0. Background: with SELinux disabled the system enforces only DAC, discretionary access control, where the owner of a file decides who may use it through the permission bits and root bypasses the check entirely. SELinux adds MAC, mandatory access control: a policy loaded into the kernel decides whether a process may touch an object, the owner cannot override that decision, and root is subject to it like any other user.
1. cat /etc/selinux/config shows the SELinux configuration file. SELINUX= takes one of three values: enforcing (unauthorized access is blocked and logged), permissive (unauthorized access is allowed but recorded in the audit log, which makes it the right mode for testing a policy) and disabled (SELinux is off). SELinux runs inside the kernel, so a change to this file only takes effect after a reboot. Files created while SELinux was disabled carry no security context, so when the mode goes from disabled to enforcing the filesystem has to be relabeled on the next boot (create the empty file /.autorelabel before rebooting). It is safer to go from disabled to permissive first, clear the denials that show up in the audit log, and switch to enforcing afterwards.
[[email protected] ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
2. ll -Z: the -Z option shows the SELinux security context of each file. A context is written user:role:type:level, and the first three fields are the ones to understand. The SELinux user (system_u, unconfined_u) is not the Linux account that owns the file; the role (object_r for files) matters mainly for processes; and under the default targeted policy almost every decision is made on the type (admin_home_t here), which is why the rest of this tutorial only ever changes the type field.
[[email protected] ~]# ll -Z
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 linux-3.16.61.tar.xz
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 my-ks.cfg
3. getsebool -a | head -n10 lists SELinux booleans, the switchable features of the loaded policy, together with whether each one is currently on or off. Flipping a boolean changes what the policy allows without writing or reloading a policy module.
[[email protected] ~]# getsebool -a | head -n10
abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
auditadm_exec_content --> on
authlogin_nsswitch_use_ldap --> off
authlogin_radius --> off
authlogin_yubikey --> off
awstats_purge_apache_log_files --> off
4. getenforce shows the current mode. setenforce 0 switches the running kernel to permissive (setenforce 1 switches back to enforcing) and getenforce confirms the change. This only affects the running system and is lost on reboot, and setenforce cannot move into or out of the disabled state: to disable SELinux, edit the configuration file as described above and reboot.
[[email protected] ~]# getenforce
Enforcing
[[email protected] ~]# setenforce 0
[[email protected] ~]# getenforce
Permissive
5. man chcon | grep OPTION shows how chcon is used. ll -Z in /tmp shows that a file created in a directory normally takes that directory's context; the policy can override this with a type_transition rule, which is why a file created in /tmp by an unconfined user gets user_tmp_t rather than the directory's own tmp_t. ll -Z test.txt checks the newly created test.txt. touch home.txt creates a file for trying out a context change, chcon -t user_tmp_t home.txt rewrites only its type field, and ll -Z home.txt confirms the result. chcon changes the label stored on the file and nothing else: the policy's file-context database is not updated, so restorecon or a full relabel will put the old label back (step 7 shows this).
[[email protected] ~]# man chcon | grep OPTION
chcon [OPTION]... CONTEXT FILE... ## set the full security context directly
chcon [OPTION]... [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE... ## change individual fields of the context
chcon [OPTION]... --reference=RFILE FILE... ## copy the context of another file
[[email protected] ~]# cd /tmp
[[email protected] tmp]# ll -Z
drwxr-xr-x. root root unconfined_u:object_r:user_tmp_t:s0 myiso
drwx------. root root system_u:object_r:tmp_t:s0 systemd-private-4e9db8c178fd4bf494a3daf7907a3d06-chronyd.service-2xeIyI
drwx------. root root system_u:object_r:tmp_t:s0 systemd-private-4e9db8c178fd4bf494a3daf7907a3d06-vgauthd.service-vkFjaw
drwx------. root root system_u:object_r:tmp_t:s0 systemd-private-4e9db8c178fd4bf494a3daf7907a3d06-vmtoolsd.service-dedOMj
drwx------. root root system_u:object_r:tmp_t:s0 systemd-private-ee45c66a94b94ef2a87467ed2beffd6e-chronyd.service-ZBShTK
drwx------. root root system_u:object_r:tmp_t:s0 systemd-private-ee45c66a94b94ef2a87467ed2beffd6e-vgauthd.service-c8tJdm
drwx------. root root system_u:object_r:tmp_t:s0 systemd-private-ee45c66a94b94ef2a87467ed2beffd6e-vmtoolsd.service-I6rdx3
[[email protected] tmp]# touch test.txt
[[email protected] tmp]# ll -Z test.txt
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 test.txt
[[email protected] tmp]# cd
[[email protected] ~]# touch home.txt
[[email protected] ~]# ll -Z home.txt
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 home.txt
[[email protected] ~]# chcon -t user_tmp_t home.txt
[[email protected] ~]# ll -Z home.txt
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 home.txt
6. systemctl start httpd starts the web server and ss -tnl | grep 80 confirms it is listening. cat index.html shows the test page created under the default DocumentRoot, and ll -Z shows that it is labeled httpd_sys_content_t, the file type the httpd_t domain is allowed to read (it is a file type, not a subtype of httpd_t; httpd_t is the domain the server processes run in, as ps auxZ | grep httpd shows). curl 172.20.0.131 fetches the page. vim /etc/httpd/conf/httpd.conf changes DocumentRoot and the matching <Directory> block to /www/html, mkdir -pv /www/html creates the directory and cp /var/www/html/index.html /www/html/ copies the page into it. ll -Z now shows default_t: no file-context rule covers /www, and cp writes a fresh file that takes the label of its destination directory instead of carrying over the source's label (cp --preserve=context or cp -a would keep it). setenforce 1 makes sure SELinux is enforcing and systemctl restart httpd makes Apache pick up the new DocumentRoot; curl 172.20.0.131/index.html now returns 403 Forbidden because httpd_t may not read default_t files, and the kernel writes the denial to /var/log/audit/audit.log. setenforce 0 switches to permissive and the same curl succeeds, which proves the block came from SELinux and not from file permissions. chcon -t httpd_sys_content_t index.html gives the file the right type; after setenforce 1 puts SELinux back into enforcing mode, curl 172.20.0.131/index.html still works.
[[email protected] ~]# systemctl start httpd
[[email protected] ~]# ss -tnl | grep 80
LISTEN 0 128 :::80 :::*
[[email protected] ~]# cd /var/www/html
[[email protected] html]# ls
[[email protected] html]# vim index.html
[[email protected] html]# cat index.html
Hello World!
[[email protected] html]# ll -Z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
[[email protected] html]# curl 172.20.0.131
Hello World!
[[email protected] html]# ps auxZ | grep httpd
system_u:system_r:httpd_t:s0 root 1701 0.0 0.2 226264 5160 ? Ss 23:36 0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 1702 0.0 0.2 226400 3744 ? S 23:36 0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 1703 0.0 0.1 226264 3020 ? S 23:36 0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 1704 0.0 0.1 226264 3020 ? S 23:36 0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 1705 0.0 0.1 226264 3020 ? S 23:36 0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 1706 0.0 0.1 226264 3020 ? S 23:36 0:00 /usr/sbin/httpd -DFOREGROUND
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1719 0.0 0.0 112712 980 pts/0 S+ 23:41 0:00 grep --color=auto httpd
[[email protected] html]# grep \/www\/html /etc/httpd/conf/httpd.conf
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
[[email protected] html]# vim /etc/httpd/conf/httpd.conf
[[email protected] html]# grep \/www\/html /etc/httpd/conf/httpd.conf
DocumentRoot "/www/html"
<Directory "/www/html">
[[email protected] html]# mkdir -pv /www/html
mkdir: created directory ‘/www’
mkdir: created directory ‘/www/html’
[[email protected] html]# cp /var/www/html/index.html /www/html/
[[email protected] html]# cd /www/html/
[[email protected] html]# ll -Z
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 index.html
[[email protected] html]# setenforce 1
[[email protected] html]# systemctl restart httpd
[[email protected] html]# curl 172.20.0.131/index.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /index.html
on this server.</p>
</body></html>
[[email protected] html]# setenforce 0
[[email protected] html]# curl 172.20.0.131/index.html
Hello World!
[[email protected] html]# chcon -t httpd_sys_content_t index.html
[[email protected] html]# setenforce 1
[[email protected] html]# curl 172.20.0.131/index.html
Hello World!
7. restorecon index.html resets the label to whatever the policy's file-context database specifies for that path. Nothing in the database covers /www, so the file goes back to default_t and the chcon change from step 6 is lost (and the web server would be refused again). chcon is therefore only a quick test; the durable fix is to register the new path with semanage fcontext and then run restorecon on it, so that a relabel produces the intended label instead of undoing it.
[[email protected] html]# restorecon index.html
[[email protected] html]# ll -Z
-rw-r--r--. root root system_u:object_r:default_t:s0 index.html
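The chcon/restorecon round trip in steps 5 to 7 is the reason a new DocumentRoot needs a file-context rule rather than a one-off chcon. The script below is an added example, not code from the tutorial: it assumes CentOS 7 tooling (semanage from the policycoreutils-python package, restorecon and matchpathcon) and a directory name passed on the command line. The helpers that split a context (step 2) and check an ll -Z listing run anywhere; relabel_webroot, which needs root and the SELinux tools, is only invoked when a path is given.

```shell
#!/bin/sh
# Added example, not from the original tutorial: label a new DocumentRoot so
# that the label survives restorecon, plus helpers for reading contexts and
# ll -Z output. relabel_webroot needs root and CentOS 7's semanage (package
# policycoreutils-python), restorecon and matchpathcon; it only runs when a
# directory is passed on the command line. The helpers run anywhere.

# context_type CONTEXT / context_level CONTEXT: split user:role:type:level.
# The level may itself contain colons (s0-s0:c0.c1023), so the type is always
# field 3 and the level is everything after it.
context_type()  { printf '%s\n' "$1" | cut -d: -f3; }
context_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# mislabeled EXPECTED_TYPE: read "ll -Z" lines (CentOS 7 layout: mode, user,
# group, context, name) on stdin and print every entry whose type differs.
# Lines without a context (the "total N" line) are skipped.
mislabeled() {
    while read -r mode user group ctx name; do
        case $ctx in *:*:*) ;; *) continue ;; esac
        t=$(context_type "$ctx")
        [ "$t" = "$1" ] || printf '%s %s\n' "$name" "$t"
    done
}

# fcontext_pattern DIR: the regex semanage fcontext expects for a directory
# and everything below it; a trailing slash on DIR is tolerated.
fcontext_pattern() {
    dir=${1%/}
    printf '%s(/.*)?\n' "$dir"
}

# relabel_webroot DIR [TYPE]: record DIR in the file-context database and apply
# it. "semanage fcontext -a" fails if a rule for the pattern already exists,
# so fall back to "-m" (modify) in that case; then relabel and verify.
relabel_webroot() {
    dir=$1
    type=${2:-httpd_sys_content_t}
    pattern=$(fcontext_pattern "$dir")
    if ! command -v semanage >/dev/null 2>&1; then
        echo "semanage not found; on CentOS 7 install policycoreutils-python" >&2
        return 2
    fi
    semanage fcontext -a -t "$type" "$pattern" 2>/dev/null \
        || semanage fcontext -m -t "$type" "$pattern"
    restorecon -Rv "$dir"
    # What the database now says the path should carry, and what it carries.
    matchpathcon "$dir"
    ls -Zd "$dir"
    ls -lZ "$dir" | mislabeled "$type"
}

if [ $# -gt 0 ]; then
    relabel_webroot "$@"
fi
```

Run as root with `sh relabel.sh /www` (the file name is arbitrary). The pattern it registers for /www is `/www(/.*)?`; afterwards `restorecon index.html`, as in step 7, keeps httpd_sys_content_t instead of reverting to default_t, and `semanage fcontext -l | grep /www` shows the rule.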
8. getsebool ftpd_use_nfs shows the state of one boolean. setsebool ftpd_use_nfs on turns it on and getsebool ftpd_use_nfs confirms it; setsebool ftpd_use_nfs off turns it off again and getsebool confirms that too. Without -P the change only lives in the running policy and is gone after a reboot. setsebool -P ftpd_use_nfs on writes the value into the policy store and rebuilds the policy, so it persists; this is why the -P form takes noticeably longer, and the audit log in step 9 shows the policy reload it causes. getsebool ftpd_use_nfs confirms the final state.
[[email protected] html]# getsebool ftpd_use_nfs
ftpd_use_nfs --> off
[[email protected] html]# setsebool ftpd_use_nfs on
[[email protected] html]# getsebool ftpd_use_nfs
ftpd_use_nfs --> on
[[email protected] html]# setsebool ftpd_use_nfs off
[[email protected] html]# getsebool ftpd_use_nfs
ftpd_use_nfs --> off
[[email protected] html]# setsebool -P ftpd_use_nfs on
[[email protected] html]# getsebool ftpd_use_nfs
ftpd_use_nfs --> on
9. tail /var/log/audit/audit.log shows the SELinux-related audit records. Every boolean change from step 8 produced a MAC_CONFIG_CHANGE record carrying the old and new value, and the setsebool -P run was followed by a MAC_POLICY_LOAD record from load_policy. Records that share the same audit(timestamp:serial) belong to one event. The PROCTITLE field holds the command line; when it contains NUL bytes between arguments it is stored hex-encoded, so 7365747365626F6F6C002D5000667470645F7573655F6E6673006F6E decodes to setsebool -P ftpd_use_nfs on. Access denials like the 403 in step 6 appear as type=AVC records listing the source context (scontext), target context (tcontext), object class and denied permission; ausearch -m AVC -ts recent pulls them out, and audit2why explains why the policy denied them.
[[email protected] html]# tail /var/log/audit/audit.log
type=PROCTITLE msg=audit(1546664818.864:191): proctitle=7365747365626F6F6C00667470645F7573655F6E6673006F6E
type=MAC_CONFIG_CHANGE msg=audit(1546664836.599:192): bool=ftpd_use_nfs val=0 old_val=1 auid=0 ses=1
type=SYSCALL msg=audit(1546664836.599:192): arch=c000003e syscall=1 success=yes exit=2 a0=3 a1=7ffc5c1a7510 a2=2 a3=7ffc5c1a6f20 items=0 ppid=1308 pid=1886 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="setsebool" exe="/usr/sbin/setsebool" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1546664836.599:192): proctitle=7365747365626F6F6C00667470645F7573655F6E6673006F6666
type=MAC_CONFIG_CHANGE msg=audit(1546664904.385:193): bool=ftpd_use_nfs val=1 old_val=0 auid=0 ses=1
type=SYSCALL msg=audit(1546664904.385:193): arch=c000003e syscall=1 success=yes exit=2 a0=4 a1=7ffe2c0613c0 a2=2 a3=7ffe2c060de0 items=0 ppid=1308 pid=1888 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="setsebool" exe="/usr/sbin/setsebool" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1546664904.385:193): proctitle=7365747365626F6F6C002D5000667470645F7573655F6E6673006F6E
type=MAC_POLICY_LOAD msg=audit(1546664905.375:194): policy loaded auid=0 ses=1
type=SYSCALL msg=audit(1546664905.375:194): arch=c000003e syscall=1 success=yes exit=3725374 a0=4 a1=7f9ff0a68010 a2=38d83e a3=7ffd1e72d620 items=0 ppid=1888 pid=1892 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="load_policy" exe="/usr/sbin/load_policy" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1546664905.375:194): proctitle="/sbin/load_policy"
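The records above can be reduced to something readable without auditd's own tools, which helps when all you have is a copied log. The following POSIX sh script is an added example and not from the original tutorial. It runs against a constructed sample that reuses the setsebool records shown above and adds one AVC denial written to match the 403 from step 6 (the pid, dev and ino values in that line are invented). It decodes hex PROCTITLE values, prints each boolean change, and summarises each AVC denial by source type, target type, class and permission, which are the fields a chcon or semanage fix is chosen from.

```shell
#!/bin/sh
# Added example, not from the original tutorial: read SELinux-relevant records
# out of an audit log, decode hex-encoded PROCTITLE values and summarise AVC
# denials. Pure POSIX sh plus sed/cut, so it also works on a copied log.

# Constructed sample. The setsebool records are the ones shown above; the AVC
# line is made up to match the 403 in step 6 (pid, dev and ino are invented).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1546664560.101:180): avc:  denied  { read } for  pid=1702 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=MAC_CONFIG_CHANGE msg=audit(1546664836.599:192): bool=ftpd_use_nfs val=0 old_val=1 auid=0 ses=1
type=PROCTITLE msg=audit(1546664836.599:192): proctitle=7365747365626F6F6C00667470645F7573655F6E6673006F6666
type=MAC_CONFIG_CHANGE msg=audit(1546664904.385:193): bool=ftpd_use_nfs val=1 old_val=0 auid=0 ses=1
type=PROCTITLE msg=audit(1546664904.385:193): proctitle=7365747365626F6F6C002D5000667470645F7573655F6E6673006F6E
type=MAC_POLICY_LOAD msg=audit(1546664905.375:194): policy loaded auid=0 ses=1
type=PROCTITLE msg=audit(1546664905.375:194): proctitle="/sbin/load_policy"
EOF
}

# field RECORD KEY: the value of KEY=value in a record. Keys are preceded by
# whitespace, so "val=" does not match inside "old_val=".
field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# decode_proctitle HEX: auditd hex-encodes argv when it contains NUL bytes;
# each 00 byte separates two arguments, so it becomes a space here.
decode_proctitle() {
    hex=$1
    out=""
    while [ ${#hex} -ge 2 ]; do
        pair=${hex%"${hex#??}"}     # first two hex digits
        hex=${hex#??}
        if [ "$pair" = "00" ]; then
            out="$out "
        else
            # turn the byte value into an octal escape that printf understands
            out="$out$(printf "\\$(printf '%03o' "$((0x$pair))")")"
        fi
    done
    printf '%s' "$out"
}

# proctitle_of RECORD: the command line of a PROCTITLE record, whether auditd
# stored it as a quoted string or hex-encoded.
proctitle_of() {
    val=${1##*proctitle=}
    case $val in
        \"*\") val=${val#\"}; printf '%s' "${val%\"}" ;;
        *)     decode_proctitle "$val" ;;
    esac
}

# avc_summary RECORD: reduce a denial to the fields a fix is built from: source
# domain type, permission, object class, target type, and whether the kernel
# blocked the access (permissive=0) or only logged it.
avc_summary() {
    line=$1
    perms=$(printf '%s\n' "$line" | sed -n 's/.*{ \(.*\) }.*/\1/p')
    src=$(field "$line" scontext | cut -d: -f3)
    tgt=$(field "$line" tcontext | cut -d: -f3)
    if [ "$(field "$line" permissive)" = "1" ]; then mode=logged-only; else mode=blocked; fi
    printf '%s denied %s on %s %s (%s)' "$src" "$perms" "$(field "$line" tclass)" "$tgt" "$mode"
}

# summarize_audit: read audit records on stdin, print one line per SELinux event;
# records of other types are ignored.
summarize_audit() {
    while IFS= read -r line; do
        case $line in
            type=AVC*)               printf 'AVC   %s\n' "$(avc_summary "$line")" ;;
            type=MAC_CONFIG_CHANGE*) printf 'BOOL  %s: %s -> %s\n' \
                                         "$(field "$line" bool)" "$(field "$line" old_val)" "$(field "$line" val)" ;;
            type=MAC_POLICY_LOAD*)   printf 'LOAD  policy reloaded (auid=%s)\n' "$(field "$line" auid)" ;;
            type=PROCTITLE*)         printf 'CMD   %s\n' "$(proctitle_of "$line")" ;;
        esac
    done
}

sample_log | summarize_audit
```

On a real system feed it the log directly, `summarize_audit < /var/log/audit/audit.log`, or narrow it first with `ausearch -m AVC -ts recent | summarize_audit`; the sample prints the denial as `httpd_t denied read on file default_t (blocked)`, which is exactly the pairing that step 6 fixed by relabeling the file to httpd_sys_content_t.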