SELinux Security System Basics in CentOS


This article records some notes and experience from learning SELinux.

1. Introduction to SELinux

SELinux (Security-Enhanced Linux) is a Linux security policy mechanism developed by the National Security Agency (NSA) for computer infrastructure security. SELinux allows system administrators to define security policies more flexibly.

SELinux is a kernel-level security mechanism and has been integrated into the kernel since Linux 2.6. Because SELinux is kernel-level, modifications to its configuration file take effect only after the operating system is restarted.

Currently, the mainstream Linux distributions have integrated SELinux, and CentOS/RHEL enable it by default.

2. Basic SELinux concepts

An operating system's security mechanism really restricts two things: processes and system resources (files, network sockets, system calls, etc.).

Traditionally, Linux restricts access to system resources through the concepts of users and groups, and every process runs as some user.

SELinux defines two basic concepts for these two things: domain and context.

A domain is used to restrict processes, while a context is used to restrict system resources.

We can use the ps -Z command to view the domain of the current processes, that is, the processes' SELinux information:

[root@xiaoluo ~]# ps -Z
LABEL                             PID TTY          TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2503 pts/0 00:00:00 su
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2511 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3503 pts/0 00:00:00 ps

With the ls -Z command, we can view a file's context, that is, the file's SELinux information:

[root@xiaoluo ~]# ls -Z
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 Desktop
-rw-r--r--+ root root system_u:object_r:admin_home_t:s0 install.log
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log.syslog

We will discuss the meaning of these fields later.

3. Policy

In SELinux, we define policies to control which domains can access which contexts.

SELinux comes with several preset policies, and we usually do not need to define our own unless we need to protect particular services or programs.

In CentOS/RHEL, the targeted policy is used by default. What is the targeted policy?

Under the targeted policy, only targeted processes are restricted by SELinux; non-targeted processes are not restricted. Generally, our network applications are all targeted processes, such as httpd, mysqld, dhcpd and so on.

The CentOS SELinux configuration file is the selinux file stored in the /etc/sysconfig/ directory. Let's take a look at its content:

[root@xiaoluo ~]# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted     // Our CentOS policy is the targeted policy.

4. SELinux modes

SELinux has three working modes: enforcing, permissive, and disabled.

① Enforcing mode: any action that violates the policy is blocked and logged as a kernel message.

② Permissive mode: actions that violate the policy are not blocked, but a warning message is logged.

③ Disabled: SELinux is turned off, which is the same as a system without SELinux. Normally, when we do not know much about SELinux, we set the mode to disabled so that no problems occur when accessing some network applications.

The main configuration file of SELinux is /etc/sysconfig/selinux.

[root@xiaoluo ~]# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing     // we can see that the default working mode of SELinux is enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

The default working mode of SELinux is enforcing. We can change it to permissive or disabled.

To view the current working status of SELinux, run the getenforce command:

[root@xiaoluo ~]# getenforce
Enforcing

The current working mode is enforcing. To change the current SELinux working mode, use the setenforce [0 | 1] command: setenforce 0 sets the mode to permissive, and setenforce 1 sets it to enforcing.

[Note:] Using setenforce is only a temporary modification and is lost after the system is restarted. Therefore, to change the SELinux mode permanently, modify the SELinux main configuration file.

[root@xiaoluo ~]# setenforce 0
[root@xiaoluo ~]# getenforce
Permissive
[root@xiaoluo ~]# setenforce 1
[root@xiaoluo ~]# getenforce
Enforcing

[root@xiaoluo ~]# ls -Z
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 Desktop
-rw-r--r--+ root root system_u:object_r:admin_home_t:s0 install.log
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log.syslog

We can use the ls -Z command to view the context of our files, that is, their SELinux information. Compared with the output of the traditional ls command, there is an extra field, system_u:object_r:admin_home_t:s0. Let's analyze what it means.

The string system_u:object_r:admin_home_t:s0 is divided into four segments by colons. The first segment, system_u, is the user; the second segment, object_r, is the role; the third segment, admin_home_t, is the type, which is the most important information in SELinux; and the last segment, s0, is related to MLS and MCS.

① system_u is the SELinux user. root represents the root account identity, user_u represents ordinary unprivileged users, and system_u represents system processes. The user identifies the identity type and is generally used together with roles; different roles have different permissions. Although you can use the su command to switch between users, the SELinux user does not change, so the identity stays the same when switching between accounts. In the targeted policy environment, the user identity has no substantial effect.

② object_r is generally the role of files and directories, and system_r is generally the role of processes. In the targeted policy environment, the user's role is generally system_r. Roles are similar to user groups: different roles have different permissions. A user can have multiple roles, but only one role can be used at a time. In the targeted policy environment, the role has no substantial effect; all processes take the system_r role.

③ admin_home_t is the type. Files and processes both have a type, and SELinux restricts access based on the combination of types.

5. Example

Next, let's look at context values and SELinux access control through an example.

Suppose we have set up a web server. The default location for web pages is the /var/www/html directory. If we create a new index.html test page there, start the web server and refresh the browser, we will see its content. But if we create the index.html page under the /home directory, then move it to the /var/www/html directory and refresh the page, will it still display normally?

First, we start the httpd service:

[root@xiaoluo ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: httpd: apr_sockaddr_info_get() failed for xiaoluo
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
                                                           [  OK  ]

Open the browser and enter 127.0.0.1 to access the service. The Apache test page is displayed, because no page exists in /var/www/html at this time:

[root@xiaoluo home]# ll /var/www/html/
total 0

Next, create an index.html page under the /home directory and move it to the /var/www/html directory.

[root@xiaoluo home]# vi index.html
This is a test about SELinux
[root@xiaoluo home]# mv index.html /var/www/html/
[root@xiaoluo html]# cd /var/www/html/
[root@xiaoluo html]# ls
index.html

The

But we find that the browser still shows the Apache test page. Why? This is related to the SELinux security policy. We can look at the audit.log file in the /var/log/audit directory to find the error message.

[root@xiaoluo html]# tail /var/log/audit/audit.log
type=CRED_DISP msg=audit(1369575601.957:289): user pid=3637 uid=0 auid=0 ses=44 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1369575601.957:290): user pid=3637 uid=0 auid=0 ses=44 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=AVC msg=audit(1369575729.534:291): avc:  denied  { getattr } for  pid=3619 comm="httpd" path="/var/www/html/index.html" dev=sda2 ino=538738 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
type=SYSCALL msg=audit(1369575729.534:291): arch=c000003e syscall=4 success=no exit=-13 a0=7f34198634f8 a1=7fffbc87bee0 a2=7fffbc87bee0 a3=7f341985ff60 items=0 ppid=3612 pid=3619 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1369575729.535:292): avc:  denied  { getattr } for  pid=3619 comm="httpd" path="/var/www/html/index.html" dev=sda2 ino=538738 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
type=SYSCALL msg=audit(1369575729.535:292): arch=c000003e syscall=6 success=no exit=-13 a0=7f34198635c8 a1=7fffbc87bee0 a2=7fffbc87bee0 a3=1 items=0 ppid=3612 pid=3619 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1369575736.549:293): avc:  denied  { getattr } for  pid=3618 comm="httpd" path="/var/www/html/index.html" dev=sda2 ino=538738 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
type=SYSCALL msg=audit(1369575736.549:293): arch=c000003e syscall=4 success=no exit=-13 a0=7f34198634f8 a1=7fffbc87bee0 a2=7fffbc87bee0 a3=7f341985ff60 items=0 ppid=3612 pid=3618 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1369575736.549:294): avc:  denied  { getattr } for  pid=3618 comm="httpd" path="/var/www/html/index.html" dev=sda2 ino=538738 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
type=SYSCALL msg=audit(1369575736.549:294): arch=c000003e syscall=6 success=no exit=-13 a0=7f34198635c8 a1=7fffbc87bee0 a2=7fffbc87bee0 a3=1 items=0 ppid=3612 pid=3618 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

From this log file, we can see that the reason index.html is not displayed after refreshing is the SELinux security policy: httpd, running as httpd_t, is denied getattr on a file labeled home_root_t.

Let's use the ls -Z command to check the context of the index.html we just moved.

[root@xiaoluo html]# ls -Z
-rw-r--r--. root root unconfined_u:object_r:home_root_t:s0 index.html

We find that the third field, the type, is home_root_t. Why? Because the index.html file was created under the /home directory, it inherited the SELinux type of its parent directory by default. We can view the context of the /home directory:

[root@xiaoluo html]# ls -Z -d /home/
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 /home/

We can see that the third field is the same as that of our index.html. So a file's context is affected by its parent directory: generally, a file inherits the context of the parent directory. However, some files and directories created when a service is installed are exceptions and do not inherit the parent's context; the service installation sets their contexts itself. For example, before the httpd service is installed, the /var/ directory does not contain the www directory. After httpd is installed, the required directories are created automatically, and the contexts of the service-related directories and files are defined at that point. They do not inherit the context of the parent directory.

[root@xiaoluo html]# ls -Z -d /var
drwxr-xr-x. root root system_u:object_r:var_t:s0       /var
[root@xiaoluo html]# ls -Z -d /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

At this point, we find that the context type of the /var/www/html directory is httpd_sys_content_t, while the index.html we just moved is home_root_t. Because the SELinux working mode is enforcing at this time, actions that violate the policy are blocked, so the content of our index.html is not shown. How should we solve this problem?

There are two solutions:

① Directly set SELinux's working mode to disabled. The policy will no longer block anything, but the system will then have no SELinux protection.

② Use the restorecon or chcon command to fix the context information of our files

The restorecon command can be used to restore the default file context:

restorecon -R -v /var/www/html/index.html    // -R means recursive: if the target is a directory, all subdirectories and files under it are repaired.

The command chcon can change the context information of a file. We usually use a reference file to modify it:

chcon --reference=/var/www/html/index.html /var/www/html/test.html

Here we use the restorecon command to restore the default context of our file:

[root@xiaoluo html]# restorecon -v index.html
restorecon reset /var/www/html/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
[root@xiaoluo html]# ls -Z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html

As we can see, after using the restorecon command, the context of index.html matches the context of its parent directory, html. When we refresh the page now, we can see the content of our index.html.

Through this example, we can understand the relationship between a file's context and SELinux, look at the /var/log/audit/audit.log log file to locate the error, and use the restorecon command to fix the context of our file.
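The diagnosis walked through in this example can also be done by script. The following is an added example, not part of the original article: it extracts AVC denials from audit.log text, splits each context into the four segments described in section 4, and lists files under the web root whose type is not httpd_sys_content_t. The function names and the last sample record are assumptions made for illustration.

```python
import re
from collections import Counter

# Records 291-292 are copied from the article's audit.log; record 300 is a
# constructed sample that adds an MLS range to the source context.
SAMPLE_LOG = r"""
type=AVC msg=audit(1369575729.534:291): avc:  denied  { getattr } for  pid=3619 comm="httpd" path="/var/www/html/index.html" dev=sda2 ino=538738 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
type=SYSCALL msg=audit(1369575729.534:291): arch=c000003e syscall=4 success=no exit=-13 a0=7f34198634f8 a1=7fffbc87bee0 a2=7fffbc87bee0 a3=7f341985ff60 items=0 ppid=3612 pid=3619 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1369575729.535:292): avc:  denied  { getattr } for  pid=3619 comm="httpd" path="/var/www/html/index.html" dev=sda2 ino=538738 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1369575800.100:300): avc:  denied  { read open } for  pid=4000 comm="httpd" path="/var/www/html/test.html" dev=sda2 ino=538800 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r'^type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
                    r'\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split user:role:type:level; the level may contain ':' (s0-s0:c0.c1023)."""
    user, role, typ, level = (ctx.split(":", 3) + [""] * 3)[:4]
    return {"user": user, "role": role, "type": typ, "level": level}

def parse_denials(text):
    """Return one dict per AVC denial; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        kv = {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])}
        denials.append({"serial": int(m["serial"]), "perms": m["perms"].split(),
                        "comm": kv.get("comm"), "path": kv.get("path"),
                        "tclass": kv.get("tclass"),
                        "source": split_context(kv.get("scontext", "")),
                        "target": split_context(kv.get("tcontext", ""))})
    return denials

def summarize(denials):
    """Count denials per (source type, target type, object class)."""
    return Counter((d["source"]["type"], d["target"]["type"], d["tclass"]) for d in denials)

def relabel_candidates(denials, docroot="/var/www/html/", expected="httpd_sys_content_t"):
    """Paths under docroot whose type differs from the one the article shows for it."""
    return sorted({d["path"] for d in denials
                   if d["path"] and d["path"].startswith(docroot)
                   and d["target"]["type"] != expected})

if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    print(dict(summarize(found)), relabel_candidates(found))
```

Each path returned by relabel_candidates is a file to inspect with ls -Z and, if its label is wrong, to fix with restorecon -v as shown above.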

This article describes some basic concepts of SELinux and some commands related to it. More specific content and knowledge about SELinux will be recorded as I continue learning.
