Sinsing analysis of SELinux in Linux

Source: Internet
Author: User

SELinux is a project started by the US National Security Agency (NSA) to harden Linux to a level suitable for military use. It gives Linux a considerably stronger security guarantee.

DAC is discretionary access control. Under DAC, before ACLs existed, the only way for a user to share a file with other users was to change that file's permission bits for those users, an approach that introduced many hidden security risks. The security context (CS) of an access depends on the permissions of the user who initiated it and on the file itself.

MAC is mandatory access control, that is, access control enforced by the system rather than left to the owner. It is the basis on which SELinux implements access control, and SELinux implements it through type enforcement (TE), which is mandatory.

The standard UNIX security model is discretionary access control (DAC), in which any program has full control over the resources it owns. If a program decides to write a file containing potentially sensitive information into the /tmp directory, nothing in DAC can stop it. Under the MAC of SELinux the program may still be allowed to create files in /tmp, and the file may still be world-readable according to its UNIX permission bits, but once the UNIX permission check has passed, the SELinux permission check further decides whether access to the resource is permitted. SELinux can limit the kind and level of access each process has to each resource. When a process is handling sensitive data, that data is prevented from being written to files readable by lower-privileged processes. SELinux therefore provides finer-grained access control than traditional UNIX permissions.

SELinux is a security system that enforces access control based on the "domain-type" model. It was merged into the Linux 2.6 kernel, the corresponding security-related user-space programs are patched for SELinux, and a matching security policy completes the picture.

For example, an administrator can allow an application to append records to a log file but not to overwrite or delete its contents. ext3 does support an append-only attribute, which can be set with chattr, but that attribute does not distinguish between processes: it cannot give one process append-only access while allowing another process full write access. Similarly, an application may be allowed to create and write files in a directory but not to delete them. These capabilities are not available in a normal Linux kernel without SELinux. Likewise, a network application can be allowed to bind to the port it needs but not to any other port.

SELinux attaches a "label" to each subject and object of an operation, so that objects of a particular "type" can only be acted on by a specific domain or user. The operations are typically read, write, execute, and so on. In effect the rules have a subject-predicate-object structure: subject, operation, object. SELinux also follows the principle of least privilege. For example, if the httpd document directory /var/www is defined as type public_content_t, then httpd can only access files and directories of that type; such files are called a "sandbox". When using SELinux, the set of access rules must be carefully designed: for instance, define different "domains" for different processes and different "types" for different directories, then enforce them by defining the rules that relate each "type" to each "domain".

SELinux has two policy modes. One is strict, in which every process is under the control of SELinux; it is rarely used because it is difficult to configure. The other is targeted, developed by Red Hat, in which only selected processes are confined by SELinux, which makes SELinux much easier to manage.

The SELinux policy is stored as a binary file: after the rules are edited they are compiled into binary form, which reduces system resource usage, and the result lives under /etc/selinux/ in the per-policy directory. SELinux also exposes some commonly adjusted rules as switches that can be set to on or off; these are called Booleans, and getsebool -a displays them with their current values.

On a system using SELinux, the context of each process has three components: an identity, a role, and a domain. The identity refers to the owner of the process, that is, its UNIX account, but the account must be pre-compiled into the SELinux policy so that SELinux can recognize it; otherwise SELinux labels unknown system processes with the identity system_u and unknown user processes with user_u. The role is typically used to determine which domains an identity with that role may enter, and to prevent an identity with that role from entering a domain it should not.

A domain is simply the type of a process. So when checking whether one process is authorized to send a signal to another, the domain of the receiving process acts as the "type" in the domain-type model and the ordinary domain-type rule check is performed; this is how permissions for communication between processes are checked. Since the role field of files is not yet used, every file currently has the role object_r, which is only a placeholder and has no effect on the policy.

The identity of a file is the identity of its creator. The policy source uses it to decide whether an access is authorized to change the file's context descriptor: a process has no permission to change a file's context unless the identity field in the context of the file being accessed, both before and after the change, is the same as the identity of the owner of the accessing process.

ls -Z displays the label of a file and ps -Z displays the label of a process; for example, ps auxZ | grep httpd shows the SELinux context of the httpd processes.

The chcon command (short for "change context") modifies a context: chcon -t changes the type to a specific one, -R applies the change recursively to everything under a directory, and --reference=FILE sets the label to match that of the given file. For example, chcon -R --reference=/var/www/html /www copies the label of /var/www/html onto /www, and a type can also be set directly, as in chcon -t default_t /www/index.html.

restorecon restores the default security context after a modification; its -R option means recursive, -F means force, and -v means verbose, so restorecon -R -v -F /www restores the default contexts under /www and displays the details. semanage can also be used to modify this information; its -d option means delete, -m modify, -a add, and -t specifies the type.
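The following is an added example, not code from the original article: a small model of the domain-type (type enforcement) check described above, applied to constructed `ps auxZ` and `ls -lZ` output. The allow rules mirror the article's httpd examples (read public content, append to but not overwrite the log, bind only its own port); the contexts and file names are illustrative assumptions.

```python
# Added example (not from the original article): a minimal model of SELinux
# type enforcement applied to constructed `ps -Z` / `ls -Z` output.
from collections import namedtuple

Context = namedtuple("Context", "user role type")

def parse_context(label):
    """Split 'identity:role:type[:level]' into its three components."""
    parts = label.split(":")
    if len(parts) < 3:
        raise ValueError(f"bad context: {label}")
    return Context(parts[0], parts[1], parts[2])

# Allow rules: (domain, type, object class) -> permitted operations.
# Constructed to mirror the article's httpd examples; real policies are larger.
ALLOW = {
    ("httpd_t", "public_content_t", "file"): {"read", "getattr"},
    ("httpd_t", "httpd_log_t", "file"): {"append", "getattr"},
    ("httpd_t", "http_port_t", "tcp_socket"): {"name_bind"},
}

def te_check(domain, target_type, cls, op):
    """Type-enforcement decision: allowed only if some allow rule grants op."""
    return op in ALLOW.get((domain, target_type, cls), set())

# Constructed sample output of `ps auxZ | grep httpd` and `ls -lZ /var/www/html`.
# upload.html carries default_t, as it would after `chcon -t default_t`.
PS_Z = "system_u:system_r:httpd_t:s0 apache 1234 0.0 0.1 ... /usr/sbin/httpd"
LS_Z = """\
-rw-r--r--. root root system_u:object_r:public_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 upload.html
"""

def audit_web_root(ps_line, ls_output, op="read"):
    """Return {filename: allowed} for the httpd domain performing op on each file.

    The DAC bits (rw-r--r--) would let httpd read both files; the TE check
    denies the mislabelled one, which restorecon would fix.
    """
    domain = parse_context(ps_line.split()[0]).type
    decisions = {}
    for line in ls_output.splitlines():
        fields = line.split()
        file_type = parse_context(fields[3]).type
        decisions[fields[4]] = te_check(domain, file_type, "file", op)
    return decisions

if __name__ == "__main__":
    print(audit_web_root(PS_Z, LS_Z))
```

A denied entry here corresponds to a file whose type does not match the httpd_t rules, which is exactly the situation `restorecon -R -v -F` on the web root is meant to repair.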

getsebool -a | grep httpd shows the values of the httpd-related Booleans; one can be set with setsebool httpd_enable_cgi=on, and adding the -P option makes the change permanent.

Some files have no assigned context, namely those on file systems that do not support these labels, such as /sys, /dev and /selinux; ls does not display a context for them. For file systems whose state cannot be viewed with the stat command, ls shows the mode as ?--------- and marks the owner and group as ? too. The id command returns the context of the current shell.

When an SELinux system starts, the first thing init does is mount the /proc file system and determine whether SELinux is enabled: init uses the selinuxfs file system to find out whether the kernel contains SELinux. If the kernel has no SELinux, or selinux=0 was passed as a kernel parameter, the system continues booting in a state called non-SE. If SELinux is found, the /selinux virtual file system is created, and init can then check the policy version supported by the kernel through /selinux/policyvers. Finally the policy data /etc/selinux/x/policy/policy.YY is loaded into the kernel, where x is the chosen policy, strict or targeted, and YY is the policy version.
