op07-SELinux op

Source: Internet  Published by: 用友软件畅捷通  Editor: 程序博客网  Time: 2024/05/21 09:17


1 SELinux

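SELinux provides finer-grained permission control than the default ugo+rwx model. With SELinux enabled, even if a 0day vulnerability is used to escalate privileges, the affected program's privileges remain under SELinux control, so the impact stays limited.

SELinux is complex and can make installing and using some programs much harder; until you really understand SELinux, it is recommended to turn it off.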

2 Check SELinux status

[root@husa ~]# /usr/sbin/sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
Process contexts:
Current context:                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context:                   system_u:system_r:init_t:s0
/usr/sbin/sshd                  system_u:system_r:sshd_t:s0-s0:c0.c1023
File contexts:
Controlling terminal:           unconfined_u:object_r:user_devpts_t:s0
/etc/passwd                     system_u:object_r:passwd_file_t:s0
/etc/shadow                     system_u:object_r:shadow_t:s0
/bin/bash                       system_u:object_r:shell_exec_t:s0
/bin/login                      system_u:object_r:login_exec_t:s0
/bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty                    system_u:object_r:getty_exec_t:s0
/sbin/init                      system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0

3 Check the SELinux mode

[root@husa ~]# /usr/sbin/getenforce
Permissive

4 Temporarily disable SELinux

Use Enforcing or 1 to put SELinux in enforcing mode.
Use Permissive or 0 to put SELinux in permissive mode.

[root@husa ~]# setenforce 0
[root@husa ~]# setenforce 1

5 Permanently disable SELinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Change the value of SELINUX to disabled directly, then reboot.
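Sections 2, 4 and 5 together imply a check worth automating: setenforce changes only the running mode, while the config file decides the mode after reboot, and sestatus reports both. The script below is an added example, not part of the original post; the function names are hypothetical and the sample inputs are abridged or constructed as labelled.

```shell
#!/bin/sh
# Added example: classify SELinux state from `sestatus` output.
# Field names are the ones sestatus prints above; function names are hypothetical.

# Print the value of one "Name:   value" field from sestatus text on stdin.
sestatus_field() {
    sed -n "s/^$1:[[:space:]]*//p" | sed 's/[[:space:]]*$//' | head -n 1
}

# Compare the running mode with the mode the config file will apply at boot.
selinux_audit() {
    report=$(cat)
    status=$(printf '%s\n' "$report" | sestatus_field 'SELinux status')
    current=$(printf '%s\n' "$report" | sestatus_field 'Current mode')
    config=$(printf '%s\n' "$report" | sestatus_field 'Mode from config file')
    if [ "$status" != "enabled" ]; then
        echo "DISABLED: no policy loaded"
    elif [ "$current" != "$config" ]; then
        echo "DRIFT: running $current, config file says $config"
    elif [ "$current" != "enforcing" ]; then
        echo "NOT-ENFORCING: $current now and after reboot"
    else
        echo "OK: enforcing now and after reboot"
    fi
}

# Abridged from the sestatus output shown in section 2.
SAMPLE_PAGE='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive'

# Constructed: state after `setenforce 0` on a host whose config says enforcing.
SAMPLE_DRIFT='SELinux status:                 enabled
Current mode:                   permissive
Mode from config file:          enforcing'

# Constructed: state after SELINUX=disabled and a reboot.
SAMPLE_DISABLED='SELinux status:                 disabled'

# On a live host the equivalent call is: sestatus | selinux_audit
printf '%s\n' "$SAMPLE_PAGE" | selinux_audit
printf '%s\n' "$SAMPLE_DRIFT" | selinux_audit
printf '%s\n' "$SAMPLE_DISABLED" | selinux_audit
```

A DRIFT result is the one to investigate during an audit, since it means the running mode was changed at runtime or the config was edited without a reboot.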
