What we share today is something many people consider not worth the trouble. It is not meaningless, only more cumbersome to use: once a SELinux security policy is enabled, each application's access domain and the security labels of the files it touches must match strictly before an access is allowed, so a single improper setting causes the application to fail. Everything has two sides, though: the extra setup work also gives the corresponding application data adequate protection. For example, after we enable the SELinux policy for the web service, even someone who has successfully broken into our web server and wants to replace our home page has a harder time, because the web process can only reach the home page file when the policy matches. So nothing is meaningless in itself; we just need to use it appropriately.
I. Introduction to SELinux
SELinux: Security-Enhanced Linux, a security module implementing mandatory access control for Linux, developed by the NSA (National Security Agency) and SCC (Secure Computing Corporation). Released in 2000 under the GNU GPL and integrated into the kernel since Linux kernel 2.6.
DAC: Discretionary Access Control
MAC: Mandatory Access Control
In a DAC environment processes are unconstrained
In a MAC environment processes can be confined
Policies define which resources (files and ports) a confined process may use
By default, any behavior that is not explicitly allowed is denied
1. SELinux has two working levels:
strict: every process is under SELinux control
targeted: only selected processes are controlled by SELinux, to protect common network services; only vulnerable processes are monitored
2. In traditional Linux, access to all files is controlled by user, group and permission bits
In SELinux, all objects are controlled by security elements stored in the inode's extended attributes; all files and ports, resources and processes carry a security label: the security context
The security context consists of five elements:
user:role:type:sensitivity:category
for example: user_u:object_r:tmp_t:s0:c0
3. Actual context: stored in the file system
View the security label of a file: ls -Z filename
View the security label of a process: ps -Z
4. Expected (default) context:
stored in the binary SELinux policy library (a mapping from directory to expected security context)
View the default security labels: semanage fcontext -l
5. Definition of the security context fields
user: indicates the type of user logged on to the system, such as root, user_u, system_u; most local processes belong to the unconfined process domain
role: defines the purpose of a file, process or user; files: object_r; processes and users: system_r
type: specifies the data type; the rules define which process type may access which file type
The targeted policy is based on type enforcement; the type shared by multiple services: public_content_t
sensitivity: the need to restrict access; hierarchical security levels defined by an organization, such as unclassified, secret, top secret. An object has exactly one sensitivity; levels s0-s15, s0 being the lowest; the targeted policy uses s0 by default
category: a non-hierarchical classification for a particular organization, such as FBI secret, NSA secret. An object can have multiple categories, c0-c1023, 1024 categories in total
The targeted policy does not use categories
object: everything that can be accessed, including files, directories, processes, ports, etc.
subject: a process is called the principal (subject)
6. SELinux gives every file a type label and every process a domain label. The actions a domain label may perform are defined by the security policy.
7. When a subject attempts to access an object, the kernel's policy enforcement server checks the AVC (Access Vector Cache), in which the permissions of subjects and objects are cached, looking up the security contexts of the application and the file; access is then allowed or denied based on the result of the lookup
8. Security policy: the rule database that defines how subjects access objects; the rules record which type of subject is allowed or denied to access which object in which way, and which behaviors are allowed or denied
II. Configuring SELinux:
Whether SELinux is enabled
Relabel files
Set some Boolean values
1. SELinux status:
enforcing: mandatory; every confined process is restricted
permissive: enabled, but violations by confined processes are not blocked, only recorded in the audit log
disabled: disabled
2. Related commands
getenforce: get the current SELinux status
setenforce 0 or 1
0: set to permissive
1: set to enforcing
This setting does not survive a reboot
Permanent configuration file: /etc/sysconfig/selinux, /etc/selinux/config
SELINUX={disabled|enforcing|permissive}
3. Relabel files:
chcon [OPTION]... [-u USER] [-r ROLE] [-t TYPE] FILE...
chcon [OPTION]... --reference=RFILE FILE...
-R: recursive labeling
4. Restore the default security context of a directory or file:
restorecon [-R] /path/to/file
5. Query and modify the default security context (semanage command)
The semanage command comes from the policycoreutils-python package
View the default security contexts: semanage fcontext -l
Add a security context: semanage fcontext -a -t httpd_sys_content_t '/www(/.*)?'
Restore the default security context: restorecon -Rv /www
Delete a security context: semanage fcontext -d -t httpd_sys_content_t '/www(/.*)?'
6. SELinux port labels
View port labels: semanage port -l
Add a port
semanage port -a -t port_label -p tcp|udp PORT
semanage port -a -t http_port_t -p tcp 9527
Delete a port
semanage port -d -t port_label -p tcp|udp PORT
semanage port -d -t http_port_t -p tcp 9527
Modify an existing port to a new label
semanage port -m -t port_label -p tcp|udp PORT
semanage port -m -t http_port_t -p tcp 9527
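The relabeling steps in sections 5 and 6 can be made idempotent: semanage fcontext -a and semanage port -a fail when a rule for the same pattern or port already exists, and -m must be used instead. The Python script below is an added example, not from the original post; it parses constructed semanage fcontext -l / semanage port -l output and builds the command list for a web root under /www served on TCP 9527. The sample output is constructed for the example.

```python
"""Idempotent SELinux labelling for a custom web root and port (added example)."""
import re

# Constructed samples in `semanage port -l` / `semanage fcontext -l` format.
SAMPLE_PORTS = """\
SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      1024-32767
"""
SAMPLE_FCONTEXT = """\
SELinux fcontext                                   type               Context
/var/www(/.*)?                                     all files          system_u:object_r:httpd_sys_content_t:s0
/www(/.*)?                                         all files          system_u:object_r:default_t:s0
"""

def parse_ports(text):
    """Map (proto, port) -> port type for explicitly listed ports.
    Generic ranges such as 1024-32767 are skipped: `-a` still works there."""
    ports = {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(tcp|udp)\s+(.*)", line)
        if not m:
            continue
        for item in m.group(3).split(","):
            item = item.strip()
            if item and "-" not in item:
                ports[(m.group(2), int(item))] = m.group(1)
    return ports

def parse_fcontexts(text):
    """Map path regex -> SELinux type from `semanage fcontext -l` output."""
    ctx = r"^(\S+)\s+(.+?)\s+[^:\s]+:[^:\s]+:([^:\s]+):\S+$"
    return {m.group(1): m.group(3)
            for m in (re.match(ctx, l) for l in text.splitlines()) if m}

def plan(ports, fcontexts, root="/www", port=9527, proto="tcp"):
    """Build the command list; `-a` fails on an existing rule, so use `-m` then."""
    pattern = f"{root}(/.*)?"
    cmds = []
    ftype = fcontexts.get(pattern)
    if ftype != "httpd_sys_content_t":
        cmds.append(["semanage", "fcontext", "-m" if ftype else "-a",
                     "-t", "httpd_sys_content_t", pattern])
    cmds.append(["restorecon", "-Rv", root])        # write the labels to disk
    ptype = ports.get((proto, port))
    if ptype != "http_port_t":
        cmds.append(["semanage", "port", "-m" if ptype else "-a",
                     "-t", "http_port_t", "-p", proto, str(port)])
    return cmds
```

Feed the real output of semanage fcontext -l and semanage port -l into the parsers and pass each list returned by plan() to subprocess.run(cmd, check=True) as root; restorecon is always included so the files on disk receive the new label.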
7. SELinux Boolean values
Commands to view Booleans:
getsebool [-a] [boolean]
semanage boolean -l
semanage boolean -l -C to view only modified Boolean values
Commands to set a Boolean:
setsebool [-P] boolean value (on,off)
setsebool [-P] boolean=value (0,1)
8. SELinux log management
yum install setroubleshoot* (takes effect after a restart)
Error information is written to /var/log/messages
grep setroubleshoot /var/log/messages
sealert -l UUID
View the description of a security event log
sealert -a /var/log/audit/audit.log
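To understand what sealert summarizes, it helps to read the AVC records in /var/log/audit/audit.log directly. The script below is an added example, not part of the original post: it parses constructed AVC denial lines, groups them by source type, target type and object class, and maps each group to the relabeling, port-label or Boolean fix described in sections 5 to 7. The audit lines are constructed, not real captures.

```python
"""Parse SELinux AVC denials from audit.log and map them to a fix (added example)."""
import re
from collections import Counter

# Constructed audit.log lines in AVC record format (not real captures).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1466430091.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=123 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1466430092.456:457): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=9527 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=USER_AVC msg=audit(1466430093.789:458): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='avc: received policyload notice'
"""

AVC_RE = re.compile(r"^type=AVC .*avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    d = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    d["perms"] = m.group("perms").split()
    d["stype"] = d["scontext"].split(":")[2]   # process domain, e.g. httpd_t
    d["ttype"] = d["tcontext"].split(":")[2]   # object type, e.g. default_t
    return d

def suggest(d):
    """Map a denial to the relabel / port / Boolean remedy from the sections above."""
    if d["tclass"] in ("file", "dir", "lnk_file"):
        want = "httpd_sys_content_t" if d["stype"] == "httpd_t" else "<type>"
        return f"relabel: semanage fcontext -a -t {want} '<path>(/.*)?'; restorecon -Rv <path> (target is {d['ttype']})"
    if d["tclass"] in ("tcp_socket", "udp_socket") and "name_bind" in d["perms"]:
        want = "http_port_t" if d["stype"] == "httpd_t" else "<port_label>"
        return f"port label: semanage port -a -t {want} -p {d['tclass'][:3]} {d.get('src', '<port>')}"
    return "check Booleans (getsebool -a) or run sealert -a /var/log/audit/audit.log"

def summarize(text):
    """Count denials by (source type, target type, class) and attach a suggestion."""
    counts, notes = Counter(), {}
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            key = (d["stype"], d["ttype"], d["tclass"])
            counts[key] += 1
            notes.setdefault(key, suggest(d))
    return counts, notes

if __name__ == "__main__":
    counts, notes = summarize(SAMPLE_AUDIT)
    for key, n in counts.items():
        print(n, key, "->", notes[key])
```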
This is all we share about using SELinux; it is enough for basic use in a production environment. If you want a more advanced security strategy, that moves into SELinux policy development, which this article does not discuss.
This article is from the "Love Firewall" blog; please keep this source: http://183530300.blog.51cto.com/894387/1854201
Setting and application of SELinux security policy