I. Enable the SELinux policy and install the httpd service, change the site's default document root to /website, and add an SELinux file-label rule so the site is reachable
1. Modify the SELinux policy and reboot
[root@localhost ~]# vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
2. Install the http service
yum install -y httpd
3. Change the directory specified by the default Directory entry to /website
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf
AllowOverride None
# Allow open access:
Require all granted
# Further relax access to the default document root:
DocumentRoot "/website"
4. Create the directory and an index.html file
[root@localhost ~]# mkdir /website
[root@localhost ~]# cd /website/
[root@localhost website]# echo "hello world" > index.html
5. Change the SELinux label of the index file
[root@localhost website]# chcon -t httpd_sys_content_t index.html
[root@localhost website]# ls -Z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
6. Restart the httpd service and open the site in a browser:
[root@localhost website]# systemctl restart httpd
[root@localhost website]# ss -tan
State Recv-Q Send-Q Local Address:Port Peer Address:Port
.......(omitted).........
LISTEN 0 128 :::80 :::*
.......(omitted).........
Note: if the site cannot be reached, check whether the firewall is on, and clear its rules with iptables -F.
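As an added example (not part of the original post, and not the author's code): a script that checks an ls -Z listing for entries whose type is not httpd_sys_content_t, and applies the label persistently with a semanage fcontext rule plus restorecon rather than chcon. A chcon label is lost the next time the directory is relabelled (restorecon, a full relabel on boot), whereas the fcontext rule survives. Assumed names: WEBROOT=/website, the functions wrong_type_files, listing_ok and apply_labels, and the APPLY variable; the sample listing is constructed. The parser locates the field shaped like user:role:type:level, so it works with the five-column ls -Z format shown above and with newer coreutils that print only context and name.

```shell
#!/bin/bash
# Added example, not from the original post. Audit a document root's SELinux
# labels and fix them persistently. Assumed: WEBROOT=/website, expected type
# httpd_sys_content_t. semanage/restorecon run only with APPLY=1 as root.

WEBROOT="${WEBROOT:-/website}"
WANT_TYPE="httpd_sys_content_t"

# Read `ls -Z` lines on stdin and print the name of every entry whose SELinux
# type (third colon-separated component of the context) is not $WANT_TYPE.
wrong_type_files() {
    awk -v want="$WANT_TYPE" '
        {
            ctx = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[^:]+:[^:]+:[^:]+:/) { ctx = $i; break }
            if (ctx == "") next          # not a listing line
            split(ctx, f, ":")           # user:role:type:level
            if (f[3] != want) print $NF  # last field is the file name
        }'
}

# Return 0 when every entry in the listing on stdin carries $WANT_TYPE.
listing_ok() {
    [ -z "$(wrong_type_files)" ]
}

# Constructed sample: index.html is labelled as in the post; notes.txt still
# carries default_t, the type a file gets under a freshly created /website.
SAMPLE_LISTING='-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 notes.txt'

# Persistent fix: a file-context rule for the whole tree, then a relabel.
# (`semanage fcontext -a` errors if an identical rule already exists; use
# `-m` to modify it in that case.)
apply_labels() {
    semanage fcontext -a -t "$WANT_TYPE" "${WEBROOT}(/.*)?"
    restorecon -Rv "$WEBROOT"
}

if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    apply_labels
    ls -Z "$WEBROOT" | wrong_type_files     # should print nothing afterwards
else
    printf '%s\n' "$SAMPLE_LISTING" | wrong_type_files   # prints: notes.txt
fi
```

Run it as `APPLY=1 ./check-webroot.sh` on the server to apply the rule; without APPLY it only demonstrates the parser on the constructed listing.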
II. Change the site's http port to 9527 and add an SELinux port label so the site is reachable
1. Edit the httpd configuration file and replace port 80 with 9527
[root@localhost website]# vim /etc/httpd/conf/httpd.conf
Listen 9527
Using vim's built-in substitute command, replace 80 with 9527 directly (:%s/80/9527/)
2. Add the httpd port
(This requires the semanage command; if it is missing, install it with yum install -y policycoreutils-python)
1) Check the current http service ports
[root@localhost website]# semanage port -l | grep http_port_t
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
2) Add http service port 9527
3. Restart the httpd service and check the port
[root@localhost website]# systemctl restart httpd
[root@localhost website]# ss -tan
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 :::9527 :::*
(the http port now listens on 9527)
4. Open the site in a browser using the IP address plus port 9527 (the default web port is 80; without adding the port explicitly the site cannot be reached)
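The port step above, as an added example that is not part of the original post: the script reads the active Listen port out of httpd.conf (so the result of the vim substitution can be confirmed), checks whether http_port_t already covers that port in the `semanage port -l` output, and runs `semanage port -a` only when it is missing. Without the label, httpd's bind to 9527 is denied by SELinux (an AVC name_bind denial in the audit log) and the service fails to start. Assumed names: listen_port, http_port_labelled and ensure_http_port; the sample outputs are constructed, the first http_port_t line being a copy of the one shown above. The parser also handles port ranges such as 10001-10010, which the post's output does not contain.

```shell
#!/bin/bash
# Added example, not from the original post. Assumed function names; the
# sample `semanage port -l` and httpd.conf text below is constructed.

# Print the first active (uncommented) Listen port from httpd.conf on stdin.
# Handles "Listen 9527", "Listen 10.0.0.1:9527" and "Listen [::]:9527".
listen_port() {
    awk '$1 == "Listen" { n = split($2, a, ":"); print a[n]; exit }'
}

# Return 0 if port $1 is listed for http_port_t/tcp in `semanage port -l`
# output on stdin, either as a single number or inside a range like 8000-8100.
http_port_labelled() {
    awk -v p="$1" '
        $1 == "http_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                tok = $i; gsub(/,/, "", tok)
                if (tok ~ /-/) {
                    split(tok, r, "-")
                    if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) found = 1
                } else if (tok + 0 == p + 0) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# Constructed samples (first line copied from the post's output).
SAMPLE_PORTS='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010'
# Constructed http_port_t line containing a range, to exercise that branch.
SAMPLE_RANGE='http_port_t                    tcp      80, 9500-9600'
SAMPLE_CONF='ServerRoot "/etc/httpd"
#Listen 12.34.56.78:80
Listen 9527'

# Label the port only when absent. `semanage port -a` fails if the port is
# already defined for any type; a port owned by another type is moved with
# `semanage port -m -t http_port_t -p tcp PORT` instead.
ensure_http_port() {
    if semanage port -l | http_port_labelled "$1"; then
        echo "port $1 is already labelled http_port_t"
    else
        semanage port -a -t http_port_t -p tcp "$1"
    fi
}

# Usage on the server, as root:
#   ensure_http_port "$(listen_port < /etc/httpd/conf/httpd.conf)"
```

Running `listen_port < /etc/httpd/conf/httpd.conf` after the :%s substitution is a quick way to confirm that the Listen directive itself now reads 9527 before restarting httpd.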
III. Enable the relevant SELinux boolean so that the home directory of the site's user student can be accessed over http
(To make pages in a home directory accessible over http, the SELinux rule that restricts httpd's access to home directories must be switched on:)
1) Check the related rules:
[root@localhost ~]# getsebool -a | grep homedir
git_cgi_enable_homedirs --> off
git_system_enable_homedirs --> off
httpd_enable_homedirs --> off //this rule is off and needs to be set to on
.....(omitted).....
2) Switch the httpd home-directory rule on
[root@localhost website]# setsebool -P httpd_enable_homedirs on //-P makes the change permanent by writing it into the policy store
[root@localhost website]# getsebool -a | grep homedir
git_cgi_enable_homedirs --> off
git_system_enable_homedirs --> off
httpd_enable_homedirs --> on //the rule is now on
(The command "semanage boolean -l" lists all SELinux boolean rules)
[root@localhost website]# semanage boolean -l
SELinux boolean State Default Description
ftp_home_dir (off , off) Allow ftp to home dir
smartmon_3ware (off , off) Allow smartmon to 3ware
mpd_enable_homedirs (off , off) Allow mpd to enable homedirs
xdm_sysadm_login (off , off) Allow xdm to sysadm login
.........(omitted)........
(The command "semanage boolean -l -C" lists only the SELinux booleans that have been changed)
[root@localhost website]# semanage boolean -l -C
SELinux boolean State Default Description
httpd_enable_homedirs (on , on) Allow httpd to enable homedirs
3) Edit the httpd configuration file and turn on the user-directory setting that is disabled by default
(Note: the configuration file path differs between CentOS 6 and CentOS 7)
CentOS 6 configuration file: /etc/httpd/conf/httpd.conf
CentOS 7 configuration file: /etc/httpd/conf.d/userdir.conf
[root@localhost website]# vim /etc/httpd/conf.d/userdir.conf
#
....(omitted)......
#
#UserDir disabled //this line was originally active; comment it out
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disabled" line above, and uncomment
# the following line instead:
#
UserDir web //this line was originally commented out; enable it. It means user directories are served, in the way the comment above describes ("To enable requests to /~user/ to serve the user's public_html"); since I changed the directory name, "public_html" becomes web
4) In the user's home directory create a web directory, create an index.html file in it, change the access permissions for other users, and view the permissions and label
[root@localhost ~]# su - li
[li@localhost ~]$ mkdir web
[li@localhost ~]$ echo "
This is user:
li
home" > ./web/index.html
[li@localhost ~]$ cd web/
[li@localhost web]$ chmod 711 index.html
[li@localhost web]$ ls -Z
-rwx--x--x. li li unconfined_u:object_r:httpd_user_content_t:s0 index.html
5) Restart the service and access it using the form "IP-address/~username/web/index.html"
[root@localhost ~]# systemctl restart httpd
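The whole of part III as one added example (not part of the original post, not the author's code): the script checks the httpd_enable_homedirs boolean from `getsebool -a` output and the UserDir state of userdir.conf before it touches anything, then creates the user's web directory with the permissions the apache process needs and lets restorecon assign the label. Assumed values: user li and directory name web (both used above), the CentOS 7 path /etc/httpd/conf.d/userdir.conf, the function names bool_state, userdir_enabled and setup_homedir_site, and the APPLY variable; the sample boolean output and config excerpt are constructed to mirror the ones shown above. The example uses 711 on the home directory and 644 on the file: apache needs execute (traverse) on every path component and read on the file, while 711 on the home keeps other users from listing it.

```shell
#!/bin/bash
# Added example, not from the original post. Assumed: user "li", directory
# "web", CentOS 7 userdir.conf path. Changes are only made with APPLY=1 as root.

USER_NAME="${USER_NAME:-li}"
USERDIR_NAME="${USERDIR_NAME:-web}"
USERDIR_CONF="${USERDIR_CONF:-/etc/httpd/conf.d/userdir.conf}"

# Print "on" or "off" for boolean $1, reading `getsebool -a` output on stdin.
bool_state() {
    awk -v b="$1" '$1 == b && $2 == "-->" { print $3; exit }'
}

# Return 0 if the config on stdin has an active (uncommented) UserDir
# directive whose value is not "disabled". "#UserDir disabled" is a comment
# and is ignored, exactly as in the edited file above.
userdir_enabled() {
    awk '$1 == "UserDir" && tolower($2) != "disabled" { ok = 1 }
         END { exit ok ? 0 : 1 }'
}

# Constructed samples mirroring the post's getsebool output and config excerpt.
SAMPLE_BOOLS='git_cgi_enable_homedirs --> off
git_system_enable_homedirs --> off
httpd_enable_homedirs --> off'
SAMPLE_USERDIR='#UserDir disabled
UserDir web'

setup_homedir_site() {
    # -P writes the boolean into the policy store so it survives a reboot.
    if [ "$(getsebool -a | bool_state httpd_enable_homedirs)" != on ]; then
        setsebool -P httpd_enable_homedirs on
    fi
    userdir_enabled < "$USERDIR_CONF" || {
        echo "UserDir is still disabled in $USERDIR_CONF" >&2
        return 1
    }
    home=$(getent passwd "$USER_NAME" | cut -d: -f6)
    [ -n "$home" ] || { echo "no such user: $USER_NAME" >&2; return 1; }
    mkdir -p "$home/$USERDIR_NAME"
    printf 'This is user: %s home\n' "$USER_NAME" > "$home/$USERDIR_NAME/index.html"
    # apache needs traverse on the path and read on the file; nothing more.
    chmod 711 "$home"
    chmod 755 "$home/$USERDIR_NAME"
    chmod 644 "$home/$USERDIR_NAME/index.html"
    # The default policy already maps /home/*/web to httpd_user_content_t
    # (which is why ls -Z showed that type above), so restorecon suffices.
    restorecon -Rv "$home/$USERDIR_NAME"
    systemctl restart httpd
}

if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    setup_homedir_site
fi
```

If a directory name other than web, www or public_html is chosen, restorecon will not assign httpd_user_content_t on its own and a `semanage fcontext` rule for that path is needed first.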
Original article, author: Lii. If reposting, please cite the source: http://www.178linux.com/47604