1:概念
SElinux全称Security-Enhanced Linux,起源于美国。它是一种和权限类似的东西,顾名思义,它就是为安全而生的安全增强型Linux。那么它的安全性体现在哪里呢?简单说一下,就是当SElinux开启时,用户的权限达到了最小,可以理解为只有当用户拥有两个权力的结合时才可以实现想要的功能,有时它甚至还能拒绝root用户!
2:SElinux三种模式
enforcing 强制模式
强制模式我们可以理解为开启模式,就是当这个模式开启时,所有违反规定的动作都不能执行。
permissive 警告模式
警告模式就是当你提出要做一个违反规定的动作时,它会给你提醒,但是你还是可以执行违规动作的。
disabled 关闭
关闭状态就是当你在做违规动作时,他不会拒绝你,也不会提醒你,而是拿个小本子把你的一言一行记录下来
切换方式
讲完了三种模式,我们就要知道它如何切换。
编辑 /etc/sysconfig/selinux
修改 SELINUX=enforcing / permissive / disabled 来切换
修改完成后
执行 reboot 重启之后即切换成功
显示SElinux状态
命令行切换
[root@localhost pub]# getenforce
Enforcing
[root@localhost pub]# setenforce 0
[root@localhost pub]# getenforce
Permissive
[root@localhost pub]# setenforce 1
[root@localhost pub]# getenforce
Enforcing
[root@localhost pub]#
3:修改SElinux安全上下文
临时修改
[root@localhost pub]# lftp 172.25.254.211
lftp 172.25.254.211:~> ls
drwxr-xr-x 4 0 0 47 Aug 12 02:36 pub
lftp 172.25.254.211:/> cd /pub
lftp 172.25.254.211:/pub> ls
drwxr-xr-x 6 0 0 58 Aug 12 02:30 westos
drwxr-xr-x 2 0 0 6 Aug 12 02:28 westosfile
lftp 172.25.254.211:/pub> quit
[root@localhost pub]# ls -Z ##查看目录标签
-rw-r--r--. root root unconfined_u:object_r:mnt_t:s0 file
drwxr-xr-x. root root unconfined_u:object_r:public_content_t:s0 westos
drwxr-xr-x. root root unconfined_u:object_r:public_content_t:s0 westosfile
[root@localhost pub]# chcon -t public_content_t file
[root@localhost pub]# ls -Z
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 file
drwxr-xr-x. root root unconfined_u:object_r:public_content_t:s0 westos
drwxr-xr-x. root root unconfined_u:object_r:public_content_t:s0 westosfile
[root@localhost pub]# lftp 172.25.254.211
lftp 172.25.254.211:~> ls
drwxr-xr-x 4 0 0 47 Aug 12 02:36 pub
lftp 172.25.254.211:/> cd /pub
lftp 172.25.254.211:/pub> ls
-rw-r--r-- 1 0 0 0 Aug 12 02:36 file
drwxr-xr-x 6 0 0 58 Aug 12 02:30 westos
drwxr-xr-x 2 0 0 6 Aug 12 02:28 westosfile
永久修改
[root@localhost pub]# cd /mnt
[root@localhost mnt]# mkdir redhat
[root@localhost mnt]# ls -Z
drwxr-xr-x. root root unconfined_u:object_r:mnt_t:s0 redhat
[root@localhost mnt]# mv redhat/ /var/ftp/pub/
[root@localhost mnt]# cd /var/ftp/pub/
[root@localhost pub]# ls -Z
-rw-r--r--. root root unconfined_u:object_r:mnt_t:s0 file
drwxr-xr-x. root root unconfined_u:object_r:mnt_t:s0 redhat
drwxr-xr-x. root root unconfined_u:object_r:public_content_t:s0 westos
drwxr-xr-x. root root unconfined_u:object_r:public_content_t:s0 westosfile
[root@localhost pub]# mkdir redhat/redhat{1..3} -p
[root@localhost pub]# ls -Z
-rw-r--r--. root root unconfined_u:object_r:mnt_t:s0 file
drwxr-xr-x. root root unconfined_u:object_r:mnt_t:s0 redhat
drwxr-xr-x. root root unconfined_u:object_r:public_content_t:s0 westos
drwxr-xr-x. root root unconfined_u:object_r:public_content_t:s0 westosfile
[root@localhost pub]# cd redhat/
[root@localhost redhat]# ls -Z
drwxr-xr-x. root root unconfined_u:object_r:mnt_t:s0 redhat1
drwxr-xr-x. root root unconfined_u:object_r:mnt_t:s0 redhat2
drwxr-xr-x. root root unconfined_u:object_r:mnt_t:s0 redhat3
[root@localhost redhat]# cd ..
[root@localhost pub]# lftp 172.25.254.211
lftp 172.25.254.211:~> ls
drwxr-xr-x 5 0 0 60 Aug 12 02:55 pub
lftp 172.25.254.211:/> cd /pub
lftp 172.25.254.211:/pub> ls
drwxr-xr-x 5 0 0 48 Aug 12 02:56 redhat
drwxr-xr-x 6 0 0 58 Aug 12 02:30 westos
drwxr-xr-x 2 0 0 6 Aug 12 02:28 westosfile
lftp 172.25.254.211:/pub> cd redhat/
lftp 172.25.254.211:/pub/redhat> ls
lftp 172.25.254.211:/pub/redhat> quit
[root@localhost pub]# semanage fcontext -a -t public_content_t '/redhat(/.*)?'
[root@localhost pub]# restorecon -RvvF redhat/
restorecon reset /var/ftp/pub/redhat context unconfined_u:object_r:mnt_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /var/ftp/pub/redhat/redhat1 context unconfined_u:object_r:mnt_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /var/ftp/pub/redhat/redhat2 context unconfined_u:object_r:mnt_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /var/ftp/pub/redhat/redhat3 context unconfined_u:object_r:mnt_t:s0->system_u:object_r:public_content_t:s0
[root@localhost pub]# lftp 172.25.254.211
lftp 172.25.254.211:~> ls
drwxr-xr-x 5 0 0 60 Aug 12 02:55 pub
lftp 172.25.254.211:/> cd /pub
lftp 172.25.254.211:/pub> ls
drwxr-xr-x 5 0 0 48 Aug 12 02:56 redhat
drwxr-xr-x 6 0 0 58 Aug 12 02:30 westos
drwxr-xr-x 2 0 0 6 Aug 12 02:28 westosfile
lftp 172.25.254.211:/pub> cd redhat/
lftp 172.25.254.211:/pub/redhat> ls
drwxr-xr-x 2 0 0 6 Aug 12 02:56 redhat1
drwxr-xr-x 2 0 0 6 Aug 12 02:56 redhat2
drwxr-xr-x 2 0 0 6 Aug 12 02:56 redhat3
4:管理和修改SElinux布尔值
SELinux 布尔值是更改 SELinux 策略行为的开关,是可以启用或禁用的规则。安全管理员可以使用 SELinux 布尔值来有选择地调整策略。
查看布尔值
[root@localhost pub]# getsebool -a | grep ftp
ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
修改布尔值
数字修改
[root@localhost pub]# setsebool -P ftp_home_dir 1 #1表示开,0表示关
[root@localhost pub]# getsebool -a | grep ftp
ftp_home_dir --> on
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
字母修改
[root@localhost pub]# setsebool -P ftpd_anon_write on
[root@localhost pub]# getsebool -a | grep ftp
ftp_home_dir --> on
ftpd_anon_write --> on
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
semanage boolean -l 将显示布尔值的当前状态与默认值,即是否已永久生效
[root@localhost pub]# semanage boolean -l
SELinux boolean State Default Description
ftp_home_dir (on , on) Allow ftp to home dir
smartmon_3ware (off , off) Allow smartmon to 3ware
mpd_enable_homedirs (off , off) Allow mpd to enable homedirs
xdm_sysadm_login (off , off) Allow xdm to sysadm login
xen_use_nfs (off , off) Allow xen to use nfs
mozilla_read_content (off , off) Allow mozilla to read content
ssh_chroot_rw_homedirs (off , off) Allow ssh to chroot rw homedirs
mount_anyfile (on , on) Allow mount to anyfile
icecast_use_any_tcp_ports (off , off) Allow icecast to use any tcp ports
openvpn_can_network_connect (off , off) Allow openvpn to can network connect
zoneminder_anon_write (off , off) Allow zoneminder to anon write
telepathy_connect_all_ports (off , off) Allow telepathy to connect all ports
spamassassin_can_network (off , off) Allow spamassassin to can network
gluster_anon_write (off , off) Allow gluster to anon write
deny_ptrace (off , off) Allow deny to ptrace
selinuxuser_execmod (on , on) Allow selinuxuser to execmod