SELinux (Security-Enhanced Linux) in Fedora is an implementation of mandatory access control in the Linux kernel using the Linux Security Modules (LSM) framework. Standard Linux security is a discretionary access control model.
Discretionary access control (DAC)
DAC is standard Linux security, and it provides minimal protection from broken software or malware running as a normal user or root. Users can grant risky levels of access to files they own.
Mandatory access control (MAC)
MAC provides full control over all interactions of software. Administratively defined policy closely controls user and process interactions with the system, and can provide protection from broken software or malware running as any user.
目前 SELinux 支持三種模式,分別如下:
enforcing :強制模式,代表 SELinux 運作中,且已經正確的開始限制 domain/type 了;
permissive:寬容模式:代表 SELinux 運作中,不過僅會有警告訊息並不會實際限制 domain/type 的存取。這種模式可以
用來作為 SELinux 的 debug 之用;
disabled :關閉,SELinux 並沒有實際運作
在Linux下查看是否開啟了SeLinux,可以用下面兩種方法
1: 可以使用下面命令sestatus,SELinux status 為enabled表示開啟了SeLinux功能
[root@DB-Server ~]# /usr/sbin/sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
[root@DB-Server ~]#
[root@DB-Server ~]# /usr/sbin/sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
Process contexts:
Current context: root:system_r:unconfined_t:SystemLow-SystemHigh
Init context: system_u:system_r:init_t
/sbin/mingetty system_u:system_r:getty_t
/usr/sbin/sshd system_u:system_r:unconfined_t:SystemLow-SystemHigh
File contexts:
Controlling term: root:object_r:devpts_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/bash system_u:object_r:shell_exec_t
/bin/login system_u:object_r:login_exec_t
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/sbin/init system_u:object_r:init_exec_t
/sbin/mingetty system_u:object_r:getty_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t
You have new mail in /var/spool/mail/root
[root@DB-Server ~]#
2:使用命令getenforce
[root@DB-Server ~]# getenforce
Enforcing
如何開啟、關閉SeLinux呢?最簡單的方式使用setenforce,這樣不用重啟服務器. 但是該命令只能將SeLinux在enforcing、permissive這兩種模式之間切換.服務器重啟后,又會恢復到/etc/selinux/config 下,也就是說setenforce的修改是不能持久的。
[root@DB-Server ~]# setenforce 0
[root@DB-Server ~]# getenforce
Permissive
[root@DB-Server ~]# setenforce 1
[root@DB-Server ~]# getenforce;
Enforcing
[root@DB-Server ~]#
另外就是修改/etc/selinux/config ,如下所示,可以配置SELINUX為enforcing、permissive、disabled三個值,修改后必須重啟系統才能生效
[root@DB-Server ~]# more /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
You have new mail in /var/spool/mail/root
[root@DB-Server ~]#
如果由 enforcing 或 permissive 改成 disabled ,或由 disabled 改成其他兩個,那也必須要重新開機。這是因為 SELinux 是整合到核心里面去的, 你只可以在SELinux 運作下切換成為強制 (enforcing) 或寬容 (permissive) 模式,不能夠直接關閉 SELinux 的!同時,由 SELinux 關閉 (disable) 的狀態到開啟的狀態也需要重新開機啦!