Unit 9 & Unit 10: SELinux Management; System Recovery

Source: Internet
Author: User
Tags: administrator password

**************************************

SELinux Management ************

**************************************

1. Basic SELinux Security Concept

2. Display and change SELinux mode

1) Viewing: ps axZ | ps -ZC <name> | ls -Z

vim /etc/sysconfig/selinux (the SELinux configuration file; on RHEL 7 it is a symlink to /etc/selinux/config)

(disabled: SELinux off; enforcing: the policy is enforced; permissive: denials are only logged, nothing is blocked. Switching between enforcing and permissive at runtime is done with setenforce 1|0; switching to or from disabled in the configuration file takes effect only after a reboot, and coming back from disabled triggers a full relabel of the filesystem.)

ls -Z <file> (view the security context, including the type, of a file)

Example: ps axZ | grep vsftpd

Explanation: once SELinux is enabled, confined services such as vsftpd are subject to it (most basic network services are confined). For example, you can see the files under /var/ftp/pub, but if you create a file under /mnt and mv it into /var/ftp/pub, then list /pub over lftp, the file you created under /mnt is not there. The reason is that the security context type of the directory and that of the moved file are different: mv keeps the file's original label (mnt_t, inherited from /mnt), whereas cp creates a new file that inherits the target directory's default label, so a copied file would have been visible.

2) Changing contexts

(1) Temporary change with chcon: the new label is written to the file but not recorded in policy, so any relabel (restorecon, or the full autorelabel that runs after SELinux is re-enabled in the configuration file and the system restarts) resets the file to the directory's default security context type. If the default type already grants access, nothing more is needed; if it differs, the file must be changed to the appropriate type.

chcon -R -t public_content_t /var/ftp/pub (change the security context type of every file under pub to public_content_t so the FTP server can read them; -R recurses into subdirectories)

chcon --reference=/etc/passwd /var/www/html/index.html (use one file, /etc/passwd, as the template for the security context of another file, /var/www/html/index.html). Running restorecon on the file afterwards restores its default security context.

(2) Permanent change with semanage: the rule is written into the policy's file-context database, so restorecon and every later relabel (including the one after a reboot with autorelabel) apply the security context type you added for that directory.

semanage fcontext -l | grep ftpdir (example: view the default security context type recorded for the /ftpdir directory)

semanage fcontext -a -t public_content_t '/ftpdir(/.*)?' (-a: add a rule; -t: the type to assign; the trailing '(/.*)?' is the commonly used regular expression that matches the directory itself and everything under it)

restorecon -RvvF /ftpdir/ (every file and directory that is relabelled is printed on the screen; -R: include subdirectories; -v: report changes on the screen; -F: force the whole context, not only the type, back to the policy default; add -n to only show what would change without touching anything)

(3) Changing SELinux booleans (sebool): these are switches the policy already provides; turn on the one you need and the restriction goes away without relabelling anything.

getsebool -a | grep ftp (view the booleans that affect the FTP service)

setsebool -P ftpd_anon_write on (allows the FTP daemon to write to directories labelled public_content_rw_t, i.e. anonymous uploads; without -P the setting lasts only until the next boot, with -P it is also written to the persistent configuration. Changing a boolean does not require switching modes with setenforce 1|0, so the service keeps running under enforcing mode.)
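As an added example (not from the original note), the comparison that restorecon -n performs between a file's current type and the type the fcontext rules prescribe, done in plain shell on constructed text so it runs on a machine without SELinux. The rule list mimics the regex/type pairs that semanage fcontext -a records, the listing mimics ls -Z output for the /ftpdir scenario above, and "longest matching regex wins" is this toy's own precedence rule, an assumption that simplifies how setfiles really resolves overlapping rules.

```bash
#!/bin/sh
# Added example: dry-run "what would restorecon change" on constructed input.

# Constructed rules in the form `semanage fcontext -l` prints them: regex, type.
FCONTEXT_RULES='/ftpdir(/.*)? public_content_t
/ftpdir/incoming(/.*)? public_content_rw_t'

# Constructed `ls -Z`-style listing (RHEL 7 prints mode owner group context path;
# newer coreutils print only context path; the parser uses the last two fields).
LS_Z_SAMPLE='drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /ftpdir
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 /ftpdir/readme.txt
-rw-r--r--. root root unconfined_u:object_r:mnt_t:s0 /ftpdir/moved-from-mnt.iso
drwxr-xr-x. root root unconfined_u:object_r:public_content_t:s0 /ftpdir/incoming
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 /ftpdir/incoming/upload.bin'

# relabel_plan RULES < listing
# Prints one line per path whose type differs from what the rules prescribe:
#   <path> <current_type> -> <expected_type>
# Assumption of this toy: the longest matching regex is the most specific rule.
relabel_plan() {
  awk -v rules="$1" '
    BEGIN {
      n = split(rules, lines, "\n")
      for (i = 1; i <= n; i++) {
        if (lines[i] ~ /^[ \t]*(#|$)/) continue
        split(lines[i], f, " ")
        nr++; re[nr] = "^" f[1] "$"; ty[nr] = f[2]   # anchor like setfiles does
      }
    }
    NF >= 2 {
      path = $NF
      split($(NF - 1), ctx, ":")   # user:role:type:range -> type is field 3
      cur = ctx[3]
      best = ""; bestlen = -1
      for (i = 1; i <= nr; i++)
        if (path ~ re[i] && length(re[i]) > bestlen) { best = ty[i]; bestlen = length(re[i]) }
      if (best != "" && best != cur) print path, cur, "->", best
    }
  '
}

# Demo: the directory itself, the file moved in from /mnt, and the incoming
# subtree all get flagged; readme.txt already carries the right type.
printf '%s\n' "$LS_Z_SAMPLE" | relabel_plan "$FCONTEXT_RULES"
```

The moved-from-mnt.iso line is exactly the lftp symptom from the previous section: its mnt_t label survived the mv, and only a relabel (or a chcon) brings it in line with the directory's rule.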

3. Monitoring SELinux denials

* The setroubleshoot-server package must be installed for SELinux messages to be forwarded to /var/log/messages.

* setroubleshoot-server watches the audit records in /var/log/audit/audit.log and writes a short summary to /var/log/messages.

* The summary carries a unique identifier (UUID) for the SELinux denial, which can be used to gather more information: sealert -l <UUID> generates a report for that specific event.

sealert -a /var/log/audit/audit.log generates a report for all events in that file. (Without setroubleshoot, ausearch -m avc -ts recent lists the raw AVC records.)
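Added example (not from the original note): the first pass an administrator makes over audit.log before reaching for sealert, namely grouping AVC denials by process, source type, target type, object class and permission. It runs on a constructed audit.log excerpt, not a capture from a real host; the first denial is the /mnt to /var/ftp/pub scenario above, the other two are anonymous-upload attempts. The triage hints are a heuristic of this example, not sealert's output.

```bash
#!/bin/sh
# Added example: summarise AVC denials from audit.log-style lines (constructed).

AUDIT_SAMPLE='type=AVC msg=audit(1412345678.123:456): avc:  denied  { read } for  pid=1234 comm="vsftpd" name="disk.iso" dev="vda1" ino=1234 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file
type=SYSCALL msg=audit(1412345678.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1412345690.001:470): avc:  denied  { write } for  pid=1234 comm="vsftpd" name="pub" dev="vda1" ino=2222 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(1412345691.002:471): avc:  denied  { write } for  pid=1234 comm="vsftpd" name="pub" dev="vda1" ino=2222 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_t:s0 tclass=dir'

# summarize_avc < audit-lines
# One line per distinct (comm, source type, target type, class, permissions):
#   <count> <comm> <source_type> <target_type> <tclass> <perms>
# Only type=AVC "denied" records are counted; SYSCALL and granted records are skipped.
summarize_avc() {
  awk '
    /^type=AVC / && /avc: +denied/ {
      perm = ""; comm = ""; st = ""; tt = ""; tc = ""
      # permissions are inside "{ ... }"
      if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (!eq) continue
        k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
        if (k == "comm") { gsub(/"/, "", v); comm = v }
        else if (k == "scontext") { split(v, c, ":"); st = c[3] }   # user:role:TYPE:...
        else if (k == "tcontext") { split(v, c, ":"); tt = c[3] }
        else if (k == "tclass") tc = v
      }
      n[comm " " st " " tt " " tc " " perm]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -k2
}

# triage_hint TARGET_TYPE TCLASS PERMS
# Heuristic for this example: a "location" type on the target usually means a
# mislabelled file; a write into read-only FTP content points at a boolean.
triage_hint() {
  case "$1:$3" in
    mnt_t:*|tmp_t:*|user_home_t:*|default_t:*)
      echo "label looks wrong for the location: restorecon -Rv, or add a semanage fcontext rule" ;;
    public_content_t:*write*)
      echo "write to read-only FTP content: setsebool -P ftpd_anon_write on and label the dir public_content_rw_t" ;;
    *)
      echo "check getsebool -a and sealert -l <UUID>" ;;
  esac
}

# Demo over the constructed lines
printf '%s\n' "$AUDIT_SAMPLE" | summarize_avc | while read -r cnt comm st tt tc perms; do
  echo "$cnt x $comm ($st) -> $tt $tc { $perms }: $(triage_hint "$tt" "$tc" "$perms")"
done
```

On a real host replace the constructed variable with `ausearch -m avc -ts today --raw | summarize_avc`; the grouping is what makes a burst of identical denials (the two writes above) readable as one problem rather than many.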


***************************************

System Recovery *****************

***************************************

1. System Startup process

Power on

||

BIOS (firmware in read-only storage on the motherboard; Basic Input/Output System)

Function: detect and activate the hardware, then hand over to the boot device

||

GRUB system boot (the GRUB boot is divided into two stages)

1) Stage 1: MBR (Master Boot Record), the first sector of the disk (track 0, one sector of 512 bytes; the first 446 bytes hold the boot code, followed by the partition table and the boot signature)

*) dd if=/dev/zero of=/dev/vda bs=446 count=1 (wipes only the boot code and leaves the partition table intact; this is the lab way of breaking stage 1)

*) Recovery: boot into rescue mode, run chroot /mnt/sysimage to switch into the real root environment, and execute grub2-install /dev/vda

2) Stage 2: the GRUB file boot phase

Locate the /boot partition

Read /boot/grub2/grub.cfg

If the file is missing: grub2-mkconfig -o /boot/grub2/grub.cfg

"Test": when the boot menu appears within the normal timeout, press c to enter the manual boot prompt and type the following (when grub.cfg is missing, GRUB drops into this prompt by itself)

set root='hd0,msdos1' (the device this points at can be read from grub.cfg beforehand)

linux16 /boot/vmlinuz-3.10.0-123.el7.x86_64 ro root=/dev/vda1

initrd16 /boot/initramfs-3.10.0-123.el7.x86_64.img

boot

(These paths assume /boot is a directory on the root filesystem, as root=/dev/vda1 implies. If /boot is a separate partition, set root to that partition and drop the /boot prefix. Tab completion works at the grub> prompt, so the exact kernel and initramfs file names can be completed rather than typed.)

||

Boot the kernel, mount the root device read-only

Detect devices

Initialise device drivers

Enter the system initialisation phase

Kernel lost: reinstalling the kernel package resolves it

rpm -ivh kernel-xxxxxx.rpm --force (from rescue mode, inside chroot /mnt/sysimage; --force reinstalls the package version the RPM database already knows about over the missing files)

||

System initialisation phase

The initrd (initramfs) image is what carries the system into the initialisation phase

Start the init process, systemd

Load the SELinux policy

Apply kernel parameters

Initialise the system clock, keyboard and host name

Remount the root device read-write

Activate RAID and LVM

Activate quotas

Start all services in multi-user.target.wants

Turn on the virtual consoles

Start the graphical environment

initramfs-`uname -r`.img lost? Rebuild it with:

mkinitrd /boot/initramfs-`uname -r`.img `uname -r`

In rescue mode you can use mkinitrd /boot/initramfs-$(uname -r).img $(uname -r) to regenerate the lost file (initramfs-3.10.0-123.el7.x86_64.img). Do this after chroot /mnt/sysimage, and note that uname -r reports the rescue media's kernel, which need not be the installed one: take the version from ls /lib/modules (or rpm -q kernel) instead. On RHEL 7 mkinitrd is a wrapper around dracut, so dracut -f /boot/initramfs-<version>.img <version> does the same job.

Recovery

Default boot entry (entries are numbered from 0 for the first one)

grub2-set-default <entry number>

Manual boot into an editable boot entry

*) Edit the startup entry: at the boot menu, select the entry and press e (the interface prompts for it). On the line beginning with linux16, find ro, delete from there to the end of the line and replace it with rw rd.break; press Ctrl+x to boot. This drops into an emergency shell inside the initramfs, before the real root filesystem is switched to; run chroot /sysroot to get into your own system, then make the changes you need. (Without rw on the command line, /sysroot is mounted read-only and needs mount -o remount,rw /sysroot first.)

1) The administrator password has been tampered with

passwd (change the password)

*) touch /.autorelabel (after changing the password in this emergency mode, create /.autorelabel, otherwise the change may not take effect. The reason is SELinux: no policy is loaded in the initramfs shell, so passwd rewrites /etc/shadow without its correct label and a confined login cannot read it; the marker file makes the next boot relabel the whole filesystem, which takes a while. Alternatively run load_policy -i and restorecon -v /etc/shadow before exiting, which fixes only that file.)

2) bash deleted (you cannot get a shell in your own system, and chroot /sysroot fails with an error; boot into rescue mode from the installation media first)

cp /bin/bash /mnt/sysimage/bin/bash (bash is lost: copy the rescue environment's bash onto the local disk and the system boots again. The rescue media should be the same release as the installed system so the copied binary matches the installed libraries; reinstalling the bash package with rpm from inside chroot /mnt/sysimage is the cleaner fix.)

* Understand the multi-user.target.wants directory that controls which services start at boot

When a service is enabled to start at boot, all that actually happens is that a symbolic link to its unit file is created in a directory that is read automatically at boot.

1) For example, enabling vsftpd at boot (systemctl enable vsftpd) is really: ln -s /usr/lib/systemd/system/vsftpd.service /etc/systemd/system/multi-user.target.wants/ (if you delete that link, the service no longer starts at boot; that is what systemctl disable does.)

2) At boot the system loads /etc/systemd/system/default.target, normally a link to the graphical target, /usr/lib/systemd/system/graphical.target (which in turn pulls in the units under graphical.target.wants/). If you link default.target to reboot.target instead, the machine reboots, boots, reboots again, and so on; then it is over. Joking aside, the solution: boot manually into the editable mode above (rw rd.break, then chroot /sysroot), delete the link and point it back at the graphical target: ln -sf /usr/lib/systemd/system/graphical.target /etc/systemd/system/default.target, which is what systemctl set-default graphical.target does. For a single boot, appending systemd.unit=multi-user.target to the linux16 line overrides default.target without editing anything on disk.
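Added example (not from the original note): the default.target and multi-user.target.wants mechanics described above, exercised against a throwaway fake root under mktemp so nothing on the real system is touched. The unit names are the standard systemd ones; the fake root layout and the helper function names are assumptions of this example. The same functions work with "/" as the root argument from a chroot /sysroot shell, which is the by-hand repair for the reboot loop.

```bash
#!/bin/sh
# Added example: reproduce, detect and repair the default.target -> reboot.target
# misconfiguration in a fake root (mktemp), and show what "enabled" means.

# Minimal layout plus the broken state: default.target linked to reboot.target.
make_fake_root() {
  root=$1
  mkdir -p "$root/usr/lib/systemd/system" "$root/etc/systemd/system/multi-user.target.wants"
  for u in graphical.target multi-user.target reboot.target vsftpd.service; do
    : > "$root/usr/lib/systemd/system/$u"
  done
  ln -sfn /usr/lib/systemd/system/reboot.target "$root/etc/systemd/system/default.target"
}

# Name of the unit default.target points at (what systemctl get-default prints).
get_default_target() {
  basename "$(readlink "$1/etc/systemd/system/default.target")"
}

# Returns 1 when the default target would reboot or power the machine off at boot.
check_default_target() {
  case "$(get_default_target "$1")" in
    reboot.target|poweroff.target|halt.target) return 1 ;;
    *) return 0 ;;
  esac
}

# By-hand equivalent of "systemctl set-default TARGET"; refuses unknown units
# so a typo cannot leave default.target dangling.
set_default_target() {
  root=$1; target=$2
  [ -e "$root/usr/lib/systemd/system/$target" ] || return 2
  ln -sfn "/usr/lib/systemd/system/$target" "$root/etc/systemd/system/default.target"
}

# By-hand equivalents of systemctl enable / disable / is-enabled for a service
# wanted by multi-user.target: "enabled" is nothing more than the .wants symlink.
enable_unit()  { ln -sfn "/usr/lib/systemd/system/$2" "$1/etc/systemd/system/multi-user.target.wants/$2"; }
disable_unit() { rm -f "$1/etc/systemd/system/multi-user.target.wants/$2"; }
is_enabled()   { [ -L "$1/etc/systemd/system/multi-user.target.wants/$2" ]; }

# Demo: build the broken state, detect it, repair it, enable vsftpd, clean up
ROOT=$(mktemp -d)
make_fake_root "$ROOT"
echo "default.target -> $(get_default_target "$ROOT")"
check_default_target "$ROOT" || echo "every boot would end in reboot.target; repairing"
set_default_target "$ROOT" graphical.target
echo "default.target -> $(get_default_target "$ROOT")"
enable_unit "$ROOT" vsftpd.service
is_enabled "$ROOT" vsftpd.service && echo "vsftpd.service enabled via multi-user.target.wants"
rm -rf "$ROOT"
```

On a live system use systemctl set-default and systemctl enable instead; the functions only make visible that both commands come down to one symlink, which is what you manipulate by hand from the rd.break or rescue shell when systemctl is not available.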

