SELinux in CentOS: features and configuration for common services
阿新 • Published: 2019-01-08
SELinux: Security-Enhanced Linux
Common commands
Get the current SELinux state:
# getenforce
Switch temporarily between enforcing (1) and permissive (0); this does not disable SELinux:
# setenforce 0|1
To enable it permanently, edit the configuration file:
/etc/sysconfig/selinux
Set: SELINUX=permissive
/etc/selinux/config (the same file; /etc/sysconfig/selinux is a symlink to it)
Find this entry:
SELINUX={enforcing|permissive|disabled}
If SELinux is currently disabled, the new setting only takes effect after a reboot.
Settings for the Apache service
1. Install and configure the Apache software
# yum install -y httpd
Compare the SELinux type of the default DocumentRoot with that of a file created under /tmp:
# ls -ldZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
# ls -lZ /var/www/html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
# touch /tmp/a.txt
# ls -lZ /tmp/a.txt
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/a.txt
2. Edit the related configuration files
# mkdir /web/htdocs -pv
# vim /etc/httpd/conf/httpd.conf
Set DocumentRoot and the matching <Directory> block:
DocumentRoot "/web/htdocs"
<Directory "/web/htdocs">
Remove the default welcome page:
# cd /etc/httpd/conf.d/
# rm welcome.conf
The site is now unreachable; check the file labels:
# ls -ldZ /web/htdocs
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /web/htdocs
# ls -lZ /web/htdocs/
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 index.html
3. Set the file labels with the chcon command
Label the files under the new web directory using the original web directory as the reference:
# chcon -R --reference=/var/www/html /web/htdocs/
After this the site is reachable again.
Restore the policy's default labels (this undoes the chcon change, because chcon is not recorded in the policy):
# restorecon -R /web/htdocs/
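An added example (not from the original post) that generalises the chcon step above: it parses ls -Z output to find entries whose SELinux type is not the expected one, and prints the semanage fcontext rule that makes the label survive restorecon, which otherwise reverts chcon's change to default_t. It takes any directory and type, so the same check covers a Samba share labeled samba_share_t; the paths and types are those used on this page.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the SELinux type of
# every entry under a directory and make the label persistent. chcon only
# rewrites the inode label, so restorecon resets /web/htdocs to default_t;
# a semanage fcontext rule is what survives a relabel.

# Extract the SELinux type (third field of user:role:type:level) from one
# "ls -Z" line. Handles the RHEL 6 layout shown in the post and the RHEL 7+
# layout, where size and date appear between the context and the name.
selinux_type_of_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+:/) { split($i, c, ":"); print c[3]; exit }
    }'
}

# Read "ls -Z" output on stdin and print the name of every entry whose type
# differs from EXPECTED. Returns 1 if anything is mislabeled, 0 otherwise.
audit_labels() {
    expected="$1"; rc=0
    while IFS= read -r line; do
        t=$(selinux_type_of_line "$line")
        [ -n "$t" ] || continue              # e.g. the "total 4" line
        if [ "$t" != "$expected" ]; then
            printf '%s\n' "${line##* }"      # last field is the name
            rc=1
        fi
    done
    return "$rc"
}

# Emit the commands that record the label in the policy and then apply it.
# Only printed, so this example runs without the SELinux tools installed.
persistent_label_commands() {
    dir="${1%/}"; ftype="$2"
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$ftype" "$dir"
    printf 'restorecon -Rv %s\n' "$dir"
}

# Typical use on a real host (paths from the post):
#   ls -lZ /web/htdocs | audit_labels httpd_sys_content_t \
#       || persistent_label_commands /web/htdocs httpd_sys_content_t | sh
```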
vsftpd service
1. Install the FTP service
# setenforce 0
# yum install -y vsftpd
Start the service:
# service vsftpd start
Query the FTP-related booleans in SELinux:
# getsebool -a | grep ftp
2. Add a user
# useradd hadoop
# passwd hadoop
The client can connect to the FTP service and run the ls command:
# lftp -u hadoop,hadoop 192.168.8.40
Turn SELinux back on:
# setenforce 1
# lftp -u hadoop,hadoop 192.168.8.40
lftp hadoop@192.168.8.40:~> ls
ls: 登入失敗: 500 OOPS: cannot change directory:/home/hadoop
This shows that SELinux blocked the user's access.
# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off
3. Enable anonymous upload permission
# vim /etc/vsftpd/vsftpd.conf
anon_upload_enable=YES
anon_other_write_enable=YES
# cd /var/ftp
# mkdir incoming
# setfacl -m u:ftp:rwx /var/ftp/incoming/
# setenforce 0
Uploads now succeed.
# setenforce 1
Uploads fail again.
4. Enable anonymous upload permission with setsebool
These two booleans need to be turned on:
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> on
# setsebool allow_ftpd_anon_write=1
# setsebool allow_ftpd_full_access=1
Without -P these values are lost at the next reboot; use setsebool -P to write them into the policy store.
# getsebool -a | grep ftp
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> on
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off
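An added example (not from the original post) for the boolean steps above: it reads getsebool -a output, reports which of the booleans a service needs are still off, and produces persistent setsebool -P commands. It uses the narrowest booleans for each need (ftp_home_dir for the /home/hadoop login failure, allow_ftpd_anon_write for anonymous uploads) instead of allow_ftpd_full_access, and the same function applies to samba_enable_home_dirs; the boolean names are those listed on this page.

```shell
#!/bin/sh
# Added example, not part of the original post: pick the narrowest SELinux
# booleans for what the service must do, find which of them are still off,
# and turn them on persistently. The post enables allow_ftpd_full_access,
# which lifts most of vsftpd's confinement; the "cannot change directory:
# /home/hadoop" failure only needs ftp_home_dir, and anonymous uploads only
# need allow_ftpd_anon_write.

# One boolean per need (names as listed by "getsebool -a" on this page).
FTP_LOCAL_USERS="ftp_home_dir"
FTP_ANON_UPLOAD="allow_ftpd_anon_write"
SAMBA_HOMES="samba_enable_home_dirs"

# Read "getsebool -a" output ("name --> on|off") on stdin and print those
# booleans from the space-separated list WANTED that are currently off.
booleans_off() {
    awk -v wanted=" $1 " '
        $2 == "-->" && $3 == "off" && index(wanted, " " $1 " ") { print $1 }'
}

# Turn each boolean named on stdin into a persistent setsebool command.
# -P writes the value into the policy store; the plain "setsebool name=1"
# used in the post is lost at the next reboot.
setsebool_commands() {
    while IFS= read -r b; do
        if [ -n "$b" ]; then
            printf 'setsebool -P %s=1\n' "$b"
        fi
    done
}

# Typical use on a real host (nothing runs here without the SELinux tools):
#   getsebool -a | booleans_off "$FTP_LOCAL_USERS" | setsebool_commands | sh
#   getsebool -a | booleans_off "$FTP_LOCAL_USERS $FTP_ANON_UPLOAD" | setsebool_commands
```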
Samba service
1. Install the Samba service
# yum install -y samba
Start the services:
# service smb start
# service nmb start
Create a Samba user:
# smbpasswd -a hadoop
# smbclient -L 192.168.8.40 -U hadoop
Connect to the Samba service:
# smbclient //192.168.8.40/hadoop -U hadoop
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
Share the home directories (see the /etc/samba/smb.conf file):
# setsebool -P samba_enable_home_dirs=1
Access the shared directory again:
# smbclient //192.168.8.40/hadoop -U hadoop
Enter hadoop's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.23-24.el6_7]
smb: \> ls
. D 0 Mon Mar 7 20:51:44 2016
.. D 0 Mon Mar 7 20:35:12 2016
.bash_profile H 176 Thu Jul 18 21:19:03 2013
inittab 884 Mon Mar 7 20:52:27 2016
.bash_logout H 18 Thu Jul 18 21:19:03 2013
.bashrc H 124 Thu Jul 18 21:19:03 2013
issue 47 Mon Mar 7 20:46:44 2016
51175 blocks of size 524288. 47761 blocks available
Add the myshared share to the configuration:
[myshared]
comment = something
path = /samba/shared
public = yes
browseable = yes
write list = hadoop
Syntax check:
# testparm
Restart the Samba services:
# for i in smb nmb; do service $i restart ; done
Access the Samba share; the directory cannot be listed:
# smbclient //192.168.8.40/myshared -U hadoop
Enter hadoop's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.23-24.el6_7]
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
Change the directory's label:
# chcon -R -t samba_share_t /samba/shared/
Access the Samba share again; the directory now lists correctly:
# smbclient //192.168.8.40/myshared -U hadoop
Enter hadoop's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.23-24.el6_7]
smb: \> ls
. D 0 Mon Mar 7 21:27:32 2016
.. D 0 Mon Mar 7 21:27:17 2016
fstab 921 Mon Mar 7 21:27:32 2016
51175 blocks of size 524288. 47761 blocks available