My Linux, I call the shots! Enterprise-wide security policy: SELinux in practice

(A) Understand how SELinux works
SELinux (Security-Enhanced Linux) is an implementation of mandatory access control developed by the United States National Security Agency (NSA), and it is the most prominent new security subsystem in the history of Linux. The NSA developed this access control system with the help of the Linux community; under its rules, a process can access only the files it needs for its task. SELinux is installed by default on Fedora and Red Hat Enterprise Linux, and other distributions offer it as an easily installed package. SELinux is the mandatory access control (MAC) system provided with the Linux 2.6 kernel. Of the security modules currently available for Linux, SELinux is the most comprehensive and most thoroughly tested; it is built on 20 years of MAC research. SELinux combines multi-level security, or an optional multi-category policy, with type enforcement, and it uses the concept of role-based access control.
Most people use a distribution that ships ready to use SELinux, such as Fedora, Red Hat Enterprise Linux (RHEL), Debian or CentOS. These distributions enable SELinux in the kernel and provide a customized security policy; they also provide many user-level libraries and tools that make use of SELinux functionality.
SELinux is a mandatory access control (MAC) security system based on the domain-type model. It consists of a kernel module written by the NSA and merged into the kernel, patches to certain security-related applications, and finally a corresponding security policy. Under traditional permissions any program has full control over its own resources: suppose a program intends to drop a file that may contain important information into the /tmp directory; under DAC, nobody can stop it. SELinux provides better access control than traditional UNIX permissions.
Traditional file control is achieved by setting permissions. For example, if we set a file's permission to 777, anyone can read, modify and delete that file; the operation is controlled entirely by the permission bits. This approach is called DAC (discretionary access control). SELinux, by contrast, performs access control by label. For example, a process a accesses a file aa, and its label is aa-fa; another process b accesses a file bb, and its label is bb-fb. Even if the permission of file bb is 777, so that everyone has read, write and execute permission, process a still cannot access file bb, because the labels are not the same. So in SELinux a process with a specific label can only access resources with a particular label; this is the concept of the context.


(B) Understand the SELinux context
(2.1) We install the httpd service on host vms002 and set it to start at boot.
(2.2) Since the SELinux service is not yet enabled, we set it to the enabled state.
(2.3) Use the # ps axZ | grep httpd command to view the httpd process information and its context.
(2.4) We know that the context of the /var/www/html/ directory is httpd_sys_content_t. Now we create a /www directory under the root and make 192.168.26.102/www point to that /www directory.
(2.5) Then we add a Directory /www section for the /www directory to the /etc/httpd/conf/httpd.conf configuration file.
(2.6) We find that the context of the /www directory is default_t, not the httpd_sys_content_t context that the /var/www/html/ directory has. We use the following command to modify the context.
# chcon -R -t httpd_sys_content_t /www
(2.7) Now that the contexts are the same, http://192.168.26.102/www/ can be accessed and the directory is displayed normally.
(2.8) If we want to restore the default context, use the # restorecon -R /www/ command.
(2.9) If we want to copy the context of the /var/www/html/ directory directly, use the --reference parameter.
(2.10) If we do not remember the exact context, we can set a general-purpose context.
(2.11) If we want to query all the context information of the current system, use # semanage fcontext -l.
(2.12) For example, the regular expression /var/www/html(/.*)? matches the /var/www/html directory and all files or directories below it.
(2.13) If we need to modify the default context that corresponds to a directory, use the # semanage fcontext -a -t public_content_t '/www(/.*)?' command. Then, when # restorecon -R /www/ is used to restore the default, the value shown by the semanage command is applied.
(2.14) If we want to remove the default context that was set, use # semanage fcontext -d -t public_content_t '/www(/.*)?'
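The steps above show the relationship between a chcon relabel, the fcontext rules listed by semanage, and restorecon. The following is an added example, not code from the original post: it parses constructed ls -Z style lines and constructed fcontext rules (both labelled as samples, not the page's host output) and reports files whose on-disk type differs from what the rules say. It also shows why, before the rule in step 2.13 exists, restorecon reverts /www to default_t. The "most specific regex wins" rule is an assumption that simplifies libselinux's matching order.

```python
import re

# Constructed fcontext rules in the shape of `semanage fcontext -l` output
# (regex, file type, context); not copied from the page's host.
FCONTEXT_RULES = [
    (r"/.*", "all files", "system_u:object_r:default_t:s0"),
    (r"/var/www(/.*)?", "all files", "system_u:object_r:httpd_sys_content_t:s0"),
    (r"/www(/.*)?", "all files", "system_u:object_r:httpd_sys_content_t:s0"),
]

# Constructed `ls -Z`-style listing: "<context> <path>" per line.
LS_Z_SAMPLE = """\
unconfined_u:object_r:default_t:s0 /www
unconfined_u:object_r:default_t:s0 /www/index.html
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:httpd_sys_content_t:s0 /www/images/logo.png
"""


def type_of(context):
    """The type field is the third colon-separated component of a context."""
    return context.split(":")[2]


def expected_type(path, rules=FCONTEXT_RULES):
    """Type a path should carry according to the fcontext rules, or None if no
    rule matches. Among matching rules the most specific one (longest regex)
    wins; this is an assumed simplification of libselinux's ordering."""
    matches = [(regex, ctx) for regex, _ftype, ctx in rules if re.fullmatch(regex, path)]
    if not matches:
        return None
    _regex, ctx = max(matches, key=lambda m: len(m[0]))
    return type_of(ctx)


def find_mislabeled(ls_z_output, rules=FCONTEXT_RULES):
    """Parse `ls -Z`-style lines and report paths whose on-disk type differs
    from what the rules say. Returns a list of (path, current, expected)."""
    findings = []
    for line in ls_z_output.splitlines():
        line = line.strip()
        if not line:
            continue
        context, path = line.split(None, 1)
        current = type_of(context)
        wanted = expected_type(path, rules)
        if wanted is not None and wanted != current:
            findings.append((path, current, wanted))
    return findings


def restore_commands(findings):
    """restorecon relabels each path from the rules; this is the persistent fix
    once a semanage fcontext rule exists (a bare chcon is undone by restorecon)."""
    return ["restorecon -v " + path for path, _current, _wanted in findings]


if __name__ == "__main__":
    for path, current, wanted in find_mislabeled(LS_Z_SAMPLE):
        print(f"{path}: {current} -> should be {wanted}")
    # Without the /www rule (the state before step 2.13) restorecon would
    # send /www back to default_t, exactly what step 2.6 observed.
    print(expected_type("/www", FCONTEXT_RULES[:2]))
```

Run against the constructed listing it flags /www and /www/index.html as default_t where the rule says httpd_sys_content_t; dropping the /www rule shows the default_t answer restorecon would give after only a chcon.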


(C) Understand the SELinux modes
(3.1) The command to view the SELinux mode is getenforce.
(3.2) enforcing -----> enforcing mode: the SELinux conditions must be satisfied; if they are not, access is blocked and an alert is logged.
permissive -----> permissive mode: the SELinux conditions need not be satisfied; access is allowed even when they are not, but an alert is logged. So when we sometimes cannot access a server, consider whether SELinux is the cause; we can temporarily turn SELinux off, which means switching to permissive mode.
(3.3) Since the setenforce command only switches the mode temporarily and the change no longer applies after the machine reboots, if we want the setting to survive a server reboot we can set it in the /etc/selinux/config configuration file. Remember: if it is set to disabled, the machine must be rebooted after the change for it to take effect.
(3.4) Since the /etc/sysconfig/selinux configuration file is a symbolic link pointing to the /etc/selinux/config configuration file, that file can also be modified.
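Steps 3.1 to 3.4 contrast the temporary setenforce switch with the persistent SELINUX= line in /etc/selinux/config. The following is an added example, not part of the original post: it parses a constructed copy of that file (sample content, not the page's host), compares the boot-time setting with the live mode (the getenforce output is passed in as a string so the code runs offline), and rewrites only the SELINUX= line. The finding codes are this example's own naming.

```python
import re

# Constructed /etc/selinux/config in the file's usual layout (not the page's host).
CONFIG_SAMPLE = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three values:
SELINUXTYPE=targeted
"""

VALID_MODES = ("enforcing", "permissive", "disabled")


def parse_selinux_config(text):
    """Return KEY -> value for the file, ignoring comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_mode(config_text, runtime_mode):
    """Compare the persistent SELINUX= setting with the live mode (the output
    of getenforce, passed in as text). Returns one finding code:
      'ok'                 enforcing now and after reboot
      'runtime-permissive' setenforce 0 was used; reverts to enforcing at reboot
      'boot-permissive'    after reboot denials are only logged, not blocked
      'boot-disabled'      no policy after reboot; re-enabling needs a reboot
      'runtime-disabled'   SELinux is off now; a config change needs a reboot
      'invalid'            SELINUX= is not one of the three valid values"""
    boot = parse_selinux_config(config_text).get("SELINUX", "").lower()
    live = runtime_mode.strip().lower()
    if boot not in VALID_MODES:
        return "invalid"
    if live == "disabled":
        return "runtime-disabled"
    if boot == "disabled":
        return "boot-disabled"
    if boot == "permissive":
        return "boot-permissive"
    if live == "permissive":
        return "runtime-permissive"
    return "ok"


def set_boot_mode(config_text, mode):
    """Return the file text with SELINUX= set to `mode`, appending the line if
    the file has none. Comments and SELINUXTYPE= are left untouched."""
    if mode not in VALID_MODES:
        raise ValueError(f"unknown mode {mode!r}")
    new_text, count = re.subn(r"^SELINUX=.*$", f"SELINUX={mode}",
                              config_text, flags=re.MULTILINE)
    if count == 0:
        new_text = config_text.rstrip("\n") + f"\nSELINUX={mode}\n"
    return new_text


if __name__ == "__main__":
    print(audit_mode(CONFIG_SAMPLE, "Enforcing"))
    fixed = set_boot_mode(CONFIG_SAMPLE, "enforcing")
    print(audit_mode(fixed, "Enforcing"))
```

With the sample file the audit reports boot-permissive even though getenforce says Enforcing, which is the case the text warns about: the live mode looks right but the next reboot silently relaxes it.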
[My Linux, I call the shots!  When an enterprise-wide security policy --SELinux military combat


(D) Understand SELinux booleans
A service has many functions, for example whether writing is allowed, whether anonymous writing is allowed, and so on. Whether a function is enabled is decided entirely by the configuration file, but once SELinux is enabled, one further condition for the service to start is that SELinux must also allow it to start.
(4.1) We first install the vsftpd service on host vms002.
(4.2) Next we install the lftp and ftp client software on host vms001.
(4.3) First, on host vms001 we log in to the ftp server on host vms002 through the client software and prepare to upload the local books.txt file to the ftp server. But the system reports the error "put: Access failed: 550 Permission denied. (books.txt)".
(4.4) First check whether the anonymous user permissions are all enabled in the configuration file /etc/vsftpd/vsftpd.conf.
(4.5) After enabling the anonymous user permissions, we find that we still do not have permission to upload files; the system reports "put: Access failed: 553 Could not create file. (books.txt)".
(4.6) Create a /var/ftp/xx directory and set its owner and group to the ftp user. Now, after entering the xx directory from the client on host vms001 and trying to upload a file, we still get the error "put: Access failed: 553 Could not create file. (books.txt)".
(4.7) On host vms002 we find that the ftp-related boolean parameters ftpd_anon_write and ftpd_full_access are both off; the vsftpd.conf configuration file in the /etc/vsftpd/ directory already has a comment pointing out this boolean setting.
(4.8) Then we set the ftpd_anon_write and ftpd_full_access parameters to on.
(4.9) If we want a boolean value to remain effective after the system reboots, we can add the -P parameter.
(4.10) Summary: if we build a service and begin transferring files between the server and the client but cannot upload, we should check the following three things: 1. check whether the configuration file allows writing; 2. check the file system permissions; 3. check the SELinux permission settings, that is, the context and the SELinux booleans involved.
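The three-layer checklist in the summary can be turned into a small triage routine. The following is an added example, not code from the original post: it applies the three checks (vsftpd.conf, filesystem ownership and mode, SELinux booleans plus the directory's type) to constructed inputs, namely a sample vsftpd.conf fragment, sample getsebool output and stand-in stat/ls -Z values, none of which come from the page's hosts. The requirement that ftpd_anon_write pairs with the public_content_rw_t type, while ftpd_full_access lifts that restriction, is standard targeted-policy behaviour and goes slightly beyond what the page states.

```python
import stat

# Constructed vsftpd.conf fragment (not the page's file): anonymous upload still commented out.
VSFTPD_CONF_SAMPLE = """\
anonymous_enable=YES
local_enable=YES
write_enable=YES
#anon_upload_enable=YES
anon_mkdir_write_enable=YES
"""

# Constructed `getsebool -a | grep ftpd` output with the two booleans from step 4.7 off.
GETSEBOOL_SAMPLE = """\
ftpd_anon_write --> off
ftpd_full_access --> off
ftpd_use_passive_mode --> on
"""


def parse_vsftpd_conf(text):
    """KEY -> VALUE (upper-cased) from vsftpd.conf; comments and blanks skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip().upper()
    return opts


def parse_getsebool(text):
    """name -> bool from `getsebool` lines of the form 'name --> on|off'."""
    bools = {}
    for line in text.splitlines():
        if "-->" in line:
            name, _, state = line.partition("-->")
            bools[name.strip()] = state.strip() == "on"
    return bools


def diagnose_anon_upload(conf_text, dir_mode, dir_owner, getsebool_text,
                         dir_type="public_content_t"):
    """Run the three checks from the page's summary for an anonymous upload
    directory and return (layer, fix) findings; an empty list means every
    layer allows the upload. dir_mode, dir_owner and dir_type stand in for
    the results of stat() and ls -Z on the directory."""
    findings = []
    # 1. Application config: vsftpd itself must permit anonymous writes.
    conf = parse_vsftpd_conf(conf_text)
    if conf.get("write_enable") != "YES":
        findings.append(("config", "set write_enable=YES in vsftpd.conf"))
    if conf.get("anon_upload_enable") != "YES":
        findings.append(("config", "set anon_upload_enable=YES in vsftpd.conf"))
    # 2. Filesystem DAC: anonymous sessions run as the ftp user, which needs write on the dir.
    if dir_owner != "ftp" or not dir_mode & stat.S_IWUSR:
        findings.append(("filesystem", "chown ftp <dir>; chmod u+w <dir>"))
    # 3. SELinux MAC: a boolean must allow ftpd to write, and the directory must
    #    carry a writable type unless ftpd_full_access lifts that restriction.
    bools = parse_getsebool(getsebool_text)
    full_access = bools.get("ftpd_full_access", False)
    if not (bools.get("ftpd_anon_write", False) or full_access):
        findings.append(("selinux", "setsebool -P ftpd_anon_write on"))
    if not full_access and dir_type != "public_content_rw_t":
        findings.append(("selinux",
                         "semanage fcontext -a -t public_content_rw_t '<dir>(/.*)?' && restorecon -R <dir>"))
    return findings


if __name__ == "__main__":
    for layer, fix in diagnose_anon_upload(VSFTPD_CONF_SAMPLE, 0o755, "root", GETSEBOOL_SAMPLE):
        print(f"[{layer}] {fix}")
```

On the constructed inputs all three layers fail, mirroring the 550 and 553 errors in steps 4.3 to 4.6; once the config line is uncommented, the directory belongs to ftp, and either ftpd_anon_write with a public_content_rw_t directory or ftpd_full_access is on, the routine returns no findings.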
(4.11) Besides setting SELinux from the command line, we can also set SELinux through the graphical interface.
(4.12) SELinux also provides contexts for ports.
(4.13) We add a listening port 808 in the httpd.conf configuration file; after restarting the httpd service, we find that the service cannot start normally.
(4.14) At this point we can look at the template in the /etc/ssh/sshd_config file for reference.
(4.15) After setting the httpd service context on port 808, the httpd service can restart normally.
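Steps 4.12 to 4.15 show a confined service failing to start because its new listening port carries no matching port type. The following is an added example, not code from the original post: it parses a constructed excerpt of semanage port -l output and a constructed httpd.conf fragment (neither is from the page's host) and, for every Listen port, reports whether the port already belongs to http_port_t, is unlabelled (semanage port -a), or is labelled for another service (semanage port -m). The status names are this example's own.

```python
# Constructed `semanage port -l` excerpt (not the page's host).
SEMANAGE_PORT_SAMPLE = """\
SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
ssh_port_t                     tcp      22
"""

# Constructed httpd.conf fragment with the extra listener from step 4.13.
HTTPD_CONF_SAMPLE = """\
Listen 80
# Listen 12.34.56.78:80
Listen 808
"""


def parse_semanage_ports(text):
    """{(proto, port): type} from `semanage port -l` lines; ranges such as
    10001-10010 are expanded. The header line has no tcp/udp field and is skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[1] not in ("tcp", "udp"):
            continue
        ptype, proto, ports = parts
        for item in ports.split(","):
            item = item.strip()
            if "-" in item:
                lo, hi = (int(x) for x in item.split("-"))
                for port in range(lo, hi + 1):
                    table[(proto, port)] = ptype
            elif item:
                table[(proto, int(item))] = ptype
    return table


def listen_ports(httpd_conf_text):
    """Ports from active `Listen` directives; accepts `Listen 80`,
    `Listen 1.2.3.4:80` and `Listen [::]:80`, ignoring commented lines."""
    ports = []
    for line in httpd_conf_text.splitlines():
        line = line.strip()
        if not line.lower().startswith("listen "):
            continue
        target = line.split()[1]
        ports.append(int(target.rsplit(":", 1)[-1]))
    return ports


def check_port(table, proto, port, wanted="http_port_t"):
    """(status, fix) for one port: 'ok' if it already carries the wanted type,
    'unlabeled' with a semanage port -a command if no type claims it, or
    'conflict' with a semanage port -m command if another service's type does."""
    current = table.get((proto, port))
    if current == wanted:
        return "ok", None
    if current is None:
        return "unlabeled", f"semanage port -a -t {wanted} -p {proto} {port}"
    return "conflict", f"semanage port -m -t {wanted} -p {proto} {port}"


def audit_httpd_listeners(httpd_conf_text, semanage_text):
    """{port: (status, fix)} for every Listen port; any non-'ok' entry is the
    reason httpd refuses to start under SELinux after the config change."""
    table = parse_semanage_ports(semanage_text)
    return {p: check_port(table, "tcp", p) for p in listen_ports(httpd_conf_text)}


if __name__ == "__main__":
    for port, (status, fix) in audit_httpd_listeners(HTTPD_CONF_SAMPLE, SEMANAGE_PORT_SAMPLE).items():
        print(port, status, fix or "")
```

On the sample data port 80 is fine and port 808 is unlabelled, so the suggested fix is the same kind of semanage port -a command that step 4.15 applies; a port already owned by another type (22, ssh_port_t) is reported as a conflict instead, since -a would fail and -m is the right verb there.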

Origin blog.51cto.com/13613726/2437794