1. Introduction
Security-Enhanced Linux, abbreviated SELinux, is a Linux kernel security module (implemented through the Linux Security Modules framework) that adds mandatory access control on top of the kernel's ordinary discretionary file permissions.
SELinux was originally developed mainly by the US National Security Agency (NSA); it has been part of the mainline kernel since version 2.6.
The structure and configuration of SELinux are complicated and involve many concepts, so it is hard to learn, and many Linux system administrators simply turn SELinux off to avoid trouble. That discards a defence layer: a compromised service such as a web server then has the full access of the Unix user it runs as, whereas under SELinux it is confined to what the policy allows its domain.
2. SELinux basic concepts
2.1 Subject
For practical purposes the subject is the process (strictly, the domain the process runs in).
Note: to keep things simple, unless otherwise specified, the process is treated as the subject below.
2.2 Object
The resource accessed by the subject. It can be a file, directory, port, device, etc.
Note: to keep things simple, unless otherwise specified, files and directories are treated as the objects below.
2.3 Policy & Rule
A system usually contains a very large number of files and processes. To save effort and overhead, usually only selected processes are confined.
Which processes are confined, and how, is determined by the policy.
A policy contains many rules. Some rules can be switched on or off as required; these switches are SELinux booleans (called Boolean rules below).
Rules are modular and extensible: when a new application is installed, its package can add rules by installing a new policy module, and users can also add or remove rules manually.
CentOS 7 ships three policies:
- targeted: confines most network service processes and leaves everything else unconfined. This is the default policy and the one used in the rest of this article.
- minimum: based on targeted, but only the selected network service processes are confined. Generally not used.
- mls: multi-level security. Confines all processes. This is the most stringent policy and very difficult to configure; generally not used unless the security requirements are extremely high.
The policy is selected with the SELINUXTYPE line in /etc/selinux/config.
2.4 Security Context
The security context is the core of SELinux.
Security contexts are divided into process security contexts (also called domains) and file security contexts.
One process domain is typically allowed to access many file types.
A process can access a file only when the policy contains a rule allowing the process's domain to perform the requested operation on the file's type; this is type enforcement, and the rules in the policy determine which pairs match.
The security context of a new file is determined by where it is created (the default context for that path) and by the process that creates it. The system ships a set of default contexts, and users can add their own defaults.
Note that moving a file with mv keeps its existing security context, while copying it with cp creates a new file that receives the default context of the destination. A common failure is moving web files from a home directory into the web root: they keep user_home_t, and httpd_t is not allowed to read that type.
Structure and meaning of the security context
A security context has four colon-separated fields: user, role, type and level, for example system_u:object_r:admin_home_t:s0 (user system_u, role object_r, type admin_home_t, level s0). Under the targeted policy almost every decision depends on the type field. The level field only matters under mls and can itself contain colons (for example s0-s0:c0.c1023), so a tool that parses contexts must not split on every colon.
3. SELinux basic operation
3.1 Query the security context of a file or directory
Basic command usage
ls -Z
Usage example
Query the security context of /etc/hosts.
ls -Z /etc/hosts
Result
-rw-r--r--. root root system_u:object_r:net_conf_t:s0 /etc/hosts
3.2 Query the security context of the process
Basic command usage
ps auxZ | grep -v grep | grep <process name>
Usage example
Query the security context of Nginx related processes.
ps auxZ | grep -v grep | grep nginx
Result
system_u:system_r:httpd_t:s0 root 7997 0.0 0.0 122784 2156 ? Ss 14:31 0:00 nginx: master process /usr/sbin/nginx
system_u:system_r:httpd_t:s0 nginx 7998 0.0 0.0 125332 7560 ? S 14:31 0:00 nginx: worker process
3.3 Manually modify the security context of a file or directory
Basic command usage
chcon [options] <file>...
Options:
- -u modify the user field of the security context
- -r modify the role field
- -t modify the type field
- -l modify the level field
- --reference=<file> set the security context to that of the specified file or directory
- -R operate recursively
- -h modify the security context of the symbolic link itself (without this option the link's target is modified)
Usage example
Modify the security context of the file test to aaa_u:bbb_r:ccc_t:s0 (placeholder names; each identifier must exist in the loaded policy, otherwise chcon refuses it).
chcon -u aaa_u -r bbb_r -t ccc_t test
Note that chcon only changes the label stored on the file. The change is not recorded in the policy, so the next restorecon or a full relabel reverts it; for a change that should survive, add a rule with semanage fcontext (section 3.7) and apply it with restorecon.
3.4 Restore the security context of a file or directory to the default value
Basic command usage
restorecon [options] <file>...
Options:
- -v print each file whose context is changed
- -R operate recursively
- -n show what would change without changing anything
Usage example
After adding web files to the Nginx document root, set the correct security context for the new files.
restorecon -R /usr/share/nginx/html/
The default is taken from the file-context rules listed by semanage fcontext -l, so restorecon also undoes any earlier chcon on the same files.
3.5 Query Boolean rules and their status in the system
Basic command usage
getsebool -a
getsebool prints either every boolean (-a) or the single boolean named on the command line, so the usual approach is to list all of them and filter with grep. semanage boolean -l additionally prints a one-line description of what each boolean permits.
Usage example
Query Boolean rules related to httpd.
getsebool -a | grep httpd
Result
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
(remaining lines omitted)
3.6 Switch a Boolean rule
Basic command usage
setsebool [options] <boolean> on|off
Options:
- -P make the change persistent (it is written to the policy store and survives reboots); without -P it lasts only until the next reboot or policy reload
Usage example
Turn on the httpd_anon_write rule.
setsebool -P httpd_anon_write on
Every boolean you enable widens what the confined domain may do (httpd_anon_write lets httpd write to directories labelled public_content_rw_t), so read its description first and enable only the one that matches the denial you are fixing.
3.7 Add the default security context of a directory
Basic command usage
semanage fcontext -a -t <type> "<directory>(/.*)?"
Note: the default security context of a directory or file can be viewed with semanage fcontext -l filtered through grep; semanage fcontext -l -C lists only the local additions.
Usage example
After adding a new website directory /usr/share/nginx/html2 for Nginx, give it the same default security context as the original directory.
semanage fcontext -a -t httpd_sys_content_t "/usr/share/nginx/html2(/.*)?"
This only records the rule; existing files keep their old context until restorecon -Rv /usr/share/nginx/html2 is run. If a rule for the same path spec already exists, -a fails with "already defined" and -m must be used to change it.
3.8 Add a port that a certain type of process is allowed to access
Basic command usage
semanage port -a -t <type> -p <protocol> <port>
Note: the port numbers allowed for each service type can be listed with semanage port -l filtered through grep.
Usage example
Nginx needs to serve HTTP on port 10080.
semanage port -a -t http_port_t -p tcp 10080
Check semanage port -l | grep http_port_t first: if the port is already listed as an individual entry under another type (8080, for example, belongs to http_cache_port_t), -a fails with "already defined" and semanage port -m must be used instead.
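The procedures of sections 3.7 and 3.8, together with the restorecon step from section 3.4, combined into one script. This is an added example and not code from the original article or from the SELinux tools: it parses the listings printed by semanage fcontext -l and semanage port -l, chooses -a, -m or nothing so that re-running it is safe, and then applies the file rule with restorecon. The SAMPLE_FCONTEXTS and SAMPLE_PORTS strings are constructed excerpts of those listings used to exercise the decision logic offline; label_webroot() assumes root and the policycoreutils-python package and is the only part that touches the system.

```python
#!/usr/bin/env python3
"""Idempotent version of sections 3.7 and 3.8: label a new web root and,
optionally, a new port for httpd_t, then apply the file rule with restorecon.

Added example for this page; not code from the original article or from the
SELinux/policycoreutils project.  The listing formats parsed below are those
printed by `semanage fcontext -l` and `semanage port -l` on CentOS 7.
"""
import re
import subprocess
import sys

# "<spec>   <file type>   <context>" as printed by `semanage fcontext -l`
FCONTEXT_LINE = re.compile(
    r'^(\S+)\s+(all files|regular file|directory|character device|'
    r'block device|symbolic link|named pipe|socket)\s+(\S+)$')
# "<port type>   tcp|udp   <port list>" as printed by `semanage port -l`
PORT_LINE = re.compile(r'^(\S+)\s+(tcp|udp)\s+(.+)$')

# Constructed, abridged sample of `semanage fcontext -l` output
SAMPLE_FCONTEXTS = """\
SELinux fcontext                                   type               Context
/                                                  directory          system_u:object_r:root_t:s0
/.*                                                all files          system_u:object_r:default_t:s0
/usr/share/nginx/html(/.*)?                        all files          system_u:object_r:httpd_sys_content_t:s0
/srv/www(/.*)?                                     all files          system_u:object_r:var_t:s0
"""

# Constructed, abridged sample of `semanage port -l` output
SAMPLE_PORTS = """\
SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      61001-65535, 1024-32767
"""


def parse_fcontexts(listing):
    """Map each file spec to its SELinux type (None for <<None>> entries)."""
    specs = {}
    for line in listing.splitlines():
        m = FCONTEXT_LINE.match(line)
        if m:
            spec, context = m.group(1), m.group(3)
            specs[spec] = None if context == '<<None>>' else context.split(':')[2]
    return specs


def parse_ports(listing):
    """Return (type, proto, low, high) for every port or range in the listing."""
    entries = []
    for line in listing.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        setype, proto, ports = m.groups()
        for item in ports.split(','):
            low, _, high = item.strip().partition('-')
            entries.append((setype, proto, int(low), int(high or low)))
    return entries


def fcontext_command(listing, spec, setype):
    """-a for a new spec, -m when the spec exists with another type (-a would
    fail with "already defined"), None when the rule is already in place."""
    specs = parse_fcontexts(listing)
    if spec not in specs:
        return ['semanage', 'fcontext', '-a', '-t', setype, spec]
    if specs[spec] == setype:
        return None
    return ['semanage', 'fcontext', '-m', '-t', setype, spec]


def port_command(listing, setype, proto, port):
    """None if some range of `setype` already covers the port; -m if the port is
    an individual entry of another type (-a would fail); otherwise -a."""
    entries = parse_ports(listing)
    covering = [t for t, p, lo, hi in entries if p == proto and lo <= port <= hi]
    exact = [t for t, p, lo, hi in entries if p == proto and lo == hi == port]
    if setype in covering:
        return None
    flag = '-m' if exact else '-a'
    return ['semanage', 'port', flag, '-t', setype, '-p', proto, str(port)]


def run(argv):
    """Run a command and return its stdout (Python 3.6 compatible)."""
    return subprocess.run(argv, check=True, stdout=subprocess.PIPE,
                          universal_newlines=True).stdout


def label_webroot(directory, port=None, setype='httpd_sys_content_t'):
    """Record the rules, then apply them: semanage only stores the rule,
    the files themselves are relabelled by restorecon.  Needs root."""
    spec = directory.rstrip('/') + '(/.*)?'
    cmd = fcontext_command(run(['semanage', 'fcontext', '-l']), spec, setype)
    if cmd:
        run(cmd)
    if port is not None:
        cmd = port_command(run(['semanage', 'port', '-l']), 'http_port_t', 'tcp', port)
        if cmd:
            run(cmd)
    print(run(['restorecon', '-Rv', directory]))


if __name__ == '__main__':
    # usage: label_webroot.py /usr/share/nginx/html2 [10080]
    label_webroot(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else None)
```

Against the sample listings, fcontext_command() chooses -a for /usr/share/nginx/html2(/.*)?, -m for /srv/www(/.*)? (currently var_t) and nothing for the existing html directory; port_command() chooses -a for 10080, -m for 8080 and nothing for 443. The same checks can be run by hand with semanage fcontext -l -C and semanage port -l before typing the commands from sections 3.7 and 3.8.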
4. SELinux error analysis and resolution
4.1 Understanding the SELinux log
When SELinux is enforcing, some legitimate behaviour of many services is treated as a violation (the "errors" in the headings below are these denials).
We then need to analyse the denial log and resolve each denial.
Denials are written by auditd to /var/log/audit/audit.log as records of type=AVC; if auditd is not running they go to the kernel log and /var/log/messages instead.
The content of /var/log/audit/audit.log looks roughly like this.
type=LOGIN msg=audit(1507898701.391:515): pid=8523 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=25 res=1
type=USER_START msg=audit(1507898701.421:516): pid=8523 uid=0 auid=0 ses=25 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
…
The file is very long and most of its records are general system audit events unrelated to SELinux. The sealert utility helps with the analysis (if the command is not found, install the setroubleshoot-server package).
4.2 Use sealert to analyse errors
Basic command usage
sealert -a /var/log/audit/audit.log
The command takes a while to analyse the denials in the log and then prints a report. For each group of identical denials the report proposes fixes: typically a boolean to enable (sections 3.5 and 3.6), a file label to restore or add (sections 3.4 and 3.7), or a port to label (section 3.8), and as a last resort a custom policy module generated with audit2allow. Prefer the first three; a generated allow rule grants exactly what was denied, including access that may have been an attacker probing the service.
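A small triage tool for the audit log, added here as an example (it is not code from the original article, from sealert or from the SELinux project): it parses the AVC records that auditd writes for denials, splits each security context into the four fields described in section 2.4 without breaking on the colons inside an MLS level, groups identical denials the way sealert does, and attaches one of this article's three remedies as a hint. SAMPLE_AUDIT_LOG is a constructed excerpt (the LOGIN line is the one shown above; the AVC lines are made up to match the Nginx examples of section 3), and the suggest() mapping is a reading aid, not a policy analysis.

```python
#!/usr/bin/env python3
"""Group and triage SELinux denials from /var/log/audit/audit.log.

Added example for this page, not code from the original article or from the
SELinux/setroubleshoot projects.  Reads AVC records in the form auditd writes
them (type=AVC ... avc:  denied  { perm } for  pid=... scontext=...
tcontext=... tclass=...), groups identical denials, and attaches a hint.
"""
import re
import sys

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<time>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed excerpt: one unrelated record plus four denials for Nginx
SAMPLE_AUDIT_LOG = """\
type=LOGIN msg=audit(1507898701.391:515): pid=8523 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=25 res=1
type=AVC msg=audit(1507899001.120:612): avc:  denied  { name_bind } for  pid=7997 comm="nginx" src=10080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1507899010.455:630): avc:  denied  { read } for  pid=7998 comm="nginx" name="index.html" dev="dm-0" ino=2621452 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1507899011.001:631): avc:  denied  { read } for  pid=7998 comm="nginx" name="index.html" dev="dm-0" ino=2621452 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1507899020.300:640): avc:  denied  { write } for  pid=7998 comm="nginx" name="upload" dev="dm-0" ino=2621500 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
"""


def parse_context(context):
    """Split user:role:type:level.  The level may itself contain colons
    (s0-s0:c0.c1023), so split on at most three separators."""
    user, role, setype, level = context.split(':', 3)
    return {'user': user, 'role': role, 'type': setype, 'level': level}


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['result'] = m.group('result')
    rec['perms'] = tuple(m.group('perms').split())
    rec['serial'] = int(m.group('serial'))
    rec['source'] = parse_context(rec['scontext'])
    rec['target'] = parse_context(rec['tcontext'])
    return rec


def suggest(rec):
    """Map a denial to the kind of fix this article describes (a heuristic)."""
    src, tgt, tclass = rec['source']['type'], rec['target']['type'], rec['tclass']
    prefix = src[:-2] if src.endswith('_t') else src      # httpd_t -> httpd
    if tclass in ('tcp_socket', 'udp_socket') and 'name_bind' in rec['perms']:
        return ('port', 'semanage port -a -t <port type for %s> -p %s %s'
                % (src, tclass.split('_')[0], rec.get('src', '<port>')))
    if tclass in ('file', 'dir', 'lnk_file') and not tgt.startswith(prefix):
        return ('label', 'ls -Z, then restorecon -Rv or semanage fcontext for %s'
                % rec.get('name', '<path>'))
    return ('boolean', 'getsebool -a | grep %s, otherwise read the sealert report'
            % prefix)


def triage(log_text):
    """Group identical denials (same domain, target type, class and perms)."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (rec['source']['type'], rec['target']['type'], rec['tclass'], rec['perms'])
        group = groups.setdefault(key, {'count': 0, 'comm': rec.get('comm'),
                                        'remedy': suggest(rec)})
        group['count'] += 1
    return groups


if __name__ == '__main__':
    # usage: avc_triage.py [/var/log/audit/audit.log]; no argument uses the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    for (src, tgt, tclass, perms), g in triage(text).items():
        print('%3dx %-8s %s -> %s %s %s'
              % (g['count'], g['comm'], src, tgt, tclass, ' '.join(perms)))
        print('     fix (%s): %s' % g['remedy'])
```

On the sample it reports three groups: the name_bind denial on port 10080 (hint: label the port, section 3.8), two read denials on a user_home_t file (hint: fix the label, sections 3.4 and 3.7) and one write into httpd_sys_content_t (hint: check the booleans or the sealert report). Grouping matters because a busy service repeats the same denial thousands of times; the unique (domain, type, class, permission) tuples are what you actually have to decide about.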
5. Switching SELinux on and off
SELinux policy types
targeted: confines network services and leaves ordinary local processes mostly unconfined. This is the default policy.
strict: the old name for a policy that confines every process; on CentOS 7 the fully confining policy is mls (section 2.3).
The three SELinux modes
enforcing: SELinux is running and the domain/type restrictions are applied; denied accesses are blocked and logged.
permissive: SELinux is running but only logs what would have been denied and blocks nothing. Use this mode for debugging (to see what is causing an access to fail); it is not a safe long-term setting, because the confinement is gone while the logs keep growing.
disabled: SELinux is off and no labels are maintained; going back to enforcing later requires relabelling the whole filesystem (touch /.autorelabel, then reboot).
Query the current SELinux mode
getenforce
Temporarily switch to permissive (until reboot; setenforce 1 switches back)
setenforce 0
setenforce cannot disable SELinux; that, and the mode used after a reboot, is set with the SELINUX=enforcing|permissive|disabled line in /etc/selinux/config.