SELinux configuration


  • SELinux is extremely important for a Linux system. It is a key line of defence: its main purpose is not to control the superuser or ordinary users but to confine system users, in particular the system accounts that many services create by default when installed, so that an outsider who reaches the machine through a service cannot get into the system and access other content, and so that each service's scope of action is limited.
  • It can also control things such as ports, for example changing the default port of a well-known service, such as moving httpd from port 80 to 10000, to avoid malicious access from outside users.
SELinux states:
  • enforcing: SELinux actively enforces protection of the system
  • permissive: enforcement is switched off and SELinux runs in warning mode; operations that would violate the policy are reported and recorded in the logs but not blocked
  • disabled: SELinux is completely disabled and has no effect

Location of the configuration file: /etc/selinux/config

Below are three examples showing how to set SELinux contexts under different requirements.

1. Page-access test with the httpd service in its default configuration
[root@liuyunfei-CentOS-7 ~]# yum install httpd -y

[root@liuyunfei-CentOS-7 ~]# touch /tmp/f1
[root@liuyunfei-CentOS-7 ~]# touch /tmp/f2
[root@liuyunfei-CentOS-7 ~]# cp /tmp/f1 /var/www/html/
[root@liuyunfei-CentOS-7 ~]# mv /tmp/f2 /var/www/html/
[root@liuyunfei-CentOS-7 ~]# ls -Z /var/www/html/
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 f1
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 f2
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html

[root@liuyunfei-CentOS-7 ~]# semanage fcontext -a -t httpd_sys_content_t /var/www/html/f2
[root@liuyunfei-CentOS-7 ~]# restorecon -v /var/www/html/f2
[root@liuyunfei-CentOS-7 ~]# ls -Z /var/www/html/
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 f1
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 f2
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html

[root@liuyunfei-CentOS-7 ~]# echo "this is the html in /var/www/html/index.html" > /var/www/html/index.html

[root@liuyunfei-CentOS-7 ~]# systemctl restart httpd


2. Page-access test after changing the httpd document root from the default /var/www/html to a custom directory
[root@liuyunfei-CentOS-7 ~]# mkdir /httpd-test
[root@liuyunfei-CentOS-7 ~]# touch /httpd-test/first.html

[root@liuyunfei-CentOS-7 ~]# semanage fcontext -a -t httpd_sys_content_t '/httpd-test(/.*)?'
[root@liuyunfei-CentOS-7 ~]# ll -dZ /httpd-test/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /httpd-test/
[root@liuyunfei-CentOS-7 ~]# restorecon -Rv /httpd-test
restorecon reset /httpd-test context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /httpd-test/first.html context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

[root@liuyunfei-CentOS-7 ~]# echo "this is the html in /httpd-test/first.html" > /httpd-test/first.html

[root@liuyunfei-CentOS-7 ~]# vim /etc/httpd/conf/httpd.conf
DocumentRoot "/httpd-test"

<Directory "/httpd-test">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>

[root@liuyunfei-CentOS-7 ~]# systemctl restart httpd


Help for the SELinux fcontext-related options
# List all labelled ports (filtered for http)
[root@liuyunfei-rhel-82 ~]# semanage port -l | grep http

-------------------------------------------------------
-a, --add             Add a record of the fcontext object type
-d, --delete          Delete a record of the fcontext object type
-m, --modify          Modify a record of the fcontext object type
-l, --list            List records of the fcontext object type
-t TYPE, --type TYPE  SELinux Type for the object
-------------------------------------------------------

[root@liuyunfei-rhel-82 ~]# semanage fcontext -m -t default_t '/var/www/html/index.html'
[root@liuyunfei-rhel-82 ~]# restorecon -rv /var/www/html/index.html
                             ------ a context rule modified with semanage cannot be recovered with restorecon
3. Access the httpd service on the non-standard port 10000 instead of the well-known port 80
[root@liuyunfei-CentOS-7 ~]# semanage port -l | grep http
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000

[root@liuyunfei-CentOS-7 ~]# semanage port -a -t http_port_t -p tcp 10000
[root@liuyunfei-CentOS-7 ~]# semanage port -l | grep http
http_port_t                    tcp      10000, 80, 81, 443, 488, 8008, 8009, 8443, 9000

[root@liuyunfei-CentOS-7 ~]# firewall-cmd --get-default-zone
trusted
[root@liuyunfei-CentOS-7 ~]# firewall-cmd --add-port=10000/tcp --zone=trusted
success
[root@liuyunfei-CentOS-7 ~]# firewall-cmd --list-all-zones  | grep 10000
  ports: 10000/tcp
[root@liuyunfei-CentOS-7 ~]# firewall-cmd --reload
success

[root@liuyunfei-CentOS-7 ~]# vim /etc/httpd/conf/httpd.conf
Listen 10000

[root@liuyunfei-CentOS-7 ~]# systemctl restart httpd
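The three examples above each end with a `systemctl restart httpd` and a browser check. As an added example that is not part of the original post, the shell functions below perform the two pre-flight checks a practitioner would want before that restart: which files under the DocumentRoot still carry the wrong type (sections 1 and 2), and whether the new Listen port is covered by http_port_t (section 3). They read command output on stdin so they can run here against constructed samples shaped like the tutorial's output; the live invocations on the host are shown as comments at the end.

```shell
#!/bin/bash
# Added example (not from the original post). Offline pre-flight checks for an
# SELinux-confined httpd: mislabelled DocumentRoot files and an uncovered port.

# mislabelled EXPECTED_TYPE  < output of "ls -Z <dir>"
# Prints "name current_type" for every entry whose type is not EXPECTED_TYPE.
# The context field is found by its ":object_r:" marker rather than by position,
# because el7 ls -Z prints mode/owner/group first while el8 prints only context.
mislabelled() {
    awk -v want="$1" '
        { for (i = 1; i <= NF; i++)
              if ($i ~ /:object_r:/) { split($i, c, ":"); if (c[3] != want) print $NF, c[3] } }'
}

# port_allowed PORT  < output of "semanage port -l"
# Exit 0 if PORT is listed for http_port_t over tcp, 1 otherwise.
port_allowed() {
    awk -v p="$1" '
        $1 == "http_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) { gsub(",", "", $i); if ($i == p) ok = 1 } }
        END { exit ok ? 0 : 1 }'
}

# Constructed samples, shaped like the tutorial output (el7 ls -Z format).
SAMPLE_LS='-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 f1
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 f2
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html'
SAMPLE_PORTS_BEFORE='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010'
SAMPLE_PORTS_AFTER='http_port_t                    tcp      10000, 80, 81, 443, 488, 8008, 8009, 8443, 9000'

# Runs both checks against the constructed samples and prints the findings.
preflight_demo() {
    printf '%s\n' "$SAMPLE_LS" | mislabelled httpd_sys_content_t
    if printf '%s\n' "$SAMPLE_PORTS_BEFORE" | port_allowed 10000; then
        echo "tcp/10000 already covered by http_port_t"
    else
        echo "tcp/10000 not covered: run semanage port -a -t http_port_t -p tcp 10000"
    fi
}

# Live use on the host (semanage comes from policycoreutils-python on el7):
#   ls -Z /var/www/html/ | mislabelled httpd_sys_content_t   # then restorecon -Rv
#   semanage port -l | port_allowed 10000 \
#       || semanage port -a -t http_port_t -p tcp 10000
```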

