Tinkering with SELinux on CentOS 6.X

Source: Internet
Uploader: User

SELinux is short for Security-Enhanced Linux. Traditional Linux permissions only control the rwx bits of a file or directory for its owner, group and others, whereas SELinux uses mandatory access control: it controls which processes may access which files and directories on the file system, according to a large set of rules that decide which process may touch which objects.

SELinux decides whether a process may access the file system from the security context of the process and of the file. A security context has three parts, identity:role:type; when the policy type is SELINUXTYPE=targeted, only the type part is actually used. The SELinux configuration file is /etc/selinux/config and looks like this:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

Install the SELinux tools that the rest of this post uses:

yum install policycoreutils-python setools-console setroubleshoot setroubleshoot-server

Check the current SELinux status:

[root@centos ~]# getenforce
Enforcing

A status of Enforcing means SELinux is on. If it is Disabled or Permissive, turn it on with the command below (Permissive means that an access which violates the SELinux policy only produces a warning message; the process is not actually blocked):

Set SELinux to Enforcing:

[root@centos ~]# setenforce 1

Then reboot the machine and wait for the SELinux related files to be created.

View the security context of processes:

[root@centos ~]# ps aux -Z | grep httpd
unconfined_u:system_r:httpd_t:s0 root     6056  0.0  0.3  11672  3504 ?        Ss   15:31   0:03 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   6061  0.0  0.2  11804  2664 ?        S    15:31   0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   6062  0.0  0.2  11672  2132 ?        S    15:31   0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   6063  0.0  0.2  11804  2664 ?        S    15:31   0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   6064  0.0  0.2  11804  2780 ?        S    15:31   0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   6065  0.0  0.2  11672  2132 ?        S    15:31   0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   6066  0.0  0.2  11672  2132 ?        S    15:31   0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   6067  0.0  0.2  11672  2132 ?        S    15:31   0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   6068  0.0  0.2  11672  2132 ?        S    15:31   0:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 6845 0.0  0.0 4340 752 pts/0 S+ 18:16   0:00 grep httpd

View the security context of a directory:

[root@centos ~]# ls -dZ /var/www/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/

List the SELinux policy statistics, including the users, roles and types used in security contexts, and the rules (Booleans):

[root@centos ~]# seinfo
Statistics for policy file: /etc/selinux/targeted/policy/policy.24
Policy Version & Type: v.24 (binary, mls)

   Classes:            81    Permissions:       235
   Sensitivities:       1    Categories:       1024
   Types:            3488    Attributes:        273
   Users:               9    Roles:              12
   Booleans:          187    Cond. Expr.:       222
   Allow:          273920    Neverallow:          0
   Auditallow:         96    Dontaudit:      199904
   Type_trans:      23469    Type_change:        38
   Type_member:        48    Role allow:         20
   Role_trans:        291    Range_trans:      3993
   Constraints:        87    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             22
   Genfscon:           81    Portcon:           426
   Netifcon:            0    Nodecon:             0
   Permissives:        59    Polcap:              2

List the names of all Booleans (rules):

[root@centos ~]# seinfo -b
Conditional Booleans: 187
   allow_domain_fd_use
   allow_ftpd_full_access
   allow_sysadm_exec_content
   allow_user_exec_content
   allow_zebra_write_config
   cdrecord_read_content
   fcron_crond
   httpd_manage_ipa
   httpd_use_openstack
   mmap_low_allowed
   samba_share_fusefs
   sepgsql_enable_users_ddl
   abrt_handle_event
   allow_ftpd_use_cifs
   allow_httpd_mod_auth_pam
   allow_java_execstack
   cron_can_relabel
.......

Check whether a Boolean is on:

[root@centos ~]# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> off

Turn a Boolean on (-P makes the change persistent across reboots):

[root@centos ~]# setsebool -P httpd_enable_homedirs=1
[root@centos ~]# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> on

Show the details of a Boolean, that is, the rules which allow or deny a process with a given security context type access to file system objects with a given security context type:

[root@centos ~]# sesearch -b httpd_enable_homedirs --all
ERROR: Cannot get avrules: Neverallow rules requested but not available
Found 46 semantic av rules:
   allow httpd_sys_script_t home_root_t : dir { getattr search open } ;
   allow httpd_sys_script_t home_root_t : lnk_file { read getattr } ;
   allow httpd_suexec_t user_home_dir_t : dir { getattr search open } ;
   allow httpd_suexec_t user_home_dir_t : lnk_file { read getattr } ;
   allow httpd_suexec_t autofs_t : dir { ioctl read getattr lock search open } ;
   allow httpd_suexec_t cifs_t : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow httpd_suexec_t cifs_t : dir { ioctl read getattr lock search open } ;
   allow httpd_suexec_t cifs_t : lnk_file { read getattr } ;
   allow httpd_suexec_t nfs_t : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow httpd_suexec_t nfs_t : dir { ioctl read getattr lock search open } ;
   allow httpd_suexec_t nfs_t : lnk_file { read getattr } ;
   allow httpd_t user_home_t : file { ioctl read getattr lock open } ;
.............

SELinux ships with a large set of default labels for the file system. semanage lists the default security context for every path pattern on the system:

[root@centos ~]# semanage fcontext -l
SELinux fcontext                                   type               Context
/                                                  directory          system_u:object_r:root_t:s0
/.*                                                all files          system_u:object_r:default_t:s0
/[^/]+                                             regular file       system_u:object_r:etc_runtime_t:s0
/\.autofsck                                        regular file       system_u:object_r:etc_runtime_t:s0
/\.autorelabel                                     regular file       system_u:object_r:etc_runtime_t:s0
/\.journal                                         all files          <<None>>
/\.suspended                                       regular file       system_u:object_r:etc_runtime_t:s0
/a?quota\.(user|group)                             regular file       system_u:object_r:quota_db_t:s0
/afs                                               directory          system_u:object_r:mnt_t:s0
/bin                                               directory          system_u:object_r:bin_t:s0
/bin/.*                                            all files          system_u:object_r:bin_t:s0
/bin/alsaunmute                                    regular file       system_u:object_r:alsa_exec_t:s0
/bin/bash                                          regular file       system_u:object_r:shell_exec_t:s0
...............

Add a default security context for a directory:

[root@centos ~]# semanage fcontext -a -t public_content_t "/srv/test(/.*)?"

The command above sets the default security context type of /srv/test (and everything under it) to public_content_t.

Change the security context of a single file:

[root@centos ~]# chcon -t var_t /var/www/html/index.html
[root@centos ~]# ll -Z /var/www/html/index.html
-rw-r--r--. root root unconfined_u:object_r:var_t:s0   /var/www/html/index.html

The command above changes the type of /var/www/html/index.html to var_t.

The restorecon command restores a file to the default security context of the directory it lives in.
First check what the default context of /var/www is:

[root@centos ~]# semanage fcontext -l | grep /var/www
/var/www(/.*)?                                     all files          system_u:object_r:httpd_sys_content_t:s0
/var/www/[^/]*/cgi-bin(/.*)?                       all files          system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/apcupsd/multimon\.cgi                     regular file       system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0
/var/www/apcupsd/upsfstats\.cgi                    regular file       system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0
.............

Use restorecon to reset all files and directories under /var/www to their defaults:

[root@centos ~]# restorecon -Rv /var/www
restorecon reset /var/www/html/index.html context unconfined_u:object_r:var_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

——————————————————————————————
SELinux writes its error messages to log files, namely /var/log/messages and /var/log/setroubleshoot/*. Restart the auditd service to turn on SELinux logging:

[root@centos ~]# /etc/init.d/auditd restart

View the SELinux error messages:

[root@centos ~]# cat /var/log/messages | grep setroubleshoot
Aug  9 17:46:47 centos yum[6590]: Installed: setroubleshoot-plugins-3.0.40-1.el6.noarch
Aug  9 17:46:50 centos yum[6590]: Installed: setroubleshoot-server-3.0.47-3.el6_3.i686
Aug  9 17:46:54 centos yum[6590]: Installed: setroubleshoot-3.0.47-3.el6_3.i686
Aug  9 17:58:57 centos setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l c7a436a1-a114-4659-91a9-4155b1003dd7
Aug  9 17:58:58 centos setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l c7a436a1-a114-4659-91a9-4155b1003dd7
Aug  9 18:00:35 centos setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l c7a436a1-a114-4659-91a9-4155b1003dd7
Aug  9 18:00:36 centos setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l c7a436a1-a114-4659-91a9-4155b1003dd7

Run sealert to see the suggested fix:

[root@centos ~]# sealert -l c7a436a1-a114-4659-91a9-4155b1003dd7
SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html.

*****  Plugin restorecon (99.5 confidence) suggests  *************************

If you want to fix the label.
/var/www/html/index.html default label should be httpd_sys_content_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/www/html/index.html

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that httpd should be allowed getattr access on the index.html file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

The output above already gives the concrete fix: use restorecon to reset index.html to its default label.

——————————————————————————————
Now a quick experiment with the httpd web service.
Install httpd first if it is not installed yet.

[root@centos ~]# yum install httpd
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: mirrors.ta139.com
 * extras: mirrors.ta139.com
 * updates: mirrors.ta139.com
Setting up Install Process
Package httpd-2.2.15-15.el6.centos.1.i686 already installed and latest version
Nothing to do

Start the httpd service:

[root@centos ~]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

Check that the system is now listening on port 80:

[root@centos ~]# netstat -tupln | grep httpd
tcp        0      0 :::80                       :::*                        LISTEN      9587/httpd

Create an index.html file in root's home directory:

[root@centos ~]# echo "Test for selinux" > index.html 

Check its context:

[root@centos ~]# ls -Z index.html
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 index.html

Its type is admin_home_t, inherited from the security context of the /root directory.

Copy it into /var/www/html:

[root@centos ~]# cp -a index.html  /var/www/html/

Note that we copied with the -a option, which preserves the security context of the source file:

[root@centos ~]# ll -Z /var/www/html/index.html
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/index.html

Fetch the page with links:

[root@centos ~]# links http://localhost/index.html -dump
                                   Forbidden

   You don't have permission to access /index.html on this server.

   --------------------------------------------------------------------------

    Apache/2.2.15 (CentOS) Server at localhost Port 80

As expected, we get a permission denied. At this point one could go straight to /var/log/messages to resolve the problem.

Here we first look at the context of the httpd process:

[root@centos ~]# ps aux -Z | grep httpd
unconfined_u:system_r:httpd_t:s0 apache   9590  0.0  0.2  11804  2852 ?        S    10:38   0:00 /usr/sbin/httpd

Then check whether httpd_t is allowed to access files of type admin_home_t:

[root@centos ~]# sesearch --all | grep "allow httpd_t admin_home_t"
ERROR: Cannot get avrules: Neverallow rules requested but not available

The query finds no such rule (the ERROR line is only sesearch complaining about neverallow rules, not a match), so the httpd process is blocked.

Check whether httpd_t is allowed to access files of type httpd_sys_content_t:

[root@centos ~]# sesearch --all | grep "allow httpd_t httpd_sys_content_t"
ERROR: Cannot get avrules: Neverallow rules requested but not available
   allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
   allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search open } ;
   allow httpd_t httpd_sys_content_t : lnk_file { read getattr } ;
   allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
   allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search open } ;
   allow httpd_t httpd_sys_content_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
   allow httpd_t httpd_sys_content_t : lnk_file { read getattr } ;
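As an added example (not code from the original post), the two manual checks above, reading the setroubleshoot line from /var/log/messages and grepping sesearch output for an allow rule, can be combined: parse the allow rules and the denial message, then answer whether the denied access had a matching rule for the label the file actually carried versus the label it should carry. The sesearch and log lines are constructed samples in the formats shown on this page.

```python
import re

# Constructed lines in the shape of this page's `sesearch --all` output. The ERROR line is
# the harmless CentOS 6 message seen above; it is not an allow rule and must be skipped.
SESEARCH_OUTPUT = """\
ERROR: Cannot get avrules: Neverallow rules requested but not available
   allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
   allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search open } ;
   allow httpd_t httpd_sys_content_t : lnk_file { read getattr } ;
   allow httpd_sys_script_t home_root_t : dir { getattr search open } ;
"""

# Constructed setroubleshoot line, same wording as the /var/log/messages entries above.
LOG_LINE = ("Aug  9 17:58:57 centos setroubleshoot: SELinux is preventing /usr/sbin/httpd "
            "from getattr access on the file /var/www/html/index.html. For complete SELinux "
            "messages. run sealert -l c7a436a1-a114-4659-91a9-4155b1003dd7")

ALLOW = re.compile(r"^\s*allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}\s*;")
DENIAL = re.compile(r"SELinux is preventing (\S+) from (\w+) access on the (\w+) (\S+)\.")

def parse_allow_rules(text):
    """Map (source_type, target_type, object_class) -> set of permitted operations."""
    rules = {}
    for line in text.splitlines():
        m = ALLOW.match(line)
        if m:  # lines that are not allow rules (the ERROR line, blanks) are ignored
            src, tgt, cls, perms = m.groups()
            rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules

def is_allowed(rules, src, tgt, cls, perm):
    """True if some allow rule grants `perm` on `cls` objects of type tgt to domain src."""
    return perm in rules.get((src, tgt, cls), set())

def parse_denial(log_line):
    """Pull (executable, permission, object class, path) out of a setroubleshoot message.
    The class word is used as printed ('file'); for directories sealert prints 'directory'."""
    m = DENIAL.search(log_line)
    return m.groups() if m else None

if __name__ == "__main__":
    rules = parse_allow_rules(SESEARCH_OUTPUT)
    exe, perm, cls, path = parse_denial(LOG_LINE)
    # index.html carried admin_home_t after `cp -a` (see ls -Z above); httpd runs as httpd_t.
    for target_type in ("admin_home_t", "httpd_sys_content_t"):
        verdict = "allowed" if is_allowed(rules, "httpd_t", target_type, cls, perm) else "denied"
        print("%s %s on %s labelled %s: %s" % (exe, perm, path, target_type, verdict))
```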

Good, now restore /var/www/html/index.html:

[root@centos ~]# restorecon -Rv /var/www/html/
restorecon reset /var/www/html/index.html context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

Access it once more:

[root@centos ~]# links http://localhost/index.html -dump
   Test for selinux

Done.
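An added example, not from the original post, that automates what the restorecon section and the cp -a experiment above show by hand: compare the labels printed by ls -Z against the defaults listed by semanage fcontext -l and report the files that restorecon would relabel. The fcontext excerpt and the ls -Z lines are constructed samples, and the "longest literal stem wins" rule is an approximation of how matchpathcon picks the winning pattern, not libselinux's exact ordering.

```python
import re

# Constructed excerpt in the layout of `semanage fcontext -l` (pattern, file type, context).
FCONTEXT_LIST = """\
/.*                           all files     system_u:object_r:default_t:s0
/root(/.*)?                   all files     system_u:object_r:admin_home_t:s0
/var/www(/.*)?                all files     system_u:object_r:httpd_sys_content_t:s0
/var/www/[^/]*/cgi-bin(/.*)?  all files     system_u:object_r:httpd_sys_script_exec_t:s0
"""

# Constructed `ls -Z` output: index.html still carries admin_home_t after `cp -a` from /root.
LS_Z_LINES = """\
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/index.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/ok.html
-rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/site/cgi-bin/hello.cgi
"""

STEM = re.compile(r"[^.\[(*?+^$\\|{]*")  # literal prefix before the first regex metacharacter

def parse_fcontext(text):
    """Return (compiled pattern, literal stem length, type) tuples from semanage-style lines."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        pattern, context = parts[0], parts[-1]
        rules.append((re.compile("^" + pattern + "$"), len(STEM.match(pattern).group(0)),
                      context.split(":")[2]))
    return rules

def default_type(path, rules):
    """Approximate matchpathcon: of all matching patterns, the one with the longest literal stem wins."""
    hits = [(stem, t) for rx, stem, t in rules if rx.match(path)]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def find_mislabeled(ls_z_text, rules):
    """Compare each `ls -Z` line with the policy default; return (path, current, expected) mismatches."""
    bad = []
    for line in ls_z_text.splitlines():
        parts = line.split()
        if len(parts) != 5:  # perms, owner, group, context, path (paths without spaces assumed)
            continue
        context, path = parts[3], parts[4]
        current = context.split(":")[2]
        expected = default_type(path, rules)
        if expected and expected != current:
            bad.append((path, current, expected))
    return bad

if __name__ == "__main__":
    for path, cur, exp in find_mislabeled(LS_Z_LINES, parse_fcontext(FCONTEXT_LIST)):
        print("would reset %s context %s->%s" % (path, cur, exp))  # same shape as restorecon -v
```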
