I. Access Control

1. Discretionary Access Control (DAC)

  1. UGO: the "who" side of a permission. U = User (the file's owner), G = Group (users in the file's group), O = Others (everyone else)

  2. RWX: the "action" side of a permission. R = Read (read a file / list a directory), W = Write (write, delete, modify, create), X = eXecute (run a file / enter a directory)

2. Mandatory Access Control (MAC)

  SELinux == Subject (process) + Object (resource: file, device, socket) + Action

 

II. Permission Check Flow

1. Overall flow: the DAC check runs first, then the SELinux check (a DAC denial is final; SELinux is only consulted when DAC allows the access)


2. SELinux internal flow:

The AVC (Access Vector Cache) is consulted first; on a cache miss the security server is asked to decide from the loaded binary policy


 

 

III. The Three SELinux Modes

1. Show the current mode

getenforce

2. disabled: SELinux is switched off. Set it as follows:

vim /etc/selinux/config
Change SELINUX=permissive to SELINUX=disabled

3. permissive: permissive mode (violations are logged but not blocked). Set it as follows:

setenforce 0

vim /etc/selinux/config
Set SELINUX=permissive

Viewing the AVC denial messages logged in permissive mode:

dmesg | grep avc
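As an added example (not part of the original post), a small Python parser for the AVC lines that dmesg | grep avc prints. It pulls out the Subject (the process domain), the Object (target type and class) and the Action (the permissions in braces), and groups denials into the same "domain target:class { perms }" shape that sesearch -A prints, so each group can be compared with the loaded policy. The three log lines are constructed; their pids, inode numbers and device names are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample of what `dmesg | grep avc` returns (the kernel's AVC audit
# format); pids, inode numbers and device names are made up.
SAMPLE_DMESG = """\
[  312.117] audit: type=1400 audit(1737280000.101:61): avc:  denied  { read } for  pid=1422 comm="apache2" name="test.txt" dev="sda2" ino=262150 scontext=system_u:system_r:httpd_t:s0 tcontext=sysadm_u:object_r:user_home_t:s0 tclass=file permissive=1
[  312.118] audit: type=1400 audit(1737280000.102:62): avc:  denied  { getattr open } for  pid=1422 comm="apache2" path="/home/xuanmiao/Test/test.txt" dev="sda2" ino=262150 scontext=system_u:system_r:httpd_t:s0 tcontext=sysadm_u:object_r:user_home_t:s0 tclass=file permissive=1
[  980.004] audit: type=1400 audit(1737280668.000:70): avc:  denied  { name_connect } for  pid=1422 comm="apache2" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
"""

# decision, permissions in braces, subject context, object context, object class, mode flag
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

@dataclass(frozen=True)
class AvcEvent:
    decision: str
    perms: tuple
    domain: str        # Subject: type field of the process context
    target_type: str   # Object: type field of the resource context
    tclass: str        # Object class: file, dir, tcp_socket, ...
    permissive: bool   # True if logged in permissive mode (access was not blocked)

def context_type(ctx):
    """user:role:type:level -> type (also works for ranged levels like s0-s0:c0.c1023)."""
    return ctx.split(":")[2]

def parse_avc_lines(text):
    events = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            events.append(AvcEvent(m["decision"], tuple(m["perms"].split()),
                                   context_type(m["scontext"]), context_type(m["tcontext"]),
                                   m["tclass"], m["permissive"] == "1"))
    return events

def summarize_denials(events):
    """Group denials by (domain, target type, class) -> set of permissions: the same
    shape as the allow rules sesearch -A prints, so each group can be checked against policy."""
    groups = {}
    for e in events:
        if e.decision == "denied":
            groups.setdefault((e.domain, e.target_type, e.tclass), set()).update(e.perms)
    return groups
```

Running summarize_denials(parse_avc_lines(SAMPLE_DMESG)) on the sample yields two groups: httpd_t on user_home_t:file { getattr open read } (a mislabelled file, the case the chcon/restorecon section below deals with) and httpd_t on mysqld_port_t:tcp_socket { name_connect } (a boolean or rule question).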

4. enforcing: enforcing mode (violations are blocked and logged). Set it as follows:

setenforce 1
vim /etc/selinux/config
Set SELINUX=enforcing

 

IV. SELinux Policy Rules

1. On Ubuntu the compiled policy modules live in /usr/share/selinux/default; every file name in that directory ends in .bz2

xuanmiao@xuanmiao-SELinux:/usr/share/selinux/default$ pwd
/usr/share/selinux/default
    
xuanmiao@xuanmiao-SELinux:/usr/share/selinux/default$ ls
accountsd.pp.bz2    chromium.pp.bz2         fcoe.pp.bz2        kismet.pp.bz2        netlabel.pp.bz2        psad.pp.bz2         
......

2. List all allow rules in the loaded kernel policy

xuanmiao@xuanmiao-SELinux:/usr/share/selinux/default$ sesearch -A

3. Query what the policy allows the crond process (source type crond_t) to do

xuanmiao@xuanmiao-SELinux:/usr/share/selinux/default$ sesearch -A -s crond_t 
allow crond_t acct_exec_t:file { execute getattr ioctl map open read };
allow crond_t acct_t:process transition;
allow crond_t acngtool_exec_t:file { execute getattr ioctl map open read };
allow crond_t acngtool_t:process transition;
allow crond_t acpid_exec_t:file { execute getattr ioctl map open read };
allow crond_t acpid_t:process transition;

4. List all booleans (a boolean switches a set of policy rules on or off)

getsebool -a

5. Show all rules that depend on the boolean httpd_enable_homedirs

sesearch -A -b httpd_enable_homedirs

6. Show what the boolean httpd_enable_homedirs does

xuanmiao@xuanmiao-SELinux:~$ sudo semanage boolean -l | grep httpd_enable_homedirs
httpd_enable_homedirs  (关,关)  Determine whether httpd can traverse user home directories.

 

V. Security Contexts

1. Viewing security contexts:

(1) Security context of a process

xuanmiao@xuanmiao-SELinux:~$ ps -eZ | grep systemd
system_u:system_r:init_t:s0           1 ?        00:00:04 systemd
system_u:system_r:syslogd_t:s0      352 ?        00:00:02 systemd-journal
system_u:system_r:udev_t:s0-s0:c0.c1023 408 ?    00:00:02 systemd-udevd
system_u:system_r:initrc_t:s0       745 ?        00:00:25 systemd-oomd
system_u:system_r:systemd_resolved_t:s0 746 ?    00:00:00 systemd-resolve
system_u:system_r:ntpd_t:s0         747 ?        00:00:00 systemd-timesyn
system_u:system_r:systemd_logind_t:s0 804 ?      00:00:00 systemd-logind
sysadm_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1433 ? 00:00:02 systemd

The type in a process's security context (for example httpd_t) is also called its domain

(2) Security context of a directory

xuanmiao@xuanmiao-SELinux:~$ ls -dZ /var/www/html
system_u:object_r:httpd_sys_content_t:s0 /var/www/html

(3) Security context of the current user

xuanmiao@xuanmiao-SELinux:~$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

 

Where security contexts are stored: a file's security context is stored on disk with the file's inode; a process's security context is held in kernel memory data structures


 

2. Security context: the user field

(1) List the SELinux users defined by the policy

xuanmiao@xuanmiao-SELinux:~$ sudo semanage user -l

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

root            sysadm     s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r
staff_u         staff      s0         s0-s0:c0.c1023                 staff_r sysadm_r
sysadm_u        sysadm     s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r
unconfined_u    unconfined s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xdm             user       s0         s0                             xdm_r

(2) Show the mapping from Linux login users (accounts in /etc/passwd) to SELinux users

xuanmiao@xuanmiao-SELinux:~$ sudo semanage login -l                       // this command is equivalent to seinfo -u

登录名                SELinux 用户          MLS/MCS 范围          服务
__default__          user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
sddm                 xdm                  s0-s0                *
xuanmiao             sysadm_u             s0-s0:c0.c1023       *

(3) Create a new SELinux user and assign it a role

semanage user -a -R staff_r swift_u

 

3. Security context: the role field

The role of a file context can only be object_r; the role of a process context can be system_r (or another process role such as unconfined_r, as in the ps -eZ output above)

 

4. Changing a security context (the chcon command)

xuanmiao@xuanmiao-SELinux:~$ ls -lZ
总计 48
drwxr-xr-x. 2 xuanmiao xuanmiao system_u:object_r:user_home_t:s0 4096 12月 30 10:17 公共的
drwxr-xr-x. 2 xuanmiao xuanmiao system_u:object_r:user_home_t:s0 4096 12月 30 10:17 模板
drwxr-xr-x. 2 xuanmiao xuanmiao system_u:object_r:user_home_t:s0 4096 12月 30 10:17 视频
drwxr-xr-x. 2 xuanmiao xuanmiao system_u:object_r:user_home_t:s0 4096 12月 30 10:17 图片
drwxr-xr-x. 2 xuanmiao xuanmiao system_u:object_r:user_home_t:s0 4096 12月 30 10:17 文档
drwxr-xr-x. 2 xuanmiao xuanmiao system_u:object_r:user_home_t:s0 4096  1月 19 13:48 下载
drwxr-xr-x. 2 xuanmiao xuanmiao system_u:object_r:user_home_t:s0 4096 12月 30 10:17 音乐
drwxr-xr-x. 2 xuanmiao xuanmiao system_u:object_r:user_home_t:s0 4096 12月 30 10:17 桌面
drwx------. 4 xuanmiao xuanmiao system_u:object_r:user_home_t:s0 4096 12月 29 18:13 snap
drwxrwxr-x. 2 xuanmiao xuanmiao system_u:object_r:user_home_t:s0 4096 12月 30 10:21 software
drwxrwxr-x. 2 xuanmiao xuanmiao sysadm_u:object_r:user_home_t:s0 4096  1月 19 18:05 Test
drwxr-xr-x. 9 xuanmiao xuanmiao system_u:object_r:user_home_t:s0 4096 12月 29 18:06 vmware-tools-distrib


xuanmiao@xuanmiao-SELinux:~$ cd Test
xuanmiao@xuanmiao-SELinux:~/Test$ ls
xuanmiao@xuanmiao-SELinux:~/Test$ touch test.txt
xuanmiao@xuanmiao-SELinux:~/Test$ ls -lZ
总计 0
-rw-rw-r--. 1 xuanmiao xuanmiao sysadm_u:object_r:user_home_t:s0 0  1月 19 18:06 test.txt


xuanmiao@xuanmiao-SELinux:~/Test$ chcon -t httpd_sys_content_t ./test.txt 
xuanmiao@xuanmiao-SELinux:~/Test$ ls -lZ
总计 0
-rw-rw-r--. 1 xuanmiao xuanmiao sysadm_u:object_r:httpd_sys_content_t:s0 0  1月 19 18:06 test.txt

 

5. Querying and restoring the default security context

Query the default file contexts: sudo semanage fcontext -l

xuanmiao@xuanmiao-SELinux:~$ sudo semanage fcontext -l | grep -E "/var/www/html"
/var/www/html/[^/]*/cgi-bin(/.*)?                  all files          system_u:object_r:httpd_sys_script_exec_t:s0 
/var/www/html/[^/]*/sites/default/files(/.*)?      all files          system_u:object_r:httpd_sys_rw_content_t:s0 
/var/www/html/[^/]*/sites/default/settings\.php    regular file       system_u:object_r:httpd_sys_rw_content_t:s0 
/var/www/html/configuration\.php                   all files          system_u:object_r:httpd_sys_rw_content_t:s0 
/var/www/html/lightsquid(/.*)?                     all files          system_u:object_r:httpd_lightsquid_content_t:s0 
/var/www/html/lightsquid/report(/.*)?              all files          system_u:object_r:lightsquid_rw_content_t:s0 
/var/www/html/munin(/.*)?                          all files          system_u:object_r:httpd_munin_content_t:s0 
/var/www/html/munin/cgi(/.*)?                      all files          system_u:object_r:httpd_munin_script_exec_t:s0 
/var/www/html/wp-content(/.*)?                     all files          system_u:object_r:httpd_sys_rw_content_t:s0

Restore the default security context: restorecon -Rv

xuanmiao@xuanmiao-SELinux:~/Test$ pwd
/home/xuanmiao/Test
xuanmiao@xuanmiao-SELinux:~/Test$ ls -lZ
总计 0
-rw-rw-r--. 1 xuanmiao xuanmiao sysadm_u:object_r:httpd_sys_content_t:s0 0  1月 19 18:06 test.txt
xuanmiao@xuanmiao-SELinux:~/Test$ restorecon -Rv ./test.txt 
Relabeled /home/xuanmiao/Test/test.txt from sysadm_u:object_r:httpd_sys_content_t:s0 to sysadm_u:object_r:user_home_t:s0
xuanmiao@xuanmiao-SELinux:~/Test$ ls -lZ
总计 0
-rw-rw-r--. 1 xuanmiao xuanmiao sysadm_u:object_r:user_home_t:s0 0  1月 19 18:06 test.txt
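An added example, not the author's code: a Python approximation of what restorecon does with the semanage fcontext table shown above. It parses the rows, looks up the context a given path should carry, and lists the relabels restorecon -v would report, keeping the user field the way the session above does. The table is the /var/www/html excerpt above plus one catch-all row for /var/www added here as an assumption, and the longest-literal-prefix matching rule is a simplification, not libselinux's real ordering.

```python
import re
from collections import namedtuple

# Constructed excerpt of `semanage fcontext -l`: the /var/www/html rows shown above
# plus one catch-all row for /var/www added here (assumption, not from the listing).
FCONTEXT_TABLE = r"""
/var/www(/.*)?                                     all files          system_u:object_r:httpd_sys_content_t:s0
/var/www/html/[^/]*/cgi-bin(/.*)?                  all files          system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/html/[^/]*/sites/default/settings\.php    regular file       system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html/lightsquid(/.*)?                     all files          system_u:object_r:httpd_lightsquid_content_t:s0
/var/www/html/lightsquid/report(/.*)?              all files          system_u:object_r:lightsquid_rw_content_t:s0
/var/www/html/wp-content(/.*)?                     all files          system_u:object_r:httpd_sys_rw_content_t:s0
"""

# regex: path pattern; ftype: "all files" / "regular file"; context: label to assign;
# stem: literal prefix before the first regex metacharacter (used to rank matches)
FcontextSpec = namedtuple("FcontextSpec", "regex ftype context stem")

def parse_fcontext(text):
    specs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        regex, ftype, context = re.split(r"\s{2,}", line.strip())
        stem = re.split(r"[.^$*+?()\[\]{}|\\]", regex, maxsplit=1)[0]
        specs.append(FcontextSpec(regex, ftype, context, stem))
    return specs

def expected_context(specs, path, is_dir=False):
    """Context the table assigns to path, or None. Ranking is a simplification (an
    assumption, not libselinux's real ordering): longest stem wins, later row breaks ties."""
    best = None
    for spec in specs:
        if is_dir and spec.ftype == "regular file":
            continue
        if re.fullmatch(spec.regex, path) and (best is None or len(spec.stem) >= len(best.stem)):
            best = spec
    return best.context if best else None

def relabel_plan(specs, labelled_files):
    """labelled_files: {path: current context}. Returns the lines restorecon -v would print."""
    plan = []
    for path, current in labelled_files.items():
        want = expected_context(specs, path)
        if want is None:
            continue
        fields = current.split(":")
        fields[2] = want.split(":")[2]  # without -F, restorecon resets only the type field
        new = ":".join(fields)
        if new != current:
            plan.append(f"Relabeled {path} from {current} to {new}")
    return plan
```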

 

posted on 2026-01-29 08:32 by 轩~邈