SELinux security subsystem
SELinux (Security-Enhanced Linux) is a Mandatory Access Control (MAC) security subsystem developed by the US National Security Agency with the help of the open source Linux community. The purpose of using SELinux on a RHEL 7 system is to constrain every service process so that it can only obtain the resources it is supposed to have.
For example, you download a photo-editing program onto your computer; while you are admiring the beautiful photographs, it silently listens in the background for password information entered in the browser, which is obviously something it should not do. The SELinux security subsystem is designed to prevent such situations, and it can restrict illegal activities in several ways: by limiting what the service program may do (SELinux domain restrictions ensure that the service program cannot do anything outrageous) and by limiting access to file resources (SELinux security contexts ensure that files can only be accessed by the service program they belong to).
The SELinux service has three modes:
- enforcing: security policy is enforced and illegal service requests are intercepted.
- permissive: unauthorized access by services is not blocked; it is only logged as a warning.
- disabled: unauthorized behaviour is neither warned about nor intercepted.
Mine here is enforcing by default (you can check the service's main configuration file /etc/selinux/config).
# vi /etc/selinux/config
A change made in this file only takes effect after the system is rebooted.
The current operating mode of SELinux can be changed with the command setenforce [0|1] (0 disables enforcement, i.e. permissive mode; 1 enables it, i.e. enforcing mode). This modification expires when the system is rebooted.
You can view the running status of the SELinux service with the getenforce command.
# setenforce 0
# getenforce
Permissive
The function of the httpd service program is to let users access website content, so by default SELinux will certainly allow user requests to the site. However, we have changed the directory where the website data is saved to /home/wwwroot, and this creates a problem. The /home directory is used to store users' home directories and their general data; now the httpd service providing the site is going to fetch its data from an ordinary user's home directory, which clearly violates SELinux's regulatory principles.
Restore the SELinux service to enforcing mode, then compare the SELinux security context of the directory that originally held the site data with that of the directory that holds it now, to see whether the values differ:
# ls -Zd /var/www/html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/htm
# ls -Zd /home/safiri
drwx------. safiri safiri unconfined_u:object_r:user_home_dir_t:s0 /home/safiri
The fields of the security context are:
- user segment: system_u represents a system identity;
- role segment: object_r represents a file or directory object;
- type segment: httpd_sys_content_t represents website files served by the httpd service.
Given the current situation, we only need to use the semanage command to change the SELinux security context of the current site directory /home/wwwroot so that it matches the original website directory.
semanage command
The semanage command is used to manage SELinux policy, in the form "semanage [options] [file]". Common parameters and their functions: -l query (list), -a add, -m modify, -d delete.
Add a new SELinux security context to the new site data directory so that the directory and all the files in it can be accessed by the httpd service program:
Installing semanage
# yum provides semanage
(output omitted)
Filename    : /usr/sbin/semanage
After the above command succeeds, run:
# yum -y install policycoreutils-python.x86_64
seinfo / sesearch can be installed with:
# yum install setools-console.x86_64
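The relabelling step itself, as an added example that is not part of the original tutorial: it records a file-context rule for /home/wwwroot with semanage, applies it with restorecon, and checks the result. It assumes RHEL 7 with policycoreutils-python installed and root privileges; the function names are my own.

```shell
#!/bin/sh
# Added example: give /home/wwwroot the same type as /var/www/html so that
# httpd can read it while SELinux stays in enforcing mode.
set -eu

# Build the regex semanage fcontext expects: the directory itself plus
# everything beneath it, e.g. "/home/wwwroot(/.*)?".
fcontext_pattern() {
    printf '%s(/.*)?\n' "$1"
}

# Extract the type field (third colon-separated part) from a context string
# such as "system_u:object_r:httpd_sys_content_t:s0", as shown by `ls -Zd`.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Label a site directory and verify it. Returns non-zero if the directory
# still carries a different type afterwards.
relabel_site_dir() {
    dir=$1
    want=${2:-httpd_sys_content_t}
    pattern=$(fcontext_pattern "$dir")
    # Persist the rule in the local policy store; if a rule for this pattern
    # already exists, `-a` fails, so fall back to modifying it with `-m`.
    semanage fcontext -a -t "$want" "$pattern" 2>/dev/null \
        || semanage fcontext -m -t "$want" "$pattern"
    # The rule only describes the desired label; restorecon applies it to
    # the files that already exist on disk.
    restorecon -Rv "$dir"
    # Re-read the live label (stat -c %C prints the SELinux context).
    got=$(context_type "$(stat -c %C "$dir")")
    [ "$got" = "$want" ]
}

# Usage (root, SELinux-enabled host):
#   relabel_site_dir /home/wwwroot && echo "httpd may now serve /home/wwwroot"
```

Run `ls -Zd /home/wwwroot` afterwards; the type should now read httpd_sys_content_t like the original /var/www/html.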