SELinux Introduction


SELinux Introduction

I follow a tutorial named five minutes to install Wordpress. Guess, How much time did I spent to install the fucking Wordpress in my fedora OS? The whole afternoon. Everything is fine except I configure a virtual host for Wordpress server and restart Apache. Then the nightmare coming, I restart Apache again and again with Access denied 404 Error every time. Finally I guess maybe the SELinux's problem. Then everything is Ok after I disable the SELinux and restart the machine.
A good tutorial of SELinux – security and SELinux

Table of Contents

  • 1 What's SELinux?
  • 2 Some Simple SELinux suit Utilities Usage
    • 2.1 Check current SELinux status
    • 2.2 Check file's security context
    • 2.3 change a file's security context

1 What's SELinux?

SELinux is Linux feature that provides a mechanism for supporting strict access control security policies, short for Security-Enhanced Linux. The key concepts underlying SELinux can be traced to several earlier project by the United States National security Agency.

Linux implemented some access control mechanism. One of them is Discretionary Access Control(DAC) which is the traditional file access control known as linux filesystem permission. You can control a file's permission by command "chown chmod" in this mechanism, really familiar with it right. The subject of this mechanism is the users and groups in linux, The access permission is decided by the following elements – programmer's owner, file resource's owner and file resource's permission (rwx).

This mechanism is works great when every programs with system access permission were well tested and without security flaw. But that's not the truth, programs are always have flaws in the reality, some of them maybe security crucial. Here is a scenario, A malicious or flawed program which have root role are running in a server, Then a evil fucker find it, That means this evil man have full access control of this server. That will be a disaster.

Another of the access control mechanism is mandatory access control (MAC), SELinux is the implementation of that in linux. The subject of this mechanism is the program itself, which means the access permission is targeted to special program with access permission to a set of file resource. In this mechanism, when a program want to access a file, first it must pass the DAC, then the kernel will check if the program have the access permission to this file by its security context. So when the evil guy control the vulnerable program, he can only get the access permission which distributed to this program.

2 Some Simple SELinux suit Utilities Usage

2.1 Check current SELinux status

sestatus

2.2 Check file's security context

ls -Z
get the result of
# the security context with the type: user:role:type# in following example user=system_u, role=object_t type=httpd_sys_content_t-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 openssl-toolkit.html
-rw-rw-r--. root root system_u:object_r:httpd_sys_content_t:s0 test.php

2.3 change a file's security context

# change file's security contextchcon -u system_u -r object_r -t httpd_sys_content_t
# change file's security context according to a reference filechcon --reference=./file target-file

Comments

Post a Comment

Popular posts from this blog

Bluedroid stack in android

Image
Bluedroid stack in android Table of Contents Bluetooth stack in android Bluedroid .VS. Bluez Porting guide of Bluedroid stack 1 Bluetooth stack in android From Android 4.2, google use Bluedroid stack as its default Bluetooth host stack, before android 4.2, its default Bluetooth host stack was Bluez, which is also the Linux distribution's default stack. So why google changed its Bluetooth stack? The reason is maybe that Bluez stack was designed for the desktop environment, so in order to port Bluez into android, android must solve some dependency issues, like porting Dbus, Linux desktop's default IPC, into android. So there are at least five processes to power Bluetooth before android 4.2, they are systems, Bluetooth APP, Bluez, hciattach, and Dbus. The damn thing is that there are bugs between them, so Bluetooth stack is the weakest part in the android system before android 4.2, yeah, it is the usual reason that android system corrupted. So, what's t
Read more

How to setup a NAT server?

Image
How to setup an NAT server? Table of Contents What is NAT? How to setup NAT host? a shell script from vbird's book 1 What is NAT? NAT stands for Network Address Transition, which is the basic function of gateway host. I try to hack Bluetooth tethering module in android this week, it include the Bluetooth Pan profile and the NAT setup process, which means in order to implement the Bluetooth tethering, first, two devices must be connected by Bluetooth Pan profile, and then the server part device acted as gateway host to supply the network forward service. In other words, after Bluetooth Pan profile connected, the server must to setup its NAT rules to forward the IP packages. So how to setup NAT rules? 2 How to setup NAT host? My memory is still fresh that at the start of my Linux journey, I setup my Linux desktop as an NAT host to provide Internet services for my lab's classmates. During the days as a programmer, I once did a job to hacking android&
Read more

Network programming in elisp

  Network API in elisp Table of Contents 1 Introduction 2 A example 3 Http server implemented by elisp 1 Introduction Emacs is not just an editor, Yes, that's true. Emacs lisp can do network connection programming by its network API. But there is something difference with other kinds of programming language. First, elisp do not support multi-thread, pretty cool, huh!! Yeh, Multi-threads programming is a horrible venture for you, right! Second, There is no socket similarly conception in elisp, and elisp provide network programming ability as processes. Elisp can open a network connection by function – open-network-stream .  It can make network connection server listen a special port by function - make-network-process . Both of those function return a process object. Then you can communicate with the process by process's API. 2 A example I write a snippet code to figure out How to use it. ( require ' cl ) ( defvar my-network-client-b
Read more