Linux SELinux Basics

Source: Internet
Author: User

I. Introduction to SELinux

SELinux (Security-Enhanced Linux) is a Linux security policy mechanism developed by the NSA for computer infrastructure security. It lets system administrators define security policies far more flexibly. SELinux is a security architecture integrated into the Linux 2.6.x kernel through the LSM (Linux Security Modules) framework. Because SELinux works at the kernel level, changes to its configuration file take effect only after the operating system is restarted.

II. Basic concepts of SELinux

We know that an operating system's security mechanism really restricts two things: processes and system resources (files, network sockets, system calls, and so on). In what we have learned so far, Linux uses users and groups to limit access to system resources, and every process runs as some user. SELinux defines two basic concepts for these two things: the domain and the context. SELinux provides a flexible mandatory access control (MAC) system built into the Linux kernel. It defines the access and transition permissions of every user, process, application and file in the system, then uses a security policy to control how these entities (users, processes, applications and files) interact; the policy specifies how strictly or loosely the checks are made.

In the output of ll, a dot "." after the permission bits indicates that the file or directory carries an SELinux label. Access control by permission bits alone is called DAC (discretionary access control); permission bits plus SELinux is called MAC (mandatory access control). SELinux assigns a label to every file, and when the labels do not match, access is denied even if the permission bits would allow it. The name of this label is the SELinux context. SELinux lets an application run with the minimum permissions it needs. An unmodified Linux system uses discretionary access control: a user can request a higher permission level, so malware can reach almost any file it wants, and if it runs as root it can do anything. In SELinux there is no concept of root; the security policy is defined by the administrator, and no software can override it. This means the damage potential malware can do is minimized. In practice, mainly enterprise users who care a great deal about data security use SELinux.

The operating system has two kinds of access control: discretionary access control (DAC) and mandatory access control (MAC). Standard Linux security is DAC; SELinux adds a flexible, configurable MAC to Linux.

All DAC mechanisms share a common weakness: they cannot tell the most fundamental difference between a natural person and a computer program. Simply put, if a user is authorized to access something, a program run by that user is authorized too, and so a malicious program has the same access rights. DAC's most fundamental weakness is that the subject is exposed to all kinds of malware attacks; MAC is the way to avoid those attacks, and most MAC implementations form a multi-layered security model.

    [root@localhost ~]# ll /root
    total 56
    -rw-r--r--. 1 root root   238 Apr 29 11:31 ]
    -rw-------. 1 root root  1442 Apr  5 21:56 anaconda-ks.cfg
    -rw-r--r--. 1 root root 34353 Apr  5 21:55 install.log        # note the dot at the very end of the permission bits
    [root@localhost ~]# ls -Z
    -rw-r--r--. root root system_u:object_r:admin_home_t:s0 ]
    -rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
    -rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log
    -rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log.syslog
    -rw-r--r--. root root system_u:object_r:admin_home_t:s0 oldboy
    [root@localhost ~]# ps -Z
    LABEL                                                 PID TTY          TIME CMD
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2003 pts/0    00:00:00 su
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2009 pts/0    00:00:00 bash
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2030 pts/0    00:00:00 ps
    [root@localhost ~]# id -Z     # show the security context of the shell
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

III. A simple SELinux strategy

1. The SELinux configuration file

SELinux can be configured through /etc/sysconfig/selinux or /etc/selinux/config. /etc/sysconfig/selinux is a symbolic link; the real configuration file is /etc/selinux/config.

It consists of 3 options:

1. Turn SELinux on or off

2. Set which policy the system executes

3. Set how the policy is executed

Disabled: SELinux is turned off

Permissive: warning only; access that does not meet the context requirements is still allowed

Enforcing: enforced; access that does not satisfy the context is denied. The running mode can be switched between permissive (0) and enforcing (1) with setenforce 0|1.
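The two settings just described are what an administrator audits first: what the config file says and whether the kernel is actually in that mode. The following shell script is an added example, not part of the original article; it parses a file in the /etc/selinux/config format, validates the SELINUX and SELINUXTYPE values against the ones listed above, and reports drift between the configured mode and a running mode passed in as an argument (on a real host you would pass "$(getenforce)"; the sample config is constructed here so the script runs offline).

```shell
#!/bin/sh
# Added example: validate /etc/selinux/config and detect mode drift.
# Assumptions: KEY=value lines as in /etc/selinux/config; the running mode is
# supplied by the caller (e.g. "$(getenforce)") so the script needs no SELinux.

# Print the value of KEY ($2) from config file $1, ignoring comments/whitespace.
selinux_config_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p" "$1" | tail -n 1
}

# $1 = config file, $2 = running mode. Prints a verdict; returns 0 only when
# the file is sane, SELinux is not disabled, and config matches the kernel.
selinux_config_check() {
    mode=$(selinux_config_get "$1" SELINUX)
    policy=$(selinux_config_get "$1" SELINUXTYPE)
    running=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "BAD: SELINUX=$mode is not enforcing|permissive|disabled"; return 1 ;;
    esac
    case "$policy" in
        targeted|strict) ;;
        *) echo "BAD: SELINUXTYPE=$policy is not targeted|strict"; return 1 ;;
    esac
    if [ "$mode" = disabled ]; then
        echo "WARN: SELinux is disabled in config; no MAC is applied at all"
        return 1
    fi
    if [ "$mode" != "$running" ]; then
        # setenforce changes only the running mode; config and kernel now disagree
        echo "DRIFT: config says $mode but the kernel is $running (setenforce used?)"
        return 1
    fi
    echo "OK: mode=$mode policy=$policy"
    return 0
}

# Constructed sample configuration in the layout of /etc/selinux/config.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

selinux_config_check "$SAMPLE_CFG" Enforcing  || :   # OK
selinux_config_check "$SAMPLE_CFG" Permissive || :   # DRIFT
```

The DRIFT case is the one worth alerting on: a host whose config says enforcing but whose kernel answers permissive has had setenforce 0 run on it since boot, and the change will silently vanish at the next reboot.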

2. Some simple commands
    getsebool -a                                         # list the Boolean switches of all services
    setsebool -P <boolean> on|off                        # set the Boolean switch of an SELinux service; -P makes it persistent
    chcon -R --reference=/var/blog /var/blog/index.html  # make the context of index.html the same as that of /var/blog
    chcon -R -t <type> file/directory                    # -R: recurse into subdirectories; -t: the context type
    restorecon -R file/directory                         # reset to the default context that policy defines for the path
3. SELinux Security Policy

SELINUXTYPE=targeted|strict specifies which policy SELinux enforces.

3.1 Targeted

Only targeted network daemons are protected. Each daemon runs under its own policy and can be configured through system-config-selinux. This is the SELinux default and protects the common network services. The Boolean value of each daemon can be set with the following tools:

1. getsebool -a: list all SELinux Boolean values

2. setsebool: set an SELinux Boolean value, for example setsebool -P dhcpd_disable_trans=0; -P means the setting stays in effect after a reboot.

3.2 Strict

SELinux provides full protection. A security context is defined for every subject and object, and every action is governed by role-based access control (RBAC).

    [root@localhost ~]# /usr/sbin/sestatus -v    # show the detailed SELinux status of the system
    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy version:                 24
    Policy from config file:        targeted

    Process contexts:
    Current context:                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    Init context:                   system_u:system_r:init_t:s0
    /sbin/mingetty                  system_u:system_r:getty_t:s0
    /usr/sbin/sshd                  system_u:system_r:sshd_t:s0-s0:c0.c1023

    File contexts:
    Controlling term:               unconfined_u:object_r:user_devpts_t:s0
    /etc/passwd                     system_u:object_r:etc_t:s0
    /etc/shadow                     system_u:object_r:shadow_t:s0
    /bin/bash                       system_u:object_r:shell_exec_t:s0
    /bin/login                      system_u:object_r:login_exec_t:s0
    /bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
    /sbin/agetty                    system_u:object_r:getty_exec_t:s0
    /sbin/init                      system_u:object_r:init_exec_t:s0
    /sbin/mingetty                  system_u:object_r:getty_exec_t:s0
    /usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0

4. SELinux Context

SELinux context format: user:role:type[:level[:category]]

4.1 USER

1. User identity: similar to the UID of a Linux system, it provides identification and records who the identity is; it is part of the security context.
2. Three common users:

user_u: the default for an ordinary user after logging in;
system_u: preset for system processes during the boot process;
root: the default after root logs in;

3. Users are not very important in the targeted policy;
4. They are important in the strict policy; all default SELinux users end with "_u", except root.

4.2 ROLE

1. Role of files, directories and devices: usually object_r;
2. Role of programs: usually system_r;
3. Role of users: system_r in the targeted policy; sysadm_r, staff_r or user_r in the strict policy. A role is like a GID in an ordinary system: different roles have different permissions. A user can have several roles, but only one role at a time;

4. The strict and MLS policies, which are based on RBAC (Role-Based Access Control), are where role information is put to use.

4.3 TYPE

1. Type: used to divide subjects and objects into different groups. A type is defined for every subject and object in the system, providing the lowest-privilege environment in which a process runs;

2. When a type is associated with a running process, the type is also called a domain;
3. Type is the most important part of the SELinux security context and the heart of SELinux type enforcement; default values end with _t;

Level and category: define hierarchies and classifications, used only in MLS policies
Level: represents the security level; the currently defined levels are s0-s15, and a higher number means a higher level
Category: represents the classification; the currently defined categories are c0-c1023

Example: system_u:object_r:admin_home_t:s0

This context is split by ":" into four parts: the first, system_u, is the user; the second, object_r, is the role; the third, admin_home_t, is the type and the most important piece of information in SELinux; the last, s0, relates to MLS/MCS and can be ignored for now.
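Splitting a context by ":" works for the four-field example, but the process contexts shown earlier (unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023) carry an MCS range whose level itself contains a colon, so a naive cut -d: gives the wrong level. The following shell function is an added example, not code from the original article: it extracts the user, role, type and level of a context with POSIX parameter expansion, treating everything after the type as the level, and includes a check that the type ends in _t as the text says default types do. The sample contexts are the ones printed above.

```shell
#!/bin/sh
# Added example: split an SELinux context into user, role, type and level.
# Assumption: contexts follow user:role:type[:level], where level may be an
# MLS/MCS range such as s0-s0:c0.c1023 (so it can contain ':' and '-').

# $1 = context string, $2 = field name (user|role|type|level); prints the field.
selinux_context_split() {
    ctx=$1
    user=${ctx%%:*};  rest=${ctx#*:}
    role=${rest%%:*}; rest=${rest#*:}
    type=${rest%%:*}
    # Whatever follows the type is the level; it is empty for a 3-field context.
    case "$rest" in
        *:*) level=${rest#*:} ;;
        *)   level= ;;
    esac
    case "$2" in
        user)  printf '%s\n' "$user" ;;
        role)  printf '%s\n' "$role" ;;
        type)  printf '%s\n' "$type" ;;
        level) printf '%s\n' "$level" ;;
        *)     echo "unknown field: $2" >&2; return 1 ;;
    esac
}

# Exit 0 when the type field ends with _t, as every default SELinux type does;
# a label whose type does not is a sign of a hand-edited or corrupted context.
selinux_type_is_wellformed() {
    case "$(selinux_context_split "$1" type)" in
        *_t) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample contexts, in the forms printed by ls -Z and id -Z above.
for ctx in system_u:object_r:admin_home_t:s0 \
           unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023; do
    printf '%s\n  user=%s role=%s type=%s level=%s\n' "$ctx" \
        "$(selinux_context_split "$ctx" user)"  "$(selinux_context_split "$ctx" role)" \
        "$(selinux_context_split "$ctx" type)"  "$(selinux_context_split "$ctx" level)"
done
```

The type field is the one almost every SELinux troubleshooting step turns on, which is why the helper exposes it by name rather than by position.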

5. Apache Instance

Create an index file in the Apache site directory, add a local resolution entry to the hosts file, and enter the URL in the browser; you get the page shown in the image below. The virtual host configuration is described at: http://13132323.blog.51cto.com/13122323/1953402

    [root@localhost ~]# getenforce
    Enforcing
    [root@localhost ~]# /application/apache/bin/apachectl start
    [root@localhost ~]# netstat -lnt | grep 80
    tcp        0      0 0.0.0.0:38051               0.0.0.0:*                   LISTEN
    tcp        0      0 :::80                       :::*                        LISTEN

[screenshot: the index page served by Apache]

If we delete the index file in the site directory, create an index file under /home/, move it into the Apache site directory, and press F5 to refresh the browser, we notice that Apache no longer shows the contents of the index file but its default test page. Once we change the type of index.html to match that of its directory, we see the page from the picture above again.

    [root@localhost ~]# cd /var/blog
    [root@localhost blog]# ls
    index.html
    [root@localhost blog]# rm -rf index.html
    [root@localhost blog]# cp /home/index.html .
    [root@localhost blog]# ls -Z
    -rw-r--r--. root root unconfined_u:object_r:home_root_t:s0 index.html
    [root@localhost blog]# ls -dZ /var/blog
    drwxr-xr-x. ett ett system_u:object_r:var_t:s0 /var/blog
    [root@localhost blog]# chcon -R --reference=/var/blog /var/blog/index.html
    [root@localhost blog]# ls -Z
    -rw-r--r--. root root system_u:object_r:var_t:s0 index.html
    # or use this command instead: restorecon -R -v /var/blog/index.html

Cause: the context type of our /var/blog directory is var_t, while the type of the index.html we just moved over is
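The failure above is easy to spot by eye in one directory, but in a site tree with many files it is worth scripting. The following shell script is an added example, not code from the original article: given a directory's context (as ls -dZ prints it) and that directory's ls -Z listing on stdin, it reports every entry whose type differs from the directory's type and prints the chcon --reference command from the article that would make them consistent. It only prints the fix; it changes no label. It assumes the RHEL 6 ls -Z layout used in the article (permissions, owner, group, context, name) and file names without spaces, and the listing is constructed to mirror the session above plus two correctly labelled files.

```shell
#!/bin/sh
# Added example: list entries whose SELinux type differs from the directory's.
# Assumptions: "ls -Z" lines in the layout  perms owner group context name,
# names without spaces. Output only; nothing is relabelled.

# $1 = directory path, $2 = directory context from "ls -dZ", stdin = "ls -Z" output.
selinux_find_type_mismatch() {
    dir=$1
    dir_type=$(printf '%s' "$2" | cut -d: -f3)     # third field of the context is the type
    awk -v dir="$dir" -v want="$dir_type" '
        NF >= 5 {
            split($4, f, ":")                    # f[3] is this entry'"'"'s type
            if (f[3] != want)
                printf "%s/%s has type %s, directory is %s -> chcon --reference=%s %s/%s\n",
                       dir, $5, f[3], want, dir, dir, $5
        }'
}

# Constructed listing: index.html copied in from /home kept home_root_t,
# the other two files carry the directory'"'"'s var_t.
LISTING='-rw-r--r--. root root unconfined_u:object_r:home_root_t:s0 index.html
-rw-r--r--. root root system_u:object_r:var_t:s0 about.html
-rw-r--r--. root root system_u:object_r:var_t:s0 style.css'
DIR_CTX='system_u:object_r:var_t:s0'

# Number of mismatched entries in the constructed listing, for scripting.
mismatch_count() {
    printf '%s\n' "$LISTING" | selinux_find_type_mismatch /var/blog "$DIR_CTX" | wc -l | tr -d ' '
}

printf '%s\n' "$LISTING" | selinux_find_type_mismatch /var/blog "$DIR_CTX"
```

On a live host the stdin would come from ls -Z of the directory and $2 from ls -dZ. For paths that policy already knows (the standard web root, for instance) restorecon -v is the better fix because it reapplies the policy's own default rather than copying a neighbour's label, which is why the article offers it as the alternative.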



This article is from the "13122323" blog; please keep this source: http://13132323.blog.51cto.com/13122323/1954019
