SELinux Basics
Published: 2019-07-31 22:53:36  Editor: 雪饮
Viewing a file's SELinux object security context (file type)
[root@slave ~]# ls -Z
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log.syslog
Viewing a process's SELinux security context (domain)
[root@slave ~]# ps -auZ
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.8/FAQ
LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
system_u:system_r:getty_t:s0 root 1800 0.0 0.0 2008 508 tty2 Ss+ 02:25 0:00 /sbin/mingetty /dev/tty2
system_u:system_r:getty_t:s0 root 1802 0.0 0.0 2008 508 tty3 Ss+ 02:25 0:00 /sbin/mingetty /dev/tty3
system_u:system_r:getty_t:s0 root 1804 0.0 0.0 2008 504 tty4 Ss+ 02:25 0:00 /sbin/mingetty /dev/tty4
system_u:system_r:getty_t:s0 root 1806 0.0 0.0 2008 512 tty5 Ss+ 02:25 0:00 /sbin/mingetty /dev/tty5
system_u:system_r:getty_t:s0 root 1808 0.0 0.0 2008 508 tty6 Ss+ 02:25 0:00 /sbin/mingetty /dev/tty6
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1881 0.0 0.0 5120 1676 tty1 Ss+ 02:25 0:00 -bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1941 0.0 0.0 5124 1676 pts/0 Ss 02:26 0:00 -bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1977 0.0 0.0 4928 1112 pts/0 R+ 02:30 0:00 ps -auZ
The difference between Enforcing and Permissive in SELinux
Enforcing: when an action violates an SELinux rule, it is denied outright and the denial is logged to /var/log/audit/audit.log
Permissive: when an action violates an SELinux rule, it is not denied, but the denial is still logged to /var/log/audit/audit.log
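In both modes the evidence ends up in the same place, so the practical skill is reading audit.log. The script below is an added example (not from the original post): it reports the current mode from the kernel interface and condenses AVC denial records into "who was denied what on which type" counts. The audit lines it parses are constructed for this example; the pids, inodes and timestamps are made up, and the field layout follows the AVC records the kernel writes to /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials from an audit log.

# selinux_mode: read the enforcing flag directly (RHEL 5/6 mount /selinux,
# newer systems /sys/fs/selinux); this is what "getenforce" reports.
selinux_mode() {
    for f in /sys/fs/selinux/enforce /selinux/enforce; do
        if [ -r "$f" ]; then
            case $(cat "$f") in
                1) echo enforcing ;;
                0) echo permissive ;;
                *) echo unknown ;;
            esac
            return 0
        fi
    done
    echo unavailable   # SELinux disabled or not compiled in
}

# avc_summary FILE: one line per distinct (comm, source type, permission,
# target type, class) with a count, most frequent first.
avc_summary() {
    awk '
    /avc: +denied/ {
        perm = ""; comm = ""; s = ""; t = ""; cls = ""
        # the requested permissions sit between "{" and "}"
        if (match($0, /\{[^}]*\}/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
            if ($i ~ /^scontext=/) { s = $i;    sub(/^scontext=/, "", s) }
            if ($i ~ /^tcontext=/) { t = $i;    sub(/^tcontext=/, "", t) }
            if ($i ~ /^tclass=/)   { cls = $i;  sub(/^tclass=/, "", cls) }
        }
        # keep only the type (third colon-separated field) of each context
        split(s, sa, ":"); split(t, ta, ":")
        count[comm " " sa[3] " " perm " " ta[3] " " cls]++
    }
    END { for (k in count) print count[k], k }' "$1" | sort -rn
}

# Constructed sample log: the samba and httpd denials discussed on this page.
SAMPLE_AUDIT=$(mktemp)
trap 'rm -f "$SAMPLE_AUDIT"' EXIT
cat > "$SAMPLE_AUDIT" <<'EOF'
type=AVC msg=audit(1564564000.101:201): avc:  denied  { write } for  pid=2301 comm="smbd" name="fstab" dev=dm-0 ino=4711 scontext=system_u:system_r:smbd_t:s0 tcontext=root:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1564564001.102:202): avc:  denied  { write } for  pid=2301 comm="smbd" name="hosts" dev=dm-0 ino=4712 scontext=system_u:system_r:smbd_t:s0 tcontext=root:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1564564002.103:203): avc:  denied  { add_name } for  pid=2301 comm="smbd" name="fstab" scontext=system_u:system_r:smbd_t:s0 tcontext=root:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1564564003.104:204): avc:  denied  { name_bind } for  pid=2410 comm="httpd" src=8040 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1564564004.105:205): avc:  denied  { write } for  pid=2301 comm="smbd" name="issue" dev=dm-0 ino=4713 scontext=system_u:system_r:smbd_t:s0 tcontext=redhat:object_r:user_home_t:s0 tclass=file
type=USER_AUTH msg=audit(1564564005.106:206): user pid=2500 uid=0 auid=0 ses=1 msg='op=PAM:authentication acct="root" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
EOF

echo "mode: $(selinux_mode)"
avc_summary "$SAMPLE_AUDIT"
```

On a live host run it as `avc_summary /var/log/audit/audit.log`; the counts tell you quickly whether a denial is a one-off or a daemon hammering a mislabelled directory. For the official tooling, `ausearch -m avc -ts recent` pulls the same records out of the audit database and `audit2why` (from policycoreutils) explains each one, including when the fix is a boolean rather than a label.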
Changing a file's SELinux type
[root@slave ~]# ls -Z /var/log/messages
-rw-------. root root system_u:object_r:var_log_t:s0 /var/log/messages
[root@slave ~]# ls -Z /tmp/a.txt
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/a.txt
[root@slave ~]# chcon -t var_log_t /tmp/a.txt
[root@slave ~]# ls -Z /tmp/a.txt
-rw-r--r--. root root unconfined_u:object_r:var_log_t:s0 /tmp/a.txt
Files created in different directories get different SELinux types
[root@slave ~]# touch /tmp/d.txt
[root@slave ~]# ls -Z /tmp/d.txt
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/d.txt
[root@slave ~]# touch e.txt
[root@slave ~]# ls -Z e.txt
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 e.txt
This is the result of the default rules provided by SELinux's targeted policy type.
targeted built-in rules: httpd
Environment: redhat6.4-i386
With SELinux in enforcing mode, a default httpd installation has its virtual-host document root at /var/www/html,
so an index.html created there can be served:
[root@slave ~]# ls -Z /var/www/html/
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
But if you create a directory of your own, put an index.html in it, and point the httpd virtual host's document root at that new directory, the index.html cannot be accessed (when access fails with an error, Apache's built-in welcome page is shown instead).
After changing the SELinux file label it is accessible again:
[root@slave ~]# chcon -R -t httpd_sys_content_t /web/vhosts/bbs
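The chcon above fixes the running system but not the policy: the label lives only on the inode, and the page's own restorecon section later shows it being reverted to default_t. The added example below (not part of the original post) first audits a web root for files whose type is not httpd_sys_content_t, then prints the pair of commands that make the label persistent by recording it in the local fcontext database and applying it. The `ls -Z` lines are constructed; /web/vhosts/bbs is the directory from the page. The semanage and restorecon commands are real, but the script only prints them so it runs without root or SELinux.

```shell
#!/bin/sh
# Added example: find mislabelled web content and build the persistent fix.

# Constructed "ls -Z" output for a hypothetical /web/vhosts/bbs tree
# (RHEL 6 layout: mode, owner, group, context, path).
SAMPLE_LS_Z='-rw-r--r--. root root unconfined_u:object_r:default_t:s0 /web/vhosts/bbs/index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /web/vhosts/bbs/about.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /web/vhosts/bbs/logo.png
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /web/vhosts/bbs/upload.tmp'

# mislabelled WANT: read ls -Z lines on stdin, print "path type" for every
# entry whose type differs from WANT.
mislabelled() {
    awk -v want="$1" '
    NF >= 5 {
        split($4, c, ":")          # user:role:type:level
        if (c[3] != want) print $5, c[3]
    }'
}

# fcontext_regex DIR: the pattern semanage fcontext expects for "DIR and
# everything below it". Regex metacharacters common in paths (a dot in
# www.example.com, for instance) are escaped; brackets and backslashes in
# directory names are not handled here.
fcontext_regex() {
    esc=$(printf '%s' "${1%/}" | sed 's/[.^$*+?(){}|]/\\&/g')
    printf '%s(/.*)?\n' "$esc"
}

# persist_label_cmds DIR TYPE: record the type in the local fcontext database,
# then apply it. Refuses anything that does not look like a type name.
persist_label_cmds() {
    dir=$1; type=$2
    case $type in
        *_t) ;;
        *) echo "refusing: '$type' does not look like an SELinux type" >&2; return 1 ;;
    esac
    printf 'semanage fcontext -a -t %s "%s"\n' "$type" "$(fcontext_regex "$dir")"
    printf 'restorecon -Rv %s\n' "$dir"
}

echo "Files under /web/vhosts/bbs not labelled httpd_sys_content_t:"
printf '%s\n' "$SAMPLE_LS_Z" | mislabelled httpd_sys_content_t
echo
echo "Persistent fix (run as root on the web host):"
persist_label_cmds /web/vhosts/bbs httpd_sys_content_t
```

On a real host feed it `ls -RZ /web/vhosts/bbs | mislabelled httpd_sys_content_t` and, once the fcontext rule is in place, `restorecon -Rv` both applies it now and keeps applying it on every future relabel, which is exactly what a plain chcon cannot do.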
targeted built-in rules: samba
Environment: redhat5.8x86-i386
Installation
[root@localhost ~]# rpm -e samba-client samba-common
[root@localhost ~]# rpm -ivh /test/Server/samba3x-winbind-3.5.10-0.107.el5.i386.rpm /test/Server/samba3x-common-3.5.10-0.107.el5.i386.rpm
warning: /test/Server/samba3x-winbind-3.5.10-0.107.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing... ########################################### [100%]
1:samba3x-common ########################################### [ 50%]
2:samba3x-winbind ########################################### [100%]
[root@localhost ~]# rpm -ivh /test/Server/samba3x-3.5.10-0.107.el5.i386.rpm
warning: /test/Server/samba3x-3.5.10-0.107.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing... ########################################### [100%]
1:samba3x ########################################### [100%]
[root@localhost ~]# rpm -ivh /test/Server/samba3x-client-3.5.10-0.107.el5.i386.rpm
warning: /test/Server/samba3x-client-3.5.10-0.107.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing... ########################################### [100%]
1:samba3x-client ########################################### [100%]
Configuration
Append the following to the end of /etc/samba/smb.conf:
[tools]
comment = some tools
path = /shared
browseable = yes
public = yes
write list = +magedu
Set up the directory and the accounts
mkdir /shared
groupadd magedu
chgrp magedu /shared/
chmod g+w /shared/
useradd -G magedu redhat
useradd -G magedu gentoo
usermod -a -G magedu redhat
[root@localhost ~]# smbpasswd -a redhat
[root@localhost ~]# smbpasswd -a gentoo
[root@localhost ~]# smbpasswd -a root
[root@localhost ~]# service smb start
Starting SMB services: [ OK ]
Testing
Current SELinux state
[root@localhost ~]# getenforce
Enforcing
Uploading to the public share
A user can log in to the shared directory, but is not allowed to upload a file:
[root@localhost ~]# cd /etc/
[root@localhost etc]# smbclient //192.168.2.159/tools -U redhat
Enter redhat's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.5.10-0.107.el5]
smb: \> put fstab
NT_STATUS_ACCESS_DENIED opening remote file \fstab
The default SELinux context of the samba share directory
[root@localhost ~]# ls -Zd /shared/
drwxrwxr-x root magedu root:object_r:default_t /shared/
So, following the notes in the samba configuration file:
[root@localhost ~]# chcon -R -t samba_share_t /shared/
Now the upload succeeds:
smb: \> put fstab
putting file fstab as \fstab (521.4 kb/s) (average 521.5 kb/s)
smb: \>
Uploading to the user's own home directory
A user can log in to the share of their own home directory as themselves, yet still cannot upload:
[root@localhost etc]# smbclient //192.168.2.159/redhat -U redhat
Enter redhat's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.5.10-0.107.el5]
smb: \> put issue
NT_STATUS_ACCESS_DENIED opening remote file \issue
List the SELinux booleans
[root@localhost ~]# getsebool -a
Not even being able to upload to one's own home directory is also a policy that ships with SELinux's targeted mode.
But the approach used above cannot be applied directly here, because relabelling the user's home directory would turn it into a public area just like tools, and it would no longer be a home.
So:
[root@localhost ~]# setsebool samba_enable_home_dirs=on
Uploads succeed again:
smb: \> put issue
putting file issue as \issue (24.1 kb/s) (average 24.1 kb/s)
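A boolean is the right lever here precisely because it is narrow: it grants smbd access to home directories without relabelling them. Two things are worth scripting around it, so here is an added example (not from the original post): reading a boolean's current value out of `getsebool -a` output, and emitting a change only when one is actually needed. The `getsebool -a` excerpt is constructed (the boolean names are real targeted-policy booleans, the values are made up), and the setsebool command is printed rather than executed. Note the `-P` flag in the generated command: the page's `setsebool samba_enable_home_dirs=on` changes the running kernel only and is lost at reboot, whereas `-P` also writes the value into the policy store.

```shell
#!/bin/sh
# Added example: idempotent, persistent SELinux boolean changes.

# Constructed excerpt of "getsebool -a" (names real, values made up).
SAMPLE_BOOLS='samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_share_nfs --> off
httpd_enable_homedirs --> off
httpd_can_network_connect --> on'

# bool_state NAME: print on/off for NAME from getsebool -a output on stdin;
# exit status 2 when the boolean does not exist in this policy.
bool_state() {
    awk -v name="$1" '
        $1 == name && $2 == "-->" { print $3; found = 1 }
        END { if (!found) exit 2 }'
}

# ensure_bool NAME on|off: print the setsebool command only if the current
# value differs. -P makes the change survive a reboot.
ensure_bool() {
    cur=$(bool_state "$1") || { echo "unknown boolean: $1" >&2; return 2; }
    if [ "$cur" = "$2" ]; then
        echo "# $1 is already $2"
    else
        echo "setsebool -P $1 $2"
    fi
}

printf '%s\n' "$SAMPLE_BOOLS" | ensure_bool samba_enable_home_dirs on
printf '%s\n' "$SAMPLE_BOOLS" | ensure_bool httpd_can_network_connect on
```

On a real host the input is simply `getsebool -a | ensure_bool samba_enable_home_dirs on`. The same list also contains samba_export_all_rw, which would have "fixed" the first upload failure too, but by exposing every file on the system to smbd; when a boolean and a label both solve a denial, prefer whichever grants the smaller scope.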
Restoring the default SELinux context (file type)
[root@slave ~]# ls -Z /web/vhosts/bbs/index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /web/vhosts/bbs/index.html
[root@slave ~]# restorecon /web/vhosts/bbs/index.html
[root@slave ~]# ls -Z /web/vhosts/bbs/index.html
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 /web/vhosts/bbs/index.html
Viewing a file's default SELinux context
Installing the dependency
[root@slave ~]# yum install policycoreutils-python
View the default SELinux context for a given path
[root@slave ~]# semanage fcontext -l | grep /var/www
List the defined SELinux users
[root@slave ~]# semanage user -l
Labeling MLS/ MLS/
SELinux User Prefix MCS Level MCS Range SELinux Roles
git_shell_u user s0 s0 git_shell_r
guest_u user s0 s0 guest_r
root user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r
staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r
sysadm_u user s0 s0-s0:c0.c1023 sysadm_r
system_u user s0 s0-s0:c0.c1023 system_r unconfined_r
unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r
user_u user s0 s0 user_r
xguest_u user s0 s0 xguest_r
Port-based SELinux policy
Current SELinux state
[root@localhost ~]# getenforce
Enforcing
View which SELinux port context type the well-known port 80 is bound to
[root@slave ~]# semanage port -l | grep 80
amanda_port_t tcp 10080-10083
amanda_port_t udp 10080-10082
cyphesis_port_t tcp 6767, 6769, 6780-6799
hplip_port_t tcp 1782, 2207, 2208, 8290, 50000, 50002, 8292, 9100, 9101, 9102, 9220, 9221, 9222, 9280, 9281, 9282, 9290, 9291
http_cache_port_t tcp 3128, 8080, 8118, 8123, 10001-10010
http_port_t tcp 80, 443, 488, 8008, 8009, 8443
jboss_management_port_t tcp 4712, 4447, 7600, 9123, 9990, 9999, 18001
luci_port_t tcp 8084
ocsp_port_t tcp 9080
pki_ca_port_t tcp 9180, 9701, 9443-9447
pki_kra_port_t tcp 10180, 10701, 10443-10446
pki_ocsp_port_t tcp 11180, 11701, 11443-11446
pki_tks_port_t tcp 13180, 13701, 13443-13446
soundd_port_t tcp 8000, 9433, 16001
speech_port_t tcp 8036
transproxy_port_t tcp 8081
xen_port_t tcp 8002
zope_port_t tcp 8021
Now change the listening port in httpd's virtual-host configuration to one that no default SELinux port context type covers, such as 8040; the error appears as soon as the service is restarted.
[root@slave ~]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.2.212 for ServerName
(13)Permission denied: make_sock: could not bind to address [::]:8040
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:8040
no listening sockets available, shutting down
Unable to open logs
[FAILED]
So add 8040 to the context type found above, then restart httpd again:
[root@slave ~]# semanage port -a -t http_port_t -p tcp 8040
[root@slave ~]# service httpd restart
Stopping httpd: [FAILED]
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.2.212 for ServerName
[ OK ]
[root@slave ~]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.2.212 for ServerName
[ OK ]
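The `semanage port -a` above worked because tcp/8040 was not assigned to any type. Had the new port already belonged to another type (8081 is transproxy_port_t in the listing above, for example), `-a` would fail with an "already defined" error and `-m` would be needed instead. The added example below (not from the original post) parses `semanage port -l` output, including ranges such as 10080-10083, to find a port's current owner and pick the right subcommand. The listing excerpt is constructed from the types and numbers shown on this page; the command is printed, not executed.

```shell
#!/bin/sh
# Added example: which SELinux type owns a port, and how to give it to httpd.

# Constructed excerpt of "semanage port -l" (types and numbers as on the page).
SAMPLE_PORTS='amanda_port_t                  tcp      10080-10083
amanda_port_t                  udp      10080-10082
http_cache_port_t              tcp      3128, 8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
transproxy_port_t              tcp      8081
zope_port_t                    tcp      8021'

# port_owner PROTO PORT: print the type whose definition covers PROTO/PORT,
# reading semanage port -l output on stdin; prints nothing if unassigned.
port_owner() {
    awk -v proto="$1" -v port="$2" '
    $2 == proto {
        for (i = 3; i <= NF; i++) {
            p = $i; sub(/,$/, "", p)           # strip the list comma
            if (split(p, r, "-") == 2) { lo = r[1]; hi = r[2] } else { lo = hi = p }
            if (port + 0 >= lo + 0 && port + 0 <= hi + 0) { print $1; exit }
        }
    }'
}

# port_cmd PROTO PORT TYPE: the semanage command that lets daemons confined
# to TYPE bind PROTO/PORT. -a for an unassigned port, -m when another type
# already owns it (-a would be rejected as "already defined").
port_cmd() {
    owner=$(port_owner "$1" "$2")
    if [ -z "$owner" ]; then
        echo "semanage port -a -t $3 -p $1 $2"
    elif [ "$owner" = "$3" ]; then
        echo "# $1/$2 is already labelled $3"
    else
        echo "semanage port -m -t $3 -p $1 $2   # currently $owner"
    fi
}

for p in 80 8040 8081 10082; do
    printf '%s/%s -> %s\n' tcp "$p" "$(printf '%s\n' "$SAMPLE_PORTS" | port_owner tcp "$p")"
done
printf '%s\n' "$SAMPLE_PORTS" | port_cmd tcp 8040 http_port_t
printf '%s\n' "$SAMPLE_PORTS" | port_cmd tcp 8081 http_port_t
```

On a live host use `semanage port -l | port_cmd tcp 8040 http_port_t`. Reassigning a port with `-m` takes it away from the daemon type that had it, so check what `port_owner` reports before running the generated command; the name_bind denial that httpd produced at startup is also visible in audit.log under tclass=tcp_socket, which is the quickest confirmation that the failure is a port label rather than a file label.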