一、修改SElinux的狀態(tài)

#sestatus --查看狀態(tài) #setenforce 0 --臨時(shí)修改 #setenforce 1 #getenforce#vim /etc/selinux/config --通過(guò)配置文件修改 SELINUX=Enforcing #systemctl reboot --重啟生效 #getenforce

二、文件的上下文
#setenforce 1
#yum install -y httpd
#mkdir /local
#echo lxjtest > /local/index.html
#ln -s /local/ /var/www/html/soft

[root@rhel1 html]# ll -Z /local/index.html -rw-r--r--. root root unconfined_u:object_r:default_t:s0 /local/index.html [root@rhel1 html]# ll -Z /var/www/ drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html

修改文件上下文的三種方法：

方法1：修改/local目錄的的fcontext為httpd_sys_content_t
#semanage fcontext -l | grep http
#chcon -R -t httpd_sys_content_t /local/
方法2：
修改/local目錄的的fcontext為跟/var/www目錄一致
#chcon -R --reference /var/www/ /local/
方法3：
#semanage fcontext -a -t httpd_sys_content_t '/local(/.*)?'
#restorecon -FRv /local
# man semanage fcontext

#推薦使用第3鐘方法，文件夾上下文類(lèi)型將寫(xiě)入內(nèi)核

在RHEL2上訪問(wèn)測(cè)試：
#setenforce 1
http://192.168.100.1/soft??? #未在RHEL1修改上下文，訪問(wèn)會(huì)被Forbidden，修改正確后可訪問(wèn)

實(shí)驗(yàn)一、端口的上下文
#查看端口的上下文
#semanage port -l | grep http
#添加端口的上下文
#semanage port -a -t http_port_t -p tcp 8899
#刪除端口的上下文
#semanage port -d -t http_port_t -p tcp 8899
#修改端口的上下文
#semanage port -m -t http_port_t -p tcp 8899
#修改防火墻
#firewall-cmd --permanent --add-port=8899/tcp
#firewall-cmd --reload
#修改httpd配置文件，以監(jiān)聽(tīng)8899端口
#vim /etc/httpd/conf/httpd.conf
Listen 8899? #增加

#mkdir /var/www/8899
#echo 8899 > /var/www/8899/index.html

#vim /etc/httpd/conf.d/0.conf

< VirtualHost 192.168.100.1:80>DocumentRoot "/var/www/html"ServerName 192.168.100.1 < /VirtualHost> < VirtualHost 192.168.100.1:8899>DocumentRoot "/var/www/8899"ServerName 192.168.100.1 < /VirtualHost>

#systemctl restart httpd

在rhel1和rhel2上訪問(wèn)測(cè)試：
http://192.168.100.1
http://192.168.100.1:8899

實(shí)驗(yàn)二、布爾值
使用SElinux圖形畫(huà)界面來(lái)配置selinux
#yum provides system-config-selinux
#yum install -y policycoreutils-gui-2.2.5-11.el7.x86_64
#system-config-selinux 打開(kāi)SElinux圖形界面

例：
#yum install -y samba
#getsebool -a
#getsebool -a | grep samba
#setsebool -P samba_enable_home_dir on
#setsebool -P samba_export_all_rw on
-a 列出
-P 永久生效permanent

實(shí)驗(yàn)三、SElinux在網(wǎng)絡(luò)各服務(wù)中的配置
man selinux
常見(jiàn)有一些服務(wù)的SElinux配置
===ftp===
//If you want to share files anonymously <如果你想把這個(gè)共享給匿名的話(huà)，需要開(kāi)啟以下>
chcon -R -t public_content_t /var/ftp
//If you want to setup a directory where you can upload files
＜如果你想讓你設(shè)置的FTP目錄可以上傳文件的話(huà)，SELINUX需要設(shè)置＞
chcon -t public_content_rw_t /var/ftp/incoming
//You must also turn on the boolean allow_ftpd_anon_write <允許匿名用戶(hù)寫(xiě)入權(quán)限＞
setsebool -P allow_ftpd_anon_write=1
//If you are setting up this machine as a ftpd server and wish to allow users to access their home directorories<如果你希望你的FTP用戶(hù)可以訪問(wèn)自己的家目錄的話(huà)，需要開(kāi)啟>
setsebool -P ftp_home_dir 1
//If you want to run ftpd as a daemon<如果你希望將vsftpd以daemon的方式運(yùn)行的話(huà)，需要開(kāi)啟>
setsebool -P ftpd_is_daemon 1
//You can disable SELinux protection for the ftpd daemon<你可以讓SElinux停止保護(hù)vsftpd的daemon方式動(dòng)行>
setsebool -P ftpd_disable_trans 1

===httpd===
//If you want a particular domain to write to the public_content_rw_t domain
< 如果希望具體個(gè)doman具有可寫(xiě)權(quán)限的話(huà)，需要設(shè)置>
setsebool -P allow_httpd_anon_write=1
or
setsebool -P allow_httpd_sys__anon_write=1
//httpd can be setup to allow cgi s to be executed <HTTP被設(shè)置允許cgi的設(shè)置>
setsebool -P httpd_enable_cgi 1
//If you want to allow access to users home directories<允許用戶(hù)HHTP訪問(wèn)其家目錄，該設(shè)定限僅于用戶(hù)的家目錄主頁(yè)>
setsebool -P httpd_enable_homedirs 1
chcon -R -t httpd_sys_content_t ~user/public_html
//httpd is allowed access to the controling terminal<允許httpd訪問(wèn)終端＞
setsebool -P httpd_tty_comm 1
//such that one httpd service can not interfere with another
setsebool -P httpd_unified 0
//loadable modules run under the same context as httpd
setsebool -P httpd_builtin_ing 0
//httpd s are allowed to connect out to the network
setsebool -P httpd_can_network_connect 1
// You can disable suexec transition
setsebool -P httpd_suexec_disable_trans 1
//You can disable SELinux protection for the httpd daemon by executing <關(guān)閉Selinux的關(guān)于httpd進(jìn)程守護(hù)的保護(hù)>
setsebool -P httpd_disable_trans 1
service httpd restart

===named===
//If you want to have named update the master zone files <關(guān)于named,master更新selinux設(shè)定>
setsebool -P named_write_master_zones 1
//You can disable SELinux protection for the named daemon by executing
< 關(guān)閉named的進(jìn)程守護(hù)保護(hù)>
setsebool -P named_disable_trans 1
service named restart

===nfs===
//If you want to setup this machine to share nfs partitions read only
< Selinux將本機(jī)的NFS共享設(shè)置成只讀>
setsebool -P nfs_export_all_ro 1
//If you want to share files read/write<Selinux將本機(jī)的NFS共享設(shè)置成可讀可寫(xiě)>
setsebool -P nfs_export_all_rw 1
//If you want to use a remote NFS server for the home directories on this machine
＜如果你想要將遠(yuǎn)程N(yùn)FS的家目錄共享到本機(jī)，需要開(kāi)啟>
setsebool -P use_nfs_home_dirs 1

===samba===
//If you want to share files other than home directorie
< 如果你希望將目錄共享給其他用戶(hù)，你需要設(shè)置>
chcon -t samba_share_t /directory
//If you want to share files with multiple domains
如果samba服務(wù)器共享目錄給多個(gè)域，則需要：
setsebool -P allow_smbd_anon_write=1
//If you are setting up this machine as a Samba server and wish to share the home directories
samba服務(wù)器要共享家目錄時(shí)：
setsebool -P samba_enable_home_dirs 1
//If you want to use a remote Samba server for the home directories on this machine
如果你需在本機(jī)上使用遠(yuǎn)程samba服務(wù)器的家目錄
setsebool -P use_samba_home_dirs 1
//You can disable SELinux protection for the samba daemon by executing
關(guān)閉selinux關(guān)于samba的進(jìn)程守護(hù)的保護(hù)
setsebool -P smbd_disable_trans 1
service smb restart

===rsync===
//If you want to share files using the rsync daemon
共享rsync目錄時(shí)：
chcon -t public_content_t /directories
//If you want to share files with multiple domains
允許其他用戶(hù)寫(xiě)入時(shí)
setsebool -P allow_rsync_anon_write=1
//You can disable SELinux protection for the rsync daemon by executing
停止rsync的進(jìn)程保護(hù)
setsebool -P rsync_disable_trans 1

===kerberos===
//allow your system to work properly in a Kerberos environment
允許系統(tǒng)使用kerberos
setsebool -P allow_kerberos 1
//If you are running Kerberos daemons kadmind or krb5kdc
setsebool -P krb5kdc_disable_trans 1
service krb5kdc restart
setsebool -P kadmind_disable_trans 1
service kadmind restart

===nis===
Allow your system to work properly in a NIS environment
系統(tǒng)工作在nis環(huán)境時(shí)
setsebool -P allow_ypbind 1

實(shí)驗(yàn)四、selinux的troubleshoot
關(guān)閉SElinux問(wèn)題直接解決說(shuō)明很可能是SElinux的問(wèn)題
方法一
如果SElinux阻止了某項(xiàng)服務(wù)，可以先設(shè)置SElinux為permissive模式，然后查看日志
方法二
#service auditd restart
#tail -f /var/log/message

Nov 10 16:58:13 rhel2 setroubleshoot: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 8899.
For complete SELinux messages run: sealert -l 477211dd-4f0a-4c46-a295-7eef08bf545b Nov 10 16:58:13 rhel2 python: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 8899.#012#012*****
Plugin bind_ports (92.2 confidence) suggests ************************#012#012If you want to allow /usr/sbin/httpd to bind to network port 8899
#012Then you need to modify the port type.#012Do#012# semanage port -a -t PORT_TYPE -p tcp 8899#012
where PORT_TYPE is one of the following: http_cache_port_t, http_port_t, jboss_management_port_t, jboss_messaging_port_t, ntop_port_t, puppet_port_t.
#012#012***** Plugin catchall_boolean (7.83 confidence) suggests ******************#012#012If you want to allow nis to enabled
#012Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.#012You can read 'None' man page for more details.
#012Do#012setsebool -P nis_enabled 1#012#012***** Plugin catchall (1.41 confidence) suggests **************************
#012#012If you believe that httpd should be allowed name_bind access on the port 8899 tcp_socket by default.
#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.
#012Do#012allow this access for now by executing:#012# ausearch -c 'httpd' --raw | audit2allow -M my-httpd#012
# semodule -i my-httpd.pp#012

#sealert -l 477211dd-4f0a-4c46-a295-7eef08bf545b

[root@rhel2 ~]# sealert -l 477211dd-4f0a-4c46-a295-7eef08bf545b SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 8899.***** Plugin bind_ports (92.2 confidence) suggests ************************If you want to allow /usr/sbin/httpd to bind to network port 8899 Then you need to modify the port type. Do # semanage port -a -t PORT_TYPE -p tcp 8899where PORT_TYPE is one of the following: http_cache_port_t, http_port_t, jboss_management_port_t, jboss_messaging_port_t, ntop_port_t, puppet_port_t.***** Plugin catchall_boolean (7.83 confidence) suggests ******************If you want to allow system to run with NIS Then you must tell SELinux about this by enabling the 'nis_enabled' boolean. You can read 'None' man page for more details. Do setsebool -P nis_enabled 1***** Plugin catchall (1.41 confidence) suggests **************************If you believe that httpd should be allowed name_bind access on the port 8899 tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'httpd' --raw | audit2allow -M my-httpd # semodule -i my-httpd.ppAdditional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:unreserved_port_t:s0 Target Objects port 8899 [ tcp_socket ] Source httpd Source Path /usr/sbin/httpd Port 8899 Host rhel2.rusky.com Source RPM Packages httpd-2.4.6-67.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-166.el7.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name rhel2.rusky.com Platform Linux rhel2.rusky.com 3.10.0-693.el7.x86_64 #1 SMPThu Jul 6 19:56:57 EDT 2017 x86_64 x86_64 Alert Count 4 First Seen 2017-11-10 16:49:42 CST Last Seen 2017-11-10 16:58:12 CST Local ID 477211dd-4f0a-4c46-a295-7eef08bf545bRaw Audit Messages type=AVC msg=audit(1510304292.2:1743): avc: denied { name_bind } for pid=12009 comm="httpd" src=8899 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_sockettype=SYSCALL msg=audit(1510304292.2:1743): arch=x86_64 syscall=bind success=no exit=EACCES a0=5 a1=55cf7ca992e8 a2=10 a3=7ffca3c9125c items=0 ppid=1 pid=12009 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)Hash: httpd,httpd_t,unreserved_port_t,tcp_socket,name_bind

#sealert -b --通過(guò)圖形化界面troubleshooting

方法三
audit2why < /var/log/audit/audit.log
audit2allow < /var/log/audit/audit.log

?

轉(zhuǎn)載于:https://www.cnblogs.com/rusking/p/7815689.html

總結(jié)

以上是生活随笔為你收集整理的SElinux测试及排错的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問(wèn)題。

如果覺(jué)得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。