Understanding SELinux; setting the SELinux security context of files; the effect of copy and move on SELinux labels; setting SELinux rules for Apache and VSFTPD
1. Understanding SELinux
1) DAC (discretionary access control): controls a user's access to resources through the ordinary file permissions (owner, group, other).
MAC (mandatory access control): SELinux labels restrict which resources a process may access. A process runs on behalf of a user; when the user's process tries to access a resource (a file), the kernel compares the SELinux security label of the process with that of the file and grants access only if the policy allows that pairing. DAC is checked first; SELinux can only further deny what DAC has already allowed.
SELinux controls a process's access to resources using four fields: the SELinux user, role, type and level.
Format of an SELinux security context: user:role:type:level
ls -Z install.log
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log
The dot after the permission bits shows that the file carries an SELinux security context.
2) SELinux users: not the same as the Linux system users. SELinux users are defined by the SELinux policy, and each Linux user is mapped onto one SELinux user (several Linux users may share the same SELinux user). View the users and the mapping with semanage:
semanage user -l     # SELinux users and the roles they are allowed to take
semanage login -l    # mapping from Linux login name to SELinux user
3) Role: limits which domains a user or process may enter. An SELinux user is authorised for a set of roles, and each role for a set of types. Files are objects and always carry the role object_r.
4) Type: the field that actually decides access, and what people usually mean by "security context". Every resource has a type, for example admin_home_t; the type of a process is called its domain, for example httpd_t for Apache. The policy rules state which domains may access which types.
5) Level: the MLS/MCS sensitivity level. s0 is by far the most common; a range such as s0-s0:c0.c1023 is also possible.
Viewing the SELinux context of processes, users and files:
ps -eZ | grep http        # SELinux context of the httpd processes
id -Z                     # SELinux context of the current user
ls -ldZ /var/www/html     # SELinux context of the web root directory
2. Setting the SELinux security context (type) of a file
1) Temporary setting (overwritten by the next restorecon or filesystem relabel)
echo 123123 > /var/www/html/index.html
cd /var/www/html
ls -Z index.html                  # type httpd_sys_content_t: only the Apache domain may read it; test access with a browser or curl
chcon -t admin_home_t index.html  # access test: Apache can no longer serve the file (403 in the browser, an AVC denial in /var/log/audit/audit.log)
restorecon -F -v index.html       # restore the context defined by policy; -F forces a full reset of all fields, -v prints what changed
To change a directory and everything below it, add -R (recursive) to chcon and restorecon.
2) Permanent setting (written to the local policy, survives relabels)
Syntax: semanage fcontext -{a|d|m|l} [-t TYPE] PATH   # -a add, -d delete, -m modify, -l list
Note: files and directories must be given as absolute paths.
File:
semanage fcontext -a -t httpd_sys_content_t /web/a.file        # add the rule
cat /etc/selinux/targeted/contexts/files/file_contexts.local   # the rule for a.file now appears here
restorecon -v /web/a.file                                      # apply now; restorecon relabels according to the rules in file_contexts.local and the policy's own file_contexts
semanage fcontext -d -t httpd_sys_content_t /web/a.file        # delete the rule; this removes the line from file_contexts.local, so do not edit that file with vi
restorecon -F -v /web/a.file                                   # apply now: the file falls back to the label the policy would assign by default
Directory:
semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"       # with only the directory path the contents would not be covered; the regular expression "/web(/.*)?" matches the directory and everything below it
restorecon -R -F -v /web/                                      # apply now
semanage fcontext -d -t httpd_sys_content_t "/web(/.*)?"       # delete the rule
restorecon -R -F -v /web/
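The whole permanent-labelling procedure as one script, added here as an example and not part of the original post: it builds the "/web(/.*)?" regex from a directory path, persists the rule with semanage fcontext (falling back to -m if the rule already exists), relabels with restorecon, and then checks three things that should agree: the rule in file_contexts.local, what matchpathcon now reports for the path, and the label actually on disk (stat -c %C). The web root /web, the type httpd_sys_content_t and the sample file_contexts.local listing are assumed values constructed for the example; the live part only runs as root on a host with semanage and SELinux enabled.

```shell
#!/bin/sh
# Added example, not from the original post: persist an SELinux label for a web
# root with semanage fcontext, apply it with restorecon, and verify that the
# local rule, the policy lookup and the on-disk label all agree.
# Assumed (hypothetical) values: web root /web, type httpd_sys_content_t,
# targeted policy.
set -eu

WEBROOT="${WEBROOT:-/web}"
EXPECTED_TYPE="${EXPECTED_TYPE:-httpd_sys_content_t}"
LOCAL_RULES=/etc/selinux/targeted/contexts/files/file_contexts.local

# Build the regex semanage needs so the directory AND its contents are covered:
# /web/ -> /web(/.*)?   (a bare /web would label only the directory itself)
dir_regex() {
    d=$1
    while [ "$d" != / ] && [ "${d%/}" != "$d" ]; do d=${d%/}; done
    printf '%s(/.*)?\n' "$d"
}

# Type field of a context user:role:type:level. The level may contain colons
# (s0-s0:c0.c1023), so drop the first two fields, then cut at the next colon.
ctx_type() {
    rest=${1#*:*:}
    printf '%s\n' "${rest%%:*}"
}

# Find the type that a file_contexts.local listing (read from stdin) records
# for REGEX. Lines are "regex context" or "regex -filetype context"; comments
# start with #. Prints the type and returns 0, or returns 1 if no exact match.
local_rule_type() {
    want=$1
    while read -r pattern a b; do
        [ -n "$pattern" ] || continue
        case $pattern in '#'*) continue ;; esac
        ctx=${b:-$a}                       # the context is the last word on the line
        if [ "$pattern" = "$want" ]; then
            ctx_type "$ctx"
            return 0
        fi
    done
    return 1
}

# Constructed sample of what semanage writes to file_contexts.local.
SAMPLE_LOCAL_RULES='# This file is auto-generated by libsemanage (constructed sample)
/web(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/web/a.file    system_u:object_r:httpd_sys_content_t:s0
/srv/ftp(/.*)? -d system_u:object_r:public_content_t:s0'

# The real procedure: add (or modify) the rule, relabel, then check three sources of truth.
label_webroot() {
    regex=$(dir_regex "$WEBROOT")
    semanage fcontext -a -t "$EXPECTED_TYPE" "$regex" \
        || semanage fcontext -m -t "$EXPECTED_TYPE" "$regex"   # -a fails if the rule already exists
    restorecon -R -F -v "$WEBROOT"                              # apply it now
    rule=$(local_rule_type "$regex" < "$LOCAL_RULES")           # what was persisted
    policy=$(ctx_type "$(matchpathcon -n "$WEBROOT")")          # what policy now assigns to the path
    ondisk=$(ctx_type "$(stat -c %C "$WEBROOT")")               # what is actually on disk
    echo "rule: $rule  policy: $policy  on disk: $ondisk"
    [ "$rule" = "$EXPECTED_TYPE" ] && [ "$policy" = "$EXPECTED_TYPE" ] && [ "$ondisk" = "$EXPECTED_TYPE" ]
}

# Only run the live part where it can work: root, the tools present, SELinux on.
if [ "$(id -u)" = 0 ] && command -v semanage >/dev/null 2>&1 \
   && command -v matchpathcon >/dev/null 2>&1 \
   && [ "$(getenforce 2>/dev/null || echo Disabled)" != Disabled ]; then
    label_webroot
else
    echo "live relabel skipped (needs root, semanage/matchpathcon and SELinux enabled); helpers are defined" >&2
fi
```

The three-way check is the part worth keeping: a rule can be in file_contexts.local while a more specific rule in the policy's own file_contexts still wins for a given path (matchpathcon shows which one wins), and a rule can be correct while the on-disk label is still stale because restorecon was never run.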
3. Effect of moving and copying on SELinux labels
Move: mv keeps the label the file had at its source; if it overwrites an existing file, the destination ends up with the moved file's label.
mv /root/index.html /var/www/html/
ls -Z /var/www/html/index.html    # label unchanged: still the label it had under /root
cd /home/
touch index.html
ls -Z /home/index.html            # type of the new file: home_root_t
mv /home/index.html /var/www/html/
ls -Z /var/www/html/index.html    # label overwritten: the type is now home_root_t, which httpd is not allowed to read
Copy: cp gives the new file the default label of the destination directory; when it overwrites an existing file, that file's label is left unchanged.
cp /root/install.log /var/www/html
ls -Z /var/www/html/install.log   # type: httpd_sys_content_t
cp /root/install.log /var/www/html/   # overwrite: label unchanged
Note: of the two, cp is the one that leaves files correctly labelled for their new location, so prefer it; if you must mv, run restorecon on the destination afterwards.
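The commands in section 1 show the four context fields, and the mv steps above show how a wrong type ends up inside the web root. The script below is an added example, not part of the original post: it parses the context out of ls -Z, ps -eZ and id -Z output without relying on a fixed column (the column differs between coreutils versions), handles an MCS range such as s0-s0:c0.c1023, which contains extra colons, and flags every entry under a web root whose type is outside the httpd_* family, which is the audit to run after moving files. The sample ls -Z lines, the httpd_* pattern and the /var/www/html default are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: parse the context fields that
# ls -Z, ps -eZ and id -Z print, and flag entries under a web root whose type
# httpd cannot read (what "mv" into /var/www/html leaves behind).
# Assumptions: allowed types are the httpd_* family (a hypothetical pattern),
# the sample lines below are constructed, default web root /var/www/html.
set -euf      # -f: no globbing, so "*" and "?" in ls/ps output are never expanded

# Pick the context out of one line of ls -Z / ps -eZ output. The column differs
# between versions (RHEL 6 ls -Z prints perms, owner and group first; newer
# coreutils print only context and name; ps -eZ puts the context first), so take
# the first word shaped like user:role:type:level instead of a fixed column.
ctx_from_line() {
    for word in $1; do
        case $word in *:*:*:*) printf '%s\n' "$word"; return 0 ;; esac
    done
    return 1
}

# The four fields. Only the level may contain further colons (s0-s0:c0.c1023),
# so user/role/type are cut at the next colon and level keeps the remainder.
ctx_user()  { printf '%s\n' "${1%%:*}"; }
ctx_role()  { r=${1#*:};   printf '%s\n' "${r%%:*}"; }
ctx_type()  { r=${1#*:*:}; printf '%s\n' "${r%%:*}"; }
ctx_level() { printf '%s\n' "${1#*:*:*:}"; }

# Read ls -Z style lines from stdin; print "name type" for every entry whose
# type does not match the shell pattern ALLOWED. Exit 0 only if nothing was
# flagged. Lines without a context (ls -R headers, blanks) are ignored, and
# the name is the last word, so names containing spaces are reported truncated.
find_mislabelled() {
    allowed=$1
    count=0
    while IFS= read -r line; do
        ctx=$(ctx_from_line "$line") || continue
        for name in $line; do :; done         # last word on the line = file name
        t=$(ctx_type "$ctx")
        case $t in
            $allowed) ;;
            *) printf '%s %s\n' "$name" "$t"; count=$((count + 1)) ;;
        esac
    done
    [ "$count" -eq 0 ]
}

# Constructed ls -Z output for /var/www/html after the mv/cp steps above:
# install.log was copied (correct type), index.html moved from /root and
# index2.html moved from /home (wrong types), upload.txt written by httpd.
SAMPLE_LS_Z='-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 install.log
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:home_root_t:s0 index2.html
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0-s0:c0.c1023 upload.txt'

# On an SELinux host: audit the real web root and fix what mv left behind.
audit_webroot() {
    if ls -Z "$1" | find_mislabelled 'httpd_*'; then
        echo "all entries in $1 carry an httpd_* type"
    else
        echo "relabelling $1 from policy:"
        restorecon -R -v "$1"
    fi
}

if command -v restorecon >/dev/null 2>&1 && [ "$(getenforce 2>/dev/null || echo Disabled)" != Disabled ]; then
    audit_webroot "${WEBROOT:-/var/www/html}"
else
    echo "no SELinux here: running the check on the constructed sample instead" >&2
    printf '%s\n' "$SAMPLE_LS_Z" | find_mislabelled 'httpd_*' || true
fi
```

On the constructed sample the check reports index.html (admin_home_t) and index2.html (home_root_t), exactly the two files that were moved rather than copied; restorecon -R -v on the directory relabels them from policy, which is the fix the note above recommends after any mv.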
4. tar backups with SELinux labels; special SELinux types: file_t, default_t, user_tmp_t
By default tar does not store SELinux labels, so they are lost on extraction. Use --selinux (or --xattrs) both when creating and when extracting the archive to keep them.
tar --selinux -zcvf /tmp/test-sel.tar.gz /var/www/html/
tar --selinux -zxvf /tmp/test-sel.tar.gz -C /     # the option is needed on extraction as well, or the files get the destination directory's default label
Special types:
file_t: the file has no SELinux label at all (for example a filesystem that has never been labelled).
default_t: the path of the file or directory matches no pattern in the file-context configuration, so it received the catch-all label.
Confined processes are not allowed to access files of either of these two types; run restorecon on them to give them a proper label.
user_tmp_t: temporary files created by user processes under /tmp; a widely shared type that the policy lets most domains use.
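Backup and restore with labels as a small script, added here as an example and not part of the original post: it detects which option the local tar understands (--selinux on RHEL/CentOS builds, --xattrs on upstream GNU tar 1.27 and later, which stores security.selinux), creates and extracts the archive with it, and verifies a restored tree by comparing stat -c %C for every file against the original. GNU tar and GNU stat are assumed; the paths come from the command line and nothing here refers to a real site.

```shell
#!/bin/sh
# Added example, not from the original post: back up a directory together with
# its SELinux labels, restore it, and verify that the labels survived.
# Assumes GNU tar (RHEL/CentOS builds know --selinux, upstream 1.27+ knows
# --xattrs, which carries security.selinux) and GNU stat for the check.
set -eu

# Which label-preserving option does this tar understand? Prefer --selinux,
# fall back to --xattrs, and print nothing (plain tar, labels lost) otherwise.
tar_label_flag() {
    help=$(tar --help 2>&1 || true)
    case $help in
        *--selinux*) printf '%s\n' --selinux ;;
        *--xattrs*)  printf '%s\n' --xattrs ;;
        *)           printf '\n' ;;
    esac
}

backup_with_labels() {     # backup_with_labels SRC_DIR ARCHIVE
    flag=$(tar_label_flag)
    [ -n "$flag" ] || echo "warning: this tar cannot store SELinux labels" >&2
    # $flag is intentionally unquoted: an empty value must disappear, not become ""
    tar $flag -zcf "$2" -C "$(dirname "$1")" "$(basename "$1")"
}

restore_with_labels() {    # restore_with_labels ARCHIVE DEST_DIR  (run as root so labels can be set)
    flag=$(tar_label_flag)
    mkdir -p "$2"
    tar $flag -zxf "$1" -C "$2"
}

# Compare the label of every file in ORIG with its copy under RESTORED.
# stat -c %C prints the context ("?" on a file system without labels).
# Prints each mismatch as "path: orig -> restored"; exit 0 only if none.
compare_labels() {         # compare_labels ORIG_DIR RESTORED_DIR
    ( cd "$1" && find . -type f ) | while IFS= read -r f; do
        a=$(stat -c %C "$1/$f")
        b=$(stat -c %C "$2/$f")
        [ "$a" = "$b" ] || printf '%s: %s -> %s\n' "$f" "$a" "$b"
    done | awk '{ print; n++ } END { exit n > 0 }'
}

case ${1:-} in
    backup)  backup_with_labels "$2" "$3" ;;
    restore) restore_with_labels "$2" "$3" ;;
    verify)  compare_labels "$2" "$3" ;;
    *) echo "usage: $0 backup SRC_DIR ARCHIVE | restore ARCHIVE DEST_DIR | verify ORIG_DIR RESTORED_DIR" >&2 ;;
esac
```

To see the failure mode the section describes, extract the same archive once with plain tar and once through restore_with_labels and run verify against both: the plain extraction reports every file as having taken the destination directory's default type, the labelled one reports nothing.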
This article is from the "Lp-linux" blog; please keep this source attribution: http://linuxlp.blog.51cto.com/11463376/1773666
Linux Security --- SELinux security control