SELinux
(Security enhanced Linux)
System resources are read and changed through processes. To keep those resources safe, traditional Linux uses the concepts of users and file permissions: the user who started a process is compared against the file's permission bits to decide whether the access is allowed. This is discretionary access control (DAC). As the security requirements on system resources grew, Linux gained a hardening mechanism, SELinux, which adds restrictions on processes and files beyond the permission bits to tighten the conditions of access; this is mandatory access control (MAC). The most intuitive contrast between the two: under traditional DAC, root can access any file, whereas under MAC even root can only access the files the policy settings allow.
I. How SELinux works
Let's start with some basic concepts in SELinux.
Subject # what SELinux manages is the process
Object # the target of the process's access, which SELinux restricts by managing the process; here it refers to the file
Working mode # determines whether the SELinux mechanism is active
enforcing ===> enforcing mode, SELinux is active and denials are enforced
permissive ===> permissive mode, SELinux is active but does not block anything; it only prints a warning message
disabled ===> disabled mode, SELinux is turned off
Policy type (SELINUXTYPE) # selects the specific SELinux security policy
strict ===> every process is restricted (CentOS 5 only)
targeted ===> the default type, which mainly restricts network services
minimum ===> a reduced version of targeted that restricts only some network services (CentOS 7)
mls ===> multi-level security, the most stringent
Security context
This is what we mainly modify: a process's security context must correspond to the file's security context (they do not need to be identical) for the process to access the file.
ls -Z file_name # view the security context of a file
ps -eZ # view the security context of processes
sestatus # view the detailed working status of SELinux
II. Working mode and policy type
2.1 Working mode
getenforce shows the current SELinux working mode; setenforce changes the working mode, but can only switch between permissive and enforcing.
~]# setenforce 0|1 # 0 sets permissive, 1 sets enforcing
Changing the mode with the command is only effective for the current boot. To make the change survive a reboot, or to switch between disabled and the other two modes, you must edit the configuration file and then restart. The configuration file is /etc/selinux/config; the file /etc/sysconfig/selinux can also be edited, since it is actually a symbolic link to /etc/selinux/config.
Notice: when SELinux is switched from disabled to one of the other modes, the reboot takes a long time because a security context has to be written for every controlled process and file. A colleague of mine thought this was an error in the configuration and restored a snapshot straight away.
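As an added example (not from the original notes), the following POSIX shell script reads and rewrites the SELINUX= line of a configuration file in the same format as /etc/selinux/config. It works on a constructed copy of the file so it runs without root or SELinux; the sample content, the temporary file and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): read and change the
# persistent SELinux mode in a config file. It works on a copy of
# /etc/selinux/config so it can be run as an ordinary user; pointing it at
# the real file (as root) makes the change that takes effect at next boot.

# Constructed sample of /etc/selinux/config, used instead of the live file.
selinux_sample_config() {
  cat <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these values: targeted, minimum, mls
SELINUXTYPE=targeted
EOF
}

# Mode that applies after the next reboot (the SELINUX= line of file $1).
selinux_persistent_mode() { sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1"; }

# Policy type in effect (the SELINUXTYPE= line of file $1).
selinux_policy_type() { sed -n 's/^SELINUXTYPE=\([a-z]*\).*/\1/p' "$1"; }

# Set SELINUX= in file $2 to mode $1. The value is validated first so a
# typo never reaches the file. Prints "relabel-required" when leaving
# disabled, because the next boot then has to write a context onto every
# file, which is what makes that reboot slow.
selinux_set_persistent_mode() {
  mode=$1 file=$2
  case "$mode" in
    enforcing|permissive|disabled) ;;
    *) echo "invalid SELinux mode: $mode" >&2; return 1 ;;
  esac
  old=$(selinux_persistent_mode "$file")
  # Rewrite through a temporary file: sed -i is not portable.
  sed "s/^SELINUX=.*/SELINUX=$mode/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  if [ "$old" = disabled ] && [ "$mode" != disabled ]; then
    echo relabel-required
  fi
}

# Stand-alone demo on a temporary copy of the sample config.
demo=$(mktemp)
selinux_sample_config > "$demo"
echo "configured: $(selinux_persistent_mode "$demo") / $(selinux_policy_type "$demo")"
selinux_set_persistent_mode enforcing "$demo"
echo "after edit: $(selinux_persistent_mode "$demo")"
rm -f "$demo"
```

The validation step matters more than it looks: the file is read at boot, so an invalid value is best caught before it is written.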
2.2 Policy type
Each policy type comes with its own set of rules, which are switched on or off (on|off, Boolean 1|0) according to the policy type; turning rules on and off is what specifically restricts which processes may read which files.
getsebool -a or sestatus -b # view whether each rule is on or off under the current policy type
setsebool -P rule_name [0|1] # turn the specified rule on or off under the current policy type; -P also writes the change to the file so it is permanent
III. Security context
3.1 Introduction to the security context
Security contexts exist on both processes and files: a process's context is held in memory together with the process, while a file's context resides in the file's inode. When a process accesses a file, the inode is read first and then it is decided whether the file may be accessed.
ls -Z # show the security context of a file
ps -eZ # show the security context of all processes
The context has up to 5 fields separated by ":"; their meanings are as follows:
user # identity: unconfined_u is an unrestricted user or file, system_u is a restricted process or file
role # what the object is: object_r is a file, system_r is a process or user
type # the data type and the most important field: it decides which type of process may access which type of file
sensitivity # the security level: s0 is the lowest; it is only meaningful under MLS
category # a finer classification; this field may be absent
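An added example, not part of the original notes, that parses a context string into the five fields above in POSIX shell and shows how to pick the context out of a line of ls -lZ or ps -eZ output. The contexts and the output lines are constructed samples, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original notes): split a security context
# into its fields. The contexts and the ls -lZ / ps -eZ lines are
# constructed samples, so this runs on any system.

# Print one field (user, role, type, level or category) of context $1.
# On a targeted system the level is usually just "s0" and the category is
# often absent, so a context may have four fields instead of five.
selinux_ctx_field() {
  ctx=$1 want=$2
  case "$ctx" in
    *:*:*:*) ;;
    *) echo "not a security context: $ctx" >&2; return 1 ;;
  esac
  c_user=${ctx%%:*};  rest=${ctx#*:}
  c_role=${rest%%:*}; rest=${rest#*:}
  c_type=${rest%%:*}; rest=${rest#*:}
  case "$rest" in
    *:*) c_level=${rest%%:*}; c_cat=${rest#*:} ;;   # MLS range plus categories
    *)   c_level=$rest;       c_cat= ;;             # no category field
  esac
  case "$want" in
    user)     printf '%s\n' "$c_user" ;;
    role)     printf '%s\n' "$c_role" ;;
    type)     printf '%s\n' "$c_type" ;;
    level)    printf '%s\n' "$c_level" ;;
    category) printf '%s\n' "$c_cat" ;;
    *) echo "unknown field: $want" >&2; return 1 ;;
  esac
}

# Pull the context out of a line of ls -lZ or ps -eZ output by picking the
# field shaped like user:role:type:level (ls puts it after the group, ps
# puts it first, so searching beats counting columns).
selinux_ctx_from_line() {
  set -f                      # no pathname expansion while splitting the line
  found=
  for word in $1; do
    case "$word" in *_u:*_r:*_t:*) found=$word; break ;; esac
  done
  set +f
  [ -n "$found" ] && printf '%s\n' "$found"
}

# Stand-alone demo on constructed lines.
ls_line='-rw-r--r--. 1 root root unconfined_u:object_r:user_home_t:s0 13 Jan  1 12:00 index.html'
ps_line='system_u:system_r:httpd_t:s0          1234 ?        00:00:00 httpd'
for line in "$ls_line" "$ps_line"; do
  ctx=$(selinux_ctx_from_line "$line")
  echo "$ctx: type=$(selinux_ctx_field "$ctx" type) level=$(selinux_ctx_field "$ctx" level)"
done
```

The type field is the one that decides access under the targeted policy, which is why the later sections only ever change that field.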
Context query tools: seinfo and sesearch
seinfo -u # list all values of the user field
seinfo -r # list all values of the role field
seinfo -t # list all values of the type field
sesearch -A # query which file types a process type may access (allow rules)
sesearch -A -s process_type # query which file types the given process type may access
sesearch -A -b rule_name # query which processes may access which file types under the given rule (the rule is a Boolean, hence -b)
3.2 Current context and expected context
Every file in the system has a context. The context shown by ls -Z is the current context. The expected context is the default context that the system records and saves for every path; these records are the expected contexts. The semanage command manages the expected context of each file, also called the expected label.
semanage fcontext -l # list all expected SELinux labels
semanage fcontext -a -t type target_directory # add an expected SELinux label
semanage fcontext -m -t type target_directory # modify an expected SELinux label
semanage fcontext -d -t type target_directory # delete an expected SELinux label
Convention for the target:
~]# semanage fcontext -a -t type "/directory(/.*)?"
3.3 Modifying the current context
Use the chcon command to modify a security context by hand; the format is chcon options target_file
chcon # modify a file's context by hand; -R modifies a directory recursively, -v shows the context before and after the change
chcon -t # modify the type field of the file's context
chcon -u # modify the user field of the file's context
chcon -r # modify the role field
chcon -l # modify the security level
chcon -h # modify the symbolic link itself; without -h the file the link points to is modified
chcon --reference=file # use the context of file as the template
Use the restorecon command to reset the current context to the expected context; the format is restorecon options target_file
restorecon -R # modify a directory recursively
restorecon -v # show what is being modified
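The next script is an added example (not code from the original notes) that compares current contexts against expected labels, which is the comparison restorecon performs natively. It uses a constructed excerpt of semanage fcontext -l output and constructed ls -Z output so it runs without SELinux; the sample paths, the rules and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): find files whose current
# context (what ls -Z shows) differs from the expected context (what
# semanage fcontext -l records). Both inputs are constructed samples so the
# script runs without SELinux; on a real system they would come from
# `semanage fcontext -l` and `ls -Z`, and restorecon does this natively.

# Constructed excerpt of `semanage fcontext -l` output: regex, file kind,
# expected context. The longest matching regex wins, as in the real policy.
SAMPLE_FCONTEXT='/var/www(/.*)?  all files  system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?  all files  system_u:object_r:httpd_sys_script_exec_t:s0
/home/[^/]+(/.*)?  all files  unconfined_u:object_r:user_home_t:s0'

# Constructed `ls -Z` output: current context and path. index.html was
# created in a home directory and moved, so it kept user_home_t.
SAMPLE_LS='system_u:object_r:httpd_sys_content_t:s0 /var/www/html/about.html
unconfined_u:object_r:user_home_t:s0 /var/www/html/index.html
system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/hello.cgi'

# The third colon-separated field of a context is the type.
ctx_type() { t=${1#*:*:}; printf '%s\n' "${t%%:*}"; }

# Expected type for path $1, taken from the most specific (longest) regex
# that matches it. Returns 1 when no rule covers the path.
selinux_expected_type() {
  path=$1 best= best_len=0
  while read -r line; do
    [ -n "$line" ] || continue
    re=${line%% *}            # first field: the path regex
    ctx=${line##* }           # last field: the expected context
    if printf '%s\n' "$path" | grep -Eq "^$re\$"; then
      if [ ${#re} -gt "$best_len" ]; then best=$ctx best_len=${#re}; fi
    fi
  done <<EOF
$SAMPLE_FCONTEXT
EOF
  [ -n "$best" ] || return 1
  ctx_type "$best"
}

# Read "context path" lines (ls -Z format) on stdin; print one line
# "path current_type expected_type" for every file whose type has drifted.
selinux_context_drift() {
  while read -r ctx path; do
    [ -n "$path" ] || continue
    cur=$(ctx_type "$ctx")
    exp=$(selinux_expected_type "$path") || continue   # no rule: nothing to compare
    [ "$cur" = "$exp" ] || printf '%s %s %s\n' "$path" "$cur" "$exp"
  done
}

# Stand-alone demo: list the drift and the restorecon command that fixes it.
printf '%s\n' "$SAMPLE_LS" | selinux_context_drift | while read -r p c e; do
  echo "$p is $c, expected $e -> restorecon -v $p"
done
```

Only the type field is compared, because that is the field restorecon changes in the case that matters here (a file moved out of a home directory keeping user_home_t).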
3.4 semanage: modifying the ports a process may access
Although this is described as modifying a port number, what is changed is still a security context. We use the semanage tool, with the command semanage port.
Query the context type field of a service
Syntax: semanage port -l | grep service_name
Add a port to the ports a service is allowed to use
Syntax: semanage port -a -t type -p protocol port_number (do not reuse a well-known port)
For example, add a port number for the SSH service, whose default port is 22.
IV. Managing SELinux logs
Records of processes blocked by SELinux are stored in the file /var/log/audit/audit.log, but the contents of that file are hard for a person to read (you can cat /var/log/audit/audit.log to see for yourself), so the system provides the sealert tool to organise the log file for us. sealert takes a little while to process the log file, so please be patient.
In addition, SELinux logging requires the auditd.service service to be running.
Let's learn the sealert tool through a combined case (SELinux configuration for Apache):
1. Make sure the httpd service is configured and started; for how to configure httpd, see the blog post: Apache Deployment httpd Service
2. The /usr/sbin/httpd process reads files ending in .html under the /var/www/html/ directory. Now create the file ~/index.html in the home directory, write some content into it, and then move the newly created file to /var/www/html/.
3. In the browser, enter the local IP in the address bar to check whether access succeeds; the following screen indicates that access failed.
4. We checked the service configuration and found no problem, so we have to consider that SELinux may have blocked our access. We run the command
sealert -a /var/log/audit/audit.log
Looking through the SELinux log we find the httpd keyword. The "read" content is what concerns us most; the rest is the contents of /var/log/audit/audit.log, which we can ignore. Finally, we prefer the smallest change, namely modifying the SELinux label.
5. Run restorecon -v /var/www/html/index.html to reset the file's label to the default, which httpd is allowed to access.
6. Check the result in the browser; this time access succeeds.
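As an added example that is not part of the original post, the following script does by hand what sealert does for us in the case above: it pulls the denials out of audit.log lines and maps each one to the remedy covered in this post (file label, port label, or Boolean). The log lines are constructed samples in the audit.log format, not records from any real system, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): summarise AVC denials from
# audit.log and map each to the kind of fix covered in this post. The log
# lines below are constructed samples in the audit.log format; on a live
# system read /var/log/audit/audit.log instead.

SAMPLE_AUDIT='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=123456 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000000.789:457): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8888 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# Value of " key=" ($2) in audit line $1, with surrounding quotes removed.
audit_field() {
  v=${1#*" $2="}
  [ "$v" != "$1" ] || return 1      # key not present on this line
  v=${v%% *}; v=${v#\"}; v=${v%\"}
  printf '%s\n' "$v"
}

# The third colon-separated field of a context is the type.
ctx_type() { t=${1#*:*:}; printf '%s\n' "${t%%:*}"; }

# Read audit lines on stdin; for each AVC denial print
# "comm permission class source_type target_type object".
avc_summary() {
  while read -r line; do
    case "$line" in type=AVC*denied*) ;; *) continue ;; esac
    perm=${line#*"{ "}; perm=${perm%%" }"*}
    comm=$(audit_field "$line" comm)
    tclass=$(audit_field "$line" tclass)
    stype=$(ctx_type "$(audit_field "$line" scontext)")
    ttype=$(ctx_type "$(audit_field "$line" tcontext)")
    # File denials carry name=, socket denials carry src= (the port).
    obj=$(audit_field "$line" name) || obj=$(audit_field "$line" src) || obj=-
    printf '%s %s %s %s %s %s\n' "$comm" "$perm" "$tclass" "$stype" "$ttype" "$obj"
  done
}

# Which of the post's remedies applies, from the object class ($1) and
# the target type ($2).
avc_hint() {
  case "$1:$2" in
    file:*|dir:*|lnk_file:*)
      echo "file label: run restorecon -v on the object (or fix the expected label with semanage fcontext)" ;;
    tcp_socket:*_port_t|udp_socket:*_port_t)
      echo "port label: add the port to the service with semanage port -a" ;;
    *)
      echo "no label fix applies: look for a Boolean with getsebool -a and sesearch -A -b" ;;
  esac
}

# Stand-alone demo over the sample log.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary | while read -r comm perm tclass stype ttype obj; do
  echo "$comm ($stype) denied $perm on $tclass $obj ($ttype): $(avc_hint "$tclass" "$ttype")"
done
```

The first sample denial is exactly the case from the steps above: httpd_t reading a file that still carries user_home_t, which restorecon fixes. The second is the section 3.4 situation, a service binding a port that is not labelled for it.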