Recommending the official Fedora documentation site

Here is the link to the site. I read through its SELinux section once and now have a good general understanding of it; it is very well written.

http://docs.fedoraproject.org/

Below are the main commands for day-to-day SELinux use; for SELinux administration, refer to the more detailed documentation above.
1) Make sure SELinux is enabled
Check with /usr/sbin/getenforce or /usr/sbin/sestatus; the output looks like this:
[alex@localhost ~]$ /usr/sbin/getenforce 
Enforcing
[alex@localhost ~]$ /usr/sbin/sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
 
If the mode is enforcing, SELinux is on and any operation that violates the SELinux rules is denied.
If the mode is permissive, SELinux is also on, but operations that violate the rules are still allowed.
2) If SELinux is enabled, use ls -Z to view the SELinux context of files
[alex@localhost ~]$ ls -Z
-rw-rw-r--. alex alex unconfined_u:object_r:user_home_t:s0 colortheme.sh
drwxr-xr-x. alex alex unconfined_u:object_r:user_home_t:s0 Desktop
drwxr-xr-x. alex alex unconfined_u:object_r:user_home_t:s0 Documents
drwxrwxr-x. alex alex unconfined_u:object_r:user_home_t:s0 sim
-rw-rw-r--. alex alex unconfined_u:object_r:user_home_t:s0 test2file
-rw-rw-r--. alex alex unconfined_u:object_r:user_home_t:s0 testfile
drwxr-xr-x. alex alex unconfined_u:object_r:user_home_t:s0 Videos
3) If SELinux is enabled, use ps -eZ to view the SELinux context of each process
[root@localhost alex]# ps -eZ
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:00 init
system_u:system_r:kernel_t:s0       2 ?        00:00:00 kthreadd
system_u:system_r:udev_t:s0-s0:c0.c1023 593 ?  00:00:00 udevd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1738 tty1 00:00:00 bash
unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 4705 ? 00:02:20 chrome
4) Use id -Z to view the current user's SELinux context
[alex@localhost ~]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
5) Use semanage to view the mapping between Linux accounts and SELinux users (must be run as root)
[root@localhost alex]# semanage login -l
Login Name                SELinux User              MLS/MCS Range            
__default__               unconfined_u              s0-s0:c0.c1023           
root                      unconfined_u              s0-s0:c0.c1023           
system_u                  system_u                  s0-s0:c0.c1023 
6) By default, a file created inside a directory gets the same SELinux type as the directory
[root@localhost www]# ls -Z
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
[root@localhost www]# touch html/hello.html
[root@localhost www]# ls -Z html/
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 hello.html
With the Apache server running, a client can now download the file
[root@localhost www]# /etc/init.d/httpd start
Starting httpd:                                            [  OK  ]
[alex@localhost ~]$ wget http://localhost/html/hello.html
--2010-03-12 22:00:07--  http://localhost/html/hello.html
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/html]
Saving to: "hello.html"
    [ <=>                                   ] 0           --.-K/s   in 0s      
2010-03-12 22:00:07 (0.00 B/s) - "hello.html" saved [0/0]
7) To change the file's SELinux type, use chcon
[root@localhost www]# chcon -t samba_share_t html/hello.html
[root@localhost www]# ls -Z html/
-rw-r--r--. root root unconfined_u:object_r:samba_share_t:s0 hello.html
Now, with Apache still running, a client can no longer download the file
[alex@localhost ~]$ wget http://localhost/html/hello.html
--2010-03-12 21:59:26--  http://localhost/html/hello.html
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2010-03-12 21:59:26 ERROR 403: Forbidden.
8) To restore the file's original SELinux context, use restorecon
[root@localhost www]# restorecon -v html/hello.html
restorecon reset /var/www/html/hello.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
[root@localhost www]# ls -Z html/
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 hello.html
9) By default an executable can only operate within its own SELinux domain, that is, it can only access the files its domain is allowed to use; other files cannot be read (as shown above).
If the executable is relabelled with the unconfined_exec_t type, the program is no longer confined by SELinux and can read files that belong to other domains.
[root@localhost www]# ls -Z /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
[root@localhost www]# chcon -t unconfined_exec_t /usr/sbin/httpd
[root@localhost www]# ls -Z /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:unconfined_exec_t:s0 /usr/sbin/httpd
[root@localhost www]# chcon -t samba_share_t html/hello.html
[root@localhost www]# ls -Z html/
-rw-r--r--. root root system_u:object_r:samba_share_t:s0 hello.html
[root@localhost www]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[alex@localhost ~]$ wget http://localhost/html/hello.html
--2010-03-12 22:08:46--  http://localhost/html/hello.html
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/html]
Saving to: "hello.html.1"
    [ <=>                                   ] 0           --.-K/s   in 0s      
2010-03-12 22:08:46 (0.00 B/s) - "hello.html.1" saved [0/0]
Put the executable back to its default type with restorecon
restorecon -v /usr/sbin/httpd
10) Use semanage to list the SELinux booleans that switch individual rules on or off
[root@localhost www]# /usr/sbin/semanage boolean -l
SELinux boolean                          Description
ftp_home_dir                   -> off   Allow ftp to read and write files in the user home directories
privoxy_connect_any            -> on    Allow privoxy to connect to all ports, not just HTTP, FTP, and Gopher ports.
xen_use_nfs                    -> off   Allow xen to manage nfs files
Use setsebool to turn the corresponding boolean on
[root@localhost www]# setsebool ftp_home_dir on
[root@localhost www]# /usr/sbin/semanage boolean -l 
SELinux boolean                          Description
ftp_home_dir                   -> on    Allow ftp to read and write files in the user home directories
Use setsebool to turn the corresponding boolean off
[root@localhost www]# setsebool ftp_home_dir off
[root@localhost www]# /usr/sbin/semanage boolean -l 
SELinux boolean                          Description
ftp_home_dir                   -> off   Allow ftp to read and write files in the user home directories
To make the change persistent so that it is still in effect after a reboot, add the -P option
[root@localhost www]# setsebool -P ftp_home_dir on
11) Without -R, chcon changes only the named file or directory itself; with -R it changes the directory and everything beneath it
[root@localhost www]# ls -RZ perl/
perl/:
drwxrwxr-x. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 Book
-rw-rw-r--. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 cgi.pl
-rw-rw-r--. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 count1.pl
-rw-rw-r--. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 counter2.pl
-rwxr-xr-x. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 count.pl
-rw-rw-r--. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 mylib.pl
-rw-r--r--. root root system_u:object_r:httpd_sys_script_exec_t:s0 startup.pl
-rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 test.pl
-rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 tmp.pl
perl/Book:
-rw-rw-r--. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 Counter.pm
[root@localhost www]# chcon -t samba_share_t perl/count1.pl 
[root@localhost www]# ls -RZ perl/
perl/:
drwxrwxr-x. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 Book
-rw-rw-r--. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 cgi.pl
-rw-rw-r--. alex alex system_u:object_r:samba_share_t:s0 count1.pl
-rw-rw-r--. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 counter2.pl
-rwxr-xr-x. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 count.pl
-rw-rw-r--. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 mylib.pl
-rw-r--r--. root root system_u:object_r:httpd_sys_script_exec_t:s0 startup.pl
-rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 test.pl
-rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 tmp.pl
perl/Book:
-rw-rw-r--. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 Counter.pm
[root@localhost www]# chcon -R -t samba_share_t perl
[root@localhost www]# ls -RZ perl/
perl/:
drwxrwxr-x. alex alex system_u:object_r:samba_share_t:s0 Book
-rw-rw-r--. alex alex system_u:object_r:samba_share_t:s0 cgi.pl
-rw-rw-r--. alex alex system_u:object_r:samba_share_t:s0 count1.pl
-rw-rw-r--. alex alex system_u:object_r:samba_share_t:s0 counter2.pl
-rwxr-xr-x. alex alex system_u:object_r:samba_share_t:s0 count.pl
-rw-rw-r--. alex alex system_u:object_r:samba_share_t:s0 mylib.pl
-rw-r--r--. root root system_u:object_r:samba_share_t:s0 startup.pl
-rwxr-xr-x. root root system_u:object_r:samba_share_t:s0 test.pl
-rwxr-xr-x. root root system_u:object_r:samba_share_t:s0 tmp.pl
perl/Book:
-rw-rw-r--. alex alex system_u:object_r:samba_share_t:s0 Counter.pm
12) Use restorecon -R -v to restore the original contexts of a directory and all files beneath it
[root@localhost www]# /sbin/restorecon -R -v perl/
/sbin/restorecon reset /var/www/perl context system_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_script_exec_t:s0
/sbin/restorecon reset /var/www/perl/Book context system_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_script_exec_t:s0
/sbin/restorecon reset /var/www/perl/Book/Counter.pm context system_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_script_exec_t:s0
/sbin/restorecon reset /var/www/perl/count1.pl context system_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_script_exec_t:s0
/sbin/restorecon reset /var/www/perl/tmp.pl context system_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_script_exec_t:s0
/sbin/restorecon reset /var/www/perl/cgi.pl context system_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_script_exec_t:s0
/sbin/restorecon reset /var/www/perl/test.pl context system_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_script_exec_t:s0
/sbin/restorecon reset /var/www/perl/mylib.pl context system_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_script_exec_t:s0
/sbin/restorecon reset /var/www/perl/count.pl context system_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_script_exec_t:s0
/sbin/restorecon reset /var/www/perl/startup.pl context system_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_script_exec_t:s0
/sbin/restorecon reset /var/www/perl/counter2.pl context system_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_script_exec_t:s0
[root@localhost www]# ls -RZ perl/
perl/:
drwxrwxr-x. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 Book
-rw-rw-r--. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 cgi.pl
-rw-rw-r--. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 count1.pl
-rw-rw-r--. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 counter2.pl
-rwxr-xr-x. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 count.pl
-rw-rw-r--. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 mylib.pl
-rw-r--r--. root root system_u:object_r:httpd_sys_script_exec_t:s0 startup.pl
-rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 test.pl
-rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 tmp.pl
perl/Book:
-rw-rw-r--. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 Counter.pm
13) Use /usr/sbin/semanage fcontext -a options file-name|directory-name to add a file-context rule (give the file or directory as an absolute path)
/usr/sbin/semanage fcontext -a -t samba_share_t /etc/file1
The /usr/sbin/semanage fcontext -a -t samba_share_t /etc/file1 command adds the following entry to /etc/selinux/targeted/contexts/files/file_contexts.local:
/etc/file1    system_u:object_r:samba_share_t:s0
14) Then use /sbin/restorecon -v file-name|directory-name to relabel the file or directory according to the file-context database, which now contains the new rule
If the context is part of a regular expression, for example, /web(/.*)?, use quotation marks around the regular expression (this example removes such a rule with -d):
/usr/sbin/semanage fcontext -d "/web(/.*)?"
15) Set the SELinux context of a file system when mounting it
# mount server:/export /local/mount/point -o\
context="system_u:object_r:httpd_sys_content_t:s0"
16)the defcontext option defines that system_u:object_r:samba_share_t:s0 is "the default security context for unlabeled files"[12].
# mount /dev/sda2 /test/ -o defcontext="system_u:object_r:samba_share_t:s0"
17)To mount multiple mounts from a single NFS export, with each mount having a different context, use the -o nosharecache,context options. The following example mounts multiple mounts from a single NFS export, with a different context for each mount (allowing a single service access to each one):
# mount server:/export/web /local/web -o\
nosharecache,context="system_u:object_r:httpd_sys_content_t:s0"
# mount server:/export/database /local/database -o\
nosharecache,context="system_u:object_r:mysqld_db_t:s0"
18) To keep the context on the mounted file system across reboots, add it to /etc/fstab
To make context mounts persistent across remounting and reboots, add entries for the file systems in /etc/fstab or an automounter map, and use the desired context as a mount option. The following example adds an entry to /etc/fstab for an NFS context mount:
server:/export /local/mount/ nfs context="system_u:object_r:httpd_sys_content_t:s0" 0 0
19) Copying a file or directory does not preserve its SELinux context by default; to keep the original context, use --preserve=context
cp --preserve=context
20) Moving a file keeps its original SELinux context by default
As the Linux root user, run the mv file1 /var/www/html/ command to move file1 to the /var/www/html/ directory. Since this file is moved, it keeps its current user_home_t type:
21) Use /usr/sbin/matchpathcon to check whether a file's or directory's SELinux context matches what the file-context database says it should be. Pass the absolute path (here /var/www/perl): a relative path such as perl/ matches no file-context rule, which is why the output below reports <<none>> instead of the expected type.
[root@localhost www]# ls -RZ perl/
perl/:
drwxrwxr-x. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 Book
-rw-rw-r--. alex alex system_u:object_r:samba_share_t:s0 cgi.pl
-rw-rw-r--. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 count1.pl
-rw-rw-r--. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 counter2.pl
-rwxr-xr-x. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 count.pl
-rw-rw-r--. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 mylib.pl
-rw-r--r--. root root system_u:object_r:httpd_sys_script_exec_t:s0 startup.pl
-rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 test.pl
-rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 tmp.pl
perl/Book:
-rw-rw-r--. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 Counter.pm
[root@localhost www]# /usr/sbin/matchpathcon  -V perl/
perl has context system_u:object_r:httpd_sys_script_exec_t:s0, should be <<none>>
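A small offline check in the spirit of matchpathcon, added here as an example (it is not from the page, nor one of Fedora's tools): it reads ls -RZ output and lists every entry whose SELinux type is not the one expected for that tree, such as the cgi.pl that drifted to samba_share_t above. It assumes the five-column ls -Z layout shown throughout this post; the listing inside is constructed, not captured from a real host.

```shell
# Constructed ls -RZ listing (modelled on the perl/ tree above, not captured
# from a real host); cgi.pl and "my notes.txt" carry the wrong type.
LS_SAMPLE='perl/:
drwxrwxr-x. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 Book
-rw-rw-r--. alex alex system_u:object_r:samba_share_t:s0 cgi.pl
-rwxr-xr-x. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 count.pl

perl/Book:
-rw-rw-r--. alex alex system_u:object_r:httpd_sys_script_exec_t:s0 Counter.pm
-rw-rw-r--. alex alex unconfined_u:object_r:user_home_t:s0-s0:c0.c1023 my notes.txt'

# find_mislabeled TYPE: read `ls -Z` or `ls -RZ` output on stdin and print
# "<path> <actual type>" for every entry whose SELinux type is not TYPE.
# The context column is user:role:type:level, so the type is its third
# colon-separated part; an MCS level like s0-s0:c0.c1023 does not disturb that.
find_mislabeled() {
    awk -v want="$1" '
    # "perl/Book:" header lines from ls -R name the directory that follows
    /^[^ ]+:$/ { dir = substr($0, 1, length($0) - 1); sub(/\/$/, "", dir); next }
    NF < 5 { next }                       # blank lines and "total N" lines
    {
        split($4, c, ":")
        if (c[3] == want) next
        # the file name is everything after the fourth column (may contain spaces)
        name = $0
        for (i = 1; i <= 4; i++) sub(/^[^ ]+ +/, "", name)
        path = (dir == "" ? name : dir "/" name)
        print path, c[3]
    }'
}

# Typical use on a live system (prints nothing when every entry matches):
#   ls -RZ /var/www/perl | find_mislabeled httpd_sys_script_exec_t
```

Anything it prints is a candidate for restorecon -v (step 8) or, if the label was meant to differ, for a semanage fcontext rule (step 13) so that restorecon stops undoing it.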
22) tar does not preserve SELinux contexts by default; to keep them, pass --selinux when creating the archive
[root@localhost Desktop]# ls -Z learn/
drwxr-xr-x. alex alex unconfined_u:object_r:user_home_t:s0 Cyclic_redundancy_check_files
-rw-rw-r--. alex alex unconfined_u:object_r:user_home_t:s0 Cyclic_redundancy_check.html
-rw-------. alex alex unconfined_u:object_r:user_home_t:s0 xapp209.pdf
[root@localhost Desktop]# tar --selinux -jcvf learn.tbz2 learn/
learn/
learn/Cyclic_redundancy_check.html
learn/xapp209.pdf
learn/Cyclic_redundancy_check_files/
learn/Cyclic_redundancy_check_files/poweredby_mediawiki_88x31.png
learn/Cyclic_redundancy_check_files/wikimedia-button.png
learn/Cyclic_redundancy_check_files/index_003.css
learn/Cyclic_redundancy_check_files/commonPrint.css
learn/Cyclic_redundancy_check_files/index.css
learn/Cyclic_redundancy_check_files/ajax.js
learn/Cyclic_redundancy_check_files/main_002.css
learn/Cyclic_redundancy_check_files/shared.css
learn/Cyclic_redundancy_check_files/index.js
learn/Cyclic_redundancy_check_files/centralnotice.js
learn/Cyclic_redundancy_check_files/wikibits.js
learn/Cyclic_redundancy_check_files/index_005.css
learn/Cyclic_redundancy_check_files/index_002.css
learn/Cyclic_redundancy_check_files/index_004.css
learn/Cyclic_redundancy_check_files/main.css
learn/Cyclic_redundancy_check_files/mwsuggest.js
learn/Cyclic_redundancy_check_files/index_002.js
[root@localhost /]# tar -jxvf learn.tbz2 
learn/
learn/Cyclic_redundancy_check.html
learn/xapp209.pdf
learn/Cyclic_redundancy_check_files/
learn/Cyclic_redundancy_check_files/poweredby_mediawiki_88x31.png
learn/Cyclic_redundancy_check_files/wikimedia-button.png
learn/Cyclic_redundancy_check_files/index_003.css
learn/Cyclic_redundancy_check_files/commonPrint.css
learn/Cyclic_redundancy_check_files/index.css
learn/Cyclic_redundancy_check_files/ajax.js
learn/Cyclic_redundancy_check_files/main_002.css
learn/Cyclic_redundancy_check_files/shared.css
learn/Cyclic_redundancy_check_files/index.js
learn/Cyclic_redundancy_check_files/centralnotice.js
learn/Cyclic_redundancy_check_files/wikibits.js
learn/Cyclic_redundancy_check_files/index_005.css
learn/Cyclic_redundancy_check_files/index_002.css
learn/Cyclic_redundancy_check_files/index_004.css
learn/Cyclic_redundancy_check_files/main.css
learn/Cyclic_redundancy_check_files/mwsuggest.js
learn/Cyclic_redundancy_check_files/index_002.js
[root@localhost /]# ls -Z learn
drwxr-xr-x. alex alex unconfined_u:object_r:user_home_t:s0 Cyclic_redundancy_check_files
-rw-rw-r--. alex alex unconfined_u:object_r:user_home_t:s0 Cyclic_redundancy_check.html
-rw-------. alex alex unconfined_u:object_r:user_home_t:s0 xapp209.pdf
If you do not want the archived contexts when extracting, or you want the extracted files labelled according to their new location, pipe tar's file list into /sbin/restorecon -f -
[root@localhost /]# tar -jxvf learn.tbz2 | /sbin/restorecon -f -
[root@localhost /]# ls -Z learn
drwxr-xr-x. alex alex system_u:object_r:default_t:s0   Cyclic_redundancy_check_files
-rw-rw-r--. alex alex system_u:object_r:default_t:s0   Cyclic_redundancy_check.html
-rw-------. alex alex system_u:object_r:default_t:s0   xapp209.pdf
23) To map a Linux user to a different SELinux user, use /usr/sbin/semanage login -a -s
/usr/sbin/semanage login -a -s user_u newuser
/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r\
s0-s0:c0.c1023 __default__
24) When an operation denied by SELinux has been logged, audit2allow -w -a produces a human-readable explanation of why it was denied. The -a option reads all audit messages, and -w produces the explanation. audit2allow must be run as the Linux root user so that it can read /var/log/audit/audit.log:
# audit2allow -w -a
type=AVC msg=audit(1226270358.848:238): avc:  denied  { write } for  pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
As shown above, the operation was denied because a Type Enforcement rule is missing.
Run audit2allow -a to see the Type Enforcement rule that would allow the denied operation:
# audit2allow -a
#============= certwatch_t ==============
allow certwatch_t var_t:dir write;
To use the rule displayed by audit2allow -a, run the audit2allow -a -M mycertwatch command as the Linux root user to create custom module. The -M option creates a Type Enforcement file (.te) with the name specified with -M, in your current working directory:
# audit2allow -a -M mycertwatch
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i mycertwatch.pp
# ls
mycertwatch.pp  mycertwatch.te
Also, audit2allow compiles the Type Enforcement rule into a policy package (.pp). To install the module, run the /usr/sbin/semodule -i mycertwatch.pp command as the Linux root user.
If you have multiple denials from multiple processes, but only want to create a custom policy for a single process, use the grep command to narrow down the input for audit2allow. The following example demonstrates using grep to only send denials related to certwatch through audit2allow:
# grep certwatch /var/log/audit/audit.log | audit2allow -M mycertwatch2
******************** IMPORTANT ***********************
To make the rule take effect, run:
# /usr/sbin/semodule -i mycertwatch2.pp
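The denial-to-rule step that audit2allow performs, rewritten as an added example (not from the page and not audit2allow's own code): it pulls scontext, tcontext, tclass and the permission set out of raw AVC records and merges them per (source type, target type, class), optionally filtered by comm= the way the grep above narrows the input to certwatch. It assumes the AVC record layout shown in step 24; the audit lines inside are constructed for the example.

```shell
# Constructed audit.log excerpt (not captured from a real host): three
# certwatch denials on var_t, one httpd denial on the samba_share_t file
# from step 7, and one non-AVC record that must be ignored.
AVC_SAMPLE='type=AVC msg=audit(1226270358.848:238): avc:  denied  { write } for  pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1226270360.101:239): avc:  denied  { add_name } for  pid=13349 comm="certwatch" name="certwatch.cache" scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1226270361.500:240): avc:  denied  { write } for  pid=13349 comm="certwatch" name="cache" scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1226270362.777:241): avc:  denied  { getattr } for  pid=2201 comm="httpd" path="/var/www/html/hello.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1226270362.777:241): arch=c000003e syscall=4 success=no exit=-13 comm="httpd"'

# avc_rules [COMM]: read audit records on stdin, keep "avc: denied" lines
# (only those with comm="COMM" when COMM is given) and print one
# "allow <source type> <target type>:<class> <perms>;" line per
# (source, target, class), merging the permissions of repeated denials.
# Review each printed rule before loading it: a denial is not automatically
# a policy bug (the 403 in step 7 above is the policy working as intended).
avc_rules() {
    awk -v want="$1" '
    /avc: +denied/ {
        comm = ""; st = ""; tt = ""; cls = ""; perms = ""
        # the permissions are the words between the braces: "{ write }"
        if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }   # user:role:TYPE:level
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (want != "" && comm != want) next
        key = st " " tt ":" cls
        if (!(key in seen)) { seen[key] = ""; keys[++n] = key }
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++)
            if (index(" " seen[key] " ", " " p[j] " ") == 0) seen[key] = seen[key] " " p[j]
    }
    END {
        for (k = 1; k <= n; k++) {
            key = keys[k]
            if (split(seen[key], p, " ") == 1) print "allow " key " " p[1] ";"
            else print "allow " key " {" seen[key] " };"
        }
    }'
}

# Equivalent of the grep | audit2allow pipeline above, on a live system:
#   avc_rules certwatch < /var/log/audit/audit.log
```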