SELinux and permission denied problems
Recently a colleague of mine ran into a strange problem and asked me to look at it with him; it took quite a bit of digging to find the root cause.
insmod is the command that loads a kernel module (LKM), and it had worked on every previous release of CentOS, RHEL, Oracle Linux and Ubuntu we had tried. But on Oracle Linux 7.7, the latest version tested, the kernel module simply could not be loaded.
We first added a log line to the service application to confirm that insmod was actually being executed, and then added insmod to the service startup script; the module still could not be brought up at boot. I suspected insmod itself was failing, so I replaced the system() call with popen() and redirected stderr to stdout (2>&1 after ./test):
insmod error! errcode:-13, permision denied.
MySQL ran service XXX start as the root user.
SELinux is enabled by default, so I tried disabling it; after that the module loaded properly.
So what exactly is SELinux? Here is a quick introduction.
SELinux, short for Security-Enhanced Linux, is a security module found in many Linux server distributions. It can be configured to decide whether one subject may perform a given action on an object, for example whether a server program can read and write files in the zyg user's home directory. The following figure shows an example:
However, running SELinux sometimes leads to unexpected access denials (read/write, execute, and so on). If you hit this problem on a Linux server with SELinux enabled and ordinary file permissions are not the cause, SELinux is the likely culprit. Typically the problem is an incorrect security context (also called a security label) assigned to the affected file or directory; these concepts are described in more detail below.
Experimental environment for this article:
[[email protected] test]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
[[email protected] test]# uname -r
3.10.0-693.el7.x86_64
SELinux modes
SELinux has three modes: enforcing, permissive, and disabled.
In enforcing mode, SELinux enforces the configured policy: any program or user attempting an access the policy does not allow is denied, and the event is recorded in the relevant log file.
In permissive mode, SELinux does not enforce the configured policy, so accesses are not blocked, but accesses that would violate the policy are still recorded in the system logs.
In disabled mode, SELinux is not active and no audit logs are recorded.
The current mode can be viewed with getenforce or sestatus:
[[email protected] test]# getenforce
Enforcing
[[email protected] test]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
How do I turn SELinux off? There are two ways:
1. Temporarily disable SELinux:
setenforce 0
2. Permanently disable SELinux by modifying the configuration file (/etc/selinux/config):
Change SELINUX=enforcing to SELINUX=disabled, save the file, and reboot the system for the change to take effect.
SELinux policy
At the heart of SELinux is its policy, which is the engine of SELinux. A policy is a set of rules that define security and access rights for all objects on the system. Since everything on Linux is a file, these objects include users, roles, processes, files, and so on. The policy defines how each object relates to the others.
To understand policy, let's look at a few basic concepts:
- Users. Every regular user on a Linux system is mapped to one or more SELinux users. In Linux, an account can be used to run a program; for example account AAA uses vi to open a test.txt file, or a service account runs the httpd daemon. In SELinux, a process (daemon or running program) is called a subject.
- Roles. A role is like a gateway between a user and a process: it defines which users can access and execute which processes. A role is more like a filter than a group: a user can enter or assume a role only when the role is authorized for that user. Roles in SELinux policy define which groups of users may take on the role and which process domains the role may access. Roles exist because SELinux implements a partial role-based access control (RBAC) mechanism.
- Subjects and objects. A subject is a process that can potentially act on an object. An object in SELinux is anything that can be acted upon: a file, directory, port, TCP socket, cursor, or X server. The operations a subject can perform on an object are its permissions.
- Domains. A domain is the context in which an SELinux subject (process) runs. The context is like a wrapper around the subject: it tells the process what it can and cannot do. For example, a domain defines which files, directories, links, devices, or ports a subject can access.
- Types. A type is the context of a file, specifying the purpose of the file. For example, a file's context might indicate that it is a web page, that it belongs under the /etc directory, or that it is owned by a specific SELinux user. In SELinux terminology, the context of a file is called its type.
In summary, a policy is a set of rules specifying that one or more users may assume only one or more roles, that these roles are authorized to access only one or more domains, and that these domains in turn may access only certain file types. The following diagram shows the relationship between these concepts:
Finally, a process running in a particular domain can only perform certain operations on certain types of objects; this is known as type enforcement (TE).
Security context
A security context has four parts: user, role, type (or domain), and sensitivity.
- User, role, and sensitivity apply to files;
- the domain applies to processes;
- SELinux users carry the suffix _u, roles _r, and types or domains _t.
Run the secon command to view the current user, role, type, and sensitivity:
[[email protected] test]# secon
user: unconfined_u
role: unconfined_r
type: unconfined_t
sensitivity: s0
clearance: s0:c0.c1023
mls-range: s0-s0:c0.c1023
Use the id -Z command to view the security context of the current account:
[[email protected] ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[[email protected] ~]# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
To see the security context that SELinux has applied to files or directories, run one of the following commands:
ls -Z
ls --context
ls --lcontext
ls --scontext
On systems with SELinux enabled, add the -Z option to the ps command to display the security context of each process:
[[email protected] test]# ps -eZf|grep login
system_u:system_r:systemd_logind_t:s0 root 756 1 0 19:30 ? 00:00:00 /usr/lib/systemd/systemd-logind
system_u:system_r:local_login_t:s0-s0:c0.c1023 root 795 1 0 19:30 ? 00:00:04 login -- root
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 4489 1738 0 22:29 pts/0 00:00:00 grep --color=auto login
You can modify the security context using the chcon command:
SELinux benefits
SELinux has the following advantages:
- All processes and files are labeled, and SELinux policy rules define how processes interact with files and with each other. All access is denied unless the policy allows it. That would be a very secure setup, but it also means developers would have to anticipate every permission every process might need on every possible object; the default behaviour is therefore that SELinux confines only certain processes.
- Fine-grained access control. SELinux access decisions go beyond traditional UNIX permissions, which are set at the user's discretion and based on Linux user and group IDs; they are based on all available information, such as SELinux users, roles, types and (optionally) security levels.
- SELinux policies are system-wide and can only be configured and managed by administrators.
- Better mitigation of privilege escalation attacks. Processes run in domains and are therefore isolated from each other, and SELinux policy rules define how processes access files and other processes. If a process is compromised, an attacker can only use the process's normal functions and the files the process has been configured to access. For example, if the Apache HTTP Server is compromised, an attacker cannot use that process to read files in users' home directories unless specific SELinux policy rules are added or configured to allow such access.
- SELinux can be used to ensure data confidentiality and integrity and to protect processes from untrusted input.
However, SELinux is designed to enhance existing security mechanisms, not replace them. Even with SELinux running you must continue to follow good security practices, such as keeping software up to date and using hard-to-guess passwords and firewalls.
SELinux-related tools
1. semanage
You can use semanage, provided by the policycoreutils-python.x86_64 package, to view SELinux configuration.
For example, semanage login -l lists the SELinux user that each Linux login is mapped to:
2. setroubleshoot
This package may not be installed by default. Install it and restart auditd as follows:
yum install setroubleshoot-server
service auditd restart
Once installed, whenever you run into an SELinux problem you can look directly in /var/log/messages: the log entry describes the denial and includes a recommended solution.
You can also have it generate a set of rules that it believes would allow the behaviour the SELinux policy is blocking.
If you're interested in SELinux, Google for more information.
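The four-part security context described above and the AVC records that SELinux writes to the audit log (the same records setroubleshoot interprets) can be parsed with the following script, added here as an example rather than taken from the original post. The audit lines are constructed samples: the field names follow the kernel's AVC record format, while the domains and types used (httpd_t, user_home_t) and the PIDs are illustrative assumptions.

```python
import re
# Constructed sample records in /var/log/audit/audit.log format (not real captures). The SYSCALL
# record carries the exit=-13 (EACCES) that user space reports as "permission denied".
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1580000000.123:456): avc:  denied  { read } for  pid=2175 comm="httpd" name="index.html" '
    'dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1580000000.456:457): avc:  denied  { read write } for  pid=2175 comm="httpd" name="notes.txt" '
    'dev="dm-0" ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1',
    'type=SYSCALL msg=audit(1580000000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" '
    'exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)',
]

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_context(ctx):
    """Split user:role:type[:level]; the MLS level itself contains ':' (s0-s0:c0.c1023), so split at most 3 times."""
    parts = ctx.split(":", 3)
    if len(parts) < 3: raise ValueError("not a security context: %r" % ctx)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else None}

def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "tclass": fields.get("tclass"),
        "permissive": fields.get("permissive") == "1",  # 1 = logged only, 0 = actually blocked
        "source": parse_context(fields["scontext"]),    # the subject's domain
        "target": parse_context(fields["tcontext"]),    # the object's type
    }

def summarize_denials(lines):
    """One line per denial: which domain was refused which permissions on which object type."""
    out = []
    for rec in map(parse_avc, lines):
        if rec is None or rec["result"] != "denied":
            continue
        mode = "logged only (permissive)" if rec["permissive"] else "blocked (enforcing)"
        out.append("%s (%s) denied { %s } on %s of type %s: %s" % (
            rec["comm"], rec["source"]["type"], " ".join(rec["perms"]),
            rec["tclass"], rec["target"]["type"], mode))
    return out
```

Run summarize_denials() over the lines of the real audit log to see at a glance whether a "permission denied" came from SELinux and whether it was actually blocked or only logged in permissive mode.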
If you are interested, you can follow my wechat official account [Big Fat Chat programming]. There are more articles to share in my official account. You can also contact me in my official account and add friends to communicate and learn with me.