1.开启 Selinux 的作用
>为进程及其访问的文件分配安全上下文（标签），并据此限制访问
2.Selinux关闭时的状况
vim /etc/sysconfig/selinux
SELinux 的配置文件，用于设置其工作模式
SELINUX=enforcing selinux 开启
SELINUX=disabled selinux 关闭
getenforce
查看 SELinux 当前状态
[root@dchxmj linux1]# ls
file1 linux1file1 pub
[root@dchxmj linux1]# ls -Z
-rw-r--r-- root root ? file1
-rw-r--r-- root root ? linux1file1
drwxrwxr-x root root ? pub
[root@dchxmj linux1]#
测试:
lftp IP -u username
[kiosk@foundation30 Desktop]$ lftp 172.25.254.130 -u linux1
Password:
lftp linux1@172.25.254.130:~> ls
-rw-r--r-- 1 0 0 0 Feb 21 08:50 file1
-rw-r--r-- 1 0 0 0 Feb 21 07:40 linux1file1
drwxrwxr-x 2 0 0 6 Feb 21 08:28 pub
# SELinux 关闭时，所有文件都可以通过 ftp 访问到
lftp linux1@172.25.254.130:/> ls -Z
-rw-r--r-- 1 0 0 0 Feb 21 08:50 file1
-rw-r--r-- 1 0 0 0 Feb 21 07:40 linux1file1
drwxrwxr-x 2 0 0 6 Feb 21 08:28 pub
lftp linux1@172.25.254.130:/> exit
[kiosk@foundation30 Desktop]$
3.Selinux 开启时
[root@localhost pub]# ls
file1 linux linux1
[root@localhost pub]# ls -Z
-rw-r--r--. root root unconfined_u:object_r:mnt_t:s0 file1
drwxr-xr-x. root root unconfined_u:object_r:mnt_t:s0 linux
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 linux1
# 安全上下文不符合要求的文件通过 ftp 访问不到
[root@localhost pub]#
测试:
[kiosk@foundation30 Desktop]$ lftp 172.25.254.130
lftp 172.25.254.130:~> ls
drwxr-xr-x 3 0 0 43 Feb 21 09:07 pub
lftp 172.25.254.130:/> cd pub/
lftp 172.25.254.130:/pub> ls
drwxr-xr-x 2 0 0 6 Feb 21 09:04 linux
-rw-r--r-- 1 0 0 0 Feb 21 09:05 linux1
lftp 172.25.254.130:/pub> exit
[kiosk@foundation30 Desktop]$
4.Selinux对服务的影响
(1).安全上下文不符合服务要求的文件无法被该服务访问
(2).默认情况下，存在风险的功能（布尔值开关）是关闭的
getsebool -a | grep ftp #查看 ftp 相关布尔值（功能开关）的状态
setsebool -P ftp_home_dir on #开启 ftp_home_dir 这一功能
-P：表示永久生效，而非仅在本次运行期间有效
本地用户在 ftp 配置中默认有写权限，但 ftp_home_dir 关闭时写入仍会被 SELinux 拒绝（见下方测试）
[root@localhost ~]# getsebool -a | grep ftp
`ftp_home_dir --> off`
[root@foundation30 ~]# lftp 172.25.254.130 -u student
Password:
lftp student@172.25.254.130:~> ls
-rw-r--r-- 1 0 0 0 Feb 22 03:17 file2
drwxr-xr-x 2 0 0 6 Feb 22 01:36 linux1
lftp student@172.25.254.130:~> cd linux1/
lftp student@172.25.254.130:~/linux1> put /etc/passwd
put: Access failed: 553 Could not create file. (passwd)
lftp student@172.25.254.130:~/linux1> exit
[root@foundation30 ~]# lftp 172.25.254.130 -u student
[root@localhost ~]# setsebool -P ftp_home_dir on
[root@localhost ~]# getsebool -a | grep ftp
ftp_home_dir --> on
[root@foundation30 ~]# lftp 172.25.254.130 -u student
Password:
lftp student@172.25.254.130:~> ls
-rw-r--r-- 1 0 0 0 Feb 22 03:17 file2
drwxr-xr-x 2 0 0 6 Feb 22 01:36 linux1
lftp student@172.25.254.130:~> put /etc/passwd
2367 bytes transferred
lftp student@172.25.254.130:~> exit
[root@foundation30 ~]#
5.Selinux 日志存放位置
>
cat /var/log/audit/audit.log #SELinux 日志的默认位置
setroubleshoot-server.x86_64 #用于分析 SELinux 日志的软件包（安装方法见下）
###安装该软件包后，可将 /var/log/audit/audit.log 中的 SELinux 相关日志经过分析处理后写入 /var/log/messages
>
[root@localhost ~]# yum search setroubleshoot
Loaded plugins: langpacks
========================= N/S matched: setroubleshoot ==========================
setroubleshoot-plugins.noarch : Analysis plugins for use with setroubleshoot
setroubleshoot.x86_64 : Helps troubleshoot SELinux problems
setroubleshoot-server.x86_64 : SELinux troubleshoot server
Name and summary matches only, use "search all" for everything.
[root@localhost ~]# yum install setroubleshoot-server.x86_64 -y
cat /var/log/audit/audit.log
cat /var/log/messages