ۼ : 08-09-09 11:57
selinux
SELINUX


 


-       å μ ü Ͽ ִ.


-       Ŀο SELinux ϸ μ ü ִ.


-       ڿ ؼ ƴ϶ ̿ ٰ Ѵ.


-       Dhcp , httpd , named , nscd , ntpd , portmap , snmpd , squid , syslogd ȣ ִ.


 


 


 


 


SELinux Ȱȭ Ȱȭ


 


 CentOS: /etc/sysconfig/selinux (a symlink to /etc/selinux/config, the "config" file shown under /etc/selinux further down)


 


           /etc/sysconfig/selinux


           # This file controls the state of SELinux on the system.


           # SELINUX= can take one of these three values:


           # enforcing - SELinux security policy is enforced.


           # permissive - SELinux prints warnings instead of enforcing.


           # disabled - SELinux is fully disabled.


           SELINUX=enforcing | SELINUX=disabled | SELINUX=permissive  (set exactly one of the three; this file is read at boot, so the change takes effect on the next reboot)


           # SELINUXTYPE= type of policy in use. Possible values are:


           # targeted - Only targeted network daemons are protected.


           # strict - Full SELinux protection.


           SELINUXTYPE=targeted


 


-       Disabled :  ʴ´.


-       Permissive : ź ޽ 뺸 ִ. å ؼ Ϲ ý ۾


    ġ ˾ ִ.( ʴ´.)


-       Enforcing : Ȱȭ.


 


SELinux


 


1.     /etc/sysconfig/selinux


 


#vi /etc/sysconfig/selinux


           SELINUX=enforcing disabled permissive


          


           enforcing Ǿ ִ.


SELINUX=enforcing (policy is enforced)


SELINUX=permissive (policy is loaded and denials are logged, but nothing is blocked)


SELINUX=disabled (SELinux is off entirely; no policy loaded, no labelling of new files)


          


           ý


2.      ¿


 


¿ Ȱȭ Ȱȭ ִ.ý


´. (ֹ߼)


 


           #setenforce 0   (switches to permissive, NOT disabled: the policy stays loaded and denials are still logged. SELinux can only be fully disabled via SELINUX=disabled in the config file plus a reboot.)


 


           #setenforce 1   (back to enforcing; takes effect immediately, no reboot)


 


3.     ý Ȱȭ


 


#vi /boot/grub/grub.conf


kernel /boot/vmlinuz-2.6.9-22.0.1.ELsmp ro root=/dev/sda1 rhgb quiet selinux=0


           Takes effect after a reboot. Caveat: while SELinux is disabled, files created or modified get no security labels, so when it is re-enabled later a full relabel is needed (touch /.autorelabel before rebooting) or services will hit denials on unlabelled files.


 


SELinux Ȯ


 


           #sestatus -v   (the command is sestatus, not setstatus; -v also lists the contexts of key files and processes)


 


[root@selinux proc]# sestatus


SELinux status:              enabled


SELinuxfs mount: /selinux


Current mode:              enforcing


Mode from config file:     enforcing


Policy version:               18


Policy from config file:targeted


 


-       SELinux ° Disabled SELinux õ ɾ ʴ´.


-       Current mode Ȯ .


Current mode enforcing : SELinux Ȱȭ


Current mode permissive : SELinux ź ޽ Ȱȭ( Ȱȭ)


 


SELinux


 


-       When SELinux is enabled, ls -aZ (the Z option) shows the security context of each file alongside the usual permissions.


-       -Zɼ ̿ؼ ȹ ִµ ؼ "system_u" , "object_r" ,


"selinux_config_t" Ÿ ȮҼ ִ. ̷ SELinux å ؼ ϰų źϰ


ǹǷ Ȯΰϴٸ SELinux ̴.


 


#ls -lZ /etc/selinux


-rw-r--r--  root    root   system_u:object_r:selinux_config_t config


drwxr-xr-x  root    root   system_u:object_r:selinux_config_t targeted


 


           _u : user (identity) field , _r : role field , _t : type field — the type is what targeted policy rules match on, so it is the field that matters for most troubleshooting


SELinux


 


-       chcon ̿Ѵ.


-       –R ɼ ̿Ѵ.


 


CentOS default file-context (type) mapping: /etc/selinux/targeted/contexts/files/file_contexts  (the directory is "targeted", matching SELINUXTYPE=targeted; "target" does not exist)


 


-t : set the type field (the …_t part) of the given file; the role is changed with -r and the user with -u, not -t


-R : apply the change recursively to a directory and everything below it


 


           #chcon -t httpd_user_content_t /home/www/index.htm


 


chcon sets the type of /home/www/index.htm to httpd_user_content_t. This is a one-off change to the inode label only: any relabel (restorecon, /.autorelabel) resets the file to whatever file_contexts says, as the restorecon example below demonstrates. For a change that survives relabelling, add the path to the file-context mapping instead of relying on chcon.


 


SELinux


 


-       ؼ restorecon ̿ Ѵ.


 


#restorecon -Rv /home/www/index.htm


 


[root@selinux data]# ls -lZ


-rw-r--r--  root     root     root:object_r:httpd_user_content_t index.htm


[root@selinux data]# ls -lZ


-rw-r--r--  root     root     root:object_r:httpd_user_content_t index.htm


[root@selinux data]# restorecon -Rv index.htm


restorecon reset context /data/index.htm:root:object_r:httpd_user_content_t->system_u:object_r:default_t


[root@selinux data]# ls -lZ


-rw-r--r--  root     root     system_u:object_r:default_t      index.htm


[root@selinux data]#


 


SELinux ׸ å


 


           #more /etc/selinux/targeted/Booleans Ȯ


           #getsebool -a   (lists every boolean with its current value; setsebool has no -a option)


           SELinux õ å Ȯ


 


           #setsebool -P <boolean> 0   |   #setsebool -P <boolean> 1   (a boolean name is required; -P writes the value into the policy store so it survives reboot, omit -P for a runtime-only change)


å Ȱȭ Ȱȭ


          


           1 : active / 0: inactive


 


-       system-config-securitylevel ׸ å , GUI ׸ Ȯ


 


#system-config-securitylevel


 


SELinux α


 


- SELinux log


           audit(timestamp) : SELinux ˻ ޼̸ Ÿ Ѵ.


           avc : SELinux ij ׼ Ÿ Ǹ ij̴.


           denied | granted : whether the action was refused or allowed (AVC records say "granted", not "accepted"; by default only denials are logged)


           { read | write | unlink | .....} ʵ б,, unlink å ε ׼ '


           for pid=<PID> : ϴ ׼ μ ID Ÿ.


           exe=<executable> : Ǵ μ θ Ÿ.


           name=<name> : ׼ õϴ Ÿ ̸ Ÿ.


           dev=<device> : Ÿ ġ ̽ Ÿ.


           ino=<inode-number> : ׼ Ÿ inode Ÿ.


           scontext=<security context> : μ Ȼ() Ÿ. ,Ģ,Ÿ ִ.


           tcontext=<target context> : ׼ Ÿ(̳ 丮 Ǵ) Ȼ() Ÿ.


           tclass=<target class> : Ÿ Ʈ(,,̽,) Ŭ Ÿ.


 


α׸ м ..


 


SELinux α״ μ ź Ǿ Ѵ.(ŵǾ )


⺻å źθ 㰡 ؼ α׸ Ҽ ִ.


Ʒ SELinux α ̴.( /var/log/messages ϵȴ.)


 


kernel: audit(1114070701.193:0): avc:  denied  { read } for  pid=24216 exe=/usr/libexec/mysqld


name=mysql dev=cciss/c0d0p6 ino=16408 scontext=user_u:system_r:mysqld_t


tcontext=root:object_r:var_lib_t tclass=dir


 


켱 б 䱸 źϰ ִ. (denied {read})


б 䱸 ϴ μ ID 24216̴. (for pid=24216)


The process binary is /usr/libexec/mysqld and the object it tried to access is named mysql. (exe=/usr/libexec/mysqld name=mysql)


׼ Ÿ /dev/cciss/c0d0p6 ġ ǰ ִ.)


׼ Ÿ inode 16408̰, (ino=16408)


μ SELinux context user̰, mysqld Ÿ̴.(scontext=user_u:system_r:mysqld_t)


The target is a directory of type var_lib_t. (tcontext=root:object_r:var_lib_t tclass=dir) A generic var_lib_t label on a daemon's own data directory usually means the directory is mislabelled; check it with restorecon -Rv (or ls -Z against file_contexts) before considering a custom allow rule.


 


ش log SELinux Ȱȭ /etc/rc.d/init.d/auditd Ȱȭ Ǿ ־ Ѵ.


-       Check that auditd is enabled with chkconfig --list auditd (or the setup tool) and that it is running with ps -ef | grep auditd


-       Auditd log /var/log/audit/audit.log Ȯ


-       Avc log SELinux ߻ Ѵ. Messages auditd .


 


!!SELinux Ȱȭ auditd Ȱȭ ش.


 


/etc/rc.d/init.d/auditd start


 


SELinux yum Ű Ʈ


 


           [root@selinux proc]# yum update 'selinux*'   (quote the glob so the shell does not expand it against files in the current directory; this keeps the policy packages current along with the kernel)


 


           selinux-policy-targeted-sources


           selinux-policy-targeted-sources.noarch 0:1.17.30-2.150.el4


           selinux-policy-targeted.noarch 0:1.17.30-2.150.el4


 


SELinux


 


 semanage / setsebool / audit2allow — review anything audit2allow generates before loading it: it turns every logged denial into an allow rule, including denials caused by mislabelled files (fix those with restorecon) or by an actual attack, and blindly loading it silently weakens the policy.


 


           #audit2allow -l -i /var/log/messages


           #audit2allow -d


           #audit2allow -a   (the command is audit2allow, one "l"; -a reads the audit log)


 


 
 
