1. Selinux
SELinux is the abbreviation of "Security-Enhanced Linux", a mandatory access control security module for Linux developed by the NSA (National Security Agency) and SCC (Secure Computing Corporation). It was originally developed on Fluke and released under the GNU GPL in 2000. SELinux is a mandatory access control (MAC) security system based on the domain-type model. It was written by the NSA and designed as a kernel module to be included in the kernel. The corresponding security-related applications were also patched for SELinux, and a matching security policy was supplied.
Status: The most outstanding new security system in Linux history.
Nature: Mandatory Access Control (MAC) security system.
1.1 Selinux closed state
- Files created in /mnt are moved to /var/ftp and can be accessed by the vsftpd service
- Anonymous users can upload files
- A file created in /mnt shows an empty attribute field when viewed with ls -Z
- ps axZ shows that the vsftpd process is missing the corresponding attribute
1.2 Selinux on state
- Files created in /mnt are moved to /var/ftp and cannot be accessed by the vsftpd service
- Anonymous users still cannot upload files after the setting is applied
- ls -Z now displays the security context of files
- ps axZ displays the security context of the vsftpd process
1.3 Impact of Selinux
Impact on files:
When SELinux is turned on, the kernel loads a label for each file and each running program; the security context of the program or file is recorded in that label.
Effect on program function:
When SELinux is turned on, many program functions are gated by policy switches, and these switches default to off.
When such a function is needed, the switch has to be turned on manually; these switches are called sebools (SELinux booleans).
2. Selinux management status
| State type | Explanation |
|---|---|
| disabled | SELinux is turned off |
| enforcing | Actions that do not meet the policy are denied, and a warning message is recorded |
| permissive | Actions that do not meet the policy are allowed, but a warning message is recorded |
2.1 Check status
getenforce
: View selinux status
2.2 Selinux switching state
vim /etc/selinux/config
: Edit the configuration file (takes effect after a restart)
# SELinux turned off
SELINUX=disabled
# SELinux set to enforcing mode at boot (SELinux on)
SELINUX=enforcing
# SELinux set to permissive (warning) mode at boot (SELinux on)
SELINUX=permissive
- Switching between enforcing and permissive mode after SELinux is turned on (takes effect immediately)
setenforce 0
: permissive (warning) mode
setenforce 1
: enforcing mode
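The two settings above live in different places: /etc/selinux/config decides the mode at the next boot, while setenforce changes the running kernel only. The following script is an added example, not code from the original post; it reads and rewrites the SELINUX= line of a file in the /etc/selinux/config format (the path is a parameter, so it can be tried on a copy), refuses any value other than the three valid modes, and reports the configured mode beside the running one from getenforce when that command exists.

```shell
#!/bin/sh
# Read and change the boot-time SELinux mode in a file of the
# /etc/selinux/config format (SELINUX=enforcing|permissive|disabled).
# The path is a parameter so the functions can be exercised on a copy.

# Print the value of the (last) SELINUX= line, ignoring comments, or "unset".
selinux_boot_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${mode:-unset}"
}

# Rewrite the SELINUX= line in place after validating the mode; every other
# line (comments, SELINUXTYPE=) is kept. Nothing validates this file until the
# next boot, so refuse anything but the three valid words.
# Returns 1 for an invalid mode, 2 if the file has no SELINUX= line.
selinux_set_boot_mode() {
    file="$1"; mode="$2"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) printf 'invalid SELINUX mode: %s\n' "$mode" >&2; return 1 ;;
    esac
    grep -q '^[[:space:]]*SELINUX=' "$file" || return 2
    tmp="$file.tmp.$$"
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Report the configured (boot) mode beside the running mode from getenforce,
# which may differ after a setenforce 0/1 or before a restart.
selinux_mode_report() {
    boot=$(selinux_boot_mode "$1")
    if command -v getenforce >/dev/null 2>&1; then
        run=$(getenforce | tr 'A-Z' 'a-z')
    else
        run="unknown (getenforce not installed)"
    fi
    printf 'configured=%s running=%s\n' "$boot" "$run"
}

# Stand-alone demo against the real config when it is readable.
if [ -r /etc/selinux/config ]; then
    selinux_mode_report /etc/selinux/config
fi
```

Run it as root to see the report for the live host; the report showing configured=permissive running=enforcing (or the reverse) is exactly the situation where a setenforce change has not been written to the config file.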
2.3 Selinux log location
/var/log/audit/audit.log
3. Selinux security context
3.1 View security context
ls -Z
: View the security context of a file
ls -Zd
: View the security context of a directory
ps axZ
: View the security context of a process
3.2 Temporarily modify the security context
chcon -t <label> <file-or-directory>
: Temporarily modify the security context
chcon -Rt <label> <directory>
: Modify the security context of the directory and all files under it
touch /.autorelabel
: Creates the switch file that makes SELinux relabel the file system when the system restarts
- Contexts set with chcon are restored to the policy defaults after that restart
3.3 Permanently modify the security context
If a special security context must be assigned, the kernel security context list needs to be modified.
semanage fcontext -l
: View the list of kernel security contexts
semanage fcontext -a -t <label> '<directory>(/.*)?'
: Permanently modify the security context
restorecon -RvvF <directory>
: Refresh (apply the new context to the files)
touch /.autorelabel
: Creates the switch file that makes SELinux relabel the file system when the system restarts
Options of the semanage fcontext command:
-a add
-d delete
-m modify
4. Sebool
getsebool -a
: Query the bool value of each rule in the SELinux policy
setsebool -P <label> on|off
: Modify the bool value
4.1 File upload failed
- Condition 1: The file has write permission
- Condition 2: Virtual users can upload
- Condition 3: SELinux is in enforcing mode
- Result:
lftp 172.25.254.127
uploading file to /var/ftp/pub/ failed
4.2 Modify Sebool solution
semanage fcontext -a -t public_content_rw_t '/var/ftp/pub(/.*)?'
: Set the security context to read-write (uploadable)
restorecon -RvvF /var/ftp/pub/
: Refresh
setsebool -P ftpd_anon_write on
: Modify the bool value (allow anonymous users to write)
getsebool -a | grep ftp
: Query the bool values of the ftp service
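The four commands of 4.2 work as a sequence, but two things are left implicit: semanage fcontext -a fails when a rule for the pattern already exists (section 3.3 lists -m for that case), and nothing confirms that the label and the boolean actually took effect. The script below is an added example, not code from the original post; it wraps the same sequence with those checks. It assumes the column layout of semanage fcontext -l (pattern, file type, context) and the modern ls -Z output of "context name"; only the parsing helpers run offline, ftp_enable_anon_upload itself needs root on an SELinux-enabled host with semanage installed.

```shell
#!/bin/sh
# Make DIR an anonymous-upload area for vsftpd under SELinux, following the
# sequence in 4.2 but with two checks that sequence leaves implicit:
#  - 'semanage fcontext -a' fails when a rule for the pattern already exists,
#    so choose between -a and -m by parsing the rule listing first;
#  - verify the on-disk label and the boolean afterwards instead of assuming.

# Given a 'semanage fcontext -l' style listing on stdin, succeed if PATTERN
# already has a rule. Listing columns: pattern, file type, context.
fcontext_rule_exists() {
    awk -v p="$1" '$1 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# Choose the semanage fcontext option for PATTERN: -m if a rule exists, else -a.
fcontext_action() {
    listing="$1"; pattern="$2"
    if printf '%s\n' "$listing" | fcontext_rule_exists "$pattern"; then
        echo "-m"
    else
        echo "-a"
    fi
}

# Type component (third field) of a user:role:type:level context string.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Apply the page's fix to DIR (needs root, semanage and an SELinux-enabled host).
ftp_enable_anon_upload() {
    dir="${1%/}"
    pattern="$dir(/.*)?"
    command -v semanage >/dev/null 2>&1 || { echo "semanage not found" >&2; return 1; }
    action=$(fcontext_action "$(semanage fcontext -l)" "$pattern")
    semanage fcontext "$action" -t public_content_rw_t "$pattern" || return 1
    restorecon -RvvF "$dir" || return 1
    setsebool -P ftpd_anon_write on || return 1
    # Verify the directory now carries public_content_rw_t (assumes the modern
    # 'ls -Z' output of "context name") and that the boolean reads on.
    ctx=$(ls -Zd "$dir" | awk '{ print $1 }')
    [ "$(context_type "$ctx")" = public_content_rw_t ] || { echo "label not applied: $ctx" >&2; return 1; }
    getsebool ftpd_anon_write | grep -q 'on$' || { echo "ftpd_anon_write still off" >&2; return 1; }
    echo "anonymous upload enabled for $dir"
}
```

Usage on a live host: ftp_enable_anon_upload /var/ftp/pub. Keep in mind that public_content_rw_t plus ftpd_anon_write makes the directory writable to every anonymous client, so the ordinary file permissions of the directory (condition 1 in 4.1) remain the place to limit what is exposed.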
5. Seport (Selinux port label)
semanage port -l
: View open ports
semanage port -a -t <label> -p tcp <port>
: Add an open port
semanage port -d -t <label> -p tcp <port>
: Delete an open port
- When the httpd service port number is changed to 6666, the httpd service fails to restart
- After adding the port, the httpd service restarts successfully
- Restore the default port
6. SeTrouble (Selinux troubleshooting)
6.1 Setrouble installation and basic information
- Installed by default; run rpm -qa | grep setrouble to check whether it is installed
- Basic information
- /var/log/audit/audit.log: SELinux warning messages
- /var/log/messages: SELinux problem solutions
- setroubleshoot-server: this package collects the warning information, analyzes it for a solution, and stores the result in /var/log/messages
6.2 Setrouble experiment problem
- Problem: After moving a file to /var/ftp/, it cannot be viewed after logging in with lftp
touch /mnt/file1
: Create the file
mv /mnt/file1 /var/ftp/
: Move the file to the default publishing directory
> /var/log/messages
: Clear the log file (so the error is easy to find when viewing the log)
lftp 192.168.43.101
: file1 cannot be viewed
6.3 Setrouble troubleshooting
- Look for the solution to the problem in the log
cat /var/log/messages
: View the log file
/sbin/restorecon -v /var/ftp/file1
: The command that fixes the problem appears in the log; execute it
lftp 192.168.43.101
: file1 can now be viewed