-----------------------------------
1. Preface
2. Environment
3. Principles and modes
4. Case configurations
Case 1. Changing the Apache default document root
Case 2. Adding a non-standard Apache port
Case 3. A local regular user logging in over FTP
Case 4. Accessing Samba shares
-----------------------------------
1. Preface
SELinux (Security-Enhanced Linux) is the implementation of mandatory access control (MAC) that the US National Security Agency (NSA) developed with the help of the Linux community, and one of the most significant security subsystems added to Linux. Under its access-control model a process may touch only the resources its task needs, whatever user it runs as; the point is to contain a compromised or misbehaving service, and it also limits the damage an administrator's slip can do.
2. Environment
System: CentOS 6.4, 32-bit
IP: 192.168.2.20/24
Packages:
setroubleshoot.i686
setroubleshoot-server.i686    //the tools that interpret SELinux denials (provides sealert)
setroubleshoot-plugins.noarch
3. Principles and modes
Security context:
user:role:type:level
identity : role : type : MLS/MCS level (the level is s0 on a default targeted system; the page's own listings, such as unconfined_u:object_r:default_t:s0, show all four fields)
In the default targeted policy the user and role fields matter little; what matters is the type field. Whether a subject process can read a file resource is decided almost entirely by the type of the process (its domain, e.g. httpd_t) and the type of the file (e.g. httpd_sys_content_t). Every case below is this one rule seen from a different angle: a denial means the domain has no allow rule for that target type, and the fix is either to change the target's type, to grant the domain extra rules with a boolean, or to add the port to the right port type.
Turn off the firewall (so iptables does not confuse the tests) and enable SELinux; a reboot is needed:
# vim /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted
Caveat: if SELinux was disabled before, files created or changed in the meantime carry no labels, and unlabelled files make services (and possibly the boot itself) fail in enforcing mode. Create an empty file named /.autorelabel before rebooting so the whole filesystem is relabelled on the next boot; the relabel takes a while on a large disk.
4. Case configurations
Case 1. Changing the Apache default document root
# getenforce
Enforcing
# yum install setroubleshoot-server     //the package that provides sealert for reading SELinux denials
# vim /etc/httpd/conf/httpd.conf        //change the Apache document root
#DocumentRoot "/var/www/html"
DocumentRoot "/abc"
# mkdir /abc                            //a new directory under / gets the generic type default_t
# service httpd start
# echo Welcome > /abc/index.html
# ll -Z /abc/index.html
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 /abc/index.html
# ll -Z /var/www/html/index.html        //security context of the default document root
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
# ps auxZ | grep httpd                  //security context (domain) of the Apache processes
unconfined_u:system_r:httpd_t:s0 root   2630 0.2 0.3 12016 3332 ? Ss 20:22 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2633 0.0 0.2 12016 2144 ? S  20:22 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2634 0.0 0.2 12016 2144 ? S  20:22 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2635 0.0 0.2 12016 2144 ? S  20:22 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2636 0.0 0.2 12016 2144 ? S  20:22 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2637 0.0 0.2 12016 2144 ? S  20:22 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2638 0.0 0.2 12016 2144 ? S  20:22 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2639 0.0 0.2 12016 2144 ? S  20:22 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2640 0.0 0.2 12016 2144 ? S  20:22 0:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2644 1.0 0.0 4356 732 pts/0 S+ 20:23 0:00 grep httpd
Open http://192.168.2.20/index.html in a browser. The request fails (Apache answers 403 Forbidden): the httpd_t domain may read httpd_sys_content_t, but has no rule for default_t.
# tail -f /var/log/audit/audit.log      //the raw audit log: complete, but verbose and hard to search
# tail -f /var/log/messages             //setroubleshoot's digest of the same denial
May 19 23:50:54 localhost setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /abc/index.html. For complete SELinux messages. run sealert -l c8e46bf3-72a3-40ba-ac72-e345f65f7ff1
# sealert -l c8e46bf3-72a3-40ba-ac72-e345f65f7ff1   //full explanation of that denial and the suggested fixes
# chcon -R -h -t httpd_sys_content_t /abc/index.html   //relabel the file with the type httpd_t is allowed to read
# ll -Z /abc/index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /abc/index.html
Two caveats. First, chcon only rewrites the label stored on the inode: a later restorecon, or the full relabel triggered by /.autorelabel, resets /abc to default_t and the site breaks again. To make the label survive, record it in the policy's file-context database with semanage fcontext (pattern "/abc(/.*)?", type httpd_sys_content_t) and then apply it with restorecon -Rv /abc; matchpathcon /abc shows what the database would assign. Second, label the directory /abc itself, not only index.html: -R does nothing on a single file, and files created later in /abc inherit their type from the directory, not from a sibling file.
Case 2. Adding a non-standard Apache port
# vim /etc/httpd/conf/httpd.conf        //add a non-standard listening port
Listen 800
# service httpd restart                 //the restart fails
Stopping httpd:                                            [  OK  ]
Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:800
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:800
no listening sockets available, shutting down
Unable to open logs
                                                           [FAILED]
Apache binds its sockets while still running as root, so "Permission denied" here is not a DAC problem: it is SELinux refusing httpd_t the name_bind permission on a port that is not labelled http_port_t.
# tail -f /var/log/messages             //the denial as digested by setroubleshoot
May 18 23:56:14 localhost setroubleshoot: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket . For complete SELinux messages. run sealert -l ef4d32e8-4325-4595-a119-f048aa9c4d24
# tail -f /var/log/audit/audit.log
# man semanage                          //semanage usage
# semanage port -l | grep http          //which ports each http-related port type already covers
http_cache_port_t              tcp      3128, 8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989
# semanage port -a -t http_port_t -p tcp 800   //add the non-standard port to http_port_t (persistent)
# semanage port -l | grep http_port_t
http_port_t                    tcp      800, 80, 443, 488, 8008, 8009, 8443
# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
# netstat -tupln | grep http
tcp        0      0 :::80                       :::*                        LISTEN      3117/httpd
tcp        0      0 :::800                      :::*                        LISTEN      3117/httpd
Check before adding: if the port already belongs to another port type, semanage port -a fails with "already defined"; in that case either modify the existing mapping with semanage port -m (and accept that the other service's domain keeps access too) or choose a port that is already in http_port_t, such as 8008.
Case 3. A local regular user logging in over FTP
# service vsftpd start
# ftp 127.0.0.1                         //log in as a local regular user
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:root): nuo
331 Please specify the password.
Password:
500 OOPS: cannot change directory:/home/nuo   //login fails: ftpd_t may not enter user_home_dir_t
Login failed.
# tail -f /var/log/messages             //the denial and setroubleshoot's suggestion
# getsebool -a | grep ftp               //booleans related to ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
# setsebool -P ftp_home_dir on          //let ftpd_t use users' home directories; -P writes it to the policy so it survives a reboot
# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
# ftp 127.0.0.1                         //try again
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:root): nuo
331 Please specify the password.
Password:
230 Login successful.                   //login succeeds
Unlike a relabel, a boolean changes what the domain may do, not the label of the target: /home/nuo keeps its user_home_dir_t type, and ftp_home_dir opens every user's home directory to ftpd_t, not only nuo's. Without -P the change lasts only until the next reboot. semanage boolean -l prints a one-line description of each boolean, which is easier to read than the bare getsebool list.
Case 4. Accessing Samba shares
# chcon -R -t samba_share_t /abc/       //label the public share directory (/abc) with the type smbd_t may serve
# ll -dZ /abc
drwxr-xr-x. root root system_u:object_r:samba_share_t:s0 /abc
# setsebool -P samba_enable_home_dirs on   //let smbd_t serve users' home directories (/home/nuo)
# ll -dZ /home/nuo/
drwx------. nuo nuo unconfined_u:object_r:user_home_dir_t:s0 /home/nuo/
Note the trap: /abc was labelled httpd_sys_content_t in case 1, and a path carries exactly one type, so relabelling it samba_share_t silently breaks the Apache site again. When one tree must be served by several confined daemons, give it a type they can all read: public_content_t for read-only access by httpd, vsftpd, smbd and rsync, or public_content_rw_t plus the matching write booleans (allow_httpd_anon_write, allow_ftpd_anon_write, allow_smbd_anon_write) when they must also write. As in case 1, chcon is temporary; record the type with semanage fcontext and apply it with restorecon so a relabel does not undo it. The home-directory case is different again: the directory keeps user_home_dir_t (as the ll -dZ output shows) and the boolean is what grants smbd_t access.
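All four cases follow the same routine: find the AVC denial in audit.log, read off the source domain, the target type, the object class and the denied permission, and pick one of three fixes (add a port to a port type, flip a boolean, or relabel the path persistently). The script below, an added example written for this page and not code from the original post or from the SELinux tools, does that triage over constructed audit.log records that mirror cases 1 to 4, and also flags the case 4 trap of one path being relabelled for two different daemons. The sample records, the PORT_TYPES/BOOLEANS/CONTENT_TYPES tables (a hand-written subset of the CentOS 6 targeted policy, not derived from the policy) and the choice to relabel the containing directory rather than the single file are all assumptions of the example.

```python
"""Triage SELinux AVC denials the way cases 1-4 above do by hand.

Added example for this article; not part of the original post or of any
SELinux tool. Assumptions: SAMPLE_LOG is constructed (not a real capture);
PORT_TYPES, BOOLEANS and CONTENT_TYPES approximate a few rules of the
CentOS 6 targeted policy and are not read from the policy itself.
"""
import os
import re

# Constructed audit.log records, one per case above, plus a SYSCALL record
# that the parser must skip.
SAMPLE_LOG = """\
type=AVC msg=audit(1368978654.123:456): avc:  denied  { getattr } for  pid=2633 comm="httpd" path="/abc/index.html" dev=sda2 ino=131074 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1368978654.123:456): arch=40000003 syscall=195 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1368978974.456:470): avc:  denied  { name_bind } for  pid=3117 comm="httpd" src=800 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1368979200.789:480): avc:  denied  { search } for  pid=3301 comm="vsftpd" name="nuo" dev=sda2 ino=393217 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1368979500.111:490): avc:  denied  { getattr } for  pid=3410 comm="smbd" path="/abc" dev=sda2 ino=131073 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')    # key=value or key="quoted value"
_PERMS = re.compile(r'\{\s*([^}]*?)\s*\}')    # the { perm perm ... } set

# Hand-written rule tables (assumption: a small subset of the targeted policy).
PORT_TYPES = {"httpd_t": "http_port_t", "ftpd_t": "ftp_port_t"}
BOOLEANS = {("ftpd_t", "user_home_dir_t"): "ftp_home_dir",
            ("ftpd_t", "user_home_t"): "ftp_home_dir",
            ("smbd_t", "user_home_dir_t"): "samba_enable_home_dirs",
            ("smbd_t", "user_home_t"): "samba_enable_home_dirs"}
CONTENT_TYPES = {"httpd_t": "httpd_sys_content_t", "smbd_t": "samba_share_t"}


def parse_context(ctx):
    """Split user:role:type[:level]; the level may itself contain ':' (s0-s0:c0.c1023)."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else None}


def parse_avc(line):
    """Return a dict for a 'type=AVC ... denied' record, None for any other record."""
    if not line.startswith("type=AVC") or " denied " not in line:
        return None
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    if "scontext" not in rec or "tcontext" not in rec:
        return None
    m = _PERMS.search(line)
    rec["perms"] = m.group(1).split() if m else []
    rec["sdomain"] = parse_context(rec["scontext"])["type"]   # e.g. httpd_t
    rec["ttype"] = parse_context(rec["tcontext"])["type"]     # e.g. default_t
    return rec


def suggest_fix(rec):
    """Map one parsed denial to the fix the cases above apply by hand."""
    cls, perms = rec["tclass"], rec["perms"]
    # Case 2: a daemon bound a port its port type does not cover.
    if cls in ("tcp_socket", "udp_socket") and "name_bind" in perms:
        ptype = PORT_TYPES.get(rec["sdomain"])
        if ptype and "src" in rec:
            return {"kind": "port", "command": "semanage port -a -t %s -p %s %s"
                    % (ptype, cls.split("_")[0], rec["src"])}
    # Cases 3 and 4b: access to home directories is gated by a boolean, not a label.
    boolean = BOOLEANS.get((rec["sdomain"], rec["ttype"]))
    if boolean:
        return {"kind": "boolean", "command": "setsebool -P %s on" % boolean}
    # Cases 1 and 4a: content carries the wrong type; relabel persistently.
    want = CONTENT_TYPES.get(rec["sdomain"])
    if want and cls in ("file", "dir") and rec["ttype"] != want and "path" in rec:
        # Label the containing directory so files created later inherit the type
        # (assumption of this example; the page's chcon touched only the file).
        root = os.path.dirname(rec["path"]) if cls == "file" else rec["path"]
        return {"kind": "fcontext", "root": root, "type": want,
                "command": 'semanage fcontext -a -t %s "%s(/.*)?" && restorecon -Rv %s'
                           % (want, root, root)}
    return {"kind": "unknown", "command": "sealert -a /var/log/audit/audit.log"}


def triage(log_text):
    """Return (fixes, conflicts): fixes as (comm, kind, command) in log order,
    conflicts as {root: [types]} for a path two daemons want labelled differently."""
    fixes, wanted = [], {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        fix = suggest_fix(rec)
        fixes.append((rec.get("comm", "?"), fix["kind"], fix["command"]))
        if fix["kind"] == "fcontext":
            wanted.setdefault(fix["root"], set()).add(fix["type"])
    conflicts = {r: sorted(t) for r, t in wanted.items() if len(t) > 1}
    return fixes, conflicts


if __name__ == "__main__":
    found, clashes = triage(SAMPLE_LOG)
    for comm, kind, command in found:
        print("%-7s %-9s %s" % (comm, kind, command))
    for root, types in clashes.items():
        print("CONFLICT: %s wanted as %s; use public_content_t instead"
              % (root, " and ".join(types)))
```

Run it as a script to see one line per denial and the CONFLICT line for /abc, or point triage() at the text of a real /var/log/audit/audit.log. The rule tables are deliberately small: anything they do not cover comes back as "unknown" with a pointer to sealert, which is the right default, since guessing a boolean or a relabel for an unfamiliar denial is how policies get loosened by accident.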