Initial knowledge of SELinux

First, some concepts

Second, SELinux status

Iii. related applications

Iv. Related Orders

First, some concepts

1. Linux Secure access model

DAC (discretionary access control): Autonomous access controls

2. SELinux Secure access mechanism

SELinux is a secure system based on the < domain-type > model (DOMAIN-TYPE) mandatory access control (mac:mandatory access controls)

Second, SELinux status

1. SELinux Status

(1), Disable, disable

(2), Permissive, does not really implement the SELinux function, only the violation of the policy behavior recorded into the/var/log/audit/audit.log; selinux Policy Cache directory/selinux/avc/

(3), enforcing, forced to implement SELinux

2. Check the SELinux open status

[Email protected] ~]# getenforcepermissive

Or

[Email protected] ~]# sestatus #路径为/usr/sbin/sestatusselinux status:enabledselinuxfs Mount:                 /selinuxcurrent mode:permissivemode from config file:permissivepolicy version: 24Policy from config file:targeted

3. Set SELinux status

(1), temporarily modify the SELinux status, immediately effective, restart after the restoration to the configuration file settings

[[email protected] ~]# setenforce 1 #设置为Enforcing状态 [[email protected] ~]# Getenforceenforcing[[email protected] ~]# set Enforce 0 #设置为Permissive状态 [[email protected] ~]# getenforcepermissive

(2), modify the configuration file/etc/selinux/config or/etc/syslconfig/selinux, restart after the effective, and permanently effective

# this file controls the state of selinux on the system.#  SELINUX= can take one of these three values:#        enforcing - SELinux security policy is enforced.#        permissive - selinux prints warnings instead of  enforcing.#       disabled - selinux is fully  disabled. selinux=permissive     #可修改为disabled, Permissive,enforcing# selinuxtype= type  of policy in use. Possible values are:#        targeted - Only targeted network daemons are protected.#        strict - full selinux protection. selinuxtype=targeted     #此项使用targeted, basically no strict 

Iii. related applications

1. SELinux security attributes for files and processes

(1), view the SELinux security properties of the file

[[Email protected] ~]# CD ~ #进到家目录 [[email protected] ~]# ll–z #查看文件安全上下文-rw-------. Root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfgdrwxr-xr-x. Root root unconfined_u:object_r:admin_home_t:s0 downloads-rw-r--r--. Root root system_u:object_r:admin_home_t:s0 install.log-rw-r--r--. Root root System_u:object_r:admin_home_t:s0 Install.log.syslog

In the above information, there is a system_u:object_r:admin_home_t, the user, group, type of SELinux, respectively.

System_u:user Identity is System

Object_r:role to Objuect

Admin_home_t:type to Admin_home

(2), review the SELinux security properties of the process

[[email protected] ~]# ps auxz    #-z option, view SELinux security Properties label                             user       pid %cpu % mem    vsz   rss tty      stat  start   time commandsystem_u:system_r:init_t:s0     root          1  0.0  0.1  19232   1492 ?        ss   03:36   0:01  /sbin/initsystem_u:system_r:kernel_t:s0   root          2  0.0  0.0      0      0 ?   &nBsp;    s    03:36   0:00 [kthreadd]system_u: system_r:kernel_t:s0   root         3   0.0  0.0      0     0 ?         S    03:36   0:00 [MIGRATION/0]

2. Modify the file SELinux security attributes

Sometimes you need to modify the file's SELinux security attributes to access the file, for example, when SELinux is turned on, the httpd Web site root directory (at this point we create a new directory, Create the home page file index.html, if its type is different from the httpd process, then the page will not be accessible, the type will be modified to the same type, you can solve the problem

(1), create site Directory, home file

[[email protected] html]# mkdir/www/htdocs-pvmkdir:created directory '/www ' mkdir:created directory '/www/htdocs ' [[EMA Il protected] html]# vim/www/htdocs/index.html

Home file contents are as follows

(2), modify httpd Master profile, delete Welcome page profile, because the test machine httpd is installed with Yum Source, its profile path/etc/httpd/conf/httpd.conf, welcome page file Path/etc/httpd/conf.d/ Welcome.conf
A, configuration
Delete the Welcome page profile, modify the httpd master profile
[Email protected] www]# cd/etc/httpd/conf.d/[[email protected] conf.d]# rm-rf welcome.conf [[email protected] conf.d]# Vim/etc/httpd/conf/httpd.conf
Modify the default path to the following:
DocumentRoot "/www/htdocs" <directory "/www/htdocs" >
Restart the HTTPD service to open SELinux
[[Email protected] ~]# service httpd start [[email protected] html]# Setenforce 1
When the browser accesses the page, you will be prompted as follows
650) this.width=650; "title=" image "style=" border-top:0px;border-right:0px;background-image:none;border-bottom:0 px;padding-top:0px;padding-left:0px;margin:0px;border-left:0px;padding-right:0px; "border=" 0 "alt=" image "src=" Http://s3.51cto.com/wyfs02/M02/6D/3E/wKiom1Ve2KDi0lomAABLAlkEV94898.jpg "height="/>
b, Reason, httpd process and the SELinux security attribute of the paging file, type inconsistent
[[EMAIL&NBSP;PROTECTED]&NBSP;HTDOCS]#&NBSP;PS&NBSP;AUXZ&NBSP;|&NBSP;GREP&NBSP;HTTPDUNCONFINED_U:SYSTEM_R:HTTPD _t:s0 root     1516  0.0  0.3 175700  3644  ?        ss   13:49   0:00 / usr/sbin/httpdunconfined_u:system_r:httpd_t:s0 apache   1518  0.0  0.2  175836  3024 ?        S     13:49   0:00 /usr/sbin/httpdunconfined_u:system_r:httpd_t:s0 apache    1519  0.0  0.2 175700  2404 ?         s    13:49   0:00 /usr/sbin/httpdunconfined_u:system_r: httpd_t:s0 apache   1520  0.0  0.2 175836  3008 ?     &Nbsp;   s    13:49   0:00 /usr/sbin/httpdunconfined_u: system_r:httpd_t:s0 apache   1521  0.0  0.2 175700   2404 ?        s    13:49    0:00 /usr/sbin/httpdunconfined_u:system_r:httpd_t:s0 apache   1522  0.0   0.2 175700  2580 ?        S     13:49   0:00 /usr/sbin/httpdunconfined_u:system_r:httpd_t:s0 apache    1523  0.0  0.2 175700  2580 ?         s    13:49   0:00 /usr/sbin/ httpdunconfined_u:system_r:httpd_t:s0 apache   1524  0.0  0.2  175700  2576 ?         s    13:49   0:00 /usr/sbin/ httpdunconfined_u:system_r:httpd_t:s0 apache   1525  0.0  0.2  175700  2404 ?        s    13:49    0:00 /usr/sbin/httpdunconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root  1527 0.0  0.0 103244 856 pts/0 s+ 13:52   0:00  grep httpd[[email protected] htdocs]# ll -z-rw-r--r--.  root root  unconfined_u:object_r:default_t:s0 index.html
C, Solution----> authorization, change the index.html selinux type to httpd
Command
[Email protected] htdocs]# setenforce 0 #需暂时设置为Permissive状态 [[email protected] htdocs]# chcon-t httpd_t index.html #-t specify type [[email protected] htdocs]# Setenforce 1 #开启
Browser Access again, you can browse the page normally
650) this.width=650; "title=" image "style=" border-top:0px;border-right:0px;background-image:none;border-bottom:0 px;padding-top:0px;padding-left:0px;margin:0px;border-left:0px;padding-right:0px; "border=" 0 "alt=" image "src=" Http://s3.51cto.com/wyfs02/M00/6D/3E/wKiom1Ve2KCScMD4AAAYnhzKQlU588.jpg "height="/>
3, Service Sebool value
Take VSFTPD service as an example, VSFTPD is also installed with Yum source
(1), install good vsftpd,lftp, edit/etc/vsftpd/vsftpd.conf, enable the following two items
Anon_upload_enable=yesanon_mkdir_write_enable=yes
(2), CD to/var/ftp/, modify the anonymous user FTP permissions to the pub folder
Setfacl-m u:ftp:rwx pub/
(3), restart the VSFTPD service, use lftp login server, upload a file, at this time confirm the SELinux status is enforcing, prompt 553, change the SELinux status of permissive, you can upload files
[[email protected] ftp]# lftp 127.0.0.1lftp 127.0.0.1:~> cd pub/lftp 127.0.0.1:/pub> lcd/www/htdocs/lcd OK, local C Wd=/www/htdocslftp 127.0.0.1:/pub> put index.html put:access failed:553 Could not create file. (index.html)
(4), Reason, FTP service Sebool value, through the command we can see the service related Sebool control is off
[Email protected] ftp]# Getsebool-a | grep ftpallow_ftpd_anon_write--offallow_ftpd_full_access--offallow_ftpd_use_cifs-Offallow_ftpd_use _nfs--Offftp_home_dir---offftpd_connect_db, Offftpd_use_fusefs--and Offftpd_use_passive_mode- Offhttpd_enable_ftp_server--Offtftp_anon_write---offtftp_use_cifs-Offtftp_use_nfs-off
Workaround, you can get permission uploads by using the following command:
Setsebool-p allow_ftpd_full_access on
Iv. Related Orders

Detailed use Method View Man Handbook
Chcon: Modifying File Security properties
-T: Specify type
-R: Recursive modification, modify the directory properties, and modify the properties of the files in the directory
--reference: Modify the target file as a reference for a file
Restorecon: Restore file Default security properties
[Email protected] htdocs]# Restorecon index.html [[email protected] htdocs]# ll-z #之前我们修改过文件的Type-rw-r--r--. Root root unconfined_u:object_r:default_t:s0 index.html #现在恢复默认
Getsebool: List and contents of all selinux bool value lists
Setsebool: Modifying selinux bool Value List contents
-P: This option makes the command modification result permanent and restores the default configuration after restarting without p


This article is from the "Arvin Lau" blog, be sure to keep this source http://64314491.blog.51cto.com/2784219/1653881
Initial knowledge of SELinux