网页安全站点设置,学校网站建设总结报告,普陀区网站建设,北京诚通新新建设有限公司网站目录
一.SElinux工作原理简介
1.system_u
2.object_r
3.httpd_sys_content_t
4.s0
二.SElinux策略的具体使用详情
1.restorecon
2.semanage
3.chcon 一.SElinux工作原理简介
通过mac方式管理进程#xff0c;管理的目标是进程是否具有读取权限的文件#xff08;文件…目录
一.SElinux工作原理简介
1.system_u
2.object_r
3.httpd_sys_content_t
4.s0
二.SElinux策略的具体使用详情
1.restorecon
2.semanage
3.chcon 一.SElinux工作原理简介
通过mac方式管理进程管理的目标是进程是否具有读取权限的文件文件、目录、端口等要使得进程和目标的安全上下文一致才能够顺利访问到资源还要受文件资源的RWX等权限影响。MAC可以针对特定的进程与特定的文件资源来进行权限的控制即使你是root在使用不同的进程时你所能取得的权限并不一定是root而得要看当时该进程的设置而定。这样一来就可以针对进程而不是用户对文件来进行访问控制。此外这个进程也不能任意使用系统文件资源因为每个文件资源也有针对进程设置可取用的权限。由于整个系统进程那么多文件那么多所以SELinux也提供一些默认的策略policy并在该策略内提供多个规则让你可以选择是否启用该控制规则。
#如下是我160主机的httpd的html目录的安全上下文内容以ls -Z来查看其中有4个字段稍后作解释
[rootR9 www]# ls -Zl
total 0
drwxr-xr-x. 2 root root system_u:object_r:httpd_sys_content_t:s0 24 Dec 23 21:38 ip
drwxr-xr-x. 2 root root system_u:object_r:httpd_sys_content_t:s0 24 Dec 27 13:29 ip1
1.system_u
身份标识root表示root、system_u表示进程程序、unconfined_u表示一般用户相关身份
2.object_r
角色字段可以判断是属于程序、文件、用户中的哪一种object_r表示文件或目录资源system_r表示是进程
3.httpd_sys_content_t
类型字段作用域哪一个域
4.s0
灵敏度一般会有s0、s1、s2数值越大灵敏度越高与MLS和MCS相关
二.SElinux策略的具体使用详情
SElinux的开启和关闭在之前的文章已经介绍到现在我们在关闭firewalld并且SElinux为EnforcingEnforcing为强制限制permissive为运行selinux但不强制disabled为关闭selinux的情况下进行演示这里所有代码段均以httpd服务为例。
[rootR9 www]# systemctl status firewalld.service | grep ActiveActive: inactive (dead)
[rootR9 www]# getenforce
Enforcing
1.restorecon
1这个命令可以将安全上下文修改为原始默认的状态如下所示
[rootR9 www]# ls -Zl #修改后安全上下文
total 0
drwxr-xr-x. 2 root root system_u:object_r:httpd_sys_content_t:s0 24 Dec 23 21:38 ip
drwxr-xr-x. 2 root root system_u:object_r:httpd_sys_content_t:s0 24 Dec 27 13:29 ip1
[rootR9 www]# restorecon -R /www/ #进行重置
[rootR9 www]# ls -ZL
system_u:object_r:default_t:s0 ip
system_u:object_r:default_t:s0 ip1
2可用参数
-R将目录及其子目录一起修改
-v将过程输出到屏幕上详情
2.semanage
1这个命令可以来进行查询和修改安全上下文设置如下所示我要修改我本机的html目录时就可以去查看httpd默认的安全上下文是怎样的在后面就可以按照这个策略进行更改
[rootR9 www]# semanage fcontext -l | grep /var/www/html
/var/www/html(/.*)?/sites/default/files(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html(/.*)?/sites/default/settings\.php regular file system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html(/.*)?/uploads(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html(/.*)?/wp-content(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html(/.*)?/wp_backups(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html/[^/]*/cgi-bin(/.*)? all files system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/html/cgi/munin.* all files system_u:object_r:munin_script_exec_t:s0
/var/www/html/configuration\.php all files system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html/munin(/.*)? all files system_u:object_r:munin_content_t:s0
/var/www/html/munin/cgi(/.*)? all files system_u:object_r:munin_script_exec_t:s0
/var/www/html/nextcloud/data(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html/owncloud/data(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0
2可用参数
-l查询
-a增加安全上下文设置
-m修改设置
-d删除设置
3这里以一个例子介绍一部分semanage对于端口的管理
如下所示我配置了80和8090端口的http服务80端口chcon了安全上下文8090端口为chcon安全上下文并且没有配置其的端口放行在重启服务时就会报错了
[rootR9 www]# semanage port -l | grep http_port
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
[rootR9 www]# ls -Zl
total 0
drwxr-xr-x. 2 root root system_u:object_r:httpd_sys_content_t:s0 24 Dec 23 21:38 ip
drwxr-xr-x. 2 root root system_u:object_r:default_t:s0 24 Dec 27 14:19 ip1
[rootR9 www]# cat /etc/httpd/conf.d/myweb.conf
VirtualHost 192.168.2.160servername www.ssll.comDocumentRoot /www/ipDirectory /wwwAllowOverride NoneRequire all granted/Directory
/VirtualHost
VirtualHost 192.168.2.160:8090DocumentRoot /www/ip1Directory /wwwAllowOverride NoneRequire all granted/Directory
/VirtualHost
[rootR9 www]# systemctl restart httpd
Job for httpd.service failed because the control process exited with error code.
See systemctl status httpd.service and journalctl -xeu httpd.service for details.
[rootR9 www]# systemctl status httpd
× httpd.service - The Apache HTTP ServerLoaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)Active: failed (Result: exit-code) since Wed 2023-12-27 14:21:25 CST; 7s agoDuration: 46min 40.807sDocs: man:httpd.service(8)Process: 4553 ExecStart/usr/sbin/httpd $OPTIONS -DFOREGROUND (codeexited, status1/FAILURE)Main PID: 4553 (codeexited, status1/FAILURE)Status: Reading configuration...CPU: 25ms
Dec 27 14:21:15 R9 systemd[1]: Starting The Apache HTTP Server...
Dec 27 14:21:25 R9 httpd[4553]: AH00558: httpd: Could not reliably determine the servers fully qualified domain name, using fe80::20c:
Dec 27 14:21:25 R9 httpd[4553]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:8090
Dec 27 14:21:25 R9 httpd[4553]: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:8090
Dec 27 14:21:25 R9 httpd[4553]: no listening sockets available, shutting down
Dec 27 14:21:25 R9 httpd[4553]: AH00015: Unable to open logs
Dec 27 14:21:25 R9 systemd[1]: httpd.service: Main process exited, codeexited, status1/FAILURE
Dec 27 14:21:25 R9 systemd[1]: httpd.service: Failed with result exit-code.
Dec 27 14:21:25 R9 systemd[1]: Failed to start The Apache HTTP Server.
接下来添加8090服务端口可以看到重启服务成功并且8090端口已被添加成功也可以成功访问
[rootR9 www]# semanage port -a -t http_port_t -p tcp 8090
[rootR9 www]# systemctl restart httpdEnter TLS private key passphrase for fe80::20c:29ff:fe49:e52%ens160:443 (RSA) : *******
[rootR9 www]# ls -Zl
total 0
drwxr-xr-x. 2 root root system_u:object_r:httpd_sys_content_t:s0 24 Dec 23 21:38 ip
drwxr-xr-x. 2 root root system_u:object_r:default_t:s0 24 Dec 27 14:19 ip1
[rootR9 www]# semanage port -l | grep http_port_t
http_port_t tcp 8090, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
[rootSLB ~]# curl 192.168.2.160:8090
hello
删除端口时可以这样做
[rootR9 www]# semanage port -d -t http_port_t -p tcp 8090
3.chcon
1这个命令用于修改安全上下文如下所示我按照上面我查询到的策略进行修改后能够顺利访问到目录内容
[rootR9 www]# ls -Zl
total 0
drwxr-xr-x. 2 root root system_u:object_r:default_t:s0 24 Dec 23 21:38 ip
drwxr-xr-x. 2 root root system_u:object_r:default_t:s0 24 Dec 27 13:29 ip1
[rootR9 www]# chcon -t httpd_sys_rw_content_t /www/ -R
[rootR9 www]# ls -Zl
total 0
drwxr-xr-x. 2 root root system_u:object_r:httpd_sys_rw_content_t:s0 24 Dec 23 21:38 ip
drwxr-xr-x. 2 root root system_u:object_r:httpd_sys_rw_content_t:s0 24 Dec 27 13:29 ip1
[rootSLB ~]# curl 192.168.2.160
192.168.2.160
2可用参数
-R将目录及其子目录一起修改
-t跟安全上下文所要修改的字段内容
-u跟身份标识
-r跟角色字段
--reference这个表示按照哪个目录文件进行修改安全上下文
[rootR9 www]# restorecon -R /www #按照httpd默认的html目录进行修改
[rootR9 www]# chcon --reference/var/www/html -R /www
[rootR9 www]# ls -Zl
total 0
drwxr-xr-x. 2 root root system_u:object_r:httpd_sys_content_t:s0 24 Dec 23 21:38 ip
drwxr-xr-x. 2 root root system_u:object_r:httpd_sys_content_t:s0 24 Dec 27 13:29 ip1
[rootSLB ~]# curl 192.168.2.160
192.168.2.160
