SELinux is the most prominent new security subsystem on Linux. It is an access control system under which a process can access only the files it needs for its task.
SELinux enforces least privilege for user programs by adding a further layer of access control. In Linux, every file and every process carries a security context, and SELinux decides what a process may do with a file by comparing their security contexts;
The security context, and what its value means;
1. Check the status of SELinux:
Change the state of SELinux:
2. Editing the SELinux configuration file config in the /etc/selinux directory also changes the status:
3. SELinux has three states: enforcing (the policy is enforced), permissive (violations are only logged as warnings) and disabled (SELinux is off). Switching between enforcing and permissive does not require a restart; switching to or from disabled requires the system to be rebooted;
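The following script is an added example, not part of the original tutorial: it works on a copy of /etc/selinux/config (the sample content below is constructed in the file's usual format) so it runs on a machine without SELinux, reads and rewrites the SELINUX= line, and encodes the rule from step 3 about which mode changes need a reboot. On a real system the runtime mode is switched with setenforce and the boot-time mode by editing this file.

```shell
#!/bin/sh
# Added example (not from the original tutorial): manage the boot-time SELinux
# mode on a copy of /etc/selinux/config. The sample content is constructed.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these values:
SELINUXTYPE=targeted'

# Print the mode configured in the given config file (the mode used at boot).
selinux_configured_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1"
}

# Rewrite SELINUX= in the config file; reject anything but the three valid modes
# so a typo cannot leave the system booting with an unparseable setting.
selinux_set_configured_mode() {
    cfg=$1; mode=$2
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $mode" >&2; return 1 ;;
    esac
    new=$(mktemp) || return 1
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" > "$new" && mv "$new" "$cfg"
}

# Does changing from mode $1 to mode $2 need a reboot? Only transitions that
# involve 'disabled' do; enforcing <-> permissive is a runtime switch (setenforce).
selinux_reboot_needed() {
    case "$1:$2" in
        *disabled*) if [ "$1" != "$2" ]; then echo yes; else echo no; fi ;;
        *) echo no ;;
    esac
}

# Usage: switch the constructed config from enforcing to permissive.
demo() {
    work=$(mktemp)
    printf '%s\n' "$SAMPLE_CONFIG" > "$work"
    before=$(selinux_configured_mode "$work")
    selinux_set_configured_mode "$work" permissive
    after=$(selinux_configured_mode "$work")
    echo "$before -> $after (reboot needed: $(selinux_reboot_needed "$before" "$after"))"
    rm -f "$work"
}
demo
```

The rejection of invalid values matters in practice: the real file is read at boot, and a mistyped mode is the kind of error you only discover on the next reboot.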
View the security context of a file: ls -Z filename
selinux_config_t is the type field of the context; a file's context value changes with the location of the file;
A new file inherits its context value from the existing context:
How to restore the context value of a file:
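The script below is an added example, not from the original tutorial. It parses the user:role:type:level context shown by ls -Z (the three output lines are constructed; the types etc_t and user_home_t are standard targeted-policy types) and lists files whose type does not match what a directory should hold. The third sample line shows the case the tutorial's "restore the context" step is for: a file moved into /etc from a home directory keeps its old user_home_t label, which is what restorecon fixes.

```shell
#!/bin/sh
# Added example (not from the original tutorial): inspect `ls -Z` output and
# find files whose type label does not match the expected one.
# Constructed sample output; a file moved (mv) from a home directory keeps
# its old context, so it shows up as user_home_t under /etc.
SAMPLE_LS_Z='-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/hosts.allow
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/hosts.deny
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 /etc/hosts.moved-from-home'

# Split a context user:role:type:level and print field $2 (1 = user ... 4 = level).
context_field() {
    echo "$1" | cut -d: -f"$2"
}

# From one `ls -Z` line, print "<path> <type>".
ls_z_path_and_type() {
    # In this output format field 4 is the context and field 5 the path.
    set -- $1
    echo "$5 $(context_field "$4" 3)"
}

# Read `ls -Z` lines on stdin and print every file whose type is not $1,
# in the form "<path> (<actual type>)".
list_mislabeled() {
    expected=$1
    while read -r line; do
        [ -z "$line" ] && continue
        set -- $line
        actual=$(context_field "$4" 3)
        if [ "$actual" != "$expected" ]; then
            echo "$5 ($actual)"
        fi
    done
}

# Usage: everything directly under /etc is expected to be etc_t; anything else
# is a candidate for `restorecon -v <path>`.
printf '%s\n' "$SAMPLE_LS_Z" | list_mislabeled etc_t
```

On a real host the input would come from ls -Z itself; the parsing stays the same because the context is always the single colon-separated field before the path.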
About the boolean values of SELinux:
How to see the boolean values:
View the SELinux booleans that concern the http service; if we need to open a specific service port, use the following command:
Likewise, we can close the port again when we are no longer using it;
5. On a Linux system where SELinux is in the enforcing state, as soon as a user violates an SELinux rule, SELinux blocks that user's access. Linux also offers the user a way out: when an SELinux rule is violated, the system pops up a yellow five-pointed star and proposes a solution. If the yellow five-pointed star does not appear, the software package is probably not installed and you need to install setroubleshoot;
6. A second firewall layer alongside SELinux: tcp_wrappers
tcp_wrappers is designed as intermediate processing software that sits between an incoming service request and the system's service response.
The basic flow: when the system receives an external service request, TCP Wrapper processes it first. Based on the service being requested and the access control rules customised for that service, TCP Wrapper judges whether the requester has permission to use the service. If so, TCP Wrapper hands the request to the corresponding daemon according to the rules defined in its configuration file, records the request, and then waits for the next request.
Access control in tcp_wrappers is mainly done through two files:
/etc/hosts.allow ### defines the hosts that are allowed access
/etc/hosts.deny ### defines the hosts that are not allowed access
tcp_wrappers checks /etc/hosts.allow first; if the client is not matched there, it checks /etc/hosts.deny; if the client is matched in neither file, access is allowed by default;
Now let's test tcp_wrappers. We set the following configuration on the server side:
Edit the /etc/hosts.allow file:
Edit the /etc/hosts.deny file:
Then we test from the clients. First, the client 192.168.88.130:
Access is denied. Next, our client 192.168.88.129 (we write this IP in both the blacklist and the whitelist, and make sure the whitelist is read first):
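As an added example that is not part of the original tutorial, the script below replays the hosts.allow / hosts.deny decision order on constructed rule files, so a server's rules can be checked before a client connects. The service name sshd is an assumption (the tutorial does not say which service was tested); the rule files are constructed to match the test above: 192.168.88.129 is listed in both files, 192.168.88.130 only in hosts.deny. Only the ALL keyword, exact addresses and a network prefix ending in a dot are implemented, a subset of the real file syntax; note also that tcp_wrappers only protects services that consult it (those built against libwrap), so a service with no rule in either file is not necessarily wrapped at all.

```shell
#!/bin/sh
# Added example (not from the original tutorial): evaluate tcp_wrappers-style
# rules in the order hosts.allow -> hosts.deny -> default allow.
# Constructed rule files; "sshd" is an assumed service name.
HOSTS_ALLOW='sshd: 192.168.88.129'
HOSTS_DENY='sshd: 192.168.88.129, 192.168.88.130'

# Does client address $2 match client pattern $1?
# Supported: ALL, an exact address, or a network prefix ending in a dot (192.168.88.).
client_matches() {
    pattern=$1; client=$2
    case $pattern in
        ALL) return 0 ;;
        *.)  case $client in "$pattern"*) return 0 ;; esac ;;
        *)   [ "$pattern" = "$client" ] && return 0 ;;
    esac
    return 1
}

# Does any "daemon_list : client_list" line in rules $1 match daemon $2 and client $3?
# Lines that are empty or start with # are ignored, as in the real files.
rules_match() {
    rules=$1; daemon=$2; client=$3
    printf '%s\n' "$rules" | {
        while IFS=: read -r daemons clients; do
            case $daemons in ''|'#'*) continue ;; esac
            for d in $daemons; do
                [ "$d" = ALL ] || [ "$d" = "$daemon" ] || continue
                for c in $(printf '%s' "$clients" | tr ',' ' '); do
                    if client_matches "$c" "$client"; then exit 0; fi
                done
            done
        done
        exit 1
    }
}

# The tcp_wrappers order: a hosts.allow match wins, then a hosts.deny match
# denies, and a client matched by neither file is allowed.
tcpwrap_decide() {
    if rules_match "$HOSTS_ALLOW" "$1" "$2"; then echo allow; return 0; fi
    if rules_match "$HOSTS_DENY"  "$1" "$2"; then echo deny;  return 0; fi
    echo allow
}

# Usage: replay the two client tests from the tutorial.
for ip in 192.168.88.129 192.168.88.130; do
    echo "sshd from $ip: $(tcpwrap_decide sshd "$ip")"
done
```

The default-allow fall-through is the part worth checking on a real host: a hosts.deny that does not end in an ALL: ALL line leaves every unlisted client allowed.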