SELinux
Basic Overview:
SELinux (Security-Enhanced Linux) is the United States National Security Agency's (NSA) implementation of mandatory access control and is one of the most significant security subsystems added to Linux. The NSA, with the help of the Linux community, developed an access control system under which a program, constrained by the policy, can access only the files it needs for its task. SELinux is installed by default on Fedora and Red Hat Enterprise Linux and is available as an easy-to-install package on other distributions.
SELinux is a mandatory access control (MAC) system available in the 2.6 series of the Linux kernel. Of the currently available Linux security modules, SELinux is the most versatile and well-tested, built on 20 years of MAC research. SELinux incorporates multi-level security (MLS) or an optional multi-category policy in the type enforcement server and employs a role-based access control concept. [1]
Most people who use SELinux use SELinux-ready distributions such as Fedora, Red Hat Enterprise Linux (RHEL), Debian, or CentOS. They all enable SELinux in the kernel, provide a customizable security policy, and ship user-space libraries and tools that make use of SELinux functionality.
SELinux is a mandatory access control (MAC) security system based on the domain-type model. It was written by the NSA and designed as a kernel module; some security-related user-space applications have been patched for SELinux, and a corresponding security policy completes the system. Under traditional discretionary access control (DAC), a program has full control over every resource its user owns: if a program decides to drop a file containing sensitive information into /tmp, nothing stops it. SELinux provides finer access control than traditional UNIX permissions.
The access control mechanism in SELinux:
DAC: Discretionary Access Control:
An access control mechanism based on the access rights (r, w, x) that the file system records on a file or data for its owner, group and others; the owner of the object decides who may access it;
MAC: Mandatory Access Control:
Access to a file or data is not decided by the user's identity alone. When a user starts a process, whether that process may operate on a file depends on whether the domain of the process and the type of the file match a rule in the policy. SELinux is the implementation of the MAC mechanism in Linux;
SELinux component features in the Linux kernel:
RHEL 4.0: SELinux security components first added (as a beta feature);
RHEL 5.0: the component is installed with the operating system, but the feature can be turned off at installation time;
RHEL 6.0+: the component is installed with the operating system and its function starts automatically at boot;
SELinux relies on a security policy to make its access control decisions; three policy types are well known:
Strict: every file has a strictly defined type and every process runs in a specific domain; the process's domain and the file's type must match a rule exactly for the process to access the file;
MLS: multi-level security, the multi-level security policy;
Targeted: only a limited set of processes (the confined processes) is placed under SELinux mandatory access control; as long as the domain of the process and the type of the file belong to the same broad class, the access is allowed. This is the default policy on RHEL systems;
The confined processes are those that are exposed to intrusion and pose a security risk to the system, typically network-facing daemons;
Sandbox:
Overview:
In computer security, a sandbox is a security mechanism that provides an isolated environment for executing programs. It is often used to try out programs that are untrusted, potentially destructive, or whose intent cannot be determined.
A sandbox typically tightly controls the resources the program can access, for example by providing scratch disk and memory space that is discarded after use. In a sandbox, network access, access to the real system, and reading of input devices are often prohibited or strictly restricted. From this point of view, the sandbox is a form of virtualization.
Changes made inside the sandbox cause no damage to the host operating system. This technique is widely used by security analysts to test potentially malicious programs or other malicious code.
Implementation:
A sandbox runs software in a restricted system environment and controls the resources (file descriptors, memory, disk space, and so on) that the program can use.
The following are some sandbox implementations:
Jail: restricts network access and confines the file system namespace. Jails are most commonly used on virtual hosts [4].
Rule-based execution: the system's security mechanism assigns access rights to users and programs according to a set of preset rules, controlling program startup, code injection and network access [5]. Access to files (and, on Windows, the registry) can also be controlled. In such an environment the chance of a virus or trojan infecting the system is reduced. On Linux, SELinux and AppArmor use this strategy.
Virtual machines: emulate a complete host system on which guest operating systems run as if on real hardware. The guest can reach the host's resources only through the emulator, so it counts as a sandbox.
Host-local sandbox: security researchers rely heavily on sandboxes to analyze the behavior of malicious software. By creating an environment that simulates a real desktop, researchers can observe how malware infects a single host. Some malware analysis services use sandbox technology [6].
Online judge systems: used to run submitted programs in programming competitions.
Secure computing mode (seccomp): a sandbox built into the Linux kernel. When enabled in its strict mode, seccomp allows a process only the system calls read(), write(), exit() and sigreturn().
In a Linux system, a process is the entity that does the actual work; every access is described by three things:
Subject, action (operation), object
Subject: the process
Action (operation): open, close, read, write, modify, delete, chmod, chown, ...
Object: file, process, socket, link, ...
SELinux attaches a security label to every file and to every process; this label is called the SELinux security context. Its format is:
user:role:type:sensitivity
user: the SELinux user identity, which the Linux login user is mapped to;
role: the role;
type: the domain of a process or the type of a file (a domain is simply a type applied to a process);
sensitivity: the MLS sensitivity level, for example s0;
Note: under the targeted policy only the type field is used to match a process's domain against a file's type; the other fields of the security context are not consulted;
The SELinux policy library:
Rule library: stores the rules.
Rule: which process domain may access or manipulate which file types in which way; the compiled policy is stored under /etc/selinux/targeted/policy;
The /etc/sysconfig/selinux file (a symbolic link to /etc/selinux/config) defines the working mode of SELinux and the policy type to use:
SELINUX=enforcing
SELINUXTYPE=targeted
SELinux modes of operation:
enforcing - the SELinux security policy is enforced.
permissive - SELinux prints warnings instead of enforcing.
disabled - no SELinux policy is loaded.
Attention:
1. Any switch from enforcing or permissive mode to disabled mode, or from disabled mode to enforcing or permissive mode, requires a reboot of the operating system to take effect;
2. Switching between enforcing and permissive mode can be done directly with a command line tool and takes effect immediately;
Conversion commands:
setenforce command:
setenforce - modify the mode SELinux is running in.
setenforce [ Enforcing | Permissive | 1 | 0 ]    1: Enforcing, 0: Permissive
getenforce command:
getenforce - get the current mode of SELinux.
Note: the working mode set with setenforce takes effect immediately but is not permanent. To make the change permanent, set the SELINUX parameter in /etc/sysconfig/selinux; that value is applied at the next boot;
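The following helper script is an added example, not part of the original post. It encodes the two rules above: a switch between enforcing and permissive can be done live with setenforce, while any switch to or from disabled needs the SELINUX= line in the config file edited and a reboot. The config file path is a parameter so the functions can be exercised against a constructed copy; the sample config content, the function names and the temporary file are assumptions of this example.

```bash
#!/bin/bash
# Added example (not from the original post): helpers for applying an
# SELinux mode change the way the text describes. The config path is a
# parameter so the functions can be run against a constructed copy.

# Print the persistent mode configured in a /etc/sysconfig/selinux-style
# file (the value of the uncommented SELINUX= line).
selinux_config_mode() {
    local cfg="${1:-/etc/sysconfig/selinux}"
    sed -n 's/^SELINUX=\([A-Za-z]*\).*/\1/p' "$cfg" | tail -n 1
}

# Decide how to get from one mode to another:
#   live    - setenforce changes it immediately (enforcing <-> permissive)
#   reboot  - to or from disabled: edit SELINUX= in the config and reboot
#   none    - already in the requested mode
#   invalid - an unknown mode name
selinux_switch_method() {
    local from="$1" to="$2"
    case "$from:$to" in
        enforcing:enforcing|permissive:permissive|disabled:disabled) echo none ;;
        enforcing:permissive|permissive:enforcing) echo live ;;
        disabled:enforcing|disabled:permissive|enforcing:disabled|permissive:disabled) echo reboot ;;
        *) echo invalid ;;
    esac
}

# Rewrite the SELINUX= line so the new mode survives a reboot. setenforce
# alone does not do this: its effect lasts only until the next boot.
selinux_set_config_mode() {
    local cfg="$1" mode="$2"
    case "$mode" in enforcing|permissive|disabled) ;; *) return 1 ;; esac
    sed -i "s/^SELINUX=.*/SELINUX=$mode/" "$cfg"
}

# Demonstration on a constructed copy of the config file (never touches the
# real system). On a real host the current mode would come from getenforce.
demo_cfg="$(mktemp)"
cat > "$demo_cfg" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values: enforcing, permissive, disabled
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
current="$(selinux_config_mode "$demo_cfg")"
echo "configured mode: $current"
echo "enforcing -> permissive: $(selinux_switch_method enforcing permissive)"
echo "enforcing -> disabled:   $(selinux_switch_method enforcing disabled)"
selinux_set_config_mode "$demo_cfg" permissive
echo "after edit: $(selinux_config_mode "$demo_cfg")"
rm -f "$demo_cfg"
```

On a real host, pair `selinux_set_config_mode /etc/sysconfig/selinux permissive` with `setenforce 0` for a change that is both immediate and persistent; for a change involving disabled, edit the file and reboot, because setenforce cannot load or unload the policy.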
Basic command:
View the SELinux security context of a process or file:
File security context:
ls -Z | --context [FILE]
Process security context:
ps auxZ
ps -efZ
Modify the security context of a file:
chcon command: chcon - change file SELinux security context
-t, --type=TYPE: set the type of the target file directly;
-R, --recursive: recursively modify all files in the directory, including files in subdirectories;
--reference=RFILE: take the security context of RFILE and set the target file to exactly that context;
Usage scenario: typically used when the domain of a process does not match, or is not allowed to access, the security context type of a file, for example when setting the security context of the document root of an httpd virtual host;
restorecon command: restorecon - restore file(s) default SELinux security contexts.
-R, -r: recursively reset the security context of the specified directory and its subdirectories to the default;
View or modify policy booleans:
getsebool command: getsebool - get SELinux boolean value(s)
-a: show all SELinux booleans.
setsebool command: setsebool - set SELinux boolean value
-P: if the -P option is given, all pending values are written to the policy file on disk, so they are persistent across reboots.
Usage scenarios: system services whose policy provides boolean switches:
vsftpd's upload function for anonymous users is restricted by SELinux:
~]# setsebool -P ftpd_anon_write on
~]# setsebool -P ftpd_full_access=1
Samba users accessing their home directory through a share are restricted by SELinux:
~]# setsebool -P samba_enable_home_dirs on
A shared directory in the Samba service that the administrator created and specified:
~]# chcon -t samba_share_t /path/to/directory
semanage command: semanage - SELinux policy management tool
Note: if this command is not present, install the policycoreutils-python package;
semanage port command:
-a, --add: add a record of the specified object type
-d, --delete: delete a record of the specified object type
-m, --modify: modify a record of the specified object type
-l, --list: list records of the specified object type
Example: ~]# semanage port -a -t http_port_t -p tcp 8088
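The script below is an added example, not part of the original post, for the httpd document root scenario mentioned under chcon. It parses `ls -Z` output of the form "<context> <path>", reports every file whose type is not httpd_sys_content_t, and prints the commands that fix the labels persistently. The sample `ls -Z` output and the path /srv/www/vhost1 are constructed; `semanage fcontext` and `restorecon -Rv` are real commands but are only printed here, not run. The one caveat a practitioner should know: chcon (as used in the text) changes the label on disk, but restorecon resets files to the defaults recorded in the policy's file-context database, so a chcon-only fix is undone by the next relabel. Recording the rule with `semanage fcontext -a` first makes the new label the default.

```bash
#!/bin/bash
# Added example (not from the original post): audit the document root of an
# httpd virtual host for files whose SELinux type is not httpd_sys_content_t,
# then print the commands that correct and persist the labels. Parses "ls -Z"
# output of the form "<context> <path>" (one entry per line), so it can be
# exercised on the constructed sample below without an SELinux host.

# Third colon-separated field of a security context user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "<context> <path>" lines on stdin; print the paths whose type is not $1.
find_mislabeled() {
    local want="$1" ctx path
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        [ "$(context_type "$ctx")" = "$want" ] || printf '%s\n' "$path"
    done
}

# Commands that fix a document root persistently. chcon alone relabels the
# files but is undone by the next restorecon, because restorecon resets files
# to the defaults in the policy's file-context database. Recording the rule
# with semanage fcontext makes the label the default; restorecon applies it.
# (Both need root; they are printed here, not executed.)
remediation_commands() {
    local docroot="$1" type="${2:-httpd_sys_content_t}"
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$type" "$docroot"
    printf 'restorecon -Rv "%s"\n' "$docroot"
}

# Constructed sample resembling: ls -Z /srv/www/vhost1/*
# (two files were copied from home directories and kept their old types).
SAMPLE_LS_Z='system_u:object_r:httpd_sys_content_t:s0 /srv/www/vhost1/index.html
unconfined_u:object_r:user_home_t:s0 /srv/www/vhost1/upload.php
unconfined_u:object_r:admin_home_t:s0 /srv/www/vhost1/logo.png'

echo "files not labeled httpd_sys_content_t:"
printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled httpd_sys_content_t
echo "to fix:"
remediation_commands /srv/www/vhost1
```

On a live system replace the sample with `ls -Z /srv/www/vhost1/* | find_mislabeled httpd_sys_content_t` (without -l, `ls -Z` prints just the context and the name), then run the two printed commands as root and re-run the check; `ls -Z` alone does not tell you whether the label is the default, which is why the fix goes through semanage and restorecon rather than chcon.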
The advantages and disadvantages of SELinux:
Disadvantages of a system without SELinux:
Although Linux is much better than Windows in reliability and stability, it has the following shortcomings, like other Unix systems.
There is a privileged user, root
Anyone who obtains root access can do anything to the whole system. The same is true of Windows.
Insufficient segmentation of access rights for files
In a Linux system, permissions on a file are divided only into the three categories "owner", "group" and "others".
There is no way to make finer distinctions among the users that fall under "others".
Privilege escalation through SUID programs
If a program with the SUID bit set is compromised, it can easily be exploited by attackers to gain the privileges of its owner.
The DAC (discretionary access control) problem
The owner of a file or directory can perform any operation on it, which makes centralized management of the system difficult.
Firewalls and intrusion detection systems are powerless against these deficiencies.
In this context, SELinux, which greatly strengthens access control, shows its appeal.
An SELinux system offers much higher security than an ordinary Linux system, and even if it is compromised, the damage to the system as a whole is limited, because the permissions of the process or user are kept to a minimum.
Advantages of SELinux:
Complete control of access
Feature 1: MAC (mandatory access control)
Access to all resources such as files, directories and ports is decided by policy settings. These policies are written by the administrator, and ordinary users have no permission to change them.
Only minimal permissions are given to a process
Feature 2: TE (type enforcement): only minimal permissions are given to a process
The TE concept is central to SELinux. Every file carries a type label, and every process carries a label called a domain. What a domain may do is determined by the access vector rules in the policy.
Take the familiar Apache server: the httpd process can run only in httpd_t, and the operations httpd_t may perform are set by rules, for example reading web content files labeled httpd_sys_content_t, while the password file is labeled shadow_t and TCP port 80 is labeled http_port_t. If the access vector rules do not allow httpd_t to operate on http_port_t, Apache will not start. Conversely, httpd_t is allowed only port 80 and only to read files labeled httpd_sys_content_t; it cannot use any other port and cannot modify files labeled httpd_sys_content_t (read only).
Prevent privilege escalation
Feature 3: domain transition: prevents privilege escalation
Suppose you run the peer-to-peer download program Azureus in a user session whose domain is fu_t. For security reasons you want it to run in azureus_t instead, but if you start Azureus from a terminal, its process by default inherits the fu_t domain of the shell that executes it.
With a domain transition, Azureus runs in the designated azureus_t domain, which is better for security and does not affect your fu_t.
The following is an example of a domain transition rule:
domain_auto_trans(fu_t, azureus_exec_t, azureus_t)
This means that when a file labeled azureus_exec_t is executed in the fu_t domain, the process's domain transitions from fu_t to azureus_t. Below is the transition diagram for starting Apache. Note that which domains may transition to httpd_t is fixed in the policy, so if we start Apache manually (/etc/init.d/httpd start) from an administrator shell, it may remain in sysadm_t and the intended transition does not happen. To start it manually, use the run_init command.
Give the user only minimal permissions
Feature 4: RBAC (role-based access control): gives users only minimal permissions
Users are divided into roles. Even the root user, if not in the sysadm_r role, cannot perform the management operations of sysadm_t, because which roles may enter which domains is also set in the policy. Roles can also transition, but only as the policy defines.
selinux--Overview and basic operation commands