Selinux 基于SAMBA 需要修改的内容
[[email protected] pub]# mkdir /ccc
[[email protected] pub]# chmod 777 /ccc
[[email protected] pub]# ls -Z /etc/samba/
-rw-r--r--. root root system_u:object_r:samba_etc_t:s0 lmhosts
-rw-r--r--. root root system_u:object_r:samba_etc_t:s0 smb.conf
-rw-r--r--. root root system_u:object_r:samba_etc_t:s0 smbusers
[[email protected] pub]# ll -Z /ccc/
drwxr-xr-x. nobody nobody unconfined_u:object_r:default_t:s0 /ccc
[[email protected] pub]# chcon -u system_u /ccc/
[[email protected] pub]# chcon -t samba_etc_t /ccc/
[[email protected] pub]# ll -Zd /ccc/
drwxrwxrwx. root root system_u:object_r:samba_etc_t:s0 ccc
同時需要開啟布爾值
[[email protected] /]# getsebool -a | grep samba
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
use_samba_home_dirs --> off
virt_use_samba --> off
[[email protected] /]# setsebool -P
Usage: setsebool [ -P ] boolean value | bool1=val1 bool2=val2...
[[email protected] /]# setsebool -P samba_enable_home_dirs on
[[email protected] /]# setsebool -P samba_export_all_rw 1
SElinux 基于 APACHE 的政策
1. 關閉iptables
# service iptables status
iptables: Firewall is running.
# service iptables stop
2. 啟動Selinux
[[email protected] ~]# cat /etc/sysconfig/selinux | grep “SELINUX=”
SELINUX=enforcing
3. 安裝httpd服務
#yum -y install httpd
4. 修改httpd配置檔案
# cd /etc/httpd/conf/
# cp httpd.conf httpd.conf.bak
# vim httpd.conf
5. 啟動httpd服務
# service httpd start
#修改一行
ServerName localhost:80
6. 測試【1】
7. 建立新的web目錄
#mkdir /www
#cd /www/
# echo '<h1>This is test web</h1>' > index.html
8. 删除apache的歡迎頁面,重新啟動httpd服務
#rm -rf /etc/httpd/conf.d/welcome.conf
#service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
9. 測試【2】
10. 使用新建立的web頁面
# vim /etc/httpd/conf/httpd.conf
#修改一下兩行
DocumentRoot "/www"
<Directory "/www">
11. 重新加載配置檔案
# service httpd reload
12. 測試【3】
13. 為什麼會沒有權限呢?
這個時候我們關閉selinux,在來繼續通路
#setenforce 0
#getenforce
Permissive
14. 測試【4】
看來真是selinux的問題,我們開啟selinux ,然後通過修改selinux對檔案的屬性來通路服務
# setenforce 1
# getenforce
Enforcing
16.檢視檔案對應的selinux屬性值
#ls -Z
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 index.html
17. 通過chcon修改對應的屬性值
# chcon --help |less
Usage: chcon [OPTION]... CONTEXT FILE...
or: chcon [OPTION]... [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE...
or: chcon [OPTION]... --reference=RFILE FILE...
Change the SELinux security context of each FILE to CONTEXT.
[[email protected] www]# ls -Z /var/www/
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 error
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 icons
[[email protected] www]# chcon -t httpd_sys_content_t index.html
18. 測試【5】
大家也看到了吧 在開啟Selinux的情況下 修改修改文本的屬性值,也可以保證服務的安全!!