【Linux】Basic understanding of SELinux

SELinux


1. Introduction

SELinux (Security-Enhanced Linux) is a kernel-level security mechanism; it has been part of the mainline kernel since Linux 2.6. Because it lives in the kernel, the switch in its configuration file that turns SELinux on or off takes effect only after the operating system is restarted (the choice between enforcing and permissive, by contrast, can also be changed at runtime; see section 5).

Mainstream Linux distributions now ship with the SELinux mechanism integrated.

CentOS/RHEL enable SELinux by default.



2. Basic concepts

An operating system's security mechanism really comes down to constraining two things: processes, and the system resources they act on (files, network sockets, system calls, and so on).

Plain Linux restricts access to system resources through the concepts of users and groups.
SELinux defines two basic concepts for these two things: the domain and the context.

The domain constrains the process, and the context constrains the system resource. Both are expressed as a label of the form user:role:type:level (for example system_u:system_r:httpd_t:s0 for an httpd process, or unconfined_u:object_r:httpd_sys_content_t:s0 for a file it serves); under the default targeted policy it is the type field that the rules are written against. ps -eZ shows the domain of every process and ls -Z the context of every file.
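As an added example (not code from the original post), the following shell script takes a label apart and extracts it from ls -Z / ps -eZ style lines. The three sample lines are constructed here to match the shape of those commands' output, so the script runs without SELinux present. The caveat it handles is that the level field can itself contain colons (an MLS/MCS range such as s0-s0:c0.c1023), so a naive cut -d: -f4 would return only part of it.

```shell
#!/bin/sh
# Added example (not from the original post): pull the four pieces out of an
# SELinux label. A label is user:role:type:level, but the level may contain
# colons (s0-s0:c0.c1023), so split on the first three colons only.
ctx_user()  { printf '%s\n' "${1%%:*}"; }
ctx_role()  { r="${1#*:}"; printf '%s\n' "${r%%:*}"; }
ctx_type()  { r="${1#*:}"; r="${r#*:}"; printf '%s\n' "${r%%:*}"; }
ctx_level() { r="${1#*:}"; r="${r#*:}"; r="${r#*:}"; printf '%s\n' "$r"; }

# Extract the label from one line of `ls -Z` or `ps -eZ` output: it is the
# first whitespace-separated field shaped like a_b:c_d:e_f:... (the clock
# time 00:00:00 in ps output does not match because of the digits).
label_of_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[a-z_]+:[a-z_]+:[a-z_]+:/) { print $i; exit }
    }'
}

# Constructed sample lines, shaped like the real commands' output.
PS_LINE='system_u:system_r:httpd_t:s0            1234 ?        00:00:00 httpd'
LS_LINE='-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html'
LS_BAD='-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 /var/www/html/upload.html'

# Report the type (the process domain, or the file's context type) a line
# carries; under the targeted policy this is the field the rules name.
report() {
    lbl=$(label_of_line "$1")
    printf 'type=%-22s role=%-9s user=%-12s level=%s\n' \
        "$(ctx_type "$lbl")" "$(ctx_role "$lbl")" "$(ctx_user "$lbl")" "$(ctx_level "$lbl")"
}

report "$PS_LINE"
report "$LS_LINE"
# user_home_t under /var/www/html is the classic mislabel: mv keeps the
# source label, so httpd_t cannot read the file; restorecon fixes it.
report "$LS_BAD"
```

The third sample line is the one a practitioner meets most often: the file permissions look right, but the context type is wrong for the domain that needs it, and only ls -Z shows why.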

3. Rules

# Under SELinux there are many individual rules (booleans);
# which of them are switched on depends on the policy type in use,
# and switching a rule on or off changes, for a given kind of process, what it may do to files.

# [Show every rule under the current policy type and whether it is on or off]
getsebool -a
sestatus -b

# [Change a rule under the current policy type] [-P makes the change persistent across reboots;
# it also takes effect immediately, so no reboot is needed]
setsebool -P rule_name 1/0
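An added example (not from the original post): read a boolean's state in the form getsebool prints it, and call setsebool -P only when the value actually differs, so the script can be re-run safely. The getsebool -a output used for the offline run is constructed; ensure_sebool, which runs the real commands, needs root on an SELinux host.

```shell
#!/bin/sh
# Added example (not from the original post): change a rule only when it is
# not already in the wanted state, and persist it with -P.
# Parses `getsebool` output of the form "name --> on" / "name --> off".

# bool_state "<getsebool output>" NAME -> prints on|off; exit 1 if NAME is absent
bool_state() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == want && $2 == "-->" { print $3; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# wanted_as_onoff 1|0|on|off|true|false -> on|off (setsebool accepts all of
# these; normalise so the comparison with getsebool output is exact)
wanted_as_onoff() {
    case "$1" in
        1|on|true)   echo on ;;
        0|off|false) echo off ;;
        *) echo "bad value: $1" >&2; return 2 ;;
    esac
}

# ensure_sebool NAME VALUE: read the live state and run `setsebool -P` only
# if it differs. -P writes the change into the policy store so it survives a
# reboot and still takes effect immediately; without -P it is lost at boot.
ensure_sebool() {
    name=$1
    want=$(wanted_as_onoff "$2") || return 2
    cur=$(bool_state "$(getsebool "$name" 2>/dev/null)" "$name") \
        || { echo "unknown boolean: $name" >&2; return 1; }
    if [ "$cur" = "$want" ]; then
        echo "$name already $want"
    else
        echo "$name: $cur -> $want"
        setsebool -P "$name" "$want"
    fi
}

# Constructed sample of `getsebool -a` output, so the logic runs offline.
SAMPLE='httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_enable_homedirs --> off
samba_enable_home_dirs --> off'

# plan NAME VALUE: say what ensure_sebool would do, judged from SAMPLE alone.
plan() {
    cur=$(bool_state "$SAMPLE" "$1") || { echo "$1: unknown boolean"; return 1; }
    want=$(wanted_as_onoff "$2") || return 2
    [ "$cur" = "$want" ] && echo "$1: keep $cur" || echo "$1: setsebool -P $1 $want"
}

plan httpd_can_network_connect 1
plan httpd_enable_homedirs off
plan no_such_boolean 1 || true
```

The check-before-set matters in practice because setsebool -P rebuilds and reloads the policy, which takes several seconds; skipping it when nothing changes keeps configuration runs fast and idempotent.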

4. Policy

In SELinux, policies define which domains may access which contexts.

SELinux ships with several preset policy types.

CentOS/RHEL use the targeted policy by default.

targeted policy

  • Only targeted processes are confined by SELinux (typically network-facing services such as httpd, mysqld and dhcpd)
  • Non-targeted processes run in the unconfined domain and are not restricted by SELinux


5. Working mode

SELinux has three working modes: enforcing, permissive and disabled.

enforcing

Enforcing mode. Any action that violates the policy is denied, and the denial is logged as a kernel AVC message (in /var/log/audit/audit.log when auditd is running, otherwise in the kernel log).

permissive

Permissive mode. Actions that violate the policy are not blocked, but every would-be denial is still logged as a warning, which makes this mode the right tool for finding out what enforcing mode would break.

disabled

Disabled mode. SELinux is switched off entirely and the system behaves as if SELinux were not built in; files created in this mode get no labels. Administrators often set this mode to make a problem go away, but it throws away the protection completely; permissive mode together with the logs shows what actually needs fixing.


On CentOS/RHEL the default working mode of SELinux is enforcing.

# Show the current SELinux working mode
getenforce
# Temporarily change the mode: setenforce 1 switches to enforcing, setenforce 0 to permissive
setenforce 0|1
# Permanent change: edit the SELinux configuration file, then reboot the system
# Edit /etc/selinux/config (/etc/sysconfig/selinux is a symlink to the same file)

[Note:] Setting the mode with setenforce is only a temporary change that is lost when the system restarts; for a permanent change, edit the SELINUX= line of the SELinux main configuration file. setenforce can only switch between enforcing and permissive; turning SELinux off or back on (to or from disabled) has to go through the configuration file and a reboot, and when coming back from disabled the filesystem must be relabelled (touch /.autorelabel before rebooting), because files created while SELinux was off carry no labels.
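The whole procedure as an added example (not from the original post): read the persistent mode from the SELINUX= line, change it, and report whether the change can be applied live with setenforce or needs a reboot. The file it edits is a constructed copy with the same layout as /etc/selinux/config, passed in as a parameter, so the script can be run anywhere without touching the real file.

```shell
#!/bin/sh
# Added example (not from the original post): read and change the persistent
# SELinux mode by editing the SELINUX= line of a config file given as FILE.

# config_mode FILE -> prints the value of the last uncommented SELINUX= line
config_mode() {
    awk -F= '/^[[:space:]]*SELINUX[[:space:]]*=/ { v = $2 } END { print v }' "$1"
}

# set_config_mode FILE MODE: rewrite SELINUX=... in place; rejects anything
# but the three valid values and appends the line if the file had none.
set_config_mode() {
    file=$1 mode=$2
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode" >&2; return 2 ;;
    esac
    if grep -q '^[[:space:]]*SELINUX[[:space:]]*=' "$file"; then
        sed "s/^[[:space:]]*SELINUX[[:space:]]*=.*/SELINUX=$mode/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf 'SELINUX=%s\n' "$mode" >> "$file"
    fi
}

# needs_reboot FROM TO -> true if the change cannot be applied with setenforce:
# enforcing<->permissive can be done live, but leaving or entering disabled
# cannot, and coming back from disabled also needs a relabel (touch
# /.autorelabel before the reboot) since files made while off have no labels.
needs_reboot() {
    [ "$1" != "$2" ] && { [ "$1" = disabled ] || [ "$2" = disabled ]; }
}

# Constructed copy of /etc/selinux/config; the real file has the same shape.
tmp=$(mktemp) || exit 1
trap 'rm -f "$tmp" "$tmp.tmp"' EXIT
cat > "$tmp" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
SELINUXTYPE=targeted
EOF

before=$(config_mode "$tmp")
set_config_mode "$tmp" permissive
after=$(config_mode "$tmp")
echo "persistent mode: $before -> $after"
if needs_reboot "$before" "$after"; then
    echo "reboot required (and touch /.autorelabel if leaving disabled)"
else
    echo "apply now with: setenforce $([ "$after" = enforcing ] && echo 1 || echo 0)"
fi
```

Pointing the same functions at /etc/selinux/config (as root) gives the real persistent change; the needs_reboot check is what separates the two cases the note above describes, a mode switch that setenforce can apply immediately from one that only the next boot will honour.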

Origin blog.csdn.net/Sanayeah/article/details/131562701