Selinux

    xiaoxiao  2021-03-25

    1. What enabling SELinux does

    >Gives every process, and the files it works with, a security context (user:role:type:level); access is then allowed only where the policy lets that process type reach that file type, on top of the normal permission bits.

    2. When SELinux is disabled

    vim /etc/sysconfig/selinux

    SELinux configuration file (on RHEL 7 a symlink to /etc/selinux/config). SELINUX=enforcing: SELinux on and enforcing. SELINUX=permissive: SELinux on, but denials are only logged. SELINUX=disabled: SELinux off. A change to this file takes effect only after a reboot.

    getenforce

    Shows the current SELinux mode (Enforcing, Permissive or Disabled). setenforce 0 / setenforce 1 switches between Permissive and Enforcing at runtime, but cannot turn a disabled system on.

    [root@dchxmj linux1]# ls
    file1  linux1file1  pub
    [root@dchxmj linux1]# ls -Z
    -rw-r--r-- root root ?                                file1
    -rw-r--r-- root root ?                                linux1file1
    drwxrwxr-x root root ?                                pub
    [root@dchxmj linux1]#

    The "?" in the context column means the file carries no SELinux label at all: it was created while SELinux was disabled, so no security.selinux attribute was written. Such files stay unlabeled after SELinux is turned back on until the tree is relabeled (restorecon -R on the affected directory, or touch /.autorelabel followed by a reboot for the whole filesystem).

    Test:

    lftp IP -u username

    [kiosk@foundation30 Desktop]$ lftp 172.25.254.130 -u linux1
    Password:
    lftp linux1@172.25.254.130:~> ls
    -rw-r--r--    1 0        0               0 Feb 21 08:50 file1
    -rw-r--r--    1 0        0               0 Feb 21 07:40 linux1file1
    drwxrwxr-x    2 0        0               6 Feb 21 08:28 pub
    # every file is reachable: with SELinux off only the ordinary permission bits apply
    lftp linux1@172.25.254.130:/> ls -Z
    -rw-r--r--    1 0        0               0 Feb 21 08:50 file1
    -rw-r--r--    1 0        0               0 Feb 21 07:40 linux1file1
    drwxrwxr-x    2 0        0               6 Feb 21 08:28 pub
    lftp linux1@172.25.254.130:/> exit
    [kiosk@foundation30 Desktop]$

    3. When SELinux is enabled

    [root@localhost pub]# ls
    file1  linux  linux1
    [root@localhost pub]# ls -Z
    -rw-r--r--. root root unconfined_u:object_r:mnt_t:s0            file1
    drwxr-xr-x. root root unconfined_u:object_r:mnt_t:s0            linux
    -rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 linux1
    # files whose type does not fit the service (mnt_t here, where vsftpd is allowed public_content_t) cannot be accessed
    [root@localhost pub]#

    The dot after the permission bits marks an entry that has an SELinux context; the context itself reads user:role:type:level, and the type (mnt_t, public_content_t) is the part the policy decides on.

    Test:

    [kiosk@foundation30 Desktop]$ lftp 172.25.254.130
    lftp 172.25.254.130:~> ls
    drwxr-xr-x    3 0        0              43 Feb 21 09:07 pub
    lftp 172.25.254.130:/> cd pub/
    lftp 172.25.254.130:/pub> ls
    drwxr-xr-x    2 0        0               6 Feb 21 09:04 linux
    -rw-r--r--    1 0        0               0 Feb 21 09:05 linux1
    # file1, labeled mnt_t, is missing from the anonymous listing
    lftp 172.25.254.130:/pub> exit
    [kiosk@foundation30 Desktop]$
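An added check for the two listings above (the unlabeled "?" entries of section 2 and the mislabeled FTP tree of section 3), written for this page rather than taken from the original post: it parses `ls -Z` output, flags entries that either carry no label or the wrong type for the FTP tree, and prints the persistent fix. The sample listing, the expected type public_content_t and the path /var/ftp/pub are assumptions modelled on the page's own output.

```shell
#!/bin/sh
# Constructed `ls -Z` output modelled on the listings above (not captured from
# a live host): the /var/ftp/pub tree as shown with SELinux enabled, plus one
# entry carrying the "?" that a file created while SELinux was off shows.
SAMPLE_LS_Z='-rw-r--r--. root root unconfined_u:object_r:mnt_t:s0 file1
drwxr-xr-x. root root unconfined_u:object_r:mnt_t:s0 linux
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 linux1
-rw-r--r--  root root ? stale'

# check_labels TYPE: read `ls -Z` lines on stdin and classify every entry by
# the type field (third component of user:role:type:level) against TYPE.
# Prints "<status> <name> <context>", status being ok, wrong-type or unlabeled.
check_labels() {
    awk -v want="$1" '
    NF >= 5 {
        ctx = $4; name = $5
        if (ctx == "?") {
            status = "unlabeled"        # no xattr at all: created with SELinux off
        } else {
            n = split(ctx, c, ":")
            status = (n >= 3 && c[3] == want) ? "ok" : "wrong-type"
        }
        print status, name, ctx
    }'
}

# count_bad TYPE: number of entries on stdin that are not labeled TYPE.
count_bad() {
    check_labels "$1" | awk '$1 != "ok" { n++ } END { print n + 0 }'
}

# fix_commands TYPE DIR: the commands that make DIR's labels match TYPE and
# keep them that way. semanage records the rule in the policy store,
# restorecon applies it; -F also resets the user and role fields, not just
# the type. (chcon alone is lost at the next restorecon or relabel.)
fix_commands() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$1" "$2"
    printf 'restorecon -RvF %s\n' "$2"
}

# Stand-alone run: report on the sample tree, then show the fix if needed.
printf '%s\n' "$SAMPLE_LS_Z" | check_labels public_content_t
if [ "$(printf '%s\n' "$SAMPLE_LS_Z" | count_bad public_content_t)" -gt 0 ]; then
    fix_commands public_content_t /var/ftp/pub
fi
```

On a real host feed it with `ls -Z /var/ftp/pub | check_labels public_content_t`; the fix commands are printed rather than executed so that the semanage rule is reviewed before it becomes persistent policy.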

    4. How SELinux affects services

    (1) Files whose security context does not match the service's policy cannot be accessed.
    (2) Functionality considered risky is switched off by default and is gated by booleans.

    getsebool -a | grep ftp         # list the ftp-related booleans and their state
    setsebool -P ftp_home_dir on    # switch ftp_home_dir on; -P also writes it to the policy store so it survives a reboot (without -P it is lost at the next boot)

    vsftpd itself lets local users write by default, but while ftp_home_dir is off SELinux still refuses to let the ftpd_t process write into home directories, so the upload below fails with 553 until the boolean is on. Keep in mind what the boolean grants: the FTP daemon, a compromised one included, gets read and write access to every user's home directory, so enable it only where FTP into home directories is actually required. getsebool ftp_home_dir queries one boolean directly, and semanage boolean -l lists them with descriptions.

    [root@localhost ~]# getsebool -a | grep ftp
    ftp_home_dir --> off

    [root@foundation30 ~]# lftp 172.25.254.130 -u student
    Password:
    lftp student@172.25.254.130:~> ls
    -rw-r--r--    1 0        0               0 Feb 22 03:17 file2
    drwxr-xr-x    2 0        0               6 Feb 22 01:36 linux1
    lftp student@172.25.254.130:~> cd linux1/
    lftp student@172.25.254.130:~/linux1> put /etc/passwd
    put: Access failed: 553 Could not create file. (passwd)
    lftp student@172.25.254.130:~/linux1> exit

    [root@localhost ~]# setsebool -P ftp_home_dir on
    [root@localhost ~]# getsebool -a | grep ftp
    ftp_home_dir --> on

    [root@foundation30 ~]# lftp 172.25.254.130 -u student
    Password:
    lftp student@172.25.254.130:~> ls
    -rw-r--r--    1 0        0               0 Feb 22 03:17 file2
    drwxr-xr-x    2 0        0               6 Feb 22 01:36 linux1
    lftp student@172.25.254.130:~> put /etc/passwd
    2367 bytes transferred
    lftp student@172.25.254.130:~> exit
    [root@foundation30 ~]#

    5. Where SELinux logs are kept

    cat /var/log/audit/audit.log    # default location; denials are the type=AVC records containing "avc:  denied"
    setroubleshoot-server.x86_64    # the setroubleshootd service turns the raw denials in /var/log/audit/audit.log into readable explanations in /var/log/messages; sealert -a /var/log/audit/audit.log produces the same report on demand

    ausearch -m avc -ts recent pulls only the recent AVC records out of the audit log, and piping them into audit2why reports whether an existing boolean would already allow the access, which is worth checking before writing a custom policy module.

    [root@localhost ~]# yum search setroubleshoot
    Loaded plugins: langpacks
    ========================= N/S matched: setroubleshoot ==========================
    setroubleshoot-plugins.noarch : Analysis plugins for use with setroubleshoot
    setroubleshoot.x86_64 : Helps troubleshoot SELinux problems
    setroubleshoot-server.x86_64 : SELinux troubleshoot server

      Name and summary matches only, use "search all" for everything.
    [root@localhost ~]# yum install setroubleshoot-server.x86_64 -y
    cat /var/log/audit/audit.log
    cat /var/log/messages
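As an added example for sections 4 and 5 (not from the original post), a small summariser over audit.log AVC records: it groups denials by process, permission, source type, target type and object class, which is the shape of the question you ask before deciding between relabeling, a boolean, or a custom module. The audit lines are constructed to look like the vsftpd denial behind the 553 above; their timestamps, pids and inode numbers are assumptions, and the only boolean hint hard-coded is the ftp_home_dir case this page demonstrates.

```shell
#!/bin/sh
# Constructed audit.log excerpt (not captured from the page's host): vsftpd
# denied twice while writing into a home directory with ftp_home_dir off, once
# more while creating the uploaded file, one unrelated httpd denial, and one
# SYSCALL record that the summariser must skip.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1487734620.101:311): avc:  denied  { write } for  pid=2154 comm="vsftpd" name="linux1" dev="dm-0" ino=35068 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1487734620.101:311): arch=c000003e syscall=2 success=no exit=-13 a0=7f0c8c0a3d50 a1=41 a2=1b6 a3=0 items=0 ppid=2150 pid=2154 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1487734625.417:313): avc:  denied  { write } for  pid=2154 comm="vsftpd" name="linux1" dev="dm-0" ino=35068 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1487734633.220:314): avc:  denied  { create } for  pid=2154 comm="vsftpd" name="passwd" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1487734701.005:340): avc:  denied  { read } for  pid=987 comm="httpd" name="index.html" dev="dm-0" ino=40112 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_summary: read audit records on stdin, keep only AVC denials, and print
# one line per distinct (comm, permissions, source type, target type, class)
# with a count. The type is the third colon-separated field of a context.
avc_summary() {
    awk '
    /^type=AVC / && /denied +\{/ {
        perms = $0
        sub(/.*denied +\{ */, "", perms)     # permission set sits inside { }
        sub(/ *\}.*/, "", perms)
        comm = ""; stype = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, p, ":"); stype = p[3] }
            if ($i ~ /^tcontext=/) { split($i, p, ":"); ttype = p[3] }
            if ($i ~ /^tclass=/)   { tclass = $i; sub(/^tclass=/, "", tclass) }
        }
        key = comm " denied={" perms "} " stype " -> " ttype " class=" tclass
        count[key]++
    }
    END { for (k in count) print count[k] "x " k }' | LC_ALL=C sort
}

# avc_hint: read summary lines and append the next step. The only entry in this
# hand-maintained table is the ftp_home_dir case shown on this page (an
# assumption: real policy has many more); everything else is sent to audit2why,
# which reports the booleans that would have allowed the access.
avc_hint() {
    while IFS= read -r line; do
        case "$line" in
            *" ftpd_t -> user_home_t "*|*" ftpd_t -> user_home_dir_t "*)
                printf '%s\n    -> setsebool -P ftp_home_dir on (only if FTP into home directories is wanted)\n' "$line" ;;
            *)
                printf '%s\n    -> ausearch -m avc -ts recent | audit2why\n' "$line" ;;
        esac
    done
}

# Stand-alone run over the constructed excerpt.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_summary | avc_hint
```

On a live host the input would be `ausearch -m avc -ts recent | avc_summary`, and the grouped counts are what to compare against `sealert -a /var/log/audit/audit.log` before changing any boolean.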
    Please credit the original when reposting: https://ju.6miu.com/read-16206.html
