
How to use SELinux to secure CentOS systems

WBOY
2023-07-05 09:25:06

How to use SELinux to protect CentOS system security

Introduction:
In today's Internet environment, protecting the operating system has become increasingly important. CentOS, a popular Linux distribution, provides powerful tools and features for maintaining system security. One important component is SELinux, a security enhancement system developed by the US National Security Agency (NSA) that can effectively reduce the risk of malicious attacks and unauthorized access to the system. This article introduces how to use SELinux to protect CentOS systems, with some practical code examples.

1. What is SELinux:
SELinux is a security mechanism based on Mandatory Access Control (MAC) that provides an additional layer of security for Linux systems. It limits access in the system by defining objects (such as files, directories, and processes), subjects (such as users and processes), and operations (such as read, write, and execute). By associating each resource and operation with a security policy, SELinux can control these accesses and provide more granular protection.

2. Turn on SELinux:
On CentOS systems, SELinux is disabled by default. To enable SELinux, you can follow these steps:

  1. Edit the /etc/selinux/config file:

    vi /etc/selinux/config
  2. Find the following line and modify it to "enforcing":

    SELINUX=enforcing
  3. Save and close the file, then restart the system:

    reboot

3. Basic SELinux commands:
Once SELinux is enabled, you can use the following basic commands to manage and configure it:

  1. Get SELinux status:

    sestatus
  2. Temporarily change the SELinux mode:

    setenforce 0     # Switch to permissive mode
    setenforce 1     # Switch to enforcing mode
  3. Modify the SELinux context of a file or directory:

    chcon -R -t httpd_sys_content_t /var/www/html   # Set the context of /var/www/html to httpd_sys_content_t so that Apache can access it

4. Configure SELinux policy:
In addition to the basic commands, you can also change the SELinux policy to suit your application and environment. The following are some commonly used SELinux configuration examples:

  1. Custom SELinux policy module:

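    cat > myapp.te <<-EOF
    module myapp 1.0;

    # Both types must already exist in the loaded policy
    require {
        type httpd_t;
        type myapp_t;
        class file { open read };
    }

    # Let the Apache domain open and read files labeled myapp_t
    allow httpd_t myapp_t:file { open read };

    EOF

    checkmodule -M -m -o myapp.mod myapp.te      # Compile the module source
    semodule_package -o myapp.pp -m myapp.mod    # Package the compiled module
    semodule -i myapp.pp                         # Install the policy package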
  2. View SELinux context:

    ls -Z /path/to/file    # Show the SELinux context of the specified file
  3. Modify the default SELinux context of the file:

    semanage fcontext -a -t httpd_sys_content_t '/var/www/myapp(/.*)?'    # Set the context of /var/www/myapp and its subdirectories to httpd_sys_content_t
    restorecon -Rv /var/www/myapp    # Apply the context change
  4. Customize the SELinux exception policy:

    audit2allow -a    # Generate an exception policy from the audit log
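
Because `audit2allow -a` turns every logged denial into an allow rule, it helps to see what was denied before accepting its output. The following is an added example, not part of the original article: a shell function that tallies AVC denials by source type, target type, class and permission, and marks target types that usually point to a mislabeled file, which is better fixed with `semanage fcontext` and `restorecon` than with a new rule. The sample log lines, the function name `summarize_avc` and the list of "mislabel" types are assumptions made for this example.

```bash
#!/bin/sh
# Added example: review AVC denials before turning them into allow rules.

# Constructed audit records (not taken from a real system).
SAMPLE_LOG='type=AVC msg=audit(1688520001.101:411): avc:  denied  { read } for  pid=2201 comm="httpd" name="index.html" dev="dm-0" ino=5001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1688520001.101:411): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1688520007.330:415): avc:  denied  { read } for  pid=2203 comm="httpd" name="logo.png" dev="dm-0" ino=5002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1688520042.900:420): avc:  denied  { read open } for  pid=2210 comm="httpd" path="/opt/myapp/data.db" dev="dm-0" ino=7001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:myapp_t:s0 tclass=file permissive=0'

# Reads audit records on stdin and prints, most frequent first:
#   COUNT SOURCE_TYPE TARGET_TYPE:CLASS PERMISSION HINT
# HINT is "relabel" when the target type is one that usually means a
# mislabeled file (heuristic list assumed for this example), else "review".
summarize_avc() {
  awk '
    /avc: +denied/ {
      perms = src = tgt = cls = ""
      # The denied permissions sit between "{ " and " }"
      if (match($0, /[{] [^}]* [}]/)) perms = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        # A context is user:role:type:level; the type is the third part
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   cls = substr($i, 8)
      }
      hint = (tgt ~ /^(default_t|unlabeled_t|user_home_t|admin_home_t)$/) ? "relabel" : "review"
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) seen[src " " tgt ":" cls " " p[j] " " hint]++
    }
    END { for (k in seen) print seen[k], k }
  ' | sort -k1,1nr -k2
}

# Demonstration on the constructed sample above.
printf '%s\n' "$SAMPLE_LOG" | summarize_avc
```

On a real host, feed it the audit log instead, for example `summarize_avc < /var/log/audit/audit.log`.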

5. Conclusion:
SELinux is a powerful tool in CentOS systems to protect operating system security. By restricting access to resources and operations, SELinux can effectively reduce the risk of malicious attacks and unauthorized access to the system. This article explains how to enable SELinux, basic SELinux commands, and some common SELinux configuration examples. I hope this article can provide you with guidance on how to use SELinux to secure your CentOS system and help you master relevant skills in practice.

