This article covers SELinux configuration on RHEL 5. RHEL provides two ways to configure SELinux: a graphical user interface (GUI) and the command line. To show how easy SELinux is to work with, this article uses the RHEL GUI to enable it.
To enable SELinux from the RHEL GUI, choose System > Administration > Security Level and Firewall. Go to the SELinux tab, set SELinux to "Permissive" mode, and restart the server.
It is good practice to start SELinux in permissive mode while you are learning to configure it. In this mode policy violations are logged but not blocked, so you can observe SELinux closely without affecting anything on the server or in the applications and databases. During testing, read the log output carefully and check every warning and every denial error that the applications and databases generate while they run.
After setting SELinux to permissive mode and restarting my RHEL system, I did not notice any difference. Log on to the system as root and run the sestatus command to view the current state of the SELinux environment.
Now that SELinux is running in permissive mode, it is time to manage it. RHEL provides a GUI for SELinux policy management; the root user can launch it with the system-config-selinux command. This command opens the main GUI, and on RHEL or Fedora Linux you will see the following window:
The main SELinux management options are in the left pane. The second option, "Boolean", lists the boolean settings for most of the default services and processes under SELinux management. You can list the same booleans with the getsebool command. For example, to see only the booleans that apply to the ftpd daemon, use the following command:
To change a boolean, take allow_ftpd_use_cifs = off as an example: this setting means the FTP daemon may not use the CIFS protocol for public file transfer. Click the corresponding entry, as shown in the figure. This allows the FTP service to transfer public files over CIFS. You can run getsebool and grep for ftpd to check whether the change has taken effect.
Using SELinux security contexts to protect web servers
Suppose we run the Apache web server on our Linux server. Because this server runs some critical applications and is exposed to the Internet, we want to protect the web server as thoroughly as possible.
If you start the web service and configure the web server to allow execution of CGI scripts such as hello.pl without changing the SELinux configuration, errors will be recorded in the Linux system log and in the SELinux audit log. To view these errors from the SELinux audit log, run sealert -b. This opens the SELinux audit log browser, as shown below:
Why does this happen? The answer is simple: hello.pl is a CGI executable, so it should carry the httpd_sys_script_exec_t type rather than httpd_sys_content_t.
We can fix this with the chcon command:
[root@test3 cgi-bin]# ls -lZ *.pl
-rwxr-xr-x apache apache root:object_r:httpd_sys_content_t hello.pl
[root@test3 cgi-bin]# chcon -v --type=httpd_sys_script_exec_t hello.pl
context of hello.pl changed to root:object_r:httpd_sys_script_exec_t
[root@test3 cgi-bin]# ls -lZ *.pl
-rwxr-xr-x apache apache root:object_r:httpd_sys_script_exec_t hello.pl
Now the web server executes hello.pl, and no warning or error appears in the SELinux log.
With SELinux configured this way, it is hard for an intruder to gain control of the system through unauthorized CGI or Perl scripts. Similarly, any attempt to point the web server's document root at a subdirectory belonging to another user on the system will fail unless that subdirectory and the index file inside it have been labelled for the httpd domain.
Suppose a user named John on our Linux server has created a subdirectory named html. After creating the directory and an index.html file, you will find that both are labelled with the user_home_t context by default, as shown below:
Unless the directory and the files in it are relabelled for httpd, any attempt by the web server to access index.html is denied by SELinux and an error is recorded in the audit log. You can change the context with the chcon command (as above) or with the semanage command.
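Both fixes above (the cgi-bin script that should be httpd_sys_script_exec_t, and John's html directory that should be httpd_sys_content_t) come down to spotting files whose type does not match the one the directory needs. The following audit script is an added example, not part of the original article: it reads ls -lZ output, compares each regular file's type with an expected type, and prints the chcon command that would fix it. The two listings are constructed samples in the RHEL 5 ls -lZ layout; on a real host you would pipe in ls -lZ of the directory instead.

```shell
#!/bin/sh
# Added example (not from the original article): audit an `ls -lZ` listing and print the
# chcon command that would relabel every regular file whose SELinux type is not the one
# expected for that directory. Works offline on the constructed listings below.

# Constructed `ls -lZ` output for a cgi-bin directory (RHEL 5 field layout, as on the page).
CGI_LISTING='-rwxr-xr-x apache apache root:object_r:httpd_sys_content_t hello.pl
-rwxr-xr-x apache apache root:object_r:httpd_sys_script_exec_t ok.cgi'

# Constructed listing for a user's ~/html directory that was never relabelled for httpd.
HOME_LISTING='drwxr-xr-x john john user_u:object_r:user_home_t .
-rw-r--r-- john john user_u:object_r:user_home_t index.html'

# find_mislabeled EXPECTED_TYPE  < ls-lZ-output
# For each regular file whose context type (third colon-separated part of the context)
# differs from EXPECTED_TYPE, print the chcon invocation that fixes it. Directories and
# other non-regular entries are skipped. The context is found by shape and the file name
# is taken from the last field, so newer ls versions that add size/date columns also work.
find_mislabeled() {
    awk -v want="$1" '
        $1 ~ /^-/ {                       # regular files only
            ctx = ""
            for (i = 2; i <= NF; i++)     # locate the user:role:type[:level] field
                if ($i ~ /^[^:]+:[^:]+_r:[^:]+/) ctx = $i
            if (ctx == "") next
            split(ctx, p, ":")
            if (p[3] != want)
                print "chcon --type=" want " " $NF
        }'
}

# Wrappers that return the fix list for each constructed directory.
audit_cgi_bin()   { printf '%s\n' "$CGI_LISTING"  | find_mislabeled httpd_sys_script_exec_t; }
audit_user_html() { printf '%s\n' "$HOME_LISTING" | find_mislabeled httpd_sys_content_t; }

audit_cgi_bin
audit_user_html
```

The printed chcon lines are suggestions to review and run by hand; the script itself changes nothing, so it is safe to run in permissive mode while you are still learning which labels each directory needs.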