一、Selinux的功能
【1】当Selinux未开启时
- 在/mnt中建立文件被移动到/var/ftp下可以被vsftpd服务访问,ftp 本地用户可以上传文件
[root@westos_node1 ~]# touch /mnt/westosfile
[root@westos_node1 ~]# mv /mnt/westosfile /var/ftp
mv: overwrite '/var/ftp/westosfile'? yes
[root@westos_node1 ~]# lftp 172.25.18.11
lftp 172.25.18.11:~> ls
drwxrwxr-x 3 0 50 44 Aug 22 16:29 pub
-rw-r--r-- 1 0 0 0 Aug 22 15:07 systemctl
-rw-r--r-- 1 0 0 0 Aug 26 14:56 westosfile
lftp 172.25.18.11:/> exit
- 匿名用户可以通过设置后上传文件
当使用ls -Z /var/ftp查看文件时显示“?”
[root@westos_node1 ~]# ls -Z /var/ftp/
? pub ? systemctl ? westosfile
- ps auxZ | grep vsftpd 时显示:
[root@westos_node1 ~]# ps auxZ | grep vsftpd
- root 8066 0.0 0.0 26952 412 ? Ss 23:05 0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
- root 8121 0.0 0.1 12112 980 pts/0 S+ 23:10 0:00 grep --color=auto vsftpd
【2】当selinux开启:
在/mnt中建立文件被移动到/var/ftp下不可以被vsftpd服务访问
匿名用户可以通过设置后仍然不能上传文件
[root@westos_node1 ~]# touch /mnt/westosfile1
[root@westos_node1 ~]# mv /mnt/westosfile1 /var/ftp
- 当使用ls -Z /var/ftp查看文件时显示信息:
[root@westos_node1 ~]# ls -Z /var/ftp/
system_u:object_r:public_content_t:s0 pub
system_u:object_r:public_content_t:s0 systemctl
system_u:object_r:public_content_t:s0 westosfile
unconfined_u:object_r:mnt_t:s0 westosfile1
- ps auxZ | grep vsftpd 时显示:
[root@westos_node1 ~]# ps auxZ | grep vsftpd
system_u:system_r:ftpd_t:s0-s0:c0.c1023 root 727 0.0 0.0 26952 408 ? Ss 23:22 0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 6472 0.0 0.1 12112 1056 pts/0 R+ 23:24 0:00 grep --color=auto vsftpd
[root@westos_node1 ~]# lftp 172.25.18.11
lftp 172.25.18.11:~> ls
drwxrwxr-x 3 0 50 44 Aug 22 16:29 pub
-rw-r--r-- 1 0 0 0 Aug 22 15:07 systemctl
-rw-r--r-- 1 0 0 0 Aug 26 14:56 westosfile
lftp 172.25.18.11:/>
【3】selinux对于文件的影响:
- 当selinux开启时,内核会对每个文件及每个开启的程序进行标签加载,标签内记录程序和文件的安全上下文(context)
【4】对于程序功能的影响:
- 当selinux开启会对程序的功能加载开关,并设定此开关的状态为关闭,当需要此功能时需要手动开启功能开关,此开关叫做sebool
二、Selinux的状态及管理
【1】selinux的开启
[root@westos_node1 ~]# vim /etc/selinux/config
SELINUX=enforcing
[root@westos_node1 ~]# reboot
disabled | selinux关闭 |
---|---|
7 SELINUX=enforcing | selinux开机设定为强制状态此状态为selinux开启 |
7 SELINUX=permissive | selinux开机设定为警告状态此状态为selinux开启 |
注意:selinux开启或关闭需要重启系统
- enforcing: 不符合条件一定不能被允许,并会收到警告信息
- permissive:不符合条件被允许,并会收到警告信息
- selinux状态的查看:getenforce
- selinux开启后强制和警告级别的转换:
setenforcr 0 | 警告 |
---|---|
setenforce 1 | 强制 |
【2】 selinux日志位置:
/var/log/audit/audit.log
三、selinux的安全上下文
【1】查看
ls -Z | 查看文件的安全上下文 |
---|---|
ls -Zd | 查看目录的安全上下文 |
ps auxZ | 查看进程的安全上下文 |
【2】修改安全上下文
- 临时修改
此方式更改的安全上下文在selinux重启后会还原
chcon -t 标签 文件|目录
chcon -t public_content_t /westosdir/ # 修改目录安全上下文
chcon -Rt public_content_t /westosdir # 修改目录及目录中的所有子文件的安全上下文
[root@westos_node1 ~]# mkdir /westosdir
[root@westos_node1 ~]# touch /westosdir/westosfile{1..10}
[root@westos_node1 ~]# chcon -t public_content_t /westosdir/
[root@westos_node1 ~]# ls -Z /westosdir/ -d
unconfined_u:object_r:public_content_t:s0 /westosdir/
[root@westos_node1 ~]# ls -Z /westosdir/
unconfined_u:object_r:default_t:s0 westosfile1
unconfined_u:object_r:default_t:s0 westosfile10
unconfined_u:object_r:default_t:s0 westosfile2
unconfined_u:object_r:default_t:s0 westosfile3
unconfined_u:object_r:default_t:s0 westosfile4
unconfined_u:object_r:default_t:s0 westosfile5
unconfined_u:object_r:default_t:s0 westosfile6
unconfined_u:object_r:default_t:s0 westosfile7
unconfined_u:object_r:default_t:s0 westosfile8
unconfined_u:object_r:default_t:s0 westosfile9
[root@westos_node1 ~]# chcon -Rt public_content_t /westosdir/
[root@westos_node1 ~]# ls -Z /westosdir/
unconfined_u:object_r:public_content_t:s0 westosfile1
unconfined_u:object_r:public_content_t:s0 westosfile10
unconfined_u:object_r:public_content_t:s0 westosfile2
unconfined_u:object_r:public_content_t:s0 westosfile3
unconfined_u:object_r:public_content_t:s0 westosfile4
unconfined_u:object_r:public_content_t:s0 westosfile5
unconfined_u:object_r:public_content_t:s0 westosfile6
unconfined_u:object_r:public_content_t:s0 westosfile7
unconfined_u:object_r:public_content_t:s0 westosfile8
unconfined_u:object_r:public_content_t:s0 westosfile9
[root@westos_node1 ~]# vim /etc/selinux//config
SELINUX=disable
[root@westos_node1 ~]# reboot
[root@westos_node1 ~]# vim /etc/selinux//config
SELINUX=enforcing
[root@westos_node1 ~]# getenforce
Disabled
[root@westos_node1 ~]# reboot
[root@westos_node1 ~]# getenforce
SELINUX=enforcing
[root@westos_node1 ~]# ls -Zd /westosdir/
unconfined_u:object_r:default_t:s0 /westosdir/
[root@westos_node1 ~]# ls -Z /var/ftp/
system_u:object_r:public_content_t:s0 pub
system_u:object_r:public_content_t:s0 systemctl
system_u:object_r:public_content_t:s0 westosfile
unconfined_u:object_r:public_content_t:s0 westosfile1
[root@westos_node1 ~]# semanage fcontext -l | grep /westosdir
- 永久修改安全上下文
如果需要特殊指定安全上下文需要修改内核安全上下文列表
semanage fcontext -l #查看内核安全上写问列表
semanage fcontext -a -t public_content_t '/westosdir(/.*)?' # -a 添加 '/westosdir(/.*)?' 目录本身和里面所有的内容,由于?不能被双引号所引用,故此处使用单引号
restorecon -RvvF /westosdir
touch /.autorelable #重启系统时selinux初始化文件标签开关文件(在根下建立此文件会初始化标签)
[root@westos_node1 ~]# semanage fcontext -l | grep /var/ftp
/var/ftp(/.*)? all files system_u:object_r:public_content_t:s0
/var/ftp/bin(/.*)? all files system_u:object_r:bin_t:s0
/var/ftp/etc(/.*)? all files system_u:object_r:etc_t:s0
/var/ftp/lib(/.*)? all files system_u:object_r:lib_t:s0
/var/ftp/lib/ld[^/]*\.so(\.[^/]*)* regular file system_u:object_r:ld_so_t:s0
[root@westos_node1 ~]# mkdir /westosdir1
[root@westos_node1 ~]# touch /westosdir1/westostest{1..10}
[root@westos_node1 ~]# ls -Zd /westosdir
unconfined_u:object_r:default_t:s0 /westosdir
[root@westos_node1 ~]# ls -Zd /westosdir1
unconfined_u:object_r:default_t:s0 /westosdir1
[root@westos_node1 ~]# ls -Z /westosdir
unconfined_u:object_r:default_t:s0 westosfile1
unconfined_u:object_r:default_t:s0 westosfile10
unconfined_u:object_r:default_t:s0 westosfile2
unconfined_u:object_r:default_t:s0 westosfile3
unconfined_u:object_r:default_t:s0 westosfile4
unconfined_u:object_r:default_t:s0 westosfile5
unconfined_u:object_r:default_t:s0 westosfile6
unconfined_u:object_r:default_t:s0 westosfile7
unconfined_u:object_r:default_t:s0 westosfile8
unconfined_u:object_r:default_t:s0 westosfile9
[root@westos_node1 ~]# ls -Z /westosdir1
unconfined_u:object_r:default_t:s0 westostest1
unconfined_u:object_r:default_t:s0 westostest10
unconfined_u:object_r:default_t:s0 westostest2
unconfined_u:object_r:default_t:s0 westostest3
unconfined_u:object_r:default_t:s0 westostest4
unconfined_u:object_r:default_t:s0 westostest5
unconfined_u:object_r:default_t:s0 westostest6
unconfined_u:object_r:default_t:s0 westostest7
unconfined_u:object_r:default_t:s0 westostest8
unconfined_u:object_r:default_t:s0 westostest9
[root@westos_node1 ~]# semanage fcontext -a -t public_content_t '/westosdir(/.*)?'
[root@westos_node1 ~]# semanage fcontext -a -t public_content_t westosdir1
[root@westos_node1 ~]# semanage fcontext -l | grep /westosdir
/westosdir(/.*)? all files system_u:object_r:public_content_t:s0
/westosdir1 all files system_u:object_r:public_content_t:s0
[root@westos_node1 ~]# ls -Zd /westosdir
unconfined_u:object_r:default_t:s0 /westosdir
[root@westos_node1 ~]# restorecon -RvvF /westosdir # -R 第归 vv 表示多个
Relabeled /westosdir from unconfined_u:object_r:default_t:s0 to system_u:object_r:public_content_t:s0
Relabeled /westosdir/westosfile1 from unconfined_u:object_r:default_t:s0 to system_u:object_r:public_content_t:s0
Relabeled /westosdir/westosfile2 from unconfined_u:object_r:default_t:s0 to system_u:object_r:public_content_t:s0
Relabeled /westosdir/westosfile3 from unconfined_u:object_r:default_t:s0 to system_u:object_r:public_content_t:s0
Relabeled /westosdir/westosfile4 from unconfined_u:object_r:default_t:s0 to system_u:object_r:public_content_t:s0
Relabeled /westosdir/westosfile5 from unconfined_u:object_r:default_t:s0 to system_u:object_r:public_content_t:s0
Relabeled /westosdir/westosfile6 from unconfined_u:object_r:default_t:s0 to system_u:object_r:public_content_t:s0
[root@westos_node1 ~]# restorecon -RvvF /westosdir1
Relabeled /westosdir1 from unconfined_u:object_r:default_t:s0 to system_u:object_r:default_t:s0
Relabeled /westosdir1/westostest1 from unconfined_u:object_r:default_t:s0 to system_u:object_r:default_t:s0
Relabeled /westosdir1/westostest2 from unconfined_u:object_r:default_t:s0 to system_u:object_r:default_t:s0
Relabeled /westosdir1/westostest3 from unconfined_u:object_r:default_t:s0 to system_u:object_r:default_t:s0
Relabeled /westosdir1/westostest4 from unconfined_u:object_r:default_t:s0 to system_u:object_r:default_t:s0
Relabeled /westosdir1/westostest5 from unconfined_u:object_r:default_t:s0 to system_u:object_r:default_t:s0
Relabeled /westosdir1/westostest6 from unconfined_u:object_r:default_t:s0 to system_u:object_r:default_t:s0
Relabeled /westosdir1/westostest7 from unconfined_u:object_r:default_t:s0 to system_u:object_r:default_t:s0
Relabeled /westosdir1/westostest8 from unconfined_u:object_r:default_t:s0 to system_u:object_r:default_t:s0
Relabeled /westosdir1/westostest9 from unconfined_u:object_r:default_t:s0 to system_u:object_r:default_t:s0
Relabeled /westosdir1/westostest10 from unconfined_u:object_r:default_t:s0 to system_u:object_r:default_t:s0
Relabeled /westosdir/westosfile7 from unconfined_u:object_r:default_t:s0 to system_u:object_r:public_content_t:s0
Relabeled /westosdir/westosfile8 from unconfined_u:object_r:default_t:s0 to system_u:object_r:public_content_t:s0
Relabeled /westosdir/westosfile9 from unconfined_u:object_r:default_t:s0 to system_u:object_r:public_content_t:s0
Relabeled /westosdir/westosfile10 from unconfined_u:object_r:default_t:s0 to system_u:object_r:public_content_t:s0
[root@westos_node1 ~]# touch /.autorelabel
[root@westos_node1 ~]# reboot
[root@westos_node1 ~]# ls -Z /westosdir -d
system_u:object_r:public_content_t:s0 /westosdir
[root@westos_node1 ~]# ls -Z /westosdir
system_u:object_r:public_content_t:s0 westosfile1
system_u:object_r:public_content_t:s0 westosfile10
system_u:object_r:public_content_t:s0 westosfile2
system_u:object_r:public_content_t:s0 westosfile3
system_u:object_r:public_content_t:s0 westosfile4
system_u:object_r:public_content_t:s0 westosfile5
system_u:object_r:public_content_t:s0 westosfile6
system_u:object_r:public_content_t:s0 westosfile7
system_u:object_r:public_content_t:s0 westosfile8
system_u:object_r:public_content_t:s0 westosfile9
[root@westos_node1 ~]# ls -Z /westosdir1
system_u:object_r:default_t:s0 westostest1
system_u:object_r:default_t:s0 westostest10
system_u:object_r:default_t:s0 westostest2
system_u:object_r:default_t:s0 westostest3
system_u:object_r:default_t:s0 westostest4
system_u:object_r:default_t:s0 westostest5
system_u:object_r:default_t:s0 westostest6
system_u:object_r:default_t:s0 westostest7
system_u:object_r:default_t:s0 westostest8
system_u:object_r:default_t:s0 westostest9
四、SEBOOL
getsebool -a | 显示服务的bool值 |
---|---|
setsebool -P ftpd_anon_write on | 更改 |
[root@westos_node1 ~]# getsebool -a | grep ftp
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@westos_node1 ~]# setsebool -P ftpd_anon_write on
五、SEPORT
此处以更改ssh端口为例:
semanage port -l | grep ssh # 查看ssh端口
semanage port -a -t ssh_port_t -p tcp 1111 # 添加端口
[root@westos_node1 ~]# vim /etc/ssh/sshd_config
17 Port 22
[root@westos_node1 ~]# systemctl restart sshd # 使用22端口可以正常启动
[root@westos_node1 ~]# vim /etc/ssh/sshd_config
17 Port 1111 # 修改端口为1111
[root@westos_node1 ~]# systemctl restart sshd
[root@westos_node1 ~]# getenforce # selinux状态为Permissive警告模式
Permissive
[root@westos_node1 ~]# systemctl status sshd # 启动成功
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2020-08-28 00:13:14 CST; 8s ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 6869 (sshd)
Tasks: 1 (limit: 5079)
Memory: 1.9M
CGroup: /system.slice/sshd.service
└─6869 /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,>
[kiosk@foundation18 Desktop]$ ssh root@172.25.18.11
Aug 28 00:13:14 westos_node1.westos.com systemd[1]: Stopped OpenSSH server daemon.
Aug 28 00:13:14 westos_node1.westos.com systemd[1]: Starting OpenSSH server daemon...
Aug 28 00:13:14 westos_node1.westos.com systemd[1]: Started OpenSSH server daemon.
Aug 28 00:13:14 westos_node1.westos.com sshd[6869]: Server listening on 0.0.0.0 port 1111.
Aug 28 00:13:14 westos_node1.westos.com sshd[6869]: Server listening on :: port 1111.
[root@westos_node1 ~]# setenforce 1 # 修改selinux状态为Enforcing强制模式
[root@westos_node1 ~]# getenforce
Enforcing
[root@westos_node1 ~]# systemctl restart sshd # sshd启动失败
Job for sshd.service failed because the control process exited with error code.
See "systemctl status sshd.service" and "journalctl -xe" for details.
[root@westos_node1 ~]# semanage port -l | grep ssh
ssh_port_t tcp 22
[root@westos_node1 ~]# semanage port -a -t ssh_port_t -p tcp 1111
[root@westos_node1 ~]# semanage port -l | grep ssh
ssh_port_t tcp 1111, 22
[root@westos_node1 ~]# systemctl restart sshd # 添加1111端口后sshd重启成功
六、setrouble
/var/log/audit/audit.log | selinux警告信息 |
---|---|
/var/log/messagea | selinux问题解决方案 |
setroublesshoot-server | 此软件功能是采集警告信息并分析得到解决方案存放到message中 |
[root@westos_node1 ~]# semanage port -d -t ssh_port_t -p tcp 1111
[root@westos_node1 ~]# > /var/log/audit/audit.log # 清空日志
[root@westos_node1 ~]# > /var/log/messages # 清空日志
[root@westos_node1 ~]# systemctl restart sshd # 重新启动,方便查看报错信息
[root@westos_node1 ~]# systemctl stop sshd
[root@westos_node1 ~]# cat /var/log/audit/audit.log
[root@westos_node1 ~]# cat /var/log/messages # 按照日志中给出的方法解决
[root@westos_node1 ~]# semanage port -a -t ssh_port_t -p tcp 1111