How to view SELinux security contexts (in detail)

SELinux controls what processes may do, and whether a process can access a file depends on the security context of both. Every process and every file has its own security context: a label that SELinux attaches carrying the SELinux user, role, type, sensitivity and (optionally) category. While SELinux is running, this information is the basis on which access is allowed or denied.

First, let's see how to view the security context of files and directories. Run the following command:

[root@localhost ~]# ls -Z
# the -Z option shows the security context of files and directories
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log.syslog

As you can see, viewing a file's security context is simple: use "ls -Z". To view the security context of a directory itself, rather than of the entries inside it, add the "-d" option. For example:

[root@localhost ~]# ls -Zd /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

So how do we view the security context of a process? With the ps command:

[root@localhost ~]# service httpd start
# start the Apache service
[root@localhost ~]# ps auxZ | grep httpd
unconfined_u:system_r:httpd_t:s0 root 25620 0.0 0.5 11188 3304 Ss ? 03:44 0:02 /usr/sbin/httpd
... output omitted ...

In other words, a process can access a file only when the security context of the process and that of the file are allowed to interact by the policy. In the output above, the first column of each line is the security context.

A security context looks complicated. It is separated by ":" into what look like four fields; in fact there are five, but the last one (category) is optional and usually absent, so it is not shown. For example:

system_u:object_r:httpd_sys_content_t:s0[:category]    # user:role:type:sensitivity[:category]

Each of the five fields is described below.

1) identity field (user)

This field identifies which SELinux identity the process or file belongs to; it is the counterpart of the owning user in ordinary Linux permissions. The field plays no special part in everyday use; knowing what it means is enough. Three common identities are:

  1. root: the security context belongs to the SELinux user root.
  2. system_u: the identity of system processes and files; the suffix "_u" stands for user.
  3. user_u: the identity associated with ordinary user accounts; the suffix "_u" again stands for user.

The user field only records which identity owns the data or process: system data generally carries system_u, and ordinary users' data and processes carry user_u. (The httpd process in the ps output above shows unconfined_u because it was started from an unconfined root shell; started at boot, it would show system_u.)

How many user identities can SELinux recognize? We can query the policy with the seinfo command (from the setools-console package on RHEL/CentOS). SELinux-related commands generally start with "se", which makes them easier to remember.

The format of the seinfo command is:

[root@localhost ~]# seinfo [options]
Options:
  -u: list all SELinux users (identities)
  -r: list all SELinux roles
  -t: list all SELinux types
  -b: list all booleans (the on/off switches for specific rules in the policy)
  -x: show more detailed (expanded) information

seinfo can do much more, but here we only want to list the SELinux users, so it is enough to run:

[root@localhost ~]# seinfo -u
Users: 9
sysadm_u
system_u
xguest_u
root
guest_u
staff_u
user_u
unconfined_u
git_shell_u

So SELinux recognizes nine user identities on this system. In practice this field seldom needs attention; knowing what it is suffices.

2) Role (role)

This field indicates whether the labelled entity is a process or a file/directory. It does not need to be modified in everyday use; understanding it is enough.

There are two common roles:

  • object_r: the data is a file or directory; the suffix "_r" stands for role.
  • system_r: the data is a process, here a system process; the suffix "_r" stands for role. (Processes of interactive users can carry other roles, such as unconfined_r.)

How many roles does SELinux define in all? seinfo can tell us:

[root@localhost ~]# seinfo -r
Roles: 12
guest_r
staff_r
user_r
git_shell_r
logadm_r
object_r
sysadm_r
system_r
webadm_r
xguest_r
nx_server_r
unconfined_r

3) Type (type)

The type field is the most important part of the security context. Whether a process can access a file is decided mainly by whether the type in the process's context and the type in the file's context are allowed to interact by the policy rules; if they match, access is granted.

Note that in the security context of a file or directory this field is called the type, while in the security context of a process it is called the domain. That is, for a subject the field is called the domain and for an object it is called the type, and a policy rule must connect the domain to the type (the process's type and the file's type have to match) for the access to succeed.

How many types does SELinux define? Query with seinfo again:

[root@localhost ~]# seinfo -t | more
Types: 3488
# 3488 types in total
bluetooth_conf_t
cmirrord_exec_t
foghorn_exec_t
jacorb_port_t
sosreport_t
etc_runtime_t
... output omitted ...

We know what the type does, but how do we tell whether a process's domain matches a file's type? That requires looking up the specific policy rules (the sesearch command from the same setools package does this), which is described later.

However, we know that the Apache process can access the web page files under /var/www/html/ (the default document root when Apache is installed from the RPM package), so the domain of the Apache process and the type of /var/www/html/ should match. Let's check:

[root@localhost ~]# ps auxZ | grep httpd
unconfined_u:system_r:httpd_t:s0 root 25620 0.0 0.5 11188 3304 Ss ? 03:44 0:02 /usr/sbin/httpd
# the domain of the Apache process is httpd_t
[root@localhost ~]# ls -dZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
# the type of the /var/www/html/ directory is httpd_sys_content_t

The domain of the Apache process is httpd_t and the type of the /var/www/html/ directory is httpd_sys_content_t. The policy rules allow the subject's type to access the object's type, so the Apache process can access /var/www/html/.

The SELinux problem we run into most often is exactly this: the domain of a process and the type of a file do not match, so we must learn how to modify the type field.
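As an added example (not code from the original article), here is a small POSIX shell audit that reads "ls -Z" output and reports every entry whose type is not the one the httpd_t domain is allowed to read. It finds the context column by its shape rather than by position, because the column layout of "ls -Z" differs between coreutils versions (RHEL 6 prints mode, owner, group, context and name, as above; newer versions print only context and name). The function names and the EXPECTED_TYPE variable are my own, the sample lines are constructed, and the typical mismatch they model is a page copied in from a home directory that kept its old type; restorecon and chcon are only mentioned in the printed hint, not run.

```shell
#!/bin/sh
# Added example: audit `ls -Z` output for files whose SELinux type is not
# the one the httpd_t domain expects (httpd_sys_content_t by default).
# Not from the original article; the sample data below is constructed.

EXPECTED_TYPE=${EXPECTED_TYPE:-httpd_sys_content_t}

# Print the security-context column of one `ls -Z` line. The column's
# position varies between coreutils versions, so match its shape
# (user:role_r:type_t:sN...) instead of assuming a field number.
ls_z_context() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+_r:[^:]+_t:s[0-9]+/) { print $i; exit }
    }'
}

# The type is the third colon-separated field of a context.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Read `ls -Z` lines (not `ls -lZ`: the name must directly follow the
# context) on stdin and print "name<TAB>type" for each entry whose type
# differs from $1. Exit status 0 when everything matches, 1 otherwise.
find_mismatched() {
    want=$1
    rc=0
    while IFS= read -r line; do
        ctx=$(ls_z_context "$line")
        [ -n "$ctx" ] || continue            # skip headers and blank lines
        name="${line#*"$ctx" }"              # everything after the context
        type=$(ctx_type "$ctx")
        if [ "$type" != "$want" ]; then
            printf '%s\t%s\n' "$name" "$type"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample in the RHEL 6 `ls -Z` layout; the second and third
# files were copied in from home directories and kept their old types.
SAMPLE='-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 copied from root.html
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 notes.html'

# On a real host replace the printf with:
#   ls -Z /var/www/html | find_mismatched "$EXPECTED_TYPE"
if printf '%s\n' "$SAMPLE" | find_mismatched "$EXPECTED_TYPE"; then
    echo "all entries carry type $EXPECTED_TYPE"
else
    echo "entries above would be denied to httpd_t; relabel them (restorecon -v <file>, or chcon -t $EXPECTED_TYPE <file>)"
fi
```

The name is recovered by stripping everything up to and including the context field, so file names containing spaces survive; anchoring on the context's shape also means the same function works on both the old five-column and the new two-column "ls -Z" output.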

4) Sensitivity

Sensitivities are named s0, s1, s2 and so on; the number is the sensitivity level, and a larger number means a higher sensitivity. In the default targeted policy everything is labelled s0, so this field rarely matters; only the MLS policy uses the other levels. When a process or user may operate across several levels, the field is written as a range low-high, for example s0-s0:c0.c1023, and the level part of the context then contains a ":" of its own.

5) Category

The category field is optional, which is why the ls and ps output above showed no category. It can be seen with seinfo, for example (only the system_u entry is shown here):

[root@localhost ~]# seinfo -u -x
# list all user fields with details
   system_u
# the user name
      default level: s0
# default sensitivity
      range: s0 - s0:c0.c1023
# the sensitivities and categories this user may use; c0.c1023 means categories c0 through c1023
      roles:
# the roles this user may hold
         object_r
         system_r
         unconfined_r
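As an added example (not code from the original article), the following POSIX shell functions split a security context into the five fields described in the field overview above and in the sensitivity and category sections. The one subtlety they handle is that the level (sensitivity plus optional categories) may be written as a range, like the "s0 - s0:c0.c1023" range seinfo printed above: a context such as unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 contains five colons, so the level must be taken as everything after the third colon rather than as "the fourth field". The function names are my own and the sample contexts at the bottom are constructed.

```shell
#!/bin/sh
# Added example: split an SELinux security context into its fields.
# Layout: user:role:type:level, where level = sensitivity[:categories]
# and either part may be a range (s0-s0:c0.c1023). Because the level can
# itself contain ':', everything after the third ':' belongs to it.
# Not from the original article; sample contexts below are constructed.

ctx_user()  { printf '%s\n' "$1" | cut -d: -f1; }
ctx_role()  { printf '%s\n' "$1" | cut -d: -f2; }
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3; }
# Level: fields 4 to the end, so a range keeps its categories.
ctx_level() { printf '%s\n' "$1" | cut -d: -f4-; }
# Sensitivity: the level up to its first ':' (may be a range like s0-s15).
ctx_sens()  { ctx_level "$1" | cut -d: -f1; }
# Categories: the rest of the level; -s makes cut print nothing when the
# level has no ':' at all, i.e. when the optional category is absent.
ctx_cats()  { ctx_level "$1" | cut -s -d: -f2-; }

# Subject or object? object_r marks files and directories; any other
# role belongs to a process, whose type is then called its domain.
ctx_kind() {
    case $(ctx_role "$1") in
        object_r) echo object ;;
        *)        echo subject ;;
    esac
}

# Sanity-check the naming conventions: roles end in _r, types in _t,
# and the sensitivity is sN or a range sN-sM. Returns 0 when the string
# looks like a well-formed context, 1 otherwise.
ctx_valid() {
    case $1 in
        *:*:*:*) ;;          # needs at least user:role:type:level
        *) return 1 ;;
    esac
    case $(ctx_role "$1") in *_r) ;; *) return 1 ;; esac
    case $(ctx_type "$1") in *_t) ;; *) return 1 ;; esac
    ctx_sens "$1" | grep -Eq '^s[0-9]+(-s[0-9]+)?$'
}

# One-line breakdown of a context; fails on malformed input.
ctx_describe() {
    ctx_valid "$1" || { echo "not a security context: $1" >&2; return 1; }
    printf '%s user=%s role=%s type=%s sensitivity=%s categories=%s\n' \
        "$(ctx_kind "$1")" "$(ctx_user "$1")" "$(ctx_role "$1")" \
        "$(ctx_type "$1")" "$(ctx_sens "$1")" "$(ctx_cats "$1")"
}

# Constructed samples: a file, a daemon, an unconfined shell with an MCS
# range, a file with a single category, and a malformed label.
for c in system_u:object_r:httpd_sys_content_t:s0 \
         unconfined_u:system_r:httpd_t:s0 \
         unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 \
         system_u:object_r:admin_home_t:s0:c5 \
         root:object_r:admin_home_t; do
    ctx_describe "$c" || :
done
```

Feed the functions the first column of "ps -eZ" or the context column of "ls -Z" and they return the same field names the article uses; the validity check is deliberately loose (it only checks the suffixes and the sN shape), because the authoritative list of users, roles and types is whatever seinfo reports for the loaded policy.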

Source: blog.csdn.net/jiujiudsj/article/details/104195516