In-depth understanding of SELinux

Source: Internet
Author: User

Security-Enhanced Linux (SELinux) is an implementation of mandatory access control (MAC) in the Linux kernel: after the discretionary access control (DAC) check has allowed an operation, SELinux checks that operation a second time against its policy. SELinux enforces permissions on files by means of policies that define which operations each process may perform, so an operation that passes the DAC check can still be denied.

MAC: mandatory access control

DAC: discretionary access control

Advantages
    1. Every file and process carries a type label: for a process the type is called a domain, for a file it is simply a type. The SELinux policy specifies the rules by which processes in a domain may access files of a type, and the rules for inter-process communication.
    2. Fine-grained access control. Access decisions in SELinux depend on the user, role, type, and (optionally) level of the security context.
    3. The policy is set by the administrator and applies system-wide.
    4. Limits privilege escalation: if a process is hijacked (compromised), the attacker can reach only the limited set of resources that the process is allowed to access.
    5. Improves the security and integrity of your data.

Attention:

SELinux is not anti-virus software

SELinux is not a substitute for passwords, firewalls, or other security systems

SELinux is not an integrated security solution

 

SELinux is built on existing security solutions to enhance security rather than replace existing security solutions.

Working status

Enforcing: the SELinux policy is enforced. SELinux denies any access that the policy does not allow.

Permissive: the SELinux policy is not enforced. SELinux only logs what the policy would have denied.

Disabled: SELinux is not loaded at all.

~]# getenforce      # show the current state
Enforcing

~]# setenforce 0    # switch to permissive mode (takes effect immediately, does not survive a reboot)
~]# getenforce
Permissive

Working mode

Strict: every process is confined by SELinux.

Targeted: only a selected set of processes (chiefly network-facing daemons) is confined by SELinux; everything else runs unconfined. This is the common default.

Security label

Format:

user:role:type:level

user: the SELinux user

role: the role

type: the type (for a process, its domain)

level: the MLS/MCS sensitivity level; optional

Use ls -Z to view the label of a file:

tmp]$ ls -Z mbr.bak
-rw-r--r--. root root system_u:object_r:tmp_t:s0 mbr.bak

The fourth field is the security label: system_u:object_r:tmp_t:s0

View the security label of a process with ps -Z:

tmp]$ ps auxZ
LABEL                         USER PID %CPU %MEM   VSZ  RSS TTY STAT COMMAND
system_u:system_r:init_t:s0   root   1  0.0  0.1 17128 1312 ?   Ss   /sbin/init
system_u:system_r:kernel_t:s0 root   2  0.0  0.0     0    0 ?   S    [kthreadd]
system_u:system_r:kernel_t:s0 root   3  0.0  0.0     0    0 ?   S    [migration/0]
system_u:system_r:kernel_t:s0 root   4  0.0  0.0     0    0 ?   S    [ksoftirqd/0]
...
(START and TIME columns omitted here)

Modifying security labels

chcon command

Modifies the SELinux security context of a file. The change is written only to the file's label, not to the policy, so a later relabel (for example with restorecon) resets it.

Common options

-u  specify the user

-r  specify the role

-t  specify the type

-R  apply recursively to a directory and its contents

Modifying the file security context type:

tmp]$ ls -Z mbr.bak
-rw-r--r--. root root system_u:object_r:tmp_t:s0 mbr.bak
tmp]$ chcon -t tmp_tt_t mbr.bak
tmp]$ ls -Z mbr.bak
-rw-r--r--. root root system_u:object_r:tmp_tt_t:s0 mbr.bak

restorecon command

Restores the security context of a file to the default defined by the policy's file-context rules, undoing changes made with chcon.

Common options

-R  recurse into a directory and restore its contents

-n  do not change anything, only report what would be changed

-v  show each label that is changed
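As an added example that is not part of the original article, the following POSIX sh script parses the user:role:type:level label from ls -Z output, reports files whose type is not the expected one (the mismatch restorecon would repair), and prints the chcon commands that would fix them without running anything. The listing it works on is constructed sample data, not real system output.

```shell
# Constructed sample of `ls -Z` output for one directory (not real output).
SAMPLE_LS_Z='-rw-r--r--. root root system_u:object_r:tmp_t:s0 mbr.bak
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 notes.txt
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0-s0:c0.c1023 index.html'

# Print one field of a user:role:type:level context ($1 = context, $2 = field).
# The level is optional and may itself contain colons (MLS/MCS ranges such as
# s0-s0:c0.c1023), so it is taken as everything after the third colon.
context_field() {
    case "$2" in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        level) printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# Read `ls -Z` lines on stdin and print "name current_type" for every file
# whose type differs from the expected type given as $1.
find_mislabeled() {
    expected="$1"
    while read -r _perms _owner _group context name; do
        [ -n "$name" ] || continue
        type=$(context_field "$context" type)
        [ "$type" = "$expected" ] || printf '%s %s\n' "$name" "$type"
    done
}

# Emit, but do not execute, the chcon commands that would set the expected
# type, so the relabel can be reviewed before it is applied.
plan_relabel() {
    expected="$1"
    find_mislabeled "$expected" | while read -r name _type; do
        printf 'chcon -t %s %s\n' "$expected" "$name"
    done
}

# Usage: printf '%s\n' "$SAMPLE_LS_Z" | plan_relabel tmp_t
```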

getsebool

Shows the SELinux booleans that switch optional behaviour of a process or service on or off.

-a  list all booleans and their values

setsebool

Changes the value of a boolean, enabling or disabling that behaviour under SELinux.

-P  make the change persistent (saved to disk so it survives a reboot)

Related files

/etc/selinux/config (also reachable as /etc/sysconfig/selinux): sets the SELinux state (enforcing, permissive, disabled) and the policy type (targeted, strict) applied at boot

/var/log/audit/audit.log: the audit log in which SELinux records access denials (AVC messages)
