In-depth understanding of SELinux
Security-Enhanced Linux (SELinux) is an implementation of mandatory access control (MAC) in the Linux kernel. After the discretionary access control (DAC) check has allowed an operation, SELinux checks it a second time against the loaded policy. The policy defines which operations each process (domain) may perform on files and other resources, and the kernel enforces those rules system-wide.
MAC: mandatory access control
DAC: discretionary access control
Advantages
- Every file and process carries a type label: for a process the type defines its domain, for a file it defines what kind of object it is. The SELinux policy specifies the rules under which a domain may access each file type, as well as the rules for communication between processes.
- Fine-grained access control. Whether access is allowed in SELinux depends on the user, role, type and (optionally) level in the security label.
- The policy is set by the administrator and applies system-wide.
- Limits privilege escalation: if a process is hijacked (compromised), the attacker can reach only the limited set of resources that the process's domain is allowed to access.
- Enhances the security and integrity of your data.
Attention:
SELinux is not anti-virus software
SELinux is not a substitute for passwords, firewalls, or other security systems
SELinux is not an all-in-one security solution
SELinux builds on existing security measures to strengthen them, not to replace them.
Working status
Enforcing (enabled state): the SELinux policy is enforced; access that violates the policy is denied.
Permissive (free state): the policy is not enforced; violations are only logged as warnings and the access is allowed.
Disabled (disabled state): SELinux is not enabled.
~]# getenforce        # show the current state
Enforcing
~]# setenforce 0      # switch to permissive (0 = permissive, 1 = enforcing)
~]# getenforce
Permissive
setenforce changes the state only until the next reboot; the persistent setting lives in /etc/selinux/config.
Working mode
Strict (strict mode): every process is controlled by SELinux.
Targeted (loose mode, the default on Red Hat-family distributions): only a subset of processes (targeted services such as network daemons) run in confined domains; everything else runs unconfined.
Security label
Format:
user:role:type:level
user: the SELinux user
role: the role
type: the type (for a file) or domain (for a process)
level: the MLS/MCS sensitivity level, optional
Use ls -Z to view the label of a file
$ ls -Z mbr.bak
-rw-r--r--. root root system_u:object_r:tmp_t:s0 mbr.bak
The fourth field is the security label: system_u:object_r:tmp_t:s0
View the security label of a process with ps -Z
$ ps auxZ
LABEL                           USER PID %CPU %MEM   VSZ  RSS TTY STAT START TIME COMMAND
system_u:system_r:init_t:s0     root   1  0.0  0.1 17128 1312 ?   Ss   -     0:00 /sbin/init
system_u:system_r:kernel_t:s0   root   2  0.0  0.0     0    0 ?   S    -     0:00 [kthreadd]
system_u:system_r:kernel_t:s0   root   3  0.0  0.0     0    0 ?   S    -     0:00 [migration/0]
system_u:system_r:kernel_t:s0   root   4  0.0  0.0     0    0 ?   S    -     0:00 [ksoftirqd/0]
...
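A small mislabel check built on the label format described above, added here as an example (it is not code from the original article). It parses constructed ls -Z lines with plain sh and awk, so it does not need an SELinux-enabled host; the listing, the file names and the expected type tmp_t are made-up sample data.

```shell
# Added example: check the type field of file security labels in "ls -Z"
# output against the type expected for a directory. SAMPLE_LS_Z is
# constructed sample data, not real output from any host.

SAMPLE_LS_Z='-rw-r--r--. root root system_u:object_r:tmp_t:s0 mbr.bak
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 notes.txt
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 helper.sh
-rw-------. root root system_u:object_r:shadow_t:s0-s0:c0.c1023 stray.db'

# context_part LABEL N -> prints field N of a label
# (1 = user, 2 = role, 3 = type, 4 = level).
# The level itself may contain ':' (an MCS range such as s0-s0:c0.c1023),
# so only the first three separators are significant.
context_part() {
    printf '%s\n' "$1" | awk -v n="$2" -F: '{
        if (n < 4) { print $n; exit }
        lvl = $4
        for (i = 5; i <= NF; i++) lvl = lvl ":" $i
        print lvl
    }'
}

# find_mislabelled EXPECTED_TYPE -> prints "file type" for every entry
# whose type differs from EXPECTED_TYPE. In "ls -Z" output the label is
# the fourth whitespace-separated field and the name is the fifth.
find_mislabelled() {
    printf '%s\n' "$SAMPLE_LS_Z" | awk -v want="$1" '{
        split($4, c, ":")
        if (c[3] != want) print $5, c[3]
    }'
}

# count_mislabelled EXPECTED_TYPE -> number of entries with a different type.
count_mislabelled() {
    find_mislabelled "$1" | wc -l | tr -d ' '
}

# Report everything in the sample that is not labelled tmp_t.
find_mislabelled tmp_t
```

On a real host the listing would come from `ls -Z /some/dir` and the expected type from the policy's file-context rules; files that show up here are candidates for restorecon rather than for ad-hoc chcon fixes.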
Modifying security labels
chcon command
Modifies the SELinux security context of a file
Common options
-u specify the user
-r specify the role
-t specify the type or domain
-R apply recursively to a directory and its contents
Modifying the file security context type
$ ls -Z mbr.bak
-rw-r--r--. root root system_u:object_r:tmp_t:s0 mbr.bak
$ chcon -t tmp_tt_t mbr.bak
$ ls -Z mbr.bak
-rw-r--r--. root root system_u:object_r:tmp_tt_t:s0 mbr.bak
restorecon command
Restores a file's security context to the default defined by the policy's file-context rules; this also undoes changes made with chcon.
Common options
-R recursively restore a directory and its contents
getsebool
Shows SELinux booleans: the switches that turn optional behaviour of a service on or off
-a show all booleans
setsebool
Turns a boolean on or off
-P make the change persistent (saved to disk, survives a reboot)
Related files
/etc/selinux/config (also reachable as /etc/sysconfig/selinux): configures the SELinux state (SELINUX=enforcing, permissive or disabled) and the working mode (SELINUXTYPE=, for example targeted)
/var/log/audit/audit.log: the audit log where SELinux records access denials (AVC messages)
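The denials mentioned above arrive in audit.log as type=AVC records. The script below, added here as an example and not taken from the original article, summarises such records with sh and awk: for each denial it prints the source domain, the denied permission, the target type, the object class and whether the access was actually blocked (permissive=0) or only logged (permissive=1). The log lines are constructed sample data in the audit.log format; the PIDs, timestamps, file names and contexts are made up.

```shell
# Added example: summarise SELinux AVC denials from audit.log records.
# SAMPLE_AUDIT_LOG is constructed sample data, not a real log.

SAMPLE_AUDIT_LOG='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=2 success=no exit=-13 pid=1234 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1700000001.500:457): avc:  denied  { write } for  pid=1234 comm="httpd" name="upload.tmp" dev="dm-0" ino=9012 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000002.000:458): avc:  denied  { name_connect } for  pid=2222 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1'

# avc_summary -> one line per denial:
#   <source type> <permission(s)> <target type> <class> <enforcing|permissive>
# Only type=AVC records containing "denied" are considered; the SYSCALL
# record that accompanies a denial is skipped.
avc_summary() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | awk '
        $1 == "type=AVC" && / denied / {
            perm = ""
            if (match($0, /[{] [^}]* [}]/))      # "{ read }" -> "read"
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            st = tt = cls = mode = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext") { split(kv[2], c, ":"); st = c[3] }
                else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tt = c[3] }
                else if (kv[1] == "tclass") cls = kv[2]
                else if (kv[1] == "permissive")
                    mode = (kv[2] == "1") ? "permissive" : "enforcing"
            }
            print st, perm, tt, cls, mode
        }'
}

# denial_count SOURCE_TYPE -> number of denials raised by that domain.
denial_count() {
    avc_summary | awk -v t="$1" '$1 == t' | wc -l | tr -d ' '
}

# enforced_denials -> only the denials that actually blocked an access.
# A record with permissive=1 means the operation was logged but allowed,
# which is why a permissive host still needs its audit log reviewed.
enforced_denials() {
    avc_summary | awk '$5 == "enforcing"'
}

avc_summary
```

On a real system the same records are most easily pulled with `ausearch -m avc`; the summary format above maps directly onto the questions a reviewer asks first (which domain, which permission, which target type) before deciding whether a label is wrong, a boolean should be set, or the denial is exactly what the policy is supposed to prevent.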