Tinkering with SELinux on CentOS 6.x

Source: Internet
Author: User

SELinux is short for Security-Enhanced Linux. Traditional Linux permissions control the rwx bits of files and directories for the owner, the group and others, whereas SELinux adds mandatory access control: it governs which processes may access which files and directories on a given file system, through a large set of policy rules.

SELinux decides whether a process may access a file based on the security context of the process and of the file. A security context has three parts, user:role:type; with SELINUXTYPE=targeted only the type field is actually used for access decisions. The SELinux configuration file is /etc/selinux/config, with the following content:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

The SELinux management tools need to be installed:

yum install policycoreutils-python setools-console setroubleshoot setroubleshoot-server

View the current status of SELinux:

[root@centos ~]# getenforce
Enforcing

If the status is Enforcing, SELinux is active. If it is Disabled or Permissive, enable it with the command below (Permissive means that an access violating SELinux policy only produces a warning message and is not actually blocked):

Set SELinux to enforcing:

[root@centos ~]# setenforce 1

Reboot and wait for the file system labels to be created. If SELinux was previously disabled, setenforce cannot switch it on; set SELINUX=enforcing in /etc/selinux/config and reboot, and the relabeling on that first boot takes a while.

View the process's security context:

[root@centos ~]# ps aux -Z | grep httpd
unconfined_u:system_r:httpd_t:s0 root     6056  0.0  0.3  11672  3504 ?        Ss   15:31   0:03 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   6061  0.0  0.2  11804  2664 ?        S    15:31   0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   6062  0.0  0.2  11672  2132 ?        S    15:31   0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   6063  0.0  0.2  11804  2664 ?        S    15:31   0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   6064  0.0  0.2  11804  2780 ?        S    15:31   0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   6065  0.0  0.2  11672  2132 ?        S    15:31   0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   6066  0.0  0.2  11672  2132 ?        S    15:31   0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   6067  0.0  0.2  11672  2132 ?        S    15:31   0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   6068  0.0  0.2  11672  2132 ?        S    15:31   0:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 6845 0.0  0.0 4340 752 pts/0 S+ 18:16   0:00 grep httpd

View the security context of a directory:

[root@centos ~]# ls -dZ /var/www/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/

List the policy statistics with seinfo, including the number of users, roles and types that can appear in security contexts, as well as the number of booleans (the switchable rule sets):

[root@centos ~]# seinfo

Statistics for policy file: /etc/selinux/targeted/policy/policy.24
Policy Version & Type: v.24 (binary, mls)

   Classes:            81    Permissions:       235
   Sensitivities:       1    Categories:       1024
   Types:            3488    Attributes:        273
   Users:               9    Roles:              12
   Booleans:          187    Cond. Expr.:       222
   Allow:          273920    Neverallow:          0
   Auditallow:         96    Dontaudit:      199904
   Type_trans:      23469    Type_change:        38
   Type_member:        48    Role allow:         20
   Role_trans:        291    Range_trans:      3993
   Constraints:        87    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             22
   Genfscon:           81    Portcon:           426
   Netifcon:            0    Nodecon:             0
   Permissives:        59    Polcap:              2

List the names of all booleans:

[root@centos ~]# seinfo -b

Conditional Booleans: 187
   allow_domain_fd_use
   allow_ftpd_full_access
   allow_sysadm_exec_content
   allow_user_exec_content
   allow_zebra_write_config
   cdrecord_read_content
   fcron_crond
   httpd_manage_ipa
   httpd_use_openstack
   mmap_low_allowed
   samba_share_fusefs
   sepgsql_enable_users_ddl
   abrt_handle_event
   allow_ftpd_use_cifs
   allow_httpd_mod_auth_pam
   allow_java_execstack
   cron_can_relabel
   .......

Check whether a boolean is enabled:

[root@centos ~]# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> off

Turn a boolean on (-P makes the change persistent across reboots):

[root@centos ~]# setsebool -P httpd_enable_homedirs=1
[root@centos ~]# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> on

View the rules a boolean switches on, that is, which process type is allowed which accesses on which file type:

[root@centos ~]# sesearch -b httpd_enable_homedirs --all
ERROR: Cannot get avrules: Neverallow rules requested but not available
Found 46 semantic av rules:
   allow httpd_sys_script_t home_root_t : dir { getattr search open } ;
   allow httpd_sys_script_t home_root_t : lnk_file { read getattr } ;
   allow httpd_suexec_t user_home_dir_t : dir { getattr search open } ;
   allow httpd_suexec_t user_home_dir_t : lnk_file { read getattr } ;
   allow httpd_suexec_t autofs_t : dir { ioctl read getattr lock search open } ;
   allow httpd_suexec_t cifs_t : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow httpd_suexec_t cifs_t : dir { ioctl read getattr lock search open } ;
   allow httpd_suexec_t cifs_t : lnk_file { read getattr } ;
   allow httpd_suexec_t nfs_t : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow httpd_suexec_t nfs_t : dir { ioctl read getattr lock search open } ;
   allow httpd_suexec_t nfs_t : lnk_file { read getattr } ;
   allow httpd_t user_home_t : file { ioctl read getattr lock open } ;
   .............

SELinux ships default contexts for much of the file system. Use semanage to list the default security context rules for all paths on the system:

[root@centos ~]# semanage fcontext -l
SELinux fcontext                                   type               Context
/                                                  directory          system_u:object_r:root_t:s0
/.*                                                all files          system_u:object_r:default_t:s0
/[^/]+                                             regular file       system_u:object_r:etc_runtime_t:s0
/\.autofsck                                        regular file       system_u:object_r:etc_runtime_t:s0
/\.autorelabel                                     regular file       system_u:object_r:etc_runtime_t:s0
/\.journal                                         all files          <<None>>
/\.suspended                                       regular file       system_u:object_r:etc_runtime_t:s0
/a?quota\.(user|group)                             regular file       system_u:object_r:quota_db_t:s0
/afs                                               directory          system_u:object_r:mnt_t:s0
/bin                                               directory          system_u:object_r:bin_t:s0
/bin/.*                                            all files          system_u:object_r:bin_t:s0
/bin/alsaunmute                                    regular file       system_u:object_r:alsa_exec_t:s0
/bin/bash                                          regular file       system_u:object_r:shell_exec_t:s0
...............

Add a default security context rule for a directory:

[root@centos ~]# semanage fcontext -a -t public_content_t "/srv/test(/.*)?"

The above command records public_content_t as the default type for /srv/test and everything below it. It only changes the stored default; run restorecon -R /srv/test to apply it to files that already exist.

Change the security context of a file:

[root@centos ~]# chcon -t var_t /var/www/html/index.html
[root@centos ~]# ll -Z /var/www/html/index.html
-rw-r--r--. root root unconfined_u:object_r:var_t:s0   /var/www/html/index.html

The above command changes the type of /var/www/html/index.html to var_t.

You can use the restorecon command to reset a file to the default security context defined for its directory. First, check the default context for /var/www:

[root@centos ~]# semanage fcontext -l | grep /var/www
/var/www(/.*)?                                     all files          system_u:object_r:httpd_sys_content_t:s0
/var/www/[^/]*/cgi-bin(/.*)?                       all files          system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/apcupsd/multimon\.cgi                     regular file       system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0
/var/www/apcupsd/upsfstats\.cgi                    regular file       system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0
.............

Use restorecon to reset all files and directories under /var/www to their defaults:

[root@centos ~]# restorecon -Rv /var/www
restorecon reset /var/www/html/index.html context unconfined_u:object_r:var_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

------------------------------
SELinux records denials in log files. The messages are written to /var/log/messages and /var/log/setroubleshoot (setroubleshoot derives them from the AVC records that auditd keeps in /var/log/audit/audit.log). Restart the auditd service to make sure SELinux logging is active:

[root@centos ~]# /etc/init.d/auditd restart

View the SELinux error messages:

[root@centos ~]# cat /var/log/messages | grep setroubleshoot
Aug  9 17:46:47 centos yum[6590]: Installed: setroubleshoot-plugins-3.0.40-1.el6.noarch
Aug  9 17:46:50 centos yum[6590]: Installed: setroubleshoot-server-3.0.47-3.el6_3.i686
Aug  9 17:46:54 centos yum[6590]: Installed: setroubleshoot-3.0.47-3.el6_3.i686
Aug  9 17:58:57 centos setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l c7a436a1-a114-4659-91a9-4155b1003dd7
Aug  9 17:58:58 centos setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l c7a436a1-a114-4659-91a9-4155b1003dd7
Aug  9 18:00:35 centos setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l c7a436a1-a114-4659-91a9-4155b1003dd7
Aug  9 18:00:36 centos setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l c7a436a1-a114-4659-91a9-4155b1003dd7

Run sealert to see the suggested fix:

[root@centos ~]# sealert -l c7a436a1-a114-4659-91a9-4155b1003dd7
SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html.

*****  Plugin restorecon (99.5 confidence) suggests  *************************

If you want to fix the label.
/var/www/html/index.html default label should be httpd_sys_content_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/www/html/index.html

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that httpd should be allowed getattr access on the index.html file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

The report spells out how to resolve the problem: the restorecon plugin (99.5 confidence) recommends running restorecon to reset index.html to its default label. Prefer that over the low-confidence catchall suggestion, whose audit2allow module would permit whatever httpd was denied instead of correcting the mislabeled file.
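A small helper, added here and not part of the original post, that collapses the repeated setroubleshoot lines from /var/log/messages into one summary per alert ID so each distinct denial is investigated once. The sample log lines are constructed; the second alert (the all-ones ID and the port 3306 denial) is invented to show a denial that is not a labeling problem.

```shell
#!/bin/sh
# Added example, not from the original post: reduce the repeated
# setroubleshoot lines in /var/log/messages to one summary line per alert,
# so each distinct denial is looked at (and "sealert -l ID" run) only once.

# Constructed sample in the format shown above; the second alert ID and the
# port 3306 denial are made up to show a denial that is not a label problem.
SAMPLE_MESSAGES='Aug  9 17:46:47 centos yum[6590]: Installed: setroubleshoot-3.0.47-3.el6_3.i686
Aug  9 17:58:57 centos setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l c7a436a1-a114-4659-91a9-4155b1003dd7
Aug  9 17:58:58 centos setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l c7a436a1-a114-4659-91a9-4155b1003dd7
Aug  9 18:03:10 centos setroubleshoot: SELinux is preventing /usr/sbin/httpd from name_connect access on the tcp_socket port 3306. For complete SELinux messages. run sealert -l 11111111-2222-3333-4444-555555555555'

# summarize_denials: read syslog lines on stdin and print
# "<count> <alert-id> <source> <permission> <class and target>" per alert ID,
# sorted by ID. Lines that are not setroubleshoot denials are ignored.
summarize_denials() {
    sed -n 's/.*SELinux is preventing \([^ ]*\) from \([^ ]*\) access on the \(.*\)\. For complete SELinux messages\. run sealert -l \([0-9a-f-]*\).*/\4|\1|\2|\3/p' |
    awk -F'|' '{ n[$1]++; d[$1] = $2 " " $3 " " $4 }
               END { for (id in n) print n[id], id, d[id] }' |
    sort -k2
}

printf '%s\n' "$SAMPLE_MESSAGES" | summarize_denials
```

On a live system, feed it with `grep setroubleshoot /var/log/messages | summarize_denials`.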

------------------------------
The following is a simple experiment with the httpd web service. Install httpd first:

[root@centos ~]# yum install httpd
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: mirrors.ta139.com
 * extras: mirrors.ta139.com
 * updates: mirrors.ta139.com
Setting up Install Process
Package httpd-2.2.15-15.el6.centos.1.i686 already installed and latest version
Nothing to do

Start the httpd service:

[root@centos ~]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

Check that httpd is listening on port 80:

[root@centos ~]# netstat -tupln | grep httpd
tcp        0      0 :::80                       :::*                        LISTEN      9587/httpd

Create an index.html file in root's home directory, /root:

[root@centos ~]# echo "Test for selinux" > index.html 

View its context:

[root@centos ~]# ls -Z index.html
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 index.html

We can see that its type is admin_home_t, the security context inherited from the /root directory.

Copy it to /var/www/html:

[root@centos ~]# cp -a index.html  /var/www/html/

Note that we used the -a option of cp, which preserves the security context of the source file:

[root@centos ~]# ll -Z /var/www/html/index.html
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/index.html

Use links to fetch the page:

[root@centos ~]# links http://localhost/index.html -dump
                                   Forbidden

   You don't have permission to access /index.html on this server.

   --------------------------------------------------------------------------

    Apache/2.2.15 (CentOS) Server at localhost Port 80

As expected, access is denied. At this point you could go straight to /var/log/messages to find the cause.

Let's first check the context of the httpd process:

[root@centos ~]# ps aux -Z | grep httpd
unconfined_u:system_r:httpd_t:s0 apache   9590  0.0  0.2  11804  2852 ?        S    10:38   0:00 /usr/sbin/httpd

Check whether httpd_t is allowed to access files of type admin_home_t:

[root@centos ~]# sesearch --all | grep "allow httpd_t admin_home_t"
ERROR: Cannot get avrules: Neverallow rules requested but not available

The query returns no allow rule (the ERROR line only means that neverallow rules are not kept in the binary policy), so the httpd process is denied access.

Check whether httpd_t is allowed to access files of type httpd_sys_content_t:

[root@centos ~]# sesearch --all | grep "allow httpd_t httpd_sys_content_t"
ERROR: Cannot get avrules: Neverallow rules requested but not available
   allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
   allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search open } ;
   allow httpd_t httpd_sys_content_t : lnk_file { read getattr } ;
   allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
   allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search open } ;
   allow httpd_t httpd_sys_content_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
   allow httpd_t httpd_sys_content_t : lnk_file { read getattr } ;

Now restore /var/www/html/index.html to its default context:

[root@centos ~]# restorecon -Rv /var/www/html/
restorecon reset /var/www/html/index.html context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

Access it again:

[root@centos ~]# links http://localhost/index.html -dump
   Test for selinux

OK.
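An added example (not from the original post) that reproduces offline the check restorecon -n performs in this experiment: it matches each path from a constructed ls -Z listing against the two /var/www file-context rules from the semanage output above and reports files whose type differs from the default. The "regex context" rule-table format and the longest-regex-wins selection are simplifications assumed here.

```shell
#!/bin/sh
# Added example, not from the original post: an offline approximation of
# what "restorecon -nv" reports, using constructed ls -Z output and two
# file-context rules copied from the semanage output shown earlier.

# ctx_part CONTEXT N: Nth colon-separated field of a security context
# (1 = SELinux user, 2 = role, 3 = type, 4 onward = MLS range).
ctx_part() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Constructed rule table in "regex context" form (semanage fcontext -l
# prints the same regexes; the "type of file" column is left out here).
FCONTEXT_RULES='/var/www(/.*)? system_u:object_r:httpd_sys_content_t:s0
/var/www/[^/]*/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0'

# expected_type PATH: type of the longest (most specific) rule whose regex
# matches the whole path; empty when no rule applies. Simplification: the
# real file_contexts matcher uses its own specificity ordering.
expected_type() {
    path=$1 best= bestlen=0
    while read -r re ctx; do
        if printf '%s\n' "$path" | grep -Eqx "$re" && [ ${#re} -gt "$bestlen" ]; then
            best=$(ctx_part "$ctx" 3) bestlen=${#re}
        fi
    done <<EOF
$FCONTEXT_RULES
EOF
    printf '%s\n' "$best"
}

# Constructed ls -Z listing: index.html was copied from /root with cp -a and
# kept admin_home_t; the other two files carry their correct default types.
SAMPLE_LS_Z='-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/index.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/about.html
-rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/html/cgi-bin/test.cgi'

# check_labels: read ls -Z lines on stdin and print "path current -> expected"
# for every file whose type differs from the rule table (paths with no
# matching rule are skipped, as restorecon skips <<None>> entries).
check_labels() {
    while read -r perms user group ctx path; do
        [ -n "$path" ] || continue
        cur=$(ctx_part "$ctx" 3)
        exp=$(expected_type "$path")
        [ -z "$exp" ] || [ "$cur" = "$exp" ] || printf '%s %s -> %s\n' "$path" "$cur" "$exp"
    done
}

printf '%s\n' "$SAMPLE_LS_Z" | check_labels
```

On a real host, `ls -Z /var/www/html/* | check_labels` gives the same report without touching any label, which is also what `restorecon -Rnv /var/www` does.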
