
CentOS SELinux application support

小樊
2025-11-09 20:03:50
Column: Intelligent O&M

SELinux in CentOS: Application Support and Management

SELinux (Security-Enhanced Linux) is a mandatory access control (MAC) system built into the Linux kernel. Unlike the discretionary permissions of the file mode bits, which a process can change for the objects it owns, SELinux policy is set centrally and applies to every process, including those running as root. CentOS, as a Red Hat-derived distribution, ships SELinux with the targeted policy and runs it in enforcing mode by default on CentOS 7 and 8. That support includes the policy modules for common services and the tooling (semanage, restorecon, setsebool, audit2allow) used to configure, manage and troubleshoot how SELinux confines applications.

1. Core Components of SELinux Application Support

SELinux’s application support relies on three key concepts to enforce security:

  • Security Context: A label (e.g., system_u:system_r:httpd_t:s0) attached to every process, file, socket and port. It has four fields:
    • User: The SELinux user (e.g., system_u for daemons, unconfined_u for interactive logins). This is a policy identity, not the Linux account name.
    • Role: The role the user is in (e.g., system_r for system processes); roles decide which domains a user may enter.
    • Type: The most important field for application confinement. For a process it names the domain it runs in (e.g., httpd_t for Apache and Nginx); for an object it names the type the policy uses to decide which domains may access it (e.g., httpd_sys_content_t).
    • Level: The MLS/MCS sensitivity level and categories (s0 on a default targeted system). It matters mainly for container and multi-category setups.
  • Policies: Rules that define which subjects (process domains) may perform which operations on which objects (files, ports, sockets). CentOS defaults to the targeted policy, which confines network-facing services (Apache/Nginx, vsftpd, MariaDB, sshd and so on) in their own domains, while processes the policy does not target run in the unconfined_t domain and are effectively bounded only by ordinary Unix permissions.
  • Modes: SELinux operates in three modes (see sestatus and /etc/selinux/config):
    • Enforcing: Denials are blocked and logged (the CentOS default).
    • Permissive: Denials are logged but not blocked. Useful for debugging a new service; the log shows everything that would have been blocked.
    • Disabled: SELinux is not loaded at all and files stop being labeled. Not recommended for production; returning to enforcing later requires a full filesystem relabel (touch /.autorelabel and reboot).

2. Default Application Support

SELinux includes built-in policies for popular CentOS applications, ensuring they run with minimal privileges. Examples include:

  • Web Servers: Apache and Nginx both run in the httpd_t domain (the nginx package labels /usr/sbin/nginx as httpd_exec_t, so the same policy module covers it). The domain may read content labeled httpd_sys_content_t (e.g., /var/www/html) and write only to httpd_sys_rw_content_t; outbound network connections are denied unless a boolean such as httpd_can_network_connect enables them.
  • FTP Servers: vsftpd (vsftpd_t) may serve directories labeled public_content_t (e.g., /var/ftp) and writable ones labeled public_content_rw_t; access to users' home directories is denied unless the ftp_home_dir boolean is enabled.
  • Databases: MySQL/MariaDB (mysqld_t) is confined to its own data (mysqld_db_t, e.g., /var/lib/mysql), log and socket labels, so a compromised database process cannot read arbitrary files elsewhere on the system even though it runs as a privileged Unix user.
  • SSH: The SSH daemon (sshd_t) may only bind to ports labeled ssh_port_t (22 by default); to listen on another port, label it first with semanage port -a -t ssh_port_t -p tcp <port>, otherwise sshd fails to start.

3. Configuring SELinux for Applications

To tailor SELinux to specific application needs, administrators use tools like semanage, chcon, and setsebool:

  • Changing File/Directory Context: chcon changes the label on disk immediately, but only on disk; it does not record a rule, so the next restorecon or a full relabel resets the label to whatever the policy's file-context rules say. It is fine for a quick test. For example, to let the web server serve files from a custom directory (/data/web):
    sudo chcon -R -t httpd_sys_content_t /data/web
    
    To make the change permanent, add a file-context rule with semanage fcontext (the pattern is a regex matched against the whole path) and then apply it with restorecon; restorecon -Rnv previews what would change without touching anything:
    sudo semanage fcontext -a -t httpd_sys_content_t "/data/web(/.*)?"
    sudo restorecon -Rv /data/web
    
    
  • Managing Ports: A confined domain may only bind to ports carrying a port type it is allowed to use. Use semanage port to label an additional port; for example, to let the web server listen on TCP port 8090:
    sudo semanage port -a -t http_port_t -p tcp 8090
    
    Check semanage port -l first: if the port already carries another type, -a fails and you must use -m to modify it instead (on CentOS 7, for instance, tcp/8080 is already http_cache_port_t, which httpd_t may bind).
    
  • Adjusting Boolean Values: Booleans are on/off switches for optional policy rules, and -P persists the setting across reboots. For example, to allow Apache to open outbound TCP connections (e.g., to PHP-FPM or a backend over TCP):
    sudo setsebool -P httpd_can_network_connect=1
    
    Prefer the narrowest boolean that covers the need: httpd_can_network_connect allows connections to any port, whereas httpd_can_network_connect_db only allows database ports and httpd_can_network_relay only proxy targets. Use getsebool -a to list all booleans with their current values, or semanage boolean -l for a one-line description of each.
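What the difference between chcon and semanage fcontext means in practice, shown as an added example that is not part of the original article: a small Python model of the decision restorecon makes. The rule list, the file listing and the last-match-wins ordering are constructed assumptions for illustration (libselinux orders file_contexts by specificity itself); the real check is restorecon -Rnv /data/web.

```python
import re

# Constructed file-context rules in the shape `semanage fcontext -l` prints them, reduced to
# (regex, context). The first is the catch-all from the base policy, then the stock /var/www
# rules; rules added locally with `semanage fcontext -a` go in FCONTEXT_LOCAL.
FCONTEXT_POLICY = [
    (r"/.*", "system_u:object_r:default_t:s0"),
    (r"/var/www(/.*)?", "system_u:object_r:httpd_sys_content_t:s0"),
    (r"/var/www/cgi-bin(/.*)?", "system_u:object_r:httpd_sys_script_exec_t:s0"),
]
FCONTEXT_LOCAL = [
    (r"/data/web(/.*)?", "system_u:object_r:httpd_sys_content_t:s0"),
]

# Constructed `ls -Z`-style listing of the labels currently on disk after
# `chcon -R -t httpd_sys_content_t /data/web` was run by an interactive user.
CURRENT_LABELS = {
    "/data/web": "unconfined_u:object_r:httpd_sys_content_t:s0",
    "/data/web/index.html": "unconfined_u:object_r:httpd_sys_content_t:s0",
    "/var/www/html/index.html": "system_u:object_r:httpd_sys_content_t:s0",
}


def context_type(ctx):
    """The type field of a user:role:type:level context."""
    return ctx.split(":")[2]


def expected_context(path, rules):
    """Context the rules assign to `path`, or None if nothing matches.

    Simplified matching (an assumption for this example): fcontext regexes are anchored to
    the whole path, rules are ordered least- to most-specific with local rules last, and
    the last match wins.
    """
    winner = None
    for pattern, context in rules:
        if re.fullmatch(pattern, path):
            winner = context
    return winner


def restorecon_plan(listing, rules):
    """What `restorecon -Rnv` would report: (path, current_type, new_type) for every path
    whose on-disk type differs from the rule-derived one. Without -F restorecon resets only
    the type field, so the user/role fields are deliberately ignored here."""
    changes = []
    for path, current in listing.items():
        expected = expected_context(path, rules)
        if expected is not None and context_type(expected) != context_type(current):
            changes.append((path, context_type(current), context_type(expected)))
    return changes


if __name__ == "__main__":
    print("chcon only, no fcontext rule -> restorecon would relabel:")
    for change in restorecon_plan(CURRENT_LABELS, FCONTEXT_POLICY):
        print("  %s: %s -> %s" % change)
    print("with the semanage fcontext rule -> restorecon would relabel:",
          restorecon_plan(CURRENT_LABELS, FCONTEXT_POLICY + FCONTEXT_LOCAL))
```

With only chcon applied, the catch-all rule wins for everything under /data/web and a relabel silently turns the site back into default_t, which httpd_t cannot read; once the local rule exists the same relabel changes nothing. That is why the rule, not the chcon, is the change to keep in configuration management.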

4. Troubleshooting Application Issues

When an application fails due to SELinux, follow these steps to diagnose and resolve the issue:

  • Check SELinux Status: Verify SELinux is enabled and in enforcing mode:
    sestatus
    
  • Review Logs: Examine /var/log/audit/audit.log (or /var/log/messages when auditd is not running) for "avc: denied" records. Use ausearch to pull only the relevant records; -ts recent limits the search to the last ten minutes:
    sudo ausearch -m AVC -ts recent
    
  • Generate Policy Fixes: Use audit2why to explain why each denial happened (it tells you when a boolean would resolve it), and audit2allow to turn denials into a local policy module. For example:
    sudo ausearch -m AVC -ts recent | audit2why
    sudo ausearch -m AVC -ts recent | audit2allow -M myapp_policy
    sudo semodule -i myapp_policy.pp
    
    audit2allow -M writes both myapp_policy.te and myapp_policy.pp; read the .te before loading it. audit2allow reproduces whatever the log shows, so a denial caused by a mislabeled file (target type default_t or unlabeled_t) must be fixed with semanage fcontext and restorecon, and a denial on a port with semanage port, not with an allow rule that permanently widens the domain. If setroubleshoot-server is installed, sealert -a /var/log/audit/audit.log gives the same analysis in plain language.
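A triage pass over AVC denials, added here as example code rather than anything from the article or the SELinux tools: it parses audit.log records, pulls out the source and target types, class and permissions, and separates denials caused by mislabeling (which need semanage fcontext and restorecon, not an allow rule) from port-labeling and boolean cases before anything is handed to audit2allow. The log lines are constructed, and the boolean and port tables are a deliberately small, illustrative subset of the targeted policy, not a complete mapping.

```python
import re

# Constructed audit.log excerpt (not a real capture) in the record format auditd writes:
# three AVC denials from httpd_t plus one non-AVC record that the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1731153830.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1731153830.123:456): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1731153831.456:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=1234567 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1731153832.789:458): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8090 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Illustrative subsets of the targeted policy (assumptions for this example, not a full map).
MISLABEL_TYPES = {"default_t", "unlabeled_t"}
PORT_TYPE_FOR_DOMAIN = {"httpd_t": "http_port_t"}
CONNECT_BOOLEANS = {
    ("httpd_t", "mysqld_port_t"): "httpd_can_network_connect_db",  # narrow: database ports only
    ("httpd_t", None): "httpd_can_network_connect",                # broad: any TCP port
}


def parse_avc(line):
    """Parse one audit.log record; return a dict for AVC denials, None for anything else."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "stype": fields["scontext"].split(":")[2],   # source (process) domain
        "ttype": fields["tcontext"].split(":")[2],   # target object type
        "tclass": fields.get("tclass", "?"),
        "fields": fields,
    }


def classify(avc):
    """Return (category, suggested fix) for one denial. Mislabeling is checked first because
    an allow rule for default_t would let the domain read anything that lost its label."""
    src, tgt, cls, perms = avc["stype"], avc["ttype"], avc["tclass"], avc["perms"]
    if tgt in MISLABEL_TYPES:
        return ("mislabeled-file",
                "target is %s (%s): label it with semanage fcontext -a -t <type> '<path>(/.*)?' "
                "and restorecon -Rv <path>; do not audit2allow this" % (tgt, avc["fields"].get("name", "?")))
    if cls == "tcp_socket" and "name_bind" in perms:
        port_type = PORT_TYPE_FOR_DOMAIN.get(src, "<port_type>")
        return ("port-label",
                "semanage port -a -t %s -p tcp %s" % (port_type, avc["fields"].get("src", "<port>")))
    if cls == "tcp_socket" and "name_connect" in perms:
        boolean = CONNECT_BOOLEANS.get((src, tgt)) or CONNECT_BOOLEANS.get((src, None))
        if boolean:
            return "boolean", "setsebool -P %s 1" % boolean
    return ("policy-gap",
            "ausearch -m AVC -ts recent | audit2allow -M local_%s; review local_%s.te "
            "before semodule -i" % (src, src))


def triage(log_text):
    """Parse every record, drop non-AVC lines, and attach a category and fix to each denial."""
    findings = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        avc["category"], avc["fix"] = classify(avc)
        findings.append(avc)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG):
        print("%d %s %s -> %s:%s %s  [%s] %s" % (
            f["serial"], f["comm"], f["stype"], f["ttype"], f["tclass"],
            sorted(f["perms"]), f["category"], f["fix"]))
```

Feed it the real file with python3 triage.py < /var/log/audit/audit.log after wrapping the top level in a loop over sys.stdin; the useful property is that the one denial audit2allow would happily turn into `allow httpd_t default_t:file read` is flagged as a labeling problem instead.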

5. Advanced Application Protection

For requirements no boolean covers, you can write a custom SELinux module. For example, to allow a custom application running in a domain myapp_t to read and write a data directory (/opt/myapp/data, to be labeled myapp_data_t):

  • Create the policy source file myapp.te in any working directory (it does not need to live under /etc/selinux). Because myapp_t and myapp_data_t are new, the module must declare them; a require block can only reference types the loaded policy already defines:
    module myapp 1.0;
    
    require {
        class dir { read write search open getattr add_name remove_name };
        class file { read write open getattr create unlink };
    }
    
    # New types are declared here; `require` is only for types the base policy already has.
    type myapp_t;
    type myapp_data_t;
    
    allow myapp_t myapp_data_t:dir { read write search open getattr add_name remove_name };
    allow myapp_t myapp_data_t:file { read write open getattr create unlink };
    
  • Compile and load the module, then confirm it is installed:
    checkmodule -M -m -o myapp.mod myapp.te
    semodule_package -o myapp.pp -m myapp.mod
    sudo semodule -i myapp.pp
    sudo semodule -l | grep myapp
    
  • Label the data directory so the rule applies to it:
    sudo semanage fcontext -a -t myapp_data_t "/opt/myapp/data(/.*)?"
    sudo restorecon -Rv /opt/myapp/data
    
  Note that the rules above only define what myapp_t may do once a process is in that domain; getting the application into myapp_t also needs an executable type and a domain transition rule (or an existing domain such as unconfined_t), which is outside the scope of this page.
    

This approach ensures granular control over application permissions without relaxing global policies.

By leveraging these tools and techniques, CentOS administrators can effectively use SELinux to secure applications while maintaining the principle of least privilege.
