Chapter 7 Managing SELinux Security

SELinux provides mandatory access control that isolates system services and protects user data even when a service is compromised. Subjects (users, processes/services) and objects (files, ports, sockets) carry security contexts, and policy rules decide which contexts may interact; booleans switch groups of rules on and off. Denials are logged, so the logs can be watched to detect SELinux violations and to troubleshoot them.

Basic SELinux security concepts (Security Enhanced Linux):

- Linux has two access control models: DAC (discretionary access control, the classic
  owner/group/other permissions, which the owner may loosen at will) and MAC
  (mandatory access control, enforced by the kernel from a central policy that neither
  users nor services can override). SELinux is checked only after DAC has allowed the
  access; it can only take permissions away, never add them.
- A primary goal of SELinux is to protect user data from system services that have
  been compromised: even a service running as root stays confined to what the policy
  allows its domain.
- SELinux models the system as subjects (users, processes/services) acting on objects
  (files/directories, ports, sockets).
- A context is a label on processes, files, and ports; the policy decides access by
  comparing the subject's context with the object's context.
- A boolean is a runtime switch that enables/disables a set of policy rules.
- There is a policy rule that permits Apache (the web server process running as
  httpd_t) to access files and directories with the context normally found in
  /var/www/html and other web server directories (httpd_sys_content_t).
- There is no allow rule in the policy letting httpd_t read files with the context
  normally found in /tmp and /var/tmp, so a file that still carries that context is
  not served even if its DAC permissions would allow it.

[root@master ~]# id -Z          # context of the current user/shell
[root@master ~]# ps auxZ        # contexts of processes (same as ps aux -Z)
[root@master ~]# ls -Z          # contexts of files in the current directory
[root@master ~]# netstat -Z     # contexts of sockets (ss -Z on newer systems)

Ex:
system_u:object_r:admin_home_t:s0
system_u ....... SELinux user (system_u for system objects, unconfined_u for files
                 created by an unconfined login user)
object_r ....... role (object_r for files and other passive objects; processes carry
                 roles such as system_r or unconfined_r)
admin_home_t ... type (for a process the type is called its domain); nearly all rules
                 in the targeted policy are written in terms of types, so this is the
                 field that matters when troubleshooting a denial
s0 ............. MLS/MCS level (multi level security / multi category security); plain
                 s0 for most objects in the targeted policy, a range such as
                 s0-s0:c0.c1023 on unconfined processes
================================================================
SELinux modes:
Enforcing mode: SELinux both logs and blocks denials.
Permissive mode: used to troubleshoot issues. SELinux only logs what it would have
denied (the AVC records carry permissive=1); nothing is blocked, so leave it on only
as long as the troubleshooting takes.
Disabled mode: completely disables SELinux; files created while disabled get no label.
- No reboot is required to go from enforcing to permissive or back again.
- A system reboot is required to disable SELinux entirely, or to get from disabled
  mode to enforcing or permissive mode (files created while disabled are unlabeled,
  so a full relabel on the way back is needed: touch /.autorelabel before rebooting).

[root@master ~]# getenforce                    # current (runtime) mode
[root@master ~]# sestatus                      # runtime mode, mode from the config file, policy name
[root@master ~]# setenforce 0                  # permissive mode, runtime only, lost at reboot
[root@master ~]# setenforce 1                  # enforcing mode, runtime only, lost at reboot
[root@master ~]# vim /etc/selinux/config       # persistent setting SELINUX=enforcing|permissive|disabled (RHEL 7)
[root@master ~]# vim /etc/sysconfig/selinux    # older versions; on RHEL 7 a symlink to /etc/selinux/config
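
Because setenforce changes only the running kernel and leaves /etc/selinux/config untouched, a host can sit in permissive mode with a config file that still says enforcing. The script below is an added example, not part of the course notes: it reads the persistent mode out of config-file text and compares it with a runtime mode string of the kind getenforce prints. The config text is constructed here so the script runs offline; the function names and the verdict format are my own.

```sh
#!/bin/sh
# Added example, not from the course notes: compare the persistent SELinux mode
# in /etc/selinux/config with the runtime mode reported by getenforce.
# Only awk and tr are used; the config text below is constructed so the script
# runs offline. On a real host use:
#   mode_drift "$(getenforce)" "$(config_mode < /etc/selinux/config)"

# Persistent mode: value of the first uncommented SELINUX= line on stdin,
# lowercased and stripped of whitespace; "unknown" if no such line exists.
# SELINUXTYPE= lines are deliberately not matched.
config_mode() {
    awk -F= '
        /^[[:space:]]*#/ { next }
        $1 ~ /^[[:space:]]*SELINUX[[:space:]]*$/ {
            gsub(/[[:space:]]/, "", $2); print tolower($2); found = 1; exit
        }
        END { if (!found) print "unknown" }'
}

# mode_drift RUNTIME PERSISTENT -> prints a verdict, returns 0 if they agree.
# Runtime "permissive" against persistent "enforcing" is the case to alarm on:
# someone ran setenforce 0, and nothing in the config file shows it.
mode_drift() {
    md_runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    md_persistent=$2
    if [ "$md_runtime" = "$md_persistent" ]; then
        printf 'ok: runtime %s matches config\n' "$md_runtime"
        return 0
    fi
    printf 'DRIFT: runtime %s but config says %s\n' "$md_runtime" "$md_persistent"
    return 1
}

# Constructed sample config: the commented-out old value must be ignored.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX=disabled
SELINUX=enforcing
SELINUXTYPE=targeted'

persistent=$(printf '%s\n' "$SAMPLE_CONFIG" | config_mode)
mode_drift Enforcing "$persistent"          # ok: runtime enforcing matches config
mode_drift Permissive "$persistent" || :    # DRIFT: runtime permissive but config says enforcing
```

A persistent "disabled" with a runtime "enforcing" is not an attack signal (the change only takes effect at the next boot), but it is still worth reporting, since it means the next reboot will silently turn SELinux off.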
================================================================
Changing SELinux Contexts:
- A newly created file inherits the context of its parent directory. cp creates a new
  file, so the copy gets the destination directory's context; mv keeps the file's old
  context, which is how a file moved in from /root or /tmp ends up unreadable by httpd.
[root@master ~]# yum -y install httpd
[root@master ~]# systemctl start httpd
[root@master ~]# systemctl enable httpd
[root@master ~]# setenforce 0
[root@master ~]# vim /var/www/html/file.txt        # inherits httpd_sys_content_t from /var/www/html

firefox>> http://127.0.0.1/file.txt                 # served: httpd_t may read httpd_sys_content_t

[root@master ~]# chcon -t test_t /var/www/html/file.txt
  (test_t is not a type defined in the targeted policy; the kernel accepts an
  undefined type only from a process allowed CAP_MAC_ADMIN, and the permissive mode
  set above lets that check pass. No rule allows httpd_t to read test_t.)

[root@master ~]# setenforce 1                       # file now returns 403 Forbidden and an AVC denial is logged

[root@master ~]# restorecon -v /var/www/html/file.txt   # back to the policy default for that path (-R recurses into a directory)

- chcon changes are temporary: file contexts are set back to their default context
  whenever the file is relabeled, by restorecon or by a full relabel of the file
  systems at boot time. To make a non-default location persistent, record the rule in
  the policy first and then relabel, e.g. for a hypothetical /srv/web document root:
  semanage fcontext -a -t httpd_sys_content_t "/srv/web(/.*)?"
  restorecon -Rv /srv/web
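
The context breakdown earlier and the relabeling procedure above both come down to one question: what type does a file carry, and is it one httpd_t may serve? The script below is an added example, not from the course notes: it splits a context into its four fields (handling the colon inside an MCS range), scans ls -Z style lines for files under the web root whose type is not one of the common httpd content types, and prints the restorecon commands that would fix them. The input lines are constructed, and the set of allowed types is my own choice for the check, not a list from the notes.

```sh
#!/bin/sh
# Added example, not from the course notes: split a context into its fields and
# find files under the web root whose type httpd_t is not allowed to read.
# Input is constructed below to look like `ls -Z` output (both the RHEL 7 long
# form and the newer two-column form are handled); the allowed-type list is my
# own choice of the common httpd content types.

# context_fields CONTEXT -> "user role type level". The level is everything
# from the fourth colon-separated field on, because an MLS/MCS range such as
# s0-s0:c0.c1023 itself contains a colon.
context_fields() {
    printf '%s\n' "$1" | awk -F: '{
        lvl = $4
        for (i = 5; i <= NF; i++) lvl = lvl ":" $i
        print $1, $2, $3, lvl
    }'
}

# web_mislabeled: reads ls -Z lines on stdin, prints "path type" for each
# file whose type is not one httpd_t may serve. The context is taken as the
# first field with at least four colon-separated parts and the path as the
# last field (paths containing spaces are not handled).
web_mislabeled() {
    awk '
    BEGIN {
        ok["httpd_sys_content_t"] = 1
        ok["httpd_sys_rw_content_t"] = 1
        ok["httpd_sys_script_exec_t"] = 1
    }
    NF >= 2 {
        type = ""
        for (i = 1; i < NF; i++)
            if (split($i, f, ":") >= 4) { type = f[3]; break }
        if (type != "" && !(type in ok)) print $NF, type
    }'
}

# fix_commands: one restorecon line per mislabeled file. restorecon resets the
# file to the default the policy defines for its path, which is the right fix
# for a file that was moved in from /root or /tmp with its old label.
fix_commands() {
    web_mislabeled | awk '{ print "restorecon -v " $1 }'
}

# Constructed sample: index.html is fine, copied.txt was moved in from /root,
# upload.txt was moved in from /tmp (RHEL 7 long-form line), mls.html shows a
# context whose level is an MCS range.
SAMPLE_LS='unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:admin_home_t:s0 /var/www/html/copied.txt
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /var/www/html/upload.txt
system_u:object_r:httpd_sys_content_t:s0-s0:c0.c1023 /var/www/html/mls.html'

context_fields 'system_u:object_r:httpd_sys_content_t:s0-s0:c0.c1023'
printf '%s\n' "$SAMPLE_LS" | web_mislabeled
printf '%s\n' "$SAMPLE_LS" | fix_commands
```

On a real host, `ls -Z /var/www/html | web_mislabeled` gives the list; the printed restorecon lines are only correct for paths the policy already knows about, so a custom document root needs the semanage fcontext rule first.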
================================================================
Monitoring SELinux violations:
[root@master ~]# rpm -qa | grep setroubleshoot        # setroubleshoot-server provides sealert and the /var/log/messages summaries
[root@master ~]# tail -f /var/log/messages             # "SELinux is preventing ..." summaries with a "sealert -l <UUID>" hint (tailf is deprecated)
[root@master ~]# tail -f /var/log/audit/audit.log      # raw denials: type=AVC ... denied { perm } ... scontext=... tcontext=... tclass=...
[root@master ~]# ausearch -m AVC -ts recent            # denials from the last 10 minutes, pulled from the audit log
[root@master ~]# sealert -a /var/log/audit/audit.log   # analyze every denial in the log; sealert -l <UUID> explains a single one
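
Reading the raw audit log by hand gets old quickly, and the log holds more than denials: the MAC_STATUS record auditd writes when the mode changes is the trace left by a setenforce 0. The script below is an added example, not part of the course notes: it counts AVC denials by command, source type, target type, class and permission, and flags enforcing-to-permissive switches with the login user that made them. The audit lines are constructed in the shape auditd writes; the function names and output formats are my own.

```sh
#!/bin/sh
# Added example, not from the course notes: summarize AVC denials from the raw
# audit log and flag the MAC_STATUS event written when someone runs
# setenforce 0. Only awk and sort are used. The log lines below are constructed
# in the shape auditd writes; on a real host feed the functions with
#   avc_summary < /var/log/audit/audit.log

# avc_summary: one line per distinct denial, counted and sorted by frequency:
#   COUNT COMM SOURCE_TYPE -> TARGET_TYPE CLASS { PERMISSIONS }
# Only the type field of scontext/tcontext is kept, since that is what the
# policy rules (and a fix such as restorecon or a boolean) are written against.
avc_summary() {
    awk '
    /^type=AVC / && / denied / {
        perm = ""; s = ""; t = ""; cls = ""; comm = ""
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext")      { split(kv[2], f, ":"); s = f[3] }
            else if (kv[1] == "tcontext") { split(kv[2], f, ":"); t = f[3] }
            else if (kv[1] == "tclass")   cls = kv[2]
            else if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
        }
        count[comm " " s " -> " t " " cls " { " perm " }"]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# mode_changes: MAC_STATUS records carry the new and old enforcing flag;
# a 1 -> 0 transition is a switch to permissive and names the login user (auid).
mode_changes() {
    awk '
    /^type=MAC_STATUS / {
        new = ""; old = ""; auid = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "enforcing") new = kv[2]
            else if (kv[1] == "old_enforcing") old = kv[2]
            else if (kv[1] == "auid") auid = kv[2]
        }
        if (new == "0" && old == "1") print "ALERT: switched to permissive by auid=" auid
    }'
}

# Constructed sample: two reads of a mislabeled file, one blocked outbound
# connection to the MySQL port (the httpd_can_network_connect_db boolean is
# off), an unrelated SYSCALL record, and a switch to permissive by uid 1000.
SAMPLE_AUDIT='type=AVC msg=audit(1566123456.789:123): avc:  denied  { read } for  pid=1234 comm="httpd" name="file.txt" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1566123457.001:124): avc:  denied  { read } for  pid=1234 comm="httpd" name="file.txt" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1566123458.500:125): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1566123458.500:125): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" subj=system_u:system_r:httpd_t:s0
type=MAC_STATUS msg=audit(1566123460.000:130): enforcing=0 old_enforcing=1 auid=1000 ses=3'

printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
printf '%s\n' "$SAMPLE_AUDIT" | mode_changes
```

The two denial lines in the summary call for different fixes: the admin_home_t read is a labeling problem (restorecon the file), while the mysqld_port_t connect is a policy decision that a boolean such as httpd_can_network_connect_db switches on; the summary makes that split visible before anyone reaches for audit2allow.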
================================================================
