SELinux
Boot configuration file: /boot/grub/grub.conf. Appending selinux=0 to the kernel line disables SELinux.
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/sda5
#          initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS 6 (2.6.32-696.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-696.el6.x86_64 ro root=UUID=27c83a74-cdac-4ba8-8deb-9c74394b9896 rd_NO_LUKS rd_NO_LVM.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet selinux=0
        initrd /initramfs-2.6.32-696.el6.x86_64.img
SELinux configuration file
/etc/sysconfig/selinux is a symlink to /etc/selinux/config, which sets SELINUX={disabled|enforcing|permissive}
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing        # state after the next boot
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
The three SELinux modes
enforcing: enforcing mode; every confined process is actually confined
permissive: warning mode; SELinux is enabled, but violations by confined processes are not blocked, only recorded in the audit log.
disabled: SELinux is off
getenforce: show the current SELinux mode (brief)
[root@centos7 ~]# getenforce        # show the current SELinux mode
Enforcing
[root@centos7 ~]# setenforce 0      # takes effect immediately, until reboot: permissive mode
[root@centos7 ~]# getenforce
Permissive
[root@centos7 ~]# setenforce 1      # takes effect immediately, until reboot: enforcing mode
[root@centos7 ~]# getenforce
Enforcing
setenforce 0|1 : permissive|enforcing
0: set to permissive
1: set to enforcing
This setting applies only to the running system; it does not survive a reboot.
sestatus: show the current mode and status (detailed)
[root@centos7 ~]# getenforce        # current SELinux mode (brief)
Enforcing
[root@centos7 ~]# sestatus          # current SELinux mode and status (detailed)
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing        # current mode
Mode from config file:          enforcing        # mode that takes effect at next boot
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
To make the change persist across reboots, edit the configuration file:
Configuration file: /etc/selinux/config (also reachable as /etc/sysconfig/selinux)
SELINUX=enforcing|permissive|disabled determines the SELinux state at the next boot
During boot, at the GRUB stage 2 menu, the kernel parameters can be edited: appending selinux=0 means disabled, selinux=1 means enforcing.
Security context (expected value vs. current value). The label is information stored in the file's metadata.
cp refreshes the label (the new file gets the context of its destination); it rewrites the metadata
mv keeps the original label; it does not change the metadata
CentOS 6
Relabel a file (change the current value)
[root@centos6mini app]# ls -Z
-rw-r--r--. root root unconfined_u:object_r:etc_runtime_t:s0 passwd
[root@centos6mini app]# chcon -t etc_t passwd     # change the label of the passwd file
[root@centos6mini app]# ls -Z
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 passwd
-R: relabel recursively
Restore a file's default label (reset to the expected value)
semanage fcontext -l : list the expected contexts of all paths
[root@centos7 app]# semanage fcontext -l                    # list the expected contexts of all paths
[root@centos7 app]# semanage fcontext -l | grep /root/      # combine with grep
/root/.ppprc                     regular file       system_u:object_r:pppd_etc_t:s0
[root@centos7 app]# restorecon /app/passwd                  # restore the expected value
[root@centos7 app]# restorecon -R /app/                     # restore recursively
[root@centos6mini app]# restorecon -v passwd                # show what was reset
restorecon reset /app/passwd context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:default_t:s0
[root@centos7 app]# systemctl restart rsyslog               # restart the service
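A dry-run label audit built on the restorecon output above, as an added example (not part of the original notes): restorecon -n reports mismatches without relabeling, and the parser turns each "restorecon reset PATH context CURRENT->EXPECTED" line into path, current type and expected type. The sample output and the /app/website path are constructed.

```shell
#!/bin/sh
# Added example: find files whose current SELinux label differs from the
# policy's expected context. restorecon -n is a dry run (no labels change);
# -v prints one "restorecon reset PATH context CUR->EXP" line per mismatch.

# Type field (third colon-separated field) of a context such as
# unconfined_u:object_r:etc_t:s0 -> etc_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read restorecon -nv output on stdin; print PATH<TAB>CURRENT_TYPE<TAB>EXPECTED_TYPE
parse_restorecon_dryrun() {
    while IFS= read -r line; do
        case $line in
            "restorecon reset "*" context "*"->"*) ;;
            *) continue ;;          # ignore anything that is not a reset line
        esac
        rest=${line#"restorecon reset "}
        path=${rest%%" context "*}
        ctx=${rest#*" context "}
        cur=${ctx%%"->"*}
        exp=${ctx#*"->"}
        printf '%s\t%s\t%s\n' "$path" "$(context_type "$cur")" "$(context_type "$exp")"
    done
}

# Dry-run audit of a real directory tree (needs restorecon on the host).
audit_labels() {
    restorecon -n -v -R "$1" | parse_restorecon_dryrun
}

# Constructed sample of restorecon -nv output, for running offline.
SAMPLE_OUTPUT='restorecon reset /app/passwd context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:default_t:s0
restorecon reset /app/website/index.html context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0'

demo() {
    printf '%s\n' "$SAMPLE_OUTPUT" | parse_restorecon_dryrun
}
```

Run audit_labels /app on a host to list mislabeled files before deciding whether restorecon -R or a semanage fcontext rule is the right fix.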
semanage: provided by the policycoreutils-python package
Setting the expected context of files
List the default security contexts: semanage fcontext -l
Add an expected context
[root@centos7 website]# semanage fcontext -a -t httpd_sys_content_t '/app/website(/.*)?'    # add an expected context
Modify an expected context
[root@centos7 website]# semanage fcontext -m -t var_log_t '/app/website(/.*)?'              # modify an expected context
Delete an expected context
[root@centos7 website]# semanage fcontext -d '/app/website(/.*)?'                           # delete an expected context
Port label settings
List port labels: semanage port -l
[root@centos7 yum.repos.d]# semanage port -l | grep ssh     # show the label and port of the ssh service
ssh_port_t                     tcp      22
Add a port to a service's port type
semanage port -a -t http_port_t -p tcp 9527     # add a port to the service
Remove a port from a service's port type
semanage port -d -t http_port_t -p tcp 9527     # remove a port from the service
Setting boolean rules:
[root@centos6mini app]# getsebool -a                  # show the state of all booleans
tftp_use_nfs --> off
[root@centos6mini app]# getsebool tftp_use_nfs        # show a single boolean
tftp_use_nfs --> off
[root@centos6mini app]# setsebool tftp_use_nfs 1      # enable (until reboot)
[root@centos6mini app]# getsebool tftp_use_nfs
tftp_use_nfs --> on
[root@centos6mini app]# setsebool tftp_use_nfs 0      # disable (until reboot)
[root@centos6mini app]# getsebool tftp_use_nfs
tftp_use_nfs --> off
[root@centos6mini app]# setsebool tftp_use_nfs on     # enable (until reboot)
[root@centos6mini app]# getsebool tftp_use_nfs
tftp_use_nfs --> on
[root@centos6mini app]# setsebool tftp_use_nfs off    # disable (until reboot)
[root@centos6mini app]# getsebool tftp_use_nfs
tftp_use_nfs --> off
[root@centos6mini app]# setsebool -P tftp_use_nfs on  # enable (persistent)
[root@centos6mini app]# getsebool tftp_use_nfs
tftp_use_nfs --> on
[root@centos6mini app]# setsebool -P tftp_use_nfs off # disable (persistent)
[root@centos6mini app]# getsebool tftp_use_nfs
tftp_use_nfs --> off
View the log file
[root@centos6mini app]# file /var/log/audit/audit.log
/var/log/audit/audit.log: ASCII text, with very long lines
[root@centos6mini app]# tail /var/log/audit/audit.log        # view the log file
type=CRED_DISP msg=audit(1522101661.721:115): user pid=4246 uid=0 auid=0 ses=11 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1522101661.721:116): user pid=4246 uid=0 auid=0 ses=11 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
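A summary of audit.log records by event type and by the SELinux domain of the acting process, as an added example (not part of the original notes). The two CRED_DISP/USER_END records come from the excerpt above; the AVC record in the sample is constructed to show how a denial is attributed to its domain via scontext=.

```shell
#!/bin/sh
# Added example: count audit records per (type, source domain). The domain is
# the type field of subj= (most records) or scontext= (AVC denial records).

# Reads audit records on stdin; prints TYPE<TAB>DOMAIN<TAB>COUNT, sorted.
summarize_audit() {
    awk '
    {
        type = ""; domain = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^type=/)     type = substr($i, 6)
            if ($i ~ /^subj=/)     { split(substr($i, 6), c, ":");  domain = c[3] }
            if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); domain = c[3] }
        }
        if (type != "") count[type "\t" domain]++
    }
    END { for (k in count) print k "\t" count[k] }' | sort
}

# Convenience wrapper for a real host: summarize_audit_log [file] [lines]
summarize_audit_log() {
    tail -n "${2:-1000}" "${1:-/var/log/audit/audit.log}" | summarize_audit
}

# Constructed sample records in audit.log format (the AVC line is made up).
sample_audit() {
    cat <<'EOF'
type=CRED_DISP msg=audit(1522101661.721:115): user pid=4246 uid=0 auid=0 ses=11 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1522101661.721:116): user pid=4246 uid=0 auid=0 ses=11 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=AVC msg=audit(1522101700.100:117): avc:  denied  { read } for  pid=4300 comm="httpd" name="index.html" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
EOF
}
```

An AVC count against a domain such as httpd_t is the signal to compare the target's tcontext with the expected context from semanage fcontext -l.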