SELinux introductory learning

Remarks: Environment: Alibaba Cloud server, CentOS 7.8

What is SELinux?

1) SELinux (Security-Enhanced Linux) adds mandatory access control (MAC) to the kernel. It is stronger than the discretionary access control (DAC) implemented by rwx/ugo permissions and ACLs because the policy is set by the administrator and cannot be loosened by the owner of a file; SELinux is checked after DAC and can only further restrict what DAC already allows.

2) When part of the system is compromised, SELinux limits the blast radius. For example, if the system account behind the FTP service is compromised, attempts by that account to reach resources belonging to other services are blocked by policy, because the FTP domain is only allowed to touch FTP-labelled objects.

1. SELinux status

1.1 View the SELinux mode

# Show the current SELinux mode; there are three:
# enforcing  - policy is enforced and denials are logged
# permissive - nothing is blocked, but every denial is logged to the audit log
# disabled   - SELinux is off entirely (no labelling, no logging)
getenforce

1.2 Two ways to change the SELinux mode

# Temporary change, reverts to the configured mode after a reboot.
# Note: setenforce only switches between permissive and enforcing; it cannot
# turn SELinux on when it is disabled (that needs the config file and a reboot).
# 0 = permissive, 1 = enforcing; the words permissive/enforcing are also accepted
setenforce 0
# Permanent change: edit the SELinux config file, takes effect at the next reboot.
# Set SELINUX= to any of the three modes listed above. When going from disabled to
# enforcing, touch /.autorelabel first so files are labelled during boot; otherwise
# unlabelled files can leave the system unusable in enforcing mode.
vim  /etc/selinux/config
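The persistent change above can be scripted. The function below is an added example, not code from the original post: it rewrites the SELINUX= line of an /etc/selinux/config-style file idempotently, reports what changed, and reminds you to create /.autorelabel when going from disabled to enforcing. The config path is a parameter so the function can be tried on a scratch copy; the function name and the --apply flag are this example's own, and it assumes the file has a single uncommented SELINUX= line, as the stock file does.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Sets SELINUX=<mode> in a config
# file laid out like /etc/selinux/config and reports what changed.
# Assumption: the file has exactly one active (uncommented) SELINUX= line.

set_selinux_mode() {
    # $1 = enforcing|permissive|disabled, $2 = path to the config file
    local mode="$1" cfg="$2" current
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode (want enforcing|permissive|disabled)" >&2; return 2 ;;
    esac
    # The persistent setting is the first uncommented SELINUX= line
    # (SELINUXTYPE= lines do not match because of the '=' right after SELINUX).
    current=$(sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$cfg" | head -n 1)
    if [ "$current" = "$mode" ]; then
        echo "already $mode"
        return 0
    fi
    # Rewrite only the active line, via a temp file so a failed sed leaves cfg intact.
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    # Files written while SELinux was disabled carry no labels; a /.autorelabel boot
    # labels them, otherwise enforcing mode can render the system unusable.
    if [ "$current" = "disabled" ] && [ "$mode" = "enforcing" ]; then
        echo "changed $current -> $mode; run 'touch /.autorelabel' before rebooting"
        return 0
    fi
    echo "changed $current -> $mode; takes effect at the next reboot"
}

# Usage on a real host (the --apply flag is this example's own convention):
#   ./selinux-mode.sh --apply permissive
if [ "${1:-}" = "--apply" ]; then
    set_selinux_mode "$2" /etc/selinux/config
fi
```

Because the edit goes through a temporary file and only touches the line that starts with SELINUX=, the comment block at the top of the stock file and the SELINUXTYPE= line are left untouched, and running the function twice with the same mode is a no-op.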


2. Install the SELinux management tool semanage

# On this Alibaba Cloud CentOS 7.8 image SELinux is disabled by default and semanage is not installed.
# Find the package that ships semanage
yum  provides  semanage

# Install the package that provides semanage (policycoreutils-python on CentOS 7)
yum  install  -y  policycoreutils-python

3. SELinux login mappings and SELinux users (rarely changed)

# Show how Linux logins map to SELinux users (in the targeted policy __default__ maps to unconfined_u)
semanage   login  -l

# List SELinux users and the roles and levels they may take
semanage user  -l

4. Managing file security contexts

4.1 What is an SELinux context

1) The SELinux security model is built from subjects, objects, and actions. A subject is a process, for example a running command or the Apache httpd process; an object is a file, directory, port, device, or any other resource the subject accesses; an action is the operation the subject performs on the object (read, write, bind, and so on).

2) SELinux attaches a context, which is simply a label, to every subject and object. The loaded policy then decides, for each access, whether a subject with that label may perform that action on an object with that label. DAC (rwx/ACL) is checked first; SELinux can only further restrict, never grant, what DAC already allows.

4.1.1 View the context of a file or directory

# Show the context of every file in the current directory
ls  -Z

# Show the context of the current directory itself
ls  -dZ


4.1.2 A file context has four colon-separated fields; the type is the one that matters

unconfined_u:object_r:admin_home_t:s0
    unconfined_u  SELinux user
    object_r      SELinux role (always object_r for files)
    admin_home_t  SELinux type, the field type enforcement decides on
    s0            sensitivity level, s0 everywhere unless MLS is in use

4.1.3 Where does a file's context come from? Look at what happens when a file is created, copied, and moved

Summary

  • A newly created file gets the default type for its location, normally the type of the parent directory (the policy can override this with type-transition rules, for example for files created in /tmp)
  • Copying with cp creates a new file, so the copy gets the destination directory's default context; cp --preserve=context (or cp -a) keeps the source context instead
  • Moving with mv keeps the original context, which is why files moved into a service directory often need restorecon before the service is allowed to read them

4.2 Two ways to change a file context: chcon, and restorecon (recommended)

4.2.1 chcon: a direct change that is not recorded in policy, so it survives a reboot but is lost at the next relabel (restorecon, fixfiles, or a /.autorelabel boot)

① Set fields directly: chcon -R [-t type] [-u user] [-r role] file-to-change

② Copy from a reference file: chcon -R --reference=reference-file file-to-change

Options:

-R Recurse into directories
-t Set the type field of the context, for example admin_home_t
-u Set the user field, for example system_u
-r Set the role field, for example system_r
-v Report every file processed
--reference  Take all fields from the given reference file

  Example 1:

# Set the type directly
chcon -v  -t  admin_home_t   /root/2.txt


Example 2:

# Copy the context of /root/1.txt onto /root/2.txt
chcon  --reference=/root/1.txt   /root/2.txt


4.2.2 restorecon (recommended): reset a file to its default context

① First, if the default is not what you want, manage the default with semanage fcontext; options:

-a add: add a rule
-l list: list rules (add -C to show only local customizations)
-m modify: modify a rule
-d delete: delete a rule
-t type: the type the rule assigns
-e equal: label the target path as if it were the reference path (semanage fcontext -a -e /reference /target)

② Then apply the defaults: restorecon [-R] [-v] file-to-relabel

Example 1: create 2.txt in /tmp and mv it to /root (mv keeps the /tmp context, typically user_tmp_t)

# Add a default-context rule for 2.txt
# (this appends a line to /etc/selinux/targeted/contexts/files/file_contexts.local)
# Note: the stock rule /root(/.*)? already maps to admin_home_t, so this rule is redundant
# and restorecon alone would be enough; it is kept here to show the mechanism
semanage fcontext  -a  -t  admin_home_t   /root/2.txt

# Reset to the default context; -R recurse, -v show what is done
restorecon -R  -v  /root/2.txt

Example 2: create 1.sh under /root and mv it to /etc/cron.d

# Add an equivalence rule: label /etc/cron.d/1.sh as if it were /etc/cron.d/0hourly
# (use absolute paths; the stock rule for /etc/cron.d(/.*)? already covers the
# file, so plain restorecon would also fix it)
semanage fcontext  -a  -e  /etc/cron.d/0hourly  /etc/cron.d/1.sh

# Check the rule just added
semanage fcontext -l  | grep 1.sh

# Reset to the default context
restorecon -R  -v  /etc/cron.d/1.sh

Example 3: the form used when setting up a virtual host (see the separate post on name-based Apache virtual hosts)

# /home/www and everything below it
# Set the default context for the /home/www directory and all files under it
# Regex: "(/.*)?" is an optional group of a slash followed by anything, so the pattern
# matches /home/www itself and every path under it, but not /home/wwwroot; file_contexts
# patterns are matched against the whole path (anchored at both ends)
semanage fcontext  -a  -t  httpd_sys_content_t  "/home/www(/.*)?"

# Relabel recursively according to the rule just added
restorecon -R  /home/www/
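Getting the regex wrong in a fcontext rule either leaves files unlabelled or labels a neighbouring directory by accident, so it is worth dry-running the pattern before registering it. The script below is an added example, not code from the original post: it checks candidate paths against a file_contexts-style regex the way SELinux does (whole-path match), then wraps the semanage/restorecon steps from Example 3 in a function that only adds the rule if it is not already in the local customizations. It assumes grep -E is equivalent to the PCRE that libselinux uses for simple patterns like this one; the function names and the --apply flag are this example's own, and label_web_root needs a real SELinux host.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Dry-runs a file_contexts regex
# such as "/home/www(/.*)?" against candidate paths before registering it, then
# registers it and relabels. Assumptions: grep -E behaves like the PCRE libselinux
# uses for these simple patterns; label_web_root needs a real SELinux host.

# SELinux matches file_contexts regexes against the whole path, so anchor with ^ and $.
# Returns 0 if path $2 is covered by regex $1.
fcontext_matches() {
    local regex="$1" path="$2"
    printf '%s\n' "$path" | grep -Eq "^${regex}\$"
}

# Print MATCH / no-match for each candidate path, to see the rule's scope.
fcontext_dry_run() {
    local regex="$1" p
    shift
    for p in "$@"; do
        if fcontext_matches "$regex" "$p"; then
            echo "MATCH    $p"
        else
            echo "no-match $p"
        fi
    done
}

# Register the rule once (skip if already in the local customizations) and relabel.
# Real semanage/restorecon/ls calls; only run with --apply on an SELinux host.
label_web_root() {
    local dir="$1" type="${2:-httpd_sys_content_t}" regex="$1(/.*)?"
    if ! semanage fcontext -l -C | grep -Fq "$regex"; then
        semanage fcontext -a -t "$type" "$regex"
    fi
    restorecon -R -v "$dir"
    ls -dZ "$dir"          # verify: the directory should now show the requested type
}

if [ "${1:-}" = "--apply" ]; then
    label_web_root "${2:-/home/www}"
fi
```

Running fcontext_dry_run '/home/www(/.*)?' /home/www /home/wwwroot /home/www/a.php shows that the pattern covers the directory itself and its descendants but not /home/wwwroot, which is exactly why the trailing group is written as "(/.*)?" rather than ".*".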

5. SELinux port management

For Apache on a cloud server to be reachable on a non-standard port, three layers must all allow it: the cloud security group, the host firewall (firewalld), and the SELinux port label.

5.1 Change the Apache port from 80 to the non-standard 8090 and restart Apache

vim  /etc/httpd/conf/httpd.conf

# Change the port Apache listens on to 8090
#Listen 80
Listen 8090
# Restart Apache
systemctl  restart httpd

# Check Apache status
systemctl  status  httpd

Apache fails to start (the original post shows the error as a screenshot, not reproduced here); the cause is found in the audit log in the next step.

5.2 Find the denial in the audit log

# Filter the audit log for AVC (access vector cache) denial records
grep denied  /var/log/audit/audit.log  | grep  avc

The record below reads as follows: the subject is the httpd process running in domain httpd_t (scontext); the object is TCP port 8090, labelled unreserved_port_t (tcontext); the denied permission is name_bind on tcp_socket. The policy allows httpd_t to bind ports labelled http_port_t, and unreserved_port_t is not in that set, so the bind to 8090 fails. permissive=0 confirms the denial was actually enforced.


type=AVC msg=audit(1603162841.518:747): avc:  denied  { name_bind } for  pid=1841 comm="httpd" src=8090 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0


5.3 Fix: give port 8090 the http_port_t label

# List the default port labels whose type name starts with http
semanage port  -l  | grep ^http

# Label tcp/8090 as http_port_t
# (if the port already carries a non-default label, -a fails with "already defined"; use -m instead)
semanage port  -a  -t http_port_t  -p  tcp  8090

# List local port customizations only
semanage port  -l  -C
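Reading the fields out of an AVC record by eye is error-prone, and the same four fields (subject type, target type, class, permission) drive every SELinux diagnosis, not just the port case. The script below is an added example, not code from the original post or from sealert: it parses AVC lines from audit.log into those fields and, for a name_bind denial like the one in 5.2, prints the semanage port command that fixes it. SAMPLE_AVC is the record shown in the post embedded as test input; the domain-to-port-type lookup table is an assumption of this example that you extend for other daemons.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Parses AVC denial records like
# the one in 5.2 into subject type / target type / class / permissions, and for a
# port-bind denial prints the semanage port command that fixes it.
# Assumptions: the domain -> port-type table below is a small lookup you extend;
# SAMPLE_AVC is the record from the post, embedded here as test input.

# One line in, one summary line out: "<subject type> <target type> <tclass> <perms>".
avc_summary() {
    local line="$1" perm scontext tcontext tclass
    # The kernel formats denials as "avc:  denied  { perm [perm ...] } for ..."
    perm=$(printf '%s\n' "$line"     | sed -n 's/.*denied  *{ *\([a-z_][a-z_ ]*[a-z_]\) *}.*/\1/p')
    scontext=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tcontext=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    tclass=$(printf '%s\n' "$line"   | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    # A context is user:role:type:level; the type (field 3) is what the targeted
    # policy decides on, so that is what we report.
    echo "$(printf '%s' "$scontext" | cut -d: -f3) $(printf '%s' "$tcontext" | cut -d: -f3) $tclass $perm"
}

# For "{ name_bind }" on a tcp/udp socket, print the port fix; return 1 otherwise.
avc_suggest_port_fix() {
    local line="$1" stype ttype tclass perm port proto ptype
    set -- $(avc_summary "$line")
    stype=$1; ttype=$2; tclass=$3; perm=$4
    [ "$perm" = "name_bind" ] || { echo "not a port bind denial ($stype -> $ttype $tclass $perm)"; return 1; }
    port=$(printf '%s\n' "$line" | sed -n 's/.*src=\([0-9]*\).*/\1/p')
    case "$tclass" in
        tcp_socket) proto=tcp ;;
        udp_socket) proto=udp ;;
        *) echo "unexpected class $tclass"; return 1 ;;
    esac
    # Assumed lookup: which port type each daemon domain is allowed to bind.
    case "$stype" in
        httpd_t) ptype=http_port_t ;;
        sshd_t)  ptype=ssh_port_t ;;
        *) echo "no port type known for $stype; see: semanage port -l"; return 1 ;;
    esac
    # If the port already carries a non-default type, -a reports "already defined"; use -m then.
    echo "semanage port -a -t $ptype -p $proto $port"
}

# Constructed input: the record shown in the post.
SAMPLE_AVC='type=AVC msg=audit(1603162841.518:747): avc:  denied  { name_bind } for  pid=1841 comm="httpd" src=8090 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# On a real host:
#   grep 'avc:  denied' /var/log/audit/audit.log | while read -r l; do avc_suggest_port_fix "$l"; done
```

For the record from 5.2, avc_summary gives "httpd_t unreserved_port_t tcp_socket name_bind" and avc_suggest_port_fix prints the same command the post applies in 5.3. A file denial (for example "{ read open }" on a user_home_t file) is summarised but rejected by the port helper, which is the cue to look at fcontext rules or booleans instead. On a live host, ausearch -m avc -ts recent is a more reliable way to pull the records than grep, because it also handles rotated logs.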


5.4 Open 8090 in the cloud security group and the host firewall, then restart Apache and test

# Open 8090/tcp in firewalld (persisted across reboots)
firewall-cmd  --add-port=8090/tcp  --permanent

# Reload so the permanent rule becomes active in the running configuration
firewall-cmd  --reload

# List the currently open ports
firewall-cmd  --list-ports
# Restart Apache
systemctl  restart  httpd

# Check Apache status
systemctl  status httpd

6. SELinux booleans

Note: most service-level SELinux tuning is done by flipping booleans. They are exposed as files under /sys/fs/selinux/booleans/ with descriptive names, but are changed with setsebool rather than by writing to those files.

For example, the httpd_enable_homedirs boolean allows or denies Apache access to users' home directories; it is off by default.

6.1 Query booleans

# List all booleans with their current value, default value and a description
semanage boolean  -l

# List the booleans whose name starts with http
semanage boolean  -l   | grep  ^http

6.2 Change a boolean

# Query one boolean
# user_exec_content: allow confined users to execute files in their home directory and /tmp
getsebool user_exec_content

# Set it; -P makes the change persistent across reboots (without -P it is runtime only)
setsebool  -P  user_exec_content on

# The name=value form is also accepted
setsebool  -P user_exec_content=1
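Booleans are usually managed as desired state across many hosts rather than toggled one at a time, and setsebool -P is slow enough (it rewrites the policy) that you only want to run it for values that actually differ. The script below is an added example, not code from the original post: it compares a desired-state list against the output of getsebool -a and prints only the setsebool -P commands needed. The DESIRED list and SAMPLE_GETSEBOOL text are constructed for the example; the function name and the --apply flag are its own.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Computes which setsebool -P
# commands are needed to bring a host to a desired boolean state, from the output
# of `getsebool -a` (lines like "httpd_enable_homedirs --> off").
# The desired list and the sample getsebool output below are constructed.

# Desired state, one "name value" per line (assumed for this example).
DESIRED='httpd_enable_homedirs on
user_exec_content on
httpd_can_network_connect off'

# $1 = desired list, $2 = getsebool -a output; prints one setsebool -P per drift,
# and a commented warning for a boolean the host does not know.
boolean_drift() {
    local desired="$1" current="$2" name want have
    printf '%s\n' "$desired" | while read -r name want; do
        [ -n "$name" ] || continue
        # getsebool -a prints "name --> value": field 1 is the name, field 3 the value
        have=$(printf '%s\n' "$current" | awk -v n="$name" '$1 == n { print $3 }')
        if [ -z "$have" ]; then
            echo "# unknown boolean: $name (check semanage boolean -l)"
        elif [ "$have" != "$want" ]; then
            echo "setsebool -P $name $want"
        fi
    done
}

# Constructed sample of getsebool -a output for the three booleans above.
SAMPLE_GETSEBOOL='httpd_can_network_connect --> on
httpd_enable_homedirs --> off
user_exec_content --> on'

# On a real host, review the plan first, then pipe it to sh (this example's --apply flag):
#   boolean_drift "$DESIRED" "$(getsebool -a)"
if [ "${1:-}" = "--apply" ]; then
    boolean_drift "$DESIRED" "$(getsebool -a)" | grep -v '^#' | sh
fi
```

For the sample, only httpd_enable_homedirs (off, wanted on) and httpd_can_network_connect (on, wanted off) produce commands; user_exec_content already matches and is skipped. Unknown names are reported as comments instead of being passed to setsebool, which would otherwise abort the whole run with an error.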

7. SELinux troubleshooting tools

7.1 Watch the logs for SELinux-related errors

tail -f  /var/log/messages

tail -f  /var/log/audit/audit.log

7.2 Install sealert and analyse the audit log

# Find the package that ships sealert
yum  provides  sealert

# Install it (setroubleshoot-server on CentOS 7)
yum  install  setroubleshoot-server   -y
# -a analyse the given log file
sealert -a  /var/log/audit/audit.log

The original post shows a screenshot of part of the analysis for the port error from section 5. Several plugins offer suggestions; the bind_ports plugin reports 92.2% confidence and recommends: semanage port -a -t PORT_TYPE -p tcp 8090, where PORT_TYPE is one of the port types httpd_t is allowed to bind (http_port_t in section 5.3).

Note: SELinux is a complex topic. This article is a summary based on a preliminary understanding and will be supplemented and revised after further study. If you have any questions or suggestions, please leave a message. Thank you!


Source: blog.csdn.net/qq_29644709/article/details/108960594