Linux SELinux Notes Collation

Source: Internet
Author: User
Tags: file permissions

SELinux (Security enhanced Linux)

System resources are read and changed by processes, so protecting them means controlling what processes may do. Traditional Linux relies on users and file permissions: when a process tries to access a resource, the kernel compares the user who started the process with the permissions on the file. This is discretionary access control (DAC). As security requirements for system resources grew, Linux gained a hardening mechanism, SELinux, which adds restrictions on processes and files beyond ordinary permissions; this is mandatory access control (MAC). The most intuitive difference between the two: under traditional DAC, root can access any file, whereas under MAC even root can only access the files the policy allows.

Contents

    • How SELinux works

    • Working mode and policy type

    • Security context

    • SELinux log management

I. How SELinux works

Let's start with some basic concepts under SELinux.

Subject # the subject that SELinux manages is the process

Object # the target that SELinux restricts a process from accessing, i.e. the file

Working mode # determines whether the SELinux mechanism is enabled

enforcing ===> enforcing mode, SELinux is enabled and blocks disallowed access

permissive ===> permissive mode, SELinux is enabled but does not block; it only prints a warning message

disabled ===> off, SELinux is turned off

Policy type (SELINUXTYPE) # the specific security policy SELinux enforces

strict ===> every process is restricted (only in CentOS 5)

targeted ===> the default type; mainly restricts network services

minimum ===> a trimmed-down version of targeted that restricts only some network services (CentOS 7)

mls ===> multilevel security, stricter

Security context

This is what we mostly modify: to access a file, a process's security context must be allowed by the policy to access the file's security context; the two do not have to be identical.

ls -Z filename # view the security context of a file

ps -eZ # view the security context of processes

sestatus # view the current working status of SELinux

The working principle is illustrated in the following figure (figure not reproduced):

II. Working mode and policy type

2.1 Working mode

getenforce shows the current SELinux working mode; setenforce changes it, but can only switch between permissive and enforcing.

~]# setenforce 0|1 # 0 = permissive, 1 = enforcing

Changing the mode with the command only lasts until the next boot. To make the change persistent, or to switch between disabled and the other two modes, you must edit the configuration file and reboot. The file is /etc/selinux/config; /etc/sysconfig/selinux can be edited as well, since it is in fact a symbolic link to /etc/selinux/config.

Note: when switching from disabled to another mode, the reboot takes a long time, because the security context has to be written for every controlled process and file. My friend thought it was an error in the configuration process and restored the snapshot directly.

2.2 Policy type

Each policy type has its own set of rules, which can be switched on or off (on|off, Boolean 1|0); turning a rule on or off controls in detail which files a given process may read.

getsebool -a or sestatus -b # show whether each rule (boolean) under the current policy type is on

setsebool -P rule_name [0|1] # turn the named rule on or off under the current policy type; -P also writes the change to the policy so it persists

III. Security context

3.1 Introduction to the security context

Both processes and files have a security context. A process's context is kept in memory with the process, while a file's context is stored with its inode; when a process accesses a file, the kernel reads the context from the inode and then decides whether the access is allowed.

ls -Z # show a file's security context

ps -eZ # show the security contexts of all processes

The context has up to 5 fields, separated by ":", with the following meanings:

user:role:type:sensitivity:category

User (identity)

    unconfined_u ===> an unrestricted user or file

    system_u ===> a restricted process or file

Role (for files, processes and users)

    object_r ===> file

    system_r ===> processes and users

Type (the data type; the most important field)

    determines which type of process may access which type of file

Sensitivity (security level)

    s0 ===> the lowest level

Category

    only meaningful under MLS; divides objects by classification, and may be absent


Context query tools: seinfo, sesearch

seinfo -u # list all values of the user field

seinfo -r # list all values of the role field

seinfo -t # list all values of the type field

sesearch -a can query which file types a process type is allowed to read

sesearch -a -s process_type # query which file types a process of this type may read

sesearch -a -b rule_name # query the rules governed by the given boolean (the rule is a boolean, hence the -b option)

3.2 Current context and expected context

Every file in the system has a context. What ls -Z shows is the current context. The expected context is the default context the system records for each file path: the system keeps these defaults and uses them as the expected contexts. The semanage command manages the expected context of each file, also called the expected label.

semanage fcontext -l # list all expected SELinux labels

semanage fcontext -a -t type target_directory # add an expected SELinux label

semanage fcontext -m -t type target_directory # modify an expected SELinux label

semanage fcontext -d -t type target_directory # delete an expected SELinux label

Format for a directory and everything under it:

~]# semanage fcontext -a -t type "directory(/.*)?"

3.3 Modifying the current context

Use the chcon command to change a security context by hand; format: chcon options target_file

chcon # change a file's context by hand; -R modifies a directory recursively, and -v shows the context before and after the change

chcon -t # change the type field of a file's context

chcon -u # change the user field of a file's context

chcon -r # change the role field

chcon -l # change the security level (range)

chcon -h # change a symbolic link itself; without -h the file the link points to is changed

chcon --reference=file # use the context of file as the template

Use the restorecon command to reset a context to its expected context; format: restorecon options target_file

restorecon -R # modify a directory recursively

restorecon -v # show what is being changed

3.4 Using semanage to change the port a service may use

Although this sounds like changing a port number, what is modified is still a security context: the label on the port. The tool is semanage, with the subcommand semanage port.

Query the context type of a service's ports:

Syntax: semanage port -l | grep service_name

Add a port to the ports a service may use:

Syntax: semanage port -a -t type -p protocol port_number (do not reuse a well-known port)

For example, add a port number for the SSH service, whose default is 22.

IV. Managing SELinux logs

Records of processes blocked by SELinux are kept in /var/log/audit/audit.log. The raw file is hard to read (run cat /var/log/audit/audit.log to see for yourself), so the system provides the sealert tool to organize the log for us. sealert takes a little time to process the file; wait patiently.

In addition, SELinux logging requires the auditd.service to be running.

Let's learn the sealert tool through a case (Apache SELinux configuration):

1. Make sure the httpd service is configured and running. For how to configure httpd, see the blog post: Apache Deployment httpd Service

2. The /usr/sbin/httpd process reads files ending in .html under /var/www/html/. Create the file ~/index.html in the home directory, write some content into it, and then move the new file to /var/www/html/.

3. In a browser, enter the local IP in the address bar to see whether it works. If the error page appears instead of index.html, access failed.

4. Having confirmed that the service configuration is correct, we have to consider that SELinux may be blocking the access. Run the command:

sealert -a /var/log/audit/audit.log

Reading the SELinux log, we find the httpd keyword and read that entry; that entry is our main concern, the rest is raw /var/log/audit/audit.log content we can ignore. We try the smallest fix first, namely correcting the SELinux label.

5. Run restorecon -v /var/www/html/index.html to restore the file's default label so that httpd may access it.

6. Refresh the browser to check the result; this time it succeeds.
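As an added example (not from the original notes), the following script summarizes AVC denial records in the audit.log format that sealert reads, so you can see which process type was denied which permission on which target type. The sample lines are constructed: the first two reproduce the case above, where index.html moved from a home directory kept its user_home_t label, and the third is a network denial added for contrast; the types and values in the sample are constructed, not real log data.

```shell
#!/bin/sh
# Added example (not from the original notes): summarize the AVC denials in
# audit.log the way a reader of `sealert -a` output would, showing which
# process type was denied which permission on which target type. The sample
# below is constructed in the real audit.log AVC layout; it is not a real log.
AUDIT_SAMPLE='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1401 comm="httpd" name="index.html" dev="dm-0" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { getattr } for  pid=1401 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000000.250:210): avc:  denied  { name_connect } for  pid=1402 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

# Value of key=value in an audit line, with surrounding quotes removed.
avc_field() {
    printf '%s\n' "$1" | awk -v k="$2" '{
        for (i = 1; i <= NF; i++) if (index($i, k "=") == 1) {
            v = substr($i, length(k) + 2); gsub(/"/, "", v); print v; exit } }'
}

# Permission(s) requested, i.e. the text inside "{ ... }".
avc_perm() { printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'; }

# Type field (third field) of a context such as system_u:system_r:httpd_t:s0.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# One summary line per AVC record:
#   <comm> <source type> <permission> <class> <target type> <target>
# The target is the path if logged, else the file name, else the port (dest).
summarize_denials() {
    printf '%s\n' "$AUDIT_SAMPLE" | grep '^type=AVC ' | while IFS= read -r line; do
        target=$(avc_field "$line" path)
        [ -n "$target" ] || target=$(avc_field "$line" name)
        [ -n "$target" ] || target=$(avc_field "$line" dest)
        printf '%s %s %s %s %s %s\n' "$(avc_field "$line" comm)" \
            "$(ctx_type "$(avc_field "$line" scontext)")" "$(avc_perm "$line")" \
            "$(avc_field "$line" tclass)" "$(ctx_type "$(avc_field "$line" tcontext)")" \
            "${target:--}"
    done
}

# A file denial whose target type is user_home_t under /var/www/html points at a
# wrong label (fix: restorecon, as in step 5 above); a tcp_socket denial points
# at a boolean (setsebool) or a port label (semanage port), not at a file label.
summarize_denials
```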
