Linux 基础 之 SElinux 的 初级管理
程序员文章站
2022-04-26 15:37:39
...
SElinux
selinux 内核级加强型防火墙
起到限制服务功能,限制服务访问两个功能(在使用lftp访问时体现)
我们开启selinux服务,并重启虚拟机
[root@localhost ~]# vim /etc/sysconfig/selinux
SELINUX=enforcing
[root@localhost ~]# reboot
[root@localhost ~]# getenforce
Enforcingselinux分为三个级别:分别是开启(Enforing也就是强制),警告(Permissive),和关闭(disable)。由前两个级别向第三个级别相互转换时,在配置文件里改变后要重启机器才能生效,而前两个级别可以在线做转换,如下图:
getebforce可以查看selinux的状态,setenforce改变selinux的状态,跟0转换到警告状态,跟1转换到开启状态
实验步骤:
[root@localhost ~]# touch /mnt/westos3
[root@localhost ~]# mv /mnt/westos3 /var/ftp/westos3 ##移动是重命名的过程,权限不会改变,复制是新建的过程
[root@localhost ~]# lftp 172.25.254.229
lftp 172.25.254.229:~> ls
drwxr-xr-x 2 0 0 6 Mar 07 2014 pub ##不能看到文件
lftp 172.25.254.229:/> quit
[root@localhost ~]# setenforce 1 ##强制模式
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# setenforce 0 ##警告模式,不会被拒绝
[root@localhost ~]# getenforce
Permissive
[root@localhost ~]# lftp 172.25.254.229
lftp 172.25.254.229:~> ls
drwxr-xr-x 2 0 0 6 Mar 07 2014 pub
-rw-r--r-- 1 0 0 0 May 06 08:51 westos3 ##可以看到文件
lftp 172.25.254.229:/> quit
[root@localhost ~]# cat /var/log/audit/audit.log ##查看警告日志
[root@localhost ~]# > /var/log/audit/audit.log ##清空日志安全上下文
临时修改安全上下文列表:
[root@localhost ~]# yum install vsftpd lftp -y
[root@localhost ~]# systemctl start vsftpd
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# systemctl enable vsftpd
[root@localhost ~]# systemctl disable firewalld[root@localhost ~]# touch /mnt/westos3
[root@localhost ~]# mv /mnt/westos3 /var/ftp/
[root@localhost ~]# cd /var/ftp
[root@localhost ftp]# ls
pub westos3
[root@localhost ftp]# touch file1
[root@localhost ftp]# ll
total 0
-rw-r--r--. 1 root root 0 May 11 21:37 file1
drwxr-xr-x. 2 root root 6 Mar 7 2014 pub
-rw-r--r--. 1 root root 0 May 11 21:28 westos3
[root@localhost ftp]# lftp 172.25.254.229
lftp 172.25.254.229:~> ls
-rw-r--r-- 1 0 0 0 May 12 01:37 file1
drwxr-xr-x 2 0 0 6 Mar 07 2014 pub
[root@localhost ftp]# ls -Z ##查看文件/目录的安全上下文
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 file1
-rw-r--r--. root root unconfined_u:object_r:mnt_t:s0 westos3
[root@localhost ftp]# semanage fcontext -l | grep /var/ftp
/var/ftp(/.*)? all files system_u:object_r:public_content_t:s0
/var/ftp/bin(/.*)? all files system_u:object_r:bin_t:s0
/var/ftp/etc(/.*)? all files system_u:object_r:etc_t:s0
/var/ftp/lib(/.*)? all files system_u:object_r:lib_t:s0
/var/ftp/lib/ld[^/]*\.so(\.[^/]*)* regular file system_u:object_r:ld_so_t:s0
[root@localhost ftp]# chcon -t public_content_t westos3 ##修改westos3文件安全上下文为public_content_t
[root@localhost ftp]# lftp 172.25.254.229
lftp 172.25.254.229:~> ls
-rw-r--r-- 1 0 0 0 May 12 01:37 file1
drwxr-xr-x 2 0 0 6 Mar 07 2014 pub
-rw-r--r-- 1 0 0 0 May 12 01:28 westos3注意:将/etc/sysconfig/selinux改为disable后重启,重启后再改为enforcing再次重启,表示将selinux重启。临时改的文件安全上下文就没有了
永久修改安全上下文:
[root@localhost ~]# mkdir /westos/
[root@localhost ~]# touch /westos/westosfile
[root@localhost ~]# vim /etc/vsftpd/vsfftpd.conf ##加入一行 anon_root=/westos 意思是我们 lftp 172.25.254.229 ls 的是westos 的内容。( 在之前anon_root=/ftpdir 我们ls 出的是 ftpdir 的内容)
[root@localhost ~]# systemctl restart vsftpd
[root@localhost ~]# lftp 172.25.254.229
lftp 172.25.254.229:~> ls
lftp 172.25.254.229:/> ls ##查看不出内容
lftp 172.25.254.229:/> quit
[root@localhost ~]# setenforce 0 ##虽然限制访问,但给它一个"警告",就可以访问,但还是会收到警告
[root@localhost ~]# lftp 172.25.254.229
lftp 172.25.254.229:~> ls
-rw-r--r-- 1 0 0 0 May 12 01:59 westosfile ##就可以查看出
lftp 172.25.254.229:/> quit
[root@localhost ~]# ls -Z /westos/ -d ##查看westos目录的安全上下文类型
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /westos/
[root@localhost ~]# lftp 172.25.254.229
lftp 172.25.254.229:~> ls
lftp 172.25.254.229:/> ls ##查看不出内容
lftp 172.25.254.229:/> quit
[root@localhost ~]# chcon -t public_content_t /westos -R ## -R 目录本身内容。临时对westos更改安全上下文类型,使文件安全上下文相匹配。
[root@localhost ~]# ls -Z /westos/ -d
drwxr-xr-x. root root unconfined_u:object_r:public_content_t:s0 /westos/ ## 当为 public_content_t 类型就可以上下匹配了。
[root@localhost ~]# lftp 172.25.254.229
lftp 172.25.254.229:~> ls
-rw-r--r-- 1 0 0 0 May 12 01:59 westosfile
lftp 172.25.254.229:/> quit
以下步骤就是来测试 chcon -t 是临时修改的文件安全上下文类型。
[root@localhost ~]# vim /etc/sysconfig/selinux ##改为disabled
[root@localhost ~]# reboot
Connection to 172.25.254.229 closed by remote host.
Connection to 172.25.254.229 closed.
[kiosk@foundation29 Desktop]$ rht-vmctl view server
[kiosk@foundation29 Desktop]$ ssh aaa@qq.com172.25.254.229
aaa@qq.com172.25.254.229's password:
Last login: Fri May 11 22:09:21 2018
[aaa@qq.com ~]# vim /etc/sysconfig/selinux ##再改为enforcing
[aaa@qq.com ~]# reboot
Connection to 172.25.254.229 closed by remote host.
Connection to 172.25.254.229 closed.
[aaa@qq.com Desktop]$ ssh aaa@qq.com
aaa@qq.com's password:
Last login: Fri May 11 22:12:14 2018
[root@localhost ~]# ls -Z /westos/ -d ##再次查看
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /westos/ ##还原成了 default_t
[root@localhost ~]# ls -Zd /westos/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /westos/
[root@localhost ~]# ls -Zd /var/ftp/ ##举个例子,为什么这个文件就开关机是 public_content_t
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /var/ftp/
[root@localhost ~]# semanage fcontext -l | grep /var/ftp ##semanage fcontext -l查看所有被记录过的安全上下文 ,这里是单单查看 /var/ftp/
/var/ftp(/.*)? all files system_u:object_r:public_content_t:s0 ##有/var/ftp/
/var/ftp/bin(/.*)? all files system_u:object_r:bin_t:s0
/var/ftp/etc(/.*)? all files system_u:object_r:etc_t:s0
/var/ftp/lib(/.*)? all files system_u:object_r:lib_t:s0
/var/ftp/lib/ld[^/]*\.so(\.[^/]*)* regular file system_u:object_r:ld_so_t:s0
[root@localhost ~]# semanage fcontext -l | grep /westos ##查看 /westos 有没有 ,然而没有
[root@localhost ~]# semanage fcontext -a -t public_content_t '/westos(/.*)?' ##-a 添加;-t 类型;(/ 本身内容;.* 所有隐藏文件;);‘’
[root@localhost ~]# semanage fcontext -l | grep /westos
/westos(/.*)? all files system_u:object_r:public_content_t:s0
[root@localhost ~]# restorecon -FvvR /westos/
restorecon reset /westos context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/westosfile context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
[root@localhost ~]# lftp 172.25.254.229
lftp 172.25.254.229:~> ls
-rw-r--r-- 1 0 0 0 May 12 01:59 westosfile
lftp 172.25.254.229:/> quit
[root@localhost ~]# touch /.autorelabel ##建立这个文件是将selinux初始化(相当于刚才的两次重启)
[root@localhost ~]# reboot
Connection to 172.25.254.229 closed by remote host.
Connection to 172.25.254.229 closed.
[kiosk@foundation29 Desktop]$ ssh aaa@qq.com172.25.254.229
aaa@qq.com172.25.254.229's password:
Last login: Fri May 11 22:21:07 2018
[aaa@qq.com ~]# ls -Zd /westos/
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /westos/
[aaa@qq.com ~]#
永久添加安全上下文(/.)?=/westos/=/westos//表示westos文件里所有文件和内容更改为public_content_t
[root@localhost ~]# semanage fcontext -l | grep /westos ##查看默认/westos安全上下文列表
/westos(/.*)? all files system_u:object_r:public_content_t:s0
[root@localhost ~]# restorecon -FvvR /westos/ ##刷新修改的/westos (-R递归 -v将过程显示在屏幕上)
restorecon reset /westos context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/westosfile context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
[root@localhost ~]# lftp 172.25.254.229
lftp 172.25.254.229:~> ls ##更改安全上下文后就可以看到文件了
-rw-r--r-- 1 0 0 0 May 12 02:03 westosfile
[root@localhost ~]# touch /.autorelabel ##建立这个文件是将selinux初始化(相当于刚才的两次重启)
[root@localhost ~]# reboot ##重启
##管理selinux的布尔值##
[root@localhost ~]# lftp 172.25.254.229 -u student
Password:
lftp student@172.25.254.229:~> ls
lftp student@172.25.254.229:~> put /etc/passwd
put: Access failed: 553 Could not create file. (passwd) ##553表示权限过小
[root@localhost ~]# getsebool -a | grep ftp ##查询ftp系统的布尔值设置状况
ftp_home_dir --> off
[root@localhost ~]# setsebool -P ftp_home_dir on ##修改布尔值策略(-P表示永久设置,会把setsebool值更改在文件里,否则重启后又恢复预设值)
[root@localhost ~]# lftp 172.25.254.229 -u student
Password:
lftp student@172.25.254.229:~> put /etc/passwd
2005 bytes transferred ##监控SELinux冲突
由于selinux产生的错误信息,会在cat /var/log/messages里显示,并且安装有setroubleshoot-server的机器还会告诉你如何解决报错问题,所有的报错信息在/var/log/audit/audi.log里,但是只会报错,不会告诉你怎么解决.
[root@localhost ftp]# cd /var/ftp
[root@localhost ftp]# rm -fr *
[root@localhost ftp]# vim /etc/vsftpd/vsftpd.conf
注释#anon_root=/westos
[root@localhost ftp]# systemctl restart vsftpd
[root@localhost ftp]# touch /mnt/westos
[root@localhost ftp]# mv /mnt/westos /var/ftp
[root@localhost ftp]# cat /var/log/audit/audit.log ##查看日志
[root@localhost ftp]# cat /var/log/messages ##查看日志的解决方法
解决方案:restorecon -v '$FIX_TARGET_PATH'
[root@localhost ftp]# restorecon -v /var/ftp/*
网页浏览: ftp://172.25.254.229##更改selinux端口##
tcp dup
[root@localhost ftp]# yum install httpd
[root@localhost ftp]# vim /etc/httpd/conf/httpd.conf
42 Listen 6666
[root@localhost ftp]# systemctl restart httpd ##修改http端口后不能重启,因为http里没有6666的端口
Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.
[root@localhost ftp]# setenforce 0 ##警告
[root@localhost ftp]# systemctl restart httpd ##警告模式后可以重启
[root@localhost ftp]# semanage port -l | grep http ##查看当前selinux允许的http端口
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
[root@localhost ftp]# semanage port -a -t http_port_t -p tcp 6666 ##添加6666端口到selinux
[root@localhost ftp]# semanage port -l | grep http ##再次查看端口是否添加进去
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 6666, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
[root@localhost ftp]# setenforce 1 ##强制警告也可以重启了
[root@localhost ftp]# systemctl restart httpd