
A First Look at Using SELinux

2012-07-01 12:18, Sunday

Check the overall SELinux status: sestatus

Get the current SELinux mode: getenforce

Set the working mode: setenforce 0 or 1

Temporarily disable SELinux: echo 0 >/selinux/enforce

Check whether it is enabled: cat /selinux/enforce

Disable permanently: edit the configuration file /etc/selinux/config

httpd switches

Get SELinux's boolean variables, i.e. its control switches. For example, to get the httpd-related switches:

getsebool -a |grep httpd

allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on # allow executing scripts, such as PHP
httpd_can_check_spam --> off
httpd_can_network_connect --> off # switch allowing connections to outside networks
httpd_can_network_connect_cobbler --> off # switch allowing network installation of operating systems (Cobbler)
httpd_can_network_connect_db --> off # switch allowing connections to remote databases
httpd_can_network_relay --> off # must be enabled when httpd acts as a proxy or reverse proxy server
httpd_can_sendmail --> off # enable when mail must be sent, i.e. when PHP scripts need to send mail
httpd_dbus_avahi --> off
httpd_enable_cgi --> on # enable when CGI must be executed
httpd_enable_ftp_server --> off # enable when httpd must act as an FTP server
httpd_enable_homedirs --> off # whether users' home directories may be accessed
httpd_execmem --> off # allow executing code in memory; enabling it is not recommended
httpd_read_user_content --> off # read user content
httpd_setrlimit --> off # allow setting resource limits
httpd_ssi_exec --> off # whether SSI (Server Side Include) scripts embedded in web pages need to be executed
httpd_tmp_exec --> off
httpd_tty_comm --> off # whether access to a tty terminal is allowed; must be enabled when httpd needs to open an SSL certificate
httpd_unified --> on # reference (2) explains it as follows: "httpd can be configured to not differentiate file controls based on context, i.e. all files labeled as httpd context can be read/write/execute. Setting this boolean to false allows you to setup the security policy such that one httpd service can not interfere with another."

Reference (7) explains: When enabled, this Boolean allows httpd_t complete access to all of the httpd types (i.e. to execute, read, or write sys_content_t). When disabled, there is separation in place between web content that is read-only, writeable or executable. Disabling this Boolean ensures an extra level of security but adds the administrative overhead of having to individually label scripts and other web content based on the file access that each should have.

Turning it off caused file uploads in the back end to fail; but once, with it turned on, the back end could not send SMS messages, and after turning it off the SMS messages could be sent; after turning it back on, they could still be sent. Perhaps the SMS problem was caused by something else?

httpd_use_cifs --> off # enable when CIFS file systems must be accessed
httpd_use_gpg --> off
httpd_use_nfs --> off # enable when NFS file systems must be accessed

The logs /var/log/audit/audit.log, /var/log/httpd/error_log and /var/log/messages may contain traces of SELinux restricting access. Search for denials with: cat /var/log/audit/audit.log |grep denied (see reference (6) for how to analyze them)
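As an added illustration, not part of the original post, the following POSIX shell script ties the two halves of this section together: it parses a constructed sample of `getsebool -a` output and constructed AVC records in the audit.log format, extracts the source type, target type and object class from each denial, and maps the denial onto the httpd boolean discussed above. The sample data and the boolean mapping are my own assumptions; on a real host feed it `getsebool -a` and `grep denied /var/log/audit/audit.log` instead.

```shell
#!/bin/sh
# Constructed sample of `getsebool -a | grep httpd` output (not captured from a real host).
SAMPLE_BOOLS='httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_enable_homedirs --> off
httpd_unified --> on'
# Constructed AVC records in the format used by /var/log/audit/audit.log.
SAMPLE_AUDIT='type=AVC msg=audit(1341115080.123:456): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1341115080.123:456): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1341115090.456:457): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=dm-0 ino=1234 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# bool_state NAME: value (on/off) of one boolean; on a real host pipe `getsebool -a` in instead.
bool_state() {
    printf '%s\n' "$SAMPLE_BOOLS" | awk -v n="$1" '$1 == n { print $3 }'
}

# summarize_denials: one line per AVC denial: permission, comm, source type, target type, class.
summarize_denials() {
    printf '%s\n' "$SAMPLE_AUDIT" | awk '
        /type=AVC/ && /denied/ { comm = st = tt = cls = ""
            perm = substr($0, index($0, "{") + 1)              # text after "{"
            perm = substr(perm, 1, index(perm, "}") - 1); gsub(/^ +| +$/, "", perm)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
                if (kv[1] == "scontext") { split(kv[2], c, ":"); st = c[3] }  # user:role:TYPE:level
                if (kv[1] == "tcontext") { split(kv[2], c, ":"); tt = c[3] }
                if (kv[1] == "tclass")   cls = kv[2]
            }
            print perm, comm, st, tt, cls
        }'
}

# hint_for TARGET_TYPE CLASS: map a denial onto the httpd boolean discussed above.
# This is my own reading of the boolean descriptions, not an exhaustive rule table.
hint_for() {
    case "$2:$1" in
        tcp_socket:mysqld_port_t|tcp_socket:postgresql_port_t) echo httpd_can_network_connect_db ;;
        tcp_socket:*)                    echo httpd_can_network_connect ;;
        *:user_home_t|*:user_home_dir_t) echo httpd_enable_homedirs ;;
        *)                               echo none ;;
    esac
}

# Walk the denials and show which boolean (and its current value) each one points at.
summarize_denials | while read -r perm comm st tt cls; do
    hint=$(hint_for "$tt" "$cls")
    printf '%s denied %s on %s (%s) -> boolean %s is %s\n' "$st" "$perm" "$tt" "$cls" "$hint" "$(bool_state "$hint")"
done
```

A `none` hint means no boolean covers the denial, which usually points at a labelling problem rather than a switch.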

Others

xguest_use_bluetooth off # X Window (xguest) users may use Bluetooth
virt_use_usb off # virtual machine users may use USB

#qemu virtual machines
qemu_full_network off
qemu_use_nfs off
qemu_use_usb off
qemu_use_cifs off

#nfs network file system
nfs_export_all_ro off
nfs_export_all_rw off
allow_zebra_write_config off # zebra provides routing functionality

squid_connect_any off # squid caching proxy server
use_nfs_home_dirs off # use home directories on an NFS network file system
privoxy_connect_any off # privoxy: client-side proxy server providing privacy protection, ad blocking, etc.


To set them, for example:

setsebool -P httpd_enable_homedirs=on

The value after the name can be off|on, 0|1, or false|true

References:

(1) Configuring network services under SELinux (SELinux 环境下网络服务设置), http://www.ibm.com/developerworks/cn/linux/l-cn-selinux-services1/index.html#resources

(2) httpd_selinux(8) - Linux man page, http://linux.die.net/man/8/httpd_selinux

(3) httpd_selinux - KDE Man Page Viewer, http://dwalsh.fedorapeople.org/SELinux/httpd_selinux.html

(4) 4 Effective Methods to Disable SELinux Temporarily or Permanently, http://www.thegeekstuff.com/2009/06/how-to-disable-selinux-redhat-fedora-debian-unix/

(5) Security Enhanced Linux Reference Policy, http://oss.tresys.com/docs/refpolicy/api/

(6) Raw Audit Messages, http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html

(7) Apache httpd sebool, http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/sect-Managing_Confined_Services-The_Apache_HTTP_Server-Booleans.html

Permanent link to this article: http://blog.redwolf-soft.com/?p=1657

Original article, copyright © Red Wolf Blog (红狼博客). Reposting is free, but please credit the source.
