I. Displaying and setting the SELinux mode
[root@localhost ~]# vim /etc/sysconfig/selinux    // set the mode: enforcing, permissive or disabled (takes effect on reboot)
[root@localhost ~]# getenforce                    // show the current SELinux mode
[root@localhost ~]# setenforce                    // switch at runtime between enforcing (1) and permissive (0)
[root@localhost ~]# sestatus                      // show SELinux status, its root directory and the policy in use
II. Viewing the security context
Process:
[root@localhost ~]# ps -ZC sshd
File:
[root@localhost ~]# ll -dZ /var/www/html/
Port:
[root@localhost ~]# yum provides *bin/semanage
[root@localhost ~]# semanage port -l | egrep '\<80\>'
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
III. Modifying the SELinux context
Effect of cp and mv on the context:
cp: the security context is regenerated (the copy gets the default label of its destination)
mv: the security context does not change (the file keeps the label it had before)
chcon:
1. chcon -R -t httpd_sys_content_t /webdata
2. chcon -R --reference=/var/www/html /webdata    // take the context of /var/www/html as the reference and assign it to /webdata
Example: FTP anonymous upload
1. File system permissions
[root@localhost ~]# mkdir /var/ftp/music
[root@localhost ~]# setfacl -m u:ftp:rwx /var/ftp/music/
2. FTP server configuration
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
Modify the context:
[root@localhost ~]# chcon -R -t public_content_rw_t /var/ftp/music/
3. View the related booleans
[root@localhost ~]# getsebool -a | grep ftpd
4. Set the boolean (-P makes the change persistent across reboots)
[root@localhost ~]# setsebool -P allow_ftpd_anon_write on
5. Start the service
[root@localhost ~]# systemctl start vsftpd
IV. Monitoring SELinux policy conflicts
Deploying the SELinux log analysis tool
1. Install the setroubleshoot-server package so that SELinux messages are sent to /var/log/messages.
   setroubleshoot-server listens for audit events in /var/log/audit/audit.log and writes a short summary to /var/log/messages.
   The summary includes a unique identifier (UUID) for the SELinux denial, which can be passed to sealert to gather more information.
2. Restart the logging services
[root@localhost ~]# systemctl restart rsyslog
[root@localhost ~]# systemctl restart auditd    // on systemd releases where the auditd unit refuses a manual stop, use: service auditd restart
3. Testing
[root@localhost ~]# vim /tmp/index.html
[root@localhost ~]# mv /tmp/index.html /var/www/html/    // mv keeps the label the file received in /tmp
[root@localhost ~]# curl http://localhost
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<title>403 Forbidden</title>
<p>You don't have permission to access /index.html    // permission denied, the file cannot be accessed
on this server.</p>
</body>
4. Look at /var/log/messages
Nov 02:03:35 localhost setroubleshoot: SELinux is preventing httpd from open access on the file /var/www/html/index.html. For complete SELinux messages run: sealert -l f1243e54-7eb7-458b-a260-ca1f8ff61070
...
If you want to fix the label.
/var/www/html/index.html default label should be httpd_sys_content_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/www/html/index.html
...
[root@localhost ~]# /sbin/restorecon -v /var/www/html/index.html
/sbin/restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
5. Successful access
[root@localhost ~]# curl http://localhost
This is a test web!
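As an added example (not part of the original tutorial), a small POSIX shell script that triages setroubleshoot summaries in the format of step 4 and checks a file's context type against the type its service needs, which is the mislabel that produced the 403 in step 3 and the chcon/restorecon repairs in section III. The log lines, the second UUID and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): triage setroubleshoot summaries
# and file labels with plain text tools, so it runs even where SELinux is absent.

# Constructed sample lines in the format shown above; the second UUID is a placeholder.
SAMPLE_MESSAGES='Nov  2 02:03:35 localhost setroubleshoot: SELinux is preventing httpd from open access on the file /var/www/html/index.html. For complete SELinux messages run: sealert -l f1243e54-7eb7-458b-a260-ca1f8ff61070
Nov  2 02:04:10 localhost systemd: Started Vsftpd ftp daemon.
Nov  2 02:05:02 localhost setroubleshoot: SELinux is preventing vsftpd from write access on the directory /var/ftp/music. For complete SELinux messages run: sealert -l 00000000-0000-4000-8000-000000000000'

# Read /var/log/messages-style lines on stdin; print one line per denial:
# "<sealert uuid> <source process> <access> <target path>"
selinux_denials() {
    sed -n 's/.*setroubleshoot: SELinux is preventing \([^ ]*\) from \([^ ]*\) access on the [a-z]* \([^ ]*\)\. For complete SELinux messages run: sealert -l \([0-9a-f-]*\).*/\4 \1 \2 \3/p'
}

# Extract the type field from a context string user:role:type:level
# (the level may itself contain colons, e.g. s0:c0,c1, so cut by field number).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Compare a file's current context type with the type its service needs
# (httpd_sys_content_t for web content, public_content_rw_t for an anonymous
# FTP upload directory). Returns 0 on match, 1 plus a repair hint otherwise.
check_label() {
    path=$1; expected=$2; actual=$(context_type "$3")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $path is $actual"
        return 0
    fi
    echo "MISMATCH: $path is $actual, expected $expected"
    echo "  fix: restorecon -v $path  (policy default) or chcon -t $expected $path"
    return 1
}

# Demo: list the denials, then check the label that caused the 403 above.
printf '%s\n' "$SAMPLE_MESSAGES" | selinux_denials
check_label /var/www/html/index.html httpd_sys_content_t \
    unconfined_u:object_r:user_tmp_t:s0 || :
```

On a real host, feed it the live log with `selinux_denials < /var/log/messages` and take the context argument from `ls -Z`.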
SELinux - Network Service Security