
sys.19.1 SELinux

 

SELinux:Security-Enhanced Linux,工作于Linux内核中;

1、SELinux的2种工作级别:
strict:每个进程都受到SELinux的控制;
targeted:仅有限个进程受到SELinux的控制;只监控容易被入侵的进程;

2、SELinux为每个文件提供安全标签,也为进程提供安全标签;

SELinux的安全标签格式由5段组成,常见写法为:
user:role:type:level

user:指的是SELinux的用户;
role:角色;
type:类型;
level:MLS/MCS敏感级别,例如下面 ls -Z 输出中的 s0;

查看当前目录下所有文件或目录的SELinux标签;
~]# ls  -Z

[root@KOU ~]# 
[root@KOU ~]# getenforce 
Enforcing
[root@KOU ~]# 
[root@KOU ~]# ls -Z
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 Desktop
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 Documents
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 Downloads
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 initial-setup-ks.cfg
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 Music
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 Pictures
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 Public
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 Templates
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 Videos
[root@KOU ~]#
============================================================================================================================
[root@KOU ~]# 
[root@KOU ~]# ps -auxZ
LABEL                           USER        PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
system_u:system_r:init_t:s0     root          1  0.0  0.5 193724  5136 ?        Ss   May22   0:33 /usr/lib/systemd/systemd --switched-root --system --deserialize 22
system_u:system_r:kernel_t:s0   root          2  0.0  0.0      0     0 ?        S    May22   0:00 [kthreadd]
system_u:system_r:kernel_t:s0   root          3  0.0  0.0      0     0 ?        S    May22   0:13 [ksoftirqd/0]
system_u:system_r:kernel_t:s0   root          5  0.0  0.0      0     0 ?        S<   May22   0:00 [kworker/0:0H]
system_u:system_r:kernel_t:s0   root          7  0.0  0.0      0     0 ?        S    May22   0:15 [migration/0]
system_u:system_r:kernel_t:s0   root          8  0.0  0.0      0     0 ?        S    May22   0:00 [rcu_bh]
system_u:system_r:kernel_t:s0   root          9  0.0  0.0      0     0 ?        S    May22   0:40 [rcu_sched]
system_u:system_r:kernel_t:s0   root         10  0.0  0.0      0     0 ?        S<   May22   0:00 [lru-add-drain]
system_u:system_r:kernel_t:s0   root         11  0.0  0.0      0     0 ?        S    May22   0:05 [watchdog/0]
system_u:system_r:kernel_t:s0   root         12  0.0  0.0      0     0 ?        S    May22   0:06 [watchdog/1]
system_u:system_r:kernel_t:s0   root         13  0.0  0.0      0     0 ?        S    May22   0:07 [migration/1]
system_u:system_r:kernel_t:s0   root         14  0.0  0.0      0     0 ?        S    May22   0:10 [ksoftirqd/1]
system_u:system_r:kernel_t:s0   root         16  0.0  0.0      0     0 ?        S<   May22   0:00 [kworker/1:0H]

'unconfined_u:object_r:admin_home_t:s0' : 类似这种信息,表示SELinux为指定文件标记的安全标签(进程的标签可用 ps -Z 查看,如上面的 ps -auxZ 输出);

 

3、SELinux配置文件

/etc/selinux/config

[root@KOU ~]# 
[root@KOU ~]# ll /etc/sysconfig/selinux 
lrwxrwxrwx. 1 root root 17 May 21 20:19 /etc/sysconfig/selinux -> ../selinux/config
[root@KOU ~]# 
[root@KOU ~]# cat /etc/sysconfig/selinux 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 


[root@KOU ~]#

SELinux的3种状态:

enforcing:强制,每个受限的进程的违规操作都会被禁止并记录;
permissive:宽容,策略已加载,受限进程的违规操作不会被禁止,但会被记录于审计日志;
disabled:关闭,不加载SELinux策略;

配置SELinux:
1> SELinux是否启用;
2> 给文件重新打标签;
3> 设定某些布尔型特性;

4、SELinux的相关命令

getenforce:               获取SELinux的当前状态(enforcing / permissive / disabled);
setenforce  {0|1}  :  '0'表示设置SELinux为"permissive",'1'表示设置SELinux为"enforcing";此设定只对当前运行有效,系统重启后会失效,永久修改需编辑 /etc/selinux/config;

5、给文件标识或重新标识SELinux的标签

chcon命令:change  file  SELinux  security  context;

命令使用格式:

chcon  [OPTION] ...  CONTEXT  FILE...
chcon  [OPTION] ...  [-u USER]  [-r ROLE]  [-l RANGE]  [-t TYPE]  FILE...
chcon  [OPTION] ...  --reference=RFILE  FILE...

一般只修改 '[-t TYPE]' 类型这一段;

[root@KOU ~]# ll -Z /var/www
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
[root@KOU ~]# 

#############

httpd_sys_content_t  : 表示"html"这个目录的SELinux标签中的类型(type)字段;

还原文件的默认标签(按策略中定义的默认上下文重新打标签,适合在 chcon 误操作后恢复):
restorecon  /PATH/TO/FILENAME
restorecon  -R  /PATH/TO/DIRECTORY_NAME

6、布尔型规则的设置

getsebool命令:get  SELinux  boolean  value(s)

getsebool  [-a]  [boolean]

setsebool命令: set  SELinux  boolean  value

setsebool  [ -PNV ]  boolean  value  |  bool1=val1  bool2=val2  …

-P : 大写字母'P',表示把设置持久化保存,系统重启后配置依然生效;不加 -P 时设置只对当前运行有效;
