1. What is SELinux (Security-Enhanced Linux)?
2. What is an SELinux policy?
3. Checking the SELinux installation
4. SELinux default settings - /etc/sysconfig/selinux
5. SELinux service settings - setenforce
6. SELinux service settings - chcon
7. SELinux service settings - setsebool
8. How to replace your policy
9. SELinux log
10. audit2allow
11. avc: denied
12. References or URLs

SELinux is a security-hardened version of Linux (including code) that the US National Security Agency (NSA) released to the open source community. Structurally, it implements Mandatory Access Control (MAC) in the Linux kernel using the Linux Security Modules (LSM) framework. It has been applied by default since Fedora Core 3, and most modern Linux distributions now support it.

To help in understanding SELinux, here is a brief word on DAC and MAC. Standard Linux security follows the Discretionary Access Control (DAC) model. In the DAC model, decisions about files and resources are based only on the user identity (user id) and the ownership of the objects. Each user, and each program run by that user, has complete discretion over the objects assigned to them. Under these circumstances, a malicious ordinary or root user, or flawed software running through them (for example, setuid and setgid programs), can do anything it wants with the objects it has been given, and there is no way to stop this or to enforce a security policy across the whole system.

Under SELinux's MAC, on the other hand, granular permissions can be given for all subjects (users, programs, and processes) and objects (files and devices). An application can safely be granted only the permissions it needs, with the unnecessary parts excluded. In other words, a program can be granted exactly the permissions required for it to work properly.

An SELinux policy is a package that describes the access permissions for the entire system, that is, for every subject (users, programs, and processes) and every object they act on (files and devices). In Fedora, two policy packages are available: strict and targeted. Fedora Core applied the strict policy, which caused many problems for a wide range of users (using SELinux demanded a high level of expertise from regular users), so current RHEL4 installs the more relaxed targeted policy package by default. The targeted policy is applied only to the parts where problems most often arise; everything else operates in the same way as under standard Linux security. Currently, the targeted policy manages the dhcpd, httpd (apache.te), named, nscd, ntpd, portmap, snmpd, squid, and syslogd daemons. The policy files for these daemons can be found in /etc/selinux/targeted/src/policy/domains/program.

One way to confirm that SELinux is in use is to look at the security context. The new -Z option shows the context of files, users, and processes.

    ls -lZ /etc/selinux
    -rw-r--r--  root root system_u:object_r:selinux_config_t config
    drwxr-xr-x  root root system_u:object_r:selinux_config_t targeted

The -Z option displays the security context; in this result it shows the user "system_u", the role "object_r", and the type "selinux_config_t". SELinux policy allows or denies access by comparing these contexts, so if the context can be displayed, SELinux is in use. The security context of each process and user can be checked in the same way, as shown below.

    root@example # ps axZ | grep squid
    user_u:system_r:squid_t  3912 ?  Ss  0:00 squid -D
    user_u:system_r:squid_t  3915 ?  S   9:10 (squid) -D
    user_u:system_r:squid_t  3916 ?  Ss  0:01 (unlinkd)
    root@example # id
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t

If you are using Red Hat's SELinux packages, the sestatus -v command shows the current state of SELinux, as below.

    [root@ns selinux]# sestatus -v
    SELinux status:           enabled
    SELinuxfs mount:          /selinux
    Current mode:             enforcing
    Mode from config file:    enforcing
    Policy version:           18
    Policy from config file:  targeted

    Policy booleans:
    allow_ypbind            active
    dhcpd_disable_trans     inactive
    httpd_disable_trans     active
    httpd_enable_cgi        active
    httpd_enable_homedirs   active
    httpd_ssi_exec          active
    httpd_tty_comm          inactive
    httpd_unified           active
    mysqld_disable_trans    inactive
    named_disable_trans     active
    named_write_master_zonesactive
    nscd_disable_trans      active
    ntpd_disable_trans      inactive
    portmap_disable_trans   inactive
    postgresql_disable_transinactive
    snmpd_disable_trans     inactive
    squid_disable_trans     inactive
    syslogd_disable_trans   inactive
    winbind_disable_trans   inactive
    ypbind_disable_trans    inactive

    Process contexts:
    Current context:        root:system_r:unconfined_t
    Init context:           user_u:system_r:unconfined_t
    /sbin/mingetty          user_u:system_r:unconfined_t
    /usr/sbin/sshd          user_u:system_r:unconfined_t

    File contexts:
    Controlling term:       root:object_r:devpts_t
    /etc/passwd             root:object_r:etc_t
    /etc/shadow             system_u:object_r:shadow_t
    /bin/bash               system_u:object_r:shell_exec_t
    /bin/login              system_u:object_r:bin_t
    /bin/sh                 system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
    /sbin/agetty            system_u:object_r:sbin_t
    /sbin/init              system_u:object_r:init_exec_t
    /sbin/mingetty          system_u:object_r:sbin_t
    /usr/sbin/sshd          system_u:object_r:sbin_t
    /lib/libc.so.6          system_u:object_r:lib_t -> system_u:object_r:shlib_t
    /lib/ld-linux.so.2      system_u:object_r:lib_t -> system_u:object_r:ld_so_t
    [root@ns selinux]#

How SELinux is configured differs for each distribution. On the Red Hat and Fedora distributions I tested, the SELinux mode is set in the file /etc/sysconfig/selinux.

Contents of the /etc/sysconfig/selinux file:

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #       enforcing - SELinux security policy is enforced.
    #       permissive - SELinux prints warnings instead of enforcing.
    #       disabled - SELinux is fully disabled.
    SELINUX=enforcing
    # SELINUXTYPE= type of policy in use. Possible values are:
    #       targeted - Only targeted network daemons are protected.
    #       strict - Full SELinux protection.
    SELINUXTYPE=targeted

This file has two parts: SELINUX, which sets the SELinux state (enforcing, permissive, or disabled), and SELINUXTYPE, which determines which security policy (strict or targeted) is activated.

disabled - Select the disabled option if you do not want SELinux security controls to be used. The disabled setting turns off security controls, so the security policy is not active.

permissive - Select this option to be notified of denials. In the permissive state, labels are assigned to data and programs and denials are logged, but the security policy is not enforced. The permissive state is a good starting point if you are new to SELinux and, rather than fully activating it from the start, first want to see what effect the policy would have on general system operation. Note, however, that in this mode a warning is sometimes raised for something that should not be flagged (false positive) or is missed for something that should be flagged (false negative), so this possibility has to be taken into account.

enforcing - Select the enforcing option to fully enable SELinux. For additional system security, the enforcing state applies all security policies (for example, denying access to particular files or programs to users who do not have permission). Select this option only if you are sure the system can carry on its normal operations, without interference, with SELinux fully enabled.

When you need to change the SELinux state while the system is in service, you can edit the /etc/sysconfig/selinux file directly and set SELINUX=enforcing or SELINUX=permissive, or you can use the setenforce command. "setenforce 0" gives the same result as SELINUX=permissive, and "setenforce 1" means enforcing mode.

If you do not want to use SELinux on the system at all, set SELINUX=disabled in the /etc/sysconfig/selinux file, or pass selinux=0 as a boot parameter to the boot loader at system boot time. (If you are using GRUB, press e on the GRUB screen to enter edit mode, move down to the kernel line, add selinux=0 at the end, press ESC, and then press b to boot.)

The setenforce command must be run with sysadm_r permission. To obtain it, use the newrole command, or switch to root with su -, which grants sysadm_r automatically.

When you need to change an SELinux security context, you can use the chcon command. For example, if you are running Apache and get errors even though the directory has clearly been created, applying the httpd_user_content_t type to the DocumentRoot, as below, can solve the problem.

    chcon -R -t httpd_user_content_t /home/<user account>/public_html

    [root@ns ~]# cat /etc/selinux/targeted/booleans
    allow_ypbind=1
    dhcpd_disable_trans=0
    httpd_disable_trans=1
    httpd_enable_cgi=1
    httpd_enable_homedirs=1
    httpd_ssi_exec=1
    httpd_tty_comm=0
    httpd_unified=1
    mysqld_disable_trans=0
    named_disable_trans=1
    named_write_master_zones=1
    nscd_disable_trans=1
    ntpd_disable_trans=0
    portmap_disable_trans=0
    postgresql_disable_trans=0
    snmpd_disable_trans=0
    squid_disable_trans=0
    syslogd_disable_trans=0
    winbind_disable_trans=0
    ypbind_disable_trans=0

On RHEL4, the /etc/selinux/targeted/booleans file is the file that represents the SELinux settings of the system. Each entry in the file can be changed with the system-config-securitylevel application or with the setsebool command. If you run setsebool without the -P option, the current setting changes but the configuration file does not. If you use the -P option, the contents of the /etc/selinux/targeted/booleans file are changed as well, so the setting still applies after the system is rebooted.

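The persistence behaviour of setsebool described above can be checked by comparing the running booleans with the saved file. The following Python sketch is an added example, not part of the original article; the function names are hypothetical and both inputs are constructed samples in the two formats shown above.

```python
import re

# Constructed sample of `sestatus -v` output: httpd_enable_cgi was switched off
# with setsebool but without -P. The two fused entries mimic the listing above.
SESTATUS_OUTPUT = """\
Policy booleans:
allow_ypbind            active
httpd_enable_cgi        inactive
named_write_master_zonesactive
postgresql_disable_transinactive

Process contexts:
"""

# Constructed sample of the matching /etc/selinux/targeted/booleans lines.
BOOLEANS_FILE = """\
allow_ypbind=1
httpd_enable_cgi=1
named_write_master_zones=1
postgresql_disable_trans=0
"""

# Name, optional padding, then the state; the lazy name match keeps
# "...transinactive" from being read as "...transin" + "active".
BOOL_LINE = re.compile(r"^(\S+?)\s*(inactive|active)$")

def runtime_booleans(sestatus_text):
    """Return {name: bool} from the 'Policy booleans:' section."""
    values, in_section = {}, False
    for line in sestatus_text.splitlines():
        if line.strip() == "Policy booleans:":
            in_section = True
        elif in_section:
            m = BOOL_LINE.match(line.strip())
            if not m:
                break  # a blank line or the next section ends the list
            values[m.group(1)] = m.group(2) == "active"
    return values

def persistent_booleans(file_text):
    """Return {name: bool} from the name=0/1 lines of the booleans file."""
    pairs = (ln.split("=", 1) for ln in file_text.splitlines() if "=" in ln)
    return {k.strip(): v.strip() == "1" for k, v in pairs}

def reboot_drift(sestatus_text, file_text):
    """Booleans whose running value differs from the one restored at boot."""
    now, saved = runtime_booleans(sestatus_text), persistent_booleans(file_text)
    return {n: (now[n], saved[n]) for n in sorted(now)
            if n in saved and now[n] != saved[n]}
```

Each entry returned by reboot_drift is a (running, saved) pair for a boolean that will revert at the next reboot unless it is set again with -P.
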
Replacing a policy is not a matter to be taken lightly. Apart from trying out a new policy on a test machine for research purposes, you should seriously consider the situation before replacing the policy on a production system with a different one. The replacement operation itself is simple. It is a very safe procedure, but it is desirable to try it on a test system first. One way is to use system-config-securitylevel to change the policy and set the file system to be relabeled. The manual procedure is as follows:

1. Edit /etc/selinux/config and change the policy type with SELINUXTYPE=policyname.
2. To make sure you can get back in after the reboot, set SELINUX=permissive. When you do this, SELinux runs under the correct policy but still lets you log in if there is a problem such as incorrect file context labeling.
3. As root with the sysadm_r role, relabel the file system:

       id -Z
       root:sysadm_r:sysadm_t
       fixfiles relabel

   With the option -l /path/to/logfile you can watch the log on standard output, and with the option -o /path/to/file you can save a list of all files that were checked or relabeled.
4. Reboot the system. Restarting under the new policy starts all system processes in the proper context and reveals any problems caused by the policy change.
5. Check that the changes took effect with the sestatus -v command. With the new system started in permissive mode, check /var/log/messages for avc: denied messages. These indicate problems that need to be resolved for the system to run without trouble under the new policy.
6. When you are satisfied with how the system runs under the new policy, change the setting to SELINUX=enforcing. Either reboot, or run setenforce 1 to enable enforcing in real time.

SELinux log entries appear in /var/log/messages like this:

    kernel: audit(1114070701.193:0): avc:  denied  { read } for  pid=24216 exe=/usr/libexec/mysqld name=mysql dev=cciss/c0d0p6 ino=16408 scontext=user_u:system_r:mysqld_t tcontext=root:object_r:var_lib_t tclass=dir

This log can be interpreted as follows.

- A read request was denied.
- The process that attempted the read has PID 24216.
- The process is /usr/libexec/mysqld.
- It was working on /dev/cciss/c0d0p6.
- The inode is 16408.
- The SELinux context of the process is user_u:system_r:mysqld_t.
- tcontext=root:object_r:var_lib_t: the file it attempted to read is a file of type var_lib_t owned by root.

Meaning of each item in the SELinux log:

- audit(timestamp) - This field states that it's an SELinux audit message and that it was logged at time timestamp (in seconds since Jan. 1st, 1970).
- avc - This message was from the SELinux access vector cache. Pretty much every message you are likely to see is from this cache.
- denied | accepted - This field indicates whether the action was denied or accepted. You may see logs of accepted messages in some cases (like reloading the policy).
- { read | write | unlink | ... } - This field shows the type of action that was attempted, such as reading a file, writing, unlinking, loading policy, etc.
- for pid= exe= name= dev= ino= scontext= tclass=

A useful tool for policy authors is /usr/bin/audit2allow, which translates the avc messages in /var/log/messages into rules that SELinux can use. It is part of the policycoreutils package, so if the command is not available you can install it with yum install policycoreutils. The audit2allow command can take its input in three ways. The default is standard input (stdin); with the -i option it reads its input from /var/log/messages; and with the -d option it reads its input from the output of dmesg.

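The field breakdown of the avc record above, and the kind of translation audit2allow performs on it, sketched in Python. This is an added example, not code from the original article and not audit2allow's own implementation; parse_avc and allow_rules are hypothetical names, and the second and third log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 is the denial quoted above, line 2 is a made-up
# write denial for the same process and directory, line 3 is unrelated noise.
SAMPLE_LOG = """\
kernel: audit(1114070701.193:0): avc:  denied  { read } for  pid=24216 exe=/usr/libexec/mysqld name=mysql dev=cciss/c0d0p6 ino=16408 scontext=user_u:system_r:mysqld_t tcontext=root:object_r:var_lib_t tclass=dir
kernel: audit(1114070702.101:0): avc:  denied  { write } for  pid=24216 exe=/usr/libexec/mysqld name=mysql dev=cciss/c0d0p6 ino=16408 scontext=user_u:system_r:mysqld_t tcontext=root:object_r:var_lib_t tclass=dir
kernel: Adding 2096472k swap on /dev/cciss/c0d0p2.
"""

AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):\d+\):\s+avc:\s+(?P<result>\w+)\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")

def parse_avc(line):
    """Return the fields of one avc record as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"timestamp": float(m.group("ts")), "result": m.group("result"),
           "perms": m.group("perms").split()}
    for token in m.group("rest").split():  # key=value pairs after "for"
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    # A context is user:role:type; policy rules are written against the type.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def allow_rules(log_text):
    """Merge denials per (source type, target type, class) into allow rules."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            grouped[key].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        names = sorted(perms)
        text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {text};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG)))
```

A generated rule widens what the policy permits, so check the file's label first: a mislabeled file is corrected with restorecon, not with a new rule.
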
This message means that the currently running SELinux policy does not allow the application's behavior. There are various reasons for this. First, one of the files the application is trying to access may be mislabeled. If the AVC message refers to a particular file, run ls -alZ /path/to/file to inspect its current label. If the label looks wrong, try restorecon -v /path/to/file. If there are very many denials associated with files, you may want to perform fixfiles relabel, or run restorecon with the -R option to relabel a directory path recursively.

At other times, denials can be generated by a change to the program's settings that the policy does not allow. For example, if you change Apache to port 8800, a related change to the security policy, apache.te, also becomes necessary. For detailed information on writing policy, see the list of external links (External Link List).

Home of the SELinux Project - http://www.nsa.gov/selinux/
The Un-Official SELinux FAQ - http://www.crypt.gen.nz/selinux/faq.html
SELinux link Zoo - http://www.crypt.gen.nz/selinux/links.html
Ubuntu Linux SELinux Pages - https://www.ubuntulinux.org/wiki/SELinux
2005.8 Sys Admin Magazine - http://www.samag.com/documents/s=9820/sam0508a/0508a.htm
NSA SELinux FAQ - http://www.nsa.gov/selinux/info/faq.cfm
SELinux Community page - http://selinux.sourceforge.net
Writing SE Linux policy HOWTO - https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266
Getting Started with SE Linux HOWTO: the New SE Linux (Debian) - https://sourceforge.net/docman/display_doc.php?docid=20372&group_id=21266