I. Some concepts
II. SELinux status
III. Related applications
IV. Related commands
I. Some concepts
1. Linux security access models
DAC (discretionary access control): the classic Unix permission model. The owner of a file (or root) decides who may read, write or execute it through the owner/group/other bits and ACLs, and the kernel does not second-guess that decision. Any process running as root, or as the file owner, passes the check.
2. SELinux security access mechanism
SELinux adds mandatory access control (MAC) on top of DAC, using the domain-type model (type enforcement): every process runs in a domain, every file, socket or port carries a type, and a system-wide policy decides which domains may perform which operations on which types. DAC is checked first; an access that DAC allows can still be denied by SELinux, which is what makes it useful against a compromised or misconfigured service running as a powerful Unix user.
II. SELinux status
1. SELinux states
(1) disabled: SELinux is switched off; no policy is loaded and no labels are checked or maintained.
(2) permissive: the policy is evaluated but not enforced. Nothing is blocked; every violation is recorded as an AVC denial in /var/log/audit/audit.log. The access vector cache statistics are exposed under /selinux/avc/ (this machine mounts selinuxfs on /selinux; newer releases use /sys/fs/selinux).
(3) enforcing: the policy is enforced; violations are both blocked and logged.
2. Check whether SELinux is on
[root@localhost ~]# getenforce
Permissive
or
[root@localhost ~]# sestatus          # the binary is /usr/sbin/sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted
3. Set the SELinux state
(1) Temporarily change the state. This takes effect immediately; after a reboot the mode reverts to whatever the configuration file says. setenforce only switches between enforcing and permissive; it cannot enable or disable SELinux, that needs the configuration file and a reboot.
[root@localhost ~]# setenforce 1      # switch to Enforcing
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# setenforce 0      # switch to Permissive
[root@localhost ~]# getenforce
Permissive
(2) Edit the configuration file /etc/selinux/config (also reachable as /etc/sysconfig/selinux, which is a symlink to it). The change takes effect after a reboot and is permanent.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#     targeted - Only targeted network daemons are protected.
#     strict - Full SELinux protection.
SELINUXTYPE=targeted
SELINUX= may be set to disabled, permissive or enforcing. SELINUXTYPE=targeted is what this machine uses; strict is almost never used in practice. Note that booting with SELINUX=disabled leaves newly created files without labels, so going from disabled back to permissive or enforcing later requires a full filesystem relabel (touch /.autorelabel before rebooting).
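The two settings above (the boot-time mode in the configuration file and the running mode from setenforce) can disagree, and the disagreement is silent until the next reboot. The following shell snippet is an added example, not part of the original post: it reads the SELINUX= line out of configuration-file text and compares it with a getenforce-style mode. SAMPLE_CONFIG is a constructed copy of the file shown above; on a real host you would pass "$(cat /etc/selinux/config)" and "$(getenforce)" instead.

```shell
#!/bin/sh
# Added example (not from the original post): compare the boot-time SELinux mode
# in /etc/selinux/config-style text with the running mode getenforce reports.
# SAMPLE_CONFIG is constructed to match the file quoted above.

SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#     targeted - Only targeted network daemons are protected.
#     strict - Full SELinux protection.
SELINUXTYPE=targeted'

# config_value TEXT KEY: value of the last uncommented KEY=value line, lower-cased.
# Commented-out lines such as "# SELINUX=enforcing" are deliberately ignored.
config_value() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]#]*\).*/\1/p" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# mode_check CONFIG_TEXT RUNTIME_MODE prints one word:
#   ok            runtime mode matches the config; nothing changes at reboot
#   drift         setenforce changed the mode; the next reboot silently reverts to the config value
#   disabled-boot config boots with SELinux off; files created then carry no label, so
#                 turning it back on later needs a full relabel (touch /.autorelabel)
#   invalid       no usable SELINUX= line; fix the file before rebooting
mode_check() {
    cfg=$(config_value "$1" SELINUX)
    run=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$cfg" in
        enforcing|permissive) ;;
        disabled) echo disabled-boot; return 0 ;;
        *) echo invalid; return 0 ;;
    esac
    if [ "$cfg" = "$run" ]; then echo ok; else echo drift; fi
}

# Stand-alone run over the constructed config, as if getenforce had printed Enforcing
# after a "setenforce 1": prints "permissive targeted drift".
echo "$(config_value "$SAMPLE_CONFIG" SELINUX)" \
     "$(config_value "$SAMPLE_CONFIG" SELINUXTYPE)" \
     "$(mode_check "$SAMPLE_CONFIG" Enforcing)"
```

The "drift" case is the one worth alerting on: a host that someone hardened with setenforce 1 but whose file still says permissive (or the reverse) will quietly change behaviour at the next reboot.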
III. Related applications
1. SELinux security attributes (contexts) of files and processes
(1) View the SELinux security context of a file
[root@localhost ~]# cd ~                 # go to the home directory
[root@localhost ~]# ll -Z                # show the file security context (ll is an alias of ls -l on CentOS)
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 Downloads
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log.syslog
In the output, system_u:object_r:admin_home_t:s0 is the security context. Its colon-separated fields are the SELinux user, role, type and level; they are not the Unix user and group shown in the columns before it:
system_u: the SELinux user identity is system_u
object_r: the role is object_r, the role given to passive objects such as files
admin_home_t: the type is admin_home_t, the type of root's home directory contents
s0: the MLS/MCS sensitivity level; under the targeted policy it is always s0 and can be ignored
The type is the field that decides almost every targeted-policy access check, which is why the fixes later in this post only ever change the type.
(2) View the SELinux security context of a process
[root@localhost ~]# ps auxZ              # -Z adds the security context LABEL column
LABEL                           USER PID %CPU %MEM   VSZ  RSS TTY STAT START TIME COMMAND
system_u:system_r:init_t:s0     root   1  0.0  0.1 19232 1492 ?   Ss   03:36 0:01 /sbin/init
system_u:system_r:kernel_t:s0   root   2  0.0  0.0     0    0 ?   S    03:36 0:00 [kthreadd]
system_u:system_r:kernel_t:s0   root   3  0.0  0.0     0    0 ?   S    03:36 0:00 [migration/0]
For a process the type field is called its domain (init_t, kernel_t, httpd_t, ...). Policy rules are written in terms of which domain may perform which operation on which file type, so a denial is always a (domain, type) pair.
2. Modifying the SELinux security context of a file
Sometimes a file's SELinux context has to be changed before a confined service can reach it. For example, with SELinux enforcing, suppose httpd is given a new document root outside /var/www and a home page index.html is created there. The new directory inherits a type that the httpd_t domain is not allowed to read, so the page cannot be served even though the Unix permissions are fine. Relabelling the file with a type that httpd_t may read solves the problem.
(1) Create the site directory and the home page file
[root@localhost html]# mkdir /www/htdocs -pv
mkdir: created directory '/www'
mkdir: created directory '/www/htdocs'
[root@localhost html]# vim /www/htdocs/index.html
The contents of the home page file are as follows:
(2) Edit the httpd main configuration file and delete the welcome page configuration. httpd on the test machine was installed from the yum repository, so the main configuration file is /etc/httpd/conf/httpd.conf and the welcome page is configured by /etc/httpd/conf.d/welcome.conf.
a. Configuration
Delete the welcome page configuration, then edit the main configuration file:
[root@localhost www]# cd /etc/httpd/conf.d/
[root@localhost conf.d]# rm -f welcome.conf
[root@localhost conf.d]# vim /etc/httpd/conf/httpd.conf
Change the default document root to the following (both directives, otherwise the Directory block still applies to the old path):
DocumentRoot "/www/htdocs"
<Directory "/www/htdocs">
Start the httpd service and switch SELinux to enforcing:
[root@localhost ~]# service httpd start
[root@localhost html]# setenforce 1
When the page is requested from a browser, httpd refuses it with an access-denied error (HTTP 403 Forbidden), and the matching AVC denial is written to /var/log/audit/audit.log.
b. Reason: the SELinux context of the httpd process and that of the page file have different types, and the policy has no rule allowing the httpd_t domain to read files of type default_t
[root@localhost htdocs]# ps auxZ | grep httpd
unconfined_u:system_r:httpd_t:s0 root   1516 0.0 0.3 175700 3644 ?     Ss 13:49 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 1518 0.0 0.2 175836 3024 ?     S  13:49 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 1519 0.0 0.2 175700 2404 ?     S  13:49 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 1520 0.0 0.2 175836 3008 ?     S  13:49 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 1521 0.0 0.2 175700 2404 ?     S  13:49 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 1522 0.0 0.2 175700 2580 ?     S  13:49 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 1523 0.0 0.2 175700 2580 ?     S  13:49 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 1524 0.0 0.2 175700 2576 ?     S  13:49 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 1525 0.0 0.2 175700 2404 ?     S  13:49 0:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1527 0.0 0.0 103244 856 pts/0 S+ 13:52 0:00 grep httpd
[root@localhost htdocs]# ll -Z
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 index.html
The httpd workers run in the httpd_t domain, while index.html carries the default_t type: /www is not covered by any file-context rule of the targeted policy, so everything created under it gets that catch-all label. The httpd processes show unconfined_u rather than system_u because the service was started from an interactive root shell instead of by init; only the type field matters for this denial.
c. Solution: authorize access by relabelling index.html with a type that the httpd_t domain may read
Command
[root@localhost htdocs]# setenforce 0                 # the post drops to Permissive first; this is not actually required, root may run chcon while enforcing
[root@localhost htdocs]# chcon -t httpd_t index.html  # -t specifies the type
[root@localhost htdocs]# setenforce 1                 # back to Enforcing
Two caveats. First, httpd_t is the domain of the httpd process, not a content type; the conventional label for static web content is httpd_sys_content_t (httpd_sys_rw_content_t for content the site must write), so chcon -t httpd_sys_content_t index.html is the better command. Second, chcon only rewrites the label on disk: restorecon, a relabel or a package update will put the path's default label back. For a non-standard document root, register the path with semanage fcontext -a -t httpd_sys_content_t "/www/htdocs(/.*)?" and then run restorecon -Rv /www/htdocs, so that the default label and the desired label agree.
Requesting the page from the browser again now succeeds.
3. Service booleans (sebool)
Take the vsftpd service as an example; vsftpd is also installed from the yum repository.
(1) Install vsftpd and lftp, edit /etc/vsftpd/vsftpd.conf and enable the following two options:
anon_upload_enable=YES
anon_mkdir_write_enable=YES
(2) cd to /var/ftp/ and grant the anonymous ftp user write permission on the pub folder at the DAC level:
setfacl -m u:ftp:rwx pub/
(3) Restart the vsftpd service, log in with lftp and upload a file. With SELinux enforcing the upload fails with a 553 error; after switching SELinux to permissive the same upload succeeds, which shows the DAC permissions are fine and SELinux is what blocks it.
[root@localhost ftp]# lftp 127.0.0.1
lftp 127.0.0.1:~> cd pub/
lftp 127.0.0.1:/pub> lcd /www/htdocs/
lcd ok, local cwd=/www/htdocs
lftp 127.0.0.1:/pub> put index.html
put: Access failed: 553 Could not create file. (index.html)
(4) Reason: the ftp-related SELinux booleans. The policy's ftp behaviour is switched by booleans, and getsebool shows that every one of them is off:
[root@localhost ftp]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off
Workaround: uploads are permitted after running the following command:
setsebool -P allow_ftpd_full_access on
-P writes the change into the policy store so it survives a reboot. Note that allow_ftpd_full_access lets vsftpd read and write any file its DAC permissions allow, which is far broader than anonymous upload needs; the least-privilege fix is the allow_ftpd_anon_write boolean together with labelling the upload directory public_content_rw_t, so that only that directory becomes writable through ftp.
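Both failures above (httpd unable to read index.html, vsftpd unable to write into pub) leave an AVC denial in /var/log/audit/audit.log, logged in permissive mode and both logged and blocked in enforcing mode. Reading that record is faster and safer than reaching for setenforce 0. The script below is an added example, not part of the original post: it parses AVC lines, reduces each to the (domain, target type) pair the policy actually decided on, and maps the pairs seen in this post to the least-privilege fix. The two log lines are constructed to match the httpd_t/default_t and ftpd_t/public_content_t scenarios; their timestamps, pids, devices and inodes are made up, and the paths passed to suggest_fix are the ones used above.

```shell
#!/bin/sh
# Added example (not from the original post): triage AVC denials from
# /var/log/audit/audit.log and map (source domain, target type, class) to a fix.
# The two records below are constructed; timestamps, pids, dev and ino are invented.

AVC_HTTPD='type=AVC msg=audit(1431333107.832:35): avc:  denied  { read } for  pid=1518 comm="httpd" name="index.html" dev=dm-0 ino=262150 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file'
AVC_FTPD='type=AVC msg=audit(1431333900.118:51): avc:  denied  { write } for  pid=1744 comm="vsftpd" name="pub" dev=dm-0 ino=131089 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir'

# is_avc LINE: true only for AVC denial records; SYSCALL, USER_AVC and other record types are skipped.
is_avc() {
    case "$1" in *'avc:  denied'*) return 0 ;; *) return 1 ;; esac
}

# avc_field LINE KEY: value of the KEY=value token, surrounding quotes stripped; empty if absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: the permission set inside "{ ... }", e.g. "read" or "write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied  { \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type:level, the part the targeted policy decides on.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: "<domain> -> <target type> (<class>) { perms } by <comm> on <name>"
avc_summary() {
    printf '%s -> %s (%s) { %s } by %s on %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perms "$1")" \
        "$(avc_field "$1" comm)" \
        "$(avc_field "$1" name)"
}

# suggest_fix LINE PATH: the fix for the (domain, type, class) triples seen in this post, with
# PATH the directory to relabel. Prints "unknown" for anything else, which is the cue to read
# the denial properly rather than disabling enforcement.
suggest_fix() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    case "$src/$tgt/$cls" in
        httpd_t/default_t/file|httpd_t/admin_home_t/file|httpd_t/user_home_t/file)
            # Static content belongs in httpd_sys_content_t; registering the path with
            # semanage makes restorecon keep that label instead of reverting to default_t.
            printf '%s\n' "semanage fcontext -a -t httpd_sys_content_t \"$2(/.*)?\" && restorecon -Rv $2"
            ;;
        ftpd_t/public_content_t/dir|ftpd_t/public_content_rw_t/dir)
            # Anonymous upload: allow_ftpd_anon_write plus a writable content type on one
            # directory is narrower than allow_ftpd_full_access, which opens every file DAC permits.
            printf '%s\n' "setsebool -P allow_ftpd_anon_write on && chcon -t public_content_rw_t $2"
            ;;
        *)
            echo unknown
            ;;
    esac
}

# Stand-alone run over the constructed records. On a real host feed it
# "ausearch -m avc -ts recent" or grep 'avc:  denied' /var/log/audit/audit.log.
for line in "$AVC_HTTPD" "$AVC_FTPD"; do
    is_avc "$line" || continue
    avc_summary "$line"
done
```

The point of the summary format is that the domain and the target type are the only two things the policy looked at; the Unix owner and mode that the post checks first never enter the decision, which is why the setfacl step alone could not fix the ftp upload.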
IV. Related commands
See the man pages for detailed usage.
chcon: change the security context of a file
-t: specify the type
-R: recurse, changing the directory and every file under it
--reference: copy the context of a reference file onto the target
restorecon: restore the default security context of a file, as defined by the policy's file-context rules
[root@localhost htdocs]# restorecon index.html
[root@localhost htdocs]# ll -Z        # the type we changed earlier is back to the default
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 index.html
Because no file-context rule covers /www, the "default" for index.html is default_t again and the site breaks once more. This is why a chcon fix for a non-standard path should be paired with semanage fcontext: then restorecon restores the intended label rather than the catch-all one.
getsebool: list SELinux booleans and their current values (getsebool -a lists all of them)
setsebool: change the value of a SELinux boolean
-P: make the change persistent across reboots; without -P the value reverts to the policy default at the next reboot
This article is from the "Arvin Lau" blog, be sure to keep this source http://64314491.blog.51cto.com/2784219/1653881
Initial knowledge of SELinux