Foreword:
When writing a blog post, keep the 5W1H rule in mind: what, why, where, how.
The main content of this article:
Authority authentication
SELinux operating mode/startup mode
Security Context View and modification
Brief introduction:
SELinux stands for Security-Enhanced Linux, that is, security-hardened Linux.
It was designed to prevent "misuse of resources by internal staff". It is a kernel module that applies fine-grained permission settings based on processes, files and other details.
Authority authentication:
(1) The traditional relationship between file permissions and accounts: discretionary access control, DAC (discretionary access controls)
When a process needs to access a file, the system checks the file's permission bits against the owner of the process; if the check passes, the file can be accessed. A process's permissions are therefore decided by the process owner and the file's rwx bits.
This can lead to resource misuse through user error, even damage to critical files: for example, an administrator grants a file overly broad permissions, so an ordinary user ends up with modify rights on a key file.
(2) Rules that monitor specific processes against specific file resources: mandatory access control, MAC (mandatory access controls)
The same user gets different permissions depending on which process is used. Permissions are decided by the process, so the subject of access control shifts from the user to the process, which allows much finer-grained control.
[Figure: SELinux access control flowchart]
SELinux mode of operation:
Subject --> Policy --> Object
Subject: the subject, i.e. the process
Policy: predefined policies, further subdivided into detailed rules (rule), plus a predefined set of Boolean values.
Related configuration file: /etc/selinux/config
CentOS 6:
targeted: partial SELinux control; only the processes of network services are strictly monitored
strict: full SELinux control; all processes are strictly monitored
CentOS 7:
targeted: partial SELinux control; only the processes of network services are strictly monitored
minimum: a cut-down targeted policy that monitors only selected processes
mls: full SELinux control; all processes are strictly monitored
Object: the target, i.e. a file or another process
Related commands:
View or modify whether a SELinux Boolean rule is enabled:
getsebool
getsebool -a
Lists all SELinux Boolean rules
getsebool BOOLEAN
Shows one SELinux Boolean rule
setsebool
setsebool [-P] BOOLEAN VALUE | boolean1=val1 ...
Modifies a Boolean value; -P makes the change persistent across reboots
Example:
[root@localhost html]# getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> ...
... partial output omitted ...
[root@localhost html]# setsebool allow_httpd_anon_write on
[root@localhost html]# getsebool allow_httpd_anon_write
allow_httpd_anon_write --> on
Security context:
SELinux attaches a security label to every file and to every process; whether an access is allowed is decided by comparing the process label with the file label.
Although a label has 3 parts, only the 3rd field decides whether a process may access a file resource: when the process's domain (its 3rd field) matches the file's type (its 3rd field), access is possible, regardless of the other fields.
Any action whose labels do not match, or that is not explicitly authorized by policy, is denied.
Security Label Storage location:
Process: In-memory
File: Inode
Format:
Both file and process labels consist of 3 colon-separated parts, with different meanings:
File: object:role:type
Process: subject:role:domain
object/subject:
Equivalent to the user in traditional permissions, for example:
unconfined_u: unrestricted user; the processes and files of logged-in users are mostly labelled this way
system_u: a process or file produced by a system user, the system itself, or software
role:
Describes whether this resource is a process, a file, or a user:
object_r: this resource is a file
unconfined_r: this resource is a user process
system_r: this resource is a system process
type/domain:
A process can read a file resource only if its domain matches the file's type.
Viewing the security context:
File:
ls -Z FILE
Process:
ps -eZ
SELinux startup mode:
enforcing: enforcing mode
permissive: permissive mode, warnings only (written to the log), no actual restriction
disabled: off
Related configuration file:
/etc/selinux/config
Related commands:
getenforce
Shows the current SELinux mode
setenforce 0|1
Sets the current SELinux mode
0: permissive
1: enforcing
A mode set this way is lost after the system reboots.
Modifying the security context:
chcon
chcon [OPTION]... CONTEXT FILE...
chcon [OPTION]... [-u USER] [-r ROLE] [-t TYPE] FILE...
chcon [OPTION]... --reference=RFILE FILE...
-R: apply recursively
restorecon [-R] FILE
Restores the default label defined by the policy for FILE
Example:
# install the httpd service
[root@localhost ~]# yum -y install httpd
[root@localhost ~]# service httpd start
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain for ServerName [ OK ]
[root@localhost ~]# cd /var/www/html/
[root@localhost html]# echo
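As an added example (not code from the original post), the following POSIX shell script applies the label rules above to a web root: it parses ls -Z output, flags files whose type field is not httpd_sys_content_t, and prints the chcon / restorecon fix commands for review. The ls -Z lines are constructed sample data, and the expected type and file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: audit the type field of
# file labels in a web root, the only field SELinux compares with the process
# domain. A file moved into /var/www/html from elsewhere keeps its old type
# (for example user_home_t), so httpd_t is denied even when the rwx bits allow.
# Input is constructed "ls -Z" output (CentOS 7 style); the trailing "s0" is
# the MLS level, a 4th label field the post does not discuss.
set -f    # no glob expansion when splitting lines into words below
SAMPLE_LS_Z='-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 upload.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 about.html
-rw-rw-r--. root root unconfined_u:object_r:admin_home_t:s0 notes.txt'

# ctx_field LABEL N: print the Nth colon-separated field of a security label
# (1 = user, 2 = role, 3 = type/domain, 4 = MLS level when present).
ctx_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# mislabelled_files EXPECTED_TYPE   (reads ls -Z lines on stdin)
# Prints "NAME CURRENT_TYPE" for each file whose type is not EXPECTED_TYPE.
# The label is the word with two or more colons and the name is the last word,
# so the old 5-column and newer 2-column "ls -Z" formats both work; file names
# containing spaces are not handled.
mislabelled_files() {
    expected="$1"
    while read -r line; do
        label=""
        set -- $line
        for w in "$@"; do
            case "$w" in *:*:*) label="$w" ;; esac
            name="$w"
        done
        [ -n "$label" ] || continue
        t=$(ctx_field "$label" 3)
        [ "$t" = "$expected" ] || printf '%s %s\n' "$name" "$t"
    done
}

# fix_commands EXPECTED_TYPE   (reads ls -Z lines on stdin)
# Prints, for review before running, the chcon command that sets the expected
# type and the restorecon alternative that reapplies the policy default.
fix_commands() {
    mislabelled_files "$1" | while read -r name _t; do
        printf 'chcon -t %s %s    # or: restorecon -v %s\n' "$1" "$name" "$name"
    done
}

# Demo on the constructed sample; on a real host use:
#   ls -Z /var/www/html | mislabelled_files httpd_sys_content_t
printf '%s\n' "$SAMPLE_LS_Z" | mislabelled_files httpd_sys_content_t
printf '%s\n' "$SAMPLE_LS_Z" | fix_commands httpd_sys_content_t
```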
To see which file types a process domain is allowed to read, install the setools-console-* package and use the sesearch command; for details see page 756 of the 4th edition of Bird Brother's (鸟哥) Linux basics book.
This article is from the "Freddream" blog; please keep this source: http://1036416056.blog.51cto.com/5943987/1762458
Security Hardening Linux: SELinux