1.什么是selinux
介绍:
当今世界,无处不在的高速互联网连接、备有无线接入点的咖啡馆以及在网上到处传播的各种黑客工具,使得计算机安全成为老生常谈的话题。为解决安全问题,NSA在Linux社区的帮助下开发了一种访问控制体系:在这种体系的限制下,进程只能访问其任务所需要的文件(即使进程以root身份运行,也受策略约束)。这种体系叫做 Security-Enhanced Linux,简称 SELinux。
SELinux概览:
SELinux是一种基于 域-类型 模型(domain-type)的强制访问控制(MAC)安全系统,它由NSA编写并设计成内核模块包含到内核中,相应的某些安全相关的应用也被打了SELinux的补丁,最后还有一个相应的安全策略。
引用于:https://blog.csdn.net/flaght/article/details/2973910
2.如何管理selinux级别
selinux
开启或者关闭
vim /etc/sysconfig/selinux ##编辑该文件;注意键名必须大写 SELINUX=,取值必须小写,写成 selinux=Enforcing 这类形式不会生效
SELINUX=disabled ##关闭状态:不加载任何策略,之后再改回 enforcing/permissive 需要 touch /.autorelabel 并重启
SELINUX=enforcing ##强制状态:违反策略的访问被拒绝并记录到审计日志
SELINUX=permissive ##警告状态:只记录不拒绝,适合排错,不应长期用于生产环境
编辑文件下:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced. SELinux安全策略被强制执行。
# permissive - SELinux prints warnings instead of enforcing. SELinux只打印警告而不强制执行
# disabled - No SELinux policy is loaded. 没有加载SELinux策略
SELINUX=enforcing 将selinux服务打开
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
getenforce ##查看状态
[root@localhost ftp]# getenforce
Enforcing
当selinux开启(enforcing 或 permissive)时
setenforce 0|1 ##临时更改selinux运行模式:0=permissive(只记录),1=enforcing(强制);重启后失效,以配置文件为准。处于 disabled 时无法用 setenforce 切换,必须改配置文件并重启;permissive 下拒绝操作不会被阻止但仍会记录,排错完成后应切回 1
3.如何更改文件安全上下文
[root@localhost ftp]# whatis chcon
chcon (1) - change file SELinux security context ##更改文件SELinux的安全上下文
[root@localhost ftp]# whatis semanage
semanage (8) - SELinux Policy Management tool ##管理工具
临时更改(chcon 只修改文件当前的标签,不写入策略;之后执行 restorecon 或系统重新打标签时会被恢复为策略默认值)
chcon -t 安全上下文类型 文件
chcon -t public_content_t /publicftp -R ##-R递归 可以更改目录及其下所有文件
[root@localhost ~]# touch /mnt/file ##做实验前在mnt下建立,使其继承 /mnt 目录的默认安全上下文(mnt_t)
[root@localhost ~]# mv /mnt/file /var/ftp ##mv 保留源文件的安全上下文,而 cp 新建文件会按目标目录的默认上下文打标签;所以 mv 进来的文件常常需要 restorecon
[root@localhost ~]# ls /var/ftp/
file pub westos
[root@localhost ~]# lftp 172.25.254.242
lftp 172.25.254.242:~> ls
Interrupt
lftp 172.25.254.242:~> ls
Interrupt
lftp 172.25.254.242:~> exit
[root@localhost ~]# systemctl start vsftpd
[root@localhost ~]# systemctl stop firewalld ##仅限实验环境;生产环境不要整体关闭火墙,应只放行 ftp 服务(firewall-cmd --permanent --add-service=ftp && firewall-cmd --reload)
[root@localhost ~]# lftp 172.25.254.242 ##如果连不上可以重启服务并检查火墙规则
lftp 172.25.254.242:~> ls ##file没有显示
drwxr-xr-x 2 0 0 6 Mar 07 2014 pub
-rw-r--r-- 1 0 0 0 May 05 07:06 westos
lftp 172.25.254.242:/> exit
[root@localhost ~]# cd /var/ftp
[root@localhost ftp]# ls -Z
-rw-r--r--. root root unconfined_u:object_r:mnt_t:s0 file ##可以看见此文件的安全上下文是 mnt 目录给的(mnt_t),vsftpd 不允许读取该类型,所以匿名用户看不到它
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 pub
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 westos
[root@localhost ftp]# chcon -t public_content_t file
[root@localhost ftp]# lftp 172.25.254.242
lftp 172.25.254.242:~> ls
-rw-r--r-- 1 0 0 0 May 12 01:20 file
drwxr-xr-x 2 0 0 6 Mar 07 2014 pub
-rw-r--r-- 1 0 0 0 May 05 07:06 westos
lftp 172.25.254.242:/> exit
永久更改(写入策略的文件上下文规则,重新打标签后依然有效)
[root@localhost ftp]# semanage fcontext -l | grep /var/ftp ##列出策略中与 /var/ftp 相关的文件上下文规则(路径用正则表示)
/var/ftp(/.*)? all files system_u:object_r:public_content_t:s0
/var/ftp/bin(/.*)? all files system_u:object_r:bin_t:s0
/var/ftp/etc(/.*)? all files system_u:object_r:etc_t:s0
/var/ftp/lib(/.*)? all files system_u:object_r:lib_t:s0
/var/ftp/lib/ld[^/]*\.so(\.[^/]*)* regular file system_u:object_r:ld_so_t:s0
[root@localhost ftp]# mkdir /westos
[root@localhost ftp]# touch /westos/westosfile
[root@localhost ftp]# vim /etc/vsftpd/vsftpd.conf
[root@localhost ftp]# systemctl restart vsftpd
vim内
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES ##开启匿名访问;只在确实需要公开下载时开启
anon_root=/westos ##更改匿名用户的根目录。public_content_t 只允许 ftpd 读取,匿名用户不能写入;如需匿名上传要用 public_content_rw_t 并开启 ftpd_anon_write,且应严格限制目录范围
[root@localhost ftp]# semanage fcontext -a -t public_content_t '/westos(/.*)?'
[root@localhost ftp]# semanage fcontext -l | grep /westos
/westos(/.*)? all files system_u:object_r:public_content_t:s0
[root@localhost ftp]# restorecon -FvvR /westos/ ##按策略规则重新打标签:-R 递归,-v 显示变更,-F 强制重置包括用户字段在内的整个上下文
restorecon reset /westos context unconfined_u:object_r:public_content_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/westosfile context unconfined_u:object_r:public_content_t:s0->system_u:object_r:public_content_t:s0
如标签混乱、服务问题无法解决,或刚把 SELINUX 从 disabled 改为 enforcing/permissive
touch /.autorelabel ##下次启动时对整个文件系统重新打标签
reboot后会自动初始化(全盘重新打标签耗时较长,完成后该文件会自动删除)
4.如何控制selinux对服务功能的开关
getsebool -a | grep 服务名称
[root@localhost ftp]# getsebool -a | grep ftp
ftp_home_dir --> off ##该布尔值为 off,表示策略未放开此功能(ftpd 不能访问用户家目录);这不代表 vsftpd 服务本身关闭
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
setsebool -P 布尔值名称 on|off ##-P 写入策略永久生效,不加 -P 只改当前运行状态。布尔值是放宽策略的开关,只开启业务确实需要的那一项;像 ftpd_full_access 这类会大幅放宽限制,不要随手打开
[root@localhost ftp]# setsebool -P ftp_home_dir on
[root@localhost ftp]# getsebool -a | grep ftp
ftp_home_dir --> on ##布尔值已开启,ftpd 现在可以访问用户家目录
setsebool -P ftp_home_dir on ##-P 永久记录在策略中(注意布尔值名称必须与 getsebool 列出的完全一致,ftp_homedir 这样的写法会报错)
5.监控selinux的错误信息
yum install setroubleshoot-server ##安装后 setroubleshootd 会分析 AVC 拒绝记录
/var/log/messages ##在此中查看拒绝信息以及给出的解决方案(原始拒绝记录在 /var/log/audit/audit.log,也可用 sealert -a /var/log/audit/audit.log 生成报告)
grep 端口号或服务名 /etc/services ##查看端口与服务名的对应关系
yum install httpd ##下载httpd服务
[root@localhost ftp]# yum install httpd
Loaded plugins: langpacks
Resolving Dependencies
--> Running transaction check
---> Package httpd.x86_64 0:2.4.6-17.el7 will be installed
--> Processing Dependency: httpd-tools = 2.4.6-17.el7 for package: httpd-2.4.6-17.el7.x86_64
--> Processing Dependency: /etc/mime.types for package: httpd-2.4.6-17.el7.x86_64
--> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-2.4.6-17.el7.x86_64
--> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-2.4.6-17.el7.x86_64
--> Running transaction check
---> Package apr.x86_64 0:1.4.8-3.el7 will be installed
---> Package apr-util.x86_64 0:1.5.2-6.el7 will be installed
---> Package httpd-tools.x86_64 0:2.4.6-17.el7 will be installed
---> Package mailcap.noarch 0:2.1.41-2.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
===============================================================================================================
Package Arch Version Repository Size
===============================================================================================================
Installing:
httpd x86_64 2.4.6-17.el7 rhel_dvd 1.2 M
Installing for dependencies:
apr x86_64 1.4.8-3.el7 rhel_dvd 103 k
apr-util x86_64 1.5.2-6.el7 rhel_dvd 92 k
httpd-tools x86_64 2.4.6-17.el7 rhel_dvd 77 k
mailcap noarch 2.1.41-2.el7 rhel_dvd 31 k
Transaction Summary
===============================================================================================================
Install 1 Package (+4 Dependent packages)
Total download size: 1.5 M
Installed size: 4.3 M
Is this ok [y/d/N]: y
Downloading packages:
(1/5): apr-1.4.8-3.el7.x86_64.rpm | 103 kB 00:00:00
(2/5): apr-util-1.5.2-6.el7.x86_64.rpm | 92 kB 00:00:00
(3/5): httpd-tools-2.4.6-17.el7.x86_64.rpm | 77 kB 00:00:00
(4/5): mailcap-2.1.41-2.el7.noarch.rpm | 31 kB 00:00:00
(5/5): httpd-2.4.6-17.el7.x86_64.rpm | 1.2 MB 00:00:00
---------------------------------------------------------------------------------------------------------------
Total 2.1 MB/s | 1.5 MB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : apr-1.4.8-3.el7.x86_64 1/5
Installing : apr-util-1.5.2-6.el7.x86_64 2/5
Installing : httpd-tools-2.4.6-17.el7.x86_64 3/5
Installing : mailcap-2.1.41-2.el7.noarch 4/5
Installing : httpd-2.4.6-17.el7.x86_64 5/5
Verifying : mailcap-2.1.41-2.el7.noarch 1/5
Verifying : httpd-tools-2.4.6-17.el7.x86_64 2/5
Verifying : apr-1.4.8-3.el7.x86_64 3/5
Verifying : apr-util-1.5.2-6.el7.x86_64 4/5
Verifying : httpd-2.4.6-17.el7.x86_64 5/5
Installed:
httpd.x86_64 0:2.4.6-17.el7
Dependency Installed:
apr.x86_64 0:1.4.8-3.el7 apr-util.x86_64 0:1.5.2-6.el7 httpd-tools.x86_64 0:2.4.6-17.el7
mailcap.noarch 0:2.1.41-2.el7
Complete!
vim /etc/httpd/conf/httpd.conf
[root@localhost ftp]# vim /etc/httpd/conf/httpd.conf ##在42行位置修改 Listen 6666
[root@localhost ftp]# setenforce 1 ##先将等级设置为强制命令
[root@localhost ftp]# systemctl restart httpd
Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details. ##enforcing 模式下 httpd 不能绑定未标记为 http_port_t 的端口,所以启动失败
[root@localhost ftp]# semanage port -l | grep http ##查看策略中已定义的 http 相关端口类型
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
[root@localhost ftp]# semanage port -a -t http_port_t -p tcp 6666 ##把自己修改的端口加入 http_port_t;若该端口已被其他类型占用需用 -m 修改,用 -d 可删除
[root@localhost ftp]# semanage port -l | grep http
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 6666, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
[root@localhost ftp]# systemctl restart httpd ##服务重启成功