Linux Learning - SELinux

###SELinux###
Features:
 1. Mandatory Access Control (MAC)
 2. Standard Linux/Unix permissions are Discretionary Access Controls (DACs): the owner of an object decides who may access it
i.e. 
-rw-rw-r--. 1 linuxcbt linuxcbt 2129783 Jan  7 17:06 temp.zip
(the trailing '.' after the mode bits means the file carries an SELinux context)
 3. A labeling system is applied to subjects & objects
 4. Subjects -> users and/or processes
 5. Objects -> files, directories, ports, sockets, etc.
 6. SELinux via MAC separates users, processes, and objects by label; every access is decided against the policy, and the decisions are cached in the Access Vector Cache (AVC)
 7. A label is a security context of the form user:role:type:level; the 'type' field is what the targeted policy uses to build the silos around subjects & objects (type enforcement)
 8. DACs are checked prior to MACs: a DAC denial never reaches SELinux, so ordinary permissions still matter
 9. SELinux is enabled in 'enforcing' mode by default on RHEL/CentOS/Fedora
10. SELinux operates in 3 modes: disabled (DAC only), permissive (DAC; MAC denials are logged but not enforced), enforcing (DAC + MAC enforced)
11. Log information: '/var/log/audit/audit.log' - AVC denials are logged here (type=AVC records)
12. Policy information is defined in the 'targeted' policy




Tasks:
 1. Explore common tools
  a. 'sestatus -v' - displays current status (mode, loaded policy, contexts of key processes and files)
  b. 'setenforce 0|1' - switches between permissive (0) and enforcing (1) at runtime; the change does not survive a reboot
  c. '/etc/sysconfig/selinux' - primary config file (a symlink to '/etc/selinux/config'); sets the boot-time mode (SELINUX=) and policy (SELINUXTYPE=)
  d. '/selinux' - '/proc'-like virtual FS that exposes SELinux state ('/sys/fs/selinux' on newer systems)
  e. 'setsebool' - sets boolean values for SELinux; use '-P' to make changes persistent across reboots ('getsebool -a' lists them)
  f. '-Z' - use with common commands, i.e. 'ls -Z', 'ps -Z', 'id -Z', to show contexts
  g. Use: 'restorecon -R /var/www/html' - resets ALL files under the path to the type defined in the policy's file-context spec
Note: 'restorecon' is necessary when files are moved about the FS and carry incorrect contexts
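Because 'setenforce' changes only the running mode while the config file decides what happens at the next boot, the two can drift apart. The script below is an added example (not part of the original notes): it reads SELINUX= and SELINUXTYPE= from a file in '/etc/selinux/config' format and compares the persistent mode with the output of 'getenforce'. The sample config it writes to a temp file is constructed so the check runs on a box without SELinux; on a real system it reads the live config and running mode instead.

```shell
#!/bin/sh
# Added example (not from the original notes): compare the persistent SELinux
# mode in a config file with the running mode. 'setenforce 0' changes only the
# running mode; the config file decides what the next boot does.

# Value of SELINUX= in the given config file, ignoring comment lines.
# Prints "unset" if the line is missing.
persistent_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${mode:-unset}"
}

# Value of SELINUXTYPE= (e.g. targeted, mls) in the given config file.
persistent_policy() {
    pol=$(sed -n 's/^[[:space:]]*SELINUXTYPE=\([a-z_]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${pol:-unset}"
}

# Exit 0 when the running mode matches the config, 1 when they differ.
# $1 = config file, $2 = running mode as printed by 'getenforce'
# (Enforcing|Permissive|Disabled).
check_drift() {
    want=$(persistent_mode "$1")
    have=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "$want" = "$have" ]; then
        echo "ok: running=$have config=$want"
        return 0
    fi
    echo "DRIFT: running=$have config=$want (a reboot will change the mode)"
    return 1
}

# Constructed sample config in /etc/selinux/config format, written to a temp
# file so the script runs offline.
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these values: targeted, minimum, mls
SELINUXTYPE=targeted
EOF

# Use the live values where SELinux is present, otherwise show the drift case
# that 'setenforce 0' alone produces against the sample config.
if command -v getenforce >/dev/null 2>&1 && [ -r /etc/selinux/config ]; then
    check_drift /etc/selinux/config "$(getenforce)" || :
else
    check_drift "$SAMPLE_CFG" Permissive || :
fi
```

The sed patterns anchor on the start of the line, so the commented-out examples in the stock config file ('#     enforcing - ...') are not mistaken for settings, and 'SELINUXTYPE=' does not match the 'SELINUX=' pattern because the '=' must follow immediately.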




 2. Switch SELinux mode to 'permissive' and evaluate with Apache->MySQL
  a. 'setenforce 0' - sets SELinux to 'permissive'; denials are only logged, so Apache->MySQL keeps working
  b. 'setsebool httpd_can_network_connect_db off' - disables Apache's ability to talk to MySQL over the network
  c. 'setenforce 1' - sets SELinux to 'enforcing'
  d. Try to invoke an Apache->MySQL session: fails, and an AVC denial for the httpd process is written to '/var/log/audit/audit.log'


 3. Move and copy content and evaluate SELinux context changes
Note: Moves ('mv') preserve the SELinux file (object) context. A file moved from a home directory into /var/www/html keeps its home-directory type, so Apache cannot read it until 'restorecon' relabels it.
Note: Copies ('cp') do NOT preserve the SELinux file (object) context. The new file inherits the context of the target directory (or the type the 'targeted' policy's transition rules define for files created there), which is normally the correct one.
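Both the failed Apache->MySQL session in Task 2 and a mislabeled file from Task 3 end up as type=AVC records in '/var/log/audit/audit.log'. The script below is an added example (not part of the original notes) that pulls the useful fields out of those records: the process name, the source and target types, the object class and the denied permissions. The log lines it works on are constructed samples in audit.log format, not a real capture; when the real log is readable it is used instead.

```shell
#!/bin/sh
# Added example (not from the original notes): summarize AVC denial records
# from audit.log so a network denial or a mislabeled file can be read off in
# one line per denial.

# Value of key=... in one audit record, with surrounding quotes removed.
# $1 = key (comm, scontext, tcontext, tclass, ...), $2 = the record line.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# The permission set between { } in a denial, e.g. "name_connect" or "read write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# Type field of a security context user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Number of denial records in an audit log.
count_denials() {
    grep -c -E 'avc: +denied' "$1"
}

# One line per denial: comm source_type -> target_type (tclass) { perms }
summarize_avc() {
    grep -E 'avc: +denied' "$1" | while IFS= read -r rec; do
        printf '%s %s -> %s (%s) { %s }\n' \
            "$(avc_field comm "$rec")" \
            "$(ctx_type "$(avc_field scontext "$rec")")" \
            "$(ctx_type "$(avc_field tcontext "$rec")")" \
            "$(avc_field tclass "$rec")" \
            "$(avc_perms "$rec")"
    done
}

# Constructed sample log (not a real capture): a network denial of the kind
# Task 2 produces with httpd_can_network_connect_db off, a file denial of the
# kind a 'mv' into /var/www/html produces, and a SYSCALL record to be ignored.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1614000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1614000000.123:456): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1614000001.456:457): avc:  denied  { read } for  pid=1235 comm="httpd" name="index.html" dev="sda1" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF

# Read the real log when it is readable (root), otherwise the sample.
LOG=/var/log/audit/audit.log
[ -r "$LOG" ] || LOG=$SAMPLE_LOG
summarize_avc "$LOG"
```

Reading the summary: a target type ending in _port_t with tclass tcp_socket points at a boolean or port label ('getsebool -a', 'semanage port -l'), while a file-class denial against a home-directory type points at a label that 'ls -Z' will confirm and 'restorecon' will fix. The 'permissive=0' field at the end of each record shows whether the access was actually blocked (0) or only logged (1).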


 4. Relabel full FS of remote server
  a. 'touch /.autorelabel && reboot'
Note: the relabel runs during boot from the policy's file-context spec and the flag file is removed afterwards; more files means a longer reboot
