Linux System Management -- SELinux Use and Management

Source: Internet
Author: User

1. SELinux background

SELinux (Security-Enhanced Linux) is a mandatory access control security module for Linux developed by the NSA (National Security Agency) and SCC (Secure Computing Corporation). It was released in 2000 under the GNU GPL and was integrated into the Linux kernel from the 2.6 series onward.


1.1. MAC


SELinux performs access control with MAC, which is stricter and safer than the traditional model, DAC (discretionary access control).

MAC (mandatory access control) enforces access control:
- A process in a DAC environment is not confined; in a MAC environment the policy rules decide how strictly it is controlled.
- Processes can be confined in a MAC environment.
- The policy defines which resources (files and ports) a confined process may use; any behavior not explicitly allowed is denied by default.



1.2. SELinux Policy Types


SELinux has four policy types:
- strict: CentOS 5; every process is under SELinux control.
- targeted: protects common network services; only a limited set of processes is controlled by SELinux, i.e. only the vulnerable processes are monitored. CentOS 4 protects only 13 services, CentOS 5 protects 88.
- minimum: CentOS 7; a modified targeted policy that covers only selected network services.
- mls: provides MLS (multilevel security).
Targeted is the default type; minimum and mls are not stable enough to be applied, and strict is no longer used.



1.3. SELinux Security Context

In traditional Linux, all file access is controlled by user, group and permission bits. In SELinux, everything is an object, controlled by security attributes stored in the inode's extended attributes; every file, port resource and process carries a security label, the security context. The security context has five elements:
- user:role:type:sensitivity:category
- for example user_u:object_r:tmp_t:s0:c0
The actual context is stored in the file system and shown with ls -Z and ps -Z. The expected (default) context is stored in the binary SELinux policy library, which maps directories to their expected security context, and is listed with semanage fcontext -l.


1.4. Five Elements of security

- User: the kind of user logged on to the system, such as root, user_u, system_u; most local processes belong to the unconfined user.
- Role: defines the purpose of a file, process or user. Files: object_r; processes and users: system_r.
- Type: specifies the data type; the rules define which process type may access which file type. The targeted policy is implemented on types. For content shared by multiple services: public_content_t.
- Sensitivity: hierarchical security levels defined by an organization, such as unclassified, secret, top secret; an object has exactly one sensitivity. There are 16 levels, 0-15, with s0 the lowest; the targeted policy uses s0 by default.
- Category: non-hierarchical classification for a specific organization, such as FBI secret or NSA secret; an object can have multiple categories. c0-c1023, 1024 categories in total; the targeted policy does not use categories.


1.5. SELinux Policy

Object: everything that can be accessed, including files, directories, processes, ports and so on. Subject: the process is called the subject. SELinux gives every file a type label and every process a domain label; the operations a domain may perform are defined by the security policy. When a subject tries to access an object, the kernel's policy enforcement server checks the AVC (access vector cache), where subject and object permissions are cached, for the "application + file" security context pair, and then allows or denies access according to the result. Security policy: the rule database defining how subjects access objects; it records which type of subject may access which object by which method, and which behaviors are allowed or rejected.


2. Set SELinux

SELinux configuration covers: whether SELinux is enabled, relabeling files, setting security labels on ports, setting boolean switches for certain operations, and SELinux log management.
SELinux states:
- enforcing: mandatory; every confined process is restricted.
- permissive: violations by confined processes are not blocked, but are recorded in the audit log.
- disabled: SELinux is off.
Related commands:
- getenforce: show the current SELinux state
- sestatus: show SELinux status
- setenforce 0|1: 0 sets permissive, 1 sets enforcing
Configuration files:
- /boot/grub/grub.conf: add selinux=0 to the kernel line to disable SELinux
- /etc/selinux/config (also reachable as /etc/sysconfig/selinux): SELINUX={disabled|enforcing|permissive}


2.1. Modify the SELinux security label

Relabel the security context of a file:
  chcon [OPTION]... [-u USER] [-r ROLE] [-t TYPE] FILE...
  chcon [OPTION]... --reference=RFILE FILE...
  -R: recursive labeling
Restore the default security context of a directory or file:
  restorecon [-R] /path/to/somewhere


2.2. Default security context Query and modification

semanage comes from the policycoreutils-python package.
View the default security contexts: semanage fcontext -l
Add a security context rule: semanage fcontext -a -t httpd_sys_content_t '/testdir(/.*)?'
Apply the rule to the directory: restorecon -Rv /testdir
Delete the rule: semanage fcontext -d -t httpd_sys_content_t '/testdir(/.*)?'
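The 2.2 and 2.3 procedures combined into one script, as an added example that is not part of the original article: it builds the semanage pattern for a directory, adds the file-context rule (or modifies it if the pattern is already defined), applies it with restorecon and verifies the type that actually landed on the directory, then labels a port with the same add-or-modify fallback. The directory /testdir, the type httpd_sys_content_t and port 9527/tcp are assumed inputs; chcon alone would not survive the next restorecon, which is why the rule goes through semanage.

```shell
#!/bin/sh
# Added example (not from the original article): persistently label a web
# content directory and a service port, then verify the result.
# Assumed inputs: directory /testdir, type httpd_sys_content_t, port 9527/tcp.

# Build the semanage file-context regex for a directory: drop a trailing
# slash and append "(/.*)?" so the rule also covers everything beneath it.
fcontext_pattern() {
    printf '%s(/.*)?' "${1%/}"
}

# The third colon-separated element of a context string is the type, e.g.
# system_u:object_r:httpd_sys_content_t:s0 -> httpd_sys_content_t
context_type() {
    printf '%s' "$1" | cut -d: -f3
}

# Add the file-context rule (modify it if the pattern is already defined),
# apply it with restorecon, and verify the type actually on the directory.
label_dir() {
    dir=$1 type=$2
    pat=$(fcontext_pattern "$dir")
    if semanage fcontext -l | grep -Fq "$pat"; then
        semanage fcontext -m -t "$type" "$pat"
    else
        semanage fcontext -a -t "$type" "$pat"
    fi
    restorecon -Rv "$dir"
    # stat -c %C prints the SELinux context of the path
    [ "$(context_type "$(stat -c %C "$dir")")" = "$type" ]
}

# Label a port: semanage port -a fails when the port is already defined,
# so fall back to -m in that case, then confirm it is listed under the type.
label_port() {
    semanage port -a -t "$1" -p "$2" "$3" 2>/dev/null ||
        semanage port -m -t "$1" -p "$2" "$3"
    semanage port -l | grep -E "^$1 +$2 " | grep -qw "$3"
}

# Run only when invoked as: ./label.sh DIR TYPE (needs root and SELinux)
if [ $# -eq 2 ]; then
    label_dir "$1" "$2" && label_port http_port_t tcp 9527
fi
```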


2.3. SELinux Port Label

View port labels:
  semanage port -l
Add a port:
  semanage port -a -t port_label -p tcp|udp PORT
  semanage port -a -t http_port_t -p tcp 9527
Delete a port:
  semanage port -d -t port_label -p tcp|udp PORT
  semanage port -d -t http_port_t -p tcp 9527
Modify an existing port to a new label:
  semanage port -m -t port_label -p tcp|udp PORT
  semanage port -m -t http_port_t -p tcp 9527


2.3. SELinux Boolean Values

Boolean rules are handled with getsebool and setsebool.
View booleans: getsebool [-a] [boolean]; semanage boolean -l
View modified booleans only: semanage boolean -l -C
Set a boolean: setsebool [-P] boolean value (on|off); setsebool [-P] boolean=value (0|1)
-P writes the change into the policy so it persists across reboots.


2.4. SELinux Log Management

yum install setroubleshoot (takes effect after a restart): writes explanations of denials to /var/log/messages
grep setroubleshoot /var/log/messages
sealert -l UUID: view the description of one security event
sealert -a /var/log/audit/audit.log: scan and analyze the audit log
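What sealert is summarising are the raw AVC records in audit.log. The following POSIX shell parser, an added example that is not part of the original article, turns such records into one "source type denied permission on target type class" line each and, on the way, splits the user:role:type:level context format described in 1.3. The three audit records are constructed sample lines, not real captures; the field names (scontext, tcontext, tclass) are the standard auditd AVC fields.

```shell
#!/bin/sh
# Added example (not from the original article): summarise AVC denials from
# audit.log the way sealert -a does, using constructed sample records.

# Constructed sample audit records (not real captures): an httpd process
# denied read on a home-directory file, then denied binding to port 9527.
SAMPLE='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1700000000.456:457): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=9527 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1700000000.456:457): arch=c000003e syscall=49 success=no exit=-13'

# Value of the key=value field $2 in record $1 (fields are space-separated).
field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Split a context user:role:type:sensitivity:category; $2 selects the part
# (1=user, 2=role, 3=type, 4=sensitivity, 5=category).
context_part() {
    printf '%s' "$1" | cut -d: -f"$2"
}

# One line per AVC record: "SOURCE_TYPE denied PERMS on TARGET_TYPE CLASS".
# Non-AVC records (SYSCALL and so on) are skipped.
summarise_avc() {
    printf '%s\n' "$1" | grep '^type=AVC ' | while IFS= read -r line; do
        perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ \([^}]*\) }.*/\1/p')
        printf '%s denied %s on %s %s\n' \
            "$(context_part "$(field "$line" scontext)" 3)" "$perms" \
            "$(context_part "$(field "$line" tcontext)" 3)" \
            "$(field "$line" tclass)"
    done
}

summarise_avc "$SAMPLE"
```

Against a real system, replace SAMPLE with `$(grep '^type=AVC' /var/log/audit/audit.log)`; the resulting type pairs are what you look up with man -k _selinux or feed to the boolean checks in 2.3.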



2.5. SELinux Help

yum -y install selinux-policy-devel (CentOS 7.2)
yum -y install selinux-policy-doc
mandb (or makewhatis on older releases) to rebuild the man page index
man -k _selinux to list the per-service SELinux man pages

