What is SELinux
SELinux stands for Security-Enhanced Linux. It is a security subsystem of Linux, designed to enhance the security of the traditional Linux operating system and to solve various permission problems of the traditional Linux discretionary access control (DAC) system (such as excessive root permissions). SELinux uses a mandatory access control (MAC) system, which controls whether a process has access rights to files or directories on a specific file system.
The operating environment of this tutorial: linux7.3 system, Dell G3 computer.
What is SELinux
SELinux, the abbreviation of Security-Enhanced Linux, is a Linux security subsystem developed by the U.S. National Security Agency (NSA) together with other security organizations (such as SCC Corporation). It enhances the security of the traditional Linux operating system and solves various permission problems of the Discretionary Access Control (DAC) system in traditional Linux (such as root privileges being too high).
The SELinux project was open sourced under the GPL license in 2000. SELinux gradually became popular when Red Hat included SELinux in its Linux distribution. Now, SELinux has been widely used by many organizations, and almost all Linux kernel versions 2.6 and above have integrated SELinux functions.
Beginners can understand SELinux this way: it is a functional module deployed on Linux to enhance system security.
In traditional Linux systems, the default permissions control the read, write and execute permissions of the owner, group and others on a file or directory. This control method is called Discretionary Access Control (DAC). SELinux adds a Mandatory Access Control (MAC) system, which controls whether a process has access rights to files or directories on a specific file system; whether a process may access a file or directory is determined by the many policy rules set in SELinux.
Speaking of this, it is necessary for readers to understand the characteristics of these two access control systems in detail:
- Discretionary Access Control (DAC) is the default access control method of Linux, which determines whether access is possible based on the user's identity and that identity's rwx permissions on files and directories. In practice, DAC access control shows some problems:
  - root permissions are too high: rwx permissions do not apply to the root user. Once the root account is stolen, or root itself makes a mistake, the threat to the Linux system is fatal.
  - Linux default permissions are too simple. There are only three identities (owner, group and others) and only three permissions (read, write and execute), which makes fine-grained permission settings difficult.
  - Unreasonable allocation of permissions leads to serious consequences, such as setting 777 permissions on sensitive files or directories, or giving sensitive files special permissions such as SetUID.
- Mandatory Access Control (MAC) controls the access of specific processes to system file resources through the default policy rules of SELinux. In other words, even if you are the root user, if you use the wrong process to access a file resource, you will not be able to access it.
In this way, SELinux controls not only users and permissions, but also processes. Which file resources each process can access, and which processes each file resource can access, are determined by the SELinux rule policy.
Note that in SELinux, the default Linux permissions are still effective. That is to say, for a user to access a file, the user's permissions must satisfy the rwx permissions, and the process the user goes through must also comply with the SELinux policy rules.
However, there are so many processes and so many files in the system. If you manually allocate and specify them, the workload will be too large. Therefore, SELinux provides a lot of default policy rules, which are relatively complete. We will learn how to view and manage these policy rules later.
To give readers a clear picture of the role SELinux plays, here is an example. Suppose a vulnerability is discovered in apache that allows a remote user to access sensitive files of the system (such as /etc/shadow). If SELinux is enabled on our Linux system, then, because the apache service process does not have permission to access /etc/shadow, the remote user's access to /etc/shadow through apache will be blocked by SELinux. This is how SELinux protects the Linux system.
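The apache example above, and the point in the preceding paragraphs that a request must pass both the rwx check and the SELinux rules, can be made concrete with a small simulation. The following is an added example written for this article, not SELinux code and not part of the original page: it models DAC (owner/group/other rwx bits, with root bypassing them) and a toy type-enforcement policy (a set of allow rules keyed on process domain and file label). The domain and label names (httpd_t, shadow_t, httpd_sys_content_t, passwd_t) follow the naming style of the targeted policy, but the rule set, file modes and processes here are constructed for illustration.

```python
"""Toy model of Linux DAC combined with SELinux-style type enforcement.

Illustrative example only: the rules and sample objects are constructed
for this article and are not the real targeted policy.
"""
from dataclasses import dataclass


@dataclass
class File:
    path: str
    owner_uid: int
    group_gid: int
    mode: int      # classic permission bits, e.g. 0o644
    label: str     # SELinux type of the file, e.g. "shadow_t"


@dataclass
class Process:
    name: str
    uid: int
    gids: set
    domain: str    # SELinux type (domain) of the process, e.g. "httpd_t"


def dac_allows(proc, f, perm):
    """Discretionary check on rwx bits. root (uid 0) bypasses it entirely."""
    if proc.uid == 0:
        return True
    bits = {"read": (0o400, 0o040, 0o004),
            "write": (0o200, 0o020, 0o002),
            "execute": (0o100, 0o010, 0o001)}[perm]
    if proc.uid == f.owner_uid:
        return bool(f.mode & bits[0])
    if f.group_gid in proc.gids:
        return bool(f.mode & bits[1])
    return bool(f.mode & bits[2])


# Constructed allow rules in the shape "allow source_type target_type:class perm".
# Under MAC anything not explicitly allowed is denied, and the uid plays no role.
POLICY = {
    ("httpd_t", "httpd_sys_content_t", "file", "read"),
    ("httpd_t", "httpd_log_t", "file", "write"),
    ("passwd_t", "shadow_t", "file", "read"),
    ("passwd_t", "shadow_t", "file", "write"),
}


def mac_allows(proc, f, perm, policy=POLICY):
    """Mandatory check: is there an allow rule for this domain/label/perm?"""
    return (proc.domain, f.label, "file", perm) in policy


def access(proc, f, perm, policy=POLICY):
    """Combined decision: DAC and MAC must both allow, as the article states."""
    if not dac_allows(proc, f, perm):
        return False, "denied by DAC (rwx bits)"
    if not mac_allows(proc, f, perm, policy):
        return False, (f"denied by SELinux: no rule allow {proc.domain} "
                       f"{f.label}:file {perm}")
    return True, "allowed"


def scenarios():
    """Constructed objects reproducing the article's apache example."""
    shadow = File("/etc/shadow", 0, 0, 0o000, "shadow_t")
    index = File("/var/www/html/index.html", 0, 0, 0o644, "httpd_sys_content_t")
    private = File("/var/www/html/private.html", 0, 0, 0o600, "httpd_sys_content_t")
    httpd = Process("httpd", 48, {48}, "httpd_t")          # normal apache worker
    httpd_root = Process("httpd-as-root", 0, {0}, "httpd_t")  # same domain, uid 0
    passwd = Process("passwd", 0, {0}, "passwd_t")
    return {
        "httpd reads index.html": access(httpd, index, "read"),
        "httpd reads /etc/shadow": access(httpd, shadow, "read"),
        "root httpd reads /etc/shadow": access(httpd_root, shadow, "read"),
        "passwd reads /etc/shadow": access(passwd, shadow, "read"),
        "httpd reads private.html (mode 600)": access(httpd, private, "read"),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'} ({why})")
```

The "root httpd" case is the one that matters: DAC lets uid 0 through, yet the request still fails because no rule allows httpd_t to read shadow_t. The mode-600 case shows the opposite layer at work, a file the policy would allow but the rwx bits refuse.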
How to disable SELinux
```shell
# check the SELinux status
[root@vm01]# getenforce
# temporarily disable SELinux
[root@vm01]# setenforce 0
# permanently disable SELinux
[root@vm01]# vi /etc/selinux/config
# change SELINUX=enforcing to SELINUX=disabled
```
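The two ways of turning SELinux off above differ in scope: setenforce 0 lasts only until reboot, while the change to /etc/selinux/config takes effect at the next boot. A defender usually wants to detect both. The following is an added example, not part of the original article: it parses the text of /etc/selinux/config (the sample content is constructed here, modelled on the layout of the Red Hat file, whose comment block also mentions "SELINUX=" and would fool a naive grep), reports the mode SELinux will have after reboot, and compares it with what getenforce prints now. The function and variable names are this example's own.

```python
"""Audit /etc/selinux/config and compare it with the current getenforce output.

Added example for this article. SAMPLE_CONFIG is constructed text in the
shape of the real file; on a live system you would read /etc/selinux/config
and run `getenforce` instead.
"""
import re

SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
"""

ASSIGN = re.compile(r"^\s*([A-Z_]+)\s*=\s*(\S+)\s*$")
VALID_MODES = ("enforcing", "permissive", "disabled")


def parse_selinux_config(text):
    """Return KEY -> value for uncommented assignment lines; last one wins."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]   # drop full-line and trailing comments
        m = ASSIGN.match(line)
        if m:
            settings[m.group(1)] = m.group(2).lower()
    return settings


def boot_mode(text):
    """Mode SELinux will take after reboot, or 'unknown' if the key is
    missing or malformed (a missing key must not be read as enforcing)."""
    mode = parse_selinux_config(text).get("SELINUX")
    return mode if mode in VALID_MODES else "unknown"


def audit_config(text):
    """Findings worth raising: anything other than enforcing at next boot."""
    mode = boot_mode(text)
    if mode == "enforcing":
        return []
    return [f"SELINUX={mode}: policy will not be enforced after reboot"]


def check_runtime(getenforce_output, text):
    """Compare the live mode (what `getenforce` prints) with the configured one.

    Permissive now but enforcing in the file is the signature of a temporary
    `setenforce 0`; enforcing now but not in the file means the config was
    edited and the weakening will only show up after the next reboot.
    """
    now = getenforce_output.strip().lower()
    later = boot_mode(text)
    if now == later:
        return "consistent"
    if now == "permissive" and later == "enforcing":
        return "temporarily permissive (setenforce 0?); enforcing resumes at reboot"
    if now == "enforcing" and later != "enforcing":
        return f"enforcing now, but configured {later} for next boot"
    return f"mismatch: running {now}, configured {later}"


if __name__ == "__main__":
    print("boot mode:", boot_mode(SAMPLE_CONFIG))
    print("findings:", audit_config(SAMPLE_CONFIG))
    print(check_runtime("Permissive", SAMPLE_CONFIG))
```

Comments are stripped before matching on purpose: the stock file carries "# SELINUX= can take one of these three values:" right above the real setting, so matching on the first line containing "SELINUX=" would return the wrong answer.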