
Implement the mechanism of SELinux under the CentOS 6.7 x64


Hello everyone, it's time to post some rubbish! I have known the basic function of SELinux for a while, but never used it in depth, so I always just disabled it. Its full name is 'Security Enhanced Linux', and it was developed by the NSA. How do we use it on our system? Let's keep reading:

1) Clarify the concepts behind file permissions
DAC - Discretionary Access Control (traditional) -> Disadvantages: a. root is unlimited. b. Permissions can be changed through any program the user owns.
MAC - Mandatory Access Control (policy) -> Access is controlled per service (program) by the policy, not by the user

2) Explain the SELinux part of the file permission output
Concepts: Subject (~ process) : Object (~ file system) : Policy (targeted [default], minimum [selected services only], mls [complete]) : Security context
#ls -Z -> Identity (1. unconfined_u [created by a user], 2. system_u [created by a service]) : role (1. object_r [file/directory], 2. system_r [process or common user]) : type (1. type [object], 2. domain [subject])
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 bugzilla-5.0.tar.gz
drwxr-xr-x. root root system_u:object_r:admin_home_t:s0 Desktop
drwxr-xr-x. root root system_u:object_r:admin_home_t:s0 Documents
drwxr-xr-x. root root system_u:object_r:admin_home_t:s0 Downloads
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log.syslog
drwxr-xr-x. root root system_u:object_r:admin_home_t:s0 Music
drwxr-xr-x. root root system_u:object_r:admin_home_t:s0 Pictures
drwxr-xr-x. root root system_u:object_r:admin_home_t:s0 Public
drwxr-xr-x. root root system_u:object_r:admin_home_t:s0 Templates
drwxr-xr-x. root root system_u:object_r:admin_home_t:s0 Videos
#touch test
#ls -Z test
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 test
#ps -eZ | egrep -i '((cron|bash))'
system_u:system_r:crond_t:s0-s0:c0.c1023 2667 ? 00:00:01 crond
system_u:system_r:crond_t:s0-s0:c0.c1023 2682 ? 00:00:00 atd
system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 3406 ? 00:00:00 anacron
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3485 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3525 pts/1 00:00:00 bash
unconfined_u:unconfined_r -> A common user's process (like bash or X Window)
system_u:system_r -> A system account's non-interactive system process
#ll -Zd /usr/sbin/crond /etc/crontab /etc/cron.d
drwxr-xr-x. root root system_u:object_r:system_cron_spool_t:s0 /etc/cron.d
-rw-r--r--. root root system_u:object_r:system_cron_spool_t:s0 /etc/crontab
-rwxr-xr-x. root root system_u:object_r:crond_exec_t:s0 /usr/sbin/crond

3) Test the mechanism of SELinux w/ the file you created
#cat >> /root/checktime
10 * * * * root sleep 60s
#mv checktime /etc/cron.d
#ll /etc/cron.d/checktime
-rw-r--r--. 1 root root 26 Sep 13 17:30 /etc/cron.d/checktime
#service crond restart
Stopping crond: [ OK ]
Starting crond: [ OK ]
#tail /var/log/cron
Aug 7 18:46:01 study crond[28174]: ((null)) Unauthorized SELinux context=system_u:system_r:
system_cronjob_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:admin_home_t:s0
(/etc/cron.d/checktime)
Aug 7 18:46:01 study crond[28174]: (root) FAILED (loading cron table)
# The above means there is an error, because the security context crond expects and the file's actual security context do not match!
#ps -eZ | grep -E 'cron|bash'
system_u:system_r:crond_t:s0-s0:c0.c1023 2682 ? 00:00:00 atd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3485 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3525 pts/1 00:00:00 bash
unconfined_u:system_r:crond_t:s0-s0:c0.c1023 18950 ? 00:00:01 crond

4) Check common status about the function of SELinux
#getenforce
Enforcing
#sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
#cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
#yum -y install setools-*
#seinfo
Statistics for policy file: /etc/selinux/targeted/policy/policy.24
Policy Version & Type: v.24 (binary, mls)
Classes: 81 Permissions: 238
Sensitivities: 1 Categories: 1024
Types: 3904 Attributes: 295
Users: 9 Roles: 12
Booleans: 234 Cond. Expr.: 274
Allow: 318957 Neverallow: 0
Auditallow: 140 Dontaudit: 272140
Type_trans: 41844 Type_change: 38
Type_member: 48 Role allow: 19
Role_trans: 384 Range_trans: 6037
Constraints: 90 Validatetrans: 0
Initial SIDs: 27 Fs_use: 23
Genfscon: 84 Portcon: 473
Netifcon: 0 Nodecon: 0
Permissives: 90 Polcap: 2

5) Query the setting of SELinux about the crond
#sesearch -A -s crond_t | grep spool
allow daemon user_cron_spool_t : file { ioctl read write getattr lock append } ;
allow crond_t var_spool_t : file { ioctl read getattr lock open } ;
allow crond_t var_spool_t : dir { ioctl read getattr lock search open } ;
allow crond_t system_cron_spool_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow crond_t system_cron_spool_t : dir { ioctl read getattr lock search open } ;
allow crond_t cron_spool_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow crond_t cron_spool_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow crond_t user_cron_spool_t : file { ioctl read getattr lock open } ;
allow crond_t user_cron_spool_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow crond_t user_cron_spool_t : lnk_file { read getattr } ;
allow crond_t system_cron_spool_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow crond_t user_cron_spool_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
#ll -Z /etc/cron.d/checktime
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /etc/cron.d/checktime
#sesearch -A -s crond_t | grep admin_home_t -> No output: no rule allows crond_t to access admin_home_t
#sesearch -A -b httpd_enable_homedirs
Found 46 semantic av rules:
allow httpd_user_script_t home_root_t : dir { ioctl read getattr lock search open } ;
allow httpd_user_script_t home_root_t : lnk_file { read getattr } ;
allow httpd_suexec_t user_home_dir_t : dir { getattr search open } ;
allow httpd_suexec_t user_home_dir_t : lnk_file { read getattr } ;
allow httpd_sys_script_t home_root_t : dir { getattr search open } ;
allow httpd_sys_script_t home_root_t : lnk_file { read getattr } ;
allow httpd_suexec_t autofs_t : dir { ioctl read getattr lock search open } ;
allow httpd_suexec_t cifs_t : file { ioctl read getattr lock execute execute_no_trans open } ;
allow httpd_suexec_t cifs_t : dir { ioctl read getattr lock search open } ;
allow httpd_suexec_t cifs_t : lnk_file { read getattr } ;
allow httpd_suexec_t nfs_t : file { ioctl read getattr lock execute execute_no_trans open } ;
allow httpd_suexec_t nfs_t : dir { ioctl read getattr lock search open } ;
allow httpd_suexec_t nfs_t : lnk_file { read getattr } ;
allow httpd_user_script_t user_home_dir_t : dir { getattr search open } ;
allow httpd_user_script_t user_home_dir_t : lnk_file { read getattr } ;
allow httpd_t user_home_t : file { ioctl read getattr lock open } ;
allow httpd_t user_home_t : dir { ioctl read getattr lock search open } ;
allow httpd_sys_script_t user_home_dir_t : dir { ioctl read getattr lock search open } ;
allow httpd_sys_script_t autofs_t : dir { ioctl read getattr lock search open } ;
allow httpd_sys_script_t cifs_t : file { ioctl read getattr lock open } ;
allow httpd_sys_script_t cifs_t : dir { ioctl read getattr lock search open } ;
allow httpd_sys_script_t cifs_t : lnk_file { read getattr } ;
allow httpd_sys_script_t nfs_t : file { ioctl read getattr lock open } ;
allow httpd_sys_script_t nfs_t : dir { ioctl read getattr lock search open } ;
allow httpd_sys_script_t nfs_t : lnk_file { read getattr } ;
allow httpd_t user_home_type : dir { getattr search open } ;
allow httpd_t user_home_type : lnk_file { read getattr } ;
allow httpd_t home_root_t : dir { ioctl read getattr lock search open } ;
allow httpd_t home_root_t : lnk_file { read getattr } ;
allow httpd_suexec_t user_home_type : dir { getattr search open } ;
allow httpd_suexec_t user_home_type : lnk_file { read getattr } ;
allow httpd_sys_script_t user_home_t : file { ioctl read getattr lock open } ;
allow httpd_sys_script_t user_home_t : dir { ioctl read getattr lock search open } ;
allow httpd_t user_home_dir_t : dir { ioctl read getattr lock search open } ;
allow httpd_t user_home_dir_t : lnk_file { read getattr } ;
allow httpd_suexec_t home_root_t : dir { ioctl read getattr lock search open } ;
allow httpd_suexec_t home_root_t : lnk_file { read getattr } ;
allow httpd_t autofs_t : dir { ioctl read getattr lock search open } ;
allow httpd_user_script_t user_home_type : dir { getattr search open } ;
allow httpd_user_script_t user_home_type : lnk_file { read getattr } ;
allow httpd_t cifs_t : file { ioctl read getattr lock open } ;
allow httpd_t cifs_t : dir { ioctl read getattr lock search open } ;
allow httpd_t cifs_t : lnk_file { read getattr } ;
allow httpd_t nfs_t : file { ioctl read getattr lock open } ;
allow httpd_t nfs_t : dir { ioctl read getattr lock search open } ;
allow httpd_t nfs_t : lnk_file { read getattr } ;
#getsebool httpd_enable_homedirs
httpd_enable_homedirs --> off
#setsebool -P httpd_enable_homedirs 1 -> -P writes the change to the policy so it survives a reboot
#getsebool httpd_enable_homedirs
httpd_enable_homedirs --> on
#ll -Z /etc/hosts
-rw-r--r--. root root system_u:object_r:net_conf_t:s0 /etc/hosts
#chcon -v -t net_conf_t /etc/cron.d/checktime -> Method A: set the type directly
changing security context of '/etc/cron.d/checktime'
#ll -Z /etc/cron.d/checktime
-rw-r--r--. root root unconfined_u:object_r:net_conf_t:s0 /etc/cron.d/checktime
#chcon -v --reference=/etc/shadow /etc/cron.d/checktime -> Method B: copy the context of a reference file
#ll -Z /etc/shadow /etc/cron.d/checktime
-rw-r--r--. root root system_u:object_r:shadow_t:s0 /etc/cron.d/checktime
----------. root root system_u:object_r:shadow_t:s0 /etc/shadow
#restorecon -Rv /etc/cron.d -> Method C: restore the default context defined by the policy
restorecon reset /etc/cron.d/checktime context system_u:object_r:shadow_t:s0->system_u:object_r:system_cron_spool_t:s0
#service crond restart
#tail /var/log/cron -> No errors about the SELinux
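As an added example (my own code, not part of the original post), a small POSIX shell audit that automates the two checks done by eye in sections 3 and 5: pulling the rejected crontab and its actual context out of crond's "Unauthorized SELinux context" lines in /var/log/cron, and comparing the type field of an ls -Z listing against the expected system_cron_spool_t. The log excerpt and listing are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: automate the two checks the post
# does by eye. Assumes the CentOS 6 "ls -Z" column layout (perms user group
# context name) and the crond log wording shown in /var/log/cron above.

# 1) Pull "path actual_file_context" out of crond's "Unauthorized SELinux
#    context" lines, so a log watcher can see which crontab was rejected and why.
rejected_crontabs() {
    sed -n 's/.*Unauthorized SELinux context=[^ ]* file_context=\([^ ]*\) (\([^)]*\)).*/\2 \1/p'
}

# 2) Read "ls -Z" lines on stdin and report every entry whose type field
#    (third part of user:role:type:level) is not the expected one.
#    Exit status 1 if any mismatch, e.g.:  ls -Z /etc/cron.d/* | check_context_type system_cron_spool_t
check_context_type() {
    awk -v want="$1" '
        NF >= 5 {
            n = split($4, ctx, ":")
            if (n < 3) next
            if (ctx[3] != want) {
                printf "MISMATCH %s type=%s expected=%s (fix: restorecon -v %s)\n", $5, ctx[3], want, $5
                bad++
            }
        }
        END { exit (bad > 0 ? 1 : 0) }'
}

# Constructed /var/log/cron excerpt: the denial from the post, on one line as syslog writes it.
SAMPLE_CRONLOG='Aug  7 18:46:01 study crond[28174]: ((null)) Unauthorized SELinux context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:admin_home_t:s0 (/etc/cron.d/checktime)
Aug  7 18:46:01 study crond[28174]: (root) FAILED (loading cron table)
Aug  7 18:47:01 study CROND[28201]: (root) CMD (run-parts /etc/cron.hourly)'

# Constructed listing: the mv-ed crontab kept admin_home_t, the others carry the policy default.
SAMPLE_LISTING='-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /etc/cron.d/checktime
-rw-r--r--. root root system_u:object_r:system_cron_spool_t:s0 /etc/cron.d/raid-check
-rw-r--r--. root root system_u:object_r:system_cron_spool_t:s0 /etc/cron.d/sysstat'

# Helpers that run the two checks over the constructed samples.
rejected_in_sample() { printf '%s\n' "$SAMPLE_CRONLOG" | rejected_crontabs; }
mismatches_in_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | check_context_type "$1" | grep -c '^MISMATCH' || true
}

rejected_in_sample
mismatches_in_sample system_cron_spool_t
```

On a real host, pipe `ls -Z /etc/cron.d/*` into check_context_type and `tail /var/log/cron` into rejected_crontabs; the mismatch lines name the file and the restorecon call that restores the policy default.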

◎、The above is a brief introduction to implementing the SELinux mechanism on CentOS 6.7 x64; I referred to vbird's website while doing it. You can search for more information about this function if you are interested. That's all for today, see you next time!

  1. Very clear. I like your post very much. I also clicked the ads link. ker ker
