7--SELinux--Lab Document--my version




role

Part of SELinux is the Role-Based Access Control (RBAC) security model. The role is an attribute of RBAC. SELinux users are authorized for roles, and roles are authorized for domains. The role serves as an intermediary between domains and SELinux users. The roles that can be entered determine which domains can be entered; ultimately, this controls which object types can be accessed. This helps reduce vulnerability to privilege escalation attacks.

type

The type is an attribute of Type Enforcement. The type defines a domain for processes, and a type for files. SELinux policy rules define how types can access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.

level

The level is an attribute of MLS and MCS. An MLS range is a pair of levels, written as lowlevel-highlevel if the levels differ, or lowlevel if the levels are identical (s0-s0 is the same as s0). Each level is a sensitivity-category pair, with categories being optional. If there are categories, the level is written as sensitivity:category-set. If there are no categories, it is written as sensitivity.

If the category set is a contiguous series, it can be abbreviated. For example, c0.c3 is the same as c0,c1,c2,c3. The /etc/selinux/targeted/setrans.conf file maps levels (s0:c0) to human-readable form (that is CompanyConfidential). In Red Hat Enterprise Linux, targeted policy enforces MCS, and in MCS, there is just one sensitivity, s0. MCS in Red Hat Enterprise Linux supports 1024 different categories: c0 through to c1023. s0-s0:c0.c1023 is sensitivity s0 and authorized for all categories.

MLS enforces the Bell-La Padula Mandatory Access Model, and is used in Labeled Security Protection Profile (LSPP) environments. To use MLS restrictions, install the selinux-policy-mls package, and configure MLS to be the default SELinux policy. The MLS policy shipped with Red Hat Enterprise Linux omits many program domains that were not part of the evaluated configuration, and therefore, MLS on a desktop workstation is unusable (no support for the X Window System); however, an MLS policy from the upstream SELinux Reference Policy can be built that includes all program domains. For more information on MLS configuration, see Section 4.11, “Multi-Level Security (MLS)”.

Element: Use
Policy: A collection of rules that define which source has access to which target.
Source domain: The object that is trying to access a target. Typically a user or a process.
Target domain: The thing that a source domain is trying to access. Typically a file or port.
Context: A security label that is used to categorize objects in SELinux.
Rule: A specific part of the policy that determines which source domain has which access permissions to which target domain.
Labels: Same as context label, defined to determine which source domain has access to which target domain.

1. Viewing and configuring SELinux status

Location of the SELinux configuration file

[root@selinux ~]# ls /etc/selinux/config -l
-rw-r--r--. 1 root root 547 Jul 10 08:39 /etc/selinux/config

Contents of the SELinux configuration file

[root@selinux ~]# vi /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

SELinux operating status

[root@selinux ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[root@selinux ~]#

setenforce sets the SELinux run mode: 1 turns enforcement on (Enforcing), 0 turns it off (Permissive)

[root@selinux ~]# setenforce 0
[root@selinux ~]# getenforce
Permissive
[root@selinux ~]# setenforce 1
[root@selinux ~]# getenforce
Enforcing

2. Commands for viewing security contexts

File contexts can be viewed with ls -Z

[root@selinux ~]# ls /home/ -lZ
drwx------. jason jason unconfined_u:object_r:user_home_dir_t:s0 jason
[root@selinux ~]#

Process contexts can be viewed with ps -Z (or BSD-style, as below, ps auxZ)

[root@selinux ~]# ps auxZ | grep httpd
system_u:system_r:httpd_t:s0    root      13668  0.0  0.5 226128  5056 ?        Ss   11:06   0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0    apache    13677  0.0  0.3 228212  3140 ?        S    11:07   0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0    apache    13678  0.0  0.3 228212  3140 ?        S    11:07   0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0    apache    13679  0.0  0.3 228212  3140 ?        S    11:07   0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0    apache    13680  0.0  0.3 228212  3140 ?        S    11:07   0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0    apache    13681  0.0  0.3 228212  3140 ?        S    11:07   0:00 /usr/sbin/httpd -DFOREGROUND
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 13770 0.0  0.0 112644 948 pts/1 S+ 11:09   0:00 grep --color=auto httpd
[root@selinux ~]#

The current user's context can be viewed with id -Z

[root@selinux ~]# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

3. How the security context changes when files are copied and moved:

Take httpd as the example: the httpd process is allowed to access document objects under /var/www/html.

Create two test page files in /root (e.g. test1.html and test2.html)

[root@selinux ~]# ls -ldZ /root/
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 /root/
[root@selinux ~]# echo "this is test for test1.html" > /root/test1.html
[root@selinux ~]# echo "this is test for test2.html" > /root/test2.html
[root@selinux ~]# ls -lZ /root/test*html
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /root/test1.html
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /root/test2.html
[root@selinux ~]#

Copy test2.html into /var/www/html, and move (cut) test1.html into /var/www/html

[root@selinux ~]# mv /root/test1.html /var/www/html/
[root@selinux ~]# cp /root/test2.html /var/www/html/

Check the security contexts of the files in the html directory

[root@selinux ~]# ls -lZ /var/www/html/
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 test1.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 test2.html
[root@selinux ~]#

As shown, the moved file (test1.html) kept its original context unchanged, while the copied file (test2.html) inherited the context of the destination directory.

Access the two web pages through a browser

test2.html can be accessed, but access to test1.html is denied

Checking the permissions shows that the apache user has r permission on both files, yet access to test1.html is still denied.

[root@selinux ~]# ls /var/www/html/ -l
total 8
-rw-r--r--. 1 root root 28 Jul 19 11:11 test1.html
-rw-r--r--. 1 root root 28 Jul 19 11:13 test2.html
[root@selinux ~]#

The reason is that the httpd process is not allowed to access resources whose type label is admin_home_t, so SELinux denied the access.

Check the log /var/log/audit/audit.log

[root@selinux ~]# ps aux | grep httpd
root      13668  0.0  0.5 226128  5056 ?        Ss   11:06   0:00 /usr/sbin/httpd -DFOREGROUND
apache    13677  0.0  0.3 228348  3884 ?        S    11:07   0:00 /usr/sbin/httpd -DFOREGROUND
apache    13678  0.0  0.3 228212  3368 ?        S    11:07   0:00 /usr/sbin/httpd -DFOREGROUND
apache    13679  0.0  0.3 228348  3628 ?        S    11:07   0:00 /usr/sbin/httpd -DFOREGROUND
apache    13680  0.0  0.3 228348  3628 ?        S    11:07   0:00 /usr/sbin/httpd -DFOREGROUND
apache    13681  0.0  0.3 228212  3368 ?        S    11:07   0:00 /usr/sbin/httpd -DFOREGROUND
apache    14248  0.0  0.3 228212  3136 ?        S    11:16   0:00 /usr/sbin/httpd -DFOREGROUND
root      14432  0.0  0.0 112644   948 pts/1    R+   11:26   0:00 grep --color=auto httpd
[root@selinux ~]#

The log records also show that the httpd process was denied access to test1.html.

[root@selinux ~]# tail /var/log/audit/audit.log | grep httpd
type=AVC msg=audit(1468898414.527:903): avc:  denied  { getattr } for  pid=13679 comm="httpd" path="/var/www/html/test1.html" dev="dm-0" ino=201327593 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1468898414.527:903): arch=c000003e syscall=4 success=no exit=-13 a0=7f7e478af2c8 a1=7fff0e662070 a2=7fff0e662070 a3=7f7e3cd31792 items=0 ppid=13668 pid=13679 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1468898414.527:904): avc:  denied  { getattr } for  pid=13679 comm="httpd" path="/var/www/html/test1.html" dev="dm-0" ino=201327593 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1468898414.527:904): arch=c000003e syscall=6 success=no exit=-13 a0=7f7e478af3a8 a1=7fff0e662070 a2=7fff0e662070 a3=0 items=0 ppid=13668 pid=13679 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
[root@selinux ~]#

Because this file holds a large number of records and is inconvenient to read directly, audit2why and audit2allow can be used to interpret it

#audit2why
[root@selinux ~]# audit2why < /var/log/audit/audit.log
type=AVC msg=audit(1468079955.708:417): avc:  denied  { create } for  pid=12318 comm="gdm-session-wor" name=".cache" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

    Was caused by:
    The boolean polyinstantiation_enabled was set incorrectly.
    Description:
    Allow polyinstantiation to enabled

    Allow access by executing:
    # setsebool -P polyinstantiation_enabled 1
type=AVC msg=audit(1468290595.971:435): avc:  denied  { read } for  pid=13078 comm="ifconfig" path="/run/vmware-active-nics" dev="tmpfs" ino=46486 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file

    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1468290595.979:436): avc:  denied  { read } for  pid=13082 comm="ifconfig" path="/run/vmware-active-nics" dev="tmpfs" ino=46486 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file

    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

...//middle omitted
type=AVC msg=audit(1468898414.527:903): avc:  denied  { getattr } for  pid=13679 comm="httpd" path="/var/www/html/test1.html" dev="dm-0" ino=201327593 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

[root@selinux ~]#
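As an added example (not part of the original lab), the following Python script parses type=AVC records like those above into source type, target type, class and permissions, groups repeated denials, and prints the TE rule that audit2allow would generate for each group. Seeing httpd_t denied on admin_home_t content under /var/www/html makes the label mismatch obvious, and that case is fixed by relabeling rather than by loading a new allow rule. The sample log is constructed from the records shown on this page plus the ifconfig denial from the audit2why output.

```python
"""Triage SELinux AVC denials from audit.log (added example, not from the lab page)."""
import re
from collections import defaultdict

# Fixed prefix of an AVC record; the key=value tail after "for" is parsed separately.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<tail>.*)$'
)
# key=value pairs; values may be quoted ("httpd") or bare (dm-0, s0-s0:c0.c1023).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:range] context, or None."""
    if not ctx:
        return None
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one type=AVC line into a dict; any other record type returns None."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("tail"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        # file denials carry path=..., directory-entry denials carry name=...
        "path": fields.get("path") or fields.get("name"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "stype": context_type(fields.get("scontext")),
        "ttype": context_type(fields.get("tcontext")),
    }


def summarize_denials(lines):
    """Group denied AVCs by (source type, target type, class); most frequent first."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "paths": set(), "comms": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["count"] += 1
        g["perms"].update(rec["perms"])
        if rec["path"]:
            g["paths"].add(rec["path"])
        if rec["comm"]:
            g["comms"].add(rec["comm"])
    rows = []
    for (stype, ttype, tclass), g in groups.items():
        perms = sorted(g["perms"])
        rows.append({
            "stype": stype, "ttype": ttype, "tclass": tclass,
            "count": g["count"], "perms": perms,
            "paths": sorted(g["paths"]), "comms": sorted(g["comms"]),
            # The rule audit2allow would emit for this group. When the target label is
            # simply wrong (admin_home_t under /var/www/html), restorecon is the fix and
            # this rule should not be loaded; it is shown for reference only.
            "te_rule": "allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(perms)),
        })
    rows.sort(key=lambda r: -r["count"])
    return rows


# Constructed sample: the AVC/SYSCALL records from the lab's audit.log plus the
# ifconfig denial from its audit2why output.
SAMPLE_LOG = """\
type=AVC msg=audit(1468898414.527:903): avc:  denied  { getattr } for  pid=13679 comm="httpd" path="/var/www/html/test1.html" dev="dm-0" ino=201327593 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1468898414.527:903): arch=c000003e syscall=4 success=no exit=-13 a0=7f7e478af2c8 a1=7fff0e662070 a2=7fff0e662070 a3=7f7e3cd31792 items=0 ppid=13668 pid=13679 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1468898414.527:904): avc:  denied  { getattr } for  pid=13679 comm="httpd" path="/var/www/html/test1.html" dev="dm-0" ino=201327593 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1468290595.971:435): avc:  denied  { read } for  pid=13078 comm="ifconfig" path="/run/vmware-active-nics" dev="tmpfs" ino=46486 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
"""

if __name__ == "__main__":
    for r in summarize_denials(SAMPLE_LOG.splitlines()):
        print("%d x %s -> %s:%s %s paths=%s" % (
            r["count"], r["stype"], r["ttype"], r["tclass"], r["perms"], r["paths"]))
        print("    would need:", r["te_rule"])
```

On a real system, feed it the output of grep AVC /var/log/audit/audit.log and compare each group's target type with the label restorecon -nv would assign before deciding between relabeling and a policy change.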

The package that provides the audit2why and audit2allow tools

[root@selinux ~]# rpm -qf /bin/audit2why
policycoreutils-python-2.2.5-20.el7.x86_64
[root@selinux ~]# rpm -qf /bin/audit2allow
policycoreutils-python-2.2.5-20.el7.x86_64
[root@selinux ~]#

Another tool for collecting the logs SELinux produces is setroubleshoot; its package is

[root@selinux ~]# rpm -qf /sbin/setroubleshootd
setroubleshoot-server-3.2.24-1.1.el7.x86_64
[root@selinux ~]#

setroubleshoot writes its error messages to /var/log/messages

[root@selinux ~]# tail /var/log/messages | grep setroubleshoot
Jul 19 11:36:01 localhost setroubleshoot: failed to retrieve rpm info for /var/www/html/test1.html
Jul 19 11:36:01 localhost setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/test1.html. For complete SELinux messages. run sealert -l 5dfbbffe-6d2b-4945-93d8-0cc3ff229a38
Jul 19 11:36:06 localhost setroubleshoot: failed to retrieve rpm info for /var/www/html/test1.html
Jul 19 11:36:06 localhost setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/test1.html. For complete SELinux messages. run sealert -l 5dfbbffe-6d2b-4945-93d8-0cc3ff229a38
Jul 19 11:36:06 localhost setroubleshoot: failed to retrieve rpm info for /var/www/html/test1.html
Jul 19 11:36:06 localhost setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/test1.html. For complete SELinux messages. run sealert -l 5dfbbffe-6d2b-4945-93d8-0cc3ff229a38
[root@selinux ~]#

The message above says, in short, "SELinux is preventing httpd from accessing this file; to see the complete message, run the sealert command"

[root@selinux ~]# sealert -l 5dfbbffe-6d2b-4945-93d8-0cc3ff229a38
SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/test1.html.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label.
/var/www/html/test1.html default label should be httpd_sys_content_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/www/html/test1.html

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that httpd should be allowed getattr access on the test1.html file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:admin_home_t:s0
Target Objects                /var/www/html/test1.html [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          
Host                          localhost.localdomain
Source RPM Packages           httpd-2.4.6-40.el7.centos.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     selinux
Platform                      Linux selinux 3.10.0-327.el7.x86_64 #1 SMP Thu Nov
                              19 22:10:57 UTC 2015 x86_64 x86_64
Alert Count                   5
First Seen                    2016-07-19 11:20:14 CST
Last Seen                     2016-07-19 11:36:06 CST
Local ID                      5dfbbffe-6d2b-4945-93d8-0cc3ff229a38

Raw Audit Messages
type=AVC msg=audit(1468899366.426:925): avc:  denied  { getattr } for  pid=13678 comm="httpd" path="/var/www/html/test1.html" dev="dm-0" ino=201327593 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

type=SYSCALL msg=audit(1468899366.426:925): arch=x86_64 syscall=lstat success=no exit=EACCES a0=7f7e478af3a8 a1=7fff0e662070 a2=7fff0e662070 a3=0 items=0 ppid=13668 pid=13678 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,admin_home_t,file,getattr

[root@selinux ~]#

Detailed rules can be queried with sesearch [--allow] [-s source_type] [-t target_type] [-b boolean]

The sesearch command is provided by the following package

[root@selinux ~]# rpm -qf /bin/sesearch
setools-console-3.3.7-46.el7.x86_64
[root@selinux ~]#

Find all rules whose target resource type is httpd_sys_content_t

[root@selinux ~]# sesearch --allow -t httpd_sys_content_t
Found 684 semantic av rules:
   allow restorecond_t non_auth_file_type : file { ioctl read getattr lock relabelfrom relabelto open } ;
   allow restorecond_t non_auth_file_type : dir { ioctl read getattr lock relabelfrom relabelto search open } ;
   allow restorecond_t non_auth_file_type : lnk_file { getattr relabelfrom relabelto } ;
   allow restorecond_t non_auth_file_type : chr_file { getattr relabelfrom } ;
   allow restorecond_t non_auth_file_type : blk_file { getattr relabelfrom } ;
   allow restorecond_t non_auth_file_type : sock_file { getattr relabelfrom relabelto } ;
   allow restorecond_t non_auth_file_type : fifo_file { getattr relabelfrom relabelto } ;
   allow openshift_domain httpd_sys_content_t : file { ioctl read getattr lock open } ;
   allow openshift_domain httpd_sys_content_t : dir { ioctl read getattr lock search open } ;
   allow munin_t httpd_sys_content_t : dir { getattr search open } ;
   allow openshift_domain httpd_sys_content_t : lnk_file { read getattr } ;
...//middle omitted
   allow cluster_t file_type : lnk_file getattr ;
   allow smbd_t non_security_file_type : file { ioctl read getattr lock open } ;
   allow smbd_t non_security_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow smbd_t non_security_file_type : dir { ioctl read getattr lock search open } ;
   allow smbd_t non_security_file_type : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
   allow smbd_t non_security_file_type : lnk_file { read getattr } ;
   allow smbd_t non_security_file_type : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ;
   allow rsync_t non_auth_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow rsync_t non_auth_file_type : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
   allow rsync_t non_auth_file_type : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ;
   allow rsync_t non_auth_file_type : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow rsync_t non_auth_file_type : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow httpd_suexec_t httpdcontent : file { read getattr execute open } ;
   allow guest_t httpdcontent : file { read getattr execute open } ;
   allow rsync_t non_security_file_type : file { ioctl read getattr lock open } ;
   allow rsync_t non_security_file_type : dir { ioctl read getattr lock search open } ;
   allow rsync_t non_security_file_type : lnk_file { read getattr } ;

[root@selinux ~]#

Each line of the output above has the form [allow source_type target_type : class { permissions }], which tells you which source (process) types may access this resource type and with which permissions.

Find all rules whose source type is httpd_t

[root@selinux ~]# sesearch -s httpd_t --allow
...//omitted
   allow httpd_t nfs_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ;
   allow httpd_t node_t : tcp_socket node_bind ;
   allow httpd_t node_t : udp_socket node_bind ;
   allow httpd_t node_t : node { tcp_recv tcp_send udp_recv udp_send recvfrom sendto } ;
   allow httpd_t saslauthd_var_run_t : dir { getattr search open } ;
   allow httpd_t saslauthd_var_run_t : sock_file { write getattr append open } ;
   allow nsswitch_domain dirsrv_var_run_t : dir { getattr search open } ;
   allow nsswitch_domain dirsrv_var_run_t : sock_file { write getattr append open } ;
   allow httpd_t spamc_t : process transition ;
   allow httpd_t sysfs_t : filesystem getattr ;
   allow httpd_t sysfs_t : dir { getattr search open } ;
   allow httpd_t tmpfs_t : dir { getattr search open } ;
   allow httpd_t tmpfs_t : dir { getattr search open } ;
   allow httpd_t zoneminder_script_t : process transition ;
   allow httpd_t dirsrvadmin_ra_content_t : file { ioctl read create getattr lock append open } ;
   allow httpd_t dirsrvadmin_ra_content_t : dir { ioctl write getattr lock add_name search open } ;
   allow httpd_t dirsrvadmin_ra_content_t : lnk_file { read getattr } ;
   allow httpd_t dirsrvadmin_rw_content_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow httpd_t dirsrvadmin_rw_content_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
   allow httpd_t zoneminder_script_t : unix_dgram_socket sendto ;
   allow httpd_t dirsrvadmin_rw_content_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ;
   allow httpd_t dirsrvadmin_rw_content_t : sock_file { read write getattr append open } ;
   allow domain device_t : dir { getattr search open } ;
   allow httpd_t gopher_port_t : tcp_socket name_connect ;
   allow domain sysadm_t : process sigchld ;
   allow httpd_t postfix_spool_t : file { ioctl read write getattr lock append open } ;
   allow httpd_t postfix_spool_t : dir { getattr search open } ;
   allow httpd_t smokeping_cgi_script_t : process transition ;
   allow httpd_t smokeping_cgi_script_t : unix_dgram_socket sendto ;
   allow nsswitch_domain init_var_run_t : dir { getattr search open } ;
   allow nsswitch_domain init_var_run_t : dir { getattr search open } ;
   allow httpd_t webalizer_script_exec_t : file { read getattr execute open } ;
   allow httpd_t squid_client_packet_t : packet { send recv } ;
   allow httpd_t nutups_cgi_script_t : process transition ;
   allow httpd_t man2html_script_exec_t : file { read getattr execute open } ;
   allow httpd_t passenger_exec_t : file { read getattr execute open } ;
   allow httpd_t nutups_cgi_script_t : unix_dgram_socket sendto ;
   allow nsswitch_domain nscd_var_run_t : dir { getattr search open } ;
   allow nsswitch_domain nscd_var_run_t : dir { ioctl read getattr lock search open } ;
   allow nsswitch_domain nscd_var_run_t : sock_file { write getattr append open } ;
   allow nsswitch_domain nscd_var_run_t : sock_file { read write getattr append open } ;
   allow nsswitch_domain pcscd_var_run_t : dir { getattr search open } ;
   allow domain proc_t : dir { getattr search open } ;
   allow httpd_t httpd_user_ra_content_t : file { ioctl read create getattr lock append open } ;
   allow httpd_t httpd_user_ra_content_t : dir { ioctl write getattr lock add_name search open } ;
   allow nsswitch_domain pcscd_var_run_t : sock_file { write getattr append open } ;
   allow httpd_t httpd_user_ra_content_t : lnk_file { read getattr } ;
   allow httpd_t httpd_user_rw_content_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow httpd_t httpd_user_rw_content_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
   allow httpd_t httpd_user_rw_content_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ;
   allow httpd_t httpd_user_rw_content_t : sock_file { read write getattr append open } ;
   allow httpd_t w3c_validator_ra_content_t : file { ioctl read create getattr lock append open } ;
   allow httpd_t w3c_validator_ra_content_t : dir { ioctl write getattr lock add_name search open } ;
   allow httpd_t w3c_validator_ra_content_t : lnk_file { read getattr } ;
   allow httpd_t w3c_validator_rw_content_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow httpd_t w3c_validator_rw_content_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
   allow httpd_t w3c_validator_rw_content_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ;
   allow httpd_t w3c_validator_rw_content_t : sock_file { read write getattr append open } ;
   allow nsswitch_domain slapd_var_run_t : dir { getattr search open } ;
   allow nsswitch_domain slapd_var_run_t : sock_file { write getattr append open } ;
   allow httpd_t keystone_cgi_ra_content_t : file { ioctl read create getattr lock append open } ;
   allow httpd_t keystone_cgi_ra_content_t : dir { ioctl write getattr lock add_name search open } ;
   allow httpd_t keystone_cgi_ra_content_t : lnk_file { read getattr } ;
   allow httpd_t keystone_cgi_rw_content_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow httpd_t keystone_cgi_rw_content_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
   allow httpd_t keystone_cgi_rw_content_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ;
   allow httpd_t keystone_cgi_rw_content_t : sock_file { read write getattr append open } ;
   allow daemon daemon : unix_stream_socket connectto ;
   allow httpd_t bugzilla_script_exec_t : file { read getattr execute open } ;
   allow httpd_t mythtv_port_t : tcp_socket name_connect ;
   allow nsswitch_domain ephemeral_port_t : tcp_socket { name_bind name_connect } ;
   allow nsswitch_domain ephemeral_port_t : udp_socket name_bind ;
   allow httpd_t squid_script_t : process transition ;

From the data above you can see which resource types the httpd_t domain is allowed to access.

How do we solve the problem above?

The solution is to change the context of test1.html. There are two ways:

* one is to use restorecon (restore context) to restore the default context the file should inherit from its directory;
* the other is to use chcon (change context) to modify the current context directly.

a. Using restorecon (restore context) to restore the directory's default context takes two steps:


First, register the default label type for all files under /var/www/html:

semanage fcontext -a -t httpd_sys_content_t '/var/www/html(/.*)?'

Because the default label type for the html directory is already httpd_sys_content_t, this step can be skipped.


Then relabel the existing files with the new label type:

restorecon -Rv /var/www/html/

After that, httpd can access the files in the directory.

[root@selinux ~]# restorecon -Rv /var/www/html/
restorecon reset /var/www/html/test1.html context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
[root@selinux ~]#
[root@selinux ~]# ls /var/www/html/* -Z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/test1.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/test2.html
[root@selinux ~]#

The semanage and restorecon commands are provided by the following packages

[root@selinux ~]# rpm -qf /sbin/semanage
policycoreutils-python-2.2.5-20.el7.x86_64
[root@selinux ~]# rpm -qf /sbin/restorecon
policycoreutils-2.2.5-20.el7.x86_64

b. Using chcon (change context) to modify the current context

[root@selinux ~]# chcon -t admin_home_t /var/www/html/test2.html
[root@selinux ~]# ls /var/www/html/test2.html
/var/www/html/test2.html
[root@selinux ~]# ls /var/www/html/test2.html -Z
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/test2.html
[root@selinux ~]# chcon -t httpd_sys_content_t /var/www/html/test2.html
[root@selinux ~]# ls /var/www/html/test2.html -Z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/test2.html
[root@selinux ~]#

Note:

* chcon means change context
* -t type
* -R recursive (especially useful for changing the context of all files under a directory)
* -u user
* -r role

* --reference sets the context of test2.html to that of test1.html:

[root@selinux ~]# chcon -t admin_home_t /var/www/html/test2.html
[root@selinux ~]# ls /var/www/html/test2.html -Z
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/test2.html
[root@selinux ~]# chcon --reference=/var/www/html/test1.html /var/www/html/test2.html
[root@selinux ~]# ls /var/www/html/test2.html -Z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/test2.html
[root@selinux ~]#

4. Booleans

Finally, one more concept: SELinux booleans. A boolean works like a switch: when it is on, the accesses it governs are allowed; when it is off, they are denied.

List the available booleans

[root@selinux ~]# getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
auditadm_exec_content --> on
authlogin_nsswitch_use_ldap --> off
authlogin_radius --> off
authlogin_yubikey --> off
awstats_purge_apache_log_files --> off
boinc_execmem --> on
cdrecord_read_content --> off
cluster_can_network_connect --> off
....//middle omitted
xguest_connect_network --> on
xguest_exec_content --> on
xguest_mount_media --> on
xguest_use_bluetooth --> on
xserver_clients_write_xshm --> off
xserver_execmem --> off
xserver_object_manager --> off
zabbix_can_network --> off
zarafa_setrlimit --> off
zebra_write_config --> off
zoneminder_anon_write --> off
zoneminder_run_sudo --> off
[root@selinux ~]#

semanage boolean -l

[root@selinux ~]# semanage boolean -l
SELinux boolean                State  Default Description

ftp_home_dir                   (off  ,  off)  Allow ftp to home dir
smartmon_3ware                 (off  ,  off)  Allow smartmon to 3ware
mpd_enable_homedirs            (off  ,  off)  Allow mpd to enable homedirs
xdm_sysadm_login               (off  ,  off)  Allow xdm to sysadm login
xen_use_nfs                    (off  ,  off)  Allow xen to use nfs
mozilla_read_content           (off  ,  off)  Allow mozilla to read content
ssh_chroot_rw_homedirs         (off  ,  off)  Allow ssh to chroot rw homedirs
mount_anyfile                  (on   ,   on)  Allow mount to anyfile
cron_userdomain_transition     (on   ,   on)  Allow cron to userdomain transition
icecast_use_any_tcp_ports      (off  ,  off)  Allow icecast to use any tcp ports
openvpn_can_network_connect    (on   ,   on)  Allow openvpn to can network connect
zoneminder_anon_write          (off  ,  off)  Allow zoneminder to anon write
minidlna_read_generic_user_content (off  ,  off)  Allow minidlna to read generic user content
spamassassin_can_network       (off  ,  off)  Allow spamassassin to can network
gluster_anon_write             (off  ,  off)  Allow gluster to anon write
deny_ptrace                    (off  ,  off)  Allow deny to ptrace
selinuxuser_execmod            (on   ,   on)  Allow selinuxuser to execmod
httpd_can_network_relay        (off  ,  off)  Allow httpd to can network relay
...//middle omitted
domain_fd_use                  (on   ,   on)  Allow domain to fd use
virt_read_qemu_ga_data         (off  ,  off)  Allow virt to read qemu ga data
virt_use_samba                 (off  ,  off)  Allow virt to use samba
cluster_use_execmem            (off  ,  off)  Allow cluster to use execmem
nfs_export_all_ro              (on   ,   on)  Allow nfs to export all ro
cron_can_relabel               (off  ,  off)  Allow cron to can relabel
sftpd_anon_write               (off  ,  off)  Allow sftpd to anon write
[root@selinux ~]#

Once you know a boolean's name, sesearch shows which rules it controls. For example, httpd_enable_homedirs enables the rules below; if it is set to off, none of these accesses are allowed.

[root@selinux ~]# sesearch -b httpd_enable_homedirs --allow
Found 43 semantic av rules:
   allow httpd_sys_script_t user_home_dir_t : dir { getattr search open } ;
   allow httpd_sys_script_t user_home_dir_t : lnk_file { read getattr } ;
   allow httpd_user_script_t home_root_t : dir { ioctl read getattr lock search open } ;
   allow httpd_user_script_t home_root_t : lnk_file { read getattr } ;
   allow httpd_user_script_t user_home_type : dir { getattr search open } ;
   allow httpd_user_script_t user_home_type : lnk_file { read getattr } ;
   allow httpd_sys_script_t autofs_t : dir { ioctl read getattr lock search open } ;
   allow httpd_sys_script_t cifs_t : file { ioctl read getattr lock open } ;
   allow httpd_sys_script_t cifs_t : dir { ioctl read getattr lock search open } ;
   allow httpd_sys_script_t cifs_t : lnk_file { read getattr } ;
   allow httpd_sys_script_t nfs_t : file { ioctl read getattr lock open } ;
   allow httpd_sys_script_t nfs_t : dir { ioctl read getattr lock search open } ;
   allow httpd_sys_script_t nfs_t : lnk_file { read getattr } ;
   allow httpd_user_script_t user_home_dir_t : dir { getattr search open } ;
   allow httpd_user_script_t user_home_dir_t : lnk_file { read getattr } ;
   allow httpd_suexec_t home_root_t : dir { ioctl read getattr lock search open } ;
   allow httpd_suexec_t home_root_t : lnk_file { read getattr } ;
   allow httpd_suexec_t user_home_type : dir { getattr search open } ;
   allow httpd_suexec_t user_home_type : lnk_file { read getattr } ;
   allow httpd_t home_root_t : dir { ioctl read getattr lock search open } ;
   allow httpd_t home_root_t : lnk_file { read getattr } ;
   allow httpd_suexec_t user_home_dir_t : dir { getattr search open } ;
   allow httpd_suexec_t user_home_dir_t : lnk_file { read getattr } ;
   allow httpd_t user_home_type : dir { getattr search open } ;
   allow httpd_t user_home_type : lnk_file { read getattr } ;
   allow httpd_t user_home_dir_t : dir { getattr search open } ;
   allow httpd_t user_home_dir_t : lnk_file { read getattr } ;
   allow httpd_suexec_t autofs_t : dir { ioctl read getattr lock search open } ;
   allow httpd_suexec_t cifs_t : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow httpd_suexec_t cifs_t : dir { ioctl read getattr lock search open } ;
   allow httpd_suexec_t cifs_t : lnk_file { read getattr } ;
   allow httpd_suexec_t nfs_t : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow httpd_suexec_t nfs_t : dir { ioctl read getattr lock search open } ;
   allow httpd_suexec_t nfs_t : lnk_file { read getattr } ;
   allow httpd_t autofs_t : dir { ioctl read getattr lock search open } ;
   allow httpd_t cifs_t : file { ioctl read getattr lock open } ;
   allow httpd_t cifs_t : dir { ioctl read getattr lock search open } ;
   allow httpd_t cifs_t : lnk_file { read getattr } ;
   allow httpd_t nfs_t : file { ioctl read getattr lock open } ;
   allow httpd_t nfs_t : dir { ioctl read getattr lock search open } ;
   allow httpd_t nfs_t : lnk_file { read getattr } ;
   allow httpd_sys_script_t home_root_t : dir { getattr search open } ;
   allow httpd_sys_script_t home_root_t : lnk_file { read getattr } ;

[root@selinux ~]#

Set a boolean value; -P makes the change persistent across reboots.

# setsebool [-P] <boolean> on/off

Now let us look at an example involving a boolean.

Confirm that SELinux is enabled and start FTP:

[root@selinux ~]# ps -efZ | grep vsftpd
system_u:system_r:ftpd_t:s0-s0:c0.c1023 root 52106   1  0 12:02 ?        00:00:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 52557 51580  0 12:04 pts/2 00:00:00 grep --color=auto vsftpd
[root@selinux ~]#

Create two files in the anonymous-access directory for testing. The first is created directly in that directory, so it inherits the directory context of /var/ftp/pub. The second is moved there with mv from the root home directory; a file moved this way keeps the security context it had under /root, as shown below:

[root@selinux ftp]# cd pub
[root@selinux pub]# echo "this test is test boolean" > test1.txt
[root@selinux pub]# cd /root
[root@selinux ~]# echo "this text is from root" > test2.txt
[root@selinux ~]# which ftp
/usr/bin/which: no ftp in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
[root@selinux ~]#
[root@selinux ~]# mv test2.txt /var/ftp/pub
[root@selinux pub]# ls -Z
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 test1.txt
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 test2.txt
[root@selinux pub]#

使用匿名登录测试:

[root@selinux pub]# ftp 192.168.142.161
Connected to 192.168.142.161 (192.168.142.161).
220 (vsFTPd 3.0.2)
Name (192.168.142.161:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,142,161,140,54).
150 Here comes the directory listing.
-rw-r--r--    1 0        0              26 Jul 19 04:05 test1.txt
226 Directory send OK.
ftp>

Notice that test2.txt, the file moved from root, is not visible here.

We know that SELinux is enabled, so first check the system logs. Two tools collect the logs that SELinux produces: setroubleshoot and audit. Start with audit. The system provides audit-related commands, the most commonly used being audit2why and audit2allow. Run audit2why over the log that audit produces:

[root@selinux pub]# audit2why < /var/log/audit/audit.log
...// omitted
type=AVC msg=audit(1468929713.186:1569): avc:  denied  { getattr } for  pid=53302 comm="vsftpd" path="/pub/test2.txt" dev="dm-0" ino=201346124 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

    Was caused by:
    The boolean ftpd_full_access was set incorrectly.
    Description:
    Allow ftpd to full access

    Allow access by executing:
    # setsebool -P ftpd_full_access 1
[root@selinux pub]#

From the above output, the fix is:

setsebool -P ftpd_full_access 1

audit2allow

[root@selinux pub]# audit2allow < /var/log/audit/audit.log

#============= ftpd_t ==============

#!!!! This avc can be allowed using the boolean 'ftpd_full_access'
allow ftpd_t admin_home_t:file getattr;

#============= httpd_t ==============
allow httpd_t admin_home_t:file getattr;

#============= ifconfig_t ==============
allow ifconfig_t var_run_t:file read;

#============= unconfined_t ==============
allow unconfined_t self:capability2 mac_admin;

#============= xdm_t ==============

#!!!! This avc can be allowed using the boolean 'polyinstantiation_enabled'
allow xdm_t admin_home_t:dir create;
[root@selinux pub]#

The same conclusion appears here: "This avc can be allowed using the boolean 'ftpd_full_access'", followed by the rule "allow ftpd_t admin_home_t:file getattr".

Verify the FTP-related booleans:
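To make the relationship between an AVC denial and the rule audit2allow prints concrete, here is a small added example (not part of the original lab, and not the audit2allow implementation) that parses denial lines in the format shown above into "allow source target:class perm;" form; the SAMPLE_AVC log lines are constructed, modelled on the vsftpd denial in this lab.

```shell
#!/bin/sh
# Added example: rewrite AVC denial lines from audit.log into audit2allow-style
# allow rules, so the denied source type, target type, class and permissions
# can be read at a glance before deciding whether a boolean (setsebool -P) or
# a custom policy module is the right fix. Not the real audit2allow.

# Constructed sample log lines modelled on the denial shown in this lab.
SAMPLE_AVC='type=AVC msg=audit(1468929713.186:1569): avc:  denied  { getattr } for  pid=53302 comm="vsftpd" path="/pub/test2.txt" dev="dm-0" ino=201346124 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1468929713.186:1569): arch=c000003e syscall=4 success=no exit=-13
type=AVC msg=audit(1468929720.001:1570): avc:  denied  { read open } for  pid=53310 comm="httpd" path="/root/test3.txt" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file'

# avc_to_allow: read audit lines on stdin, print one allow rule per AVC denial.
# A context is user:role:type[:level], so the type is the third colon field
# of scontext/tcontext. Several permissions are emitted as a { ... } set.
avc_to_allow() {
    grep 'avc: *denied' | sed -n \
        's/.*denied *{ \([^}]*\) } .*scontext=[^:]*:[^:]*:\([^: ]*\).*tcontext=[^:]*:[^:]*:\([^: ]*\).*tclass=\([^ ]*\).*/\2 \3 \4 \1/p' |
    while read -r stype ttype tclass perms; do
        case "$perms" in
            *' '*) printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$perms" ;;
            *)     printf 'allow %s %s:%s %s;\n' "$stype" "$ttype" "$tclass" "$perms" ;;
        esac
    done
}

# avc_rules_for_sample: run the converter over the constructed sample log.
avc_rules_for_sample() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
}

# Usage on a real system would be: avc_to_allow < /var/log/audit/audit.log
avc_rules_for_sample
```

Unlike audit2allow, this helper cannot tell you that a rule is already covered by a boolean such as ftpd_full_access; that knowledge comes from the loaded policy, which is why the lab still runs getsebool and audit2why.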

[root@selinux pub]# getsebool -a | grep ftp
ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@selinux pub]#

Here we can see "ftpd_full_access --> off".

Set ftpd_full_access to on permanently:

[root@selinux pub]# setsebool -P ftpd_full_access 1
[root@selinux pub]# getsebool -a | grep ftp
ftp_home_dir --> on
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> on
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@selinux pub]#

Verify the result of the change:

[root@selinux pub]# ftp 192.168.142.161
Connected to 192.168.142.161 (192.168.142.161).
220 (vsFTPd 3.0.2)
Name (192.168.142.161:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,142,161,25,5).
150 Here comes the directory listing.
-rw-r--r--    1 0        0              26 Jul 19 04:05 test1.txt
-rw-r--r--    1 0        0              23 Jul 19 04:05 test2.txt
226 Directory send OK.
ftp>

Now test2.txt is accessible.

(-P writes the change to the policy store, so it remains in effect after the next boot.)

To summarize: if you have set up a server and clients cannot access it normally, troubleshoot in the following order:

* 1. Whether the service's own configuration file grants the relevant permission, for example whether anonymous users are allowed to write;
* 2. Filesystem permissions, for example whether chmod is needed to adjust them;
* 3. SELinux contexts and booleans.
