Implementation of MAC access control mechanism in Linux system: SELinux

Source: Internet
Author: User

SELinux

Full name: Security-Enhanced Linux.
SELinux grew out of MAC (Mandatory Access Control); it is the implementation of the MAC access control mechanism in the Linux kernel.

Operating system security level standard (the Orange Book):
  - D level: the lowest security level.
  - C level: C1, C2 (DAC, discretionary access control; systems such as Windows are rated at the C1 level).
  - B level: B1, B2, B3 (MAC, mandatory access control).
  - A level: the highest security level.

Access control mechanisms:
  - DAC (discretionary access control): access is decided by the permissions the file system attaches to a file or data (r, w, x) for the identity of the user accessing it.
  - MAC (mandatory access control): permissions on a file or data are not set per user identity. When a user starts a process, whether that process can operate on the file or data depends on whether the process's domain and the file's type match.

SELinux in the Linux kernel:
  - RHEL 4.0: the SELinux security component was added in beta.
  - RHEL 5.0: the component is installed as a mandatory part of a secure operating system, but the feature can be turned off at installation time.
  - RHEL 6.0+: the component is installed when the operating system is installed and its function starts automatically after the system boots.

SELinux relies on a policy (a resultant set of rules) for its access control decisions. Three policy sets are known:
  1. strict: a type must be strictly defined for every file and a specific domain set for every process; a process's domain and a file's type must match strictly before the process may access the file.
  2. mls (multi-level security): the multi-level security policy set.
  3. targeted: only a limited number of processes are placed under SELinux mandatory access control. As long as the process's domain and the file's type belong to the same broad class, the process is allowed to access the file. This is the policy set shipped and used in the RHEL operating system.
     "Limited number of processes" refers to processes that are prone to intrusion and pose a security risk to the system.
     Note: under the targeted policy set only the process's domain and the file's type need to match; the other fields of the security context are not involved.

Sandbox (SELinux does its work in the "sandbox"): in a Linux system the entity that actually does work is the process.
  - Subject: the process.
  - Action (operation): open, close, read, write, modify, delete, chmod, chown, ...
  - Object: file, process, socket, link, ...

SELinux attaches a security label to every file and process, called the SELinux security context:
  user_identity:role:domain|type:sensitivity
  - user_identity: the SELinux user identity, usually the category of user.
  - role: the role.
  - domain|type: the domain of a process or the type of a file.
  - sensitivity: the sensitivity level.

SELinux policy library (rule base): stores the rules that say which process domains may access or operate on which file types; it is stored under the /etc/selinux/targeted/policy directory.

The /etc/sysconfig/selinux file defines the working mode of SELinux and the policy set in use:
  SELINUX=enforcing
  SELINUXTYPE=targeted

SELinux working modes (the SELINUX value defined in /etc/sysconfig/selinux):
  - enforcing: the SELinux mechanism is turned on and enforced.
  - permissive: warning mode; every action is recorded, but no operation is blocked.
  - disabled: the SELinux mechanism is turned off.
  Notes:
  1. Switching from enforcing or permissive to disabled, or from disabled to enforcing or permissive, normally requires a reboot of the operating system to take effect.
  2. Switching between enforcing and permissive can be done directly with a command-line tool and takes effect immediately.

setenforce command: switch the SELinux working mode.
  setenforce [ Enforcing | Permissive | 1 | 0 ]
  1: enforcing; 0: permissive
getenforce command: show the current SELinux working mode.
  Note: a mode set with setenforce takes effect immediately but is not permanent; to make the change permanent, modify the value of the SELINUX parameter in /etc/sysconfig/selinux and reboot the operating system.

Viewing the SELinux security context of a process or file:
  - file security context: ls -Z (or ls --context) [file]
  - process security context: ps auxZ or ps -efZ

Modifying a file's security context:
  chcon command. Common options:
    -t, --type=TYPE: set the type of the target file directly;
    -R, --recursive: recursively modify all files in the directory, including files in subdirectories;
    --reference=RFILE: set the target file's security context to exactly the security context of RFILE.
  Usage scenario: the security context type of a file does not match, or does not fit, the security context of the process that must use it.
  Example: set the security context for the document root of an httpd virtual host:
    ~]# chcon -t httpd_sys_content_t -R /myweb
    ~]# chcon --reference=/var/www -R /myweb
  restorecon command. Common options:
    -R, -r: recursively reset the security context of the specified directory and its subdirectories to the default value.
  Example: revert the security context of the document root of the httpd virtual host:
    ~]# restorecon -R /myweb

Viewing or modifying content in the policy:
  getsebool command: view SELinux boolean values. Common option:
    -a: view all SELinux boolean values.
  setsebool command: modify SELinux boolean values. Common option:
    -P: with -P the value is written directly to the policy file on disk and is permanently active; without -P the default boolean value is restored after a restart.
  Usage scenario: system services that support modification of the binary policy.
  1. The anonymous-upload function of vsftpd is restricted by SELinux:
    ~]# setsebool -P ftpd_anon_write on
    ~]# setsebool -P ftpd_full_access=1
  2. Samba users accessing their shared home directories are restricted by SELinux:
    ~]# setsebool -P samba_enable_home_dirs on
  3. Directories shared by the samba service that were created and specified by the administrator:
    ~]# chcon -t samba_share_t /path/to/directory

semanage command: SELinux policy management tool. If the command is missing, install the policycoreutils-python package.
  semanage port command:
    -a, --add: add a port number;
    -d, --delete: delete a port number;
    -m, --modify: modify a port number;
    -l, --list: list the port numbers that have been defined.
  Example:
    ~]# semanage port -a -t http_port_t -p tcp 8088
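As an added illustration (not code from the original page), the following Python model shows the decision the text describes: the domain taken from a `ps -eZ` line must match the type taken from an `ls -Z` line, and the SELINUX= working mode decides whether a mismatch is blocked, only logged, or ignored. It also models what `chcon -t` does to a label. The ps/ls lines and the allow table are constructed samples, not a real policy.

```python
"""Mini model of the SELinux targeted-policy decision: process domain vs. file
type, evaluated under the enforcing / permissive / disabled working modes.
The rule table and the ps/ls output lines below are constructed samples."""
from typing import NamedTuple


class Context(NamedTuple):
    user: str   # SELinux user identity, e.g. system_u
    role: str   # role, e.g. object_r for files, system_r for daemons
    type: str   # domain of a process or type of a file
    level: str  # sensitivity / MLS range, e.g. s0 or s0-s0:c0.c1023


def parse_context(ctx: str) -> Context:
    """Split user:role:type:level; the level itself may contain ':'."""
    user, role, typ, level = ctx.split(":", 3)
    return Context(user, role, typ, level)


# Constructed sample lines: one from `ps -eZ`, two from `ls -Z`.
PS_LINE = "system_u:system_r:httpd_t:s0        1234 ?        00:00:01 httpd"
LS_LINES = [
    "-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /myweb/index.html",
    "-rw-r--r--. root root unconfined_u:object_r:samba_share_t:s0 /myweb/shared.html",
]

# Constructed allow table (hypothetical): domain -> file types it may access.
ALLOW = {
    "httpd_t": {"httpd_sys_content_t", "httpd_sys_rw_content_t"},
    "smbd_t": {"samba_share_t", "user_home_t"},
}


def process_domain(ps_line: str) -> str:
    """The context is the first field of `ps -eZ` output."""
    return parse_context(ps_line.split()[0]).type


def file_type(ls_line: str) -> str:
    """The context is the fourth field of `ls -Z` output (after perms, owner, group)."""
    return parse_context(ls_line.split()[3]).type


def decide(mode: str, domain: str, ftype: str) -> str:
    """Return 'allow', 'deny' or 'allow+audit' for the given working mode."""
    permitted = ftype in ALLOW.get(domain, set())
    if mode == "disabled" or permitted:
        return "allow"
    return "deny" if mode == "enforcing" else "allow+audit"  # permissive only logs


def relabel(ls_line: str, new_type: str) -> str:
    """Model `chcon -t NEW_TYPE file`: rewrite only the type field of the label."""
    fields = ls_line.split()
    c = parse_context(fields[3])
    fields[3] = ":".join((c.user, c.role, new_type, c.level))
    return " ".join(fields)
```

Relabeling the second file with `httpd_sys_content_t`, as the page's `chcon -t` example does, turns an enforcing-mode deny into an allow without touching the file's DAC permissions.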
