Selinux

1.开启 Selinux 的作用

>给进程以及进程所访问的文件各自一个安全上下文(security context), 只有两者相符时访问才被允许

2.Selinux关闭时的状况

vim /etc/sysconfig/selinux

selinux 的配置文件 (修改后需要重启才生效)
    SELINUX=enforcing   selinux 开启(强制模式)
    SELINUX=disabled    selinux 关闭

getenforce

查看 selinux 当前的运行状态

[root@dchxmj linux1]# ls
file1  linux1file1  pub
[root@dchxmj linux1]# ls -Z
-rw-r--r-- root root ?                                file1
-rw-r--r-- root root ?                                linux1file1
drwxrwxr-x root root ?                                pub
[root@dchxmj linux1]# 

测试:

lftp IP -u username

[kiosk@foundation30 Desktop]$ lftp 172.25.254.130 -u linux1
Password: 
lftp linux1@172.25.254.130:~> ls       
-rw-r--r--    1 0        0               0 Feb 21 08:50 file1
-rw-r--r--    1 0        0               0 Feb 21 07:40 linux1file1
drwxrwxr-x    2 0        0               6 Feb 21 08:28 pub
#所有文件都可以访问到
lftp linux1@172.25.254.130:/> ls -Z
-rw-r--r--    1 0        0               0 Feb 21 08:50 file1
-rw-r--r--    1 0        0               0 Feb 21 07:40 linux1file1
drwxrwxr-x    2 0        0               6 Feb 21 08:28 pub
lftp linux1@172.25.254.130:/> exit
[kiosk@foundation30 Desktop]$ 

3.Selinux 开启时

[root@localhost pub]# ls
file1  linux  linux1
[root@localhost pub]# ls -Z
-rw-r--r--. root root unconfined_u:object_r:mnt_t:s0   file1
drwxr-xr-x. root root unconfined_u:object_r:mnt_t:s0   linux
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 linux1
#安全上下文不符合的文件访问不到
[root@localhost pub]#

测试:

[kiosk@foundation30 Desktop]$ lftp 172.25.254.130 
lftp 172.25.254.130:~> ls
drwxr-xr-x    3 0        0              43 Feb 21 09:07 pub
lftp 172.25.254.130:/> cd pub/
lftp 172.25.254.130:/pub> ls
drwxr-xr-x    2 0        0               6 Feb 21 09:04 linux
-rw-r--r--    1 0        0               0 Feb 21 09:05 linux1
lftp 172.25.254.130:/pub> exit
[kiosk@foundation30 Desktop]$ 

4.Selinux对服务的影响

(1).不符合安全上下文的文件访问不到
(2).默认情况下不安全的功能是关闭的
getsebool -a | grep ftp     #查看与 ftp 服务相关的布尔值(功能开关)状态
setsebool -P ftp_home_dir on    #开启
       -P:表示永久开启(写入策略, 重启后仍然生效; 不加 -P 则重启后失效)
       开启后本地用户对自己的家目录默认有写权限
[root@localhost ~]# getsebool -a | grep ftp
ftp_home_dir --> off
[root@foundation30 ~]# lftp 172.25.254.130 -u student
Password: 
lftp student@172.25.254.130:~> ls      
-rw-r--r--    1 0        0               0 Feb 22 03:17 file2
drwxr-xr-x    2 0        0               6 Feb 22 01:36 linux1
lftp student@172.25.254.130:~> cd linux1/
lftp student@172.25.254.130:~/linux1> put /etc/passwd
put: Access failed: 553 Could not create file. (passwd)
lftp student@172.25.254.130:~/linux1> exit
[root@foundation30 ~]# lftp 172.25.254.130 -u student
[root@localhost ~]# setsebool -P ftp_home_dir on
[root@localhost ~]# getsebool -a | grep ftp
ftp_home_dir --> on
[root@foundation30 ~]# lftp 172.25.254.130 -u student
Password: 
lftp student@172.25.254.130:~> ls      
-rw-r--r--    1 0        0               0 Feb 22 03:17 file2
drwxr-xr-x    2 0        0               6 Feb 22 01:36 linux1
lftp student@172.25.254.130:~> put /etc/passwd
2367 bytes transferred
lftp student@172.25.254.130:~> exit
[root@foundation30 ~]# 

5.Selinux 日志存放位置

> 默认位置: /var/log/audit/audit.log

cat /var/log/audit/audit.log #默认位置
setroubleshoot-server.x86_64 软件包
###安装后可以将 /var/log/audit/audit.log 里面的 SELinux 日志经过分析处理后存放到 /var/log/messages

> 安装方法:

[root@localhost ~]# yum search setroubleshoot
Loaded plugins: langpacks
========================= N/S matched: setroubleshoot ==========================
setroubleshoot-plugins.noarch : Analysis plugins for use with setroubleshoot
setroubleshoot.x86_64 : Helps troubleshoot SELinux problems
setroubleshoot-server.x86_64 : SELinux troubleshoot server

  Name and summary matches only, use "search all" for everything.
[root@localhost ~]# yum install setroubleshoot-server.x86_64  -y


cat /var/log/audit/audit.log   #原始审计日志
cat /var/log/messages          #setroubleshoot 处理后的日志
