In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-03-31 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >
Share
Shulou(Shulou.com)06/02 Report--
1. When is Selinux?
Selinux, kernel-level enhanced firewall
SElinux is a mandatory access control (MAC) security system, and it is the most outstanding new security system in the history of linux. For the linux security module, the function of SElinux is the most comprehensive, and the testing is the most thorough. It is a kernel-based security system.
Three modes of Selinux
Enforcing Enforcement (Enforcement Mode)-SELinux policy enforcement that grants or denies principal access to the target based on SELinux policy rules
Permissive tolerance (warning mode)-the SELinux policy is not enforced and access is not actually denied, but denied information is written to the log
Disabled disabled (off mode)-completely disable SELinux
two。 How to manage selinux levels
Selinux on or off
Change "SELINUX=enforcing" to "SELINUX=disabled" under the configuration file "/ etc/sysconfig/selinux". Because SElinux is a kernel-based security system, you need to restart the kernel after setup, that is, you need to restart the computer to take effect.
Vim / etc/sysconfig/selinux
Selinux=disabled # # off status
Selinux=Enforcing # # mandatory status
Selinux=Permissive # # warning status
Selinux on or off
Getenforce # # View status
When selinux is turned on, "setenforce" can set the state of SElinux, but only 0 and 1 can be set, that is, warning mode or enforcement mode.
Setenforce 0 | 1 # # change the running level of selinux
3. How to change the file security context
View security context): SElinux leaves context identifiers on directories and files
Ls-Z
Temporary changes)
Chcon-t security context file
Chcon-t public_content_t / publicftp-R
Permanent change)
Semanage fcontext-l # # list the contents of kernel security context list
Semanage fcontext-a-t public_content_t'/ publicftp (/. *)?'
Restorecon-FvvR / publicftp/
4. How to control the switch of selinux to service function
Getsebool-a | grep service name
Getsebool-a | grep ftp
Setsebool-P function Bool value on | off
Setsebool-P ftpd_anon_write on
The impact of SElinux on servic
SElinux is the most comprehensive security system, so there are certain restrictions on files and services. The following services take ftp as an example. SElinux will make a context identification on the file, as shown in the following figure, create the file "file" under "/ mnt" and "/ var/ftp/pub" respectively, and enter "ls-Z" to view the file identity. As you can see, "/ mnt/file" is "mnt_t" and "/ var/ftp/pub/file" is marked "public_content_t", which causes "/ mnt/file" to be moved into the "/ var/ftp/pub" directory, and the connection lftp cannot see the file.
SElinux forbids the use of some dangerous functions for the security of the system. You can type "getsebool-a | grep ftp" to see which functions of the ftp service are disabled. As shown in the following figure, enter "setsebool-P function on | off" to control the switch of these functions.
5. Monitor error messages for selinux
Setroubleshoot-server
Project case 1: management of httpd Service shared File Security context
* * do experiments with selinux on
Yum install httpd-y
Systemctl start httpd
Systemctl enable httpd
Systemctl stop firewalld
Systemctl disable firewalld
Hostname > / var/www/html/hello.html
Date +% F > / mnt/westos.html
Mv / mnt/westos.html / var/www/html/
Phenomenon 1: users can access hello.html files through browsers, but can not access westos.html files. How to solve the problem? Because the security context of the file is different.
Ls-Z / var/www/html/
Chcon-t httpd_sys_content_t / var/www/html/westos.html # temporarily modifies the security context and expires after restart
Semanage fcontext-l # View the default security context information of the system
Semanage fcontext-a-t httpd_sys_content_t / var/www/html/westos.html # permanently modify the security context of the file to the system
Restorecon-FvvR / var/www/html/ # refresh directory and reread security context
Project case 2: management of vsftpd Service shared File Security context
Project case 3: management of files uploaded by vsftpd service (when selinux is enabled)
Vim / etc/vsftpd/vsftpd.conf
Anon_upload_enable=YES
Turn on the switch of selinux to service function
Setsebool-P ftpd_anon_write on
Setsebool-P ftpd_full_access on
Restart the service
Systemctl restart vsftpd
Project case 4: how to manage / handle error messages in Selinux
1)。 Warning log information file for Selinux: / var/log/audit/audit.log
Selinux's warning log letter analyzes the storage location of the solution: / var/log/messages
2)。 Implement selinux warning analysis and give the software name of the solution: rpm-qa | grep setroubleshoot-server
3)。 Test procedure
1 > / var/log/messages
2 > / var/log/audit/audit.log
3 ifconfig | less
4 setsebool-a | grep ftp
5 getsebool-a | grep ftp
6 less / var/log/audit/audit.log View Log File
7 rpm-qa | grep setroubleshoot-server
8 less / var/log/messages
9 yum install httpd-y
10 systemctl start httpd
11 systemctl enable httpd
12 rpm-qc httpd
13 vim / etc/httpd/conf/httpd.conf@@br/ > @ @
@ @
14 systemctl restart httpd
15 less / var/log/messages
16 semanage port-a-t http_port_t-p tcp 6666
17 semanage port-l | grep http
18 systemctl restart httpd
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 0
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
"Every 5-10 years, there's a rare product, a really special, very unusual product that's the most un
© 2024 shulou.com SLNews company. All rights reserved.