SELinux in-depth understanding

Source: Internet
Author: User

This experiment starts with configuring Apache.

1. Installing the Apache Service Program

A: Mount the disc at the /media/cdrom directory:

B: Create a yum repository configuration file:

The contents of the configuration file are as follows:

C: Install the Apache service program (note: the package name of the Apache service program is httpd, not Apache):

Installation is complete!

D: Start the Apache service and view the service status:

Then open the browser and enter 127.0.0.1; you can see the default page.

There are three possible reasons why this default page is shown: (1) the file has no content; (2) insufficient permissions; (3) an SELinux context error.

Here the cause is obviously the first one, so let's write some content:

And then we'll see:

Well, that is a preliminary success. Next comes the moment to witness the miracle ~ ~ ~

Below, we will store the website data in a different place, for example under /home/wwwwy. We need to edit the main Apache configuration file. The following is the original content; the directory needs to be changed to /home/wwwwy:

After the change:

Then we create the corresponding directory and write some content into the corresponding file. Most importantly, we restart the service, as follows:

Open the browser and enter 127.0.0.1 again; we find that it is still the default page.

This brings us back to the three reasons for the default page. We can exclude (1) because we have just written the content, and (2) because our permissions are sufficient. So it is natural to suspect SELinux. Let's turn SELinux off and look at the result:

Sure enough, the page came right up. Now for the main part.

We know that SELinux has three modes: (1) Enforcing: the security policy is enforced, and illegal requests from the service are intercepted. (2) Permissive: warning mode; unauthorized access only produces a warning in the log and is not intercepted. (3) Disabled: off mode; unauthorized access is neither warned about nor intercepted.

Suppose we want to leave SELinux turned on and still have it let our site through. First look at the SELinux security contexts of the data directories of the old and new sites:

So we just have to change the security context and then make the new context take effect immediately. See:
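
One way to carry out this step with SELinux still enforcing, as an added example that is not from the original article: it gives the new directory the same SELinux type as the default document root, using `semanage fcontext` and `restorecon`. The reference path /var/www/html and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): label a relocated Apache
# document root like the default one, keeping SELinux in enforcing mode.
# DRY_RUN is a hypothetical switch of this script, not an SELinux option.

# Extract the type field from a context "user:role:type:level".
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print the SELinux context of a path (GNU stat, %C = security context).
path_context() {
    stat -c %C -- "$1"
}

# Run a command, or only print it when DRY_RUN=1. The printed form is for
# review only: the regex argument is shown without its quotes.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# relabel_docroot REF_CONTEXT NEW_CONTEXT NEW_PATH
# Returns 0 after relabelling, 1 when the two types already match.
relabel_docroot() {
    want=$(selinux_type "$1")
    have=$(selinux_type "$2")
    if [ "$want" = "$have" ]; then
        return 1
    fi
    # Record the rule in the file-context database so it survives a full
    # relabel, then apply it to the files that already exist.
    run semanage fcontext -a -t "$want" "$3(/.*)?" &&
    run restorecon -Rv "$3"
}

# Direct use (assumed reference directory: /var/www/html):
#   sudo sh relabel.sh /home/wwwwy
if [ -n "${1:-}" ]; then
    relabel_docroot "$(path_context /var/www/html)" "$(path_context "$1")" "$1"
fi
```

Afterwards, `ls -Zd /var/www/html /home/wwwwy` should show the same type on both directories.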

At this point, do you have a more in-depth understanding of SELinux? Ha ha ~
