Selinux
配置文件 /etc/sysconfig/selinux(在 RHEL/CentOS 上通常是 /etc/selinux/config 的符号链接;该文件只在开机时读取,修改 SELINUX= 的值后需要重启才生效)
#vim /etc/sysconfig/selinux
1 # This file controls the state of SELinux on the system.
2 # SELINUX= can take one of these three values:
3 # enforcing - SELinux security policy is enforced.
4 # permissive - SELinux prints warnings instead of enforcing.
5 # disabled - SELinux is fully disabled.
6 SELINUX=disabled
7 # SELINUXTYPE= type of policy in use. Possible values are:
8 # targeted - Only targeted network daemons are protected.
9 # strict - Full SELinux protection.
10 SELINUXTYPE=targeted
安全机制
DAC:自主访问控制(Discretionary Access Control),基于文件属主和 rwx 权限位,主体是用户;root 不受 DAC 限制
MAC:强制访问控制(Mandatory Access Control),由 SELinux 策略决定某个进程(域)能访问哪些带标签的对象,主体是进程;即使以 root 运行的进程也受策略约束。内核先做 DAC 检查,通过后再做 MAC 检查,两者都允许时访问才成功
启用 SELinux 后(注意:上面示例配置为 SELINUX=disabled。从 disabled 改为 enforcing 或 permissive 必须修改配置文件并重启,首次启动会对整个文件系统重新打标签;setenforce 只能在 enforcing/permissive 之间切换,无法从 disabled 状态开启 SELinux)
#cd /root/
#ll -Z //查看文件的安全上下文(标签),格式为 user:role:type:level,targeted 策略主要检查的是 type 字段
#ps -eZ|grep httpd //查看进程的标签(域),apache 进程通常运行在 httpd_t 域中
#chcon -t httpd_sys_content_t /var/www/html/2.html //临时修改文件安全上下文中的类型,apache 才能访问。注意:chcon 的修改不会写入策略,执行 restorecon 或系统重新打标签后会丢失;需要持久化时应使用 semanage fcontext -a -t httpd_sys_content_t '/var/www/html(/.*)?' 然后执行 restorecon -Rv /var/www/html
[root@station252 ~]#semanage port -l |grep http //查看http进程能使用的端口和安全上下文的类型
http_cache_port_t tcp 3128, 8080, 8118, 11211, 10001-10010
http_cache_port_t udp 3130, 11211
http_port_t tcp 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
[root@station252 ~]#
修改 httpd 监听端口为 8888 后,需要将 8888 端口加入到 http_port_t 类型,否则 httpd 启动时绑定端口会被 SELinux 拒绝(拒绝记录会以 AVC 消息写入 /var/log/audit/audit.log,可用 ausearch -m avc 查看)。semanage port 的修改是持久的,重启后仍生效。若目标端口已被其他类型占用(例如 8080 属于 http_cache_port_t),semanage port -a 会报错,应改用 semanage port -m 修改。不要为了省事把 SELinux 改成 permissive 或 disabled,那会让整机失去强制访问控制
[root@station252 ~]# semanage port -a -t http_port_t -p tcp 8888
[root@station252 ~]# semanage port -l|grep http
http_cache_port_t tcp 3128, 8080, 8118, 11211, 10001-10010
http_cache_port_t udp 3130, 11211
http_port_t tcp 8888, 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
[root@station252 ~]#
[root@station252 ~]# service httpd start
[root@station3 ~]# getsebool -a |grep ftp //查看 selinux 中 ftp 相关的布尔值(用 semanage boolean -l 可同时看到每个布尔值的说明)
[root@station3 ~]# setsebool -P ftp_home_dir on //修改布尔值;-P 表示写入策略、重启后仍生效,不加 -P 只在本次运行期间有效。ftp_home_dir 允许 ftp 服务读写用户家目录,会扩大 ftp 服务被攻破后的影响范围,只在确实需要时开启
[root@vm8 ule]# getenforce
Enforcing
[root@vm8 ule]# setenforce 0 //临时切换到 permissive:违反策略的操作只记录 AVC 日志而不拦截,重启后恢复为配置文件中的值。排错时可短暂使用,不要在生产环境长期保持
[root@vm8 ule]# getenforce
Permissive
[root@vm8 ule]# setenforce 1 //切回 enforcing,排错结束后应立即恢复
[root@vm8 ule]# getenforce
Enforcing
[root@vm8 ule]# setenforce 2 //setenforce 只接受 0/1 或 Permissive/Enforcing,不能用它关闭(disable)SELinux
usage: setenforce [ Enforcing | Permissive | 1 | 0 ]
[root@vm8 ule]#
配置文件 /etc/sysconfig/selinux(在 RHEL/CentOS 上通常是 /etc/selinux/config 的符号链接;该文件只在开机时读取,修改 SELINUX= 的值后需要重启才生效)
#vim /etc/sysconfig/selinux
1 # This file controls the state of SELinux on the system.
2 # SELINUX= can take one of these three values:
3 # enforcing - SELinux security policy is enforced.
4 # permissive - SELinux prints warnings instead of enforcing.
5 # disabled - SELinux is fully disabled.
6 SELINUX=disabled
7 # SELINUXTYPE= type of policy in use. Possible values are:
8 # targeted - Only targeted network daemons are protected.
9 # strict - Full SELinux protection.
10 SELINUXTYPE=targeted
安全机制
DAC:自主访问控制(Discretionary Access Control),基于文件属主和 rwx 权限位,主体是用户;root 不受 DAC 限制
MAC:强制访问控制(Mandatory Access Control),由 SELinux 策略决定某个进程(域)能访问哪些带标签的对象,主体是进程;即使以 root 运行的进程也受策略约束。内核先做 DAC 检查,通过后再做 MAC 检查,两者都允许时访问才成功
启用 SELinux 后(注意:上面示例配置为 SELINUX=disabled。从 disabled 改为 enforcing 或 permissive 必须修改配置文件并重启,首次启动会对整个文件系统重新打标签;setenforce 只能在 enforcing/permissive 之间切换,无法从 disabled 状态开启 SELinux)
#cd /root/
#ll -Z //查看文件的安全上下文(标签),格式为 user:role:type:level,targeted 策略主要检查的是 type 字段
#ps -eZ|grep httpd //查看进程的标签(域),apache 进程通常运行在 httpd_t 域中
#chcon -t httpd_sys_content_t /var/www/html/2.html //临时修改文件安全上下文中的类型,apache 才能访问。注意:chcon 的修改不会写入策略,执行 restorecon 或系统重新打标签后会丢失;需要持久化时应使用 semanage fcontext -a -t httpd_sys_content_t '/var/www/html(/.*)?' 然后执行 restorecon -Rv /var/www/html
[root@station252 ~]#semanage port -l |grep http //查看http进程能使用的端口和安全上下文的类型
http_cache_port_t tcp 3128, 8080, 8118, 11211, 10001-10010
http_cache_port_t udp 3130, 11211
http_port_t tcp 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
[root@station252 ~]#
修改 httpd 监听端口为 8888 后,需要将 8888 端口加入到 http_port_t 类型,否则 httpd 启动时绑定端口会被 SELinux 拒绝(拒绝记录会以 AVC 消息写入 /var/log/audit/audit.log,可用 ausearch -m avc 查看)。semanage port 的修改是持久的,重启后仍生效。若目标端口已被其他类型占用(例如 8080 属于 http_cache_port_t),semanage port -a 会报错,应改用 semanage port -m 修改。不要为了省事把 SELinux 改成 permissive 或 disabled,那会让整机失去强制访问控制
[root@station252 ~]# semanage port -a -t http_port_t -p tcp 8888
[root@station252 ~]# semanage port -l|grep http
http_cache_port_t tcp 3128, 8080, 8118, 11211, 10001-10010
http_cache_port_t udp 3130, 11211
http_port_t tcp 8888, 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
[root@station252 ~]#
[root@station252 ~]# service httpd start
[root@station3 ~]# getsebool -a |grep ftp //查看 selinux 中 ftp 相关的布尔值(用 semanage boolean -l 可同时看到每个布尔值的说明)
[root@station3 ~]# setsebool -P ftp_home_dir on //修改布尔值;-P 表示写入策略、重启后仍生效,不加 -P 只在本次运行期间有效。ftp_home_dir 允许 ftp 服务读写用户家目录,会扩大 ftp 服务被攻破后的影响范围,只在确实需要时开启
[root@vm8 ule]# getenforce
Enforcing
[root@vm8 ule]# setenforce 0 //临时切换到 permissive:违反策略的操作只记录 AVC 日志而不拦截,重启后恢复为配置文件中的值。排错时可短暂使用,不要在生产环境长期保持
[root@vm8 ule]# getenforce
Permissive
[root@vm8 ule]# setenforce 1 //切回 enforcing,排错结束后应立即恢复
[root@vm8 ule]# getenforce
Enforcing
[root@vm8 ule]# setenforce 2 //setenforce 只接受 0/1 或 Permissive/Enforcing,不能用它关闭(disable)SELinux
usage: setenforce [ Enforcing | Permissive | 1 | 0 ]
[root@vm8 ule]#