See Also: LinuxSE for Android

Security-Enhanced Linux

SELinux (Security-Enhanced Linux) is the U.S. National Security Agency (NSA)'s implementation of Mandatory Access Control (MAC), and the most significant new security subsystem in the history of Linux. The NSA developed this access control architecture with the help of the Linux community; it is based on the principle of least privilege and is implemented in the Linux kernel through the Linux Security Modules (LSM) framework. Under this access control model, a process can only access the files it needs for its task. SELinux is installed by default on Fedora and Red Hat Enterprise Linux, and is available as an easily installed package on other distributions.

SELinux is not a Linux distribution but a set of modifications that can be applied to Unix-like operating systems (such as Linux and BSD). It is a mandatory access control (MAC) system that has been available since version 2.6 of the Linux kernel. Of the Linux security modules currently available, SELinux is the most comprehensive and the most thoroughly tested; it builds on 20 years of MAC research. SELinux combines multi-level security, or an optional multi-category policy, with a type enforcement server, and adopts the concept of role-based access control.

Most people who use SELinux use an SELinux-ready distribution such as Fedora, Red Hat Enterprise Linux (RHEL), Debian or CentOS. These enable SELinux in the kernel, provide a customizable security policy, and ship many user-space libraries and tools that can make use of SELinux functionality.

1. SELinux Modes

SELinux has three basic modes of operation (Enforcing, Permissive and Disabled), of which Enforcing is set as the installation default. There is, however, an additional qualifier, the policy type, which is either targeted or mls and controls how pervasively SELinux rules are applied, with targeted being the less stringent level.

The SELinux mode can be viewed and changed by using the SELinux Management GUI tool available on the Administration menu or from the command line by running 'system-config-selinux' (the SELinux Management GUI tool is part of the policycoreutils-gui package and is not installed by default).

Users who prefer the command line may use the 'sestatus' command to view the current SELinux status:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

The 'setenforce' command may be used to switch between Enforcing and Permissive modes on the fly, but note that these changes do not persist through a system reboot.

To make changes persistent through a system reboot, edit the 'SELINUX=' line in /etc/selinux/config for either 'enforcing', 'permissive', or 'disabled'. For example: 'SELINUX=permissive'

2. FAQs

2.1. Enabling and Disabling SELinux

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing

# getenforce 
Enforcing

To switch SELinux to Permissive mode (policy no longer enforced, denials only logged) until the next reboot, or back to Enforcing:

# setenforce Permissive
# setenforce Enforcing

2.2. SELinux Log Messages

By default, SELinux log messages are written to /var/log/audit/audit.log by the Linux Auditing System (auditd). If the audit daemon is not running, messages are written to /var/log/messages instead. SELinux log messages are labeled with the AVC keyword so that they can be easily filtered from other messages, for example with grep. Piping the denials into audit2allow prints the allow rules that would permit them:

# grep nginx /var/log/audit/audit.log | audit2allow
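Before handing denials to audit2allow it helps to see what is actually being denied. The script below, an added example that is not part of the original wiki page, summarizes AVC denial records by source domain, target type, object class and permission; the audit records it reads are constructed sample data modeled on the nginx/var_t and rsync/8873 cases on this page, not a real log.

```shell
#!/bin/sh
# Added example, not from the original wiki page: summarize AVC denials from
# audit.log records by (source type, target type, object class, permissions)
# so an operator can review the denials before running audit2allow.

# Constructed sample records in audit.log format (not a real log); the cases
# mirror the nginx/var_t and rsync/8873 situations discussed on this page.
avc_sample() {
cat <<'EOF'
type=AVC msg=audit(1428420000.101:301): avc:  denied  { read } for  pid=825 comm="nginx" name="index.php" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1428420000.102:302): avc:  denied  { read } for  pid=825 comm="nginx" name="wp-config.php" dev="dm-0" ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1428420000.103:303): avc:  denied  { read open } for  pid=825 comm="nginx" name="wp-login.php" dev="dm-0" ino=1003 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1428420000.104:304): avc:  denied  { name_bind } for  pid=9851 comm="rsync" src=8873 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1428420000.104:304): arch=c000003e syscall=49 success=no exit=-13 comm="rsync"
EOF
}

# Read audit records on stdin and print one line per distinct denial shape:
#   <count> <source_type> <target_type> <tclass> <perm[,perm...]>
# Only "avc: denied" records are counted; SYSCALL and other records are skipped.
summarize_avc() {
    grep -E 'avc: +denied' | awk '
    {
        src = ""; tgt = ""; cls = ""; perms = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                       # permissions sit between { and }
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perms = (perms == "" ? $j : perms "," $j)
            } else if (index($i, "scontext=") == 1) {
                split(substr($i, 10), a, ":"); src = a[3]   # user:role:TYPE:level
            } else if (index($i, "tcontext=") == 1) {
                split(substr($i, 10), a, ":"); tgt = a[3]
            } else if (index($i, "tclass=") == 1) {
                cls = substr($i, 8)
            }
        }
        count[src " " tgt " " cls " " perms]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

# Most frequent denial first; ties are ordered by source type.
avc_sample | summarize_avc
```

A denial of httpd_t on var_t files, as shown here, is the case section 2.6 fixes by relabeling rather than by adding an allow rule.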

2.3. Create a custom SELinux policy module

We can generate a local nginx policy module from the logged denials: 'audit2allow -M nginx' writes a Type Enforcement source file (nginx.te) together with a compiled policy package (nginx.pp), which semodule then loads:

# grep nginx /var/log/audit/audit.log | audit2allow -M nginx
# semodule -i nginx.pp

We can check that the policy module loaded correctly by listing the loaded modules:

# semodule -l

2.4. global requirements not met

http://ramblings.narrabilis.com/node/333

Changed the module name and it works fine.

2.5. Change a service's port number

# semanage port -l |grep rsync
rsync_port_t                   tcp      873
rsync_port_t                   udp      873
# semanage port -a -t rsync_port_t -p tcp 8873
# systemctl start rsyncd
# ss -tnlp|grep rsync 
LISTEN     0      5                         *:8873                     *:*      users:(("rsync",9851,4))
LISTEN     0      5                        :::8873                    :::*      users:(("rsync",9851,5))

2.6. Modify Access Control

Here the moin and wp directories under /srv/www are labeled var_t, while nginx runs in the httpd_t domain, which the default policy does not allow to read var_t content; relabeling wp as httpd_sys_content_t with chcon gives nginx access to it:

# ls -Z /srv/www/
drwxr-xr-x. www-data www-data unconfined_u:object_r:httpd_sys_content_t:s0 html
drwxr-xr-x. www-data www-data unconfined_u:object_r:var_t:s0   moin
drwxr-xr-x. www-data www-data unconfined_u:object_r:var_t:s0   wp
# ps axZ | grep nginx 
system_u:system_r:httpd_t:s0      824 ?        Ss     0:00 nginx: master process /usr/sbin/nginx
system_u:system_r:httpd_t:s0      825 ?        S      0:01 nginx: worker process
...
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 9951 pts/0 S+   0:00 grep --color=auto nginx
# chcon -Rt httpd_sys_content_t /srv/www/wp/

Note that chcon only changes the label stored on the files; a relabel (restorecon, or a full filesystem relabel) resets it to whatever the file-context policy specifies. For a change that survives relabeling, register the path with 'semanage fcontext -a -t httpd_sys_content_t' and then apply it with 'restorecon -R'.


MainWiki: SELinux (last edited 2015-04-07 21:59:16 by twotwo)