Article Title: SELINUX from understanding to hands-on configuration. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
SELinux can provide great security protection for your system. Users can be assigned pre-defined roles so that they cannot access files or access programs they do not own.
Enable and disable Selinux
Edit the/etc/selinux/conf file
SELINUX = enforcing (Force: if the policy is violated, you cannot continue the operation)
Permissive)
Disabled)
Another way to disable it: at startup, you can also pass the selinux parameter to the kernel to control it.
Edit/etc/grup. conf
Title Red Hat Enterprise Linux Server (2.6.18-8. el5)
Root (hd0, 0)
Kernel/vmlinuz-2.6.18-8.el5 ro root = LABEL =/rhgb quiet selinux = 0
Initrd/initrd-2.6.18-8.el5.img
SELINUXTYPE = targeted
This parameter is optional: targeted and strice. Targeted only controls key network services, and strice controls all services.
Query the status of selinux
[Root @ linuxas ~] #/Usr/sbin/getenforce
Enforcing
[Root @ linuxas ~] # Sestatus-bv
SELinux status: enabled
SELinuxfs mount:/selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
View the kernel module loaded by selinux
[Root @ linuxas selinux] # semodule-l
Amavis 1.1.0
Ccs 1.0.0
Clamav 1.1.0
Dcc 1.1.0
Evolution 1.1.0
Iscsid 1.0.0
Mozilla 1.1.0
Mplayer 1.1.0
Nagios 1.1.0
Oddjob 1.0.1
Pcscd 1.0.0
Pyzor 1.1.0
Razor 1.1.0
Ricci 1.0.0
Smartmon 1.1.0
View selinux error logs
[Root @ linuxas selinux] # sealert-a/var/log/audit. log
SElinux graphical management tool
[Root @ linuxas selinux] # system-config-selinux
Basic Selinux operations
View the file: ls? Z (-- context)
[Root @ linuxas ~] # Ls-Z
Drwx ------ root: object_r: user_home_t Desktop
-Rw ------- root system_u: object_r: user_home_t anaconda-ks.cfg
-Rw-r -- root: object_r: user_home_t install. log
-Rw-r -- root: object_r: user_home_t install. log. syslog
[Root @ linuxas ~] # Ls -- context
Drwx ------ root: object_r: user_home_t Desktop
-Rw ------- root system_u: object_r: user_home_t anaconda-ks.cfg
-Rw-r -- root: object_r: user_home_t install. log
-Rw-r -- root: object_r: user_home_t install. log. syslog
View the extended attributes of the file system: getfattr
[Root @ linuxas ~] # Getfattr-m.-d/etc/passwd
Getfattr: Removing leading '/' from absolute path names
# File: etc/passwd
Security. selinux = "system_u: object_r: etc_t: s0 \ 000"
The security context of this file is stored in the security. selinux attribute of the file to be viewed. Therefore, the context in the preceding example is system_ubject_r: etc_t.
All ext2/3 file systems running SE Linux have the security. selinux attribute.
Change the extension property label of the file: chcon (cannot be used on the/proc file system, that is, the/proc file system does not support this tag change .)
[Root @ linuxas test] # ls -- context aa.txt
-Rw-r -- root: object_r: user_home_t aa.txt
[Root @ linuxas test] # chcon-t etc_t aa.txt
[Root @ linuxas test] # ls -- context aa.txt
-Rw-r -- root: object_r: etc_t aa.txt
Restore the original file Tag: restorecon
[Root @ linuxas test] # restorecon aa.txt
[Root @ linuxas test] # ls-Z aa.txt
-Rw-r -- root user_u: object_r: user_home_t aa.txt
Display the current user's Selinux context
[Root @ linuxas ~] # Id-Z
Root: system_r: unconfined_t: SystemLow-SystemHigh
Runcon uses a specific context to execute commands
[Root @ linuxas ~] # Runcon-t user_home_t cat/etc/passwd
Root: system_r: user_home_t: SystemLow-SystemHigh is not a valid context
Check whether a service is protected by SELinux.
[Root @ linuxas ~] # Getsebool-a (RHEL4: inactive is protected, active is not protected; RHEL5: off is protected, on is not protected)