  Preliminary understanding of SELinux security management
  Add Date : 2016-04-25      
Today we take a look at SELinux, the Linux security subsystem that many administrators find mysterious.

Basic concepts of SELinux security

Security-Enhanced Linux (SELinux) is an additional layer of system security. Its main objective is to prevent a compromised system service from accessing user data. Most Linux administrators are familiar with the standard user/group/other permission model. That model, based on users and groups, is called discretionary access control (DAC). SELinux adds another layer with more fine-grained rules based on labels attached to every object; this is called mandatory access control (MAC).

SELinux is a set of security rules that determine which files, directories and ports a process may access. Every file, process and port carries a special security label called an SELinux context. A context is a name that the SELinux policy uses to decide whether a process may access a file, directory or port. Unless a rule explicitly grants access, the policy denies the interaction by default: if there is no allow rule, access is denied.

An SELinux label has several parts: user, role, type and sensitivity (level). The targeted policy, the policy enabled by default in Red Hat Enterprise Linux, writes its rules almost entirely in terms of the third part, the type. Type names usually end in _t. The type of the web server process is httpd_t. Files and directories under /var/www/html usually have the type httpd_sys_content_t. Files and directories under /tmp and /var/tmp have the type tmp_t. The web server port has the type http_port_t.

SELinux simulation exercises

Exercise environment: RHEL 7.0

1. If you do not know whether SELinux is enabled, check with the following command:

[root@server0 ~]# getenforce
Enforcing

Enforcing means SELinux is on and enforcing its policy.

Let us look at how to change the SELinux mode. The persistent setting lives in /etc/selinux/config; /etc/sysconfig/selinux is a symbolic link to that file:

[root@server0 ~]# vim /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted


SELinux has three modes: Enforcing, Permissive and Disabled. Disabled means SELinux is switched off and no policy is loaded. Permissive means the policy is loaded but not enforced: access that would be denied is allowed, but every such denial is logged (as an AVC message in /var/log/audit/audit.log). Enforcing means denials are both logged and blocked.

Changing the SELinux running state

setenforce [ Enforcing | Permissive | 1 | 0 ]

This command changes the running mode immediately, but only between Enforcing (1) and Permissive (0); it cannot switch SELinux to or from Disabled, and the change does not survive a reboot. A typical use is to find out whether SELinux is what stops a service or program from running. If the service or program still fails after setenforce 0, the cause is not SELinux, because in Permissive mode nothing is denied. A less disruptive check is to leave the system in Enforcing mode and look for AVC denials with ausearch -m AVC -ts recent.

To change the mode persistently, edit the SELINUX= line in /etc/sysconfig/selinux. Note that switching from Disabled to Enforcing or Permissive requires a reboot and a relabel of the whole filesystem (touch /.autorelabel && reboot), because files created while SELinux was disabled carry no labels.
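As an added example that is not part of the original article, the following POSIX shell script wraps the checks described above: it reads the SELINUX= line from a config file the way an administrator would (tolerating comments and spacing around the "="), maps a desired mode to the setenforce argument, and prints the steps for a persistent change, including the relabel that is required when leaving Disabled. The function names and the constructed sample config are my own; the commands that would change the system are only printed, never run.

```shell
#!/bin/sh
# Added example, not from the original article: helpers for inspecting and
# planning an SELinux mode change. They only read text, so they run on any
# box; the commands that would change the system are printed, not executed.

# Print the SELINUX= value from a config file (/etc/sysconfig/selinux is a
# symlink to /etc/selinux/config), ignoring comments, blank lines and
# whitespace around the "=". SELINUXTYPE= does not match because of the "=".
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Argument for setenforce. Only enforcing and permissive can be set at
# runtime; asking for disabled fails, because that needs a reboot.
setenforce_arg() {
    case "$1" in
        enforcing)  echo 1 ;;
        permissive) echo 0 ;;
        *)          return 1 ;;
    esac
}

# True when moving from mode $1 to mode $2 needs a full filesystem relabel:
# files created while SELinux was disabled carry no labels at all.
needs_relabel() {
    [ "$1" = disabled ] && [ "$2" != disabled ]
}

# Print (do not run) the steps for a persistent change from the mode stored
# in config file $1 to mode $2. Going from disabled straight to enforcing is
# risky if any label is wrong; going via permissive first is the safe order.
plan_mode_change() {
    cur=$(selinux_config_mode "$1")
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    echo "sed -i 's/^SELINUX=.*/SELINUX=$want/' $1"
    if needs_relabel "$cur" "$want"; then
        echo "touch /.autorelabel && reboot   # leaving disabled: relabel all files"
    elif arg=$(setenforce_arg "$want"); then
        echo "setenforce $arg                  # effective now; the config makes it stick"
    else
        echo "reboot                            # disabling takes effect at boot"
    fi
}

# Constructed stand-in for /etc/selinux/config on a host that had SELinux off.
demo() {
    cfg=$(mktemp)
    printf '# constructed sample\nSELINUX = Disabled\nSELINUXTYPE=targeted\n' > "$cfg"
    echo "configured mode: $(selinux_config_mode "$cfg")"
    plan_mode_change "$cfg" enforcing
    rm -f "$cfg"
}
demo
```

Running the script prints the configured mode ("disabled") followed by the sed, touch and reboot lines; point plan_mode_change at the real /etc/selinux/config to get the plan for your own host.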

2. Now a small example.

With SELinux in Enforcing mode, we change the document root in httpd.conf to a directory directly under /, and find that the page can no longer be opened.

Change the httpd document root as follows:

[root@server0 ~]# vim /etc/httpd/conf/httpd.conf

DocumentRoot "/html"
<Directory "/html">

(the rest of the <Directory> block stays as it was for /var/www/html).

Then create the html directory under / and put a page in it:

[root@server0 ~]# mkdir /html
[root@server0 ~]# echo "linuxidc" > /html/index.html

Once it is created, look at the context of the file we just made. Most commands that list files or processes have an option to show the SELinux context, usually -Z: ps, ls, cp and mkdir all accept -Z to display or set the context.

After changing the directory, restart httpd (systemctl restart httpd) and open the page: you get an error saying you do not have permission to access the file.

Here we open the page with the elinks text browser; if it is not installed, install it with yum.

[root@server0 ~]# elinks http://localhost/index.html

Why no permission? Read on.

3. First, look at the standard context of the /var/www/html directory:

[root@server0 ~]# ll -Z /var/www/html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html

Then look at the context of the directory we just created:

[root@server0 html]# ll -Z
-rw-r--r--. root root system_u:object_r:default_t:s0 index.html

(The dot after the permission bits means the file carries an SELinux context.)

We see that the context of /var/www/html (the source directory) has the type httpd_sys_content_t, while index.html in the directory we created (the target directory) has the type default_t.

Because the type of the target differs from the type of the source, the httpd process (running as httpd_t) is not allowed to read files and directories of type default_t, so the server reports no permission. We need to change the context of the /html directory to a type httpd can read.

Which types can httpd read? From the listing above we know it can read httpd_sys_content_t.

Knowing this, we change /html to that type.

4. Changing a file's SELinux context

Two commands change SELinux contexts: chcon and restorecon.

chcon sets the context of a file to the context given on its command line.

chcon: modify an object's (file's) security context, i.e. user:role:type:level. Syntax:
  chcon [OPTION]... CONTEXT FILE...
  chcon [OPTION]... --reference=RFILE FILE...
    CONTEXT   the security context to set
    FILE      the object (file) to change
    --reference=RFILE   use the context of RFILE instead of specifying one; FILE receives RFILE's context
    OPTIONS:
        -f, --silent        suppress most error messages
        -R, --recursive     modify the security context of directories recursively
        -r ROLE             set the role part of the context
        -t TYPE             set the type part of the context
        -u USER             set the user part of the context
        -l, --range=RANGE   set the level (range) part of the context
        -v, --verbose       print a diagnostic for every file processed

restorecon is the preferred way to change the context of a file or directory. Unlike chcon, you do not specify the context explicitly: it uses the SELinux policy's file-context rules to work out what the context of the file should be.

restorecon restores a file's SELinux attributes, that is, resets it to its default security context.
 restorecon [-iFnrRv] [-e excludedir] [-o filename] [-f infilename | pathname...]
-i: ignore files that do not exist.
-f infilename: read the list of files to process from infilename.
-e directory: exclude a directory.
-R / -r: process directories recursively.
-n: do not change any file labels (combined with -v, shows what would change).
-o outfilename: save the list of files whose context was incorrect to outfilename.
-v: show the changes on the screen.
-F: force a full reset; by default only the type is changed and the user, role and range are left as they are.

Now let us demonstrate.

Note: it is best not to use chcon to change a file's SELinux context. If the filesystem is relabelled at boot, the context reverts to the default file context.

I used chcon -t to change the context of the /html directory to the correct httpd type. chcon changed only the label on the directory, not the file-context rule for that path. When I then ran restorecon to reapply the default rule, the context of /html changed back. This shows that a chcon change is effectively temporary: as soon as the labels are refreshed, the context returns to the default. If you want the context to survive any relabel, you need to redefine the default SELinux context rule for the path.

5. Defining default SELinux file-context rules

The semanage fcontext command displays and modifies the default file-context rules that restorecon applies. Paths are given as extended regular expressions. The most common pattern in fcontext rules is (/.*)? , which means "optionally match a / followed by any number of characters": it matches the directory named before it and, recursively, everything under it.

semanage is used to query and modify default SELinux security contexts, including those of directories.
 semanage {login|user|port|interface|fcontext|translation} -l
 semanage fcontext -{a|d|m} [-frst] file_spec
 -l: list. fcontext: the subcommand for file contexts.
 -a: add a default security context rule for a path.
 -m: modify a rule.
 -d: delete a rule.
On RHEL 7 the semanage command is provided by the policycoreutils-python package.

Now we use semanage fcontext to change the default security context of the /html directory.

We first check the context of /html, then add a default rule with semanage fcontext -a -t httpd_sys_content_t for the path and everything under it, and finally run restorecon -Rv /html so that the directory receives the context the new rule describes. With the rule in place, we test whether the page opens.

Again open the page with elinks http://localhost/index.html.

Now the page no longer reports missing permission; instead it shows the "linuxidc" text we wrote into index.html earlier.
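The whole procedure from step 3 to step 5, as an added example that is not from the original article: a POSIX shell script that parses ls -Z output to find files whose type httpd cannot read, and prints the semanage fcontext rule and restorecon command that make the fix persistent (the chcon shortcut from step 4 is deliberately not used). The function names and the sample listing are my own; httpd_sys_content_t is the type the article uses, and the other readable types in the list are standard RHEL 7 httpd content types not mentioned in the article. The semanage and restorecon commands are printed rather than executed, so the script runs on a machine without SELinux.

```shell
#!/bin/sh
# Added example, not from the original article: find files under a web root
# whose SELinux type httpd cannot read, and print the persistent fix
# (file-context rule + restorecon) instead of a temporary chcon. Only text
# is parsed, so it runs on a box without SELinux; nothing is executed.

# Type component of a context string user:role:type:range.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Types the targeted policy lets httpd_t read. httpd_sys_content_t is the one
# the article uses; the others are the standard RHEL 7 httpd content types.
httpd_readable_type() {
    case "$1" in
        httpd_sys_content_t|httpd_sys_rw_content_t|httpd_sys_ra_content_t|httpd_sys_script_exec_t)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Read `ls -Z` lines on stdin; print "<type> <name>" for every entry httpd
# cannot read. The context is found by its user:role:type:range shape rather
# than by column number, because the ls -Z column layout differs between
# coreutils versions (RHEL 7 prints mode, user, group, context, name).
find_mislabelled() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^[^:]+:[^:]+:[^:]+:/) { split($i, p, ":"); print p[3], $NF; break } }' |
    while read -r t n; do
        httpd_readable_type "$t" || echo "$t $n"
    done
}

# Persistent fix for a directory tree: add the rule, then relabel.
# file_spec is an extended regex, so dots in the path are escaped and
# "(/.*)?" makes the rule cover the directory and everything below it.
fcontext_fix_commands() {
    spec=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$spec"
    printf 'restorecon -Rv %s\n' "$1"
}

# Constructed `ls -Z /html` output in the RHEL 7 layout shown in the article
# (the "." after the mode bits marks a file that has an SELinux context).
SAMPLE_LISTING='-rw-r--r--. root root system_u:object_r:default_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 about.html'

demo() {
    echo "--- entries httpd cannot read:"
    echo "$SAMPLE_LISTING" | find_mislabelled
    echo "--- persistent fix:"
    fcontext_fix_commands /html httpd_sys_content_t
}
demo
```

On a real host, pipe `ls -Z /html` into find_mislabelled, run the two printed commands as root, and confirm the result with `semanage fcontext -l | grep /html` (the rule exists) and `ls -Z /html` (the files now carry httpd_sys_content_t); unlike a chcon change, this survives restorecon and a boot-time relabel.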
  CopyRight 2002-2016 newfreesoft.com, All Rights Reserved.