SELinux basics

Concepts

Security-Enhanced Linux is a mandatory access control (MAC) security subsystem, developed by the US National Security Agency with the help of the Linux open-source community.

The purpose of SELinux is to confine every service process so that it can only reach the resources it is supposed to reach.

Core technology

SELinux domains

Restrict what a service program can do, ensuring the service cannot step outside its intended role.

SELinux security contexts

File system contexts

       Restrict access to file resources, ensuring a file can only be accessed by the service process it belongs to.

       View with ls -Z xx.xx

Process contexts

       View with ps -Z

User contexts

       View with id -Z

Configuration modes

Three modes

       enforcing - the security policy is enforced; illegitimate requests from services are blocked

       permissive - when a service oversteps its permissions, only a warning is logged; nothing is blocked

       disabled - over-privileged actions are neither logged nor blocked

Changing the mode

Temporary change, lost after reboot

  setenforce 0    (0 - permissive, policy not enforced; 1 - enforcing)

  getenforce      # show the current SELinux mode

Permanent change

  File - /etc/selinux/config (the SELINUX= line)
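A temporary setenforce 0 is easy to forget, and the host then runs permissive until the next reboot while the config file still says enforcing. The following script, an added example that is not part of the original post, reads the SELINUX= line from a config body and compares it with the word getenforce prints; the config text and the getenforce result here are constructed so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): compare the persistent mode in
# /etc/selinux/config with the runtime mode reported by getenforce, so that a
# temporary "setenforce 0" that was never reverted is noticed.

# Read the SELINUX= keyword from a config file body given on stdin,
# ignoring comment lines; only the first non-comment SELINUX= line counts.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' | head -n 1
}

# Map the word getenforce prints to the keyword used in the config file.
runtime_mode() {
    case "$1" in
        Enforcing)  echo enforcing ;;
        Permissive) echo permissive ;;
        Disabled)   echo disabled ;;
        *)          echo unknown ;;
    esac
}

# Compare the two; prints a verdict and returns 0 only when they agree.
check_drift() {
    cfg=$1
    run=$2
    if [ "$cfg" = "$run" ]; then
        echo "ok: configured=$cfg runtime=$run"
        return 0
    fi
    echo "DRIFT: configured=$cfg runtime=$run"
    return 1
}

# Constructed sample: a config file that says enforcing while the running
# kernel is permissive (the state after a temporary "setenforce 0").
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
SELINUX=enforcing
SELINUXTYPE=targeted
'
SAMPLE_GETENFORCE='Permissive'

cfg=$(printf '%s' "$SAMPLE_CONFIG" | config_mode)
run=$(runtime_mode "$SAMPLE_GETENFORCE")
check_drift "$cfg" "$run" || true
# On a real host, replace the constructed values with:
#   cfg=$(config_mode < /etc/selinux/config)
#   run=$(runtime_mode "$(getenforce)")
```

Run it from cron or a configuration-management check; a non-zero exit from check_drift is the signal that someone changed the runtime mode without changing the file (or the reverse, a file edit that has not been applied by a reboot).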

Configuring SELinux policy - semanage

Example (changing a file resource's context)

[yc@yc html]$ ls -Zh /var/www/html/
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
[yc@yc html]$ ls -Zh /data01/httpd_data/
drwxr-xr-x. root root unconfined_u:object_r:unlabeled_t:s0 html
Change the target security context
[yc@yc html]$ sudo semanage fcontext -a -t httpd_sys_content_t /data01/httpd_data
[yc@yc html]$ sudo semanage fcontext -a -t httpd_sys_content_t /data01/httpd_data/*.*
Apply the new labels with restorecon
[yc@yc html]$ sudo restorecon -Rv /data01/httpd_data/
restorecon reset /data01/httpd_data context unconfined_u:object_r:unlabeled_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /data01/httpd_data/html context unconfined_u:object_r:unlabeled_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /data01/httpd_data/html/index.html context unconfined_u:object_r:unlabeled_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
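Before and after a relabel like the one above it is worth listing every entry under the web root whose type is not httpd_sys_content_t, since a single unlabeled_t or user_home_t file is enough for httpd_t to be denied. The script below is an added example, not code from the original post: it parses ls -Z style lines (the five-column format shown above, or the newer "context name" format, both assumed to put the file name directly after the context) and prints the offending names with their type. The sample lines are constructed so it runs offline. Note also that semanage fcontext takes a regular expression, so the usual spec for a whole tree is "/data01/httpd_data(/.*)?" rather than the literal path and glob used in the session.

```shell
#!/bin/sh
# Added example (not from the original post): audit the SELinux type of files
# under a web root and flag anything the httpd_t domain would be denied.

# Read "ls -Z" style lines on stdin and print "<name> <type>" for every entry
# whose type differs from the expected one. The context field is located by
# its shape (user:role_r:type_t:level) so both the old five-column format and
# the newer "context name" format work; the name is assumed to follow it.
find_mislabeled() {
    want=$1
    awk -v want="$want" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[^:]+:[^:]+_r:[^:]+_t:/) {
                    split($i, ctx, ":")   # ctx[1]=user ctx[2]=role ctx[3]=type
                    if (ctx[3] != want && i < NF) print $(i + 1), ctx[3]
                    break
                }
            }
        }'
}

# Number of mislabeled entries, for use as a pass/fail count (0 = clean).
count_mislabeled() {
    find_mislabeled "$1" | wc -l | tr -d ' '
}

# Constructed sample in the format the post shows: one correctly labeled file,
# one directory copied in from elsewhere (unlabeled_t), and one file that kept
# the default label of a home directory (user_home_t).
SAMPLE_LS='-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
drwxr-xr-x. root root unconfined_u:object_r:unlabeled_t:s0 html
-rw-r--r--. yc   yc   unconfined_u:object_r:user_home_t:s0 about.html'

printf '%s\n' "$SAMPLE_LS" | find_mislabeled httpd_sys_content_t
# On a real host: ls -Z /data01/httpd_data | find_mislabeled httpd_sys_content_t
```

Run the audit after restorecon -Rv as well: if it still lists entries, the fcontext rule did not cover them (typically because the regular expression did not match the subtree), and restorecon had nothing to reset.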

Example (changing the security domain of the httpd service: allow httpd to serve users' personal home pages, i.e. to read files under /home)

[yc@yc html]$ sudo getsebool -a|grep http
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
named_tcp_bind_http_port --> off
prosody_bind_http_port --> off
[yc@yc html]$ sudo setsebool -P httpd_enable_homedirs=on
[yc@yc html]$ sudo getsebool -a|grep httpd_enable_homedirs
httpd_enable_homedirs --> on
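Every setsebool -P widens what the httpd_t domain may do, so it pays to keep a saved copy of getsebool -a and diff the current state against it during review. The script below is an added example and not part of the original post: it compares two getsebool -a captures and reports changed booleans, and separately lists which booleans from a watch list are on. The two captures are constructed from a subset of the list above; the baseline matches the state before the setsebool, and the current capture has httpd_enable_homedirs turned on as in the session, plus httpd_can_network_connect turned on as a second constructed change so the diff shows more than one line.

```shell
#!/bin/sh
# Added example (not from the original post): diff the httpd booleans against
# a saved baseline and list watched booleans that are currently on.

# Print "name old new" for each boolean whose value differs between two
# "getsebool -a" captures given as file paths (baseline first). Booleans
# present only in the current capture are printed with "-" as the old value.
boolean_diff() {
    awk 'NR == FNR { if ($2 == "-->") base[$1] = $3; next }
         $2 == "-->" && ($1 in base) && base[$1] != $3 { print $1, base[$1], $3 }
         $2 == "-->" && !($1 in base) { print $1, "-", $3 }' "$1" "$2"
}

# Print the booleans named in the remaining arguments that are "on" in the
# capture file given as the first argument.
enabled_from_watchlist() {
    capture=$1
    shift
    awk -v list="$*" '
        BEGIN { n = split(list, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        $2 == "-->" && ($1 in watch) && $3 == "on" { print $1 }' "$capture"
}

# Constructed captures (a subset of the getsebool -a output above).
BASELINE=$(mktemp)
CURRENT=$(mktemp)
trap 'rm -f "$BASELINE" "$CURRENT"' EXIT

cat > "$BASELINE" <<'EOF'
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_read_user_content --> off
EOF

cat > "$CURRENT" <<'EOF'
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_enable_cgi --> on
httpd_enable_homedirs --> on
httpd_read_user_content --> off
EOF

# Booleans that broaden httpd's reach and should be explained in a review.
WATCHLIST='httpd_anon_write httpd_can_network_connect httpd_enable_homedirs httpd_execmem'

echo "changed since baseline:"
boolean_diff "$BASELINE" "$CURRENT"
echo "watched booleans currently on:"
enabled_from_watchlist "$CURRENT" $WATCHLIST
# On a real host: getsebool -a > /var/tmp/sebool.baseline once, then later
#   getsebool -a > /var/tmp/sebool.now; boolean_diff /var/tmp/sebool.baseline /var/tmp/sebool.now
```

The diff is only as good as the baseline, so save it right after the initial hardening and refresh it whenever a change is approved; anything the diff shows that nobody can account for is a finding.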
