# SELinux 系统安全介绍

## Overview

SELinux (Security-Enhanced Linux) is a mandatory access control system. There are generally two policies: the mls (strict) policy used by the NSA, and the targeted policy used by ordinary Linux systems; when people talk about "the policy" by default, they mean targeted.

if use iptables

or firewall

### How it works, briefly

SELinux is a system built on top of the Linux permission model. One obvious problem with Linux permission control is that it only distinguishes user/group/other; "other" covers many different users, and if "other" is granted too many permissions, many problems follow.
What SELinux wants is for a user's permissions to be the smallest that exist anywhere in the SELinux system. SELinux also has an inherent flaw: there is always a GOD who can control everything.

## SELINUX DETAIL

SELinux has two policies, targeted and strict; CentOS applies targeted.

MLS: Multi-Level Security (MLS) and non-MLS

## Basic

Example security context of a file:

```
system_u:object_r:locale_t:s0
```

• Each Linux user account maps to an SELinux user.
• Here the root user that owns the file is mapped to the system_u SELinux user. This mapping is done by the SELinux policy.
• In Linux, a user runs a process. This can be as simple as the user jo opening a document in the vi editor (it will be jo's account running the vi process), or a service account running the httpd daemon. In the SELinux world, a process (a daemon or a running program) is called a subject.
• An object in SELinux is anything that can be acted upon. This can be a file, a directory, a port, a TCP socket, the cursor, or perhaps an X server. The actions that a subject can perform on an object are the subject's permissions.
• The third section (locale_t above) is the part that defines what type the file or directory belongs to.
• The fourth part of the security context, s0, has to do with multilevel security or MLS. Basically this is another way of enforcing SELinux security policy, and this part shows the sensitivity of the resource (s0).

SELinux users are suffixed by "_u", roles are suffixed by "_r", and types (for files) or domains (for processes) are suffixed by "_t".

### Permanent store

chcon is a temporary measure: a file system relabel or running the restorecon command will revert the file to its original context.
But if you don’t know the file’s correct context, how does the system know which context to apply when it runs restorecon?
Conveniently, SELinux “remembers” the context of every file or directory in the server. In CentOS 7, contexts of files already existing in the system are listed in the /etc/selinux/targeted/contexts/files/file_contexts file. It’s a large file and it lists every file type associated with every application supported by the Linux distribution. Contexts of new directories and files are recorded in the /etc/selinux/targeted/contexts/files/file_contexts.local file.

## the SELinux domain

### two-step process

Tip: if it shows

you may need to install the full SELinux distribution.

To make sure, we can check the file context database (note that we are using the file_contexts.local file):

You should see the updated contexts:

Next, we will run the restorecon command. This will relabel the file or directory with what’s been recorded in the previous step:
There is a nifty tool called matchpathcon that can help troubleshoot context-related problems.
```
matchpathcon -V /www/html/index.html
/www/html/index.html has context unconfined_u:object_r:default_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
```
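As an added example (not code from the original notes), here is a small Python model of the lookup that restorecon and matchpathcon perform against the file context database described under "Permanent store": the file_contexts and file_contexts.local entries are constructed samples rather than the real CentOS files, and the `verify` helper name is mine.

```python
import re
# Constructed sample entries in file_contexts syntax: "<regex> [<type flag>] <context>".
# The catch-all "/.*" maps unlisted paths to default_t; file_contexts.local holds the
# entries an admin adds with semanage fcontext and is consulted after the base file.
FILE_CONTEXTS = r"""
/.*                        system_u:object_r:default_t:s0
/var/www(/.*)?             system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?     system_u:object_r:httpd_sys_script_exec_t:s0
/var/run/httpd\.pid    --  system_u:object_r:httpd_var_run_t:s0
"""
FILE_CONTEXTS_LOCAL = r"""
/www(/.*)?                 system_u:object_r:httpd_sys_content_t:s0
"""
# The optional flag restricts an entry to one file type (same letters as `find -type`).
TYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
              "-b": "blk", "-s": "sock", "-p": "fifo"}

def parse_file_contexts(text):
    """Return (compiled regex, file type or None, context) tuples in file order."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, flag, context = parts
            ftype = TYPE_FLAGS[flag]
        elif len(parts) == 2:
            (regex, context), ftype = parts, None
        else:
            raise ValueError(f"malformed entry: {line!r}")
        specs.append((re.compile(regex), ftype, context))
    return specs

def matchpathcon(path, specs, ftype="file"):
    """Resolve a path as libselinux does: the regex must match the whole path and the
    LAST matching entry wins, so later (more specific, or local) entries override."""
    for regex, spec_type, context in reversed(specs):
        if spec_type is not None and spec_type != ftype:
            continue
        if regex.fullmatch(path):
            return None if context == "<<none>>" else context
    return None

def verify(path, current, specs):
    """matchpathcon -V style check: (current label is correct?, expected label)."""
    expected = matchpathcon(path, specs)
    return expected == current, expected
```

With only the base file loaded, /www/html/index.html falls through to default_t; once the local entry is appended, the same lookup yields httpd_sys_content_t, which is exactly the mismatch matchpathcon -V reported above.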

## Domain Transition

So far we have seen how processes access file system resources. We will now see how processes access other processes.

This transition is not something the application or the user can control. This has been stipulated in the SELinux policy that loads into memory as the system boots. In a non-SELinux server a user can start a process by switching to a more powerful account (provided she or he has the right to do so). In SELinux, such access is controlled by pre-written policies. And that’s another reason SELinux is said to implement Mandatory Access Control.

The result shows that processes within the init_t domain can read, get attributes of, execute, and open files of the ftpd_exec_t context:

```
Found 1 semantic av rules:
allow init_t ftpd_exec_t : file { read getattr execute open } ;
```
Next, we check if the binary file is the entrypoint for the target domain ftpd_t:

And indeed it is so:

```
Found 1 semantic av rules:
allow ftpd_t ftpd_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ;
```
And finally, the source domain init_t needs to have permission to transition to the target domain ftpd_t:

As we can see below, the source domain has that permission:

```
Found 1 semantic av rules:
allow init_t ftpd_t : process transition ;
```
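As an added example (not part of the original notes), the following Python models the three checks just performed, parsing rules in the same syntax sesearch printed above. The rule list is a constructed sample that copies the three rules above and adds one unrelated httpd_t rule; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample: the three rules from the sesearch output above plus one
# unrelated rule, in sesearch's "allow SRC TGT : CLASS { PERMS } ;" syntax.
SESEARCH_OUTPUT = """
Found 4 semantic av rules:
allow init_t ftpd_exec_t : file { read getattr execute open } ;
allow ftpd_t ftpd_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ;
allow init_t ftpd_t : process transition ;
allow httpd_t httpd_sys_content_t : file { read getattr open } ;
"""

# Either a braced permission set or a single bare permission follows the class.
RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{\s*([^}]*)\}|(\S+))\s*;")

def parse_av_rules(text):
    """Map (source, target, class) -> set of permissions; non-rule lines are skipped."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        src, tgt, cls, many, single = m.groups()
        rules[(src, tgt, cls)].update(many.split() if many is not None else [single])
    return rules

def transition_check(rules, src, exec_type, tgt):
    """The three conditions the text walks through. Returns the requirements
    (source, target, class, permission) that the rule set does NOT grant."""
    required = [
        (src, exec_type, "file", "execute"),     # 1. source may execute the binary
        (tgt, exec_type, "file", "entrypoint"),  # 2. binary is an entrypoint into target
        (src, tgt, "process", "transition"),     # 3. source may transition to target
    ]
    return [r for r in required if r[3] not in rules.get(r[:3], set())]

def can_transition(rules, src, exec_type, tgt):
    return not transition_check(rules, src, exec_type, tgt)

if __name__ == "__main__":
    rules = parse_av_rules(SESEARCH_OUTPUT)
    for src in ("init_t", "httpd_t"):
        print(src, "-> ftpd_t via ftpd_exec_t:",
              transition_check(rules, src, "ftpd_exec_t", "ftpd_t") or "allowed")
```

Running it shows init_t reaching ftpd_t with all three rules satisfied, while httpd_t is refused for lack of execute on ftpd_exec_t and of process transition to ftpd_t.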

### the SELinux user

Multi-Level Security / Multi-Category Security (MLS / MCS)
SELinux users are defined in the policy that’s loaded into memory at boot time, and there are only a few of these users.
When SELinux is enforced, each regular Linux user account is mapped to an SELinux user account. There can be multiple user accounts mapped to the same SELinux user. This mapping enables a regular account to inherit the permissions of its SELinux counterpart.
To see the mapping:

system_u is a different class of user, meant for running processes or daemons.
To see what SELinux users are available in the system:

So what this really means is that any Linux user that maps to the unconfined_u user will have the privileges to run any app that runs within the unconfined_t domain. To see your own context:

```
id -Z
```

## Other

restorecond: a daemon that watches for file creation and then sets the default SELinux file context.