selinux-Network Service Security

Source: Internet
Author: User

I. Viewing and setting SELinux

[root@localhost ~]# vim /etc/sysconfig/selinux    # SELINUX= enforcing | permissive | disabled
[root@localhost ~]# getenforce                    # show the current SELinux mode
[root@localhost ~]# setenforce 1                  # switch at run time between enforcing (1) and permissive (0)
[root@localhost ~]# sestatus                      # show SELinux status, mode and the policy in use

II. Viewing the security context

Process:

[root@localhost ~]# ps -ZC sshd

File:

[root@localhost ~]# ll -dZ /var/www/html/

Port:

[root@localhost ~]# yum provides *bin/semanage    # find the package that provides semanage
[root@localhost ~]# semanage port -l | egrep '\<80\>'
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443

III. Modifying the SELinux context

The effect of cp and mv on the context:

cp: the security context is regenerated (the copy gets the default label for its new location)

mv: the security context does not change (the file keeps its original label)

chcon:

1. chcon -R -t httpd_sys_content_t /webdata

2. chcon -R --reference=/var/www/html /webdata    # take the context of /var/www/html as the reference and apply it to /webdata

Example: FTP anonymous upload

    1. File system permissions
      [root@localhost ~]# mkdir /var/ftp/music
      [root@localhost ~]# setfacl -m u:ftp:rwx /var/ftp/music/
    2. FTP server configuration (vsftpd.conf)
      anonymous_enable=YES
      anon_upload_enable=YES
      anon_mkdir_write_enable=YES

Modify the context:

[root@localhost ~]# chcon -R -t public_content_rw_t /var/ftp/music/

3. View the ftpd booleans

[root@localhost ~]# getsebool -a | grep ftpd

4. Settings

[root@localhost ~]# setsebool -P allow_ftpd_anon_write on    # -P makes the change persistent across reboots

5. Start

[root@localhost ~]# systemctl start vsftpd

IV. Monitoring SELinux policy conflicts

Deploying the SELinux log analysis tool

1. Install the setroubleshoot-server package so that SELinux messages are sent to /var/log/messages

setroubleshoot-server listens for audit records in /var/log/audit/audit.log and writes a short summary to /var/log/messages.
The summary includes a unique identifier (UUID) for the SELinux conflict, which can be used to gather more information with sealert.

2. Restart the logging services

[root@localhost ~]# systemctl restart rsyslog

[root@localhost ~]# systemctl restart auditd    # on RHEL/CentOS 7 systemctl refuses to restart auditd; use "service auditd restart"

3. Testing

[root@localhost ~]# vim /tmp/index.html

[root@localhost ~]# mv /tmp/index.html /var/www/html/    # mv keeps the user_tmp_t label, which httpd may not read

[root@localhost ~]# curl http://localhost

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<title>403 Forbidden</title>

<p>You don't have permission to access /index.html    // permission denied, the file cannot be accessed

on this server.</p>

</body>

4. View /var/log/messages

Nov 02:03:35 localhost setroubleshoot: SELinux is preventing httpd from open access on the file /var/www/html/index.html. For complete SELinux messages run: sealert -l f1243e54-7eb7-458b-a260-ca1f8ff61070

The full sealert report suggests the fix:

......

If you want to fix the label,

/var/www/html/index.html default label should be httpd_sys_content_t.

Then you can run restorecon.

Do

# /sbin/restorecon -v /var/www/html/index.html

......

[root@localhost ~]# /sbin/restorecon -v /var/www/html/index.html

/sbin/restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

5. Successful access

[root@localhost ~]# curl http://localhost

------------------------------

This is a test web!
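The 403 above is the classic symptom of a file moved into the web root with mv. The following script, added here as an example and not part of the original article, audits `ls -Z` output for files whose type httpd cannot serve and points at restorecon as the fix; the sample input is constructed so it runs on a host without SELinux, and the set of readable types is an assumption covering the common httpd content types.

```shell
#!/bin/sh
# Added example (not from the original article): audit the labels of files
# under a web root and flag anything httpd cannot read, e.g. an index.html
# that was moved in with mv and therefore kept its user_tmp_t label.
# Input is `ls -Z` output; the sample below is constructed so the script runs
# without SELinux. On a real server pipe in:  ls -Z /var/www/html

SAMPLE='unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/ok.html
unconfined_u:object_r:user_tmp_t:s0 /var/www/html/index.html
system_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/upload'

# ctx_type CONTEXT: print the type field of user:role:TYPE:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# allowed_type TYPE: succeed if httpd is permitted to serve content of that
# type (assumed list of the usual httpd content types)
allowed_type() {
    case "$1" in
        httpd_sys_content_t|httpd_sys_rw_content_t|httpd_sys_ra_content_t) return 0 ;;
        *) return 1 ;;
    esac
}

# find_mislabeled: read "CONTEXT PATH" lines on stdin, print "PATH TYPE" for
# each file whose type httpd cannot read; exit 1 if any were found, else 0
find_mislabeled() {
    found=0
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        t=$(ctx_type "$ctx")
        if ! allowed_type "$t"; then
            printf '%s %s\n' "$path" "$t"
            found=1
        fi
    done
    return "$found"
}

# Run against the constructed sample; prints "/var/www/html/index.html user_tmp_t"
printf '%s\n' "$SAMPLE" | find_mislabeled ||
    echo "mislabeled files found; fix with: restorecon -Rv /var/www/html"
```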

