What is SELinux?
SELinux (Security-Enhanced Linux) is the National Security Agency's (NSA) implementation of mandatory access control and the most significant new security subsystem in the history of Linux. NSA developed this access control system with the help of the Linux community. Under its restrictions, a process can only access the files it needs for its task. SELinux is installed by default on Fedora and Red Hat Enterprise Linux, and it can easily be installed on other distributions.

SELinux is a MAC system provided in Linux kernel 2.6. Of the Linux security modules currently available, SELinux is the most comprehensive and the most thoroughly tested; it was built on 20 years of MAC research. SELinux combines multi-level security, or an optional multi-category policy, with type enforcement, and adopts the role-based access control concept. [1]

Most people use SELinux-ready distributions such as Fedora, Red Hat Enterprise Linux (RHEL), Debian, or CentOS. These enable SELinux in the kernel and ship a customizable security policy, together with many user-space libraries and tools that can use SELinux functionality.

SELinux is a Mandatory Access Control (MAC) security system based on domains and types. NSA wrote and designed it as a kernel module that is included in the kernel; some security-related applications are also patched for SELinux; and finally there is a corresponding security policy. Under DAC, any program has full control over its own resources: if a program decides to write a file containing potentially important information to the /tmp directory, nothing in DAC can block it. SELinux provides finer access control than traditional Unix permissions.
The SELINUX setting has three options: "disabled", "permissive", and "enforcing".
Disabled needs no explanation. Permissive means SELinux is active, but if you violate the policy it still lets the operation continue and records what you violated; it is very useful when developing policies and is equivalent to a debug mode. Enforcing means that if you violate the policy, the operation is denied.

SELINUXTYPE: there are currently two main categories. The first is targeted, developed by Red Hat, which only protects the main network services such as apache, sendmail, bind, and postgresql; all domains that do not belong to those services are left in unconfined_t. It has good performance and usability, but it cannot protect the system as a whole. The other type is strict, developed by the NSA, which can protect the entire system but is complicated to configure. Even though it is complicated, and some basic problems will arise, you can still experiment with it.

Besides setting it in /etc/sysconfig/selinux, we can also pass the selinux parameter to the kernel to control it at startup. (This is enabled by default on Fedora 5.)
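As an added example (not part of the original article), the script below reads the two settings the text describes, SELINUX= (the mode) and SELINUXTYPE= (the policy), from a constructed copy of /etc/sysconfig/selinux, summarises what the mode means for policy violations, and maps it to the equivalent kernel boot parameter. The sample config text, the function names and the summaries are assumptions made for this example; `selinux=0` and `enforcing=0` are the real kernel parameters, and `getenforce`/`setenforce` are the real runtime tools mentioned in the comments.

```shell
#!/bin/sh
# Added example, not from the original article: parse SELINUX= and
# SELINUXTYPE= from the contents of /etc/sysconfig/selinux and explain them.

# Constructed sample of /etc/sysconfig/selinux. Comments and blank lines are
# included deliberately so the parser has to skip them.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive

# SELINUXTYPE= can take one of these two values:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
'

# selinux_setting CONFIG_TEXT KEY -> prints the value of KEY=..., ignoring
# comment lines. If the key appears more than once the last assignment wins,
# which is how the real file behaves.
selinux_setting() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" | tail -n 1
}

# describe_mode MODE -> what happens on a policy violation in that mode,
# following the article's description of the three values.
describe_mode() {
    case "$1" in
        enforcing)  echo "policy violations are denied and logged" ;;
        permissive) echo "policy violations are allowed but logged (debug mode)" ;;
        disabled)   echo "no policy is loaded" ;;
        *)          echo "unknown mode: $1"; return 1 ;;
    esac
}

# boot_param_for MODE -> the kernel command-line parameter that selects the
# same mode at startup: selinux=0 disables SELinux entirely, while
# enforcing=0 / enforcing=1 choose permissive or enforcing.
boot_param_for() {
    case "$1" in
        enforcing)  echo "enforcing=1" ;;
        permissive) echo "enforcing=0" ;;
        disabled)   echo "selinux=0" ;;
        *)          return 1 ;;
    esac
}

main() {
    mode=$(selinux_setting "$SAMPLE_CONFIG" SELINUX)
    type=$(selinux_setting "$SAMPLE_CONFIG" SELINUXTYPE)
    echo "SELINUX=$mode: $(describe_mode "$mode")"
    echo "SELINUXTYPE=$type"
    echo "equivalent kernel parameter: $(boot_param_for "$mode")"
    # On a live system, compare the file with the running state:
    #   getenforce        -> Enforcing / Permissive / Disabled
    #   setenforce 0|1    -> switch between permissive and enforcing at runtime
    # (switching to or from disabled requires the config file or boot parameter).
}
main
```

Run it as `sh selinux_mode.sh` (any file name works); to inspect a real system, replace SAMPLE_CONFIG with `$(cat /etc/sysconfig/selinux)`. The parser deliberately skips the comment lines, which on the real file also contain the words "enforcing" and "permissive", and takes the last assignment so that an appended override is reported correctly.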