Linux 第21天: (09月14日) 练习和作业

 

 

系统自动化安装

 


cd /misc/cd
cd isolinux/
hexdump -C -v boot.cat
hexdump -C -v isolinux.bin
cat isolinux.cfg   类似于grub.conf

 


cat /root/anaconda-ks.cfg

 

 

system-config-kickstart

 


cd /etc/yum.repos.d/
mkdir bak
mv *repo bak
vim base.repo
[base]
baseurl=file:///misc/cd
gpgcheck=0   仅限本地光盘源的实验环境；正式环境应设gpgcheck=1并配置gpgkey，校验软件包签名
yum -y install system-config-kickstart 安装kickstart工具
systemctl start vsftpd
scp ks.cfg 10.1.252.213:/var/ftp/pub   ks.cfg里含rootpw，放在FTP的pub目录下可被匿名读取，rootpw应使用--iscrypted的密文

重启按esc
boot:linux ks=ftp://10.1.252.213/pub/ks.cfg 半自动安装

 


ksvalidator ks.cfg 检查应答文件格式

 

 

mkdir /testdir/myks
cp -r /misc/cd/isolinux/ /testdir/myks
tree /testdir/myks/
vim /testdir/myks/isolinux/isolinux.cfg
label ks
 menu label ^kickstart install a system
 menu default
 kernel vmlinuz
 append initrd=initrd.img ks=ftp://10.1.252.213/pub/ks.cfg
cd /testdir
mkisofs -R -J -T -v --no-emul-boot --boot-load-size 4 \
--boot-info-table  -V "CentOS 6.8 wanglinux" -b isolinux/isolinux.bin \
-c isolinux/boot.cat -o /root/boot.iso myks/
scp boot.iso 10.1.252.213:/root


echo '---' > /sys/class/scsi_host/host2/scan 扫描磁盘增减
dd if=boot.iso of=/dev/sdc 刻录到硬盘（会覆盖/dev/sdc上的全部数据，先用lsblk确认设备名）
lsblk
partx -a /dev/sdc
lsblk

 

 

 

 

SELinux

 

 

 

cat /etc/sysconfig/selinux
cat /etc/selinux/config

 

 

getenforce
sestatus
setenforce 0   临时切到permissive（只记录不拦截），不改配置文件，重启后失效
setenforce 1   切回enforcing

 

 

vim /boot/grub2/grub.cfg
selinux=0
vim /etc/selinux/config
SELINUX=disabled   排错时优先改成permissive；disabled之后再启用，需要给整个文件系统重新打标签
reboot 重启才生效
sestatus

 

 

yum -y install setroubleshoot*
yum list setroubleshoot-doc
cat /etc/yum.repos.d/base.repo
df
cd /misc/cd
cd Packages/
ls setroubleshoot-doc*
rpm -ivh setroubleshoot-doc*

 

 

systemctl status httpd
yum -y install httpd
systemctl start httpd
netstat -tnl
iptables -F   清空全部过滤规则，仅限实验环境；正式环境应只放行所需端口
cd /var/www/html
echo welcome to magedu.com > index.html
cp index.html /root
mv /root/index.html .
ll -Z index.html

 

yum -y install telnet links

 

semanage fcontext -l|grep "/var/www" 期望默认上下文标签
restorecon index.html
restorecon -R /var/www/html
chcon -t default_t index.html
chcon --reference index.html index2.html

 

 

mkdir /website
ll -Z /website/ -d
vim /etc/httpd/conf/httpd.conf
DocumentRoot "/website"
<Directory "/website">
systemctl restart httpd
systemctl status httpd
echo mywebsite > index.html
chcon -R --reference /var/www/html /website/   chcon改的标签在restorecon或重新打标签后会丢失，要持久需用semanage fcontext添加规则
ll -dZ /website/

 

 

semanage fcontext -l |grep website
semanage fcontext -a -t httpd_sys_content_t "/website(/.*)?"
ll -Z /website/ -d
restorecon -R /website/
semanage fcontext -d -t httpd_sys_content_t "/website(/.*)?"

 

 

ll -d /var/log/cron
crontab -e
* * * * * echo aaa
ll -dZ /var/log/cron
cp /var/log/cron /home/wang
mv /home/wang/cron /var/log/
crontab -e
ll -Z /var/log/cron
cat /var/log/messages
>grep troubleshoot
restorecon /var/log/cron
ll -Z /var/log/cron
crontab -e
* * * * * echo bbb
cat /var/log/cron
service crond restart
ll /var/log/cron
ps aux |grep crond
killall crond
pstree -p |grep crond
reboot

 

 

ll /var/log/messages
logger this is a test log
cat /var/log/messages
chcon -t default_t /var/log/messages
ll /var/log/messages -Z
logger this is another test log
cat /var/log/messages
restorecon /var/log/messages
cat /var/log/messages
tail /var/log/messages
grep setroubleshoot /var/log/messages

 

 

semanage port -l|grep http
vim /etc/httpd/conf/httpd.conf
Listen 9527
semanage port -l|grep 9527
vim /etc/httpd/conf/httpd.conf
netstat -ntl
httpd -t 检查语法
systemctl restart httpd
semanage port -a -t http_port_t -p tcp 9527
iptables -F

links x.x.x.x:9527
semanage port -m -t ssh_port_t -p tcp 9527
semanage port -d -t http_port_t -p tcp 9527

 

 

getsebool -a|grep http
rpm -qf `which semanage`
semanage boolean -l|grep http
setsebool use_nfs_home_dirs=1
setsebool -P use_nfs_home_dirs on
semanage boolean -l -C 显示改过的地方

 

 

在CentOS 7上
vim /etc/httpd/conf.d/userdir.conf
#UserDir disabled
UserDir public_html
systemctl restart httpd
su - wang
mkdir public_html
echo welcome to wanghome > index.html
links x.x.x.x/~wang 访问wang家目录
ll -d /home/wang
ps aux|grep http
setfacl -m u:apache:x /home/wang

 


在CentOS 6上
vim /etc/httpd/conf/httpd.conf
#UserDir disabled
UserDir public_html
service httpd restart
iptables -F
su - wang
mkdir public_html
cd public_html
echo wanghomecentos6 > index.html
cd
chmod 711 /home/wang
ll -d /home/wang/

 


grep setroubleshoot /var/log/messages 简单日志
sealert 调出图标查看
sealert -a /var/log/audit/audit.log  详细日志
getsebool -a |grep home
setsebool -P httpd_enable_homedirs on   永久更改（on也可以写成1）
getsebool -a |grep home


 

 

 

 

 


 练习

 


1、启用SELinux策略并安装httpd服务,改变网站的默认主目录为/website,添加SELinux文件标签规则,使网站可访问

 

 

vim /etc/selinux/config
SELINUX=enforcing   题目要求启用SELinux，这里不能写disabled
reboot 重启才生效

systemctl status httpd
yum -y install httpd
systemctl start httpd
netstat -tnl
iptables -F

mkdir /website
ll -Z /website/ -d
vim /etc/httpd/conf/httpd.conf
DocumentRoot "/website/"
<Directory "/website">
systemctl restart httpd
systemctl status httpd
echo mywebsite > index.html
semanage fcontext -l |grep website
semanage fcontext -a -t httpd_sys_content_t "/website(/.*)?"
ll -Z /website/ -d
restorecon -R /website/

 

 


2、修改上述网站的http端口为9527,增加SELinux端口标签,使网站可访问

 

 

vim /etc/httpd/conf/httpd.conf
Listen 9527
semanage port -l|grep 9527
vim /etc/httpd/conf/httpd.conf
netstat -ntl
httpd -t 检查语法
systemctl restart httpd
semanage port -a -t http_port_t -p tcp 9527   添加端口标签后要再重启一次httpd，否则enforcing下绑定9527会被SELinux拒绝
iptables -F

 

 


3、启用相关的SELinux布尔值,使上述网站的用户student的家目录可通过http访问

 

 

在CentOS 7上
vim /etc/httpd/conf.d/userdir.conf
#UserDir disabled
UserDir public_html
systemctl restart httpd
su - student
mkdir public_html
echo welcome to studenthome > index.html
links x.x.x.x/~student 访问家目录
ll -d /home/student
ps aux|grep http
setfacl -m u:apache:x /home/student

 


在CentOS 6上
vim /etc/httpd/conf/httpd.conf
#UserDir disabled
UserDir public_html
service httpd restart
iptables -F
su - student
mkdir public_html
cd public_html
echo studenthomecentos6 > index.html
cd
chmod 711 /home/student
ll -d /home/student/