SELINUX
- Under the targeted policy the protected network daemons are dhcp, httpd, named, nscd, ntpd, portmap, snmpd, squid and syslogd.
Enabling and disabling SELinux
On CentOS the default configuration file is /etc/sysconfig/selinux
/etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=enforcing    (set to one of: enforcing, disabled, permissive)
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
- Disabled : SELinux is not applied at all.
- Permissive : denials are only logged, not enforced. This is useful to see which normal system
operations the policy would affect before enforcing it (nothing is blocked).
- Enforcing : SELinux is enabled and the policy is enforced.
Changing the SELinux mode
1. Edit /etc/sysconfig/selinux
#vi /etc/sysconfig/selinux
SELINUX=enforcing | disabled | permissive
The default value is enforcing.
SELINUX=enforcing (policy enforced)
SELINUX=permissive (warnings only)
SELINUX=disabled (SELinux off)
Reboot the system for the change to take effect.
2. Change the mode at runtime
The mode can be switched while the system is running, without a reboot. The change is temporary
and is lost on the next boot.
#setenforce 0 (switch to permissive; setenforce cannot fully disable SELinux)
#setenforce 1 (switch to enforcing)
3. Disable SELinux at boot with a kernel parameter
#vi /boot/grub/grub.conf
kernel /boot/vmlinuz-2.6.9-22.0.1.ELsmp ro root=/dev/sda1 rhgb quiet selinux=0
Reboot the system for the change to take effect.
Checking the SELinux status
#sestatus -v
[root@selinux proc]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 18
Policy from config file: targeted
- When SELinux status is disabled, SELinux-related commands do not work.
- Check the Current mode line.
Current mode enforcing : SELinux is enabled and enforcing
Current mode permissive : SELinux only logs denials (not enforcing)
Viewing SELinux security contexts
- When SELinux is enabled, ls -aZ (capital Z option) shows the security context of each file.
- With the -Z option the context is displayed, for example "system_u", "object_r",
"selinux_config_t". The SELinux policy allows or denies access based on these contexts,
so if they are visible, SELinux is active.
#ls -lZ /etc/selinux
-rw-r--r-- root root system_u:object_r:selinux_config_t config
drwxr-xr-x root root system_u:object_r:selinux_config_t targeted
_u : identity (user) field, _r : role field, _t : type field
Changing a security context
- Use chcon.
- For directories use the -R option (recursive).
CentOS default file-context definitions: /etc/selinux/targeted/contexts/files/file_contexts
-t : set the type of the given file
-R : apply recursively to a directory
#chcon -t httpd_user_content_t /home/www/index.htm
chcon sets the type httpd_user_content_t on the file /home/www/index.htm
Restoring the default security context
- Use restorecon to restore the default context of a file.
#restorecon -Rv /home/www/index.htm
[root@selinux data]# ls -lZ
-rw-r--r-- root root root:object_r:httpd_user_content_t index.htm
[root@selinux data]# restorecon -Rv index.htm
restorecon reset context /data/index.htm:root:object_r:httpd_user_content_t->system_u:object_r:default_t
[root@selinux data]# ls -lZ
-rw-r--r-- root root system_u:object_r:default_t index.htm
SELinux policy booleans
#more /etc/selinux/targeted/booleans    (view boolean settings)
#getsebool -a
Lists all SELinux policy booleans with their current values.
#setsebool -P <boolean> 0 & #setsebool -P <boolean> 1
Disables / enables the given boolean; -P makes the change persistent.
1 : active / 0 : inactive
- system-config-securitylevel lets you view and change policy booleans from a GUI.
#system-config-securitylevel
SELinux logs
- SELinux log fields
audit(timestamp) : the time at which the SELinux check took place.
avc : Access Vector Cache, the SELinux permission cache that produced the message.
denied | accepted : whether the access was allowed or denied.
{ read | write | unlink | ..... } : the permission (read, write, unlink, ...) that was checked against the policy.
for pid=<PID> : the ID of the process that requested access.
exe=<executable> : path of the executable of the process.
name=<name> : name of the target object.
dev=<device> : the device on which the target is located.
ino=<inode-number> : inode number of the target.
scontext=<security context> : security context of the source process, made up of user, role and type.
tcontext=<target context> : security context of the target (a file, directory or other object).
tclass=<target class> : object class of the target (dir, file, device, socket, ...).
Log analysis example
SELinux logs record which process was denied which access (denied messages).
From the log you can see what the default policy denied and decide whether it should be allowed.
Below is an example SELinux log entry (by default it is written to /var/log/messages).
kernel: audit(1114070701.193:0): avc: denied { read } for pid=24216 exe=/usr/libexec/mysqld
name=mysql dev=cciss/c0d0p6 ino=16408 scontext=user_u:system_r:mysqld_t
tcontext=root:object_r:var_lib_t tclass=dir
First, a read request was denied. (denied { read })
The process requesting read access has PID 24216. (for pid=24216)
The process executable is /usr/libexec/mysqld and the target name is mysql. (exe=/usr/libexec/mysqld name=mysql)
The target is located on the device /dev/cciss/c0d0p6. (dev=cciss/c0d0p6)
The inode of the target is 16408. (ino=16408)
The SELinux context of the process has user user_u and type mysqld_t. (scontext=user_u:system_r:mysqld_t)
The target is an object of type var_lib_t, a directory. (tcontext=root:object_r:var_lib_t tclass=dir)
For these logs to be written, SELinux must be enabled and /etc/rc.d/init.d/auditd must be running.
- Check whether auditd is enabled with chkconfig --list or setup, and whether it is running with ps -ef | grep auditd
- The auditd log is /var/log/audit/audit.log
- AVC messages are produced by SELinux. They go to messages when auditd is not running, and to audit.log when it is.
!! When enabling SELinux, also enable auditd.
/etc/rc.d/init.d/auditd start
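As an added example (not part of the original page), a small Python parser for the AVC log format described above, summarizing denials per source type, target type, class and permission. The sample lines are constructed: the first is the page's mysqld entry, the others are invented, and the keyword "granted" for allowed entries is an assumption.

```python
import re
from collections import Counter

# Constructed sample log: the mysqld denial from the page plus two invented lines.
SAMPLE_LOG = """\
kernel: audit(1114070701.193:0): avc: denied { read } for pid=24216 exe=/usr/libexec/mysqld name=mysql dev=cciss/c0d0p6 ino=16408 scontext=user_u:system_r:mysqld_t tcontext=root:object_r:var_lib_t tclass=dir
kernel: audit(1114070701.201:0): avc: denied { write } for pid=24216 exe=/usr/libexec/mysqld name=mysql dev=cciss/c0d0p6 ino=16408 scontext=user_u:system_r:mysqld_t tcontext=root:object_r:var_lib_t tclass=dir
kernel: audit(1114070702.005:0): avc: granted { read } for pid=1234 exe=/usr/sbin/httpd name=index.htm dev=sda1 ino=42 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_user_content_t tclass=file
"""

# audit(<timestamp>:<serial>): avc: <result> { <perms> } for <key=value ...>
AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):\d+\):\s+avc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict of the AVC fields for one log line, or None if it is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    rec.update(FIELD_RE.findall(m.group("fields")))
    # Split scontext/tcontext (user:role:type) and keep the type, which is what the policy keys on.
    for key in ("scontext", "tcontext"):
        if key in rec:
            rec[key + "_type"] = rec[key].split(":")[2]
    return rec


def summarize_denials(log_text):
    """Count denied (source type, target type, tclass, permission) tuples over a log."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            for perm in rec["perms"]:
                counts[(rec["scontext_type"], rec["tcontext_type"], rec["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE_LOG).items():
        print(n, key)
```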
Updating SELinux packages with yum
[root@selinux proc]# yum update selinux*
selinux-policy-targeted-sources
selinux-policy-targeted-sources.noarch 0:1.17.30-2.150.el4
selinux-policy-targeted.noarch 0:1.17.30-2.150.el4
SELinux tools
semanage / setsebool / audit2allow
#audit2allow -l -i /var/log/messages    (read denials from the given log file, only after the last policy reload)
#audit2allow -d    (read denials from dmesg)
#audit2allow -a    (read denials from all audit logs)