op07-SELinux op

最新推荐文章于 2021-08-06 14:32:50 发布

原创最新推荐文章于 2021-08-06 14:32:50 发布 · 308 阅读

0 ·

CC 4.0 BY-SA版权

文章标签：

#selinux

PracticalOp 专栏收录该内容

7 篇文章

订阅专栏

本文详细介绍了SELinux的配置与使用方法，包括如何查看其状态、模式及临时与永久关闭方式。通过理解SELinux提供的更详细的权限控制，用户可以更好地保护系统免受提权攻击，并了解在实际应用中遇到的挑战。

op07-SELinux op

1 SELinux

SELinux提供了比默认ugo+rwx更详细的权限控制。开启SELinux后，即使因为0day漏洞被提权，相应程序的权限在SELinux控制下也不会造成太大影响。

SELinux复杂，会对某些程序的安装和使用带来极大的难度；在没有真正理解SELinux之前，建议关闭SELinux。

2 查看SELinux状态

[root@husa ~]# /usr/sbin/sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Process contexts:
Current context:                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context:                   system_u:system_r:init_t:s0
/usr/sbin/sshd                  system_u:system_r:sshd_t:s0-s0:c0.c1023

File contexts:
Controlling terminal:           unconfined_u:object_r:user_devpts_t:s0
/etc/passwd                     system_u:object_r:passwd_file_t:s0
/etc/shadow                     system_u:object_r:shadow_t:s0
/bin/bash                       system_u:object_r:shell_exec_t:s0
/bin/login                      system_u:object_r:login_exec_t:s0
/bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty                    system_u:object_r:getty_exec_t:s0
/sbin/init                      system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0

3 查看SELinux mode

[root@husa ~]# /usr/sbin/getenforce
Permissive

4 临时关闭SELinux

Use Enforcing or 1 to put SELinux in enforcing mode.
Use Permissive or 0 to put SELinux in permissive mode.

[root@husa ~]# setenforce 0
[root@husa ~]# setenforce 1

5 永久关闭SELinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

直接修改SELINUX的值为disabled然后重启