感谢支持
我们一直在努力

在CentOS 6.X上折腾SELinux

SELinux就是Security-Enhanced Linux的简称,安全加强的linux。传统的linux权限是对文件和目录的owner, group和other的rwx进行控制,而SELinux采用的是委任式访问控制,也就是控制一个进程对具体文件系统上面的文件和目录的访问,SELinux规定了很多的规则,来决定哪个进程可以访问哪些文件和目录。


SELinux是根据进程或文件的security context来决定进程是否有权限访问文件系统的,security context由Identify:role:type三部分组成,当selinux的类型为SELINUXTYPE=targeted的时候,只有security context的type是有用的。selinux的配置文件在这里:/etc/selinux/config,内容如下:


# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing – SELinux security policy is enforced.
#       permissive – SELinux prints warnings instead of enforcing.
#       disabled – SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted – Only targeted network daemons are protected.
#       strict – Full SELinux protection.
SELINUXTYPE=targeted
需要安装必要的SELinux的相关工具:


yum install policycoreutils-Python setools-console setroubleshoot setroubleshoot-server查看当前SELinux的状态:


[root@CentOS ~]# getenforce
Enforcing状态为Enforcing就代表打开了SELinux,为disabled或permissive则需要使用下面的命令开启(permissive代表如果不符合SELinux的权限控制,则会出现warning提示信息,不会真的block进程的访问):


设置SELinux为Enforcing:


[root@centos ~]# setenforce 1之后,重启电脑,并等待SELinux相关文件建立完成。


查看进程的security context:


[root@centos ~]# ps aux -Z | grep httpd
unconfined_u:system_r:httpd_t:s0 root     6056  0.0  0.3  11672  3504 ?        Ss   15:31   0:03 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   6061  0.0  0.2  11804  2664 ?        S    15:31   0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   6062  0.0  0.2  11672  2132 ?        S    15:31   0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   6063  0.0  0.2  11804  2664 ?        S    15:31   0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   6064  0.0  0.2  11804  2780 ?        S    15:31   0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   6065  0.0  0.2  11672  2132 ?        S    15:31   0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   6066  0.0  0.2  11672  2132 ?        S    15:31   0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   6067  0.0  0.2  11672  2132 ?        S    15:31   0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   6068  0.0  0.2  11672  2132 ?        S    15:31   0:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 6845 0.0  0.0 4340 752 pts/0 S+ 18:16   0:00 grep httpd查看目录的security context:


[root@centos ~]# ls -dZ /var/www/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/列出SELinux的统计信息,包括security context中的user,role和type,还有规则(Booleans):


[root@centos ~]# seinfo


Statistics for policy file: /etc/selinux/targeted/policy/policy.24
Policy Version & Type: v.24 (binary, mls)


   Classes:            81    Permissions:       235
   Sensitivities:       1    Categories:       1024
   Types: 3488    Attributes:        273
   Users: 9    Roles: 12
   Booleans: 187    Cond. Expr.:       222
   Allow:          273920    Neverallow:          0
   Auditallow:         96    Dontaudit:      199904
   Type_trans:      23469    Type_change:        38
   Type_member:        48    Role allow:         20
   Role_trans:        291    Range_trans:      3993
   Constraints:        87    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             22
   Genfscon:           81    Portcon:           426
   Netifcon:            0    Nodecon:             0
   Permissives:        59    Polcap:              2
查看所有的规则名字:


[root@centos ~]# seinfo -b
Conditional Booleans: 187
   allow_domain_fd_use
   allow_ftpd_full_access
   allow_sysadm_exec_content
   allow_user_exec_content
   allow_zebra_write_config
   cdrecord_read_content
   fcron_crond
   httpd_manage_ipa
   httpd_use_openstack
   mmap_low_allowed
   samba_share_fusefs
   sepgsql_enable_users_ddl
   abrt_handle_event
   allow_ftpd_use_cifs
   allow_httpd_mod_auth_pam
   allow_Java_execstack
   cron_can_relabel
…….
查看一个规则是否打开:


[root@centos ~]# getsebool httpd_enable_homedirs
httpd_enable_homedirs –> off
打开一个规则:


[root@centos ~]# setsebool -P httpd_enable_homedirs=1
[root@centos ~]# getsebool httpd_enable_homedirs
httpd_enable_homedirs –> on
查看一个规则的具体信息(也就是allow或者deny某个进程的security context的type访问某个文件系统的security context的type):


[root@centos ~]# sesearch -b httpd_enable_homedirs –all
ERROR: Cannot get avrules: Neverallow rules requested but not available
Found 46 semantic av rules:
   allow httpd_sys_script_t home_root_t : dir { getattr search open } ;
   allow httpd_sys_script_t home_root_t : lnk_file { read getattr } ;
   allow httpd_suexec_t user_home_dir_t : dir { getattr search open } ;
   allow httpd_suexec_t user_home_dir_t : lnk_file { read getattr } ;
   allow httpd_suexec_t autofs_t : dir { ioctl read getattr lock search open } ;
   allow httpd_suexec_t cifs_t : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow httpd_suexec_t cifs_t : dir { ioctl read getattr lock search open } ;
   allow httpd_suexec_t cifs_t : lnk_file { read getattr } ;
   allow httpd_suexec_t nfs_t : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow httpd_suexec_t nfs_t : dir { ioctl read getattr lock search open } ;
   allow httpd_suexec_t nfs_t : lnk_file { read getattr } ;
   allow httpd_t user_home_t : file { ioctl read getattr lock open } ;
………….
selinux在文件系统中是存在很多的默认设置的,可以通过semanage来查看系统中所有目录的默认security context:

[root@CentOS ~]# semanage fcontext -l
SELinux fcontext                                   type               Context


/                                                  directory          system_u:object_r:root_t:s0
/.*                                                all files          system_u:object_r:default_t:s0
/[^/]+                                             regular file       system_u:object_r:etc_runtime_t:s0
/\.autofsck                                        regular file       system_u:object_r:etc_runtime_t:s0
/\.autorelabel                                     regular file       system_u:object_r:etc_runtime_t:s0
/\.journal                                         all files          <>
/\.suspended                                       regular file       system_u:object_r:etc_runtime_t:s0
/a?quota\.(user|group)                             regular file       system_u:object_r:quota_db_t:s0
/afs                                               directory          system_u:object_r:mnt_t:s0
/bin                                               directory          system_u:object_r:bin_t:s0
/bin/.*                                            all files          system_u:object_r:bin_t:s0
/bin/alsaunmute                                    regular file       system_u:object_r:alsa_exec_t:s0
/bin/bash                                          regular file       system_u:object_r:shell_exec_t:s0
……………
增加一个目录的默认security context:


[root@centos ~]# semanage fcontext -a -t public_content_t “/srv/test(/.*)?”
上面这个命令将/srv/test的默认的security context的type设置为public_content_t


改变一个文件的security context:


[root@centos ~]# chcon -t var_t /var/www/html/index.html
[root@centos ~]# ll -Z /var/www/html/index.html
-rw-r–r–. root root unconfined_u:object_r:var_t:s0   /var/www/html/index.html
上面的命令将/var/www/html/index.html的type改为var_t


可以使用restorecon命令将档案恢复为所在目录的默认security context:
先查看一下/var/www的默认context是什么:


[root@centos ~]# semanage fcontext -l | grep /var/www
/var/www(/.*)?                                     all files          system_u:object_r:httpd_sys_content_t:s0
/var/www/[^/]*/cgi-bin(/.*)?                       all files          system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/apcupsd/multimon\.cgi                     regular file       system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0
/var/www/apcupsd/upsfstats\.cgi                    regular file       system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0
………….
使用restorecon恢复/var/www的所有档案和目录为默认:


[root@centos ~]# restorecon -Rv /var/www
restorecon reset /var/www/html/index.html context unconfined_u:object_r:var_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
——————————————————————————————
selinux是提供日志文件来记录错误信息的,错误信息记录在/var/log/messages 和 /var/log/setroubleshoot/* 里头,需要重启auditd服务来开启selinux的log服务:


[root@centos ~]# /etc/init.d/auditd restart
查看selinux的错误信息:


[root@centos ~]# cat /var/log/messages | grep setroubleshoot
Aug  9 17:46:47 centos yum[6590]: Installed: setroubleshoot-plugins-3.0.40-1.el6.noarch
Aug  9 17:46:50 centos yum[6590]: Installed: setroubleshoot-server-3.0.47-3.el6_3.i686
Aug  9 17:46:54 centos yum[6590]: Installed: setroubleshoot-3.0.47-3.el6_3.i686
Aug  9 17:58:57 centos setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l c7a436a1-a114-4659-91a9-4155b1003dd7
Aug  9 17:58:58 centos setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l c7a436a1-a114-4659-91a9-4155b1003dd7
Aug  9 18:00:35 centos setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l c7a436a1-a114-4659-91a9-4155b1003dd7
Aug  9 18:00:36 centos setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l c7a436a1-a114-4659-91a9-4155b1003dd7
运行sealert查看具体解决方法:


[root@centos ~]# sealert -l c7a436a1-a114-4659-91a9-4155b1003dd7
SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html.


*****  Plugin restorecon (99.5 confidence) suggests  *************************


If you want to fix the label.
/var/www/html/index.html default label should be httpd_sys_content_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/www/html/index.html


*****  Plugin catchall (1.49 confidence) suggests  ***************************


If you believe that httpd should be allowed getattr access on the index.html file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


上面的信息已经给出了具体解决方法,就是使用restorecon将index.html恢复为默认。


——————————————————————————————
下面用httpd这个www服务简单实验一下:
没装httpd的就先装吧。。


[root@centos ~]# yum install httpd
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: mirrors.ta139.com
 * extras: mirrors.ta139.com
 * updates: mirrors.ta139.com
Setting up Install Process
Package httpd-2.2.15-15.el6.centos.1.i686 already installed and latest version
Nothing to do
启动httpd service:


[root@centos ~]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
查看系统是否启动了80端口监听:


[root@centos ~]# netstat -tupln | grep httpd
tcp        0      0 :::80                       :::*                        LISTEN      9587/httpd    
在root的家目录创建index.html文件:


[root@centos ~]# echo “Test for selinux” > index.html
查看它的context:


[root@centos ~]# ls -Z index.html
-rw-r–r–. root root unconfined_u:object_r:admin_home_t:s0 index.html
可以看到它的type为admin_home_t,是继承自/root这个目录的security context


把它copy到/var/www/html中:


[root@centos ~]# cp -a index.html  /var/www/html/
注意,我们使用的是-a这个option来copy,也就是我们保留了源文件的security context:


[root@centos ~]# ll -Z /var/www/html/index.html
-rw-r–r–. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/index.html
使用links访问一下这个page:


[root@centos ~]# links http://localhost/index.html -dump
                                   Forbidden


   You don’t have permission to access /index.html on this server.


   ————————————————————————–


    Apache/2.2.15 (CentOS) Server at localhost Port 80
意料之中,出现permission deny了,这个时候是可以直接去看/var/log/messages来解决问题的。


我们这里先查看一下进程httpd的context:


[root@centos ~]# ps aux -Z | grep httpd
unconfined_u:system_r:httpd_t:s0 apache   9590  0.0  0.2  11804  2852 ?        S    10:38   0:00 /usr/sbin/httpd
再查看一下有没有允许httpd访问type为admin_home_t的文件:


[root@centos ~]# sesearch –all | grep “allow httpd_t admin_home_t”
ERROR: Cannot get avrules: Neverallow rules requested but not available
查询结果显示,没有这个rule,所以httpd进程被block。


查看有没有允许httpd访问type为httpd_sys_content_t的文件:


root@centos ~]# sesearch –all | grep “allow httpd_t httpd_sys_content_t”
ERROR: Cannot get avrules: Neverallow rules requested but not available
   allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
   allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search open } ;
   allow httpd_t httpd_sys_content_t : lnk_file { read getattr } ;
   allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
   allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search open } ;
   allow httpd_t httpd_sys_content_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
   allow httpd_t httpd_sys_content_t : lnk_file { read getattr } ;
好了,恢复/var/www/html/index.html吧:


[root@centos ~]# restorecon -Rv /var/www/html/
restorecon reset /var/www/html/index.html context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
在访问一次:


[root@centos ~]# links http://localhost/index.html -dump
   Test for selinux
OK了。

赞(0) 打赏
转载请注明出处:服务器评测 » 在CentOS 6.X上折腾SELinux
分享到: 更多 (0)

听说打赏我的人,都进福布斯排行榜啦!

支付宝扫一扫打赏

微信扫一扫打赏