Article From:


1″ root permissions have the risk of being stolen.

2″ can get the permission to change the file resources.

2.” specifies specific procedures to read specific files with policy rules: delegate access control, MAC

MAC” allows access control to specific programs and specific file resources. Therefore, even if you are root, you may not get all the permissions when using different programs.

” file can also set the recommended permissions for the program. For example, by default, httpd can only access files in the /var/www directory. If the httpd program wants to access data in other directories,

two” and “SELinux”

1.subject:program resources

3.policy:Because of the large number of programs and files, SELinux will develop basic access security policies based on certain services. There are detailed rules in these policies.

1″ targeted: has more restrictions on network services and fewer restrictions on local services. Default policy

2″ minimun: is revised from targeted and is protected only by selected procedures.

3″ MLS: the complete SELinux limit is relatively strict, and it is recommended to use targeted.

4.Security text:The text of the subject and the target must be consistent so that it can be accessed smoothly.

The focus of the above issubjectHow to get ittargetResource access rights! We can see from the above picture.1) The main procedure must pass.SELinux After the release of the rules in the policy, we can compare the security with the target resources.
2) If a comparison fails, the target can not be accessed. If the comparison is successful, the target can begin to be accessed. The question is whether we can ultimately access the target or file system.rwx Permission settings are related! So, joined.SELinux After that, there is no permission.
When it comes to the situation, you have to analyze the possible problems step by step.


[root@VM_167_181_centos /]# ls -Z
lrwxrwxrwx. root root system_u:object_r:bin_t:s0       bin -> usr/bin
dr-xr-xr-x. root root system_u:object_r:boot_t:s0      boot
drwxr-xr-x  root root ?                                data
drwxr-xr-x  root root ?                                dev
drwxr-xr-x. root root system_u:object_r:etc_t:s0       etc
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 home



1″ unconfined_u:

bash After that,
Defaultbash The environment is unacceptable.SELinux Regulated becausebash It’s not a special web service! Therefore, this is not acceptable.SELinux Restrictedbash
Most of the documents generated by the program are identified.unconfined_u thisUnrestrictedUsers.


System users are mostly files produced by the system themselves.


Through this field, we can know that this data is a program, a file resource or a user.

1)object_r:Document resources

2)system_r:Program or user


The most important field in the default targeted policy. Can the program read file resources related to type? The definition of type fields is different from files and programs.

1″ type: on file resources

2″ domain: in the main procedure

> procedure and the document type field:

Identity recognitionroleThis corresponds totargeted Significance
unconfined_u unconfined_rUsers can generally log on to the program! Relatively unlimited procedures
!Most of these are users who have successfully landed the system (whether it is the Internet).
Or the landing is After that, the operating system is used.
Unified procedures! asbash, X window Related software and so on.
system_u system_r Because of the system account, it is a non conversational system running program.
Most of the system programs are of this type!


In the defaulttarget In policy, the most important field is the type field.type) , Is there a right to read and write between the subject and the target?
Programdomain And documenttype Of We can use the relationship between them.crond And his configuration file to illustrate!
That is, it is/usr/sbin/crond, /etc/crontab, /etc/cron.d And so on.  

# 1\. Let's take a look at the safety of crond.[root@study~]# ps -eZ | grep cron
system_u:system_r:crond_t:s0-s0:c0.c1023 1338 ? 00:00:01 crond
system_u:system_r:crond_t:s0-s0:c0.c1023 1340 ? 00:00:00 atd
# The name of this security type is crond_t format.Be2\. Let's look at the security of executable files, configuration files and so on.[root@study~]# ll -Zd /usr/sbin/crond /etc/crontab /etc/cron.d
drwxr-xr-x. root root system_u:object_r:system_cron_spool_t:s0 /etc/cron.d
-rw-r--r--. root root system_u:object_r:system_cron_spool_t:s0 /etc/crontab
-rwxr-xr-x. root root system_u:object_r:crond_exec_t:s0 /usr/sbin/crond

/usr/sbin/crond”“, procedure.domain”” type “crond_t”crond_t The configuration files that can be read aresystem_cron_spool_t Type.
And/var/spool/cron It’s all related.SELinux Type (/var/spool/cronForuser_cron_spool_t) 。 
1.”crond_exec_t”/usr/sbin/crond”2.”Subject”) hascrond” > (domain”“;
3.”crond domain”system_cron_spool_t” > (Object”/etc/cron.d/”crond”
4.”rwx”” meet the requirements?Linux” rights”!

Three, SELinux three modes of startup, shutdown and observation

SELinuxThere are three modes according to whether or not to start.

1.enfocing:The mandatory mode represents SELinux in operation and has started to restrict domain/type correctly.

2.permissive:Tolerance mode represents SELinux in operation, but only warning information will not actually restrict.

3.disable:Close SELinux

View mode:

[tang@VM_167_181_centos etc]$ getenforce

[tang@VM_167_181_centos etc]$ sestatus

SELinux” configuration document:/etc/selinux/config

SELinux”Pattern inenforcing Andpermissive The way to switch between


[root@study ~]# setenforce 1
Options and parameters:0 :Turn to permissive tolerance mode.1 :Converted to Enforcing mandatory modeExample 1: switch and observe SELinux between Enforcing and permissive[root@study~]# setenforce 0
[root@study ~]# getenforce
[root@study ~]# setenforce 1
[root@study ~]# getenforce


setenforce”Disabled”” mode. 

Four. Policy rules management

See if rules are activated:

getsebool [-a] [Rule name]

-a:View all rules

[root@study ~]# sesearch [-A] [-s Subject category] [-t target category] [-b Brin value]Options and parameters:-A :List the relevant data that allows "read or release" in the following data.-t :Then you need to pick up categories, such as -t httpd_t
-b :We also need to follow the rules of SELinux, for example -b httpd_enable_ftp_server
Example 1: find out the file SELinux type that the crond_t main program can read.[root@study~]# sesearch -A -s crond_t | grep spool
allow crond_t system_cron_spool_t : file { ioctl read write create getattr ..
allow crond_t system_cron_spool_t : dir { ioctl read getattr lock search op..
allow crond_t user_cron_spool_t : file { ioctl read write create getattr se..
allow crond_t user_cron_spool_t : dir { ioctl read write getattr lock add_n..
allow crond_t user_cron_spool_t : lnk_file { read getattr } ;
# allow The SELinux type, which is followed by the main program and the file, is extracted from the data above.It means that crond_t can read system_cron_spool_t files./Directory type ~ and so on!Example two: find out if crond_t can read./etc/cron.d/checktime This is our custom configuration file?[root@study~]# ll -Z /etc/cron.d/checktime
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /etc/cron.d/checktime
# Two key points, one is SELinux type for admin_home_t, the other is file.file)
[root@study ~]# sesearch -A -s crond_t | grep admin_home_t
allow domain admin_home_t : dir { getattr search open } ;
allow domain admin_home_t : lnk_file { read getattr } ;
allow crond_t admin_home_t : dir { ioctl read getattr lock search open } ;
allow crond_t admin_home_t : lnk_file { read getattr } ;
# Look carefully! Look carefully. Although crond_t admin_home_t exists, this is the general information.He did not search for certain rules, so it was still uncertain whether checktime could be read. But basically, it's SELin.UXThe type is out of order so that we can't read it.
[root@study ~]# semanage boolean -l | grep httpd_enable_homedirs
SELinux boolean State Default Description
httpd_enable_homedirs (off , off) Allow httpd to enable homedirs
# httpd_enable_homedirs The function is to allow the httpd program to read the meaning of the user folder.[root@study~]# sesearch -A -b httpd_enable_homedirs
Example 3: List the file SELinux type that the principal program can read in the httpd_enable_homedirs ruleFound43 semantic av rules:
allow httpd_t home_root_t : dir { ioctl read getattr lock search open } ;
allow httpd_t home_root_t : lnk_file { read getattr } ;
allow httpd_t user_home_type : dir { getattr search open } ;
allow httpd_t user_home_type : lnk_file { read getattr } ;
....(Omitted).The # can only be understood from the above data, in this rule, is mainly to let httpd_t read the user's home folder file!Therefore, if this rule is not started, httpd_t program will not be read.File under user main folder!
[root@study ~]# setsebool [-P] “Rule name "[1]
Options and parameters:-P :Set the settings directly to the configuration file, which will come into effect in the future.Example 1: Query the state of the rule httpd_enable_homedirs and modify the rule to a different Brin value[root@study~]# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> off <==The result is off. Let's start with the theme.[root@study~]# setsebool -P httpd_enable_homedirs 1 # It will run for a long time. Please be patient![root@study~]# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> on

>Usechcon Manually modifying filesSELinux type


[root@study ~]# chcon [-R] [-t type] [-u user] [-r role] file[root@study~]# chcon [-R] --reference=Sample fileOptions and parameters:-R :Together with the sub directory in this directory, it is also modified at the same time.-t :The type field of security type is followed by! For example, httpd_sys_content_t;-u :Later, identity recognition, such as system_u, is not important.-r :The role of the back street, such as system_r, (not important)-v :If the change is successful, please list the results of the change.--reference=Example file: take a file as an example to modify the type of subsequent files.Example 1: check it out./etc/hosts SELinux type, and apply this type to /etc/cron.d/checktime upper[root@study~]# ll -Z /etc/hosts
-rw-r--r--. root root system_u:object_r:net_conf_t:s0 /etc/hosts
[root@study ~]# chcon -v -t net_conf_t /etc/cron.d/checktime
changing security context of ‘/etc/cron.d/checktime’
[root@study ~]# ll -Z /etc/cron.d/checktime
-rw-r--r--. root root unconfined_u:object_r:net_conf_t:s0 /etc/cron.d/checktime
Example two: directly/etc/shadow SELinux type Apply to /etc/cron.d/checktime Up![root@study~]# chcon -v --reference=/etc/shadow /etc/cron.d/checktime
[root@study ~]# ll -Z /etc/shadow /etc/cron.d/checktime
-rw-r--r--. root root system_u:object_r:shadow_t:s0 /etc/cron.d/checktime
----------. root root system_u:object_r:shadow_t:s0 /etc/shadow


Userestorecon Let files recover correctly.SELinux type 

[root@study ~]# restorecon [-Rv] Files or directoriesOptions and parameters:-R :Together with the subdirectory,-v :Show the process to the screen.Example three: will/etc/cron.d/ The following files are all restored to the default SELinux type![root@study~]# restorecon -Rv /etc/cron.d
restorecon reset /etc/cron.d/checktime context system_u:object_r:shadow_t:s0->
# The above two lines are actually the same line! Indicates that checktime will be changed from shadow_t to system_cron_spool_t.Example four: restart crond to see if you have activated checktime correctly.[root@study~]# systemctl restart crond
[root@study ~]# tail /var/log/cron
# Look at this again./var/log/cron There should be no error message.

semanage” Post Views: 2