Using two cases to get a preliminary understanding of how SELinux works in Linux
SELinux is a mandatory access control (MAC) system provided in Linux kernel 2.6. Of the currently available Linux security modules, SELinux is the most comprehensive and most thoroughly tested; it was built on 20 years of MAC research. SELinux combines multi-level security or an optional multi-category policy on top of a type enforcement (TE) server, and adopts the concept of role-based access control.
SELinux is configured in /etc/sysconfig/selinux by default (on RHEL this path is a symbolic link to /etc/selinux/config).
Three modes (levels) are available by default.
Enforcing: the SELinux security policy is loaded and enforced. Any access by a service or program that violates the policy is blocked by SELinux.
Permissive: the SELinux security policy is loaded, but accesses that violate it are not blocked; SELinux only logs a warning (a denial message) for each of them.
Disabled: SELinux is turned off, which is the same as if SELinux were not installed on the system.
Generally, you can use getenforce to view the current SELinux mode, and setenforce 0 or 1 to switch it at run time: 0 means Permissive and 1 means Enforcing. Switching between Disabled and the other two modes cannot be done with the command; only the configuration file can be modified, and the system must be restarted for that modification to take effect.
If you want to use some of the commands that manage SELinux, you must install the setroubleshoot package. You can install it directly from the installation CD. Because it has many dependencies, we recommend creating a yum repository that points to the CD and installing the package through yum.
Next, we illustrate SELinux's security mechanism with two preliminary cases.
Case 1: vsftpd cannot be accessed by an ordinary user while SELinux is in Enforcing mode.
Install the vsftpd package to provide the FTP service to clients. vsftpd is installed automatically by default during a RHEL 6 desktop installation; if it is not, install it with the rpm command or from a yum repository. Start the vsftpd service after the installation is complete.
By default, the FTP access directory of an ordinary Linux user is that user's home directory. For the test, create a few files there, and first set SELinux to Permissive mode.
On Windows, open ftp://192.168.100.101/ and enter the username and password of an ordinary user; the user's home directory is accessible.
Now we set SELinux to Enforcing.
Access as the ordinary user now fails. Why? This is governed by an SELinux Boolean value.
We can see that SELinux is intervening here. Use man ftpd_selinux to view the SELinux access policy for ftpd.
The man page shows that the command "setsebool -P ftp_home_dir 1" enables this policy.
You can also run getsebool -a to view all the service access policies (Boolean values) managed by SELinux. ftp_home_dir is off by default, which means the request is denied.
Run setsebool -P ftp_home_dir 1 to turn on the ftp_home_dir Boolean (-P makes the change persistent across reboots).
Access now succeeds.
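The mode checks described earlier (getenforce/setenforce and the SELINUX= line of the configuration file) and the Boolean triage of Case 1 can be scripted. The following is an added example, not code from the original article: SAMPLE_CONFIG and SAMPLE_GETSEBOOL are constructed copies of the configuration file and of getsebool -a output so that the script runs offline; on a real host the same functions take the real file and the real command output. The functions current_booleans, booleans_off and fix_commands are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original article: read the configured SELinux
# mode, map setenforce arguments to mode names, and list which vsftpd
# Booleans are still off (as in Case 1), printing the setsebool fix for each.
# SAMPLE_CONFIG and SAMPLE_GETSEBOOL are CONSTRUCTED inputs for offline use.

# Constructed copy of the relevant lines of /etc/sysconfig/selinux.
SAMPLE_CONFIG='# SELINUX= can take one of these three values:
SELINUX=enforcing
SELINUXTYPE=targeted'

# Constructed output in the exact "name --> on|off" format of `getsebool -a`.
SAMPLE_GETSEBOOL='ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_full_access --> off
httpd_enable_homedirs --> off
httpd_can_network_connect --> on'

# configured_mode: print the SELINUX= value from config text read on stdin.
# This file is the only place Disabled can be switched to or from, and the
# change takes effect after a reboot, which is why setenforce cannot do it.
configured_mode() {
  sed -n 's/^SELINUX=//p'
}

# mode_name: map the numeric argument of setenforce to the mode name.
mode_name() {
  case "$1" in
    0) echo Permissive ;;
    1) echo Enforcing ;;
    *) echo "unknown mode: $1" >&2; return 1 ;;
  esac
}

# current_booleans: real `getsebool -a` when the tool exists, the constructed
# sample otherwise, so the rest of the script behaves the same offline.
current_booleans() {
  if command -v getsebool >/dev/null 2>&1; then
    getsebool -a
  else
    printf '%s\n' "$SAMPLE_GETSEBOOL"
  fi
}

# booleans_off: read getsebool-style lines on stdin and print the names of
# Booleans whose name starts with $1 and whose state is off.
booleans_off() {
  prefix="$1"
  while IFS= read -r line; do
    name=${line%% --> *}
    state=${line##* --> }
    case "$name" in
      "$prefix"*)
        if [ "$state" = off ]; then
          echo "$name"
        fi
        ;;
    esac
  done
}

# fix_commands: turn each Boolean name on stdin into the persistent setsebool
# command from the article (-P stores the change so it survives a reboot).
fix_commands() {
  while IFS= read -r name; do
    echo "setsebool -P $name 1"
  done
}

# Demonstration run on the constructed data.
printf '%s\n' "$SAMPLE_CONFIG" | configured_mode
current_booleans | booleans_off ftp | fix_commands
```

On a host with the SELinux tools, current_booleans uses the real getsebool -a output, so `current_booleans | booleans_off ftp` lists exactly the vsftpd Booleans that are still off; the printed setsebool lines are only suggestions and nothing is changed until you run them yourself.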
Case 2: with SELinux in Enforcing mode, start the web service and copy the site's home page index.html into the website root directory.
Install the httpd package. By default, the Apache httpd package is already installed in the RHEL 6.3 desktop edition.
By default, there is no website data in the /var/www/html/ directory, and the following is displayed on access.
In this directory, we write a home page index.html.
Set SELinux to Enforcing mode; the page can be accessed through a web browser.
Now copy an index.html file from another directory, such as /root, into the httpd root directory.
With SELinux in Permissive mode, it can be accessed.
With SELinux in Enforcing mode, it cannot be accessed. Why? This is governed by the SELinux context (label) of the file.
We can use ls -Z to view the context of the file. By default, a file created in any directory inherits the context of its parent directory. You can see that the copied index.html kept the context it inherited from /root, whereas the default context for a file created in /var/www/html/ is httpd_sys_content_t.
Use the chcon -t command to change the context type of index.html.
After the change, access works.
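The context check of Case 2 can likewise be scripted: parse ls -Z output, compare each file's type with the one httpd expects, and emit the chcon fix. The following is an added example, not code from the original article. SAMPLE_LS_Z is a constructed copy of RHEL 6 ls -Z output (the mismatched index.html carries admin_home_t, the default type under /root, which is an assumption for the sample; the article only says the file inherited the /root context). The function names context_type, mismatched_contexts and fix_commands are chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original article: find files in a web root whose
# SELinux type is not the one httpd expects (httpd_sys_content_t, as in the
# article) and print the chcon command that fixes each one.
# SAMPLE_LS_Z is a CONSTRUCTED copy of `ls -Z` output for offline use; on a
# real host pipe `ls -Z /var/www/html` into mismatched_contexts instead.

# Constructed `ls -Z` output: index.html copied from /root kept a /root type
# (admin_home_t assumed here), the other two entries are correctly labelled.
SAMPLE_LS_Z='-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 about.html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 images'

# context_type: extract the type (third field) of a user:role:type:level label.
context_type() {
  rest=${1#*:*:}                # drop "user:role:"
  printf '%s\n' "${rest%%:*}"   # keep "type", drop ":level"
}

# mismatched_contexts: read ls -Z lines on stdin and print "<name> <type>" for
# every entry whose type differs from $1. Lines without a label are skipped.
mismatched_contexts() {
  expected="$1"
  while IFS= read -r line; do
    label=""
    name=""
    # Split the line into fields: the label is the field containing
    # ":object_r:" and the file name is the last field.
    # shellcheck disable=SC2086
    set -- $line
    for field in "$@"; do
      case "$field" in
        *:object_r:*) label="$field" ;;
      esac
      name="$field"
    done
    [ -n "$label" ] || continue
    actual=$(context_type "$label")
    if [ "$actual" != "$expected" ]; then
      printf '%s %s\n' "$name" "$actual"
    fi
  done
}

# fix_commands: turn each "<name> <type>" line on stdin into the chcon command
# the article uses, with the directory given in $2 prefixed to the file name.
fix_commands() {
  expected="$1"
  dir="$2"
  while read -r name actual; do
    echo "chcon -t $expected $dir/$name"
  done
}

# Demonstration run on the constructed data.
printf '%s\n' "$SAMPLE_LS_Z" | mismatched_contexts httpd_sys_content_t \
  | fix_commands httpd_sys_content_t /var/www/html
```

chcon rewrites the label on the inode directly, as the article does. The alternative worth knowing is restorecon -v /var/www/html/index.html, which applies the label the policy's file-context rules define for that path; a label set with chcon is lost on a full relabel, whereas the restorecon result is what a relabel would produce anyway.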
Summary: the two simple cases above show that in Enforcing mode SELinux's security policy takes effect through Boolean values and context values. We can set a Boolean value with setsebool -P and a context value with chcon -t (the setroubleshoot package must be installed before these two commands can be used).