The SELinux of Linux

Source: Internet
Author: User

SELinux Overview:
SELinux, full name Security-Enhanced Linux, was developed by the NSA (National Security Agency). It is implemented in the kernel and provides a flexible mandatory access control architecture, designed to improve the security of Linux systems and to provide robust protection against unknown attacks; it is said to reach roughly the B1 level of military security.
It has been integrated into the kernel since version 2.6.
On a traditional Linux system without SELinux protection, if a service running as root is hacked, the server's highest privilege (root) may be lost along with it. With SELinux protection, the intrusion is confined to the service itself and the server's highest authority remains intact.
Information security assessment criteria: 4 classes, 7 levels. From low to high: D, C1, C2, B1, B2, B3, A.



SELinux features (1)
1. MAC (Mandatory Access Control): all access (to files, logins, ports and so on) is decided by the configured policy. The policy is set by the administrator; ordinary users are not allowed to change it.
2. RBAC (Role Based Access Control): a user is given only the minimum permissions it needs. Users are divided into roles; even the root user cannot perform sysadm_t management operations unless it is in the sysadm_r role.
3. TE (Type Enforcement): a process is given only the minimum operational privileges it needs. TE is the most important concept in SELinux: every file is assigned a label called a type, every process is assigned a label called a domain, and the policy can specify that a process may only access files of certain types.
For example: process A may read files labeled T1. If a.txt is labeled T1 and b.txt is labeled T2, then vim can only edit the file labeled T1.


The SELinux execution modes

Enforcing: mandatory mode; anything SELinux does not allow is not executed.
Permissive: warning mode; the event is logged but execution is still allowed.
Disabled: SELinux is turned off.


The operating mechanism of SELinux

[Figure: SELinux operating mechanism. The policy specifies which files a process is allowed to open.]


Installing SELinux
SELinux is installed by default. Related packages:

# rpm -qa | grep selinux
libselinux-devel-2.0.94-5.2.el6.x86_64
libselinux-utils-2.0.94-5.2.el6.x86_64
libselinux-2.0.94-5.2.el6.x86_64
libselinux-python-2.0.94-5.2.el6.x86_64
selinux-policy-3.7.19-126.el6.noarch
selinux-policy-targeted-3.7.19-126.el6.noarch

Configuration file location:
# vim /etc/selinux/config

Checking the SELinux state
# getenforce    # query the current SELinux running state
Possible results:
Enforcing   (mandatory)
Permissive  (allowed, violations are logged)
Disabled    (disabled)

Corresponding settings in /etc/selinux/config:
SELINUX=enforcing   (mandatory: an operation that violates the policy cannot continue)
SELINUX=permissive  (in effect but not mandatory: an operation that violates the policy may continue, but the violation is logged)
SELINUX=disabled    (disabled)


Ways to turn on SELinux:
Example 2: SELinux status switch, from off to on
Note: to go from off to on, the configuration file must be modified.
# vim /etc/selinux/config
Change: SELINUX=disabled
to:     SELINUX=enforcing

A reboot is required for the change to take effect.
Note: the first boot after enabling takes longer, because the file labels have to be updated.
# reboot    (or: # init 6)

Turn off SELinux
Example 3: SELinux state toggle, from on to off
Method one (temporary):
# setenforce 0
# getenforce
Permissive

Switch back from permissive to enforcing:
# setenforce 1
# getenforce
Enforcing

Method two (at boot):
# vim /boot/grub/grub.conf
Change the kernel line:  kernel /vmlinuz ... selinux=0
Or, when booting, edit the kernel line in the GRUB menu and pass selinux=0 to the kernel, the same way single-user mode is entered: press Enter to accept the edited line, then press b to start the operating system.

SELinux policy types (operating modes):

targeted: protects common network services; the default for SELinux.
mls: multilevel security.
For example, like the agents in the US series about S.H.I.E.L.D.: agents are divided into level 4, level 5, level 10 and so on, and agents of different levels can access different content.

Example of SELinux configuration:
Security context: the security context is composed as follows:
system_u:object_r:httpd_sys_content_t
  user  :  role  :  type
Policy: the control rules, which define which processes can access which resources.

Security context
When SELinux is started, all files and objects have a security context. The security context of a process is called its domain.
The security context is written as user:role:type.
(1) The system sets the security context for the programs a user runs according to the /lib64/security/pam_selinux.so module of the PAM subsystem.
(2) Files installed from an RPM package get their security context from the records inside the RPM package.
(3) If a file is created by hand, its security context is set according to the policy rules.
(4) If a file is copied with cp, a new security context is generated for the copy.
(5) If a file is moved with mv, its security context does not change.

Security context format
The security context consists of three parts, user:role:type. The role of each part:
1. User: similar to the UID in a Linux system; it provides identification and is one part of the security context.
There are three common user types:
user_u: the default for ordinary users after logging in to the system;
system_u: preset for system processes during the boot process;
unconfined_u: unrestricted, not confined by the policy.

2. Role
The role of files and directories is usually object_r;
The role of a program is usually system_r;
The role of a user is similar to the GID in the system: different roles have different permissions. A user can have more than one role, but can only use one role at a time.

3. Type
Type: used to divide subjects and objects into different groups. Every subject and object in the system is defined with a type, which provides the lowest-permission environment for a process to run in.

Example 4: View the SELinux security context of a file
Viewing files: ls -Z
or: ls --context
# touch a.txt
# ls -Z a.txt
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 a.txt
The first field, unconfined_u, is the user;
the second field, object_r, is the role; ordinary files and directories have the object_r role;
the third field is the most important information in SELinux: admin_home_t is the type.
① First field: the SELinux user. root represents the root account identity, user_u an ordinary unprivileged user, and system_u a system user. The user identifies the identity type and is generally used together with the role.
② object_r: object_r is generally the role of files and directories, system_r is generally the role of a process, and in the targeted policy the role of users is generally system_r too.
③ admin_home_t: the type; both files and processes have a type.

Example 5: Viewing the security context of a directory
# ls -Zd /root/
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 /root/
system_u indicates a system user
object_r is generally the role of files and directories
admin_home_t represents the administrator's home directory

Example 6: Viewing the security context of a normal user's home directory
# useradd rm
# ls -Zd /home/rm/
drwx------. rm rm unconfined_u:object_r:user_home_dir_t:s0 /home/rm/

# ls -Z /etc/passwd
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/passwd

4. chcon
Description: change the SELinux attribute label (security context) of a file or directory.
How to use:
chcon [OPTION]... CONTEXT FILE...
chcon [OPTION]... --reference=RFILE FILE...
The parameters are as follows:
-u USER   set user USER in the target security context
-r ROLE   set role ROLE in the target security context
-t TYPE   set type TYPE in the target security context

Note: after SELinux is turned on, a process can only access files and directories whose security context grants it sufficient access.
Example 7: Modifying the security context of a file
# ls -Z /etc/hosts
-rw-r--r--. root root system_u:object_r:net_conf_t:s0 /etc/hosts
# ls -Zd /var/
drwxr-xr-x. root root system_u:object_r:var_t:s0 /var/

Change:
# chcon -t var_t /etc/hosts
# ls -Z /etc/hosts
-rw-r--r--. root root system_u:object_r:var_t:s0 /etc/hosts

# mkdir /tmp/abc
# ls -Zd /tmp/abc/
drwxr-xr-x. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/abc/
Modify the context (recursively, with -R):
# chcon -R -t samba_share_t /tmp/abc/
# ls -Zd /tmp/abc/
drwxr-xr-x. root root unconfined_u:object_r:samba_share_t:s0 /tmp/abc/

A moved file keeps its old context, while a newly created file gets the directory's context:
# echo "2016-4-11" > a.html
# mv a.html /var/www/html/
# echo "2016-4-12" > /var/www/html/b.html
# ls -Z /var/www/html/
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 a.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 b.html

Start the httpd service:
# service httpd restart
Test:
http://192.168.31.245/b.html   OK
http://192.168.31.245/a.html   not OK (a.html still carries admin_home_t, which httpd is not allowed to read)

Temporarily close SELinux:
# setenforce 0
Test:
http://192.168.31.245/b.html
http://192.168.31.245/a.html
Modify the security context, copying it from the directory:
# chcon --reference=/var/www/html/ /var/www/html/a.html
# ls -Z /var/www/html/
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 a.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 b.html
# setenforce 1

Test:
http://192.168.31.245/b.html
http://192.168.31.245/a.html
When a file or directory is copied, its security context changes to the type of the target directory:
# echo aaaaaa > c.html
# cp c.html /var/www/html/
# ls -Z /var/www/html/
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 a.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 b.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 c.html
Test:
http://192.168.31.245/c.html

5. Command: restorecon
Description: restore the default security context.
The rules for files and directories come from file_contexts and file_contexts.local in the /etc/selinux/targeted/contexts/files/ directory.
View the rules saved on the system:
# ls /etc/selinux/targeted/contexts/files/
file_contexts  file_contexts.homedirs  media
# cd /etc/selinux/targeted/contexts/files/
# vim file_contexts    # view
/.*                       system_u:object_r:default_t:s0
/[^/]+                 -- system_u:object_r:etc_runtime_t:s0
/a?quota\.(user|group) -- system_u:object_r:quota_db_t:s0
For example: www

Commonly used restorecon parameters:
-R | -r: recurse into subdirectories and the files under them
-v: show what is being done
# ls -Z /etc/ntp.conf
-rw-r--r--. root root system_u:object_r:net_conf_t:s0 /etc/ntp.conf
# chcon -t var_t /etc/ntp.conf
# ls -Z /etc/ntp.conf
-rw-r--r--. root root system_u:object_r:var_t:s0 /etc/ntp.conf
# restorecon -v /etc/ntp.conf
restorecon reset /etc/ntp.conf context system_u:object_r:var_t:s0->system_u:object_r:net_conf_t:s0
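The file_contexts lookup and the restorecon reset above, as an added shell example that is not from the original post: it searches a constructed file_contexts table in the format shown (extended with entries for /etc/hosts and /var/www, which are assumed for illustration) the way restorecon does, and reports whether a label such as a.html's admin_home_t would be reset.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce how restorecon decides
# the default label of a path from a file_contexts table. Each entry is an
# anchored POSIX extended regex, an optional file-type field ("--" regular
# file, "-d" directory) and a context; the last matching entry wins, which is
# why the catch-all "/.*" line comes first and the specific rules later.

# Constructed table in the layout of /etc/selinux/targeted/contexts/files/file_contexts.
FILE_CONTEXTS='
/.*                       system_u:object_r:default_t:s0
/[^/]+                 -- system_u:object_r:etc_runtime_t:s0
/a?quota\.(user|group) -- system_u:object_r:quota_db_t:s0
/etc/hosts             -- system_u:object_r:net_conf_t:s0
/var/www(/.*)?            system_u:object_r:httpd_sys_content_t:s0
'

# lookup_ctx PATH [FTYPE]: print the context the table assigns to PATH.
# FTYPE is "--" (regular file, the default) or "-d" (directory).
lookup_ctx() {
    path=$1; ftype=${2:---}; found='<<none>>'
    while read -r pat f2 f3; do
        [ -z "$pat" ] && continue
        # Three fields: pattern, file type, context. Two fields: no type filter.
        if [ -n "$f3" ]; then etype=$f2; ctx=$f3; else etype=''; ctx=$f2; fi
        [ -n "$etype" ] && [ "$etype" != "$ftype" ] && continue
        printf '%s\n' "$path" | grep -Eq "^$pat\$" && found=$ctx
    done <<EOF
$FILE_CONTEXTS
EOF
    printf '%s\n' "$found"
}

# ctx_type CONTEXT: the type field, e.g. system_u:object_r:admin_home_t:s0 -> admin_home_t
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# needs_restore PATH CURRENT_CTX [FTYPE]: succeed when the current label's type
# differs from the table's type, i.e. when "restorecon -v" would reset it.
needs_restore() {
    expected=$(lookup_ctx "$1" "${3:---}")
    [ "$(ctx_type "$2")" != "$(ctx_type "$expected")" ]
}

# The case from the post: a.html was moved into /var/www/html and kept its
# admin_home_t label, so httpd cannot serve it until it is relabeled.
needs_restore /var/www/html/a.html unconfined_u:object_r:admin_home_t:s0 &&
    echo "/var/www/html/a.html: expected $(lookup_ctx /var/www/html/a.html)"
```

Note that /etc/hosts queried as a directory falls back to default_t, because the "--" field limits that entry to regular files.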

The above covers the security context.

SELinux Policy
1. The getsebool command views the SELinux policy. Policy: rules that specify which files a process can access.
Example: get the local SELinux policy values, also called boolean values.
# getsebool -a
NetworkManager_disable_trans --> off
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on

Note: SELinux settings are typically done in two parts, the security context and the policy; the policy (boolean) values complement the security context.

Description: SELinux provides a number of boolean values that turn individual functional access items on or off. These values are stored in files under the /selinux/booleans/ directory and take only two values: 1 (on) or 0 (off).
Example: viewing boolean values
# ls /selinux/booleans/ | more
abrt_anon_write
abrt_handle_event
allow_console_login

# cat /selinux/booleans/allow_ftpd_anon_write
0 0
Description: set an SELinux boolean value
How to use: setsebool [-P] boolean value | bool1=val1 bool2=val2 bool3=val3 ...
Parameter: -P makes the setting permanent; otherwise the default value is restored after a reboot.

Example 1: Let system users who log in to FTP be switched to their home directory automatically.
Allow ordinary users to log in to FTP and upload and download files while SELinux is turned on.
# useradd rm
# echo 123456 | passwd --stdin rm

# yum -y install vsftpd
# service vsftpd start
# setenforce 1
Testing: log in to FTP as rm

Unable to log in.

Solution:
# getsebool -a | grep ftp_home
ftp_home_dir --> off
# setsebool -P ftp_home_dir=on

Example 2: Allow anonymous FTP users to log in and create files
By default vsftpd.conf only allows anonymous users to log in and download; uploads are not allowed.

Modify the FTP configuration file to turn on uploading and writing.

# service vsftpd restart
Test:
Creating a file still fails; the error says permission denied.

Change SELinux:
# setenforce 0
# chmod 777 /var/ftp/pub/

# getsebool -a | grep allow_ftpd
allow_ftpd_anon_write --> off
# setsebool -P allow_ftpd_anon_write=on

Test again:
# setenforce 1

Fix by modifying the file type:
# ls -Zd /var/ftp/pub/
drwxrwxrwx. root root system_u:object_r:public_content_t:s0 /var/ftp/pub/
# chcon -t public_content_rw_t /var/ftp/pub/