Linux (Red Hat) Basic Learning: Understanding SELinux

Source: Internet
Author: User
Tags: ftp login, parent directory, uppercase letter, file permissions

Basic SELinux Security Concepts

SELinux (Security-Enhanced Linux) is an additional mechanism for protecting the security of your system. It is the implementation of mandatory access control originally developed by the United States National Security Agency (NSA), and one of the most significant security subsystems ever added to Linux. With the help of the Linux community, the NSA built an access control system under which a process can reach only the files and resources its task actually needs. SELinux is installed and enabled by default on Fedora and Red Hat Enterprise Linux, and is available as an easy-to-install package on other distributions.

To some extent it can be seen as a second permission system running in parallel with the standard one. In the conventional model a process runs as a user, and files and other resources on the system carry permission bits that control which users have which kinds of access to which files. SELinux differs in that, to access a file, a process needs both the ordinary permission and the SELinux permission. So even a process running as the superuser root can be denied access to a file or resource, depending on the SELinux security context of the process and of the file or resource.
1. SELinux mode

SELinux has three modes: enforcing (the policy is enforced and violations are denied), permissive (the policy is not enforced, but violations are logged as warnings) and disabled (SELinux is off).

getenforce  ## show the current SELinux mode

Change the state directly in the shell:

setenforce 0|1  ## switch between permissive and enforcing: 0 = permissive (warn only), 1 = enforcing

The disabled mode cannot be entered or left with setenforce: it is set in the file /etc/sysconfig/selinux (a symlink to /etc/selinux/config on Red Hat systems), and the change takes effect only after a reboot. The other two modes can of course also be set permanently in the same file:

SELINUX=enforcing | permissive | disabled
enforcing   ## enforcing mode
permissive  ## warning mode
disabled    ## off

One caveat: files written while SELinux was disabled carry no labels. Before switching from disabled back to enforcing or permissive, create the empty marker file /.autorelabel so that the whole filesystem is relabeled on the next boot; otherwise the unlabeled files cause denials and services may fail to start.
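As an added example (not code from the original article), here is a small POSIX shell helper that reads and rewrites the SELINUX= line of a file in the /etc/selinux/config format, and creates the /.autorelabel marker whenever the mode is changed away from disabled. It operates on whatever file and root directory it is given, so it can be tried on a copy; the function names, the optional ROOT argument and the mode validation are this example's own.

```shell
#!/bin/sh
# Added example: read and change the SELINUX= mode setting of a file in
# the /etc/selinux/config format (on Red Hat, /etc/sysconfig/selinux is a
# symlink to it). Runs against any file and root directory you pass in,
# so it can be tried on a copy without touching the real system.

# selinux_config_mode FILE
# Print the active SELINUX= value (commented-out lines are ignored);
# prints "unset" if no such line exists.
selinux_config_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${mode:-unset}"
}

# selinux_set_config_mode FILE MODE [ROOT]
# Rewrite SELINUX= in FILE to MODE (enforcing|permissive|disabled).
# Returns 1 without touching the file if MODE is not one of the three.
# When the file previously said "disabled", an empty ROOT/.autorelabel
# (ROOT defaults to /) is created: files written while SELinux was off
# carry no labels, and the marker makes the next boot relabel everything.
selinux_set_config_mode() {
    file=$1; new=$2; root=${3:-/}
    case $new in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $new" >&2; return 1 ;;
    esac
    old=$(selinux_config_mode "$file")
    tmp=$(mktemp)
    if grep -q '^[[:space:]]*SELINUX=' "$file"; then
        sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$new/" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf 'SELINUX=%s\n' "$new" >> "$tmp"
    fi
    cat "$tmp" > "$file"      # write in place: keeps the file's owner, mode and label
    rm -f "$tmp"
    if [ "$old" = disabled ] && [ "$new" != disabled ]; then
        : > "$root/.autorelabel"
    fi
}

# Demo on a throwaway copy (only when run as: SELINUX_DEMO=1 sh this.sh)
if [ "${SELINUX_DEMO:-0}" = 1 ]; then
    d=$(mktemp -d)
    printf '# This file controls the state of SELinux on the system.\nSELINUX=disabled\nSELINUXTYPE=targeted\n' > "$d/config"
    selinux_set_config_mode "$d/config" enforcing "$d"
    cat "$d/config"; ls -a "$d"
fi
```

On a real host the call would be selinux_set_config_mode /etc/selinux/config enforcing, followed by a reboot; the relabel triggered by /.autorelabel can take several minutes on a large filesystem.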
2. SELinux security context and access rules

--------> Reference article: Understanding the SELinux security context

In SELinux the access control attribute is called the security context. All operating-system access control is based on some access control attribute associated with the subject and the object. Every object (files, inter-process communication channels, sockets, network hosts and so on) and every subject (processes) has a security context associated with it. A security context consists of three parts: the user, the role and the type identifier. It is usually specified or displayed in the following colon-separated format:

user:role:type

On the targeted policy shipped by Red Hat a fourth MLS/MCS field follows (for example s0), so a process context looks like system_u:system_r:httpd_t:s0.
User

1) User identity: similar to a UID on a Linux system; it identifies the identity under which a process runs or an object was created, and is part of the security context.
2) Three common SELinux users:

     * user_u: default for ordinary users after login
     * system_u: default for system processes started during boot
     * root: default after root logs in

3) The SELinux user is not very important in the targeted policy; there, ordinary logins are normally mapped to unconfined_u (the mapping is listed by semanage login -l).
4) It matters in the strict policy. All default SELinux users end with "_u", except root.


Role

1) Role of files, directories and devices: usually object_r.
2) Role of system processes (daemons): usually system_r.
3) Role of users: in the targeted policy an interactive login normally runs as unconfined_r; in the strict policy the roles sysadm_r, staff_r and user_r are used. A role is comparable to a GID in the standard permission system: different roles carry different permissions, a user can be authorised for several roles, but is in only one role at a time.


Type

1) Type: used to divide subjects (processes) and objects (files, sockets and so on) into groups. Every subject and object in the system is given a type, and the policy grants each type only the permissions its processes need in order to run.
2) When a type is associated with a running process it is also called a domain; for historical reasons "domain", "domain type" and the "type" field of a process context all mean the same thing.
3) The type is the most important part of the SELinux security context and the heart of SELinux type enforcement: access decisions are made by rules that allow a source type (domain) a set of permissions on a target type.

* The httpd process of a web server runs with the SELinux context system_u:system_r:httpd_t. The important part of the context is the third, colon-delimited field, the SELinux type: httpd_t.
* Files and other resources on the system also carry an SELinux context label, and again the important part is the type. For example, files under /var/www/html have the type httpd_sys_content_t, while files in /tmp and /var/tmp typically have the type tmp_t.
* The SELinux policy contains a rule that allows a process running as httpd_t to access files labelled httpd_sys_content_t. There is no rule allowing such a process to access files labelled tmp_t, so that access is denied even when the regular file permissions say it should be allowed. The allow rule can be inspected with sesearch -A -s httpd_t -t httpd_sys_content_t -c file (from the setools-console package); the same query with -t tmp_t returns nothing.

3. Displaying the SELinux file context

What determines the initial SELinux context of a file? Usually the parent directory: a newly created file inherits the context of the directory it is created in. This is what happens with commands such as vim, cp and touch. If a file is instead created elsewhere and then moved in a way that preserves its attributes (mv, or cp -a), the original SELinux context is preserved as well, which is the usual reason a file ends up with the wrong label.

* Many commands that handle files have an option, usually -Z, to display or set the SELinux context. For example, ps, ls, cp and mkdir all accept -Z.

View directories and files with ls -Z:


To view processes, use ps -eZ (or ps auxZ):

4. Modifying the SELinux security context

(1) chcon

chcon [options] file/directory
    -u  set the user
    -r  set the role
    -t  set the type

chcon changes the label stored on the file itself, not the policy's file-context rules. The change survives a reboot, but it is undone by the next relabel, whether that is a restorecon on the path or a full filesystem relabel, because both reset the file to the context the policy defines.

restorecon -Rv file/directory    ## -R: recursive; for a directory, every subdirectory and file under it is reset. -v: print each change
restorecon -FvvR directory        ## -F: force a full reset of the context (user and role as well as type), not only the type

(2) The semanage command
semanage is used to query and modify the default security contexts that the policy assigns to directories and files.

semanage fcontext -{a|d|m} [-frst] file_spec
Options:
    -l: list (query) the file-context rules; fcontext is the part of semanage that deals with security contexts.
    -a: add a default security context rule for a path.
    -m: modify an existing rule.
    -d: delete a rule.

Query the security context for the/var/ftp/test directory:

semanage fcontext -l | grep /var/ftp/test

semanage fcontext uses an extended regular expression to specify the path and file name.
The expression most often used in an fcontext rule is (/.*)?, which matches a / followed by any number of characters, or nothing at all.
A rule written as /path(/.*)? therefore applies to the directory named before the expression and, recursively, to everything inside it. Note that semanage only records the rule in the policy's file-context database; it does not touch the files. Run restorecon on the path afterwards to apply the new default label.
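The full procedure for a directory that no default rule covers, written as an added shell example (not part of the original article): record a rule with semanage fcontext, choosing -m instead of -a when a rule for exactly that path already exists (adding the same specification twice fails with "already defined"), then apply it with restorecon. The run helper, the DRY_RUN switch and the function names are this example's own; with DRY_RUN=1 the commands are printed instead of executed, so the logic can be checked on a machine without SELinux.

```shell
#!/bin/sh
# Added example: persistently label a directory tree with semanage + restorecon.
# Not from the original article. Set DRY_RUN=1 to print the commands instead
# of running them (semanage and restorecon need root and an SELinux-enabled host).

# run CMD...: execute, or just print when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# fcontext_spec DIR: print the regex semanage expects for DIR and everything
# under it, i.e. /path(/.*)? with any trailing slash removed.
fcontext_spec() {
    d=${1%/}
    printf '%s(/.*)?\n' "$d"
}

# fcontext_rule_exists SPEC: true if `semanage fcontext -l` already lists
# a rule whose file specification is exactly SPEC (first column of the listing).
fcontext_rule_exists() {
    semanage fcontext -l 2>/dev/null | awk -v s="$1" '
        index($0, s) == 1 && substr($0, length(s) + 1, 1) ~ /[ \t]/ { found = 1 }
        END { exit !found }'
}

# persist_fcontext DIR TYPE: add (or modify) the rule, then relabel DIR.
# Returns 1 if DIR is not an absolute path (a relative spec would be
# recorded verbatim and never match anything) or if DIR is / itself.
persist_fcontext() {
    dir=$1; ctx_type=$2
    case $dir in
        /*) ;;
        *) echo "directory must be an absolute path: $dir" >&2; return 1 ;;
    esac
    dir=${dir%/}
    [ -n "$dir" ] || { echo "refusing to relabel the whole filesystem" >&2; return 1; }
    spec=$(fcontext_spec "$dir")
    op=-a
    if [ "${DRY_RUN:-0}" != 1 ] && fcontext_rule_exists "$spec"; then
        op=-m    # -a on an existing spec fails with "already defined"
    fi
    run semanage fcontext $op -t "$ctx_type" "$spec"
    run restorecon -Rv "$dir"
}

# Example use (printed only):
#   DRY_RUN=1 persist_fcontext /srv/www httpd_sys_content_t
```

Quoting matters on a real shell: the specification contains ( ) ? and *, so when typing the semanage command by hand it must be single-quoted, which the function avoids by passing it as one argument.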

5. SELinux Boolean values

An SELinux Boolean is a switch that changes the behaviour of the SELinux policy: each Boolean selects a set of policy rules that can be turned on or off at run time, so a security administrator can tune the policy without writing or compiling policy modules.

1. Use the getsebool tool to list the Booleans and their current values.

Query command: getsebool -a

In the output above I used a pipe to filter out most of the entries, because once the whole SELinux policy is loaded the number of distinct Boolean values easily exceeds 200.

2. Obtaining information about a Boolean

Not all Booleans have names that make their purpose obvious. Use semanage boolean -l to see a description of each Boolean together with its current and default value.

3. Changing a Boolean

(1) SELinux Booleans are changed with the setsebool command, which takes the name of the Boolean and the value to set, on or off.

setsebool xxxxx on | off   ## turn the policy rules selected by Boolean xxxxx on or off

Once the command completes, the new value takes effect immediately, but only for the lifetime of the currently loaded policy: if the system is rebooted, or the SELinux policy is reloaded, the change is lost. In other words, switching a Boolean this way is fast, which is useful when debugging a problem.
(2) With the -P option the change is also made persistent.

setsebool -P xxxxx on | off   ## turn Boolean xxxxx on or off permanently

-----> Note that the option letter must be an uppercase P; a lowercase p is rejected as an invalid option, as shown in the original screenshot.

This form takes noticeably longer to complete, because the persistent value is written into the policy store and the policy is rebuilt and reloaded. Once it finishes, the Boolean keeps its new value across reboots.
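An added example (not from the original article) that uses the getsebool -a output format, name --> value, for a configuration check: compare the current values against a baseline and print only the setsebool -P commands needed to bring the system into line, skipping Booleans that are already correct, since every -P call rebuilds the policy. The sample getsebool output, the baseline and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: detect drift between the current SELinux Booleans and a
# baseline, and emit only the setsebool -P calls actually needed.
# Not from the original article; the sample data below is constructed.

# Constructed stand-in for `getsebool -a` output (format: name --> on|off).
sample_getsebool() {
    cat <<'EOF'
ftpd_anon_write --> off
ftpd_full_access --> off
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_enable_homedirs --> off
EOF
}

# write_baseline FILE: constructed baseline, one "name value" per line.
write_baseline() {
    cat > "$1" <<'EOF'
ftpd_anon_write off
ftpd_full_access off
httpd_can_network_connect off
httpd_can_network_connect_db on
virt_use_nfs on
EOF
}

# sebool_drift BASELINE_FILE  (getsebool -a output on stdin)
# stdout: one "setsebool -P name value" line per Boolean that differs,
#         sorted so the output is stable.
# stderr: baseline names the running policy does not know (a typo, or a
#         Boolean from a different policy version), which setsebool would reject.
sebool_drift() {
    awk -v base="$1" '
        BEGIN {
            while ((getline line < base) > 0) {
                n = split(line, f, " ")
                if (n == 2) want[f[1]] = f[2]
            }
            close(base)
        }
        $2 == "-->" { have[$1] = $3 }
        END {
            for (b in want) {
                if (!(b in have)) {
                    print "unknown boolean in baseline: " b > "/dev/stderr"
                } else if (have[b] != want[b]) {
                    print "setsebool -P " b " " want[b]
                }
            }
        }' | LC_ALL=C sort
}

# On a real host:   getsebool -a | sebool_drift /etc/selinux-baseline.conf
# Offline demo:     write_baseline /tmp/baseline; sample_getsebool | sebool_drift /tmp/baseline
```

With the constructed data the check prints two commands (httpd_can_network_connect off and httpd_can_network_connect_db on) and warns about virt_use_nfs, which the sample policy does not list; the printed commands can be reviewed and then piped to sh.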

6. Monitoring SELinux denials

(1) The setroubleshoot-server package must be installed for SELinux messages to be forwarded to /var/log/messages.
(2) setroubleshoot-server listens for the audit records in /var/log/audit/audit.log and writes a short summary to /var/log/messages. The summary includes a unique identifier (UUID) for the denial, which can be used to retrieve the full analysis.
(3) sealert -l UUID generates the report for one specific event.
(4) sealert -a /var/log/audit/audit.log generates a report for every event in that file.
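As an added example (not the article's own, and not what sealert does internally), the following shell function condenses raw AVC records from audit.log into a count per source type, target type, object class and permission, which is the quickest way to see what a denial is really about before reaching for sealert. The audit lines are constructed but follow the format the kernel writes; the function and hint names are this example's own.

```shell
#!/bin/sh
# Added example: summarise AVC denials from /var/log/audit/audit.log.
# Not from the original article. The sample records are constructed but
# follow the real kernel format:
#   type=AVC msg=audit(...): avc:  denied  { perms } for  pid=... comm="..."
#       ... scontext=U:R:T:L tcontext=U:R:T:L tclass=CLASS permissive=0|1

sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:401): avc:  denied  { read } for  pid=1234 comm="vsftpd" name="a.txt" dev="dm-0" ino=6789 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:402): avc:  denied  { getattr } for  pid=1234 comm="vsftpd" path="/var/ftp/a.txt" dev="dm-0" ino=6789 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:403): avc:  denied  { read } for  pid=1234 comm="vsftpd" name="b.txt" dev="dm-0" ino=6790 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.250:404): avc:  denied  { name_connect } for  pid=2222 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.250:404): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
EOF
}

# avc_summary [FILE]  (reads stdin when FILE is omitted)
# Prints "COUNT SOURCE_TYPE TARGET_TYPE CLASS PERMISSION", most frequent first.
# Only AVC records are counted; "{ read write }" is split into one line per permission.
avc_summary() {
    awk '
        /^type=AVC / && /avc: +denied +\{/ {
            perms = $0
            sub(/.*denied +\{ */, "", perms); sub(/ *\}.*/, "", perms)
            match($0, /scontext=[^ ]+/); s = substr($0, RSTART + 9, RLENGTH - 9)
            match($0, /tcontext=[^ ]+/); t = substr($0, RSTART + 9, RLENGTH - 9)
            match($0, /tclass=[^ ]+/);   c = substr($0, RSTART + 7, RLENGTH - 7)
            split(s, sa, ":"); split(t, ta, ":")        # third field is the type
            n = split(perms, pa, " ")
            for (i = 1; i <= n; i++) count[sa[3] " " ta[3] " " c " " pa[i]]++
        }
        END { for (k in count) print count[k], k }' "${1:--}" | sort -rn
}

# avc_hint SOURCE_TYPE TARGET_TYPE CLASS
# Rule-of-thumb next step for a denial, keyed on the object class.
avc_hint() {
    case $3 in
        file|dir|lnk_file|fifo_file|sock_file)
            echo "likely a mislabeled object: ls -Z it, then restorecon -v it or add a semanage fcontext rule" ;;
        tcp_socket|udp_socket)
            echo "network access: check Booleans (getsebool -a | grep ${1%_t}) and port labels (semanage port -l | grep ${2%_port_t})" ;;
        *)
            echo "no simple rule; run sealert -l on the event for a full analysis" ;;
    esac
}

# Offline demo with the constructed data:  sample_audit_log | avc_summary
# On a real host:  avc_summary /var/log/audit/audit.log | head
```

On a live host the same records can be pulled out of the audit log with ausearch -m AVC -ts recent and piped into avc_summary. With the constructed data the top line is 2 ftpd_t mnt_t file read, the signature of the /var/ftp case discussed below: a file carrying the wrong type rather than a missing Boolean.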


7. Example: files moved into /var/ftp are invisible to FTP clients

1. The /var/ftp/ directory initially contains some files.

A remote FTP login can see these files.

2. Create new files in the /mnt directory and move them (mv) into the /var/ftp directory.

3. Log in over FTP again: the newly moved files do not show up.

This is caused by the SELinux policy. Looking at the FTP directory with ls -Z:

* The files originally created in the FTP directory have the type public_content_t, while the files created in /mnt have the type mnt_t. Because the system is in enforcing mode, the FTP daemon (domain ftpd_t) is not allowed to read mnt_t files, so refreshing the FTP listing still does not show the files moved in from /mnt.

* Why are the two file context types different? A file created in /mnt inherits the SELinux type of its parent directory by default, and so does a file created under /var/ftp. The two directories carry different types, so the files created in them carry different types, and mv preserves the label of the source rather than relabeling for the destination.

* There are two usual ways out:

① Set the SELinux mode to disabled. Nothing will be blocked by the policy any more, but the system also loses the protection SELinux provides, so this is not recommended.

② Repair the file context with restorecon or chcon. Because the policy already has a default rule for /var/ftp, restorecon is enough here (note that the shell glob /var/ftp/* skips dot-files; restorecon -Rv /var/ftp would also cover the directory itself):

restorecon -Rv /var/ftp/*

After that, the remote FTP user can see all the files again.
