Moment For Technology

SELinux and Permission denied problems

Posted on Jan. 31, 2023, 1:03 p.m. by 張惠婷
Category: The back-end Tag: The programmer The back-end

Recently a colleague ran into a strange problem and asked me to look at it with him; it took a lot of effort to find the root cause.

The service loads a kernel module (LKM) with insmod, which had worked on every earlier release of CentOS, RHEL, Oracle Linux and Ubuntu. But on Oracle Linux 7.7, the latest version we tested, the kernel module simply could not be loaded.

I added a log line to the service application to confirm that insmod was actually executed, and also added the insmod call to the service's startup script, but the service still would not come up at boot. Suspecting that insmod itself was failing, I changed the system() call to popen() and appended 2>&1 to the ./test command so that the error output was redirected to standard output:

insmod error! errcode:-13, permision denied.

The service is started by running service XXX start as user root.

SELinux is enabled by default on this system. I tried disabling SELinux; after that the module loaded and the service worked properly.

So what exactly is SELinux? Here is a quick introduction.

SELinux, short for Security-Enhanced Linux, is a security module shipped with many Linux server distributions. It can be configured to decide whether one subject may perform an action on an object, for example whether a server program may read and write files in user zyg's home directory. The following figure shows an example:

However, running with SELinux enabled sometimes leads to unexpected access denials (read, write, execute and so on). If you hit such a problem on a Linux server with SELinux enabled and the ordinary file permissions are correct, SELinux is the likely cause. Typically the problem is an incorrect security context (also called a security label) on the affected file or directory; these concepts are described in more detail below.

Experimental environment for this article:

[root@<host> test]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
[root@<host> test]# uname -r
3.10.0-693.el7.x86_64

SELinux modes

SELinux has three modes: Enforcing, Permissive and Disabled.

In enforcing mode, SELinux enforces the configured policy: any program or user that attempts an access the policy does not allow is denied, and the event is recorded in the relevant log file.

In permissive mode, SELinux does not enforce the configured policy, so the rules have no effect on access decisions, but accesses that violate the policy are still recorded in the system logs.

In disabled mode, SELinux is inactive and no audit logs are recorded.

The current SELinux mode can be viewed with getenforce or sestatus:

[root@<host> test]# getenforce

[root@<host> test]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

How do I turn SELinux off? There are two ways:

1. Temporarily disable SELinux (switch to permissive mode until the next reboot):

setenforce 0

2. Permanently disable SELinux by editing the configuration file:

vi /etc/selinux/config

Change SELINUX=enforcing to SELINUX=disabled, save the file and exit the editor, then reboot the system for the change to take effect.

SELinux policy

At the heart of SELinux is its policy, which is the engine of SELinux. A policy is a set of rules that define security and access rights for every object on the system. Since everything on Linux is a file, "objects" here include users, roles, processes, files and so on. The policy defines how each object may relate to another object.

To understand policy, let's look at a few basic concepts:

  • Users. Every regular user on a Linux system is mapped to one or more SELinux users. In Linux, an account is used to run programs: for example, account AAA uses vi to open the file test.txt, or a service account runs the httpd daemon. In SELinux, a process (a daemon or any running program) is called a subject.
  • Roles. A role is like a gateway between a user and a process. A role defines which users can access and execute a process. A role is more like a filter than a group: a user can enter or assume a role only when the role is authorized for that user. Roles in an SELinux policy define which groups of users may access the role and which process domains the role may access. Roles exist because SELinux implements a partial role-based access control (RBAC) mechanism.
  • Subjects and objects. A subject is a process that can potentially affect an object. An object in SELinux is anything that can be acted upon: a file, directory, port, TCP socket, cursor or X server. The operations a subject may perform on an object are its permissions.
  • Domains. A domain is the context in which an SELinux subject (process) runs. The context is like a wrapper around the subject: it tells the process what it can and cannot do. For example, a domain defines which files, directories, links, devices or ports a subject may access.
  • Types. A type is the context of a file, specifying the purpose of the file. For example, the context of a file may indicate that it is a web page, that the file belongs under the /etc directory, or that the file is owned by a specific SELinux user. In SELinux terminology, the context of a file is called its type.

In summary, a policy is a set of rules specifying that one or more users may only assume one or more roles, and that these roles are only authorized to access one or more domains. These domains, in turn, may access only certain file types. The following diagram shows the relationship between these concepts:

Finally, a process running in a particular domain can only perform certain operations on certain types of objects; this is known as type enforcement (TE).

Security context

The security context has four parts: user, role, type (or domain) and sensitivity.

  • User, role and sensitivity apply to files as well as processes;
  • The domain applies to processes (for a file the same field is called its type);
  • SELinux users carry the suffix '_u', roles '_r', and types or domains '_t'.

You can run the secon command to view the current user, role, type and sensitivity:

[root@<host> test]# secon
user: unconfined_u
role: unconfined_r
type: unconfined_t
sensitivity: s0
clearance: s0:c0.c1023
mls-range: s0-s0:c0.c1023

You can use the id -Z command to view the security context of the current account:

[root@<host> ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@<host> ~]# id -Z

To see the security context SELinux has applied to files or directories, run one of the following commands:

ls -Z
ls --context
ls --lcontext
ls --scontext

On systems with SELinux enabled, you can add the -Z option to the ps command to display the security context each process runs in:

[root@<host> test]# ps -eZf|grep login
system_u:system_r:systemd_logind_t:s0 root 756     1  0 19:30 ?        00:00:00 /usr/lib/systemd/systemd-logind
system_u:system_r:local_login_t:s0-s0:c0.c1023 root 795 1  0 19:30 ?   00:00:04 login -- root
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 4489 1738  0 22:29 pts/0 00:00:00 grep --color=auto login

You can change the security context of a file with the chcon command.

4. SELinux benefits

SELinux has the following advantages:

  • All processes and files are labelled, and SELinux policy rules define how processes interact with files and with each other. All access is denied unless the policy explicitly allows it. This is a very secure design, but it also means that developers must anticipate every permission each process might need on every possible object. By default, therefore, SELinux confines only certain processes.
  • Fine-grained access control. SELinux access decisions go beyond traditional UNIX permissions, which are set by the owner and based on Linux user and group IDs; they take all available information into account, such as the SELinux user, role, type and (optionally) security level.
  • SELinux policy is system-wide and can only be configured and managed by administrators.
  • Improved mitigation of privilege escalation attacks. Processes run in domains and are therefore isolated from each other. SELinux policy rules define how processes may access files and other processes. If a process is compromised, the attacker gains only the normal capabilities of that process and access to the files it has been configured to use. For example, if the Apache HTTP Server is compromised, the attacker cannot use that process to read files in users' home directories unless an SELinux policy rule specifically allowing such access has been added or configured.
  • SELinux can be used to enforce data confidentiality and integrity and to protect processes from untrusted input.

However, SELinux is designed to enhance existing security mechanisms, not to replace them. Even with SELinux running you must continue to follow good security practices, such as keeping software up to date, using hard-to-guess passwords and running a firewall.

SELinux related tools

1. semanage

semanage, provided by the policycoreutils-python.x86_64 package, can be used to view and change SELinux configuration.

For example, semanage login -l lists the mapping of Linux logins to SELinux users:

2. setroubleshoot

It may not be installed by default; install it as follows:

yum install setroubleshoot-server

service auditd restart

Once installed, whenever SELinux blocks something you can look directly in /var/log/messages, where the log entry includes a recommended solution.

3. audit2allow

audit2allow reads the denials recorded in the audit log and produces a set of policy rules that would allow the behaviour SELinux blocked.
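To make the security context format (user:role:type:level, described in the Security context section) and the audit2allow workflow concrete, here is an added example that is not part of the original post. It parses a context string, extracts the source context, target context, class and permissions from a constructed AVC denial line, and renders the TE allow rule that audit2allow would propose for it; the sample log line and the helper names are assumptions.

```python
"""Parse SELinux security contexts and AVC denial lines (added example)."""
import re
from typing import NamedTuple, Optional

class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: str  # sensitivity, optionally with range/categories, e.g. "s0-s0:c0.c1023"

def parse_context(ctx: str) -> Context:
    """Split 'user:role:type:level' as printed by id -Z, ls -Z or ps -eZ."""
    user, role, typ, level = ctx.split(":", 3)  # the level itself may contain ':'
    # SELinux naming convention: users end in _u, roles in _r, types/domains in _t
    if not (user.endswith("_u") and role.endswith("_r") and typ.endswith("_t")):
        raise ValueError(f"unexpected context: {ctx}")
    return Context(user, role, typ, level)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
                    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)")

def parse_avc(line: str) -> Optional[dict]:
    """Extract permissions, source/target contexts and class from one audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None  # not an AVC denial (e.g. a SYSCALL record)
    return {"perms": m.group("perms").split(),
            "source": parse_context(m.group("s")),
            "target": parse_context(m.group("t")),
            "tclass": m.group("cls")}

def suggested_rule(denial: dict) -> str:
    """Render the type-enforcement allow rule audit2allow would propose."""
    perms = " ".join(denial["perms"])
    return f"allow {denial['source'].type} {denial['target'].type}:{denial['tclass']} {{ {perms} }};"

# Constructed sample audit line (not from a real system): httpd denied read
# access to a file in a user's home directory, the case the article mentions.
SAMPLE_AVC = ('type=AVC msg=audit(1675170000.123:456): avc:  denied  { read } for '
              'pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=789 '
              'scontext=system_u:system_r:httpd_t:s0 '
              'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0')

if __name__ == "__main__":
    d = parse_avc(SAMPLE_AVC)
    print(d["source"].type, "->", d["target"].type, d["tclass"], d["perms"])
    print(suggested_rule(d))  # allow httpd_t user_home_t:file { read };
```

Before adding such a rule to a local policy module, check whether the denial is really a mislabelled file (fixable with restorecon or chcon) rather than a missing rule.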

If you are interested in SELinux, search online for more information.


If you are interested, you can follow my WeChat official account [Big Fat Chat programming], where I share more articles. You can also contact me there and add me as a friend to exchange ideas and learn together.
