Understanding SELinux
Security-Enhanced Linux, abbreviated SELinux, is a Linux kernel module and one of the security subsystems of Linux.
SELinux's structure and configuration are very complex and involve a large number of concepts, so it is hard to master. Many Linux system administrators find it troublesome and simply turn SELinux off.
The main purpose of SELinux is to reduce, as far as possible, the resources that service processes on the system can access (the principle of least privilege).
SELinux has three working modes:
1. enforcing: enforcing mode. Actions that violate SELinux rules are blocked and recorded in the log.
2. permissive: permissive mode. Actions that violate SELinux rules are only recorded in the log. Generally used for debugging.
3. disabled: SELinux is turned off.
The SELinux working mode is set in /etc/selinux/config
[root@localhost ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@localhost ~]#
Switching from disabled to enforcing or permissive requires a system reboot, and the same applies in the other direction.
enforcing and permissive modes can be switched quickly with the setenforce 1|0 command.
Setting and viewing SELinux status
setenforce 0|1    (0 = permissive, 1 = enforcing)
getenforce    show the current SELinux status
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# setenforce 0
[root@localhost ~]# getenforce
Permissive
[root@localhost ~]# setenforce 1
[root@localhost ~]# getenforce
Enforcing
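The mode-switching rule above (live setenforce between enforcing and permissive, a reboot whenever disabled is involved) turned into a small check script. This is an added example, not part of the original notes: it parses a constructed copy of /etc/selinux/config instead of the real file, and takes the getenforce output as an argument, so it runs anywhere.

```shell
#!/bin/sh
# Added example, not from the original notes: compare the runtime SELinux mode
# (what getenforce prints) with the mode configured in /etc/selinux/config and
# report how to get from one to the other, using the rule from the notes:
# enforcing <-> permissive switches live with setenforce 1|0; any switch to or
# from disabled needs a reboot.

# Extract the SELINUX= value from a config file body read on stdin
# (stdin instead of the real path so the function runs without /etc/selinux).
selinux_config_mode() {
    # only lines beginning with SELINUX= match, so comment lines are ignored;
    # keep the last assignment and normalise it to lowercase
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# Usage: selinux_transition <runtime mode> <configured mode>
# Prints one of: same | setenforce 1 | setenforce 0 | reboot | invalid
selinux_transition() {
    runtime=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    configured=$2
    case "$configured" in
        enforcing|permissive|disabled) ;;
        *) echo invalid; return 1 ;;   # typo in the config file: refuse to guess
    esac
    if [ "$runtime" = "$configured" ]; then
        echo same
    elif [ "$runtime" = disabled ] || [ "$configured" = disabled ]; then
        echo reboot                    # setenforce cannot load or unload policy
    elif [ "$configured" = enforcing ]; then
        echo 'setenforce 1'
    else
        echo 'setenforce 0'
    fi
}

# Constructed sample config, mirroring the file shown in the notes.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'

# Demo: config says enforcing, but runtime was dropped to permissive with setenforce 0.
# On a real host use: selinux_config_mode </etc/selinux/config  and  "$(getenforce)".
cfg=$(printf '%s\n' "$SAMPLE_CONFIG" | selinux_config_mode)
echo "configured mode: $cfg"
echo "action needed:   $(selinux_transition Permissive "$cfg")"
```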
Setting and viewing firewall status
systemctl status firewalld ; service firewalld status    view firewall status
firewall-cmd --state    also queries the firewall's running state
systemctl disable firewalld    stop the firewall from starting at boot
[root@localhost ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: active (running) since Sun 2019-11-17 17:46:40 CST; 15min ago
Docs: man:firewalld(1)
Main PID: 1881 (firewalld)
Tasks: 2
CGroup: /system.slice/firewalld.service
└─1881 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
Nov 17 17:46:40 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Nov 17 17:46:40 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
[root@localhost ~]# service firewalld status
Redirecting to /bin/systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: active (running) since Sun 2019-11-17 17:46:40 CST; 19min ago
Docs: man:firewalld(1)
Main PID: 1881 (firewalld)
Tasks: 2
CGroup: /system.slice/firewalld.service
└─1881 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
Nov 17 17:46:40 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Nov 17 17:46:40 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
[root@localhost ~]# firewall-cmd --state
running
[root@localhost ~]#
systemctl stop|start|restart|enable|disable firewalld    set the various firewall states
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# service firewalld status
Redirecting to /bin/systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
Nov 17 17:46:40 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Nov 17 17:46:40 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
Nov 17 18:11:44 localhost.localdomain systemd[1]: Stopping firewalld - dynamic firewall daemon...
Nov 17 18:11:45 localhost.localdomain systemd[1]: Stopped firewalld - dynamic firewall daemon.
[root@localhost ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
Nov 17 17:46:40 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Nov 17 17:46:40 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
Nov 17 18:11:44 localhost.localdomain systemd[1]: Stopping firewalld - dynamic firewall daemon...
Nov 17 18:11:45 localhost.localdomain systemd[1]: Stopped firewalld - dynamic firewall daemon.
[root@localhost ~]#
iptables firewall
# View firewall status
service iptables status
# Permanently disable the firewall
chkconfig iptables off
# Re-enable the firewall at boot after permanently disabling it
chkconfig iptables on