
CentOS: the SELinux security-enhanced policy you need to know

Original article by benson123, 2023-07-04

SELinux is short for Security-Enhanced Linux. It is a kernel module developed by the US National Security Agency and is mainly used in Red Hat Linux and its derivatives such as CentOS, while Ubuntu, SUSE and their derivatives use AppArmor instead.

Traditional Linux uses Discretionary Access Control (DAC). Under DAC a process runs with a user ID (UID) or a set-owner-user-ID (SUID) identity and receives that user's permissions on files, sockets and other resources, so malicious code can easily run with a particular set of privileges.

Mandatory Access Control (MAC) enforces isolation on the basis of confidentiality and integrity in order to limit damage. Whether a resource may be accessed depends not only on the user identity but also on whether each individual process is allowed to access that class of resource. So even when a process runs as root, the type of the process and the resource types it is allowed to access are checked before access to a resource is granted, and the space a process can act in is squeezed to the minimum. SELinux uses MAC.

Put plainly, SELinux minimises the resources that the system's service processes can reach. With the default enabled configuration the security level is therefore very high, and many routine operations are restricted.

In SELinux, when a subject (such as a program) wants to access an object (such as a file), the kernel's policy database looks up the current run mode of the system and, depending on that mode, decides whether to grant access to the object. If access is denied, a denial message is written to /var/log/messages.
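The denial messages mentioned above are the first thing to look at when a service stops working under SELinux. The following shell script is an added example (not part of the original post) that summarises AVC denial lines by source domain, target type, object class and permission, so you can see at a glance what was blocked before touching any policy. The log lines in `SAMPLE_AVC` are constructed; the pids, inodes and timestamps are made up.

```shell
#!/bin/sh
# Added example: triage SELinux AVC denials from audit.log / messages.
# Feed real data with:  grep 'avc:  denied' /var/log/audit/audit.log | avc_summary

# Constructed sample of kernel AVC denial lines (values are made up).
SAMPLE_AVC='type=AVC msg=audit(1688456789.101:311): avc:  denied  { name_connect } for  pid=2210 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1688456790.202:312): avc:  denied  { name_connect } for  pid=2211 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1688456791.303:313): avc:  denied  { read } for  pid=2212 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1688456792.404:314): avc:  denied  { write } for  pid=900 comm="sshd" name="authorized_keys" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1'

# Read denial lines on stdin; print "count src_type -> tgt_type class { perm } mode",
# most frequent first. permissive=1 lines are tagged "would-deny": in
# Permissive mode the kernel logs the denial but does not block the access.
avc_summary() {
    awk '
    /avc:  denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""; mode = "denied"
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            # the third field of a context (user:role:type:level) is the type
            if (kv[1] == "scontext") { split(kv[2], p, ":"); src = p[3] }
            if (kv[1] == "tcontext") { split(kv[2], p, ":"); tgt = p[3] }
            if (kv[1] == "tclass")   cls = kv[2]
            if (kv[1] == "permissive" && kv[2] == "1") mode = "would-deny"
        }
        count[src " -> " tgt " " cls " { " perm " } " mode]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Run the summary over the constructed sample.
demo_avc() { printf '%s\n' "$SAMPLE_AVC" | avc_summary; }
```

In the sample, the httpd_t -> mysqld_port_t name_connect line is exactly the case the httpd_can_network_connect_db boolean later in this post exists for; a read denial on user_home_t, by contrast, usually points at a wrong file label rather than a missing boolean.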

  • SELinux run modes (Mode); there are three:
    • Enforcing: the SELinux policy is enforced
    • Permissive: the SELinux policy is not enforced; access is not denied, but denials are written to the log
    • Disabled: the SELinux policy is disabled

```
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
```

By default, current CentOS systems run SELinux in Enforcing mode. The current mode can be checked with the getenforce command.

  • Changing the mode (changing it to Disabled is not recommended)
    • Method 1:
      • As root, run setenforce 0 to switch to Permissive (the security policy is not enforced); run setenforce 1 to switch back to Enforcing
    • Method 2:
      • Edit /etc/selinux/config and change the value of SELINUX in that file
  • Policy type SELINUXTYPE
    • targeted: confines most network-service processes (dhcpd, httpd, named, nscd, ntpd, portmap, snmpd, squid, syslogd)
    • minimum: only selected processes are protected
    • mls: Multi-Level Security protection, the strictest policy
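Method 1 above only changes the running kernel; method 2 decides the mode at the next boot, and a typo in that file is easy to make. The script below is an added example (not part of the original post) that changes the SELINUX= line of an /etc/selinux/config-style file only after validating the value, and warns on the Disabled choice the post advises against. It works on a file path you pass in, so it can be tried on a copy; the sample config is constructed from the file shown above.

```shell
#!/bin/sh
# Added example: validated edit of the boot-time SELinux mode.
# setenforce 0/1 changes the live kernel only; SELINUX= in the config file
# is what the kernel reads at boot.

# Print the active (non-comment) SELINUX= value of a config file.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Rewrite SELINUX= in the given file. Returns 1 for an unknown mode so a
# typo cannot leave the file in a state the kernel rejects at boot.
# Note (added here, not from the post): moving from disabled back to
# permissive/enforcing needs a reboot and a full relabel (touch /.autorelabel),
# otherwise files created while disabled carry no or wrong labels.
set_selinux_config_mode() {
    local file="$1" mode="$2" tmp
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode" >&2; return 1 ;;
    esac
    if [ "$mode" = disabled ]; then
        echo "warning: disabled unconfines every process; prefer permissive" >&2
    fi
    # write to a temp file and move it into place so a failed sed never truncates the config
    tmp=$(mktemp) || return 1
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed sample config mirroring the one shown in the post.
write_sample_config() {
    cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
}

# Demo on a throwaway copy rather than the live /etc/selinux/config.
demo_mode_change() {
    f=$(mktemp) && write_sample_config "$f"
    echo "before: $(selinux_config_mode "$f")"
    set_selinux_config_mode "$f" permissive && echo "after:  $(selinux_config_mode "$f")"
    rm -f "$f"
}
```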

When the system's SELinux mode is enforcing or permissive, sestatus -v shows the policy details; when it is disabled, no further information is available.


```
[root@centos7 ~]# getenforce
Enforcing
[root@centos7 ~]# sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

Process contexts:
Current context:                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context:                   system_u:system_r:init_t:s0
/usr/sbin/sshd                  system_u:system_r:sshd_t:s0-s0:c0.c1023

File contexts:
Controlling terminal:           unconfined_u:object_r:user_devpts_t:s0
/etc/passwd                     system_u:object_r:passwd_file_t:s0
/etc/shadow                     system_u:object_r:shadow_t:s0
/bin/bash                       system_u:object_r:shell_exec_t:s0
/bin/login                      system_u:object_r:login_exec_t:s0
/bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty                    system_u:object_r:getty_exec_t:s0
/sbin/init                      system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0
```

```
[root@centos7 ~]# setenforce 0
[root@centos7 ~]# getenforce
Permissive
[root@centos7 ~]# sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

Process contexts:
Current context:                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context:                   system_u:system_r:init_t:s0
/usr/sbin/sshd                  system_u:system_r:sshd_t:s0-s0:c0.c1023

File contexts:
Controlling terminal:           unconfined_u:object_r:user_devpts_t:s0
/etc/passwd                     system_u:object_r:passwd_file_t:s0
/etc/shadow                     system_u:object_r:shadow_t:s0
/bin/bash                       system_u:object_r:shell_exec_t:s0
/bin/login                      system_u:object_r:login_exec_t:s0
/bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty                    system_u:object_r:getty_exec_t:s0
/sbin/init                      system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0
```

With sestatus -b you can see the concrete policy boolean settings (the author's remarks on selected booleans are given as trailing comments).


```
[root@centos7 ~]# sestatus -b
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

Policy booleans:
abrt_anon_write                 off
abrt_handle_event               off
abrt_upload_watch_anon_write    on    # allows abrt upload-watch writes, on by default
antivirus_can_scan_system       off
antivirus_use_jit               off
auditadm_exec_content           on    # allows auditadm to execute content, on by default
authlogin_nsswitch_use_ldap     off
authlogin_radius                off
authlogin_yubikey               off
awstats_purge_apache_log_files  off
boinc_execmem                   on
cdrecord_read_content           off
cluster_can_network_connect     off
cluster_manage_all_files        off
cluster_use_execmem             off
cobbler_anon_write              off
cobbler_can_network_connect     off
cobbler_use_cifs                off
cobbler_use_nfs                 off
collectd_tcp_network_connect    off
condor_tcp_network_connect      off
conman_can_network              off
conman_use_nfs                  off
container_connect_any           off
container_manage_cgroup         off
container_use_cephfs            off
cron_can_relabel                off
cron_system_cronjob_use_shares  off
cron_userdomain_transition      on
cups_execmem                    off
cvs_read_shadow                 off
daemons_dump_core               off
daemons_enable_cluster_mode     off
daemons_use_tcp_wrapper         off
daemons_use_tty                 off
dbadm_exec_content              on
dbadm_manage_user_files         off
dbadm_read_user_files           off
deny_execmem                    off
deny_ptrace                     off
dhcpc_exec_iptables             off
dhcpd_use_ldap                  off
domain_can_mmap_files           on
domain_can_write_kmsg           off
domain_fd_use                   on
domain_kernel_load_modules      off
entropyd_use_audio              on
exim_can_connect_db             off
exim_manage_user_files          off
exim_read_user_files            off
fcron_crond                     off
fenced_can_network_connect      off
fenced_can_ssh                  off
fips_mode                       on
ftpd_anon_write                 off
ftpd_connect_all_unreserved     off
ftpd_connect_db                 off
ftpd_full_access                off
ftpd_use_cifs                   off
ftpd_use_fusefs                 off
ftpd_use_nfs                    off   # allows ftpd to use NFS, off by default
ftpd_use_passive_mode           off
ganesha_use_fusefs              off
git_cgi_enable_homedirs         off
git_cgi_use_cifs                off
git_cgi_use_nfs                 off
git_session_bind_all_unreserved_ports off
git_session_users               off
git_system_enable_homedirs      off
git_system_use_cifs             off
git_system_use_nfs              off
gitosis_can_sendmail            off
glance_api_can_network          off
glance_use_execmem              off
glance_use_fusefs               off
global_ssp                      off
gluster_anon_write              off
gluster_export_all_ro           off
gluster_export_all_rw           on
gluster_use_execmem             off
gpg_web_anon_write              off
gssd_read_tmp                   on
guest_exec_content              on
haproxy_connect_any             off
httpd_anon_write                off
httpd_builtin_scripting         on
httpd_can_check_spam            off
httpd_can_connect_ftp           off   # allows httpd to connect to FTP services, off by default
httpd_can_connect_ldap          off
httpd_can_connect_mythtv        off
httpd_can_connect_zabbix        off
httpd_can_network_connect       off   # allows httpd to connect to the network, off by default
httpd_can_network_connect_cobbler off
httpd_can_network_connect_db    off   # allows httpd to connect to databases, off by default
httpd_can_network_memcache      off   # allows httpd to connect to memcache, off by default
httpd_can_network_relay         off   # allows httpd to act as a network relay, off by default
httpd_can_sendmail              off   # allows httpd to send mail, off by default
httpd_dbus_avahi                off
httpd_dbus_sssd                 off
httpd_dontaudit_search_dirs     off
httpd_enable_cgi                on
httpd_enable_ftp_server         off
httpd_enable_homedirs           off
httpd_execmem                   off
httpd_graceful_shutdown         on
httpd_manage_ipa                off
httpd_mod_auth_ntlm_winbind     off
httpd_mod_auth_pam              off
httpd_read_user_content         off
httpd_run_ipa                   off
httpd_run_preupgrade            off
httpd_run_stickshift            off
httpd_serve_cobbler_files       off
httpd_setrlimit                 off
httpd_ssi_exec                  off
httpd_sys_script_anon_write     off
httpd_tmp_exec                  off
httpd_tty_comm                  off
httpd_unified                   off
httpd_use_cifs                  off
httpd_use_fusefs                off
httpd_use_gpg                   off
httpd_use_nfs                   off
httpd_use_openstack             off
httpd_use_sasl                  off
httpd_verify_dns                off
icecast_use_any_tcp_ports       off
irc_use_any_tcp_ports           off
irssi_use_full_network          off
kdumpgui_run_bootloader         off
keepalived_connect_any          off
kerberos_enabled                on
ksmtuned_use_cifs               off
ksmtuned_use_nfs                off
logadm_exec_content             on
logging_syslogd_can_sendmail    off
logging_syslogd_run_nagios_plugins off
logging_syslogd_use_tty         on
login_console_enabled           on
logrotate_read_inside_containers off
logrotate_use_nfs               off
logwatch_can_network_connect_mail off
lsmd_plugin_connect_any         off
mailman_use_fusefs              off
mcelog_client                   off
mcelog_exec_scripts             on
mcelog_foreground               off
mcelog_server                   off
minidlna_read_generic_user_content off
mmap_low_allowed                off
mock_enable_homedirs            off
mount_anyfile                   on
mozilla_plugin_bind_unreserved_ports off
mozilla_plugin_can_network_connect off
mozilla_plugin_use_bluejeans    off
mozilla_plugin_use_gps          off
mozilla_plugin_use_spice        off
mozilla_read_content            off
mpd_enable_homedirs             off
mpd_use_cifs                    off
mpd_use_nfs                     off
mplayer_execstack               off
mysql_connect_any               off   # allows mysql to connect to anything, off by default
nagios_run_pnp4nagios           off
nagios_run_sudo                 off
nagios_use_nfs                  off
named_tcp_bind_http_port        off
named_write_master_zones        off
neutron_can_network             off
nfs_export_all_ro               on
nfs_export_all_rw               on
nfsd_anon_write                 off
nis_enabled                     off
nscd_use_shm                    on
openshift_use_nfs               off
openvpn_can_network_connect     on
openvpn_enable_homedirs         on
openvpn_run_unconfined          off
pcp_bind_all_unreserved_ports   off
pcp_read_generic_logs           off
piranha_lvs_can_network_connect off
polipo_connect_all_unreserved   off
polipo_session_bind_all_unreserved_ports off
polipo_session_users            off
polipo_use_cifs                 off
polipo_use_nfs                  off
polyinstantiation_enabled       off
postfix_local_write_mail_spool  on
postgresql_can_rsync            off
postgresql_selinux_transmit_client_label off
postgresql_selinux_unconfined_dbadm on
postgresql_selinux_users_ddl    on
pppd_can_insmod                 off
pppd_for_user                   off
privoxy_connect_any             on
prosody_bind_http_port          off
puppetagent_manage_all_files    off
puppetmaster_use_db             off
racoon_read_shadow              off
radius_use_jit                  off
redis_enable_notify             off
rpcd_use_fusefs                 off
rsync_anon_write                off
rsync_client                    off
rsync_export_all_ro             off
rsync_full_access               off
samba_create_home_dirs          off
samba_domain_controller         off
samba_enable_home_dirs          off
samba_export_all_ro             off
samba_export_all_rw             off
samba_load_libgfapi             off
samba_portmapper                off
samba_run_unconfined            off
samba_share_fusefs              off
samba_share_nfs                 off
sanlock_enable_home_dirs        off
sanlock_use_fusefs              off
sanlock_use_nfs                 off
sanlock_use_samba               off
saslauthd_read_shadow           off
secadm_exec_content             on
secure_mode                     off
secure_mode_insmod              off
secure_mode_policyload          off
selinuxuser_direct_dri_enabled  on
selinuxuser_execheap            off
selinuxuser_execmod             on
selinuxuser_execstack           on
selinuxuser_mysql_connect_enabled off
selinuxuser_ping                on
selinuxuser_postgresql_connect_enabled off
selinuxuser_rw_noexattrfile     on
selinuxuser_share_music         off
selinuxuser_tcp_server          off
selinuxuser_udp_server          off
selinuxuser_use_ssh_chroot      off
sge_domain_can_network_connect  off
sge_use_nfs                     off
smartmon_3ware                  off
smbd_anon_write                 off
spamassassin_can_network        off
spamd_enable_home_dirs          on
spamd_update_can_network        off
squid_connect_any               on
squid_use_tproxy                off
ssh_chroot_rw_homedirs          off
ssh_keysign                     off
ssh_sysadm_login                off
staff_exec_content              on
staff_use_svirt                 off
swift_can_network               off
sysadm_exec_content             on
telepathy_connect_all_ports     off
telepathy_tcp_connect_generic_network_ports on
tftp_anon_write                 off
tftp_home_dir                   off
tmpreaper_use_cifs              off
tmpreaper_use_nfs               off
tmpreaper_use_samba             off
tomcat_can_network_connect_db   off
tomcat_read_rpm_db              off
tomcat_use_execmem              off
tor_bind_all_unreserved_ports   off
tor_can_network_relay           off
unconfined_chrome_sandbox_transition on
unconfined_login                on
unconfined_mozilla_plugin_transition on
unprivuser_use_svirt            off
use_ecryptfs_home_dirs          off
use_fusefs_home_dirs            off
use_lpd_server                  off
use_nfs_home_dirs               off
use_samba_home_dirs             off
user_exec_content               on
varnishd_connect_any            off
virt_read_qemu_ga_data          off
virt_rw_qemu_ga_data            off
virt_sandbox_use_all_caps       on
virt_sandbox_use_audit          on
virt_sandbox_use_fusefs         off
virt_sandbox_use_mknod          off
virt_sandbox_use_netlink        off
virt_sandbox_use_sys_admin      off
virt_transition_userdomain      off
virt_use_comm                   off
virt_use_execmem                off
virt_use_fusefs                 off
virt_use_glusterd               off
virt_use_nfs                    on
virt_use_rawip                  off
virt_use_samba                  off
virt_use_sanlock                off
virt_use_usb                    on
virt_use_xserver                off
webadm_manage_user_files        off
webadm_read_user_files          off
wine_mmap_zero_ignore           off
xdm_bind_vnc_tcp_port           off
xdm_exec_bootloader             off
xdm_sysadm_login                off
xdm_write_home                  off
xen_use_nfs                     off
xend_run_blktap                 on
xend_run_qemu                   on
xguest_connect_network          on
xguest_exec_content             on
xguest_mount_media              on
xguest_use_bluetooth            on
xserver_clients_write_xshm      off
xserver_execmem                 off
xserver_object_manager          off
zabbix_can_network              off
zabbix_run_sudo                 off
zarafa_setrlimit                off
zebra_write_config              off
zoneminder_anon_write           off
zoneminder_run_sudo             off
[root@centos7 ~]#
```

You can see each boolean's configuration and description with semanage boolean --list, get help with semanage boolean -h, and change a boolean temporarily with setsebool <boolean> <on|off>.


```
[root@vircent7 ~]# semanage boolean --list
SELinux 布尔值                                 状态  默认 描述
privoxy_connect_any                            (开 , 开)  Allow privoxy to connect any
smartmon_3ware                                 (关 , 关)  Allow smartmon to 3ware
mpd_enable_homedirs                            (关 , 关)  Allow mpd to enable homedirs
xdm_sysadm_login                               (关 , 关)  Allow xdm to sysadm login
xen_use_nfs                                    (关 , 关)  Allow xen to use nfs
mozilla_read_content                           (关 , 关)  Allow mozilla to read content
ssh_chroot_rw_homedirs                         (关 , 关)  Allow ssh to chroot rw homedirs
mount_anyfile                                  (开 , 开)  Allow mount to anyfile
cron_userdomain_transition                     (开 , 开)  Allow cron to userdomain transition
xdm_write_home                                 (关 , 关)  Allow xdm to write home
openvpn_can_network_connect                    (开 , 开)  Allow openvpn to can network connect
xserver_execmem                                (关 , 关)  Allow xserver to execmem
minidlna_read_generic_user_content             (关 , 关)  Allow minidlna to read generic user content
authlogin_nsswitch_use_ldap                    (关 , 关)  Allow authlogin to nsswitch use ldap
gluster_anon_write                             (关 , 关)  Allow gluster to anon write
piranha_lvs_can_network_connect                (关 , 关)  Allow piranha to lvs can network connect
selinuxuser_execmod                            (开 , 开)  Allow selinuxuser to execmod
httpd_can_network_relay                        (关 , 关)  Allow httpd to can network relay
openvpn_enable_homedirs                        (开 , 开)  Allow openvpn to enable homedirs
glance_use_execmem                             (关 , 关)  Allow glance to use execmem
telepathy_tcp_connect_generic_network_ports    (开 , 开)  Allow telepathy to tcp connect generic network ports
httpd_can_connect_mythtv                       (关 , 关)  Allow httpd to can connect mythtv
unconfined_mozilla_plugin_transition           (开 , 开)  Allow unconfined to mozilla plugin transition
nagios_run_sudo                                (关 , 关)  Allow nagios to run sudo
httpd_can_network_connect_db                   (关 , 关)  Allow httpd to can network connect db
use_ecryptfs_home_dirs                         (关 , 关)  Allow use to ecryptfs home dirs
mpd_use_nfs                                    (关 , 关)  Allow mpd to use nfs
postgresql_can_rsync                           (关 , 关)  Allow postgresql to can rsync
polipo_connect_all_unreserved                  (关 , 关)  Allow polipo to connect all unreserved
httpd_use_gpg                                  (关 , 关)  Allow httpd to use gpg
samba_export_all_rw                            (关 , 关)  Allow samba to export all rw
samba_domain_controller                        (关 , 关)  Allow samba to domain controller
httpd_dbus_sssd                                (关 , 关)  Allow httpd to dbus sssd
selinuxuser_udp_server                         (关 , 关)  Allow selinuxuser to udp server
fenced_can_network_connect                     (关 , 关)  Allow fenced to can network connect
httpd_enable_cgi                               (开 , 开)  Allow httpd to enable cgi
polipo_use_cifs                                (关 , 关)  Allow polipo to use cifs
xend_run_blktap                                (开 , 开)  Allow xend to run blktap
httpd_verify_dns                               (关 , 关)  Allow httpd to verify dns
ftpd_use_cifs                                  (关 , 关)  Allow ftpd to use cifs
polyinstantiation_enabled                      (关 , 关)  Allow polyinstantiation to enabled
virt_use_nfs                                   (开 , 开)  Allow virt to use nfs
virt_use_comm                                  (关 , 关)  Allow virt to use comm
tmpreaper_use_cifs                             (关 , 关)  Allow tmpreaper to use cifs
rsync_client                                   (关 , 关)  Allow rsync to client
xdm_exec_bootloader                            (关 , 关)  Allow xdm to exec bootloader
exim_read_user_files                           (关 , 关)  Allow exim to read user files
use_nfs_home_dirs                              (关 , 关)  Allow use to nfs home dirs
```
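Because setsebool without -P is temporary and booleans such as httpd_can_network_connect are easy to flip "just to make it work" and forget, it is worth checking a host's booleans against an agreed baseline. The script below is an added example (not the post's own code) that reads sestatus -b output on stdin, compares it with a baseline file, and prints the persistent setsebool -P command that would restore each drifted value. Both the baseline and the sestatus excerpt are constructed for the example.

```shell
#!/bin/sh
# Added example: detect SELinux boolean drift from an agreed baseline.
# setsebool NAME on|off changes the running value only; setsebool -P NAME on|off
# also stores it in the policy so the value survives a reboot.

# Constructed baseline: "name expected-state", one per line. The httpd_*
# entries are the booleans the post calls out as off by default.
BASELINE='httpd_can_network_connect off
httpd_can_network_connect_db off
httpd_can_sendmail off
deny_ptrace on
ftpd_use_nfs off'

# Constructed excerpt of `sestatus -b` output with two drifted values:
# httpd_can_network_connect was turned on and deny_ptrace was left off.
SAMPLE_STATUS='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   enforcing
Policy booleans:
deny_ptrace                     off
ftpd_use_nfs                    off
httpd_can_network_connect       on
httpd_can_network_connect_db    off
httpd_can_sendmail              off'

# Usage: sestatus -b | boolean_drift BASELINE_FILE
# Prints "name actual expected" plus the fix for each mismatch; returns 1 if
# any drift was found so it can gate a CI job or a config-management run.
boolean_drift() {
    awk -v base="$1" '
    BEGIN { while ((getline line < base) > 0) { split(line, f, " "); want[f[1]] = f[2] } }
    /^Policy booleans:/ { inlist = 1; next }          # booleans follow this header
    inlist && NF == 2 { have[$1] = $2 }               # "name on|off"
    END {
        drift = 0
        for (b in want) {
            if (!(b in have)) { print b, "missing", want[b]; drift = 1; continue }
            if (have[b] != want[b]) {
                print b, have[b], want[b]
                print "  fix: setsebool -P", b, want[b]
                drift = 1
            }
        }
        exit drift
    }'
}
```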
[Copyright notice] This article is original content by a 墨天轮 (modb.pro) user. When reprinting, the source (墨天轮), the article link, the author and other basic information must be credited; otherwise the author and 墨天轮 reserve the right to pursue liability. If you find content on 墨天轮 that appears to be plagiarised or infringing, please email contact@modb.pro with supporting evidence; once verified, 墨天轮 will remove the content immediately.
