I. Introduction of SELinux
SELinux (Secure enhanced Linux) security-enhanced Linux is a new Linux security policy mechanism developed by NSA for computer infrastructure security. SELinux allows system administrators to be more flexible in defining security policies.
SELinux is a kernel-level security mechanism that integrates selinux into the kernel from the Linux2.6 kernel, because SELinux is kernel-level, so our modifications to its configuration files require a restart of the operating system to take effect.
The SELinux mechanism is now integrated into the Linux version of the mainstream discovery, and Centos/rhel will turn on the SELinux mechanism by default.
Ii. Basic concepts of SELinux
We know that the security mechanism of the operating system is actually restricting two things: process and system resources (files, network sockets, system calls, etc.).
In the previously learned knowledge, the Linux operating system uses the concept of users and groups to limit our system resources, and we know that each process requires a user to execute.
There are two basic concepts defined for these two things in SELinux: domain (Domin) and context.
a domain is used to restrict progress, and the context is to restrict system resources .
We can ps-z This command to view information about the domain of the current process, that is, the selinux information of the process:
[[email protected] ~]# Ps-zlabel PID TTY time cmdunconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2503 pts/0 00:00:00 suunconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2511 pts/0 00:00:00 Bashunconfined_u: unconfined_r:unconfined_t:s0-s0:c0.c1023 3503 pts/0 00:00:00 PS
With the ls-z command We can view the file context information, which is the SELinux information of the file:
[Email protected] ~]# LS-Z-RW-------. Root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfgdrwxr-xr-x. Root root unconfined_u:object_r:admin_home_t:s0 desktop-rw-r--r--+ root root system_u:object_r:admin_home_t:s0 Install.log-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log.syslog
Later, let's explore what these fields mean.
Third, the strategy
In SELinux, we define policies to control which contexts can be accessed by which domains.
In SELinux, there are a number of policy models preset, and we don't usually need to define our own policies unless we need to protect some services or programs ourselves.
In Centos/rhel, which uses the target strategy by default, then what is the target strategy?
The target policy defines that only the target process is throttled by SELinux, non-target processes are not throttled by SELinux, and our network applications are usually target processes such as httpd, MYSQLD,DHCPD, and so on.
Our SELinux configuration file for CentOS is a selinux file stored in the/etc/sysconfig/directory, and we can look at the contents:
[Email protected] ~]# Cat/etc/sysconfig/selinux # This file controls the state of SELinux on the system.# selinux= can t Ake one of these three values:# enforcing-selinux security policy is enforced.# permissive-selinux prints warn Ings instead of enforcing.# disabled-no SELinux policy is loaded. selinux=enforcing# Selinuxtype= can take one of these, values:# targeted-targeted processes is protected,# m Ls-multi level Security protection. selinuxtype=targeted//Our CentOS use strategy is the target strategy
Four, SELinux mode
There are three types of enforcing, permissive and disabled in the SELinux mode of operation.
①Enforcing enforcement mode: Any action that violates the policy is prohibited and is logged as the kernel information
②permissive allow mode: Actions that violate policy are not banned, but alert messages are prompted
③Disabled Disable mode: Disabling SELinux is the same as without selinux system, usually we set the mode to disabled when we don't understand selinux, so there is no problem when accessing some network applications.
It also says that the SELinux master configuration file is/etc/sysconfig/selinux
[Email protected] ~]# Cat/etc/sysconfig/selinux # This file controls the state of SELinux on the system.# selinux= can t Ake one of these three values:# enforcing-selinux security policy is enforced.# permissive-selinux prints warn Ings instead of enforcing.# disabled-no SELinux policy is loaded. Selinux=enforcing//We see that the SELinux default mode of operation is enforcing# Selinuxtype= can take one of the these of the values:# Targeted-target Ed Processes is protected,#
Our SELinux default mode of operation is enforcing, we can modify it to permissive or disabled
If we want to see the current SELinux working status, we can use the Getenforce command to view:
[Email protected] ~]# Getenforce enforcing
The current mode of operation is enforcing, if we want to set the current SELinux working state, you can use the Setenforce [0|1] command to modify, Setenforce 0 means set to permissive,1 to indicate enforcing
" Note:" using Setenforce to set SELinux is only a temporary modification, when the system restarts, it will be invalidated, so if you want to permanently modify, by modifying the SELinux master configuration file
[[email protected] ~]# setenforce 0[[email protected] ~]# getenforcepermissive[[email protected] ~]# Setenforce 1[[email p Rotected] ~]# Getenforce enforcing
[Email protected] ~]# LS-Z-RW-------. Root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfgdrwxr-xr-x. Root root unconfined_u:object_r:admin_home_t:s0 desktop-rw-r--r--+ root root system_u:object_r:admin_home_t:s0 Install.log-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log.syslog
We can ls-z this command to view the context of our files, which is the selinux information, we find that it is more than the traditional LS command system_u:object_r:admin_home_t:s0 this thing, Now, let's analyze what this statement means.
System_u:object_r:admin_home_t:s0
This statement through: Divided into four paragraphs, the first paragraph System_u represents the user, the second paragraph object_r represents the role, the third paragraph is the most important information in SELinux, Admin_home represents the type, the last paragraph S0 is related to the MLS, MCS, I don't need a tube.
①System_u refers to the SELinux user, root represents the root account identity, User_u represents the ordinary user unprivileged user, System_u represents the system process, through the user can confirm the identity type, general collocation role use. Identity and different roles with different permissions, although you can use the SU command to switch users but for SELinux users did not change, the user identity is switched between accounts, the user identity in the targeted policy environment is not a real role.
②Object_r Object_r is generally the role of the file directory, System_r is generally the role of the process, in the targeted policy environment the role of the user is generally system_r. The role of a user is similar to the concept of a user group, where different roles have different identity permissions and one user can have multiple roles, but only one role at a time. Roles do not have a substantive role in the targeted policy environment, and the roles of all process files in the targeted policy environment are system_r roles.
③admin_home files and processes have a type, and SELinux restricts access based on the associated combination of types.
V. Examples
Let's look at the context value and the SELinux access control by an example
For example, I set up a Web server, we know that the WWW server its default Web location is in the/var/www/html directory, if we create a new index.html test page here, launch our WWW server, refresh will be able to see its content, At this time if we are in our home/home directory to create a index.html page, and then move it to/var/www/html this directory, and then refresh the page, it will not be normal display it?
First we start our httpd service:
[[Email protected] ~]# service httpd restartstopping httpd: [ OK ]starting httpd:httpd:apr_sockaddr_info_ Get () failed for xiaoluohttpd:could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName [ OK ]
Then open the browser and enter our 127.0.0.1来 access, at this point the interface is Apache Test interface:
Because we do not yet have any pages under the/var/www/html at this time:
[Email protected] home]# Ll/var/www/html/total 0
Next we create a index.html page in the/home directory and move it to our/var/www/html directory
[Email protected] home]# VI index.htmlthis is a test about Selinux[[email protected] home]# mv index.html/var/www/html/[ [Email protected] html]# cd/var/www/html/[[email protected] html]# lsindex.html
At this point, according to normal situation, because there is a index.html page in the HTML directory, if we refresh the browser page, we should jump to the index.html page
But the fact that we found that the page is still on this test page, exactly why? This is related to our selinux security strategy, we can go to /var/log/audit This directory to view audit.log This file, to find out the error message
[[email protected] html]# tail/var/log/audit/audit.log type=cred_disp msg=audit (1369575601.957:289): User pid= 3637 uid=0 auid=0 ses=44 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg= ' op=pam:setcred acct= ' root ' exe= '/usr/sbin /crond "Hostname=? Addr=? Terminal=cron res=success ' type=user_end msg=audit (1369575601.957:290): USER pid=3637 uid=0 auid=0 ses=44 Subj=system_u : system_r:crond_t:s0-s0:c0.c1023 msg= ' op=pam:session_close acct= "root" exe= "/usr/sbin/crond" Hostname=? Addr=? Terminal=cron res=success ' TYPE=AVC msg=audit (1369575729.534:291): avc:denied {getattr} for pid=3619 comm= "HTTPD" Pat H= "/var/www/html/index.html" Dev=sda2 ino=538738 scontext=unconfined_u:system_r:httpd_t:s0 Tcontext=unconfined_u:o Bject_r:home_root_t:s0 tclass=filetype=syscall Msg=audit (1369575729.534:291): arch=c000003e syscall=4 Success=no EXIT=-13 a0=7f34198634f8 a1=7fffbc87bee0 a2=7fffbc87bee0 a3=7f341985ff60 items=0 ppid=3612 pid=3619 auid=500 uid=48 gid= euid=48 suid=48 fsuid=48 egid=48 sgid=48 Fsgid=48 tty= (none) Ses=1 comm= "httpd" exe= "/usr/sbin/httpd" Subj=unconfined_u:system_r:httpd_t:s0 key= (NULL) type= AVC Msg=audit (1369575729.535:292): avc:denied {getattr} for pid=3619 comm= "httpd" path= "/var/www/html/index.html" de V=sda2 ino=538738 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass= Filetype=syscall Msg=audit (1369575729.535:292): arch=c000003e syscall=6 success=no exit=-13 a0=7f34198635c8 a1= 7fffbc87bee0 a2=7fffbc87bee0 a3=1 items=0 ppid=3612 pid=3619 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid= Fsgid=48 tty= (none) Ses=1 comm= "httpd" exe= "/usr/sbin/httpd" Subj=unconfined_u:system_r:httpd_t:s0 key= (NULL) type= AVC Msg=audit (1369575736.549:293): avc:denied {getattr} for pid=3618 comm= "httpd" path= "/var/www/html/index.html" de V=sda2 ino=538738 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass= Filetype=syscall Msg=audit (1369575736.549:293): arch=c000003e syscall=4 success=no exit=-13 a0=7f34198634f8 a1=7fffbc87bee0 a2=7fffbc87bee0 a3=7f341985ff60 items=0 ppid=3612 pid=3618 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty= (none) Ses=1 comm= "httpd" exe= "/usr/sbin/http D "Subj=unconfined_u:system_r:httpd_t:s0 key= (NULL) TYPE=AVC Msg=audit (1369575736.549:294): avc:denied {getattr} for pid=3618 comm= "httpd" path= "/var/www/html/index.html" Dev=sda2 ino=538738 scontext=unconfined_u:system_r:httpd_t:s0 Tcontext=unconfined_u:object_r:home_root_t:s0 tclass=filetype=syscall Msg=audit (1369575736.549:294): arch= c000003e syscall=6 success=no exit=-13 a0=7f34198635c8 a1=7fffbc87bee0 a2=7fffbc87bee0 a3=1 items=0 ppid=3612 pid=3618 au id=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty= (none) Ses=1 comm= "httpd" exe= "/USR/SBIN/HTTPD" Subj=unconfined_u:system_r:httpd_t:s0 key= (NULL)
From this log file, we can see that the Refresh page does not come out index.html because of our selinux security policy
We'll take a look at the contextual information of the index.html we just moved through the ls-z command.
[Email protected] html]# ls-z-rw-r--r--. Root root unconfined_u:object_r:home_root_t: S0 index.html
We find that the third field of the type is home_root_t, which is why? Because we just created this index.html file in the/home directory, it inherits the SELinux type information from the previous directory by default, so we can look at the context information for the/home directory:
[Email protected] html]# ls-z-d/home/drwxr-xr-x. Root root system_u:object_r:home_root_t: s0/home/
We see that the third field is the same as the one we just index.html, so we can see that the context value of the file is affected by the previous level of the directory, and generally they inherit the context value of the previous level of the directory, but Some installation Services produce the file context value exception, do not inherit the context value of the parent directory, the service will automatically create their context value, such as when the HTTP service is not installed in the/var/directory when there is no www directory, After the HTTPD service is installed, the service automatically creates the desired directory and defines the directory and files associated with the service as the context value, which does not inherit the context value of the parent directory .
[Email protected] html]# ls-z-d/vardrwxr-xr-x. Root root system_u:object_r:var_t: S0 /var[[email protected] html]# ls-z-d/var/www/html/drwxr-xr-x. Root Root system_u:object_r:httpd_sys_content_t: s0/var/www/html/
At this point we find our/var/www/html the context type of this directory is httpd_sys_content_t, and the type of index.html we have just moved over is home_root_t, because our working mode of SELinux at this time is Enforcing, so the action against the policy is forbidden, so we refresh the page does not appear in our index.html information, then we should solve this problem?
Usually the solution consists of two kinds:
① directly set the SELinux working mode to disabled, so there will be no policy blocking issues, but then our system will not have selinux security protection
② to repair our file context information by Restorecon or chcon command
The command Restorecon can be used to restore the file's default context:
Restorecon-r-v/var/www/html/index.html//-r is recursive, and if it is a directory, all subdirectories and files in that directory will be repaired
The command Chcon can change the context information of a file, and usually we use a reference file to modify it:
Chcon--reference=/var/www/html/index.html/var/www/html/test.html
Here we restore the default context of our files by using the restorecon command:
[Email protected] html]# restorecon-v index.html restorecon reset/var/www/html/index.html Context Unconfined_u:object _r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0[[email protected] html]# ls-z-rw-r--r--. Root root unconfined_u:object_r:httpd_sys_content_t: S0 index.html
We see that after using the restorecon command, the context information of the index.html inherits the contextual information of the directory HTML of the previous level, and this time we can refresh the page to see the contents of our index.html.
Through this example, we understand the relationship between the context information of the file and SELinux, and know what the error is by looking at the information /var/log/audit/audit.log This log file, and by Restorecon command to repair the contextual information of our files
SELinux Security System Fundamentals