Getting Started with SELinux

1. Introduction
 
Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) security mechanism implemented in the kernel. SELinux was first introduced in CentOS 4.

 

2. Enable & Disable SELinux (SELinux Modes)
 
Enforcing: The default mode. SELinux is enabled and enforces the security policy on the system, denying access and logging the denied actions.
Permissive: SELinux is enabled but does not enforce the security policy; it only warns and logs the actions it would have denied. Permissive mode is useful for troubleshooting SELinux issues.
Disabled: SELinux is turned off.
 
2.1 Check Mode
[root@bhrjira1 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
[root@bhrjira1 ~]# getenforce
Permissive
 
2.2 Switch between Enforcing and Permissive
[root@bhrjira1 ~]# setenforce
usage:  setenforce [ Enforcing | Permissive | 1 | 0 ]
 
2.3 Enable SELinux
  • Run rpm -qa | grep selinux, rpm -q policycoreutils, and rpm -qa | grep setroubleshoot to confirm that the SELinux packages are installed.
  • Configure SELINUX=permissive in /etc/selinux/config.
  • Reboot.
  • Run grep "SELinux is preventing" /var/log/messages to confirm that SELinux did not deny any actions during the last boot. If SELinux denied nothing during the last boot, this command returns no output.
  • If there were no denial messages in /var/log/messages, configure SELINUX=enforcing in /etc/selinux/config.
  • Reboot, then confirm that getenforce outputs Enforcing.
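A small pre-flight helper for the procedure above (an added example, not code from the original post): it parses the two outputs the procedure tells you to inspect, sestatus and /var/log/messages, and says whether it is safe to switch the config to enforcing. The sample inputs are constructed for the demo.

```shell
#!/bin/sh
# Added example: pre-flight helper for the enable procedure (not from the
# original post). It parses the outputs the procedure tells you to inspect.

# Print the "Current mode" value from sestatus output read on stdin.
selinux_current_mode() {
  awk -F: '/^Current mode:/ { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2 }'
}

# Count "SELinux is preventing" lines (setroubleshoot denials) read on stdin.
# grep -c exits 1 when the count is 0; "|| true" keeps the function status 0.
count_denials() {
  grep -c 'SELinux is preventing' || true
}

# Print the mode the procedure says to move to next:
#   "enforcing"  when we are in permissive and the log shows no denials,
#   "permissive" otherwise (stay in permissive and investigate the denials).
# $1 = sestatus output, $2 = /var/log/messages content.
decide_next_mode() {
  mode=$(printf '%s\n' "$1" | selinux_current_mode)
  denials=$(printf '%s\n' "$2" | count_denials)
  if [ "$mode" = "permissive" ] && [ "$denials" -eq 0 ]; then
    echo enforcing
  else
    echo permissive
  fi
}

# Constructed sample inputs (sestatus output copied from the post above; the
# log lines are made up for the demo).
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted'

SAMPLE_MESSAGES_CLEAN='Aug  2 10:00:01 host kernel: imklog started.
Aug  2 10:00:02 host sshd[1234]: Server listening on 0.0.0.0 port 22.'

SAMPLE_MESSAGES_DENIED="$SAMPLE_MESSAGES_CLEAN
Aug  2 10:00:03 host setroubleshoot: SELinux is preventing /usr/sbin/httpd from name_connect access on the tcp_socket port 3306."

# Demo (live use on a host: decide_next_mode "$(sestatus)" "$(cat /var/log/messages)")
decide_next_mode "$SAMPLE_SESTATUS" "$SAMPLE_MESSAGES_CLEAN"    # prints: enforcing
decide_next_mode "$SAMPLE_SESTATUS" "$SAMPLE_MESSAGES_DENIED"   # prints: permissive
```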
2.4 Disable SELinux
To disable SELinux, configure SELINUX=disabled in /etc/selinux/config and reboot.
 

3. Booleans
[root@bhrjira1 ~]# getsebool -a
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
 
Set Boolean. 
[root@bhrjira1 ~]# getsebool xdm_sysadm_login
xdm_sysadm_login --> off
[root@bhrjira1 ~]# setsebool xdm_sysadm_login on
[root@bhrjira1 ~]# getsebool xdm_sysadm_login
xdm_sysadm_login --> on
[root@bhrjira1 ~]#
 
setsebool -P XXX on
The -P flag makes the change persistent across reboots.
 

4. SELinux Contexts - Labeling Files
 
List file contexts
~]$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
 
4.1 Temporary Changes: chcon
chcon -t type file-name
 
Use the restorecon -v file1 command to restore the default SELinux context of the file1 file.
 
4.2 Persistent Changes: semanage fcontext
 
The semanage fcontext command changes the SELinux context rules for files. When using the targeted policy, changes made with this command are added to the /etc/selinux/targeted/contexts/files/file_contexts file if they concern files that already exist in file_contexts, or are added to file_contexts.local for new files and directories, such as a newly created /web/ directory. The setfiles command, which is used when a file system is relabeled, and the restorecon command, which restores the default SELinux contexts, both read these files. This means that changes made by semanage fcontext are persistent, even if the file system is relabeled. SELinux policy controls whether users are able to modify the SELinux context of any given file.
 
 
# semanage fcontext -a -t samba_share_t /etc/file1
# restorecon -v /etc/file1
 
semanage only writes the rule to file_contexts; it does not touch the file itself. Run restorecon so that the rule is read and the new label is applied to the file.
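To show why the semanage rule only takes effect once restorecon runs, here is a simplified model of the file_contexts lookup (an added example, not code from the original post or from the SELinux tools): a constructed file_contexts snippet, a lookup in which the last matching rule wins (which is how a rule appended by semanage overrides a base rule), and a comparison against the label currently on the inode as shown by ls -Z.

```shell
#!/bin/sh
# Added example (not from the original post): simplified model of how
# restorecon picks a label from file_contexts.

# Constructed file_contexts snippet: base rules first, then the rule that
# "semanage fcontext -a -t samba_share_t /etc/file1" appends. Not a copy of
# the real /etc/selinux/targeted/contexts/files/file_contexts.
FILE_CONTEXTS='/.*                 system_u:object_r:default_t:s0
/etc(/.*)?          system_u:object_r:etc_t:s0
/var/www(/.*)?      system_u:object_r:httpd_sys_content_t:s0
/web(/.*)?          system_u:object_r:httpd_sys_content_t:s0
/etc/file1          system_u:object_r:samba_share_t:s0'

# Print the context the rules assign to path $1. Simplification of the real
# lookup: every rule whose regex matches the whole path is considered and the
# last match wins, which is how a later (local) rule overrides a base rule.
# $NF is used for the context so an optional file-type column (--, -d) is skipped.
expected_context() {
  printf '%s\n' "$FILE_CONTEXTS" | awk -v path="$1" '
    NF >= 2 && path ~ ("^" $1 "$") { ctx = $NF }
    END { print ctx }'
}

# Print "relabel" when the on-disk context $2 of path $1 (as shown by ls -Z)
# differs from what the rules say, else "ok". This is the difference that
# "restorecon -v" reports and fixes; semanage alone never changes the file.
check_label() {
  want=$(expected_context "$1")
  if [ "$want" = "$2" ]; then echo ok; else echo relabel; fi
}

# Demo: file_contexts already carries the samba rule, but the inode still has
# its old label until restorecon runs.
check_label /etc/file1 system_u:object_r:etc_t:s0           # prints: relabel
check_label /etc/file1 system_u:object_r:samba_share_t:s0   # prints: ok
expected_context /web/index.html   # prints: system_u:object_r:httpd_sys_content_t:s0
```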
 

5. SELinux Packages
 
Default Packages:
 
policycoreutils — provides utilities such as restorecon, secon, setfiles, semodule, load_policy, and setsebool for operating and managing SELinux.
selinux-policy — provides the SELinux Reference Policy.
selinux-policy-targeted — provides the SELinux targeted policy.
libselinux — provides an API for SELinux applications.
libselinux-utils — provides the avcstat, getenforce, getsebool, matchpathcon, selinuxconlist, selinuxdefcon, selinuxenabled, setenforce, and togglesebool tools.
libselinux-python — provides Python bindings for developing SELinux applications.
 
 
Optional Packages:
 
selinux-policy-mls — provides the MLS SELinux policy.
setroubleshoot-server — translates the denial messages produced when access is denied by SELinux into detailed descriptions that are viewed with sealert (which is provided by this package).
mcstrans — translates levels, such as s0-s0:c0.c1023, to an easier-to-read form, such as SystemLow-SystemHigh. This package is not installed by default.
policycoreutils-python — provides utilities such as semanage, audit2allow, audit2why, and chcat for operating and managing SELinux.
policycoreutils-gui — provides system-config-selinux, a graphical tool for managing SELinux.
 

6. Log files
 
auditd running: denial messages are written to /var/log/audit/audit.log.
auditd stopped, rsyslogd running: denial messages are written to /var/log/messages.
setroubleshootd, rsyslogd, and auditd all running: denial messages are written to /var/log/audit/audit.log, and easier-to-read denial messages are also sent to /var/log/messages.
 

7. Main Config File
 
The /etc/selinux/config file is the main SELinux configuration file. 
 

8. Allowing Access to a Port
 
# semanage port -a -t http_port_t -p tcp 81 
# semanage port -l

Reposted from: https://www.cnblogs.com/jiangyoucat/archive/2012/08/02/2619751.html
