SELinux introduction

SELinux (Security-Enhanced Linux) is a Linux security mechanism developed by the National Security Agency (NSA) to protect computer infrastructure. SELinux allows system administrators to define security policies much more flexibly than classic permissions do.

SELinux is a kernel-level security mechanism and has been integrated into the kernel since Linux 2.6. Because SELinux lives in the kernel, changes to its configuration file require a restart of the operating system to take effect.

The SELinux mechanism is integrated into all mainstream Linux distributions today, and it is turned on by default in CentOS/RHEL.

SELinux basic concepts

The security mechanism of an operating system actually restricts two things: processes and system resources (files, network sockets, system calls, etc.).

The Linux operating system restricts access to system resources through the concept of users and groups: every process runs as some user.

SELinux defines two basic concepts for these two things: the domain and the context.

The domain is used to restrict processes, and the context is used to restrict system resources.

We can use the command ps -Z to view the domain information of the current processes, which is their SELinux label:

[root@localhost docker-web-app]# ps -Z
LABEL PID TTY TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1692 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 92021 pts/0 00:00:00 ps

Through the ls -Z command we can view the file context, which is the SELinux information of the file:

[root@localhost /]# ls -Z
lrwxrwxrwx. root root system_u:object_r:bin_t:s0 bin -> usr/bin
dr-xr-xr-x. root root system_u:object_r:boot_t:s0 boot
drwxr-xr-x. root root system_u:object_r:default_t:s0 data
drwxr-xr-x. root root system_u:object_r:device_t:s0 dev
drwxr-xr-x. root root system_u:object_r:etc_t:s0 etc
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 home
lrwxrwxrwx. root root system_u:object_r:lib_t:s0 lib -> usr/lib
lrwxrwxrwx. root root system_u:object_r:lib_t:s0 lib64 -> usr/lib64
drwxr-xr-x. root root system_u:object_r:mnt_t:s0 media
drwxr-xr-x. root root system_u:object_r:mnt_t:s0 mnt
drwxr-xr-x. root root system_u:object_r:usr_t:s0 opt
dr-xr-xr-x. root root system_u:object_r:proc_t:s0 proc
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 root
drwxr-xr-x. root root system_u:object_r:var_run_t:s0 run
lrwxrwxrwx. root root system_u:object_r:bin_t:s0 sbin -> usr/sbin
drwxr-xr-x. root root system_u:object_r:var_t:s0 srv
dr-xr-xr-x. root root system_u:object_r:sysfs_t:s0 sys
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 tmp
drwxr-xr-x. root root system_u:object_r:usr_t:s0 usr
drwxr-xr-x. root root system_u:object_r:var_t:s0 var
system_u:object_r:admin_home_t:s0
# This string is divided into four fields:
# The first field, `system_u`, is the user
# The second field, `object_r`, is the role
# The third field, `admin_home_t`, is the type, the most important piece of information in SELinux
# The last field, `s0`, is related to MLS and MCS, and we do not need to worry about it for now.
  • system_u: the SELinux user. root is the identity of the root account, user_u is an ordinary user without privileges, and system_u is a system process. The identity type can be confirmed from the user, and it is generally used together with a role: the same identity combined with different roles has different permissions. Although you can switch accounts with the su command, the SELinux user does not change; the user identity remains the same when switching between accounts. In the targeted policy the user identity has no substantial effect.

  • object_r: object_r is generally the role of files and directories, and system_r is generally the role of processes; in the targeted policy a user's role is generally system_r. A role is similar to the concept of a user group: different roles carry different permissions, and a user can have multiple roles but only one role is active at a time. In the targeted policy the role has no substantive effect; the role of all processes is system_r.

  • admin_home_t: the type. Both files and processes have a type, and SELinux grants or denies access based on the combination of types involved.
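As an added example (not code from the original post), the following POSIX shell splits a context string as printed by ps -Z or ls -Z into its four fields, taking care with the level field, which can itself contain colons, and then scans ps -Z style output for processes running in the unconfined_t domain. The sample ps output is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: split a SELinux security
# context (as printed by "ps -Z" and "ls -Z") into its four fields.
# The level field may itself contain colons ("s0-s0:c0.c1023"), so only
# the first three colons separate user, role, type and level.

# selinux_context_field CONTEXT FIELD
#   FIELD is one of: user role type level.  Prints that field.
#   Returns 1 for a malformed context (fewer than three colons) or an
#   unknown FIELD.
selinux_context_field() {
    ctx=$1
    case "$ctx" in
        *:*:*:*) ;;                  # at least three colons: well formed
        *) return 1 ;;
    esac
    usr=${ctx%%:*};   rest=${ctx#*:}
    role=${rest%%:*}; rest=${rest#*:}
    typ=${rest%%:*};  lvl=${rest#*:}  # keeps any ':' inside the level
    case "$2" in
        user)  printf '%s\n' "$usr" ;;
        role)  printf '%s\n' "$role" ;;
        type)  printf '%s\n' "$typ" ;;
        level) printf '%s\n' "$lvl" ;;
        *)     return 1 ;;
    esac
}

# list_unconfined: read "ps -Z" style output on stdin and print "PID CMD"
# for every process whose domain is unconfined_t, i.e. a process that the
# targeted policy does not restrict.  The first line (LABEL PID TTY TIME
# CMD) is the header and is skipped.
list_unconfined() {
    tail -n +2 | while read -r label pid tty elapsed cmd; do
        typ=$(selinux_context_field "$label" type) || continue
        if [ "$typ" = unconfined_t ]; then
            printf '%s %s\n' "$pid" "$cmd"
        fi
    done
}

# Constructed sample in the format shown earlier in the post.
SAMPLE_PS='LABEL PID TTY TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1692 pts/0 00:00:00 bash
system_u:system_r:httpd_t:s0 2200 ? 00:00:01 httpd'

printf '%s\n' "$SAMPLE_PS" | list_unconfined   # prints: 1692 bash
```

On a real host, pipe `ps -eZ` into list_unconfined to see which processes the targeted policy leaves unrestricted.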

SELinux policy

In SELinux, we control which domains can access which contexts by defining policies.

SELinux ships with several preset policies, so we usually do not need to write policies ourselves unless we need to protect some service or program of our own.

In CentOS/RHEL the targeted policy is used by default, so what is the targeted policy?

The targeted policy means that only targeted processes are restricted by SELinux; non-targeted processes are not restricted by SELinux. Network-facing services are usually targeted processes, such as httpd, mysqld, dhcpd, etc.

CentOS's SELinux configuration file is the selinux file in the /etc/sysconfig/ directory. We can check its contents:

[root@localhost /]# cat /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

SELinux modes

SELinux has three working modes: enforcing, permissive and disabled

  • enforcing (enforcing mode): any action that violates the policy is denied and recorded in the kernel log

  • permissive (permissive mode): actions that violate the policy are not blocked, but a warning is logged (this mode is mainly used while first configuring a service's policy; enforcing mode is turned on once the policy is configured)

  • disabled (disabled mode): the cloud servers currently on the market are in this mode, which makes it easy for the entire system to be taken over once a single service is compromised. Disabling SELinux is the same as running a system without SELinux

View the current mode of SELinux:

[root@localhost /]# getenforce
Enforcing

Temporarily enable/disable SELinux

Setting the mode with setenforce is only a temporary change that is lost when the system restarts; to change it permanently, edit the SELinux main configuration file.

setenforce [0|1]
  • setenforce 0 sets permissive mode
  • setenforce 1 sets enforcing mode
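As an added example (not part of the original post), the following POSIX shell reads the SELINUX= value from a config file and compares it with the mode getenforce reports, flagging a persistent mode weaker than enforcing and a temporary setenforce change that no longer matches the file. The config contents are constructed; on a real host the audit would be called with /etc/sysconfig/selinux and the output of getenforce.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the persistent
# SELinux mode in the config file and compare it with the running mode
# reported by getenforce, so that a "setenforce 0" that has quietly
# outlived its purpose, or a config file set to disabled that will take
# effect at the next reboot, is noticed.

# selinux_config_mode CONFIG_FILE
#   Prints the value of the first uncommented SELINUX= assignment,
#   ignoring surrounding whitespace.  Returns 1 if there is none.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
        | head -n 1 | grep .
}

# selinux_mode_audit CONFIG_FILE RUNTIME_MODE
#   RUNTIME_MODE is what getenforce prints (Enforcing/Permissive/Disabled);
#   the config file uses lower case, so the runtime value is normalised.
#   Prints ok, weak, drift or missing and returns 0 only for ok.
selinux_mode_audit() {
    cfg=$(selinux_config_mode "$1") || { echo missing; return 1; }
    run=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "$cfg" != enforcing ]; then
        echo weak        # persistent mode is permissive or disabled
        return 2
    elif [ "$cfg" != "$run" ]; then
        echo drift       # e.g. setenforce 0 was run since the last boot
        return 3
    fi
    echo ok
}

# Constructed sample config in the format of /etc/sysconfig/selinux.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

# On a real host: selinux_mode_audit /etc/sysconfig/selinux "$(getenforce)"
selinux_mode_audit "$SAMPLE_CFG" Enforcing   # prints: ok
```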