- Subject - a program running on the system; every Subject has security attributes, represented by its Security Context
- Object - a resource on the system, such as a file or a network socket; every Object has security attributes, represented by its Security Context
- Policy & Rule - whether a process subject needs to be controlled, and how, is defined by the Policy
- Security Context - the core of SELinux. It runs inside the Linux kernel; according to the SELinux policy it checks whether the security attributes of Subjects match those of Objects, and so decides whether a Subject may access an Object

- enforcing - enforcing mode: actions that violate the rules are blocked and recorded in the log
- permissive - permissive mode: actions that violate the rules are only recorded in the log
- disabled - SELinux is turned off
$ sestatus
5.2 Testing whether SELinux is in effect
$ yum -y install httpd
# Allow web traffic through the firewall
$ firewall-cmd --permanent --add-service=http
$ firewall-cmd --reload
$ mkdir /home/wwwroot
$ echo "This is SELinux" > /home/wwwroot/index.html
# Start the httpd server
$ systemctl start httpd
DocumentRoot "/home/wwwroot"
<Directory "/home/wwwroot">
....
</Directory>
$ setenforce 0
5.3 Setting the security context
$ ls -Zd /var/www/html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html
$ ls -Zd /home/wwwroot/
drwxr-xr-x. root root unconfined_u:object_r:home_root_t:s0 /home/wwwroot/
- system_u -> identity of a system process
- object_r -> role for files and directories
- httpd_sys_content_t -> type for web server content files
$ yum -y install policycoreutils-python.x86_64
# The fcontext argument is a regular expression, not a shell glob: label the
# directory itself, then everything beneath it
$ semanage fcontext -a -t httpd_sys_content_t /home/wwwroot
$ semanage fcontext -a -t httpd_sys_content_t "/home/wwwroot/.*"
$ restorecon -Rv /home/wwwroot/
restorecon reset /home/wwwroot context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/index.html context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
5.4 Putting SELinux domains into effect
5.4.1 Enabling the httpd per-user home page feature
#
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
# The path to the end user account 'public_html' directory must be
# accessible to the webserver userid. This usually means that ~userid
# must have permissions of 711, ~userid/public_html must have permissions
# of 755, and documents contained therein must be world-readable.
# Otherwise, the client will only receive a "403 Forbidden" message.
#
<IfModule mod_userdir.c>
#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).
#
# UserDir disabled
#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disabled" line above, and uncomment
# the following line instead:
#
UserDir public_html
</IfModule>
#
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
<Directory "/home/*/public_html">
AllowOverride FileInfo AuthConfig Limit Indexes
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Require method GET POST OPTIONS
</Directory>
$ getsebool -a | grep http
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
named_tcp_bind_http_port --> off
prosody_bind_http_port --> off
$ setsebool -P httpd_enable_homedirs=on
5.4.2 Configuring multiple sites based on port number
$ mkdir -p /home/wwwroot/7777
$ mkdir -p /home/wwwroot/8888
$ echo "Test Port:7777" > /home/wwwroot/7777/index.html
$ echo "Test Port:8888" > /home/wwwroot/8888/index.html
# httpd only binds ports it is told to listen on
Listen 7777
Listen 8888
<VirtualHost 192.168.24.128:7777>
DocumentRoot /home/wwwroot/7777
ServerName www.neuron.com
<Directory "/home/wwwroot/7777">
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
<VirtualHost 192.168.24.128:8888>
DocumentRoot /home/wwwroot/8888
ServerName bbs.neuron.com
<Directory "/home/wwwroot/8888">
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
$ semanage port -l | grep http
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
$ semanage port -a -t http_port_t -p tcp 7777
$ semanage port -a -t http_port_t -p tcp 8888
$ firewall-cmd --permanent --add-port=7777/tcp
$ firewall-cmd --permanent --add-port=8888/tcp
$ firewall-cmd --reload
$ firewall-cmd --list-ports
$ systemctl restart httpd
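As an added example, not part of the original article, the following POSIX shell helpers check the two preconditions that sections 5.3 and 5.4.2 rely on: whether a directory already carries the httpd_sys_content_t type in `ls -Zd` output, and whether a port is already covered by http_port_t in `semanage port -l` output (including ranges such as 10001-10010). The function names are my own, and the sample `ls -Zd` line and `semanage` listing are constructed from the article's own output.

```shell
#!/bin/sh
# Added example: pure-shell checks over `ls -Zd` and `semanage port -l` output.
# Function names are the author's own; input samples are constructed below.

# Return the type field of an SELinux context "user:role:type:level".
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# $1: one line of `ls -Zd` output, $2: expected type.
# Succeeds when the directory's label already carries the expected type.
label_matches() {
    ctx=$(printf '%s\n' "$1" | awk '{print $4}')
    [ "$(ctx_type "$ctx")" = "$2" ]
}

# Build the regex argument for `semanage fcontext`: the directory itself and
# everything below it. A trailing slash is stripped first.
fcontext_pattern() {
    printf '%s(/.*)?\n' "${1%/}"
}

# $1: `semanage port -l` output, $2: port type, $3: TCP port number.
# Succeeds when the port is listed under that type, expanding "lo-hi" ranges.
port_has_type() {
    printf '%s\n' "$1" | awk -v t="$2" -v p="$3" '
        $1 == t && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                gsub(",", "", $i)
                n = split($i, r, "-")
                lo = r[1]; hi = (n == 2) ? r[2] : r[1]
                if (p + 0 >= lo + 0 && p + 0 <= hi + 0) found = 1
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# Constructed samples taken from the listings in this article.
LS_LINE='drwxr-xr-x. root root unconfined_u:object_r:home_root_t:s0 /home/wwwroot/'
SEMANAGE_OUT='http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000'

# Report what still needs fixing before httpd can serve /home/wwwroot on 7777.
label_matches "$LS_LINE" httpd_sys_content_t \
    || echo "relabel needed: semanage fcontext -a -t httpd_sys_content_t \"$(fcontext_pattern /home/wwwroot/)\""
port_has_type "$SEMANAGE_OUT" http_port_t 7777 \
    || echo "port label needed: semanage port -a -t http_port_t -p tcp 7777"
```

Run it before and after the `semanage`/`restorecon` steps to confirm each label change actually took effect.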
Originally published on the WeChat public account 山石网科安全技术研究院 (Hillstone Networks Security Technology Research Institute): Analysis of the SELinux security mechanism in the Linux kernel