Detailed explanation of selinux basic configuration tutorial in Linux

selinux ( Security-Enhanced Linux) is a Linux kernel module and a security subsystem of Linux.

Three modes :

Enforcing: Enforcement mode. When selinux is running, domain/type restrictions have begun.

permissive: Warning mode. When selinux is running, there will be a warning message, but the access of domain/type will not be restricted.

disabled: Disable mode.

You can use getenforce to check selinux status

The role of selinux on files:

When selinux is enabled, selinux will load a tag context for each file. The security context must be matched, otherwise the file cannot be accessed.

test:

###Enable selinux

Create files and move them to the ftp release directory

touch /mnt/filemv /mnt/file /var/ftp/

User logs in to ftp to view files

It can be found that anonymous users cannot read the files moved to ftp earlier

But the file exists in the ftp directory

View the security context of a file

ls -Z /var/ftp/

You can see that the security contexts of the two files are different, so they are not displayed.
Temporarily modify the security context

chcon -t public_content_t /var/ftp/file

Log in to ftp to view files

Since the security contexts are consistent, the file can be displayed.

chcon is only a temporary modification of the security context. When the system selinux is restarted, the modification will become invalid.

###Permanently modify the security context

##Create your own ftp home directory and modify the directory security context label

mkdir /ftphomesemanage fcontext -a -t pubilc_content_t '/ftphome(/.*)?'

###View the security context of the directory

Here you can see that the security context label has not been modified. We need to restart the kernel list service.

restorecon -RvvF /ftphome###R: recursive vv: display subdirectory or file modification information under the directory, F: force the file and directory security context in the directory to be consistent 

The security context has been modified

The role of selinux in services:

The effect of selinux on services is equivalent to adding a switch to the service, which is turned off by default. 1: turn on the switch; 0: turn off the switch

When selinux is turned on, we test the switching effect of selinux on the service by logging in to ftp.

Users cannot upload, delete, etc. files

Check the status of selinux switch for ftp

They are all in a closed state, so there are restrictions on user permissions

Turn on the function switch

setsebool -P ftp_home_dir on setsebool -P ftpd_anon_write on 

Log in to ftp again, users can upload files

Install setroubleshoot, which can provide solutions to selinux error logs

/var/log/audit/audit.log ###Record the log collected by selinux 

Download /var/log/audit/audit.log ###Record the log collected by selinux 

Summarize

The above is a detailed explanation of the basic configuration tutorial of selinux in Linux introduced by the editor. I hope it will be helpful to everyone. If you have any questions, please leave me a message and the editor will reply to you in time. I would also like to thank everyone for their support of the 123WORDPRESS.COM website!