SELinux is short for "Security Enhanced Linux", which literally means a security-enhanced (hardened) Linux.
Traditional file permissions and the owner/account relationship are discretionary access control (DAC): whether access is allowed is decided from the rwx permission bits of the program's owner and of the file resource.
SELinux instead adds mandatory access control (MAC): a policy rule states that a specific program may read a specific file.
The subject is no longer the user but the program, and the object is the file resource that the program is allowed to read.
First, a few concepts must be understood.
Subject:
What SELinux mainly wants to manage is the program, so the "subject" can be equated with the process.
Object (target):
The "target resource" that the subject program accesses is usually the file system, so the object can be equated with the file system.
Policy:
Because there are so many programs and files, SELinux establishes basic access security policies per service. Within each policy there are detailed rules specifying whether a given service may access certain resources. Only two main policies are available in the current CentOS 5.x:
Targeted: mainly restricts network services and imposes fewer limits on local programs; this is the default policy.
Strict: full SELinux restrictions, much tighter.
It is recommended that you use the default targeted policy.
Rules: all you need to know is how to turn an individual rule on or off to allow or deny that access.
Security context:
We have covered the subject, the object and the policy, but for the subject to access the object, besides the policy allowing it, the security contexts of the subject and the object (somewhat like file system rwx) must also match before access is permitted.
The security context has to be configured by you.
A program's security context is held in memory; a file's security context is stored in the file's inode.
The security context in the inode and the rwx permission bits are both checked when confirming access.
Viewing the security context of a file:
[root@host ~]# ll -Z /usr/local/nginx/html/index.html
-rw-r--r--. root root unconfined_u:object_r:usr_t:s0 /usr/local/nginx/html/index.html
The context fields are identity:role:type (followed here by the level s0).
Identity (identify):
Equivalent to the account identity. The three common subject identities are:
root: the identity of the root account;
system_u: the identity of system programs, usually a process;
user_u: the identity associated with an ordinary user account.
Role:
The role field tells whether the data belongs to a program, a file resource, or a user. The common roles are:
object_r: represents a file or directory, i.e. a file resource; this should be the most common;
system_r: represents a program; however, ordinary users are also assigned system_r.
Type (the most important!):
Under the default targeted policy, the identity and role fields are basically unimportant; what matters is the type field. Whether a subject program can read a file resource depends on the type field. The type field is named differently on files and on programs:
type: on a file resource (object) it is called the type;
domain: on a subject program it is called the domain.
The domain must match the type before the program can read the file resource.
Relationship between the subject program's domain and the file's type:
[root@host ~]# ll -Zd /usr/sbin/httpd /var/www/html
-rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/sbin/httpd
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t /var/www/html
First, we execute a target file, /usr/sbin/httpd, whose type is httpd_exec_t;
that file type lets the subject program (process) created from it enter the httpd_t domain, and the policy has defined many rules for this domain, including which target resource types it may read;
since the httpd_t domain is allowed to read objects of type httpd_sys_content_t, web pages placed in /var/www/html/ can be read by the httpd process;
but whether the correct data can finally be read also depends on whether the rwx bits satisfy the normal Linux permission check!
So, first, the policy must define the detailed domain/type relationship;
second, if a file's type is mislabelled, the subject program cannot read the target file resource even if its permissions are set to a full rwx 777.
Viewing the SELinux mode:
[root@host ~]# getenforce
Enforcing
The first two of the three modes are "on"; the third is "off":
enforcing: enforcing mode; SELinux is running and is actively restricting domain/type access;
permissive: permissive mode; SELinux is running but only logs warnings and does not actually restrict domain/type access. This mode can be used for debugging SELinux;
disabled: off; SELinux is not running at all.
Viewing the SELinux policy:
targeted mainly manages network services;
strict also restricts local programs.
[root@host ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
SELinux configuration file:
[root@host ~]# vim /etc/selinux/config
SELINUX=enforcing       the startup mode
SELINUXTYPE=targeted    the policy
Starting and shutting down SELinux:
Changing the policy requires a reboot.
Going from an "on" mode (enforcing or permissive) to "off" (disabled), or vice versa, requires a reboot.
Switching between enforcing and permissive does not require a reboot.
Before rebooting, check whether the kernel will start SELinux at boot:
[root@host wanjiadi]# vim /boot/grub/menu.lst
If the 'kernel' line does not contain selinux=0, SELinux will start after the reboot.
Switching between the startup modes:
[root@host ~]# setenforce 0    switch to permissive mode
[root@host ~]# setenforce 1    switch to enforcing mode
Working with security contexts
Viewing the security context of a process:
[root@host wanjiadi]# ps auxZ | grep httpd
Viewing the security context of files:
[root@host ~]# ll -Z /var/www/html/
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 1.html
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 2.html    created in /root and moved here with mv, so it kept the admin_home_t type
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 4.html    created by root directly under /var/www/html
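To tie the domain/type explanation above to the listing just shown, here is an added Python example (not from the original post or from Bird's notes) that parses ll -Z output and reports which files under the web root httpd would be denied: first by the MAC check (the type must be one httpd_t may read), then by the ordinary DAC rwx check. The sample listing, the apache user and the set of httpd-readable types are assumptions constructed for the demonstration.

```python
import re
from collections import namedtuple

# Constructed sample of `ll -Z` output, modelled on this page's listings (values assumed).
SAMPLE_LS_Z = """\
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/1.html
-rw-r--r--. root   root   unconfined_u:object_r:admin_home_t:s0 /var/www/html/2.html
-rw-r--r--. root   root   unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/4.html
-rwx------. root   root   system_u:object_r:httpd_sys_content_t:s0 /var/www/html/5.html
"""
# Object types httpd_t may read under targeted; an assumed subset (the loaded policy is authoritative).
HTTPD_READABLE_TYPES = {"httpd_sys_content_t", "httpd_sys_rw_content_t"}
Context = namedtuple("Context", "user role type level")

def parse_context(label):
    """Split 'user:role:type:level'; the level may itself contain ':' (e.g. s0-s0:c0.c1023)."""
    user, role, type_, *rest = label.split(":")
    return Context(user, role, type_, ":".join(rest))

LINE_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9}[.+]?)\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<ctx>\S+)\s+(?P<path>\S.*)$")

def parse_ls_z(text):
    """Parse `ls -lZ` style lines into (mode, owner, group, Context, path) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m["mode"], m["owner"], m["group"], parse_context(m["ctx"]), m["path"]))
    return rows

def audit_webroot(text, web_user="apache"):
    """Return {path: [reasons]} for files httpd would be denied: MAC (type) check, then DAC (rwx)."""
    problems = {}
    for mode, owner, group, ctx, path in parse_ls_z(text):
        reasons = []
        if ctx.type not in HTTPD_READABLE_TYPES:
            reasons.append(f"type {ctx.type} is not readable by httpd_t (restorecon it)")
        if owner == web_user:
            can_read = mode[1] == "r"   # owner read bit
        elif group == web_user:
            can_read = mode[4] == "r"   # group read bit
        else:
            can_read = mode[7] == "r"   # other read bit
        if not can_read:
            reasons.append(f"mode {mode} denies read to {web_user}")
        if reasons:
            problems[path] = reasons
    return problems
```

On the sample, 2.html is flagged for its admin_home_t label (the mv case from the listing) and 5.html for its mode, even though its type is correct; both checks have to pass.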
Modifying the security context of a file
One more note: after a package is installed, e.g. Apache, the type of /var/www (httpd_sys_content_t) is already determined by the policy.
[root@host ~]# chcon -t httpd_sys_content_t /var/www/html/index.html
-R: modify recursively;
-t: followed by the type field of the security context, e.g. httpd_sys_content_t;
-u: followed by the identity, e.g. system_u;
-r: followed by the role, e.g. system_r;
--reference=example_file: take a file as the example and give the files that follow the same context.
Restoring a file's default security context (based on the settings for the current directory):
[root@host ~]# restorecon -v /var/www/html/5.html
restorecon reset /var/www/html/5.html context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
Notes from studying SELinux (reading Bird's notes). Corrections are welcome.