SELinux就是Security-Enhanced Linux的简称,安全加强的linux。传统的linux权限是对文件和目录的owner, group和other的rwx进行控制,而SELinux采用的是委任式访问控制,也就是控制一个进程对具体文件系统上面的文件和目录的访问,SELinux规定了很多的规则,来决定哪个进程可以访问哪些文件和目录。
SELinux是根据进程或文件的security context来决定进程是否有权限访问文件系统的,security context由Identify:role:type三部分组成,当selinux的类型为SELINUXTYPE=targeted的时候,只有security context的type是有用的。selinux的配置文件在这里:/etc/selinux/config,内容如下:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
需要安装必要的SELinux的相关工具:
yum install policycoreutils-Python setools-console setroubleshoot setroubleshoot-server查看当前SELinux的状态:
[root@CentOS ~]# getenforce
Enforcing状态为Enforcing就代表打开了SELinux,为disabled或permissive则需要使用下面的命令开启(permissive代表如果不符合SELinux的权限控制,则会出现warning提示信息,不会真的block进程的访问):
设置SELinux为Enforcing:
[root@centos ~]# setenforce 1之后,重启电脑,并等待SELinux相关文件建立完成。
查看进程的security context:
[root@centos ~]# ps aux -Z | grep httpd
unconfined_u:system_r:httpd_t:s0 root 6056 0.0 0.3 11672 3504 ? Ss 15:31 0:03 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 6061 0.0 0.2 11804 2664 ? S 15:31 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 6062 0.0 0.2 11672 2132 ? S 15:31 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 6063 0.0 0.2 11804 2664 ? S 15:31 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 6064 0.0 0.2 11804 2780 ? S 15:31 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 6065 0.0 0.2 11672 2132 ? S 15:31 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 6066 0.0 0.2 11672 2132 ? S 15:31 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 6067 0.0 0.2 11672 2132 ? S 15:31 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 6068 0.0 0.2 11672 2132 ? S 15:31 0:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 6845 0.0 0.0 4340 752 pts/0 S+ 18:16 0:00 grep httpd查看目录的security context:
[root@centos ~]# ls -dZ /var/www/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/列出SELinux的统计信息,包括security context中的user,role和type,还有规则(Booleans):
[root@centos ~]# seinfo
Statistics for policy file: /etc/selinux/targeted/policy/policy.24
Policy Version & Type: v.24 (binary, mls)
Classes: 81 Permissions: 235
Sensitivities: 1 Categories: 1024
Types: 3488 Attributes: 273
Users: 9 Roles: 12
Booleans: 187 Cond. Expr.: 222
Allow: 273920 Neverallow: 0
Auditallow: 96 Dontaudit: 199904
Type_trans: 23469 Type_change: 38
Type_member: 48 Role allow: 20
Role_trans: 291 Range_trans: 3993
Constraints: 87 Validatetrans: 0
Initial SIDs: 27 Fs_use: 22
Genfscon: 81 Portcon: 426
Netifcon: 0 Nodecon: 0
Permissives: 59 Polcap: 2
查看所有的规则名字: