Security-Enhanced Linux is a secure subsysysty of Forced Access Control developed by the US National Security Agency with the help of the Linux open source community. RhEL 7 systems use SELinux technology to keep individual service processes constrained to access only the resources that should have been acquired.

For example, when you download a Meitu software on your computer, and when you're focused on using it to make a picture look good, it silently listens in the background to the password information entered in the browser, which obviously shouldn't be what it should do (even if it's accessing the picture resources on your computer). The SELinux security subsysys system is designed to eliminate this situation and monitor violations in many ways: restricting the functionality of the service program (SELinux domain restrictions ensure that the service program does not do anything out of character), and restricting access to file resources (SELinux security context ensures that file resources can only be accessed by the service program to which it belongs).

Mr. Liu often refers to the "SELinux domain" and "SELinux security context" as dual insurance in Linux systems, where the service program can only get the resources it should obtain in a disciplined way, so that even if a hacker breaks into the system, it is not possible to use the service programs in the system to oversance. Unfortunately, however, SELinux services are complex and difficult to configure, and many operations personnel do not understand the technology well, resulting in many servers disabling SELinux directly after deploying Linux systems;

The SELinux service has three configuration modes, as follows.

Enforcement: Forcing security policy mode to block illegal requests for the service.

Permissive: When a service is oversanctioned, only a warning is issued and not blocked.

Disabled: No warning or interception of overseatment.

All of the experiments in this book are conducted in forced security policy mode, and while it does reduce the risk of error reporting after disabling the SELinux service, this is not recommended in a production environment. I t is recommended that you review your system to see the default state defined in the SELinux service master profile. If it's permissive or disabled, it's recommended to change it to enforcing quickly.

[root@linuxprobe ~]# vim /etc/selinux/config

This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected. 
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

In the main configuration file of the SELinux service, the default running state of SELinux is defined, which can be understood as the state after the system restarts, so it does not take effect immediately after the change. You can use the getenforce command to get the current SELinux service running mode:

In root@linuxprobe order to confirm that the results shown in Figure 10-6 are indeed caused by SELinux, the current operating mode of SELinux can be modified with the setenforce| command (0 is disabled and 1 is enabled). Note that this modification is only temporary and will fail after the system restarts:

When root@linuxprobe page is refreshed again, you'll see the normal page content, as shown in Figure root@linuxprobe 10-7. As you can see, the problem is really with the SELinux service.

[root@linuxprobe wwwroot]# firefox

The contents of the Figure 10-7 page are displayed as expected

Now, let's recall what went wrong with the previous operation.

The function of the httpd service program is to allow users to access the content of the website, so SELinux will certainly release the user's request action on the site by default. H owever, we modified the default save directory for site data to /home/wwwroot, which created the problem. As noted in section 6.1, the /home directory is used to store the home directory data of the average user, and now the website service provided by httpd is going to get the data in the home directory of the average user, which is a clear violation of the regulatory principles of SELinux.

Now, let's restore the SELinux service to force-enabled security policy mode, and then look separately at whether the saved directory of the original site data has a different SELinux security context value than the saved directory of the current site data:

[root@linuxprobe ~]# setenforce 1 [root@linuxprobe ~]# ls -Zd /var/www/html drwxr-xr-x. r oot root system_u:object_r:httpd_sys_content_t:s0 /var/www/html [root@linuxprobe ~]# ls -Zd /home/wwwroot drwxrwxrwx. R oot root unconfined_u:object_r:home_root_t:s0 /home/wwwroot The SELinux security context set on a file is made up of multiple information items, such as user segments, role segments, and type segments. A mong them, the user segment system_u the identity of the system process, the role segment object_r the role representing the file directory, the type segment httpd_sys_content_t the system file representing the website service. Since the SELinux service is too complex, now we only need to be familiar with the role of the SELinux service, Mr. Liu Wei will come up with a separate chapter in the advanced part of this book to explain the SELinux service carefully.

For the current situation, we only need to use the semanage command to modify the SELinux security context of the current site directory/home/wwwroot to the same as the original site directory.

Semanage command

The semanage command is used to manage SELinux's policies in the format "Semanage ( Options ) .

The SELinux service greatly improves the security of linux systems, locking user rights firmly in cages. T he semanage command not only sets the policy for files and directories, but also manages network ports and message interfaces, as traditional chcon commands do, which are covered later in this chapter. When using the semanage command, a few parameters that are often used and their functions are as follows:

-l parameters for queries;

-a parameters are used to add;

-m parameters are used for modification;

The -d parameter is used for deletion.

For example, you can add a new SELinux security context to the new site data directory so that the directory and all the files in it can be accessed by the httpd service provider:

root@linuxprobe semanage fcontext -a -t httpd_sys_content_t /home/wwwroot(root@linuxprobe) semanage fcontext -a -t httpd_sys_content_t/home/wwwroot/? Note that the site is not immediately accessible after the above settings are performed and the set-up of the SELinux security context will take effect immediately using the restorecon command. W hen using the restorecon command, you can add the -Rv parameter to recursively manipulate the specified directory and the modification process to display the SELinux security context. Finally, refresh the page again, you can see the content of the page normally, the results are shown in Figure 10-8.

[root@linuxprobe ~]# restorecon -Rv /home/wwwroot/ restorecon reset /home/wwwroot context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0 restorecon reset /home/wwwroot/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0 [root@linuxprobe ~]# firefox

Figure 10-8 sees the content of the page normally

It's a twist and turn! O riginally thought that as long as the httpd service program is configured properly can be done, but the result is repeatedly limited by the SELinux security context. T herefore, it is recommended that we must be careful and patient when configuring the httpd service program. Once the httpd service program is successfully equipped, you will find that the SELinux service is not that difficult.

Because in an RHCSA, RHCE, or RHCA exam, you need to restart your machine before executing a judgment script. Therefore, it is recommended that readers get into the habit of adding the required services to the boot item in their daily work, such as the need to add the systemctl enable httpd command here.