The 21st day of the Linux Foundation study SELinux


Introduction and use of SELinux


1. SELinux Introduction

SELinux (Security-Enhanced Linux) is a mandatory access control security module for Linux developed by the NSA (National Security Agency) and SCC (Secure Computing Corporation). It was released in 2000 under the GNU GPL and has been integrated into the Linux kernel since version 2.6.

2. Differences between SELinux and ordinary Linux:

DAC: Discretionary Access Control

MAC: Mandatory Access Control

In a DAC environment, processes are unconstrained.

In a MAC environment, the policy rules determine how strictly processes are controlled.

In a MAC environment, processes can be confined.

Policies define which resources (files and ports) a confined process may use.

By default, any behaviour that is not explicitly allowed is denied.

A Linux system without SELinux runs in DAC mode, where processes are unconstrained; for example, a process running as root has every permission.

In SELinux there is no concept of root: the security policy is defined by the administrator, and no piece of software can override it. This means the damage that potential malware can do is kept to a minimum. In practice, mainly enterprise users who care a great deal about data security use SELinux.

SELinux provides a flexible mandatory access control (MAC) system embedded in the Linux kernel. SELinux defines access and transition permissions for every user, process, application and file in the system, then uses a security policy to control the interactions between these entities (users, processes, applications and files); the policy specifies how strictly or loosely each check is made.

A subject can access an object only when both the standard Linux access check and the SELinux access check pass.

The biggest difference between MAC and DAC is that DAC only looks at the user's permissions: root has full rights to every file, and on a file with mode 664 the owner has read and write access. Under MAC, even root does not necessarily get root's permissions when running a given program; what it gets depends on how that program was set up. MAC is therefore about the process, not about the user's permissions.

3. How SELinux works

When a subject (for example an application) tries to access an object (for example a file), the policy enforcement server in the kernel first checks the AVC (Access Vector Cache), where subject and object permissions are cached. If a decision cannot be made from the data in the AVC, the security server is consulted; it looks up the security context of the "application + file" pair in a matrix and then allows or denies access based on the result of the lookup. Details of denials are logged to /var/log/messages.

[Figure: Selinux.png]

[Figure: SELinux working process.jpg]
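As an added example (not part of the original post), the following shell script parses denial records of the kind the security server emits and summarises them by source domain, target type and object class, so a defender can see at a glance which confined process was refused which access. The three audit-style lines in AVC_SAMPLE are constructed for this example; the field names (scontext, tcontext, tclass, permissive) are the ones the kernel writes.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials from audit-style log lines.
# AVC_SAMPLE is constructed for this example, not captured from a real host.

AVC_SAMPLE='type=AVC msg=audit(1500000000.100:101): avc:  denied  { read } for  pid=2001 comm="httpd" name="index.html" dev="sda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1500000000.200:102): avc:  denied  { name_bind } for  pid=2001 comm="httpd" src=9527 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1500000000.300:103): avc:  denied  { write } for  pid=2001 comm="httpd" name="upload" dev="sda1" ino=4300 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1500000000.300:103): arch=c000003e syscall=2 success=no exit=-13'

# avc_summary: read log lines on stdin, print one line per denial:
#   SOURCE_TYPE TARGET_TYPE CLASS PERMISSIONS blocked|logged-only
# Records that are not AVC denials (e.g. SYSCALL) are ignored.
avc_summary() {
  awk '
    /avc: +denied/ {
      src = ""; tgt = ""; cls = ""; perms = ""; perm = "0"
      # the requested permissions sit between the braces: { read write }
      if (match($0, /[{][^}]*[}]/)) {
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        sub(/^ +/, "", perms); sub(/ +$/, "", perms)
        gsub(/ +/, ",", perms)
      }
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "scontext")        { split(kv[2], c, ":"); src = c[3] }
        else if (kv[1] == "tcontext")   { split(kv[2], c, ":"); tgt = c[3] }
        else if (kv[1] == "tclass")     cls = kv[2]
        else if (kv[1] == "permissive") perm = kv[2]
      }
      # permissive=1 means the access went ahead and was only logged
      print src, tgt, cls, perms, (perm == "1" ? "logged-only" : "blocked")
    }'
}

# avc_by_domain: count denials per source domain, busiest domain first
avc_by_domain() {
  avc_summary | awk '{ n[$1]++ } END { for (d in n) print n[d], d }' | sort -rn
}

printf '%s\n' "$AVC_SAMPLE" | avc_summary
printf '%s\n' "$AVC_SAMPLE" | avc_by_domain
```

On a host running auditd the same records land in /var/log/audit/audit.log rather than /var/log/messages, so feed that file (or the output of ausearch -m AVC) to avc_summary. The last column matters for triage: a denial with permissive=1 was not actually stopped, which is exactly what you see while a system runs in permissive mode.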

4. SELinux configuration file:

/etc/selinux/config or /etc/sysconfig/selinux

# ll /etc/selinux/config
-rw-r--r--. 1 root root 458 Jul 02:18 /etc/selinux/config
# ll /etc/sysconfig/selinux
lrwxrwxrwx. 1 root root 02:18 /etc/sysconfig/selinux -> ../selinux/config

The configuration file defines:

1) Turn SELinux on or off

2) Set which policy the system executes

3) Set how the system executes the policy

# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
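Added example (not from the original post): a small shell checker that reads a file in the /etc/selinux/config format shown above, extracts SELINUX= and SELINUXTYPE= the way a script would, and flags settings that leave the host unprotected at boot. The file it inspects is generated from a template in the script itself, so it runs on a host without SELinux; point check_selinux_config at the real /etc/selinux/config to audit a system.

```shell
#!/bin/sh
# Added example: read an /etc/selinux/config-style file and validate it.
# The file is generated here from a template so the example runs on any host.

# make_sample_config FILE SELINUX_VALUE SELINUXTYPE_VALUE
make_sample_config() {
  cat > "$1" <<EOF
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=$2
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=$3
EOF
}

# config_get FILE KEY: value of the last KEY=value line, with comments and
# surrounding whitespace stripped. The key is anchored up to "=" so that
# asking for SELINUX does not pick up the SELINUXTYPE line.
config_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# check_selinux_config FILE: print a verdict per key; return 0 only when the
# file asks for enforcing mode with a known policy type.
check_selinux_config() {
  mode=$(config_get "$1" SELINUX)
  ptype=$(config_get "$1" SELINUXTYPE)
  rc=0
  case $mode in
    enforcing)  echo "SELINUX=enforcing: policy is enforced at boot" ;;
    permissive) echo "SELINUX=permissive: violations are only logged"; rc=1 ;;
    disabled)   echo "SELINUX=disabled: no policy loaded; new files get no labels, so a relabel is needed when re-enabling"; rc=1 ;;
    *)          echo "SELINUX='$mode': not one of enforcing|permissive|disabled"; rc=1 ;;
  esac
  case $ptype in
    targeted|mls|minimum) echo "SELINUXTYPE=$ptype" ;;
    *) echo "SELINUXTYPE='$ptype': unknown policy type"; rc=1 ;;
  esac
  return $rc
}

tmp=${TMPDIR:-/tmp}/selinux-config-example.$$
make_sample_config "$tmp" enforcing targeted
check_selinux_config "$tmp"
make_sample_config "$tmp" permissive targeted
check_selinux_config "$tmp" || echo "-> this file would not enforce policy after a reboot"
rm -f "$tmp"
```

The file only governs the mode at boot; setenforce changes the running mode without touching it, so a complete audit compares config_get's answer with the output of getenforce.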

5. SELinux Policy Type

SELinux has four policy types:

strict: CentOS 5; every process is under SELinux control

targeted: used to protect common network services; only a limited set of processes is confined by SELinux, namely the vulnerable ones. RHEL4 protects only 13 services, RHEL5 protects 88 services

minimum: CentOS 7; a modified targeted policy that covers only selected network services

mls: provides protection for MLS (multilevel security) mechanisms

minimum and mls are not stable enough to be used

CentOS 5 and 6 have only the targeted and strict policies. The default is generally targeted, which mainly regulates network services such as http and samba.

6. Viewing the SELinux security context (security contexts)

If SELinux is enabled, ls -l shows a dot (.) right after the 10-character permission field; that dot is the marker that the file carries a security context.

# ll
total 12
drwxr-xr-x. 2 root root 4096 Sep 09:57 hello
-rw-r--r--. 1 root root 1192 Sep 09:58 ks6.cfg
-rw-r--r--. 1 root root 1368 Sep 10:11 mylinux-ks.cfg
# ll -Z
drwxr-xr-x. root root unconfined_u:object_r:public_content_t:s0 hello
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 ks6.cfg
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 mylinux-ks.cfg

7. Security context (secure contexts)

All operating system access control is based on some access control attribute associated with the object and the subject. In SELinux, that access control attribute is called the security context. Every object (file, interprocess communication channel, socket, network host, and so on) and every subject (process) has a security context associated with it. A security context consists of three parts, the user, the role and the type identifier, and is usually written or displayed in the following format:

The security context consists of five elements:

user:role:type:sensitivity:category

user: indicates the kind of user logged on to the system, such as root, user_u, system_u; most local processes belong to the unconfined user (names end in xxx_u)

role: defines the purpose of a file, process or user: files use object_r, processes and users use system_r (names end in xxx_r)

type: specifies the data type; the rules define which process type may access which file type, and the targeted policy is built on types. A type shared by several services: public_content_t (names end in xxx_t)

sensitivity: a hierarchical security level, defined by an organisation, used to restrict access, such as unclassified, secret, top secret. An object has exactly one sensitivity; there are levels 0-15, s0 being the lowest, and the targeted policy uses s0 by default

category: non-hierarchical categories defined by a specific organisation, such as FBI secret, NSA secret. An object can have several categories; c0-c1023, 1024 categories in total. The targeted policy does not use categories

In the targeted policy, the key check is whether the domain/type pair matches the policy. The domain is the program itself and the type is the file's type; a program can access a file only when the file's type is within the scope its domain is allowed to reach. Even when the policy permits the access, the file's own permissions are still checked, so there are two layers of protection.
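Added example (not from the original post) covering sections 6 and 7 together: shell helpers that split a context into the five fields described above and pull the type out of ls -Z style listings. The LS_Z_SAMPLE lines are constructed; the first two match the listing shown in section 6, and the last one carries an MLS range so the code shows where sensitivity and category sit when they are present.

```shell
#!/bin/sh
# Added example: pull the five fields out of a SELinux security context and
# read contexts out of ls -Z style output. LS_Z_SAMPLE is constructed.

LS_Z_SAMPLE='drwxr-xr-x. root root unconfined_u:object_r:public_content_t:s0 hello
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 ks6.cfg
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html
-rw-------. root root system_u:object_r:shadow_t:s0-s0:c0.c1023 shadow.bak'

# ctx_field CONTEXT FIELD  ->  FIELD is user|role|type|sensitivity|category
# Fields 4 and 5 may be absent (the targeted policy normally shows just s0);
# with MLS a range such as s0-s0:c0.c1023 occupies fields 4 and 5.
ctx_field() {
  case $2 in
    user)        n=1 ;;
    role)        n=2 ;;
    type)        n=3 ;;
    sensitivity) n=4 ;;
    category)    n=5 ;;
    *) echo "ctx_field: unknown field '$2'" >&2; return 1 ;;
  esac
  printf '%s\n' "$1" | cut -d: -f"$n"
}

# ctx_valid CONTEXT -> 0 if the context has the user:role:type[:sens[:cat]]
# shape, with the role and type carrying their _r and _t suffixes
ctx_valid() {
  printf '%s\n' "$1" | grep -Eq '^[^:]+:[^:]+_r:[^:]+_t(:[^:]+(:[^:]+)?)?$'
}

# lsz_types: "name type" for every line of ls -Z style output on stdin
lsz_types() {
  while read -r perms owner group ctx name; do
    [ -n "$name" ] || continue
    printf '%s %s\n' "$name" "$(ctx_field "$ctx" type)"
  done
}

# lsz_with_type TYPE: names from the listing whose type field equals TYPE
lsz_with_type() {
  lsz_types | awk -v t="$1" '$2 == t { print $1 }'
}

ctx='unconfined_u:object_r:public_content_t:s0'
for f in user role type sensitivity category; do
  printf '%-12s %s\n' "$f" "$(ctx_field "$ctx" "$f")"
done
printf '%s\n' "$LS_Z_SAMPLE" | lsz_types
```

Because the targeted policy decides on the type field, lsz_with_type is the quick way to answer "which files in this directory will httpd actually be able to read", given that its domain is allowed httpd_sys_content_t but not, say, user_home_t.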


8. SELinux-related commands

(1)

getenforce: show the current SELinux mode

sestatus: show SELinux status

setenforce 0|1

0: set to permissive (violations by confined processes are not blocked, but are recorded in the audit log)

1: set to enforcing (violations by confined processes are blocked)

(2)

To change the security label of a file:

chcon [OPTION]... [-u USER] [-r ROLE] [-t TYPE] FILE...

chcon [OPTION]... --reference=RFILE FILE...

-R: apply recursively

To restore the default security context of a directory or file:

restorecon [-R] /path/to/somewhere

(3)

semanage: query and modify the default security context. semanage comes from the policycoreutils-python package, so install that package before using it.

To view the default security contexts:

semanage fcontext -l

To add a security context:

semanage fcontext -a -t httpd_sys_content_t '/testdir(/.*)?'

restorecon -Rv /testdir

To remove a security context:

semanage fcontext -d -t httpd_sys_content_t '/testdir(/.*)?'

To view port labels:

semanage port -l

To add a port:

semanage port -a -t port_label -p tcp|udp port

semanage port -a -t http_port_t -p tcp 9527

To delete a port:

semanage port -d -t port_label -p tcp|udp port

semanage port -d -t http_port_t -p tcp 9527

To modify a port:

semanage port -m -t port_label -p tcp|udp port

semanage port -m -t http_port_t -p tcp 9527
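Added example (not from the original post) for the port commands above: before running semanage port -a it is worth knowing whether the port already carries a label, because -a refuses a port that is already defined and -m is the command for that case. The helpers below read a listing in the format of semanage port -l; PORT_LIST_SAMPLE is constructed to look like that output and is only a sample, and nothing here executes semanage itself.

```shell
#!/bin/sh
# Added example: look up a port's current label in 'semanage port -l' style
# output and pick the right semanage subcommand. PORT_LIST_SAMPLE is a
# constructed sample of that listing format.

PORT_LIST_SAMPLE='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
http_port_t                    udp      80
ssh_port_t                     tcp      22
ephemeral_port_t               tcp      32768-60999'

# port_type PORT PROTO: print the type covering PORT/PROTO, or nothing if
# the port is not listed. Reads the listing on stdin; understands both
# single ports and low-high ranges.
port_type() {
  awk -v want="$1" -v proto="$2" '
    BEGIN { w = want + 0 }
    NR > 1 && $2 == proto {
      # everything from field 3 on is the comma-separated port list
      list = ""
      for (i = 3; i <= NF; i++) list = list $i
      n = split(list, ports, ",")
      for (j = 1; j <= n; j++) {
        if (split(ports[j], r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
        else { lo = ports[j] + 0; hi = lo }
        if (w >= lo && w <= hi) { print $1; exit }
      }
    }'
}

# port_plan PORT PROTO TYPE: print the semanage command that would give
# PORT/PROTO the label TYPE (add, modify, or nothing). Nothing is executed.
port_plan() {
  current=$(port_type "$1" "$2")
  if [ -z "$current" ]; then
    echo "semanage port -a -t $3 -p $2 $1"
  elif [ "$current" = "$3" ]; then
    echo "# $2/$1 is already labelled $3; nothing to do"
  else
    echo "semanage port -m -t $3 -p $2 $1   # currently $current"
  fi
}

printf '%s\n' "$PORT_LIST_SAMPLE" | port_plan 9527 tcp http_port_t
printf '%s\n' "$PORT_LIST_SAMPLE" | port_plan 80 tcp http_port_t
printf '%s\n' "$PORT_LIST_SAMPLE" | port_plan 22 tcp http_port_t
```

On a real host replace the sample with the live listing: semanage port -l | port_plan 9527 tcp http_port_t. Whatever the plan prints, the change is only persistent because semanage writes it to the policy store; a service that still fails to bind afterwards is best diagnosed from the name_bind denials in the audit log.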

(4)

Boolean rules:

getsebool

setsebool

To view booleans:

getsebool [-a] [boolean]

semanage boolean -l

semanage boolean -l -C   (show only booleans whose value has been changed locally)

To set a boolean:

setsebool [-P] boolean value

setsebool [-P] boolean=value


This article is from the "6638225" blog; please contact the author before reproducing it.
