1) root holds every permission, so if the root account is compromised (for example its password is stolen) the whole system is exposed.
2) Users can use ordinary programs to change the access permissions of their file resources, for example opening a private file to everyone, and DAC has no way to prevent it.
2. Mandatory Access Control (MAC): policy rules specify which particular programs may read which particular files.
MAC applies access control to the combination of a specific program and a specific file resource. Therefore, even if you are root, you do not necessarily get all of root's permissions: what you can do depends on the program you are running at the time. The subject being controlled becomes the program rather than the user, and each file resource in turn records which program types may use it. For example, by default httpd can only access files under the /var/www directory. If the httpd program wants to access data in other directories,
Two, How SELinux works
3. Policy: because there are so many programs and files, SELinux groups its access rules into policies built around particular services, and each policy contains many detailed rules. The policies shipped with CentOS are:
1) targeted: tight restrictions on network services, few restrictions on local (login) processes. This is the default policy.
2) minimum: derived from targeted; only selected processes are protected.
3) mls: Multi Level Security, the complete set of SELinux restrictions, and quite strict. targeted is the recommended choice.
4. Security context: the policy compares the security context of the subject with that of the target; access goes ahead only if a rule permits that pairing.
The focus of all this is how a "subject" obtains access to a "target" resource, as the figure above shows:
(1) The subject process must first be released by a rule in the SELinux policy; only then is its security context compared against the target resource's.
(2) If the comparison fails, the target cannot be accessed. If it succeeds, access may begin, but whether the target can ultimately be accessed still depends on the file system's rwx permission bits. Both checks must pass (the kernel actually evaluates the rwx bits before the SELinux hook, but since either failure denies the access the outcome is the same). So once SELinux is added, whenever a "permission denied" appears you have to analyse the possible causes step by step: the rwx bits, the type of the target, the domain of the subject, and the rules in the policy.
The security context of a file or directory is shown with ls -Z; a "?" in that column means the file system carries no SELinux label at all:
[root@VM_167_181_centos /]# ls -Z
lrwxrwxrwx. root root system_u:object_r:bin_t:s0 bin -> usr/bin
dr-xr-xr-x. root root system_u:object_r:boot_t:s0 boot
drwxr-xr-x root root ? data
drwxr-xr-x root root ? dev
drwxr-xr-x. root root system_u:object_r:etc_t:s0 etc
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 home
A security context has the form identity:role:type:level, for example system_u:object_r:etc_t:s0 above. The fields are:
1) Identity: roughly the account the context belongs to. The common values are:
unconfined_u: an unrestricted user. When an account logs in and obtains bash, that bash environment is by default not regulated by SELinux, because bash is not a special network service. Files produced by such an unrestricted bash process therefore mostly carry the unconfined_u identity.
system_u: the system user. Most files produced by the system itself, by network services or by system daemons carry this identity.
2) Role: through this field we can tell whether the entry is a file resource, a program, or a user. The usual values are:
object_r: a file resource such as a file or directory (the most common case).
system_r: a program (ordinary users may also be assigned system_r).
3) Type: the most important field in the default targeted policy. Whether a program may read a file resource is decided by this field, and it has a different name on files and on programs:
1) type: on a file resource.
2) domain: on the subject program (process).
How the identity and role fields correspond in the targeted policy:
| Identity | Role | Meaning under targeted |
|---|---|---|
| unconfined_u | unconfined_r | Programs of a normally logged-in user; relatively unrestricted. Most are the programs a user runs after logging in (over the network or locally) and obtaining a shell: bash, X Window related software and so on. |
| system_u | system_r | A system account, so non-interactive system processes. Most system daemons are of this type. |
In the default targeted policy the most important field is the type field: whether a subject may read or write a target is decided by the pairing of the process's domain and the file's type. Let us use crond and its configuration files to illustrate the relationship between the two, that is /usr/sbin/crond, /etc/crontab, /etc/cron.d and so on.
# 1. First look at the security context of crond:
[root@study ~]# ps -eZ | grep cron
system_u:system_r:crond_t:s0-s0:c0.c1023 1338 ? 00:00:01 crond
system_u:system_r:crond_t:s0-s0:c0.c1023 1340 ? 00:00:00 atd
# The type of this security context is crond_t (a domain, since it belongs to a process).
# 2. Then the security contexts of the executable, the configuration files and so on:
[root@study ~]# ll -Zd /usr/sbin/crond /etc/crontab /etc/cron.d
drwxr-xr-x. root root system_u:object_r:system_cron_spool_t:s0 /etc/cron.d
-rw-r--r--. root root system_u:object_r:system_cron_spool_t:s0 /etc/crontab
-rwxr-xr-x. root root system_u:object_r:crond_exec_t:s0 /usr/sbin/crond
When /usr/sbin/crond (file type crond_exec_t) is executed, the resulting process carries the domain crond_t, and crond_t is permitted by the policy to read configuration files of type system_cron_spool_t. /etc/crontab, /etc/cron.d and /var/spool/cron all carry related SELinux types (/var/spool/cron is user_cron_spool_t). Step by step:
1. /usr/sbin/crond, of type crond_exec_t, is executed;
2. this produces the crond process (the subject), whose domain is crond_t;
3. a policy rule decides whether the crond_t domain may read objects of type system_cron_spool_t such as /etc/cron.d;
4. if it may, the ordinary Linux rwx permissions on the file must still grant the access.
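The decision flow above (policy rule on domain and type first, then the rwx bits), together with the context fields and the crond walk-through, as an added example that is not code from the original page. The ps -eZ and ls -Z lines are constructed samples in the CentOS 7 output format: the crond ones copy the page's listing, while /etc/shadow, /var/spool/cron and the unlabelled /data entry are added to show a denial and an unlabelled file. ALLOW_RULES is a hand-written illustration, not an extract of the real targeted policy.

```python
"""Toy model of an SELinux access decision: rule on (domain, type, class)
first, then the file system's rwx bits. Both must allow the access."""
from dataclasses import dataclass

# Constructed samples modelled on `ps -eZ` and `ls -Z` on CentOS 7.
PS_EZ_CROND = "system_u:system_r:crond_t:s0-s0:c0.c1023 1338 ? 00:00:01 crond"

LS_Z_SAMPLES = [
    "drwxr-xr-x. root root system_u:object_r:system_cron_spool_t:s0 /etc/cron.d",
    "-rw-r--r--. root root system_u:object_r:system_cron_spool_t:s0 /etc/crontab",
    "-rwxr-xr-x. root root system_u:object_r:crond_exec_t:s0 /usr/sbin/crond",
    "drwx------. root root system_u:object_r:user_cron_spool_t:s0 /var/spool/cron",
    "----------. root root system_u:object_r:shadow_t:s0 /etc/shadow",
    "drwxr-xr-x root root ? /data",
]

# Hand-written illustration of allow rules (NOT the real targeted policy):
# (subject domain, object type, object class) -> permissions allowed.
ALLOW_RULES = {
    ("crond_t", "system_cron_spool_t", "dir"):  {"getattr", "search", "read", "open"},
    ("crond_t", "system_cron_spool_t", "file"): {"getattr", "read", "open"},
    ("crond_t", "user_cron_spool_t", "dir"):    {"getattr", "search", "read", "open"},
    ("crond_t", "crond_exec_t", "file"):        {"getattr", "read", "execute", "open"},
}

# Which rwx bit each permission needs in the DAC check.
DAC_BIT = {"read": "r", "write": "w", "execute": "x", "search": "x"}


@dataclass(frozen=True)
class Context:
    user: str   # identity: unconfined_u, system_u, ...
    role: str   # object_r on files; system_r / unconfined_r on processes
    type: str   # file type, or the domain when this is a process
    level: str  # MLS/MCS range such as s0 or s0-s0:c0.c1023

    @classmethod
    def parse(cls, text):
        # maxsplit=3 is essential: the MCS range itself contains a colon.
        parts = text.split(":", 3)
        if len(parts) != 4:
            raise ValueError("not a user:role:type:level context: %r" % text)
        return cls(*parts)

    @property
    def is_domain(self):
        return self.role != "object_r"


def context_from_ps(line):
    """ps -eZ prints the process context as the first column."""
    return Context.parse(line.split()[0])


def object_from_ls(line):
    """ls -Z line -> (mode, owner, group, Context, path). '?' means unlabelled."""
    mode, owner, group, ctx, path = line.split(None, 4)
    if ctx == "?":
        raise ValueError("%s carries no SELinux label (ls -Z shows '?')" % path)
    return mode.rstrip("."), owner, group, Context.parse(ctx), path


def dac_allows(mode, owner, group, perm, user, groups):
    """Classic rwx check; root (CAP_DAC_OVERRIDE) only needs some x bit to execute."""
    want = DAC_BIT.get(perm)
    if want is None:            # getattr/open are not gated by rwx bits here
        return True
    bits = mode[1:]             # drop the file-type character
    if user == "root":
        return want != "x" or "x" in bits
    if user == owner:
        triplet = bits[0:3]
    elif group in groups:
        triplet = bits[3:6]
    else:
        triplet = bits[6:9]
    return want in triplet


def decide(subject, ls_line, perm, user="root", groups=("root",)):
    """Return (allowed, reason). The rule check and the rwx check must both pass.

    The real kernel evaluates the rwx bits before the SELinux hook; the order
    below follows the page's narrative, and the outcome is identical."""
    mode, owner, group, obj, path = object_from_ls(ls_line)
    if not subject.is_domain or obj.is_domain:
        raise ValueError("subject must be a process context, target a file context")
    tclass = "dir" if mode.startswith("d") else "file"
    allowed = ALLOW_RULES.get((subject.type, obj.type, tclass), set())
    if perm not in allowed:
        return False, "avc: denied { %s } scontext=%s tcontext=%s tclass=%s" % (
            perm, subject.type, obj.type, tclass)
    if not dac_allows(mode, owner, group, perm, user, groups):
        return False, "EACCES: %s on %s gives %s no %s" % (mode, path, user, perm)
    return True, "granted: rule and rwx bits both allow %s on %s" % (perm, path)


if __name__ == "__main__":
    crond = context_from_ps(PS_EZ_CROND)
    for line in LS_Z_SAMPLES[:5]:
        print(line.split()[-1], decide(crond, line, "read"))
```

Two outcomes are worth noticing when you run it: /etc/shadow is refused to the crond_t domain even though the caller is root, because no rule pairs crond_t with shadow_t (the MAC point from the start of the page), while /var/spool/cron is refused to an unprivileged user even though a rule allows it, because the rwx bits say no.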
Three, the three SELinux modes: enabling, disabling and observing them
SELinux has three modes, depending on whether it is enabled and how strictly it acts:
1. enforcing: SELinux is running and actively restricts access according to the domain/type rules.
2. permissive: SELinux is running, but only logs warnings; it does not actually block anything.
3. disabled: SELinux is turned off and no policy is loaded.
The current mode is shown by getenforce, and a fuller picture (loaded policy, current mode and the mode set in the configuration file) by sestatus:
[tang@VM_167_181_centos etc]$ getenforce
[tang@VM_167_181_centos etc]$ sestatus
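A worked check of the three modes, as an added example that is not code from the original page: it parses sestatus output, reports the running mode and the mode that /etc/selinux/config will apply at the next boot (drift between the two is what catches people after a temporary setenforce 0), and rewrites the SELINUX= line of a configuration file body. SAMPLE_SESTATUS and SAMPLE_CONFIG are constructed copies in the layout CentOS 7 uses; on a real host feed in the output of sestatus and the contents of /etc/selinux/config instead.

```python
"""Report the SELinux mode and spot drift between the running mode and
/etc/selinux/config; rewrite the SELINUX= setting safely."""
import re

# Constructed sample in the layout of `sestatus` on CentOS 7 (after setenforce 0).
SAMPLE_SESTATUS = """\
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
"""

# sestatus prints only this line when SELinux is disabled.
SAMPLE_SESTATUS_DISABLED = "SELinux status:                 disabled\n"

# Constructed copy of a stock /etc/selinux/config.
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
"""

MODES = ("enforcing", "permissive", "disabled")


def parse_sestatus(text):
    """'Key:   value' lines -> dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def selinux_state(sestatus_text):
    """Return (current mode, mode configured for next boot or None, note)."""
    f = parse_sestatus(sestatus_text)
    if f.get("SELinux status") != "enabled":
        return ("disabled", None,
                "no policy loaded; files created now get no label, so re-enabling "
                "needs a relabel (touch /.autorelabel) and a reboot")
    current = f.get("Current mode", "unknown")
    configured = f.get("Mode from config file", "unknown")
    if current == configured:
        note = "running mode matches /etc/selinux/config"
    elif current == "permissive":
        note = ("permissive only until reboot (setenforce 0?); "
                "the config file applies %s at next boot" % configured)
    else:
        note = "config file says %s; that takes effect at the next boot" % configured
    return current, configured, note


def config_mode(config_text):
    """Mode that /etc/selinux/config will apply at boot (None if absent)."""
    m = re.search(r"^\s*SELINUX\s*=\s*(\w+)", config_text, re.M)
    return m.group(1) if m else None


def set_config_mode(config_text, mode):
    """Rewrite the SELINUX= line (leaving SELINUXTYPE= and comments alone)."""
    if mode not in MODES:
        raise ValueError("mode must be one of %s" % (MODES,))
    out, seen = [], False
    for line in config_text.splitlines():
        # Anchored match: skips '# SELINUX= can take...' and 'SELINUXTYPE='.
        if re.match(r"\s*SELINUX\s*=", line):
            line, seen = "SELINUX=%s" % mode, True
        out.append(line)
    if not seen:
        out.append("SELINUX=%s" % mode)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(selinux_state(SAMPLE_SESTATUS))
    print(selinux_state(SAMPLE_SESTATUS_DISABLED))
    print(config_mode(set_config_mode(SAMPLE_CONFIG, "permissive")))
```

The sample deliberately shows the common trap: sestatus reports "Current mode: permissive" but "Mode from config file: enforcing", so a host that someone put into permissive mode with setenforce 0 silently goes back to enforcing on the next reboot; the reverse drift (config edited to disabled, still running enforcing) is reported the same way.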