Preliminary understanding of SELinux Security Management


Today, let's take a look at SELinux, the somewhat mysterious security management layer in Linux.

Basic concepts of SELinux Security

Security Enhanced Linux (SELinux) is an additional system security layer. The main goal of SELinux is to prevent system services from accessing user data they have no business reaching. Most Linux administrators are familiar with the standard user/group/other permission model. This user- and group-based model is called discretionary access control (DAC). SELinux provides another layer of security that is based on objects and governed by more complex rules, called mandatory access control (MAC).

SELinux is a set of security rules that determine which processes can access which files, directories, and ports. Each file, process, and port has a special security label called an SELinux context. The context is a name that SELinux policies use to decide whether a process may access a file, directory, or port. Unless an interaction is explicitly authorized, the policy does not allow it: if no rule allows an access, the access is denied.

An SELinux label has several fields: user, role, type, and sensitivity. The targeted policy (the default policy enabled in Red Hat Enterprise Linux) bases its rules on the third field, the type. Type names usually end in _t. The type of the web server (httpd) process is httpd_t. The type of files and directories in /var/www/html is httpd_sys_content_t. The type of files and directories in /tmp and /var/tmp is tmp_t. The type of the web server port is http_port_t.

SELinux simulation exercise

Exercise environment: RHEL7.0

1. If you do not know whether SELinux is enabled on your system, run the following command:

[root@server0 ~]# getenforce
Enforcing

Enforcing indicates that SELinux is currently enabled and enforcing its policy.

Next let's take a look at how to change the SELinux mode:

[root@server0 ~]# vim /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

There are three SELinux modes: Enforcing, Permissive, and Disabled. Disabled means SELinux is turned off; Permissive means that policy violations are only logged as warnings and the suspicious actions are not blocked; Enforcing means that violations are both logged and blocked.

Change the running status of SELinux

setenforce [ Enforcing | Permissive | 1 | 0 ]

This command immediately changes the running mode of SELinux, switching between Enforcing and Permissive; the change lasts only until the next reboot. A typical use is to check whether a service or program fails to run because of SELinux: if it still fails after setenforce 0, the problem is certainly not caused by SELinux.

If you want to change the SELinux mode permanently, edit the configuration file /etc/sysconfig/selinux. Note: after switching from Disabled to Permissive or Enforcing mode, reboot the machine and relabel the entire file system (touch /.autorelabel && reboot) so that every file gets a security label again.

2. Here is a small example:

With SELinux in Enforcing mode, we change the document root in httpd.conf and find that the web page can no longer be opened.

Here we change the http root directory to the following:

[root@server0 ~]# vim /etc/httpd/conf/httpd.conf

DocumentRoot "/html"
<Directory "/html">

Then create the html directory directly under / and put a test page in it:

[root@server0 ~]# mkdir /html
[root@server0 ~]# echo "bkjia" > /html/index.html

After the file is created, let's take a look at its context.

Most commands that display or set SELinux contexts use the -Z option; for example, ps, ls, cp, and mkdir all accept -Z to show or set the context.

After changing the document root, restart the httpd service and open the web page. You will get an error saying that you do not have permission to access the file.

To open the web page we use the elinks command; if it is not installed, install it with yum.

[root@server0 ~]# elinks http://localhost/index.html

Why does it show that there is no permission? Let's look down.

3. First, let's look at the standard context of the /var/www/html directory.

[root@server0 ~]# ll -Z /var/www/html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html

Then let's look at the context of the newly created directory.

[root@server0 html]# ll -Z
-rw-r--r--. root root system_u:object_r:default_t:s0 index.html

Here we can see that the context of /var/www/html (the original document root) is httpd_sys_content_t, while the context of the index.html file we created under /html is default_t.

Because the two types differ, the httpd process cannot read files and directories of type default_t, which is why the browser reports that there is no permission. We therefore need to change the context of the /html directory to a type that httpd is allowed to read.

Which type can httpd read? From the listing above we can see that httpd can read the httpd_sys_content_t type.

Once we know this type, we will change the/html directory to this type.

4. Change the SELinux context of a file

You can use two commands to change the context of SELinux: chcon and restorecon.

The chcon command sets the context of a file to the context given as a command argument.

chcon: modify the security context of an object (a file), i.e. user:role:type:level. Syntax:
chcon [OPTION]... CONTEXT FILE...
chcon [OPTION]... --reference=REF_FILE FILE...
CONTEXT is the security context to set
FILE... the objects to change
--reference=REF_FILE use the context of REF_FILE instead of specifying CONTEXT
-f forced execution
-R recursively modify the security context of an object
-r ROLE: set the role field of the security context
-t TYPE: set the type field of the security context
-u USER: set the user field of the security context
-v output a diagnostic for every file processed
-l, --range=RANGE: set the security level (range) of the security context

The restorecon command is the preferred method to change the SELinux context of a file or directory. Unlike chcon, the context is not explicitly specified when you use this command. It uses the rules in the SELinux policy to determine the file context.

The restorecon command restores the default SELinux security context of a file.
restorecon [-iFnrRv] [-e excludedir] [-o filename] [-f filename | pathname...]
-i: ignore nonexistent files.
-f infilename: read the list of files to process from infilename.
-e directory: exclude a directory.
-R/-r: process directories recursively.
-n: do not change any file labels (check only).
-o outfilename: write the list of files whose context is incorrect to outfilename.
-v: show progress on the screen.
-F: force the file security context to be restored.

The following is a demonstration:

Note: it is best not to use chcon to change the SELinux context of a file. If the file system is relabeled when the system starts, the file context will be restored to its default.

As you can see in the figure above, I use chcon -t to change the type context of the /html folder to the one httpd can read. chcon only changes the context on the folder; it does not change the default-context rule for it. When I then run restorecon to reapply the default rules, the context of /html changes back. This shows that a change made with chcon is only temporary: when the labels are refreshed, the context reverts to the original default. If you want the context to survive a relabel, you need to redefine the SELinux default context rules.

5. Define SELinux default file context rules

The semanage fcontext command displays or modifies the default file context rules, and the restorecon command applies those rules to files. A rule specifies the path and file name with an extended regular expression. The most common extended regular expression in an fcontext rule is (/.*)?, which means "optionally match a / followed by any number of characters". It matches the directory listed before the expression and, recursively, everything inside that directory.

The semanage command queries and modifies the default SELinux security context of directories.
semanage {login|user|port|interface|fcontext|translation} -l
semanage fcontext -{a|d|m} [-frst] file_spec
-l: list. fcontext is the subcommand that deals with file security contexts.
-a: add. Adds a default security context type setting for a path.
-m: modify.
-d: delete.

Next we will use the semanage fcontext command to change the default security context of the/html directory.

In the preceding figure, we first view the context of the /html directory, then use semanage to change the default context rule for it, and then use restorecon to apply the default rules again; the context of the /html directory is now changed. Next, let's test whether the web page can be opened.

Again we use elinks http://localhost/index.html to open our web page.

Now we can see that the page does not prompt that you do not have permission, but shows the bkjia field that we used echo to input.
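The following added example (not part of the original article) models what sections 3 to 5 demonstrate: how restorecon picks a file's default context from the fcontext rules, why /html came out as default_t, and how an added rule for /html(/.*)? changes the outcome. The file_contexts excerpt, the ls -Z lines and the semanage command it quotes are constructed and simplified; real rules also carry a file-type field and the real matcher in libselinux is more involved than this last-match-wins model.

```python
import re

# Constructed, simplified excerpt of the targeted policy's file_contexts (real
# entries also carry a file-type field such as -d or --; omitted here).
FILE_CONTEXTS = """
/.*                 system_u:object_r:default_t:s0
/tmp/.*             system_u:object_r:tmp_t:s0
/var/tmp/.*         system_u:object_r:tmp_t:s0
/var/www(/.*)?      system_u:object_r:httpd_sys_content_t:s0
"""

# What `semanage fcontext -a -t httpd_sys_content_t "/html(/.*)?"` records in
# file_contexts.local (assumed command; local rules are consulted last).
LOCAL_RULE = "/html(/.*)?   system_u:object_r:httpd_sys_content_t:s0"

# Constructed `ls -dZ` lines after `mkdir /html`, before any relabeling.
LS_Z_BEFORE = [
    "unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html",
    "unconfined_u:object_r:default_t:s0 /html",
    "unconfined_u:object_r:default_t:s0 /html/index.html",
]


def parse_rules(text):
    """Turn 'regex context' lines into (compiled regex, context) pairs, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            spec, ctx = line.split()
            rules.append((re.compile(spec + r"\Z"), ctx))  # whole path must match
    return rules


def expected_context(path, rules):
    """Context restorecon would set: the last rule in file order that matches wins."""
    for regex, ctx in reversed(rules):
        if regex.match(path):
            return ctx
    return None


def context_type(ctx):
    """The type field (third of user:role:type:level) that the targeted policy keys on."""
    return ctx.split(":")[2]


def mislabeled(ls_z_lines, rules):
    """Emulate `restorecon -n`: (path, current type, expected type) for every mismatch."""
    report = []
    for line in ls_z_lines:
        ctx, path = line.split()[-2:]  # context and path are the last two fields
        want = expected_context(path, rules)
        if want and context_type(ctx) != context_type(want):
            report.append((path, context_type(ctx), context_type(want)))
    return report
```

With only the policy rules, /html correctly resolves to default_t, so restorecon has nothing to fix and httpd stays locked out; once the local rule is appended, mislabeled() lists /html and /html/index.html, which is exactly what restorecon then relabels to httpd_sys_content_t.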
