document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2025-01-25 23:11:02 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3956 from alim0x/master

Browse Source 
[translated]20160204 An Introduction to SELinux
This commit is contained in:
Yuanhao Luo 2016-05-03 23:19:27 +08:00
commit db16170303
2 changed files with 139 additions and 138 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

138
sources/tech/20160204 An Introduction to SELinux.md
View File

@ -1,138 +0,0 @@
alim0x translating
An Introduction to SELinux
===============================
![](https://www.linux.com/images/stories/66866/jack2-selinux_a.png)
>Figure 1: The getenforce command reporting SELinux is set to Enforcing.
Way back in kernel 2.6, a new security system was introduced to provide a mechanism for supporting access control security policies. This system was [Security Enhanced Linux (SELinux)][1] and was introduced by the [National Security Administration (NSA)][2] to incorporate a strong Mandatory Access Control architecture into the subsystems of the Linux kernel.
If youve spent your entire Linux career either disabling or ignoring SELinux, this article is dedicated to you — an introduction to the system that lives “under the hood” of your Linux desktop or server to limit privilege or even eliminate the possibility of damage should programs or daemons become compromised.
Before I begin, you should know that SELinux is primarily a tool for Red Hat Linux and its derivatives. The likes of Ubuntu and SUSE (and their derivatives) make use of AppArmor. SELinux and AppArmor are significantly different. You can install SELinux on SUSE, openSUSE, Ubuntu, etc., but its an incredibly challenging task unless youre very well versed in Linux.
With that said, let me introduce you to SELinux.
### DAC vs. MAC
The old-guard standard form of access control on Linux was Discretionary Access Control (DAC). With this form, an application or daemon runs under either User ID (UID) or Set owner User ID (SUID) and holds object permissions (for files, sockets, and other processes) of that user. This made it easier for malicious code to be run with a permission set that would grant it access to crucial subsystems.
Mandatory Access Control (MAC), on the other hand, enforces the separation of information based on both confidentiality and integrity to enable the confinement of damage. The confinement unit operates independently of the traditional Linux security mechanisms and has no concept of a superuser.
### How SELinux Works
Consider these pieces of the SELinux puzzle:
- Subjects
- Objects
- Policy
- Mode
When a subject (such as an application) attempts to access an object (such as a file), the SELinux Security Server (inside the kernel) runs a check against the Policy Database. Depending on the current mode, if the SELinux Security Server grants permission, the subject is given access to the object. If the SELinux Security Server denies permission, a denied message is logged in /var/log/messages.
Sounds relatively simple, right? Theres actually more to it than that, but for the sake of introduction, those are the important steps.
### The Modes
SELinux has three modes (which can be set by the user). These modes will dictate how SELinux acts upon subject request. The modes are:
- Enforcing — SELinux policy is enforced and subjects will be denied or granted access to objects based on the SELinux policy rules
- Permissive — SELinux policy is not enforced and does not deny access, although denials are logged
- Disabled — SELinux is completely disabled
Out of the box, most systems have SELinux set to Enforcing. How do you know what mode your system is currently running? You can use a simple command to report the mode; that command is getenforce. This command is incredibly simple to use (as it has the singular purpose of reporting the SELinux mode). To use this tool, open up a terminal window and issue the command getenforce. The report will come back with either, Enforcing, Permissive, or Disabled (see Figure 1 above).
Setting the SELinux mode is actually quite simple — depending upon the mode you want to set. Understand this: It is never recommended to set SELinux to Disable. Why? When you do this, you open up the possibility that files on your disk will be mislabeled and require a re-label to fix. It is also not possible to change the mode of a system when it has been booted in Disabled mode. Your best modes are either Enabled or Permissive.
You can change the SELinux mode from the command line or in the /etc/selinux/config file. To set the mod via command line, you use the setenforce tool. To set the mode to Enforcing, do the following:
1. Open up a terminal window
2. Issue the command su and then enter your administrator password
3. Issue the command setenforce 1
4. Issue the command getenforce to ensure the mode has been set (Figure 2)
![](https://www.linux.com/images/stories/66866/jack-selinux_b.png)
>Figure 2: Setting the SELinux mode to Enforcing.
To set the mode to Permissive, do this:
1. Open up a terminal window
2. Issue the command su and then enter your administrator password
3. Issue the command setenforce 0
4. Issue the command getenforce to ensure the mode has been set (Figure 3)
![](https://www.linux.com/images/stories/66866/jack-selinux_c.png)
>Figure 3: Setting the SELinux mode to Permissive.
NOTE: Setting the mode via command line overrides the setting in the SELinux config file.
If youd prefer to set the mode in the SELinux command file, open up that particular file in your favorite text editor and look for the line:
>SELINUX=permissive
You can change the mode to suit your preference and then save the file.
There is also a third method of changing the SELinux mode (via the bootloader), but I dont recommend it for a beginning user.
### Policy Type
There are two types of SELinux policies:
- Targeted — only targeted network daemons (dhcpd, httpd, named, nscd, ntpd, portmap, snmpd, squid, and syslogd) are protected
- Strict — full SELinux protection for all daemons
You can change the policy type within the /etc/selinux/config file. Open the file in your favorite text editor and look for the line:
>SELINUXTYPE=targeted
Change the option in that line to either targeted or strict to match your needs.
### Checking the Full SELinux Status
There is a handy SELinux tool you might want to know about that will display a detailed status report of your SELinux-enabled system. The command is run from a terminal window like this:
>sestatus -v
You should see output similar to that shown in Figure 4.
![](https://www.linux.com/images/stories/66866/jack-selinux_d.png)
>Figure 4: The output of the sestatus -v command.
### Just Scratching the Surface
As you might expect, I have only scratched the surface of SELinux. It is quite a complex system and will require diving much deeper to obtain a solid understanding of how it works for you and how you can make it better work for your desktops and servers. I still have yet to cover troubleshooting and creating custom SELinux policies.
SELinux is a powerful tool that any Linux administrator should know. Now that youve been introduced, I highly recommend you return to Linux.com (when more tutorials on the subject are posted) or take a look at the [NSA SELinux documentation][3] for very in-depth tutorials.
--------------------------------------------------------------------------------
via: https://www.linux.com/learn/docs/ldp/883671-an-introduction-to-selinux
作者:[Jack Wallen][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://www.linux.com/community/forums/person/93
[1]: http://selinuxproject.org/page/Main_Page
[2]: https://www.nsa.gov/research/selinux/
[3]: https://www.nsa.gov/research/selinux/docs.shtml

139
translated/tech/20160204 An Introduction to SELinux.md Normal file
View File

@ -0,0 +1,139 @@
An Introduction to SELinux
===============================
![](https://www.linux.com/images/stories/66866/jack2-selinux_a.png)
>图 1getenforce 命令显示 SELinux 的状态是 Enforcing 启用状态。
回到 Kernel 2.6 时代,那时候引入了一个新的安全系统,用以提供访问控制安全策略的机制。这个系统就是 [Security Enhanced Linux (SELinux)][1],它是由[美国国家安全局NSA][2]引入的,合并进 Linux 内核子系统的强制控制访问架构实现。
如果你在你整个 Linux 生涯中禁用或忽略 SELinux这篇文章就是为你量身定制的——对存在于你的 Linux 桌面或服务器之下的 SELinux 系统的介绍,它能够限制权限,甚至消除程序或守护进程的妥协而造成破坏的可能性。
在我开始之前,你应该了解的是 SELinux 主要是红帽 Red Hat Linux 以及它的衍生发行版的一个工具。这就类似 Ubuntu 和 SUSE以及它们的衍生发行版使用 AppArmor 一样。SELinux 和 AppArmor 有显著的不同。你可以在 SUSEopenSUSEUbuntu 等等发行版上安装 SELinux但这是项难以置信的挑战除非你十分精通 Linux。
说了这么多,让我来向你介绍 SELinux。
### DAC vs. MAC
Linux 上保守的访问控制标准是自主访问控制Discretionary Access ControlDAC。在这种形式下一个软件或守护进程运行在 User IDUID或 Set User IDSUID并且拥有该用户的目标权限文件套接字以及其它进程。这使得恶意代码很容易运行在特定权限之下从而取得访问关键的子系统的权限。
另一方面强制访问控制Mandatory Access ControlMAC基于保密性和完整性强制信息的隔离以限制破坏。限制单元相对于传统的 Linux 安全机制独立运作,并且没有超级用户的概念。
### SELinux 如何工作
考虑一下 SELinux 的相关概念:
- Subjects 主体
- Objects 目标
- Policy 策略
- Mode 模式
当一个主体Subject如一个程序尝试访问一个目标Object如一个文件SELinux 安全服务器SELinux Security Server在内核中从策略数据库中运行一个检查。基于当前的模式如果 SELinux 安全服务器授予权限,该主体就能够访问该目标。如果 SELinux 安全服务器拒绝了权限,一条拒绝信息会被记录到 /var/log/messages。
听起来相对比较简单是不是?实际上过程要更加复杂,但为了简单介绍,这些是重要的步骤。
### 模式
SELinux 有三个模式(可以由用户设置)。这些模式将规定 SELinux 在主体请求时如何应对。这些模式是:
- Enforcing — SELinux 策略强制执行,基于 SELinux 策略规则授予或拒绝主体对目标的访问
- Permissive — SELinux 策略不强制执行,不实际拒绝访问,但会有警告信息且拒绝会写入日志
- Disabled — 完全禁用 SELinux
默认情况下,大部分系统的 SELinux 设置为 Enforcing。你要如何知道你的系统当前是什么模式你可以使用一条简单的命令来查看这条命令就是 getenforce。这个命令用起来难以置信的简单因为它仅仅用来报告 SELinux 的模式)。要使用这个工具,打开一个终端窗口并执行 getenforce 命令。命令会返回 EnforcingPermissive或者 Disabled见上方图 1
设置 SELinux 的模式实际上很简单——取决于你想设置什么模式。记住:永远不推荐关闭 SELinux。为什么当你这么做了你就有了这种可能性你磁盘上的文件可能会被打上错误的标签需要你重新标签来修复。而且你无法修改一个以 Disabled 模式启动的系统的模式。你的最佳模式是 Enforcing 或者 Permissive。
你可以从命令行或 /etc/selinux/config 文件更改 SELinux 的模式。要从命令行设置模式,你可以使用 setenforce 工具。要设置 Enforcing 模式,按下面这么做:
1. 打开一个终端窗口
2. 执行 su 然后输入你的管理员密码
3. 执行 setenforce 1
4. 执行 getenforce 确定模式已经正确设置(图 2
![](https://www.linux.com/images/stories/66866/jack-selinux_b.png)
>图 2设置 SELinux 模式为 Enforcing。
要设置模式为 Permissive这么做
1. 打开一个终端窗口
2. 执行 su 然后输入你的管理员密码
3. 执行 setenforce 0
4. 执行 getenforce 确定模式已经正确设置(图 3
![](https://www.linux.com/images/stories/66866/jack-selinux_c.png)
>图 3设置 SELinux 模式为 Permissive.
注:通过命令行设置模式会覆盖 SELinux 配置文件中的设置。
如果你更愿意在 SELinux 命令文件中设置模式,用你喜欢的编辑器打开那个文件找到这一行:
>SELINUX=permissive
你可以按你的偏好设置模式,然后保存文件。
还有第三种方法修改 SELinux 的模式(通过 bootloader但我不推荐新用户这么做。
### 策略类型
SELinux 策略有两种:
- Targeted — 只有目标网络进程dhcpdhttpdnamednscdntpdportmapsnmpdsquid以及 syslogd受保护
- Strict — 对所有进程完全的 SELinux 保护
你可以在 /etc/selinux/config 文件中修改策略类型。用你喜欢的编辑器打开这个文件找到这一行:
>SELINUXTYPE=targeted
修改这个选项为 targeted 或 strict 以满足你的需求。
### 检查完整的 SELinux 状态
有个方便的 SELinux 工具,你可能想要用它来获取你启用了 SELinux 的系统的详细状态报告。这个命令在终端像这样运行:
>sestatus -v
你可以看到像图 4 那样的输出。
![](https://www.linux.com/images/stories/66866/jack-selinux_d.png)
>图 4sestatus -v 命令的输出。
### 仅是皮毛
和你预想的一样,我只介绍了 SELinux 的一点皮毛。SELinux 的确是个复杂的系统,想要更扎实地理解它是如何工作的,以及了解如何让它更好地为你的桌面或服务器工作需要更加地深入。我的内容还没有覆盖到疑难解答和创建自定义 SELinux 策略。
SELinux 是所有 Linux 管理员都应该知道的强大工具。现在已经向你介绍了 SELinux我强烈推荐你回到 Linux.com当有更多关于此话题的文章发表的时候或看看 [NSA SELinux 文档][3] 获得更加深入的指南。
LCTT - 相关阅读:[鸟哥的 Linux 私房菜——程序管理与 SELinux 初探][4]
--------------------------------------------------------------------------------
via: https://www.linux.com/learn/docs/ldp/883671-an-introduction-to-selinux
作者:[Jack Wallen][a]
译者:[alim0x](https://github.com/alim0x)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://www.linux.com/community/forums/person/93
[1]: http://selinuxproject.org/page/Main_Page
[2]: https://www.nsa.gov/research/selinux/
[3]: https://www.nsa.gov/research/selinux/docs.shtml
[4]: http://vbird.dic.ksu.edu.tw/linux_basic/0440processcontrol_5.php