rarely used. The policy type is selected with the SELINUXTYPE= line in /etc/selinux/config and must not be confused with the operating mode (enforcing, permissive or disabled), which is covered in section V.
IV. Actual context and expected context
Actual context: the context a file carries right now, stored in the file's metadata (the security.selinux extended attribute). View the file context with ls -Z and the process context with ps -Z (ps -eZ for all processes).


Expected context: the expected context can also be understood as the default context. It is stored in the file-context database of the loaded SELinux policy (under /etc/selinux/<policytype>/contexts/files/). semanage fcontext -l lists all expected contexts of the system.


V. Enable and disable SELinux

The mode is set by the SELINUX= line in /etc/selinux/config and can be enforcing, permissive or disabled. In practice administrators usually switch only between enforcing and disabled, because permissive mode only logs denials without blocking anything; it is useful when troubleshooting a policy problem, not as a long-term state. A change to the configuration file takes effect only after a reboot, and going from disabled back to enforcing requires a relabel of the file system (touch /.autorelabel before rebooting).
Viewing and changing the current SELinux mode:
getenforce: view the current mode
setenforce: temporarily switch between enforcing and permissive (it cannot enable a disabled SELinux; that needs the configuration file and a reboot)
setenforce 0|1, where 0 means permissive and 1 means enforcing
sestatus: view the current SELinux status in detail (mode, policy type, MLS status)

Re-labelling files
chcon changes the actual context directly and does not touch the expected context. If the file system is later relabelled (restorecon or autorelabel), the change is undone, so chcon is not recommended for permanent changes.
chcon [-R] [-u user] [-r role] [-t type] directory|file, where -R labels recursively.
Restore the expected context of a directory or file:
restorecon [-R] directory|file, where -R recurses.
1. Query and change the default (expected) security context. Note: after changing the expected context, run restorecon on the directory to synchronize the actual security context with the expected one.
semanage fcontext -l

semanage fcontext -a -t type 'directory(/.*)?' or file. The path argument is a regular expression; the '(/.*)?' suffix makes the rule cover the directory itself and everything below it.

restorecon -Rv directory restores the expected context and shows every file it changed; if the expected and actual contexts already match, nothing is printed.

semanage fcontext -d -t type 'directory(/.*)?' or file
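As an added example (not part of the original article), the following Python script shows the comparison that restorecon performs: it parses security contexts into the five elements described in section II, looks up the expected context of a path in a file-context table of the kind semanage fcontext -l prints, and reports the files whose actual type differs from the expected one. The ls -Z output and the file-context table are constructed samples; the lookup rule (the last matching entry wins, which is how libselinux evaluates file_contexts) is simplified here by ignoring stem sorting and file-type restrictions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SecurityContext:
    """The five security elements of an SELinux context (the MLS level is optional)."""
    user: str
    role: str
    type: str
    sensitivity: Optional[str] = None
    category: Optional[str] = None


def parse_context(ctx: str) -> SecurityContext:
    """Parse 'user:role:type[:sensitivity[:category]]', e.g.
    'system_u:object_r:httpd_sys_content_t:s0:c0.c1023'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not a security context: {ctx!r}")
    user, role, typ = parts[:3]
    sensitivity = category = None
    if len(parts) == 4 and parts[3]:
        # Level is 's0' or a range 's0-s0', optionally followed by ':c0.c1023'.
        sensitivity, _, category = parts[3].partition(":")
        category = category or None
    return SecurityContext(user, role, typ, sensitivity, category)


# Constructed expected-context table in the order of file_contexts: the catch-all
# '/.*' rule comes first, the most specific rules last (semanage fcontext -a appends).
FILE_CONTEXTS: List[Tuple[str, str]] = [
    (r"/.*", "system_u:object_r:default_t:s0"),
    (r"/var/www(/.*)?", "system_u:object_r:httpd_sys_content_t:s0"),
    (r"/srv/web(/.*)?", "system_u:object_r:httpd_sys_content_t:s0"),
]


def expected_context(path: str, table=FILE_CONTEXTS) -> Optional[SecurityContext]:
    """Last matching regular expression wins, as libselinux does for file_contexts."""
    for pattern, ctx in reversed(table):
        if re.fullmatch(pattern, path):
            return parse_context(ctx)
    return None


def find_mismatches(ls_z_output: str, table=FILE_CONTEXTS) -> List[Tuple[str, str, str]]:
    """Return (path, actual_type, expected_type) for every file whose type differs.

    Only the type is compared: restorecon without -F also resets only the type
    and leaves the user and role of the actual context alone.
    """
    mismatches = []
    for line in ls_z_output.splitlines():
        if not line.strip():
            continue
        ctx, path = line.split(None, 1)
        actual = parse_context(ctx)
        expected = expected_context(path, table)
        if expected is not None and actual.type != expected.type:
            mismatches.append((path, actual.type, expected.type))
    return mismatches


# Constructed 'ls -Z' output: a file copied into /srv/web from a home directory
# keeps user_home_t, which httpd is not allowed to read.
SAMPLE_LS_Z = """\
unconfined_u:object_r:user_home_t:s0 /srv/web/index.html
system_u:object_r:httpd_sys_content_t:s0 /srv/web/logo.png
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:user_home_t:s0 /opt/data/notes.txt
"""

if __name__ == "__main__":
    for path, actual, expected in find_mismatches(SAMPLE_LS_Z):
        print(f"restorecon would relabel {path}: {actual} -> {expected}")
```

Running the script lists the two files that restorecon -Rv would relabel; /srv/web/logo.png and /var/www/html/index.html already match their expected type and produce no output, exactly as restorecon stays silent on files that are already correct.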

2. Changing port labels
View port labels:
semanage port -l

Add a port label. If a service should listen on a port other than its default, the new port number must first be labelled with the service's port type; for SSH on port 2222, for example:
semanage port -a -t type -p tcp|udp port_number, i.e. semanage port -a -t ssh_port_t -p tcp 2222

Then change Port to 2222 in the SSH configuration file /etc/ssh/sshd_config and restart the service.

To remove a port label, change -a to -d:
semanage port -d -t type -p tcp|udp port_number
Change the label of a port that is already defined to a new type:
semanage port -m -t type -p tcp|udp port_number
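As an added example (not code from the original article), this Python script parses the table that semanage port -l prints, works out which port type a given port currently carries, and tells you whether semanage port -a (the port only falls into a range such as unreserved_port_t, or is unlabelled) or semanage port -m (the port is already listed individually under another type, where -a fails with "already defined") is needed before moving a service. The semanage port -l output is a constructed excerpt, and the lookup rule (an individually listed port beats a range containing it, a narrower range beats a wider one) is an assumption that simplifies the kernel's port matching.

```python
import re
from typing import List, Optional, Tuple

# (port type, protocol, lowest port, highest port); a single port has low == high.
PortEntry = Tuple[str, str, int, int]


def parse_port_list(text: str) -> List[PortEntry]:
    """Parse the output of 'semanage port -l' into individual port ranges."""
    entries: List[PortEntry] = []
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(tcp|udp|sctp|dccp)\s+([\d,\s-]+)$", line.strip())
        if not m:  # header line, blank line, anything unexpected
            continue
        ptype, proto, ports = m.groups()
        for item in ports.split(","):
            lo, _, hi = item.strip().partition("-")
            entries.append((ptype, proto, int(lo), int(hi or lo)))
    return entries


def port_type(entries: List[PortEntry], proto: str, port: int) -> Optional[str]:
    """Type currently applied to proto/port, or None if the port is unlabelled.

    Assumption: an individually listed port wins over a range containing it,
    and a narrower range wins over a wider one.
    """
    best: Optional[Tuple[str, int]] = None
    for ptype, p, lo, hi in entries:
        if p != proto or not lo <= port <= hi:
            continue
        width = hi - lo
        if best is None or width < best[1]:
            best = (ptype, width)
    return best[0] if best else None


def suggested_command(entries: List[PortEntry], proto: str, port: int,
                      required_type: str) -> Optional[str]:
    """The semanage command needed before a service confined to required_type
    may bind proto/port. Returns None when the port already has that type.

    Uses -m when the port is listed individually under another type (a plain
    -a would fail with 'already defined'), and -a when it only falls into a
    range or is unlabelled.
    """
    if port_type(entries, proto, port) == required_type:
        return None
    listed_individually = any(
        p == proto and lo == hi == port for _, p, lo, hi in entries
    )
    action = "-m" if listed_individually else "-a"
    return f"semanage port {action} -t {required_type} -p {proto} {port}"


# Constructed excerpt of 'semanage port -l' on a targeted-policy system.
SAMPLE_SEMANAGE_PORT_L = """\
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767, 61000-65535
unreserved_port_t              udp      1024-32767, 61000-65535
"""

if __name__ == "__main__":
    table = parse_port_list(SAMPLE_SEMANAGE_PORT_L)
    # Moving sshd to 2222: the port is only covered by unreserved_port_t, so sshd
    # (allowed to bind ssh_port_t) would be denied until the label is added.
    print(port_type(table, "tcp", 2222))                         # unreserved_port_t
    print(suggested_command(table, "tcp", 2222, "ssh_port_t"))  # semanage port -a -t ssh_port_t -p tcp 2222
```

Run the check before editing sshd_config: if it prints a semanage command, apply that command first, then change the port and restart the service; otherwise sshd would fail to bind and the only trace would be an AVC denial in the audit log.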

3. SELinux Booleans
View all Booleans of the current system:
getsebool -a | grep name

semanage boolean -l
semanage boolean -l -C shows only the Booleans that have been changed from their default

Set a Boolean:
setsebool [-P] boolean_name=0|1
setsebool [-P] boolean_name on|off

When setting a Boolean, the change is lost at reboot unless -P is added, which also writes the new value into the policy on disk.
