Initial knowledge of SELinux

Source: Internet
Author: User

I. Some concepts

II. SELinux status

III. Related applications

IV. Related commands

I. Some concepts

1. Linux security access model

DAC (Discretionary Access Control): the traditional Linux model, in which access to a resource is decided by its owner through the permission bits.

2. SELinux security access mechanism

SELinux is a security mechanism that implements Mandatory Access Control (MAC) on the domain-type model: processes run in domains, files and other objects carry types, and the policy decides which domains may access which types.


II. SELinux status

1. SELinux modes

(1) Disabled: SELinux is turned off.

(2) Permissive: SELinux does not actually enforce the policy; it only records policy violations in /var/log/audit/audit.log. The SELinux policy cache directory is /selinux/avc/.

(3) Enforcing: SELinux enforces the policy.

2. Check whether SELinux is enabled

[root@localhost ~]# getenforce
Permissive

or

[root@localhost ~]# sestatus        # the path is /usr/sbin/sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted

3. Set the SELinux mode

(1) Temporarily change the SELinux mode; it takes effect immediately, and after a reboot the mode reverts to the configuration file setting

[root@localhost ~]# setenforce 1    # set Enforcing mode
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# setenforce 0    # set Permissive mode
[root@localhost ~]# getenforce
Permissive

(2) Modify the configuration file /etc/selinux/config (or /etc/sysconfig/selinux, which is a symlink to it); the change takes effect after a reboot and is permanent

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
# (can be set to disabled, permissive or enforcing)
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
# (targeted is used here; strict is basically never used)
SELINUXTYPE=targeted
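The post reads the SELinux state from two places: the configuration file above, which decides the mode at boot, and the runtime output of sestatus shown in section II.2. The following script is an added example, not code from the original post or from the SELinux project: it parses both sources and reports when the machine is merely permissive (violations are logged, not blocked), when the config file will leave SELinux off after a reboot, and when the running mode has drifted from the configured one (setenforce is not persistent). The sample config text and sestatus output are constructed to mirror the post's values.

```python
"""Compare the configured SELinux mode with the running one (added example)."""
import re

VALID_MODES = {"enforcing", "permissive", "disabled"}


def parse_selinux_config(text):
    """Return {'SELINUX': mode, 'SELINUXTYPE': policy} from /etc/selinux/config text.

    Comment and blank lines are skipped. An unknown or missing SELINUX= value is
    an error rather than a guess, because a silently wrong mode is the worst case.
    """
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            result[key.strip()] = value.strip()
    mode = result.get("SELINUX", "").lower()
    if mode not in VALID_MODES:
        raise ValueError("SELINUX= is missing or invalid: %r" % result.get("SELINUX"))
    return {"SELINUX": mode, "SELINUXTYPE": result.get("SELINUXTYPE", "").lower()}


def parse_sestatus(text):
    """Turn 'Key:   value' lines from sestatus into a dict with lower-case keys/values."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][A-Za-z ]*?):\s+(\S.*)$", line)
        if m:
            out[m.group(1).strip().lower()] = m.group(2).strip().lower()
    return out


def assess(config_text, sestatus_text):
    """Combine both sources into a list of findings a reviewer would act on."""
    cfg = parse_selinux_config(config_text)
    st = parse_sestatus(sestatus_text)
    findings = []
    current = st.get("current mode")
    if st.get("selinux status") != "enabled":
        findings.append("SELinux is not enabled at runtime")
    elif current != "enforcing":
        findings.append("runtime mode is %s: policy is only logged, not enforced" % current)
    if cfg["SELINUX"] == "disabled":
        findings.append("config sets SELINUX=disabled: SELinux will be off after reboot")
    if current and cfg["SELINUX"] != current:
        findings.append("drift: running %s but config says %s (setenforce is not persistent)"
                        % (current, cfg["SELINUX"]))
    return findings


# Constructed sample inputs, modelled on the post's config file and sestatus output.
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=targeted
"""

SAMPLE_SESTATUS = """\
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted
"""

if __name__ == "__main__":
    # On a real host: assess(open('/etc/selinux/config').read(), <output of sestatus>)
    for finding in assess(SAMPLE_CONFIG, SAMPLE_SESTATUS):
        print("finding:", finding)
```

Feeding the script the real file and the real sestatus output is enough to catch the common mistake of testing with setenforce 0 and forgetting to put the mode back.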

III. Related applications

1. SELinux security attributes of files and processes

(1) View the SELinux security context of a file

[root@localhost ~]# cd ~        # go to the home directory
[root@localhost ~]# ll -Z       # view the file security contexts
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 Downloads
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log.syslog

In the listing above, system_u:object_r:admin_home_t gives, in order, the SELinux user, role and type:

system_u: the user identity is system_u

object_r: the role is object_r

admin_home_t: the type is admin_home_t

(2) View the SELinux security context of a process

[root@localhost ~]# ps auxZ     # the -Z option shows the SELinux security label
LABEL                           USER  PID %CPU %MEM   VSZ  RSS TTY STAT START TIME COMMAND
system_u:system_r:init_t:s0     root    1  0.0  0.1 19232 1492 ?   Ss   03:36 0:01 /sbin/init
system_u:system_r:kernel_t:s0   root    2  0.0  0.0     0    0 ?   S    03:36 0:00 [kthreadd]
system_u:system_r:kernel_t:s0   root    3  0.0  0.0     0    0 ?   S    03:36 0:00 [migration/0]

2. Modify the SELinux security attributes of a file

Sometimes a file's SELinux security attributes must be changed before it can be accessed. For example, with SELinux enabled, suppose we create a new directory as the httpd site root and put the home page file index.html in it: if the file's type does not match the httpd process's type, the page cannot be opened. Changing the file's type to the same type solves the problem.

(1) Create the site directory and the home page file

[root@localhost html]# mkdir -pv /www/htdocs
mkdir: created directory '/www'
mkdir: created directory '/www/htdocs'
[root@localhost html]# vim /www/htdocs/index.html

The contents of the home page file are as follows:

(2) Modify the httpd main configuration file and delete the welcome page configuration. Because httpd on the test machine was installed from the yum source, its configuration file is /etc/httpd/conf/httpd.conf and the welcome page file is /etc/httpd/conf.d/welcome.conf

a. Configuration

Delete the welcome page configuration and modify the httpd main configuration file

[root@localhost www]# cd /etc/httpd/conf.d/
[root@localhost conf.d]# rm -rf welcome.conf
[root@localhost conf.d]# vim /etc/httpd/conf/httpd.conf

Change the default path to the following:

DocumentRoot "/www/htdocs"
<Directory "/www/htdocs">

Restart the httpd service and turn SELinux on

[root@localhost ~]# service httpd start
[root@localhost html]# setenforce 1

When the browser accesses the page, the following error is shown

[Screenshot: http://s3.51cto.com/wyfs02/M02/6D/3E/wKiom1Ve2KDi0lomAABLAlkEV94898.jpg]

b. Reason: the SELinux type of the httpd process and the type of the page file do not match

[root@localhost htdocs]# ps auxZ | grep httpd
unconfined_u:system_r:httpd_t:s0 root   1516 0.0 0.3 175700 3644 ?     Ss 13:49 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 1518 0.0 0.2 175836 3024 ?     S  13:49 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 1519 0.0 0.2 175700 2404 ?     S  13:49 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 1520 0.0 0.2 175836 3008 ?     S  13:49 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 1521 0.0 0.2 175700 2404 ?     S  13:49 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 1522 0.0 0.2 175700 2580 ?     S  13:49 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 1523 0.0 0.2 175700 2580 ?     S  13:49 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 1524 0.0 0.2 175700 2576 ?     S  13:49 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 1525 0.0 0.2 175700 2404 ?     S  13:49 0:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1527 0.0 0.0 103244 856 pts/0 S+ 13:52 0:00 grep httpd
[root@localhost htdocs]# ll -Z
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 index.html

c. Solution: authorize access by changing the SELinux type of index.html to the httpd type

Commands

[root@localhost htdocs]# setenforce 0                  # temporarily set Permissive mode
[root@localhost htdocs]# chcon -t httpd_t index.html   # -t specifies the type
[root@localhost htdocs]# setenforce 1                  # turn enforcing back on
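The diagnosis above compares the label column of ps auxZ with the context shown by ll -Z; section II.1 notes that in permissive mode the same denials are written to /var/log/audit/audit.log. The script below is an added example, not code from the original post or from the SELinux project: it parses a process listing, a file listing and an AVC denial record into their user:role:type:level parts (the trailing s0 is the MLS/MCS level, which the post does not discuss), and checks the file's type against a small allow table. That table is a constructed stand-in for the real policy: it lists httpd_sys_content_t, the conventional type for web content, and httpd_t, the type the post relabels to and reports as working. The ps, ls and audit lines are all constructed after the post's output.

```python
"""Find the domain/type mismatch behind a denied httpd read (added example)."""
import re
from collections import namedtuple

Context = namedtuple("Context", "user role type level")


def parse_context(label):
    """Split 'user:role:type:level'; the level may itself contain ':' (MCS ranges)."""
    parts = label.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % label)
    level = parts[3] if len(parts) == 4 else ""
    return Context(parts[0], parts[1], parts[2], level)


def process_domains(ps_z_text, command):
    """Types (domains) of every process whose command contains `command`.

    The 'ps auxZ' columns are LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START
    TIME COMMAND, so the command starts at field 11. The grep process that
    appears when piping through grep is ignored.
    """
    domains = set()
    for line in ps_z_text.splitlines():
        fields = line.split()
        if len(fields) < 12 or fields[0] == "LABEL":
            continue
        if command in " ".join(fields[11:]) and not fields[11].startswith("grep"):
            domains.add(parse_context(fields[0]).type)
    return domains


def file_types(ls_z_text):
    """Map file name -> type from 'ls -Z' lines; the context is the field with >= 2 colons."""
    types = {}
    for line in ls_z_text.splitlines():
        fields = line.split()
        ctx = next((f for f in fields if f.count(":") >= 2), None)
        if ctx and fields[-1] != ctx:
            types[fields[-1]] = parse_context(ctx).type
    return types


AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")


def parse_avc(line):
    """Extract denied permissions, source domain and target type from an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "source_type": parse_context(m.group("scontext")).type,
        "target_type": parse_context(m.group("tcontext")).type,
        "tclass": m.group("tclass"),
    }


# Constructed toy allow table (not the real policy): file types each domain may read.
TOY_READ_ALLOW = {"httpd_t": {"httpd_sys_content_t", "httpd_t"}}


def diagnose(domains, ftype):
    """Return (ok, message) for one file type against the given process domains."""
    for domain in sorted(domains):
        allowed = TOY_READ_ALLOW.get(domain, set())
        if ftype not in allowed:
            return False, "domain %s may not read type %s; expected one of %s" % (
                domain, ftype, sorted(allowed))
    return True, "type %s is readable by %s" % (ftype, ", ".join(sorted(domains)))


# Constructed samples modelled on the post's listings and a typical AVC record.
SAMPLE_PS = """\
LABEL                            USER   PID %CPU %MEM    VSZ  RSS TTY STAT START TIME COMMAND
unconfined_u:system_r:httpd_t:s0 root  1516  0.0  0.3 175700 3644 ?   Ss   13:49 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 1518 0.0  0.2 175836 3024 ?   S    13:49 0:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1527 0.0 0.0 103244 856 pts/0 S+ 13:52 0:00 grep httpd
"""
SAMPLE_LS = "-rw-r--r--. root root unconfined_u:object_r:default_t:s0 index.html\n"
SAMPLE_AVC = ('type=AVC msg=audit(1430000000.123:456): avc:  denied  { read } for  '
              'pid=1518 comm="httpd" name="index.html" dev=dm-0 ino=12345 '
              'scontext=unconfined_u:system_r:httpd_t:s0 '
              'tcontext=unconfined_u:object_r:default_t:s0 tclass=file')

if __name__ == "__main__":
    print(diagnose(process_domains(SAMPLE_PS, "httpd"), file_types(SAMPLE_LS)["index.html"]))
    print(parse_avc(SAMPLE_AVC))
```

Two caveats on the post's fix: chcon only changes the label on disk, so a relabel (the restorecon shown in section IV) puts the file back to default_t and breaks the page again, and the label is conventionally httpd_sys_content_t rather than the process domain itself. A persistent rule for a custom site root would be added with semanage fcontext followed by restorecon, which the post does not cover.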

Access the page again in the browser; it is now displayed normally

[Screenshot: http://s3.51cto.com/wyfs02/M00/6D/3E/wKiom1Ve2KCScMD4AAAYnhzKQlU588.jpg]

3. Service SELinux boolean values

Take the vsftpd service as an example; vsftpd is also installed from the yum source

(1) Install vsftpd and lftp, edit /etc/vsftpd/vsftpd.conf and enable the following two items

anon_upload_enable=YES
anon_mkdir_write_enable=YES

(2) cd to /var/ftp/ and change the permissions on the pub directory so that the anonymous ftp user can write to it

setfacl -m u:ftp:rwx pub/

(3) Restart the vsftpd service, log in to the server with lftp and upload a file. With SELinux confirmed to be enforcing, the upload fails with a 553 error; after switching SELinux to permissive, the file can be uploaded

[root@localhost ftp]# lftp 127.0.0.1
lftp 127.0.0.1:~> cd pub/
lftp 127.0.0.1:/pub> lcd /www/htdocs/
lcd ok, local cwd=/www/htdocs
lftp 127.0.0.1:/pub> put index.html
put: Access failed: 553 Could not create file. (index.html)

(4) Reason: the FTP service's SELinux boolean values. The command below shows that the booleans controlling this service are all off

[root@localhost ftp]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off

Workaround: uploads can be allowed with the following command:

setsebool -P allow_ftpd_full_access on
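The listing above shows every ftp boolean off, and the post turns on allow_ftpd_full_access. That boolean lets vsftpd read and write any file its user can reach; the narrower boolean for an anonymous upload area is allow_ftpd_anon_write, which only permits writes to directories labelled public_content_rw_t (the label would be applied with the chcon command from section III.2). The script below is an added example, not code from the original post or from the SELinux project: it parses getsebool output, compares it with a desired boolean profile, and emits only the setsebool -P commands still needed, so it can be re-run without side effects. The desired profile and the getsebool sample are constructed.

```python
"""Plan least-privilege SELinux boolean changes from getsebool output (added example)."""
import re

BOOL_RE = re.compile(r"^(\S+)\s+-->\s+(on|off)$")


def parse_getsebool(text):
    """Map boolean name -> True/False from 'getsebool -a' lines such as 'name --> on'."""
    bools = {}
    for line in text.splitlines():
        m = BOOL_RE.match(line.strip())
        if m:
            bools[m.group(1)] = m.group(2) == "on"
    return bools


# Constructed desired state for an anonymous upload directory: enable only the
# upload boolean and keep the broad full-access boolean off.
ANON_UPLOAD_PROFILE = {
    "allow_ftpd_anon_write": True,
    "allow_ftpd_full_access": False,
}


def plan_changes(current, desired):
    """Return (commands, unknown): the setsebool -P commands that move `current`
    to `desired`, plus desired booleans missing from the listing (reported,
    not guessed, since names differ between policy versions)."""
    commands, unknown = [], []
    for name, want in sorted(desired.items()):
        if name not in current:
            unknown.append(name)
        elif current[name] != want:
            commands.append("setsebool -P %s %s" % (name, "on" if want else "off"))
    return commands, unknown


def review(current):
    """Flag enabled booleans that grant more than an upload directory needs."""
    findings = []
    if current.get("allow_ftpd_full_access"):
        findings.append("allow_ftpd_full_access is on: vsftpd can read and write any file; "
                        "prefer allow_ftpd_anon_write with public_content_rw_t")
    return findings


# Constructed sample, modelled on the post's 'getsebool -a | grep ftp' listing.
SAMPLE_GETSEBOOL = """\
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off
"""

if __name__ == "__main__":
    current = parse_getsebool(SAMPLE_GETSEBOOL)
    commands, unknown = plan_changes(current, ANON_UPLOAD_PROFILE)
    for cmd in commands:
        print(cmd)
    for name in unknown:
        print("unknown boolean on this policy:", name)
    for finding in review(current):
        print("finding:", finding)
```

Because the plan only emits commands for booleans that differ, running it on a host that already has the right state produces nothing, and -P keeps the change across reboots, as section IV explains.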

IV. Related commands

See the man pages for detailed usage.

chcon: modify a file's security context

-t: specify the type

-R: modify recursively; change the directory's attributes and those of the files inside it

--reference: apply the security context of a reference file to the target file

restorecon: restore a file's default security context

[root@localhost htdocs]# restorecon index.html
[root@localhost htdocs]# ll -Z       # we changed this file's type earlier; now it is back to the default
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 index.html

getsebool: list all SELinux boolean values and their settings

setsebool: change SELinux boolean values

-P: makes the change permanent; without -P the value returns to the default after a reboot



This article is from the "Arvin Lau" blog, be sure to keep this source http://64314491.blog.51cto.com/2784219/1653881

