I used to disable SELinux (Security-Enhanced Linux) whenever it was enabled. However, once SELinux is enabled, some of our services may be restricted; for example, you may not be able to access web pages, FTP, and so on normally. We will solve these problems through SELinux settings.
1. If SELinux is not running, there are several ways to enable it.
Unavailable status
Enable SELinux
Edit the file with vim /etc/sysconfig/selinux as follows:
You can also use the graphical tools system-config-selinux or system-config-securitylevel to set SELinux to "enforcing" mode.
The preceding three methods can take effect only after the computer is restarted.
2. With SELinux set to "enforcing" mode, we change the document root in httpd.conf and find that httpd cannot be restarted, and the change of directory fails.
Change the root directory as follows:
DocumentRoot "/www"
mkdir /www
echo "123" > /www/index.html
When httpd is restarted, an error is reported and it cannot be restarted. Check the log and find the following:
Dec 23 11:33:03 localhost setroubleshoot: SELinux is preventing access to files with the default label, default_t. For complete SELinux messages. run sealert -l 511c4eda-797d-4b79-a1e3-51477afed4e6
Following the prompt in the log, run the command sealert -l 511c4eda-797d-4b79-a1e3-51477afed4e6, which gives the following information:
The types of the source context and the target context are different. httpd cannot read files and directories of type default_t, so it cannot start; the directory has to be changed to a type that httpd can read.
What type can httpd read? Run one of the following commands to find out:
ll -Z <directory or file>
or
semanage fcontext -l | grep http
We can see from the above that the type httpd can read is httpd_sys_content_t.
Now that we know the type, we can set the /www directory to it with chcon (change context); restorecon resets it. Usage is as follows:
chcon -R --reference=/var/www/html /www/
or
chcon -t httpd_sys_content_t /www/
To change back to the original type, use:
restorecon -v -R /www
httpd now starts normally and the index.html page can be accessed.
When restarting httpd reports an error, in addition to reading the logs you can also troubleshoot with the following command:
sealert -b
or click the small star in the upper-right corner of the graphical interface.
The web server uses port 80 by default. If we want to create a port-based virtual host, will it work under SELinux? Suppose we change the port to 8001:
Listen 8001
Restart the httpd service
An error occurred. Port 8001 cannot be bound.
The error message is as follows:
The SELinux security policy does not list port 8001 for httpd, so we need to add it:
semanage port -a -t http_port_t -p tcp 8001
Restart the httpd service.
Some FTP problems related to SELinux
After logging in to FTP, running dir shows no files or folders in your home directory:
The troubleshooting method is as follows:
Let's take a look at the SELinux boolean values for ftp.
SELinux does not allow this by default, so the boolean needs to be changed to ON with the following command:
setsebool -P ftp_home_dir=ON
or
setsebool -P ftp_home_dir=1
Run dir again.
Some Samba problems related to SELinux
The shared directory is /wsm.
[public]
comment = Public
path = /wsm
public = yes
However, /wsm and the home directories cannot be accessed. The log shows the following:
Dec 23 14:35:15 localhost smbd[13169]: [14:35:15, 0] smbd/service.c:make_connection_snum(1003)
Dec 23 14:35:15 localhost smbd[13169]: '/wsm' does not exist or permission denied when connecting to [public] Error was permission is insufficient
SELinux needs to be configured. The SELinux settings that Samba needs are described in smb.conf.
Run the following command:
chcon -R -t samba_share_t /wsm/
To open access to the home directories:
setsebool -P samba_enable_home_dirs=ON
Everything OK
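
The three kinds of fix used above (a file type, a port type, a boolean) can be read off the AVC denial records in /var/log/audit/audit.log. The following Python script is an added example, not part of the original article: it maps each denial to the corresponding command from the article. The audit records, the function names and the per-domain tables are constructed for illustration.

```python
import re
import shlex

# Constructed audit.log records (not from the article), one per case it covers.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1356233583.101:41): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/www" dev=sda1 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1356234001.220:57): avc:  denied  { name_bind } for  pid=2188 comm="httpd" src=8001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1356240915.007:93): avc:  denied  { read } for  pid=3050 comm="vsftpd" name="alice" dev=sda1 ino=2201 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1356244515.300:120): avc:  denied  { search } for  pid=13169 comm="smbd" path="/wsm" dev=sda1 ino=4100 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
'''
# Fixes per source domain, taken from the article's httpd, ftp and Samba sections.
CONTENT_TYPE = {"httpd_t": "httpd_sys_content_t", "smbd_t": "samba_share_t"}
PORT_TYPE = {"httpd_t": "http_port_t"}
HOME_BOOL = {"ftpd_t": "ftp_home_dir", "smbd_t": "samba_enable_home_dirs"}
AVC = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for (?P<kv>.*)')

def parse_avc(line):
    """Parse one AVC denial into a dict; return None for any other line."""
    m = AVC.search(line)
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("kv"))) if m else {}
    if not kv.keys() >= {"scontext", "tcontext", "tclass"}:
        return None
    rec = {k: v.strip('"') for k, v in kv.items()}
    rec["perms"] = m.group("perms").split()
    rec["sdomain"] = rec["scontext"].split(":")[2]  # user:role:TYPE:level
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def suggest(rec):
    """Return the article's remediation command for a denial, or None."""
    dom, tclass = rec["sdomain"], rec["tclass"]
    if tclass == "tcp_socket" and "name_bind" in rec["perms"] \
            and dom in PORT_TYPE and rec.get("src", "").isdigit():
        return f"semanage port -a -t {PORT_TYPE[dom]} -p tcp {rec['src']}"
    if rec["ttype"].startswith("user_home") and dom in HOME_BOOL:
        return f"setsebool -P {HOME_BOOL[dom]} on"
    if tclass in ("file", "dir") and "path" in rec and dom in CONTENT_TYPE:
        # Paths come from log data: quote them before they reach a shell.
        return f"chcon -R -t {CONTENT_TYPE[dom]} {shlex.quote(rec['path'])}"
    return None

def triage(text):
    """Return (domain, command-or-None) per denial, in order, without duplicates."""
    recs = filter(None, map(parse_avc, text.splitlines()))
    return list(dict.fromkeys((r["sdomain"], suggest(r)) for r in recs))

if __name__ == "__main__":
    for dom, cmd in triage(SAMPLE_AUDIT):
        print(dom, "->", cmd or "no rule here; read the sealert -l report")
```

A label set with chcon is replaced by restorecon or a full filesystem relabel. To make it permanent, record it in the policy with semanage fcontext -a -t TYPE "DIR(/.*)?" and then run restorecon -Rv DIR.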