Learn Linux SELinux in three minutes


1. Introduction

Security-Enhanced Linux, abbreviated SELinux, is a Linux kernel module and a security subsystem of Linux.

SELinux was mainly developed by the National Security Agency. Linux kernels of version 2.6 and above integrate the SELinux module.

The structure and configuration of SELinux are very complicated and involve many concepts, which makes it hard to learn. Many Linux system administrators simply turn SELinux off to avoid the trouble.

2. SELinux basic concepts

2.1 Subject

A subject can be regarded as equivalent to a process.

Note: For ease of understanding, unless otherwise specified, processes are treated as subjects below.

2.2 Object

The resource accessed by the subject. It can be a file, directory, port, device, etc.

Note: For ease of understanding, unless otherwise specified, files or directories are treated as objects below.

2.3 Policy & Rule

There are usually a large number of files and processes in a system. To save time and overhead, usually only certain processes are selectively controlled.

Which processes need to be controlled, and how they are controlled, is determined by the policy.

A set of policies contains many rules. Some rules can be enabled or disabled as required (this type of rule is called a Boolean rule below).

Rules are modular and extensible. When a new application is installed, it can add rules by adding new modules, and users can also manually add or remove rules.

In the CentOS 7 system, there are three sets of policies, namely:

  1. targeted: Controls most network service processes. This is the policy used by the system by default (this policy is assumed in the following).

  2. minimum: Based on targeted, only selected network service processes are controlled. Generally not used.

  3. mls: Multi-level security. Controls all processes. This is the strictest policy and is very difficult to configure; generally not used unless there are extremely high security requirements.

The policy can be set in /etc/selinux/config.

2.4 Security Context

The security context is the core of SELinux.

The security context is divided into the "process security context" and the "file security context".

One process security context generally corresponds to multiple file security contexts.

A process can access a file only when the two security contexts correspond to each other; the correspondence is determined by the rules in the policy.

The security context of a file is determined by where the file is created and by the process that creates it. The system has a set of default values, and users can also set the defaults.

Note that simply moving a file does not change its security context.

Structure and meaning of the security context

The security context has four fields (user, role, type and level), separated by colons, for example: system_u:object_r:admin_home_t:s0.
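The following Python snippet is an added example, not part of the original post: it splits a context into its four fields (handling a level such as s0-s0:c0.c1023, whose own colon would otherwise confuse a naive split) and checks a subject context against an object context using a few hypothetical allow rules written in SELinux policy syntax. The rules and the check are a simplified model of type enforcement, not the kernel's implementation.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    level: str


def parse_context(ctx):
    """Split a security context into its four fields.

    The level field may itself contain ':' when it carries a category
    range (e.g. s0-s0:c0.c1023), so only the first three colons separate
    fields; a plain split(':') would return five parts for such a context.
    """
    parts = ctx.split(":", 3)
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"not a valid security context: {ctx!r}")
    return Context(*parts)


# Hypothetical allow rules, constructed for this example in the syntax of an
# SELinux policy source (the real targeted policy contains thousands).
RULES = """
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_sys_content_t:dir { read search getattr open };
allow httpd_t http_port_t:tcp_socket { name_bind };
"""

_RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+\{([^}]*)\}\s*;")


def load_rules(text):
    """Return {(source_type, target_type, class): set(permissions)}."""
    rules = {}
    for src, tgt, cls, perms in _RULE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules


def allowed(rules, subject_ctx, object_ctx, tclass, perm):
    """Simplified type-enforcement check: only the type fields decide,
    and access is denied unless some rule explicitly grants it."""
    s = parse_context(subject_ctx).type
    o = parse_context(object_ctx).type
    return perm in rules.get((s, o, tclass), set())
```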

3. SELinux basic operations

3.1 Query the security context of a file or directory

Basic command usage

ls -Z

Usage example

Query the security context of /etc/hosts.

ls -Z /etc/hosts

Result

-rw-r--r--. root root system_u:object_r:net_conf_t:s0 /etc/hosts

3.2 Query the security context of the process

Basic command usage

ps auxZ | grep -v grep | grep <keyword>

Usage example

Query the security context of Nginx related processes.

ps auxZ | grep -v grep | grep nginx

Result

system_u:system_r:httpd_t:s0 root 7997 0.0 0.0 122784 2156 ? Ss 14:31 0:00 nginx: master process /usr/sbin/nginx

system_u:system_r:httpd_t:s0 nginx 7998 0.0 0.0 125332 7560 ? S 14:31 0:00 nginx: worker process

3.3 Manually modify the security context of a file or directory

Basic command usage

chcon [options] <file or directory>...

Options:

  -u            modify the user field of the security context
  -r            modify the role field of the security context
  -t            modify the type field of the security context
  -l            modify the level field of the security context
  --reference   set the security context to match that of the specified file or directory
  -R            recursive operation
  -h            modify the security context of the symbolic link itself (without this option, the file the link points to is modified)

Usage example

Modify the security context of test to aaa_u:bbb_r:ccc_t:s0.

chcon -u aaa_u -r bbb_r -t ccc_t test

3.4 Restore the security context of a file or directory to the default value

Basic command usage

restorecon [options] <file or directory>...

Options:

  -v   print what is being done
  -R   recursive operation

Usage example

After adding some web files to the Nginx server's directory, set the correct security context for the new files.

restorecon -R /usr/share/nginx/html/

3.5 Query Boolean rules and their status in the system

Basic command usage

getsebool -a

Since this command queries either all rules or exactly one named rule, it is usual to query all rules and then filter with grep.

Usage example

Query Boolean rules related to httpd.

getsebool -a | grep httpd

Result

httpd_anon_write --> off

httpd_builtin_scripting --> on

httpd_can_check_spam --> off

httpd_can_connect_ftp --> off

(remaining output omitted)

3.6 Switch a boolean rule

Basic command usage

setsebool [options] <boolean> on|off

Options:

  -P   persistent: the setting remains in effect after a reboot

Usage example

Turn on the httpd_anon_write rule.

setsebool -P httpd_anon_write on

3.7 Add the default security context of the directory

Basic command usage

semanage fcontext -a -t <type> "<directory>(/.*)?"

Note: The default security context of a directory or file can be viewed with the semanage fcontext -l command, filtered with grep.

Usage example

After adding a new website directory /usr/share/nginx/html2 for Nginx, you need to give it the same default security context as the original directory.

semanage fcontext -a -t httpd_sys_content_t "/usr/share/nginx/html2(/.*)?"

3.8 Add a port that a certain type of process is allowed to access

Basic command usage

semanage port -a -t <type> -p <tcp|udp> <port>

Note: The port numbers allowed for the various service types can be viewed with the semanage port -l command, filtered with grep.

Usage example

Nginx needs to use port 10080 for HTTP service.

semanage port -a -t http_port_t -p tcp 10080

4. SELinux error analysis and resolution

4.1 Understanding SELinux log

When SELinux is on, some normal behaviour of many services is treated as a violation (the "errors" in this section's title and below refer to such violations).

At this point we need to analyze and resolve the SELinux violation logs.

SELinux violation logs are stored in /var/log/audit/audit.log.

The content of /var/log/audit/audit.log looks roughly like this.

type=LOGIN msg=audit(1507898701.391:515): pid=8523 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=25 res=1

type=USER_START msg=audit(1507898701.421:516): pid=8523 uid=0 auid=0 ses=25 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

This file is large, and most of its entries are general system audit records unrelated to SELinux errors, so the sealert utility is used to help with the analysis (if the command is not found, install the setroubleshoot package).
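As an added example (not from the original post), the Python script below picks the SELinux denial records (type=AVC) out of audit.log and groups them by process, source type, target type, object class and permission, which is the triage a practitioner does before asking sealert for a suggested fix. The log lines are constructed following the real audit record format; the httpd_t / user_home_t denials are what you see when web files are served from a home directory and the httpd_t / unreserved_port_t denial is what you see before the semanage port command from section 3.8 is run.

```python
import re
from collections import Counter

# Constructed sample lines. The LOGIN entry mirrors the shape shown in the
# post and is unrelated to SELinux; the AVC entries are denial records.
SAMPLE_LOG = """\
type=LOGIN msg=audit(1507898701.391:515): pid=8523 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=25 res=1
type=AVC msg=audit(1507898702.100:517): avc:  denied  { read } for  pid=7998 comm="nginx" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1507898702.101:518): avc:  denied  { open } for  pid=7998 comm="nginx" path="/home/web/index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1507898705.200:521): avc:  denied  { name_bind } for  pid=7997 comm="nginx" src=10080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
"""

_AVC = re.compile(
    r"^type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}.*?"
    r"comm=\"(?P<comm>[^\"]*)\".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def _type_of(ctx):
    # The third colon-separated field is the type; the level may contain ':'.
    return ctx.split(":", 3)[2]


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = _AVC.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = tuple(rec["perms"].split())
    return rec


def summarize(log_text):
    """Count denials per (comm, source type, target type, class, permission).

    Grouping this way collapses thousands of repeated lines into the few
    distinct policy questions an administrator actually has to answer.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["comm"], _type_of(rec["scontext"]),
                    _type_of(rec["tcontext"]), rec["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

To run it against a real system, replace SAMPLE_LOG with the contents of /var/log/audit/audit.log (reading it requires root).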

4.2 Use sealert to analyze errors

Basic command usage

sealert -a /var/log/audit/audit.log

After the command is executed, the system takes a while to analyze the violations in the log and produce an analysis report.

5. SELinux switches

SELinux policy modes

targeted: More restrictions on network services, fewer restrictions on local processes. This is the default policy.

strict: Complete SELinux restrictions; everything is strictly restricted.

The three SELinux modes

enforcing: Enforcing mode. SELinux is running and domain/type restrictions are correctly enforced.

permissive: Permissive mode. SELinux is running but only logs warnings; it does not actually restrict domain/type access. This mode can be used for debugging SELinux (to see what is causing access to be denied).

disabled: Disabled mode. SELinux is off.

Query the current SELinux mode

getenforce

Temporarily turn off enforcement (switch to permissive mode)

setenforce 0

Source: blog.csdn.net/qq_43804080/article/details/106328894