Basic management of SELinux
1. What is SELinux
SELinux is a kernel-level security enhancement (a module plugged into the kernel).
SELinux (Security-Enhanced Linux) is the United States National Security Agency's (NSA) implementation of mandatory access control and the most outstanding new security subsystem in the history of Linux. With the help of the Linux community, the NSA developed an access control system under whose constraints a process can access only the files it needs for its task. SELinux is installed by default on Fedora and Red Hat Enterprise Linux and is also available as an easy-to-install package on other distributions.
SELinux is a mandatory access control (MAC) system available in the 2.6 series of the Linux kernel. Of the currently available Linux security modules, SELinux is the most versatile and best tested, built on 20 years of MAC research. SELinux incorporates multi-level security, or an optional multi-category policy, into the type enforcement server and adopts a role-based access control concept.
Most people who use SELinux use SELinux-ready distributions such as Fedora, Red Hat Enterprise Linux (RHEL), Debian, or CentOS. They all enable SELinux in the kernel, provide a customizable security policy, and ship many user-level libraries and tools that can use SELinux functionality.
SELinux is a mandatory access control (MAC) security system based on the domain-type model. It was written by the NSA and designed as kernel modules; some of the relevant security-related applications have been patched for SELinux, and finally there is a corresponding security policy. Under discretionary access control (DAC), any program has full control over its own resources: if a program intends to throw a file containing potentially important information into the /tmp directory, nothing can stop it. SELinux provides finer access control than traditional UNIX permissions.
2. How to manage SELinux levels
(Turning SELinux on or off)
vim /etc/sysconfig/selinux
SELINUX=disabled    ## disabled
SELINUX=enforcing   ## enforcing mode (denials are blocked)
SELINUX=permissive  ## warning mode (denials are only logged)
getenforce          ## show the current SELinux status
When SELinux is turned on:
setenforce 0|1      ## change the SELinux run level at runtime (0 = permissive, 1 = enforcing)
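The two commands above touch two different things: the file sets the mode that applies after a reboot, while setenforce changes the running kernel only. The following added example (not code from the original post) reads the persistent setting from the config file, validates mode names, and reports when the running mode has drifted from the configured one; it assumes the RHEL/Fedora layout of /etc/sysconfig/selinux and the getenforce tool, and only touches the live system when SELINUX_DEMO_LIVE=1 is set.

```shell
#!/bin/sh
# Added example: compare the persistent SELinux mode with the running mode.
# Assumptions: config at /etc/sysconfig/selinux (RHEL/Fedora layout),
# getenforce from policycoreutils. Nothing here changes the system.

# Read the SELINUX= key from a config file, ignoring comments, whitespace
# and the unrelated SELINUXTYPE= key. Prints enforcing|permissive|disabled.
config_mode() {
    _f="${1:-/etc/sysconfig/selinux}"
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$_f" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# Validate a mode name before writing it anywhere.
valid_mode() {
    case "$1" in
        enforcing|permissive|disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# Map a setenforce argument to the mode it selects (1 = enforcing, 0 = permissive).
# "disabled" cannot be selected at runtime; it needs the config file and a reboot.
setenforce_mode() {
    case "$1" in
        1|[Ee]nforcing) echo enforcing ;;
        0|[Pp]ermissive) echo permissive ;;
        *) return 1 ;;
    esac
}

# Compare what the config file says with what the kernel reports now.
report_drift() {
    _cfg="$1"; _run="$2"
    if [ "$_cfg" = "$_run" ]; then
        echo "in-sync: $_run"
    else
        echo "drift: config=$_cfg running=$_run"
    fi
}

# Live part: runs only on request on a host that has the SELinux tools.
if [ "${SELINUX_DEMO_LIVE:-0}" = 1 ] && command -v getenforce >/dev/null 2>&1; then
    cfg=$(config_mode /etc/sysconfig/selinux)
    run=$(getenforce | tr 'A-Z' 'a-z')
    report_drift "$cfg" "$run"
fi
```

A "drift" line after a reboot usually means someone used setenforce and expected it to stick; a drift in the other direction (config says enforcing, kernel says permissive) is worth an alert in a monitoring check, because every denial is now only logged.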
3. How to change the file security context
(Temporary change)
chcon -t <security context type> <file>
chcon -t public_content_t /publicftp -R
Changing the context in the anonymous user's home directory: the three files in the newly created Westos directory carry the default context, so with SELinux enabled an anonymous login cannot see them; after the context is changed to public_content_t, the login can see the files.
(Permanent change)
semanage fcontext -l                                          ## list the kernel's file-context rules
semanage fcontext -a -t public_content_t '/publicftp(/.*)?'   ## add a file-context rule
restorecon -FvvR /publicftp/                                  ## apply the rule to the files; takes effect immediately
The change succeeded.
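The difference between the two methods is easy to get wrong: chcon writes the label into the inode only, and the next restorecon (or a relabel at boot) puts the policy's label back, while semanage fcontext records a rule that restorecon then applies. The pattern given to semanage is an anchored regular expression, and the trailing (/.*)? is what makes it cover the directory and everything below it. The following added example (not code from the original post) builds that pattern for a directory and checks which paths it covers, which is the same decision restorecon makes; it assumes the /publicftp share from the page and the semanage/restorecon/matchpathcon tools, and only runs the live commands when SELINUX_DEMO_LIVE=1 is set.

```shell
#!/bin/sh
# Added example: persistent file-context rules and checking their coverage.
# Assumptions: share at /publicftp (from the page); semanage from
# policycoreutils-python, restorecon and matchpathcon from libselinux-utils.

# semanage fcontext patterns are anchored regular expressions. This helper
# answers "does PATH fall under PATTERN" with the same anchoring.
fcontext_matches() {
    _pat="$1"; _path="$2"
    printf '%s\n' "$_path" | grep -Eq "^${_pat}\$"
}

# Build the rule pattern for a directory tree. Without the (/.*)? suffix
# the rule would cover the directory itself and nothing inside it.
tree_pattern() {
    printf '%s(/.*)?' "${1%/}"
}

# Persistent labelling: record the rule, then apply it. semanage -a fails
# if a rule for the same pattern already exists; use -m to modify it instead.
label_tree_persistent() {
    _dir="$1"; _type="$2"
    semanage fcontext -a -t "$_type" "$(tree_pattern "$_dir")"
    restorecon -FvvR "$_dir"
}

# Live part, run only on request on a SELinux host.
if [ "${SELINUX_DEMO_LIVE:-0}" = 1 ] && command -v semanage >/dev/null 2>&1; then
    label_tree_persistent /publicftp public_content_t
    ls -Zd /publicftp                  # label actually on the inode
    matchpathcon /publicftp/somefile   # label the policy says the path should have
fi
```

If ls -Z and matchpathcon disagree for a path, a chcon was applied by hand or the rule pattern does not cover that path; either way the next relabel will change the label, so the rule is what should be fixed.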
4. How to control the SELinux switches (booleans) for service functions
getsebool -a | grep <service name>
getsebool -a | grep ftp
setsebool -P <boolean> on|off        ## -P makes the change persistent across reboots
setsebool -P ftpd_anon_write on
With SELinux enabled, users cannot upload files; once the boolean that allows the action in the home directory is switched on, files can be uploaded.
Anonymous user uploading a file (a higher-privilege boolean must be turned on)
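Booleans are usually managed as "the set this service needs" rather than one at a time, and a check that compares the desired set with the live values is easy to run from a cron job or a build step. The following added example (not code from the original post) parses the getsebool -a output format and prints only the booleans that differ from the desired values, so the setsebool -P calls are idempotent; it assumes getsebool/setsebool are available, uses ftpd_anon_write from the page, and treats ftp_home_dir and ftpd_full_access as standard targeted-policy booleans. The sample getsebool output in the test is constructed.

```shell
#!/bin/sh
# Added example: desired-versus-actual check for SELinux booleans.
# Assumptions: getsebool/setsebool from policycoreutils; ftpd_anon_write is
# named on the page, ftp_home_dir and ftpd_full_access are standard booleans.

# Parse "name --> on|off" lines (the getsebool -a format) into name=value.
parse_getsebool() {
    awk '$2 == "-->" && ($3 == "on" || $3 == "off") { print $1 "=" $3 }'
}

# Read current name=value lines on stdin; arguments are desired name=value
# pairs. Prints the pairs whose live value differs (or that are unknown).
booleans_to_change() {
    _cur=$(cat)
    for _want in "$@"; do
        _name="${_want%%=*}"; _val="${_want#*=}"
        case "$_val" in
            on|off) ;;
            *) echo "bad value for $_name: $_val" >&2; return 1 ;;
        esac
        _have=$(printf '%s\n' "$_cur" | awk -F= -v n="$_name" '$1 == n { print $2 }')
        [ "$_have" = "$_val" ] || echo "$_name=$_val"
    done
}

# Live part, run only on request on a SELinux host. Prefer the narrowest
# boolean that does the job: ftpd_anon_write allows anonymous uploads into
# public_content_rw_t, ftpd_full_access would lift far more restrictions.
if [ "${SELINUX_DEMO_LIVE:-0}" = 1 ] && command -v getsebool >/dev/null 2>&1; then
    getsebool -a | parse_getsebool \
        | booleans_to_change ftpd_anon_write=on ftp_home_dir=on ftpd_full_access=off \
        | while IFS='=' read -r name val; do
            echo "setsebool -P $name $val"
            setsebool -P "$name" "$val"
          done
fi
```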
5. Monitoring SELinux error messages
Install the setroubleshoot-server package.
Perform an operation that SELinux does not allow, then view the system log to get a suggested solution to the problem and follow the prompts to fix the error.
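Before following any suggested fix it helps to read the raw denial: an AVC record names the source type (the process domain), the permission that was refused, the target type and the object class, which together tell you whether a boolean, a file label or a real policy gap is the issue. The following added example (not code from the original post) extracts those fields from audit records and prints one de-duplicated summary line per denial; the audit log line inside it is constructed for illustration and is not from the page. It assumes the standard auditd record format in /var/log/audit/audit.log and, for the live part, sealert from setroubleshoot-server and audit2why from policycoreutils.

```shell
#!/bin/sh
# Added example: summarise AVC denials from the audit log.
# Assumptions: auditd record format; /var/log/audit/audit.log; sealert
# (setroubleshoot-server) and audit2why (policycoreutils) for the live part.

# Constructed sample record (not from the page): vsftpd denied write on a
# directory labelled user_home_t, the situation section 4 resolves with a boolean.
SAMPLE_LOG='type=AVC msg=audit(1502342000.123:456): avc:  denied  { write } for  pid=2345 comm="vsftpd" name="pub" dev="dm-0" ino=1234 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1502342000.123:456): arch=c000003e syscall=2 success=no exit=-13'

# Extract one key=value field from an audit record line.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Extract the permission set between the braces after "denied".
avc_permission() {
    printf '%s\n' "$1" \
        | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*[^[:space:]]\)[[:space:]]*}.*/\1/p'
}

# One line per denial: source type, permission, target type:class.
summarize_avc() {
    _l="$1"
    printf '%s %s %s:%s\n' \
        "$(avc_field "$_l" scontext | cut -d: -f3)" \
        "$(avc_permission "$_l")" \
        "$(avc_field "$_l" tcontext | cut -d: -f3)" \
        "$(avc_field "$_l" tclass)"
}

# Summarise every AVC denial in a log stream on stdin, de-duplicated.
summarize_log() {
    while IFS= read -r line; do
        case "$line" in
            *"avc:  denied"*) summarize_avc "$line" ;;
        esac
    done | sort -u
}

# Live part, run only on request where the audit log is readable.
if [ "${SELINUX_DEMO_LIVE:-0}" = 1 ] && [ -r /var/log/audit/audit.log ]; then
    summarize_log < /var/log/audit/audit.log
    # sealert explains the denial and proposes a fix; audit2why reports
    # whether a boolean, a missing label or a missing rule caused it.
    command -v sealert >/dev/null 2>&1 && sealert -a /var/log/audit/audit.log
    command -v audit2why >/dev/null 2>&1 && audit2why < /var/log/audit/audit.log
fi
```

For the constructed record the summary reads `ftpd_t write user_home_t:dir`: the FTP daemon's domain, a write, a home-directory type. That points at a boolean or a mislabelled share, not at a policy bug, so the fix stays with the tools from sections 3 and 4 rather than a custom module.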