SELinux is short for Security-Enhanced Linux. The traditional Linux permission model controls access through the owner, group, and other rwx bits of files and directories, while SELinux adds mandatory access control on top of that: it controls which processes may access which files and directories by means of a large set of policy rules.
SELinux decides whether a process may access a file by comparing the security context of the process with the security context of the file. A security context has three main parts, user:role:type (followed by an MLS level such as s0). When SELINUXTYPE=targeted, only the type part of the context is used in access decisions. The SELinux configuration file is /etc/selinux/config, with the following content:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#     targeted - Only targeted network daemons are protected.
#     strict - Full SELinux protection.
SELINUXTYPE=targeted
Necessary SELinux tools need to be installed:
yum install policycoreutils-python setools-console setroubleshoot setroubleshoot-server
View the current status of SELinux:
[root@centos ~]# getenforce
Enforcing
If the status is Enforcing, SELinux is enabled and enforcing policy. If the status is Permissive or Disabled, switch it to enforcing with the command below (permissive means that accesses which violate policy are only logged with a warning and are not actually blocked; setenforce can only toggle between permissive and enforcing, so from disabled you must also set SELINUX=enforcing in /etc/selinux/config and reboot):
Set SELinux to enforcing:
[root@centos ~]# setenforce 1
Restart the machine and wait for the file system relabel to finish, which creates the SELinux labels on every file.
View the process's security context:
[root@centos ~]# ps aux -Z | grep httpd
unconfined_u:system_r:httpd_t:s0 root 6056 0.0 0.3 11672 3504 ? Ss 15:31 0:03 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 6061 0.0 0.2 11804 2664 ? S 15:31 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 6062 0.0 0.2 11672 2132 ? S 15:31 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 6063 0.0 0.2 11804 2664 ? S 15:31 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 6064 0.0 0.2 11804 2780 ? S 15:31 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 6065 0.0 0.2 11672 2132 ? S 15:31 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 6066 0.0 0.2 11672 2132 ? S 15:31 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 6067 0.0 0.2 11672 2132 ? S 15:31 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 6068 0.0 0.2 11672 2132 ? S 15:31 0:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 6845 0.0 0.0 4340 752 pts/0 S+ 18:16 0:00 grep httpd
View the security context of the directory:
[root@centos ~]# ls -dZ /var/www/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/
List the statistics of the loaded SELinux policy, including the number of users, roles, and types used in security contexts, as well as the number of rules (booleans):
[root@centos ~]# seinfo
Statistics for policy file: /etc/selinux/targeted/policy/policy.24
Policy Version & Type: v.24 (binary, mls)

   Classes:            81    Permissions:       235
   Sensitivities:       1    Categories:       1024
   Types:            3488    Attributes:        273
   Users:               9    Roles:              12
   Booleans:          187    Cond. Expr.:       222
   Allow:          273920    Neverallow:          0
   Auditallow:         96    Dontaudit:      199904
   Type_trans:      23469    Type_change:        38
   Type_member:        48    Role allow:         20
   Role_trans:        291    Range_trans:      3993
   Constraints:        87    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             22
   Genfscon:           81    Portcon:           426
   Netifcon:            0    Nodecon:             0
   Permissives:        59    Polcap:              2
List all rule (boolean) names:
[root@centos ~]# seinfo -b
Conditional Booleans: 187
   allow_domain_fd_use
   allow_ftpd_full_access
   allow_sysadm_exec_content
   allow_user_exec_content
   allow_zebra_write_config
   cdrecord_read_content
   fcron_crond
   httpd_manage_ipa
   httpd_use_openstack
   mmap_low_allowed
   samba_share_fusefs
   sepgsql_enable_users_ddl
   abrt_handle_event
   allow_ftpd_use_cifs
   allow_httpd_mod_auth_pam
   allow_java_execstack
   cron_can_relabel
   .......
Check whether a rule (boolean) is enabled:
[root@centos ~]# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> off
Enable a rule (the -P option makes the change persistent across reboots):
[root@centos ~]# setsebool -P httpd_enable_homedirs=1
[root@centos ~]# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> on
View the details of a rule, that is, the allow rules it switches on, each of which permits a process security context type to access a file security context type:
[root@centos ~]# sesearch -b httpd_enable_homedirs --all
ERROR: Cannot get avrules: Neverallow rules requested but not available
Found 46 semantic av rules:
   allow httpd_sys_script_t home_root_t : dir { getattr search open } ;
   allow httpd_sys_script_t home_root_t : lnk_file { read getattr } ;
   allow httpd_suexec_t user_home_dir_t : dir { getattr search open } ;
   allow httpd_suexec_t user_home_dir_t : lnk_file { read getattr } ;
   allow httpd_suexec_t autofs_t : dir { ioctl read getattr lock search open } ;
   allow httpd_suexec_t cifs_t : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow httpd_suexec_t cifs_t : dir { ioctl read getattr lock search open } ;
   allow httpd_suexec_t cifs_t : lnk_file { read getattr } ;
   allow httpd_suexec_t nfs_t : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow httpd_suexec_t nfs_t : dir { ioctl read getattr lock search open } ;
   allow httpd_suexec_t nfs_t : lnk_file { read getattr } ;
   allow httpd_t user_home_t : file { ioctl read getattr lock open } ;
   .............
SELinux ships default labels for the file system. Use semanage to view the default security context registered for every path on the system:
[root@centos ~]# semanage fcontext -l
SELinux fcontext                  type           Context
/                                 directory      system_u:object_r:root_t:s0
/.*                               all files      system_u:object_r:default_t:s0
/[^/]+                            regular file   system_u:object_r:etc_runtime_t:s0
/\.autofsck                       regular file   system_u:object_r:etc_runtime_t:s0
/\.autorelabel                    regular file   system_u:object_r:etc_runtime_t:s0
/\.journal                        all files      <<None>>
/\.suspended                      regular file   system_u:object_r:etc_runtime_t:s0
/a?quota\.(user|group)            regular file   system_u:object_r:quota_db_t:s0
/afs                              directory      system_u:object_r:mnt_t:s0
/bin                              directory      system_u:object_r:bin_t:s0
/bin/.*                           all files      system_u:object_r:bin_t:s0
/bin/alsaunmute                   regular file   system_u:object_r:alsa_exec_t:s0
/bin/bash                         regular file   system_u:object_r:shell_exec_t:s0
...............
Add the default security context of a directory:
[root@centos ~]# semanage fcontext -a -t public_content_t "/srv/test(/.*)?"
The above command registers public_content_t as the default security context type for /srv/test and everything below it (the label is applied to existing files when restorecon is run on that path).
Change the security context of a file:
[root@centos ~]# chcon -t var_t /var/www/html/index.html
[root@centos ~]# ll -Z /var/www/html/index.html
-rw-r--r--. root root unconfined_u:object_r:var_t:s0 /var/www/html/index.html
The above command changes the type of /var/www/html/index.html to var_t.
You can use the restorecon command to restore a file to the default security context registered for its directory.
First, check the default context of /var/www:
[root@centos ~]# semanage fcontext -l | grep /var/www
/var/www(/.*)?                       all files      system_u:object_r:httpd_sys_content_t:s0
/var/www/[^/]*/cgi-bin(/.*)?         all files      system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/apcupsd/multimon\.cgi       regular file   system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0
/var/www/apcupsd/upsfstats\.cgi      regular file   system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0
.............
Use restorecon to reset all files and directories under /var/www to their default contexts:
[root@centos ~]# restorecon -Rv /var/www
restorecon reset /var/www/html/index.html context unconfined_u:object_r:var_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
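To make the relationship between the semanage fcontext table and what restorecon does concrete, here is an added shell example (not part of the original post) that replays the check offline: it takes a constructed fcontext table in the format printed above, a constructed `ls -Z` listing, and reports which files restorecon would reset. It assumes that specs are anchored regular expressions and that the last matching spec wins, as restorecon does with file_contexts, and it ignores the "file type" column for simplicity.

```shell
# Constructed fcontext table, in the layout of `semanage fcontext -l`
# (regex, file type, context). Sample data for this example only.
FCONTEXT_SPECS='/var/www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
/var/www/[^/]*/cgi-bin(/.*)? all files system_u:object_r:httpd_sys_script_exec_t:s0'

# Constructed `ls -Z` listing: index.html was relabelled to var_t with chcon,
# the other two files carry their correct default labels.
LS_Z='-rw-r--r--. root root unconfined_u:object_r:var_t:s0 /var/www/html/index.html
-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 /var/www/site/cgi-bin/env.cgi
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/about.html'

# default_type PATH -> the type of the last spec whose regex matches PATH
# (empty when no spec matches). Assumption: last match wins, like file_contexts.
default_type() {
    printf '%s\n' "$FCONTEXT_SPECS" | awk -v path="$1" '
        { if (path ~ ("^" $1 "$")) { split($NF, c, ":"); t = c[3] } }
        END { print t }'
}

# check_labels: compare the actual type of every listed file with its default
# and print one "reset PATH ACTUAL->DEFAULT" line per mislabelled file, which
# is the information restorecon -Rnv would report without changing anything.
check_labels() {
    printf '%s\n' "$LS_Z" | while read -r perms owner group ctx path; do
        actual=${ctx#*:*:}        # drop user and role: "var_t:s0"
        actual=${actual%%:*}      # drop the level:       "var_t"
        want=$(default_type "$path")
        if [ -n "$want" ] && [ "$actual" != "$want" ]; then
            echo "reset $path $actual->$want"
        fi
    done
}

check_labels
```

Running it prints only the index.html line: env.cgi matches both specs, and because the more specific cgi-bin spec comes last it wins, so the file is correctly labelled httpd_sys_script_exec_t rather than httpd_sys_content_t.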
------------------------------
SELinux records denials in log files. The messages are written to /var/log/messages and /var/log/setroubleshoot; restart the auditd service to enable SELinux logging:
[root@centos ~]# /etc/init.d/auditd restart
View the SELinux error messages:
[root@centos ~]# cat /var/log/messages | grep setroubleshoot
Aug  9 17:46:47 centos yum[6590]: Installed: setroubleshoot-plugins-3.0.40-1.el6.noarch
Aug  9 17:46:50 centos yum[6590]: Installed: setroubleshoot-server-3.0.47-3.el6_3.i686
Aug  9 17:46:54 centos yum[6590]: Installed: setroubleshoot-3.0.47-3.el6_3.i686
Aug  9 17:58:57 centos setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l c7a436a1-a114-4659-91a9-4155b1003dd7
Aug  9 17:58:58 centos setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l c7a436a1-a114-4659-91a9-4155b1003dd7
Aug  9 18:00:35 centos setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l c7a436a1-a114-4659-91a9-4155b1003dd7
Aug  9 18:00:36 centos setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l c7a436a1-a114-4659-91a9-4155b1003dd7
Run sealert to see the suggested fix:
[root@centos ~]# sealert -l c7a436a1-a114-4659-91a9-4155b1003dd7
SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html.

*****  Plugin restorecon (99.5 confidence) suggests  *************************

If you want to fix the label.
/var/www/html/index.html default label should be httpd_sys_content_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/www/html/index.html

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that httpd should be allowed getattr access on the index.html file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
The output already contains the solution: the highest-confidence suggestion (the restorecon plugin) is to restore index.html to its default label with restorecon.
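The setroubleshoot lines above repeat the same denial several times, so the first step in triage is usually to collapse them into distinct alerts. The following shell helper is an added example (not from the original post) that works offline on constructed log lines in the exact format shown above: it extracts the unique sealert ids to look up, and summarises the denials by source, access, and target. The second alert id is a placeholder made up for this example.

```shell
# Constructed sample of /var/log/messages lines in the format shown on this page.
# The yum line is there to show that non-denial lines are ignored; the second
# alert id is a made-up placeholder, not a real alert.
MESSAGES='Aug  9 17:46:54 centos yum[6590]: Installed: setroubleshoot-3.0.47-3.el6_3.i686
Aug  9 17:58:57 centos setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l c7a436a1-a114-4659-91a9-4155b1003dd7
Aug  9 17:58:58 centos setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l c7a436a1-a114-4659-91a9-4155b1003dd7
Aug  9 18:00:35 centos setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l 00000000-1111-2222-3333-444444444444'

# sealert_ids: the distinct alert ids, one per line; each is an argument for
# `sealert -l ID`. On a live system replace the printf with: grep setroubleshoot /var/log/messages
sealert_ids() {
    printf '%s\n' "$MESSAGES" \
      | sed -n 's/.*sealert -l \([0-9a-f-]*\).*/\1/p' \
      | sort -u
}

# denial_summary: one line per distinct (source, access, class, target) with a
# repetition count, e.g. "/usr/sbin/httpd getattr file /var/www/html/index.html x2"
denial_summary() {
    printf '%s\n' "$MESSAGES" \
      | sed -n 's/.*SELinux is preventing \([^ ]*\) from \([^ ]*\) access on the \([^ ]*\) \([^ ]*\)\..*/\1 \2 \3 \4/p' \
      | sort | uniq -c \
      | awk '{ print $2, $3, $4, $5, "x" $1 }'
}

echo "alert ids to inspect:"
sealert_ids
echo "denials:"
denial_summary
```

Both functions only read the log; the decision of whether a denial is a mislabelling (fix with restorecon) or a genuinely needed access (policy change) still comes from reading the sealert output for each id.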
------------------------------
The following is a simple experiment with the httpd web service.
Install httpd first:
[root@centos ~]# yum install httpd
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: mirrors.ta139.com
 * extras: mirrors.ta139.com
 * updates: mirrors.ta139.com
Setting up Install Process
Package httpd-2.2.15-15.el6.centos.1.i686 already installed and latest version
Nothing to do
Start the httpd service:
[root@centos ~]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
Check that httpd is listening on port 80:
[root@centos ~]# netstat -tupln | grep httpd
tcp        0      0 :::80                       :::*                        LISTEN      9587/httpd
Create an index.html file in root's home directory (/root):
[root@centos ~]# echo "Test for selinux" > index.html
View its context:
[root@centos ~]# ls -Z index.html
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 index.html
Its type is admin_home_t, the security context inherited from the /root directory.
Copy it to /var/www/html:
[root@centos ~]# cp -a index.html /var/www/html/
Note that we use the -a option for cp, which preserves the security context of the source file, so the copy keeps admin_home_t instead of inheriting httpd_sys_content_t from the destination directory:
[root@centos ~]# ll -Z /var/www/html/index.html
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/index.html
Use links to access this page:
[root@centos ~]# links http://localhost/index.html -dump
                                   Forbidden

   You don't have permission to access /index.html on this server.
     --------------------------------------------------------------------------

    Apache/2.2.15 (CentOS) Server at localhost Port 80
As expected, access is denied. In this case, you can look at /var/log/messages directly to diagnose the problem.
Let's first check the context of the httpd process:
[root@centos ~]# ps aux -Z | grep httpd
unconfined_u:system_r:httpd_t:s0 apache 9590 0.0 0.2 11804 2852 ? S 10:38 0:00 /usr/sbin/httpd
Check whether httpd_t is allowed to access files of type admin_home_t:
[root@centos ~]# sesearch --all | grep "allow httpd_t admin_home_t"
ERROR: Cannot get avrules: Neverallow rules requested but not available
The query finds no such allow rule (the ERROR line is only sesearch complaining that neverallow rules are not stored in the binary policy; the remaining rule types are still searched), so the httpd process is blocked.
Check whether httpd_t is allowed to access files of type httpd_sys_content_t:
[root@centos ~]# sesearch --all | grep "allow httpd_t httpd_sys_content_t"
ERROR: Cannot get avrules: Neverallow rules requested but not available
   allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
   allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search open } ;
   allow httpd_t httpd_sys_content_t : lnk_file { read getattr } ;
   allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
   allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search open } ;
   allow httpd_t httpd_sys_content_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
   allow httpd_t httpd_sys_content_t : lnk_file { read getattr } ;
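The two sesearch queries above (and the boolean query earlier on this page) all come down to the same question: is there an allow rule whose source type, target type, object class, and permission set cover the access being attempted? The following shell helper is an added example (not part of the original post) that answers that question offline over constructed sesearch output in the "allow src tgt : class { perms } ;" format shown on this page, including the ERROR line that sesearch prints when neverallow rules are unavailable. The sample rules are copied from the output above; nothing here queries the live policy.

```shell
# Constructed sesearch output: the ERROR line plus allow rules in the format
# printed by sesearch on this page (one file rule is deliberately duplicated,
# as in the real output above). Sample data for this example only.
SESEARCH_OUTPUT='ERROR: Cannot get avrules: Neverallow rules requested but not available
allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search open } ;
allow httpd_t httpd_sys_content_t : lnk_file { read getattr } ;
allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
allow httpd_t user_home_t : file { ioctl read getattr lock open } ;'

# list_perms SRC TGT CLASS -> the union of permissions granted by every
# matching allow rule, sorted and space-separated; empty when no rule matches.
# Field layout of a rule line: allow(1) src(2) tgt(3) :(4) class(5) {(6) perms... } ;
list_perms() {
    printf '%s\n' "$SESEARCH_OUTPUT" | awk -v s="$1" -v t="$2" -v c="$3" '
        $1 != "allow" { next }                 # skip the ERROR line and anything else
        $2 == s && $3 == t && $5 == c {
            for (i = 7; i <= NF && $i != "}"; i++) if (!seen[$i]++) print $i
        }' | sort | tr '\n' ' ' | sed 's/ $//'
}

# is_allowed SRC TGT CLASS PERM -> prints the verdict; exit status 0 when an
# allow rule grants PERM, 1 when none does (the denial case seen on this page)
is_allowed() {
    case " $(list_perms "$1" "$2" "$3") " in
        *" $4 "*) echo "allowed: $1 -> $2 $3 $4"; return 0 ;;
        *)        echo "denied:  $1 -> $2 $3 $4 (no allow rule)"; return 1 ;;
    esac
}

# The two checks from the experiment: admin_home_t is denied, httpd_sys_content_t is allowed.
is_allowed httpd_t admin_home_t file getattr
is_allowed httpd_t httpd_sys_content_t file getattr
```

The denied case is exactly what the first sesearch query showed: with no allow rule for httpd_t on admin_home_t there is nothing to match, so the only correct fix is to relabel the file, not to relax the policy.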
Now restore /var/www/html/index.html:
[root@centos ~]# restorecon -Rv /var/www/html/
restorecon reset /var/www/html/index.html context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
Access it again:
[root@centos ~]# links http://localhost/index.html -dump
   Test for selinux
OK.