**************************************
SELinux Management ************
**************************************
1. Basic SELinux Security Concept
2. Display and change SELinux mode
1) Viewing: ps axZ | ps -ZC <name> | ls -Z
vim /etc/sysconfig/selinux "SELinux configuration file"
(disabled: off; enforcing: mandatory; permissive: warning only; a state change made in this file takes effect after a restart)
ls -Z XX "view the security context type of a file"
Example: ps auZ | grep vsftpd
"Explanation: if SELinux is enabled, services that it confines, such as vsftpd (most basic network services are confined), behave like this: you can see the files under /var/ftp/pub/, but if you create a file under /mnt and mv it to /var/ftp/pub, then connect with lftp and list /pub/, the file you created under /mnt is not shown. This is because the 'security context' types of the directory and of the file are different."
2) Changing
1) Temporary change (after the SELinux configuration file is modified and the system restarted, a file's type is automatically reset to the directory's default 'security context' type; if that type matches, the file can be accessed, if it differs, it must be changed to the appropriate type)
chcon -t public_content_t /var/ftp/pub -R "change the security context type of every file under pub to 'public_content_t' so the files can be seen"
chcon --reference=/etc/passwd /var/www/html/index.html "use one file (/etc/passwd) as the template for the 'security context' of another file (/var/www/html/index.html)"; running restorecon restores the default 'security context'
2) Permanent change (after a restart SELinux automatically applies the 'security context' type you added for the modified directory)
semanage fcontext -l | grep ftpdir "Example: view the default 'security context' type for the /ftpdir directory"
semanage fcontext -a -t public_content_t '/ftpdir(/.*)?' "-a: add a rule, -t: the type to set; the fixed, commonly used regular-expression suffix is '(/.*)?'"
restorecon -RvvF /ftpdir/ "the modified files and directories are printed on the screen" "-R: include subdirectories; -v: print to the screen; -F: force the files to the default 'security context' type"
3) Change a sebool (SELinux Boolean) "this kind of change enables exactly the feature you want"
getsebool -a | grep ftp "view the sebool settings for the FTP service"
setsebool -P ftpd_anon_write on "enables the FTP service write feature; afterwards toggling setenforce 1|0 by hand no longer affects the functionality of the service you are using. -P means: write the setting directly to the configuration so it persists across reboots"
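The mislabeled-file situation described above (a file moved from /mnt keeps its mnt_t type inside /var/ftp/pub) can be spotted before a user reports it. The following POSIX shell script is an added example, not part of these course notes: it reads ls -Z output (so it also runs where SELinux is absent, against constructed sample lines), extracts the type field from each context, lists every file whose type differs from the type the directory is supposed to carry, and reads the SELINUX= mode from configuration text. The function names and the sample lines are my own construction.

```shell
#!/bin/sh
# Added example (not from the notes): find files whose SELinux type differs from
# the type expected under a directory, working from the text that `ls -Z` prints.

# context_type LINE: print the type (third field of user:role:type:level) found in one ls -Z line
context_type() {
    printf '%s\n' "$1" | awk '{
        # the context is the first field that contains at least two ":" separators
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+/) { split($i, c, ":"); print c[3]; exit }
    }'
}

# find_mislabeled EXPECTED_TYPE  (stdin = ls -Z output)
# prints "path actual_type" for every entry whose type is not EXPECTED_TYPE
find_mislabeled() {
    expected=$1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        t=$(context_type "$line")
        name=${line##* }                  # ls -Z prints the name as the last field
        [ "$t" = "$expected" ] || printf '%s %s\n' "$name" "$t"
    done
}

# config_mode  (stdin = contents of /etc/sysconfig/selinux): print enforcing|permissive|disabled
config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' | tail -n 1
}

# Constructed sample: two files under /var/ftp/pub, the second one was mv'ed in from /mnt
SAMPLE_LS='-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 /var/ftp/pub/readme.txt
-rw-r--r--. root root unconfined_u:object_r:mnt_t:s0 /var/ftp/pub/moved_from_mnt.txt'

# Constructed sample configuration file text
SAMPLE_CONFIG='# constructed sample of /etc/sysconfig/selinux
SELINUX=enforcing
SELINUXTYPE=targeted'

# Stand-alone run: report the mode and every file that needs chcon/restorecon
printf 'SELinux mode from config: %s\n' "$(printf '%s\n' "$SAMPLE_CONFIG" | config_mode)"
printf '%s\n' "$SAMPLE_LS" | find_mislabeled public_content_t
```

On a real host replace the sample with ls -Z /var/ftp/pub/* and cat /etc/sysconfig/selinux; any path the script prints is a candidate for chcon -t public_content_t (temporary) or a semanage fcontext rule plus restorecon (permanent), exactly as in the notes above.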
3. Monitor SElinux conflicts
* The setroubleshoot-server package must be installed for SELinux messages to be sent to /var/log/messages
* setroubleshoot-server watches the audit information in /var/log/audit/audit.log and writes a short summary to /var/log/messages
* The summary includes a unique identifier (UUID) for the SELinux conflict, which can be used to gather more information. sealert -l UUID generates a report for that specific event.
sealert -a /var/log/audit/audit.log generates a report of all events in that file.
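sealert gives the full report, but when setroubleshoot is not installed a quick triage of the raw AVC records in audit.log is often enough to see which domain was denied what on which type. The script below is an added example, not part of the notes: a POSIX shell function wrapping awk that keeps only type=AVC lines and prints, per denial, the process, the denied permission, the object class, the source and target types, and the permissive flag. The audit lines are constructed samples in the standard audit format; the function name is mine.

```shell
#!/bin/sh
# Added example (not from the notes): one-line triage summary per AVC denial in audit.log text.

# avc_summary  (stdin = audit.log lines): one summary line per type=AVC record, other records ignored
avc_summary() {
    awk '/^type=AVC/ {
        comm = ""; perm = ""; tclass = ""; st = ""; tt = ""; pmode = ""
        # denied permissions sit between "{" and "}", e.g. "{ read }" or "{ read write }"
        s = index($0, "{"); e = index($0, "}")
        if (s > 0 && e > s) { perm = substr($0, s + 1, e - s - 1); gsub(/^ +| +$/, "", perm) }
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "comm")            { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "tclass")     tclass = kv[2]
            else if (kv[1] == "permissive") pmode = kv[2]
            else if (kv[1] == "scontext")   { split(kv[2], c, ":"); st = c[3] }   # source domain type
            else if (kv[1] == "tcontext")   { split(kv[2], c, ":"); tt = c[3] }   # target object type
        }
        printf "comm=%s denied=%s tclass=%s source=%s target=%s permissive=%s\n",
               comm, perm, tclass, st, tt, pmode
    }'
}

# Constructed sample audit records: the ftp case from the notes plus a port-bind denial,
# with an unrelated SYSCALL record in between that must be skipped
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="vsftpd" name="moved_from_mnt.txt" dev="vda1" ino=5678 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="vsftpd"
type=AVC msg=audit(1700000000.456:789): avc:  denied  { name_bind } for  pid=2345 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# Stand-alone run
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```

On a real host run avc_summary < /var/log/audit/audit.log (or pipe in ausearch -m avc output). A file target type that does not belong under the service's directory points at a chcon/restorecon fix; a port or capability target points at a sebool or a port rule; permissive=1 means the access was logged but not blocked.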
***************************************
System Recovery *****************
***************************************
1. System Startup process
Power
||
BIOS (in read-only storage on the motherboard; Basic Input/Output System)
function: hardware detection, hardware activation
||
GRUB system boot (GRUB boot is divided into two stages)
1) Stage 1: MBR (Master Boot Record), track 0 of the hard disk, one sector, 446 bytes
*) dd if=/dev/zero of=/dev/vda bs=446 count=1 clears the MBR
*) boot into rescue mode, run chroot /mnt/sysimage to switch into the real / environment,
and execute grub2-install /dev/vda
2) Stage 2: GRUB file boot phase
Locate the /boot partition
Read /boot/grub2/grub.cfg
If the file is missing: grub2-mkconfig > /boot/grub2/grub.cfg
"Test": at the normal boot-entry menu press c to enter manual boot and type the following (in the failure case you land at the c prompt directly)
set root='hd0,msdos1' "this location can be looked up in grub.cfg beforehand"
linux16 /boot/vmlinuz-3.10.0-123.el7.x86_64 ro root=/dev/vda1
initrd16 /boot/initramfs-3.10.0-123.el7.x86_64.img
boot
||
boot the kernel, mount / read-only
detect devices
initialize the device drivers
enter the system initialization phase
If the kernel is lost, it can be repaired by installing a new kernel package:
rpm -ivh kernel-xxxxxx.rpm --force
||
System initialization phase
The system initialization phase is carried in the initrd image
Start the init process systemd
Start SELinux
Apply the kernel parameters
Initialize the system clock, keyboard, host name
Remount / read-write
Activate RAID, LVM
Activate quotas
Start all services in multi-user.target.wants
Turn on the virtual consoles
Start graphics
If initramfs-`uname -r`.img is lost:
mkinitrd initramfs-`uname -r`.img `uname -r`
In emergency/rescue mode you can run mkinitrd /boot/initramfs-$(uname -r).img $(uname -r) to regenerate the lost file (initramfs-3.10.0-123.el7.x86_64.img).
Recovery
"Default boot entry (numbering starts at 0 for the first entry)"
grub2-set-default <entry number>
"Manual boot into the character-mode edit page"
*) Enter the boot-entry editor (writable) "press c when the boot entry is selected (the interface prompts for it). Find the line starting with linux16 ..., locate ro, delete everything after it and append: rw rd.break; then Ctrl+x. After the reload you get a shell; enter your own root (chroot /sysroot) and start changing what you need to change"
1) The administrator password has been tampered with:
passwd (change the password)
*) touch /.autorelabel "relabels the system after the configuration change. Example: the lab is to change the password by hand in rescue mode without knowing it. Run touch /.autorelabel after changing the password, otherwise the change may not take effect, which is related to (SELinux) protection."
2) bash deleted "you cannot get into your own bash; chroot /sysroot fails unexpectedly" "boot into rescue mode first"
cp /bin/bash /mnt/sysimage/bin/bash "when bash is lost, copy bash from the rescue environment onto the local machine and it works."
* Understand and become familiar with the multi-user.target.wants* files that control which services start at boot
When a service is enabled to start at boot, what actually happens is that a soft link is created to the unit file, in the directory that is read automatically at boot:
1) For example, enabling the vsftpd service is really: ln -s /usr/lib/systemd/system/vsftpd.service /etc/systemd/system/multi-user.target.wants/ into that directory. "If you delete the link, the service no longer starts at boot."
2) When the system boots it automatically loads /etc/systemd/system/default.target, usually the graphical one; by default this link points to the graphical target (/usr/lib/systemd/system/graphical.target.wants/). If you point it at the reboot target instead, the machine reboots, and reboots again, haha, and then it is over. Joking aside, "the fix: boot manually into the editable mode, delete the link, and replace it with one pointing at the graphical target"
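The recovery steps in this unit (missing initramfs, missing grub.cfg, missing kernel, a default.target that points at the reboot target, unit links in multi-user.target.wants) can all be checked from rescue mode before rebooting. The script below is an added example, not part of the course notes: it takes the root tree to inspect as a parameter (/mnt/sysimage in rescue mode; a constructed sample directory here so it runs offline), prints one line per problem together with the repair command from the notes, and contains the notes' default.target repair as a function. It assumes the standard unit path /usr/lib/systemd/system/graphical.target for the graphical target; all function names are mine.

```shell
#!/bin/sh
# Added example (not from the notes): pre-reboot check of a root tree from rescue mode.

# check_boot_tree ROOT KVER: print one line per problem found; prints nothing when clean
check_boot_tree() {
    root=$1
    kver=$2
    [ -f "$root/boot/vmlinuz-$kver" ] ||
        echo "missing /boot/vmlinuz-$kver: reinstall the kernel package (rpm -ivh kernel-<ver>.rpm --force)"
    [ -f "$root/boot/initramfs-$kver.img" ] ||
        echo "missing /boot/initramfs-$kver.img: regenerate it (mkinitrd /boot/initramfs-$kver.img $kver)"
    [ -f "$root/boot/grub2/grub.cfg" ] ||
        echo "missing /boot/grub2/grub.cfg: regenerate it (grub2-mkconfig > /boot/grub2/grub.cfg)"
    # default.target decides what systemd starts; a link to reboot.target is a reboot loop
    target=$(readlink "$root/etc/systemd/system/default.target" 2>/dev/null || true)
    case "$target" in
        "")                              echo "default.target is missing or not a symlink" ;;
        *reboot.target|*poweroff.target) echo "default.target -> $target: the machine would reboot/power off at every boot" ;;
    esac
    # every link in multi-user.target.wants must resolve to a real unit file
    for link in "$root"/etc/systemd/system/multi-user.target.wants/*.service; do
        [ -L "$link" ] || continue          # unmatched glob or a plain file
        [ -e "$link" ] || echo "dangling unit link: ${link#"$root"}"
    done
    return 0
}

# fix_default_target ROOT: the repair from the notes, point default.target back at the graphical target
fix_default_target() {
    ln -sfn /usr/lib/systemd/system/graphical.target "$1/etc/systemd/system/default.target"
}

# make_sample_tree: constructed sample root with three deliberate faults, prints its path
make_sample_tree() {
    d=$(mktemp -d)
    kver=3.10.0-123.el7.x86_64              # kernel version used in the notes
    mkdir -p "$d/boot/grub2" "$d/etc/systemd/system/multi-user.target.wants" "$d/usr/lib/systemd/system"
    : > "$d/boot/vmlinuz-$kver"             # kernel present; initramfs deliberately missing (fault 1)
    : > "$d/boot/grub2/grub.cfg"
    : > "$d/usr/lib/systemd/system/vsftpd.service"
    ln -s /usr/lib/systemd/system/reboot.target "$d/etc/systemd/system/default.target"      # fault 2: reboot loop
    ln -s "$d/usr/lib/systemd/system/vsftpd.service" "$d/etc/systemd/system/multi-user.target.wants/vsftpd.service"
    ln -s "$d/usr/lib/systemd/system/httpd.service" "$d/etc/systemd/system/multi-user.target.wants/httpd.service"  # fault 3: dangling
    echo "$d"
}

# Stand-alone run: report, apply the default.target repair, report again
KVER=3.10.0-123.el7.x86_64
SAMPLE_ROOT=$(make_sample_tree)
echo "before repair:"; check_boot_tree "$SAMPLE_ROOT" "$KVER"
fix_default_target "$SAMPLE_ROOT"
echo "after repair:";  check_boot_tree "$SAMPLE_ROOT" "$KVER"
```

In rescue mode the real call is check_boot_tree /mnt/sysimage "$(uname -r)" (after chroot /mnt/sysimage, use / and the version of the kernel you actually boot). The remaining two findings in the sample, the missing initramfs and the dangling httpd link, are the cases where you run mkinitrd from the notes, or remove the link, respectively.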
"Unit9 & Unit10" SELinux management; system Recovery