Starting out with SELinux, beginning with the configuration file.

vi /etc/selinux/config


# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted


Check the current SELinux status with this command:

getenforce

Permissive


Switch the SELinux mode on the fly; this only changes the running state, and only between enforcing and permissive.

setenforce 0

getenforce


Viewing a file's SELinux settings (its security context):

grep sunny /etc/passwd | cut -d":" -f 6

/data/upload/sunny

ls -Z /data/upload/sunny

drwx------. sunny sunny system_u:object_r:default_t:s0   up

The type field (here default_t) is the part of the context that is configured most often (under the targeted policy).


Configuring SELinux, using the httpd home page as an example:

type=`ls -Z /var/www/html/index.html | cut -d" " -f 4 | awk -F":" '{print $3}'`

echo $type

httpd_sys_content_t

vi /data/html/index.html

selinux test.

ls -Z /data/html/index.html

-rw-r--r--. root root unconfined_u:object_r:default_t:s0 /data/html/index.html

lynx localhost        (fails with permission denied)

Alert!: HTTP/1.1 403 Forbidden

chcon -t $type /data/html/index.php

ls -Z /data/html/index.php

-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /data/html/index.php

lynx localhost

selinux test.


Other ways to change the context:

restorecon -R /data/www/        (restores the default context recursively, including all files underneath)

chcon -R --reference=/var/www /data/www
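As an added example (not part of the original notes), a small POSIX shell script that does the chcon step above more carefully: it extracts the type from `ls -Z` output with awk rather than `cut -d" " -f 4`, so aligned columns with several spaces do not break it, and prints the chcon commands needed to bring files into line with a reference type instead of changing anything. The sample `ls -Z` lines and the paths under /data/html are constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes: pull the SELinux type out of
# `ls -Z` lines and list files whose type differs from a reference type.
# SAMPLE_LS_Z is constructed; in practice feed it real `ls -Z` output.

# Print the type (third colon-separated field of the context) from either a
# full `ls -Z` line or a bare context string. awk field splitting tolerates
# the column alignment (runs of spaces) that breaks `cut -d" " -f 4`.
selinux_type() {
    printf '%s\n' "$1" | awk '{
        ctx = ""
        for (i = 1; i <= NF; i++)
            if (ctx == "" && split($i, p, ":") >= 3) ctx = $i
        n = split(ctx, parts, ":")
        if (n >= 3) print parts[3]; else print ""
    }'
}

# Read `ls -Z` lines on stdin; for each file whose type is not $1, print the
# chcon command that would fix it (nothing is changed). Returns 1 if any
# mismatch was found, 0 otherwise. Assumes paths without spaces.
check_against_reference() {
    ref_type=$1
    mismatches=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        t=$(selinux_type "$line")
        f=${line##* }    # last column of ls -Z is the path
        if [ "$t" != "$ref_type" ]; then
            printf 'chcon -t %s %s   # currently %s\n' "$ref_type" "$f" "$t"
            mismatches=$((mismatches + 1))
        fi
    done
    [ "$mismatches" -eq 0 ]
}

# Constructed sample: one file still carries default_t, the others are fine.
SAMPLE_LS_Z='-rw-r--r--. root root unconfined_u:object_r:default_t:s0 /data/html/index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /data/html/about.html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /data/html/img'

# Reference type taken from a known-good file (a constructed line for
# /var/www/html/index.html, matching the value the notes obtained above).
ref=$(selinux_type '-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html')
if printf '%s\n' "$SAMPLE_LS_Z" | check_against_reference "$ref"; then
    echo "all files already carry $ref"
fi
```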


Viewing the SELinux policy booleans:

getsebool -a | grep ftp | grep -v "tftp" | grep -v "http"

allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off

setsebool ftp_home_dir 1        (turns it on for the current state only; add "-P" to write the change to the policy file persistently)