Linux Security---selinux security control

Source: Internet
Author: User

This post covers: understanding SELinux, setting the SELinux security context of files, the effect of copying and moving files on SELinux labels, and setting SELinux rules for Apache and vsftpd.

1. Understanding SELinux

1) DAC (discretionary access control): controls a user's access to resources, i.e. ordinary file permissions.

MAC (mandatory access control): SELinux labels restrict which resources a process may access. A process is owned by a user; when the user invokes the process to access a resource (a file), the SELinux security labels are checked, and access is allowed only if they match the policy.

SELinux controls a process's access to resources through the SELinux user, role, type and level.

Format of the SELinux context: user:role:type:level

ls -Z install.log

-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log


2) SELinux users: these differ from system users. SELinux users are part of the SELinux policy, and system users are mapped onto them; each system user corresponds to one SELinux user mapping. View the mappings with semanage.

semanage user -l


3) Role: a user-space label that restricts the range of processes a user may access, e.g. object_r

4) Type (also called the security context here): the label on the resource, e.g. admin_home_t

5) Security level: s0 is the most commonly used

Viewing the SELinux attributes of processes, users and files:

ps -eZ | grep http    # view the SELinux context of the http processes

id -Z    # SELinux context of the current user

ls -ldZ /var/www/html    # view the SELinux attributes of the http web root directory


2. Setting the SELinux attribute (the type in the security context) of a file

1) Temporary setting

echo 123123 > /var/www/html/index.html

cd /var/www/html

ls -Z index.html    # type: httpd_sys_content_t, which only the Apache process may access; test access

chcon -t admin_home_t index.html    # access test: the file can no longer be accessed

restorecon -F -v index.html    # restore the SELinux attribute; -F means force, -v verbose

For a directory, add the "-R" option to the same file commands so they apply recursively.


2) Permanent setting

Syntax: semanage fcontext -{a|d|m} file    # -a add, -d delete, -l list, -m modify

Note: files and directories must be given as absolute paths.

File:

semanage fcontext -a -t httpd_sys_content_t /web/a.file    # add

cat /etc/selinux/targeted/contexts/files/file_contexts.local    # shows the SELinux attribute rule for a.file

restorecon -v /web/a.file    # takes effect immediately; restorecon restores contexts from the rules in the file_contexts.local file

semanage fcontext -d -t httpd_sys_content_t /web/a.file    # delete the SELinux attribute rule for a.file; this is equivalent to removing the rule from file_contexts.local, but do not delete it with vi

restorecon -F -v /web/a.file    # takes effect immediately

Directory:

semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"    # if only the directory is given, the SELinux attribute of the directory contents is not modified; use the regular expression "/web(/.*)?" to match everything under the directory

restorecon -R -F -v /web/    # takes effect immediately

semanage fcontext -d -t httpd_sys_content_t "/web(/.*)?"    # delete

restorecon -R -F -v /web/


3. Effect of copying and moving on SELinux rules

Move: the SELinux context is unchanged; when a file is overwritten, its SELinux attribute is overwritten too

mv /root/index.html /var/www/html/

ls -Z /var/www/html/index.html    # the SELinux context has not changed

cd /home/

touch index.html

ls -Z /home/index.html    # the file's type: home_root_t

mv /home/index.html /var/www/html/

ls -Z /var/www/html/index.html    # the SELinux context is overwritten; the type becomes home_root_t

Copy: the copy takes on the SELinux attributes of the target location; the SELinux attribute is not changed when overwriting

cp /root/install.log /var/www/html

ls -Z /var/www/html/install.log    # the SELinux type: httpd_sys_content_t

cp /root/install.log /var/www/html/    # overwrite; the SELinux attribute is unchanged

Note: compared with move, copy is better at preserving SELinux attributes and is the recommended method.
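The two ways a web file ends up unreadable by Apache shown above (a chcon to admin_home_t, a mv that carries home_root_t in from /home) can be caught with a label audit. The script below is an added example, not from the original post: it reads ls -Z output, flags every entry whose type is not httpd_sys_content_t, and prints the restorecon command that would reset them. The SAMPLE lines are constructed, and the directory prefix /var/www/html is an assumption passed as an optional argument.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the SELinux labels of
# web content from "ls -Z" output and flag anything Apache cannot read.
# SAMPLE below is constructed to mirror the cases in the post (a file relabelled
# with chcon, a file moved in from /home); on a real host feed the audit with:
#   ls -Z /var/www/html | audit_web_labels

EXPECTED_TYPE=httpd_sys_content_t   # type Apache is allowed to read

# Constructed "ls -Z" output. Both layouts are covered: the older form
# ("-rw-r--r--. root root <context> <name>") and the newer "<context> <name>".
SAMPLE='-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 chcon.html
unconfined_u:object_r:home_root_t:s0 moved.html
system_u:object_r:httpd_sys_content_t:s0 css'

# context_type user:role:type:level -> prints the type field only
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# audit_web_labels reads ls -Z lines on stdin. For every entry whose type is
# not EXPECTED_TYPE it prints "MISMATCH <name> <type>" and ends with a
# restorecon command that would reset it from the file_contexts rules.
# $1 is the directory the names are relative to (assumed /var/www/html).
# Exit status: 0 when every entry matches, 1 otherwise.
audit_web_labels() {
    awk -v want="$EXPECTED_TYPE" -v dir="${1:-/var/www/html}" '
        NF >= 2 {
            split($(NF-1), f, ":")          # user:role:type:level
            if (f[3] != want) {
                print "MISMATCH " $NF " " f[3]
                fix = fix " " dir "/" $NF
                bad++
            }
        }
        END {
            if (bad > 0) print "FIX: restorecon -v" fix
            exit (bad > 0)
        }'
}

# count_mismatches prints how many entries of SAMPLE are mislabelled.
count_mismatches() {
    printf '%s\n' "$SAMPLE" | audit_web_labels | grep -c '^MISMATCH'
}
```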


4. tar backups with SELinux; special SELinux types: file_t, default_t, user_tmp_t

By default the SELinux context is lost when tar packages files; it can be preserved with "--selinux" or "--xattrs".

tar -zcvf /tmp/test-sel.tar.gz /var/www/html/ --selinux

Special types:

file_t: the file has no SELinux attribute.

default_t: the SELinux context of the file or directory does not match any pattern defined in the file-context configuration.

Files of these two types cannot be accessed by processes that have a SELinux attribute set.

user_tmp_t: user temporary files; all processes can access them.

This article is from the "Lp-linux" blog; please keep this source: http://linuxlp.blog.51cto.com/11463376/1773666
