Notes on SELinux (based on Bird's Linux notes; corrections welcome)

Source: Internet
Author: User

SELinux stands for "Security-Enhanced Linux". It is not a separate, inherently secure distribution but a set of kernel extensions plus a policy that add mandatory access control to an ordinary Linux system.


Traditional file permissions and ownership: discretionary access control (DAC)

Under DAC, whether an access is allowed is decided from the identity of the user running the program and the rwx permission bits on the file resource. A process carries the full rights of its user, so a compromised service running as root can read and write anything root can.


Policy rules stating which program may read which file: mandatory access control (MAC)

Under MAC, the subject is no longer the user but the program (process) itself, and the policy lists the target resources (files, directories, ports and so on) that program is allowed to touch. SELinux is a MAC layer that is consulted in addition to, not instead of, the DAC rwx check.


First of all, we should understand a few concepts

  • Subject:
    What SELinux wants to control is the program, so you can equate the "subject" with the process;

  • Object (target):
    The target resource that the subject program wants to access is most often something on the file system, so the object can be equated with the file system (files, directories and similar resources);

  • Policy:
    Because there are so many programs and files, SELinux ships basic access-control policies built around individual services. Each policy contains many detailed rules that state whether a given service may access a given resource. The CentOS 5.x that Bird's note describes offers two policies:

    • targeted: tight restrictions on network-facing services, few on local programs; this is the default policy;

    • strict: full SELinux confinement of every process, with much tighter limits.

It is recommended that you use the default targeted policy. (On CentOS 6 and later the choices offered in /etc/selinux/config are targeted, minimum and mls; the strict policy is no longer shipped.)

Rules: in day-to-day use you mostly need to know how to turn individual rules (booleans) on and off to permit or deny a particular kind of access.

  • Security context:
    We have covered subject, object and policy, but for the subject to reach the object, besides a policy rule permitting it, the security context of the subject and the security context of the object must be what that rule expects (somewhat like the file-system rwx check). Only then does the access go through.

The security context has to be set correctly for each process and each file.

A process's security context is kept in memory by the kernel.

A file's security context is stored with the file on disk, in an extended attribute (security.selinux) attached to its inode.

Because the context sits alongside the inode, the kernel can check it together with the rwx permission bits on every access.

Viewing the security context of a file

# ls -Z /usr/local/nginx/html/index.html

-rw-r--r--. root root unconfined_u:object_r:usr_t:s0 /usr/local/nginx/html/index.html

The context reads user:role:type:level (here unconfined_u, object_r, usr_t and the MLS level s0; Bird's note only discusses the first three).

  • Identity (SELinux user):
    Roughly equivalent to an account identity. Three common identities are:

    • root: the identity of the root account;

    • system_u: the identity of system processes and of the files they own, usually seen on daemons;

    • user_u: the identity associated with an ordinary user account.

    The SELinux user is not the Linux login name; the file in the example above carries unconfined_u, the identity given to everything started from an unconfined login shell on a targeted system.

  • Role:
    From the role field we can tell whether the entry belongs to a process, a file resource or a user. Common roles are:

    • object_r: a file or directory (a passive resource); this is the most common one;

    • system_r: a process; on the CentOS 5 targeted policy ordinary users' processes are also given system_r.

  • Type (the most important field!)
    In the default targeted policy the identity and role fields hardly matter; what matters is the type. Whether a subject program may read a file resource is decided almost entirely by this field. It is named differently on the two sides:

    • type: on a file resource (object) it is called the type;

    • domain: on a process (subject) it is called the domain;

    • a policy rule must allow the domain to access the type; only then can the program read the file resource.

Correlation between the subject program's domain and the file's type

# ls -Zd /usr/sbin/httpd /var/www/html

-rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/sbin/httpd

drwxr-xr-x root root system_u:object_r:httpd_sys_content_t /var/www/html


    1. First, a user or the init system starts the executable /usr/sbin/httpd, whose file type is httpd_exec_t;

    2. Because of that file type, the policy transitions the process (subject) created from it into the httpd_t domain, and the policy contains many rules for this domain, including which types of target resource it may read;

    3. Since the httpd_t domain is allowed to read objects of type httpd_sys_content_t, a web page placed under /var/www/html/ can be read by the httpd process;

    4. Passing the SELinux check is not enough on its own: the ordinary rwx permission bits must also permit the access, or the data still cannot be read!


Two things follow from this. First, the policy must define the detailed domain/type rules (the targeted policy already does so for the services it ships with).

Second, if a file carries the wrong type, the subject program cannot read it even when its permission bits are a wide-open 777: both the DAC check and the SELinux check must pass, and loosening one never compensates for the other.
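To make the two-stage check concrete, here is a small shell simulation added to these notes (it is not part of Bird's original and is not how the kernel implements the check). It parses constructed lines in the shape of `ls -Z` output, looks the file's type up in a hypothetical allow table standing in for the targeted policy's rules for the httpd_t domain, and then checks the DAC read bit for "others" (httpd runs as the apache user, which owns none of these files). The sample lines, the rule table and the paths are assumptions for illustration only.

```shell
#!/bin/sh
# Added example: simulate SELinux type enforcement followed by the DAC check.
# SAMPLE_FILES is constructed to look like `ls -Z` output (perms owner group context path);
# it was not captured from a real host.
SAMPLE_FILES='-rw-r--r-- root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
-rwxrwxrwx root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/2.html
-rw------- root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/secret.html
-rw-r--r-- root root system_u:object_r:shadow_t:s0 /etc/shadow'

# Hypothetical allow rules standing in for the targeted policy: domain -> types it may read.
allowed_types() {
  case "$1" in
    httpd_t) echo "httpd_sys_content_t httpd_sys_rw_content_t" ;;
    *)       echo "" ;;
  esac
}

# Field N of a context string user:role:type:level (3 = type).
ctx_field() {
  printf '%s\n' "$1" | cut -d: -f"$2"
}

# MAC check: is there a rule letting the domain ($1) read the object's type (from context $2)?
mac_allows() {
  ftype=$(ctx_field "$2" 3)
  for t in $(allowed_types "$1"); do
    [ "$t" = "$ftype" ] && return 0
  done
  return 1
}

# DAC check: the "others" read bit is character 8 of the permission string.
# (A trailing "." after the bits, as printed by newer ls, is tolerated by the *.)
dac_allows_read() {
  case "$1" in
    ???????r*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Both checks must pass; the first one that fails is reported as the reason.
decide() {
  perms=$(printf '%s\n' "$2" | awk '{print $1}')
  ctx=$(printf '%s\n' "$2" | awk '{print $4}')
  path=$(printf '%s\n' "$2" | awk '{print $5}')
  if ! mac_allows "$1" "$ctx"; then
    echo "deny  $path (type $(ctx_field "$ctx" 3) is not readable from domain $1; rwx does not matter)"
  elif ! dac_allows_read "$perms"; then
    echo "deny  $path (type ok, but DAC bits $perms give others no read access)"
  else
    echo "allow $path"
  fi
}

# Run every sample line through the decision as the httpd_t domain.
printf '%s\n' "$SAMPLE_FILES" | while IFS= read -r line; do
  decide httpd_t "$line"
done
```

The 2.html line is the interesting one: 777 permissions and still denied, because its type admin_home_t has no rule for httpd_t. The secret.html line shows the reverse failure, where the type is right but DAC says no.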


Viewing the SELinux mode

# getenforce

Enforcing

The first two modes below count as "on"; the third is off:

    • enforcing: enforcing mode, meaning SELinux is running and actually restricting access according to the domain/type rules;

    • permissive: permissive mode, meaning SELinux is running but only logs a warning for accesses the policy would deny, without blocking them. This mode is useful for debugging SELinux problems;

    • disabled: off, SELinux is not running at all.

Viewing the SELinux policy

targeted mainly confines network services; strict confines local programs as well.

# sestatus

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted


SELinux configuration file

# vim /etc/selinux/config

SELINUX=enforcing        startup mode: enforcing, permissive or disabled

SELINUXTYPE=targeted     policy type


Starting up and shutting down SELinux

Changing the policy type (SELINUXTYPE) requires a reboot, and the file system has to be relabelled for the new policy.

Going from an "on" mode (enforcing or permissive) to off (disabled), or the other way round, also requires a reboot. When re-enabling after a period in disabled mode, files created in the meantime carry no context, so create /.autorelabel before rebooting to force a full relabel.

Switching between enforcing and permissive does not require a reboot.

Before rebooting, check whether the kernel is being booted with SELinux turned off:

# vim /boot/grub/menu.lst

If the 'kernel' line does not contain selinux=0, SELinux will start at the next boot (in the mode given by SELINUX= in /etc/selinux/config).


Switching between the two "on" modes

# setenforce 0      switch to permissive mode

# setenforce 1      switch to enforcing mode
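The settings above (SELINUX= in /etc/selinux/config, a selinux=0 on the kernel line, and setenforce at run time) interact, and it is easy to reboot into a mode you did not expect. The following shell helper is an added example, not part of Bird's notes: it reads a constructed copy of /etc/selinux/config and a constructed kernel command line, predicts the mode the system will come up in, and says whether a requested change needs a reboot. It assumes the kernel-parameter semantics libselinux implements: selinux=0 disables SELinux outright and enforcing=0 turns an enforcing configuration into permissive. The sample config text and command lines are illustrative.

```shell
#!/bin/sh
# Added example: predict the SELinux mode after the next boot from the config file and the
# kernel command line. SAMPLE_CONFIG and the command lines below are constructed, not read
# from a real host.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values: enforcing, permissive, disabled
SELINUX=enforcing
# SELINUXTYPE= can take one of these values: targeted, minimum, mls
SELINUXTYPE=targeted'

# Value of KEY=value in the config text ($2), ignoring comments and whitespace; last one wins.
config_value() {
  printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1=[[:space:]]*\([^[:space:]#]*\).*/\1/p" | tail -n 1
}

# True if the kernel command line ($2) carries parameter $1, matched as a whole word.
has_kernel_param() {
  case " $2 " in
    *" $1 "*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Mode after reboot: kernel parameters override the config file.
#   selinux=0    -> disabled, whatever the file says
#   enforcing=0  -> permissive instead of enforcing
effective_mode() {
  mode=$(config_value SELINUX "$1")
  if has_kernel_param selinux=0 "$2"; then
    echo disabled
    return 0
  fi
  case "$mode" in
    enforcing|permissive|disabled) ;;
    *) echo invalid-config; return 0 ;;
  esac
  if [ "$mode" = enforcing ] && has_kernel_param enforcing=0 "$2"; then
    echo permissive
    return 0
  fi
  echo "$mode"
}

# Does going from mode/policy ($1/$2) to mode/policy ($3/$4) need a reboot?
# enforcing <-> permissive is a live setenforce; anything involving "disabled" or a change
# of policy type means a reboot (and, when leaving disabled, a relabel).
needs_reboot() {
  if [ "$2" != "$4" ]; then
    return 0
  fi
  case "$1:$3" in
    disabled:disabled)     return 1 ;;
    disabled:*|*:disabled) return 0 ;;
    *)                     return 1 ;;
  esac
}

echo "config says: $(config_value SELINUX "$SAMPLE_CONFIG") / $(config_value SELINUXTYPE "$SAMPLE_CONFIG")"
echo "boot with 'ro root=/dev/sda1':             $(effective_mode "$SAMPLE_CONFIG" 'ro root=/dev/sda1')"
echo "boot with 'ro root=/dev/sda1 selinux=0':   $(effective_mode "$SAMPLE_CONFIG" 'ro root=/dev/sda1 selinux=0')"
echo "boot with 'ro root=/dev/sda1 enforcing=0': $(effective_mode "$SAMPLE_CONFIG" 'ro root=/dev/sda1 enforcing=0')"
```

On a live host the same two inputs are /etc/selinux/config and /proc/cmdline; the point of the helper is that the kernel line wins, so an audit that only reads the config file can report "enforcing" on a box that boots with SELinux off.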


Working with security contexts

Viewing the security context of a process

# ps auxZ | grep httpd


Viewing the security context of files

# ls -Z /var/www/html/

-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 1.html

-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 2.html        created in root's home directory and then moved here with mv: mv keeps the file's original context, so it still carries admin_home_t and httpd cannot read it (cp would have created a new file that inherits the directory's default type)

-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 4.html  created by root directly under /var/www/html, so it inherited the directory's default type


Modifying the security context of a file

One thing to be aware of first: once a package is installed, the default contexts for its paths are already defined by the policy; for example, after Apache is installed the default type for /var/www is fixed as httpd_sys_content_t.

# chcon -t httpd_sys_content_t /var/www/html/index.html

-R: modify recursively;

-t: the type field of the context to set, e.g. httpd_sys_content_t;

-u: the user (identity) field, e.g. system_u;

-r: the role field, e.g. system_r;

--reference=sample_file: copy the context of the given file onto the files that follow.

A context set with chcon is lost the next time the file is relabelled (by restorecon or an autorelabel). To serve content from a non-default location permanently, record the mapping in the policy with semanage fcontext -a -t httpd_sys_content_t and then apply it with restorecon.


Restoring a file's default security context (the default the policy defines for its path)

# restorecon -v /var/www/html/5.html

restorecon reset /var/www/html/5.html context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
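As an added example (not from Bird's notes), the following shell snippet does what a practitioner would do after the mv surprise above: it scans constructed lines in the shape of `ls -Z /var/www/html` output, reports every entry whose type is not the httpd_sys_content_t the policy assigns under /var/www, and prints the restorecon command that repairs each one. The listing, and the assumption that everything under this web root should carry httpd_sys_content_t, are illustrative; on a real host `restorecon -n -v -R /var/www/html` performs the same comparison against the actual file_contexts database and is the tool to use.

```shell
#!/bin/sh
# Added example: find files under a web root whose SELinux type is not the policy default
# and emit the restorecon commands that would repair them.
# WEBROOT_LISTING is constructed to look like `ls -Z /var/www/html`; it is not real output.
WEBROOT_LISTING='-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 1.html
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 2.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 4.html
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 upload.php'

# Assumed policy default for everything under /var/www (what restorecon would apply).
EXPECTED_TYPE=httpd_sys_content_t

# Print "name current_type" for each entry whose type differs from the expected one.
# The context is field 4 of an ls -Z line; the type is its third colon-separated part.
find_mislabeled() {
  printf '%s\n' "$1" | awk -v want="$EXPECTED_TYPE" '
    NF >= 5 { split($4, c, ":"); if (c[3] != want) print $5, c[3] }'
}

# Number of mislabeled entries, the value a periodic check would alert on.
count_mislabeled() {
  find_mislabeled "$1" | wc -l | tr -d ' '
}

# One restorecon per offending file, with the current (wrong) type in a trailing comment.
# chcon -t "$EXPECTED_TYPE" would also work, but restorecon reapplies the policy default and
# so cannot be handed a wrong type by mistake.
repair_commands() {
  find_mislabeled "$1" | while read -r name cur; do
    echo "restorecon -v $2/$name   # currently $cur"
  done
}

echo "mislabeled entries: $(count_mislabeled "$WEBROOT_LISTING")"
repair_commands "$WEBROOT_LISTING" /var/www/html
```

The upload.php line shows the second common way a file ends up mislabeled: it was written to /tmp by an upload handler and moved into place, so it still carries user_tmp_t.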

