概念
Security-Enhanced Linux,是美国国家安全局在Linux开源社区的帮助下的一个强制访问控制(MAC,Mandatory Access Control)的安全子系统
使用SELinux技术的目的是为了让各个服务进程都受到约束,使其仅获取到本应获取的资源。
核心技术
SELinux域
对服务程序的功能进行限制,确保服务做不了出格的事情
SELinux安全上下文
文件系统上下文
对文件资源的访问进行限制,确保文件只能被其所述的服务进程访问
ls -Z xx.xx查看
进程上下文
ps -Z查看
用户上下文
id -Z查看
配置模式
三种配置模式
enforcing - 强制启用安全策略模式,将拦截服务的不合法请求
permissive - 遇到服务越权访问时,只发出警告,而不进行拦截
disabled - 对于越权的行为不警告也不拦截
修改配置模式
临时修改,重启失效
setenforce 0(0 - 禁用;1 - 启用)
# getenforce # 查看当前selinux状态
永久修改
文件 - /etc/selinux/config
配置SELinux策略 - semanage
举例(更改文件资源上下文)
[yc@yc html]$ ls -Zh /var/www/html/ -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html [yc@yc html]$ ls -Zh /data01/httpd_data/ drwxr-xr-x. root root unconfined_u:object_r:unlabeled_t:s0 html 更改目标安全上下文 [yc@yc html]$ sudo semanage fcontext -a -t httpd_sys_content_t /data01/httpd_data [yc@yc html]$ sudo semanage fcontext -a -t httpd_sys_content_t /data01/httpd_data/*.* restorecon更新selinux设置 [yc@yc html]$ sudo restorecon -Rv /data01/httpd_data/ restorecon reset /data01/httpd_data context unconfined_u:object_r:unlabeled_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0 restorecon reset /data01/httpd_data/html context unconfined_u:object_r:unlabeled_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0 restorecon reset /data01/httpd_data/html/index.html context unconfined_u:object_r:unlabeled_t:s0-> unconfined_u:object_r:httpd_sys_content_t:s0
举例(更改http服务的安全域,允许http服务提供用户个人主页功能-即可以访问/home目录下的文件)
[yc@yc html]$ sudo getsebool -a|grep http httpd_anon_write --> off httpd_builtin_scripting --> on httpd_can_check_spam --> off httpd_can_connect_ftp --> off httpd_can_connect_ldap --> off httpd_can_connect_mythtv --> off httpd_can_connect_zabbix --> off httpd_can_network_connect --> off httpd_can_network_connect_cobbler --> off httpd_can_network_connect_db --> off httpd_can_network_memcache --> off httpd_can_network_relay --> off httpd_can_sendmail --> off httpd_dbus_avahi --> off httpd_dbus_sssd --> off httpd_dontaudit_search_dirs --> off httpd_enable_cgi --> on httpd_enable_ftp_server --> off httpd_enable_homedirs --> off httpd_execmem --> off httpd_graceful_shutdown --> on httpd_manage_ipa --> off httpd_mod_auth_ntlm_winbind --> off httpd_mod_auth_pam --> off httpd_read_user_content --> off httpd_run_ipa --> off httpd_run_preupgrade --> off httpd_run_stickshift --> off httpd_serve_cobbler_files --> off httpd_setrlimit --> off httpd_ssi_exec --> off httpd_sys_script_anon_write --> off httpd_tmp_exec --> off httpd_tty_comm --> off httpd_unified --> off httpd_use_cifs --> off httpd_use_fusefs --> off httpd_use_gpg --> off httpd_use_nfs --> off httpd_use_openstack --> off httpd_use_sasl --> off httpd_verify_dns --> off named_tcp_bind_http_port --> off prosody_bind_http_port --> off [yc@yc html]$ sudo setsebool -P httpd_enable_homedirs=on [yc@yc html]$ sudo getsebool -a|grep httpd_enable_homedirs httpd_enable_homedirs --> on
参考资料
Linux学习之CentOS(三十)--SELinux安全系统基础
http://www.cnblogs.com/xiaoluo501395377/archive/2013/05/26/3100444.html