Linux Beginner-selinux article

Source: Internet
Author: User


SELinux is a mandatory access control (MAC) security system and the most outstanding new security system in the history of Linux. Among Linux security modules, SELinux has the most comprehensive functionality and the most thorough testing; it is a kernel-based security system.

1. The status of SELinux

The command "getenforce" shows the current status of SELinux. SELinux can be in one of the following three states:

Enforcing (1): mandatory mode

Permissive (0): warning mode

Disabled: off mode

"setenforce" sets the status of SELinux, but it can only set 0 or 1, that is, warning mode or mandatory mode. To turn SELinux off, change "SELINUX=enforcing" to "SELINUX=disabled" in the configuration file "/etc/sysconfig/selinux". Because SELinux is a kernel-based security system, the kernel must be restarted after this change, that is, you need to reboot the computer for it to take effect.

2. The impact of SELinux on services

SELinux is the most comprehensive security system, so it places certain restrictions on files and services. FTP is used as the example below.

SELinux places a context identifier on every file, as shown for "file" under "/mnt" and under "/var/ftp/pub"; "ls -Z" displays the context of a file. As you can see, "/mnt/file" is labelled "mnt_t" and "/var/ftp/pub/file" is labelled "public_content_t". Because of this, when "/mnt/file" is moved into the "/var/ftp/pub" directory, an lftp connection cannot see the file.

For system security, SELinux prohibits the use of some dangerous functions. Enter "getsebool -a | grep ftp" to see which features of the FTP service are forbidden, as shown in the figure, and enter "setsebool -P function on|off" to switch these functions on or off.

3. SELinux Context Management

As mentioned earlier, SELinux leaves a context identifier on directories and files, which "ls -Z" displays. The command "chcon -t context file" changes the context identifier of a file or directory, which resolves the problem above of lftp not seeing a file with a different context. For example, the two files "txt" and "file" have different contexts, and an lftp connection can see only "file"; after entering "chcon -t public_content_t /var/ftp/pub/txt" and reconnecting with lftp, both "file" and "txt" are visible.

As shown in the figure, change the home directory of the anonymous user to "/westos", change its context to "public_content_t", and connect with lftp: the home directory is visible. However, after changing the SELinux status to "disabled", rebooting, changing it back to "enforcing" and rebooting again, reconnecting with lftp finds that the home directory can no longer be seen.

This shows that changing the context identifier of a directory with the "chcon" command is only temporary. To permanently change the context identifier of a directory, the following steps are required:

A. Use the command "semanage fcontext -l | grep /westos" to see whether the directory already has a context rule.

B. Enter "semanage fcontext -a -t public_content_t '/westos(/.*)?'" to add a context rule for "/westos", and view it again with the command from step A.

C. Once the context rule is listed, enter the command "restorecon -RvvF /westos" to apply the rule to the directory and its subdirectories.

After these steps, the context identifier of the "/westos" directory is changed permanently, and reconnecting with lftp shows the directory.
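The three steps above, wrapped into a reusable script as an added example (not part of the original article). It assumes a system with "semanage" and "restorecon" installed and is meant to be run as root; the directory and type names are placeholders.

```shell
#!/bin/bash
# Added example (not from the article): permanent relabelling of a directory,
# following steps A-C. Assumes semanage and restorecon are available (root).
set -eu

# Build the file-context regex for a directory, e.g. "/westos" -> "/westos(/.*)?".
# The "(/.*)?" suffix is what makes the rule cover subdirectories and files;
# a literal "." in the path is escaped so it is not treated as a regex wildcard.
fcontext_pattern() {
    local dir="${1%/}"                             # drop one trailing slash
    case "$dir" in
        /*) ;;
        *)  echo "fcontext_pattern: absolute path required: $1" >&2; return 1 ;;
    esac
    printf '%s(/.*)?' "$(printf '%s' "$dir" | sed 's/\./\\./g')"
}

# Step A: is there already a rule for this directory?
fcontext_exists() {
    semanage fcontext -l | grep -Fq -- "$(fcontext_pattern "$1")"
}

# Steps A-C together: add the rule if it is missing, then apply it on disk.
label_dir() {
    local dir="$1" type="${2:-public_content_t}"
    if fcontext_exists "$dir"; then
        echo "rule for $dir already exists, skipping semanage"
    else
        semanage fcontext -a -t "$type" "$(fcontext_pattern "$dir")"   # step B
    fi
    restorecon -RvvF "$dir"                                            # step C
    ls -dZ "$dir"                                                      # confirm the new label
}

# Usage (as root): label_dir /westos public_content_t
```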

4. SELinux Log

While using SELinux, errors occur, such as being unable to see files after connecting with lftp, or a mistake in a configuration step. These errors can be traced and resolved using the SELinux log.

SELinux logs are recorded in "/var/log/audit/audit.log" and in "/var/log/messages". "/var/log/audit/audit.log" only describes the error, does not provide a workaround, and is hard to read. "/var/log/messages" records the error in detail and provides a workaround; the SELinux software that writes these entries is "setroubleshoot-server.x86_64". The case of a file that cannot be seen after connecting with lftp is described in detail below.

As described earlier, if the context identifier of the file "File1" is not changed, the file cannot be seen.

Without the "setroubleshoot-server.x86_64" software installed, after clearing the log it is found that the log does not record this error.

After installing this software and reconnecting, viewing the log shows a specific entry for this error together with a suggested solution; following that solution resolves the problem.
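When "setroubleshoot-server" is not installed, the raw AVC records in "/var/log/audit/audit.log" are still there; the following added example (not from the article) summarises them so that the source domain, target type and denied permission are readable at a glance. The audit lines are constructed samples modelled on the ftpd/mnt_t case above; pass the real file on stdin ("avc_summary < /var/log/audit/audit.log") on a live system.

```shell
#!/bin/bash
# Added example (not from the article): summarise AVC denials from audit.log.
set -eu

# Constructed sample audit.log lines (not real log data), modelled on the article's case.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=2311 comm="vsftpd" name="file" dev="dm-0" ino=4711 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=AVC msg=audit(1700000000.102:202): avc:  denied  { getattr } for  pid=2311 comm="vsftpd" path="/var/ftp/pub/file" dev="dm-0" ino=4711 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.250:203): avc:  denied  { name_connect } for  pid=1400 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

# Read audit records on stdin; print one line per denial:
# "<source domain> -> <target type> <class> {<perms>} comm=<program> obj=<name or path>"
avc_summary() {
    grep '^type=AVC' | grep 'denied' | awk '
    {
        perm = ""; comm = ""; obj = ""; sdom = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                       # permissions sit between { and }
                for (j = i + 1; $j != "}"; j++) perm = perm (perm == "" ? "" : ",") $j
            } else if ($i ~ /^comm=/) { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
            else if ($i ~ /^(name|path)=/) { obj = $i; sub(/^[a-z]+="?/, "", obj); sub(/"$/, "", obj) }
            else if ($i ~ /^scontext=/) { split($i, a, ":"); sdom = a[3] }   # user:role:TYPE:...
            else if ($i ~ /^tcontext=/) { split($i, b, ":"); ttype = b[3] }
            else if ($i ~ /^tclass=/) { tclass = substr($i, 8) }
        }
        print sdom " -> " ttype " " tclass " {" perm "} comm=" comm " obj=" obj
    }'
}

# Count denials per (source domain, target type) pair, noisiest first.
avc_counts() {
    avc_summary | awk '{ c[$1 " " $3]++ } END { for (k in c) print c[k], k }' | sort -rn
}

# Usage: printf '%s\n' "$SAMPLE_AUDIT" | avc_counts
```

A line such as "ftpd_t -> mnt_t file {read}" is exactly the mismatch described in section 2: the FTP daemon domain is denied access to a file that still carries the "mnt_t" label instead of "public_content_t".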

