semanage fcontext: modify the default security context of a directory:
semanage fcontext -{a|d|m} [-frst] file_spec
-l: list (query) the context types of objects
-a: add a context type for an object; this is how you add default security-context settings for directories of your own to the system.
-t: define the context type of the object
-m: modify.
-d: delete.
View the contexts of all directories and files on the system:
[root@foundation0 html]# semanage fcontext -l | more
SELinux fcontext type Context
/ directory system_u:object_r:root_t:s0
/.* all files system_u:object_r:default_t:s0
/[^/]+ regular file system_u:object_r:etc_runtime_t:s0
/\.autofsck regular file system_u:object_r:etc_runtime_t:s0
/\.autorelabel regular file system_u:object_r:etc_runtime_t:s0
/\.ismount-test-file regular file system_u:object_r:sosreport_tmp_t:s0
Query the default security context settings for /var/www/html:
[root@foundation0 var]# semanage fcontext -l | grep "/var/www(/.*)?"
/var/www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
/var/www(/.*)?/logs(/.*)? all files system_u:object_r:httpd_log_t:s0
Delete a file-context rule:
[root@foundation0 files]# semanage fcontext -l | grep "/srv/samba"
/srv/samba(/.*)? all files system_u:object_r:public_content_t:s0
[root@foundation0 files]# semanage fcontext -d -t public_content_t '/srv/samba(/.*)?'
[root@foundation0 files]# semanage fcontext -l | grep "/srv/samba"
[root@foundation0 files]# cat /etc/selinux/targeted/contexts/files/file_contexts.local   # the entry has been removed from the configuration file
# This file is auto-generated by libsemanage
# Do not edit directly.
/content(/.*)? system_u:object_r:public_content_t:s0
Example:
Query the default security context setting for /var/www/html:
semanage fcontext -l
SELinux fcontext type Context
....(preceding output omitted)....
/var/www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
....(following output omitted)....
As the example above shows, we can query the security context of every directory, and the directory specification can use a regular expression to cover a whole range of paths. So what if we want to add a security context for some custom directory of our own? For example, if I want /srv/samba to have the public_content_t type, how should that be set up?
Use the semanage command to set the default security context of the /srv/samba directory to public_content_t:
mkdir /srv/samba
ll -Zd /srv/samba
drwxr-xr-x root root root:object_r:var_t /srv/samba
As shown above, by default the directory gets the var_t type!
semanage fcontext -l | grep '/srv'
/srv/.* all files system_u:object_r:var_t:s0
/srv/([^/]*/)?ftp(/.*)? all files system_u:object_r:public_content_t:s0
/srv/([^/]*/)?www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
/srv/([^/]*/)?rsync(/.*)? all files system_u:object_r:public_content_t:s0
/srv/gallery2(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
/srv directory system_u:object_r:var_t:s0 // note this line!
The above are the default security contexts under /srv; none of them, however, covers /srv/samba.
semanage fcontext -a -t public_content_t "/srv/samba(/.*)?"   # add the public_content_t context label for the /srv/samba directory
semanage fcontext -l | grep '/srv/samba'
/srv/samba(/.*)? all files system_u:object_r:public_content_t:s0
After the change, a record is added to the configuration file:
cat /etc/selinux/targeted/contexts/files/file_contexts.local
# This file is auto-generated by libsemanage
# Please use the semanage command to make changes
/srv/samba(/.*)? system_u:object_r:public_content_t:s0   # written into this file
restorecon -Rv /srv/samba*   # reapply the default context from the policy, recursively
ll -Zd /srv/samba
drwxr-xr-x root root system_u:object_r:public_content_t /srv/samba/   # now that a default exists, fixing the label later with restorecon is simple!
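To make the matching rule behind the procedure above concrete, here is an added example script; it is not part of the original tutorial and needs neither semanage nor a SELinux-enabled kernel. It models how file-context rules are applied: each rule's regex is tried against the whole path and the last matching entry wins, the order libselinux uses for file_contexts, which is why the /srv/samba rule appended by semanage fcontext -a overrides the generic /srv/.* entry. The rule set is a constructed sample in the two-column format of file_contexts.local; fc_lookup, fc_type and fc_needs_relabel are names chosen for this example. fc_needs_relabel compares only the type field, which is what restorecon does unless it is run with -F.

```shell
#!/bin/sh
# Added example, not code from the original page: an offline model of
# SELinux file-context matching (last matching rule wins).

# Constructed sample rule set, two columns like file_contexts.local:
# <anchored regex>  <context>. Order mirrors the page's semanage -l output.
FC_RULES='# regex                          context
/.*                                system_u:object_r:default_t:s0
/srv/.*                            system_u:object_r:var_t:s0
/srv/([^/]*/)?ftp(/.*)?            system_u:object_r:public_content_t:s0
/srv/([^/]*/)?www(/.*)?            system_u:object_r:httpd_sys_content_t:s0
/srv/samba(/.*)?                   system_u:object_r:public_content_t:s0'

# fc_lookup RULES PATH -> prints the context the rule set assigns to PATH
# (empty if no rule matches).
fc_lookup() {
    rules=$1; path=$2; result=''
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
        regex=${line%% *}                          # first column: regex
        ctx=${line##* }                            # last column: context
        # file_contexts regexes are implicitly anchored to the whole path
        if printf '%s\n' "$path" | grep -Eq "^($regex)"'$'; then
            result=$ctx                            # later match overrides
        fi
    done <<EOF
$rules
EOF
    printf '%s\n' "$result"
}

# fc_type CTX -> the type field of user:role:type[:level]
fc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# fc_needs_relabel RULES PATH CURRENT_CTX -> succeeds if restorecon (without
# -F) would change the file, i.e. the type differs from the policy default.
fc_needs_relabel() {
    want=$(fc_lookup "$1" "$2")
    [ -n "$want" ] && [ "$(fc_type "$want")" != "$(fc_type "$3")" ]
}

# Demo: the page's /srv/samba directory before and after restorecon.
fc_lookup "$FC_RULES" /srv/samba/share/report.txt
fc_needs_relabel "$FC_RULES" /srv/samba root:object_r:var_t && echo "relabel needed"
fc_needs_relabel "$FC_RULES" /srv/samba system_u:object_r:public_content_t:s0 || echo "already correct"
```

Running the script prints the context for a file below /srv/samba, reports that the directory labelled var_t (as in the ll -Zd output before restorecon) needs relabelling, and that the directory labelled public_content_t does not.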
Changing SELinux booleans
SELinux booleans
SELinux booleans are switches that change the behaviour of the SELinux policy. They are rules that can be enabled or disabled, and a security administrator can use them to tune the policy selectively.
The getsebool command displays SELinux booleans and their current values.
The -a option makes the command list all booleans.
[root@foundation0 files]# getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
auditadm_exec_content --> on
authlogin_nsswitch_use_ldap --> on
authlogin_radius --> off
authlogin_yubikey --> off
Changing SELinux booleans
getsebool: display SELinux booleans;
setsebool: modify SELinux booleans.
setsebool -P: modify the SELinux policy and make the change persistent.
semanage boolean -l: show whether a boolean's value is persistent, together with a short description of the boolean.
semanage boolean -l -C: list only the SELinux booleans whose state has been modified locally (any setting that differs from the policy default).
View the system's booleans:
[root@foundation0 files]# semanage boolean -l | grep httpd
httpd_can_network_relay (off , off) Allow httpd to can network relay
httpd_can_connect_mythtv (off , off) Allow httpd to can connect mythtv
httpd_can_network_connect_db (off , off) Allow httpd to can network connect db
httpd_use_gpg (off , off) Allow httpd to use gpg
httpd_dbus_sssd (off , off) Allow httpd to dbus sssd
httpd_enable_cgi (on , on) Allow httpd to enable cgi
httpd_verify_dns (off , off) Allow httpd to verify dns
httpd_dontaudit_search_dirs (off , off) Allow httpd to dontaudit search dirs
(off , off): the first off is the current value, the second off is the persistent value (it does not change after a reboot)
Modify a boolean's value:
[root@foundation0 files]# semanage boolean -l | grep ftp_home_dir
ftp_home_dir (off , off) Allow ftp to home dir
tftp_home_dir (off , off) Allow tftp to home dir
[root@foundation0 files]# setsebool -P ftp_home_dir on   # persistent ("1" is accepted in place of "on")
[root@foundation0 files]# setsebool ftp_home_dir on      # temporary, reverts at reboot
[root@foundation0 files]# semanage boolean -l | grep ftp_home_dir
ftp_home_dir (on , on) Allow ftp to home dir
tftp_home_dir (off , off) Allow tftp to home dir
[root@foundation0 files]# getsebool -a | grep ftp_home_dir
ftp_home_dir --> on
tftp_home_dir --> off
List only the SELinux booleans whose state has been modified locally:
[root@foundation0 files]# semanage boolean -l -C
SELinux boolean State Default Description
ftp_home_dir (on , on) Allow ftp to home dir
authlogin_nsswitch_use_ldap (on , on) Allow authlogin to nsswitch use ldap
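As an added example (it is not part of the original page), the following script reads the two output formats shown above and flags two kinds of drift a defender wants to know about: booleans whose current State differs from the persistent Default (changed with setsebool but without -P, so the running policy and the policy applied at the next boot disagree), and booleans whose live value differs from a desired baseline, for which it prints the setsebool -P command that would correct them without executing anything. The sample output lines and the baseline are constructed; sebool_transient, getsebool_value and sebool_drift are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the original page: detect SELinux boolean
# drift from the `semanage boolean -l` and `getsebool -a` output formats.

# Constructed sample of `semanage boolean -l`: name, (State , Default), description.
SEBOOL_L='SELinux boolean                State  Default Description
httpd_enable_cgi               (on   ,   on)  Allow httpd to enable cgi
ftp_home_dir                   (on   ,  off)  Allow ftp to home dir
httpd_can_network_connect_db   (off  ,  off)  Allow httpd to can network connect db'

# Constructed sample of `getsebool -a`.
GETSEBOOL_A='ftp_home_dir --> on
httpd_can_network_connect_db --> off
httpd_enable_cgi --> on
tftp_home_dir --> off'

# Constructed baseline: "name value" pairs this host is supposed to have.
DESIRED='ftp_home_dir off
httpd_enable_cgi on
tftp_home_dir off'

# sebool_transient SEMANAGE_OUTPUT -> "name state default" for every boolean
# whose live State differs from the persistent Default, i.e. it was changed
# with setsebool but not with -P and will revert at the next reboot.
sebool_transient() {
    printf '%s\n' "$1" | awk '
        /^SELinux boolean/ { next }              # skip the header line
        NF >= 4 {
            state = $2; sub(/^\(/, "", state)    # "(on"  -> "on"
            def   = $4; sub(/\)$/, "", def)      # "off)" -> "off"
            if (state != def) print $1, state, def
        }'
}

# getsebool_value GETSEBOOL_OUTPUT NAME -> "on", "off", or empty if unknown
getsebool_value() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n && $2 == "-->" { print $3 }'
}

# sebool_drift GETSEBOOL_OUTPUT DESIRED -> one "setsebool -P name value" line
# per boolean whose live value differs from the baseline (nothing is run).
sebool_drift() {
    actual=$1
    printf '%s\n' "$2" | while read -r name want; do
        [ -n "$name" ] || continue
        have=$(getsebool_value "$actual" "$name")
        [ "$have" = "$want" ] || printf 'setsebool -P %s %s\n' "$name" "$want"
    done
}

echo "== changed without -P (lost at reboot) =="
sebool_transient "$SEBOOL_L"
echo "== drift from baseline (commands to apply) =="
sebool_drift "$GETSEBOOL_A" "$DESIRED"
```

On a real host the two variables would be replaced by `semanage boolean -l` and `getsebool -a` output; the transient check is worth running before a planned reboot, since a boolean that only ever received `setsebool` without `-P` silently reverts.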
IV. Troubleshooting SELinux
Troubleshooting SELinux problems
What should you do when SELinux blocks access to files on the server? When this happens, work through the following steps:
1) Consider whether the denied access is actually authorised; if it is, continue with the steps below.
2) The most common SELinux problem is an incorrect file context.
3) Another remedy for overly restrictive access may be to adjust a boolean.
4) The SELinux policy may contain a bug that blocks legitimate access. Because SELinux is a mature technology this is rare. Once a policy bug has been identified, contact Red Hat support and report it so that the problem can be fixed.
Monitoring SELinux violations
The setroubleshoot-server package must be installed so that SELinux messages are sent to /var/log/messages. setroubleshoot-server listens for audit messages in /var/log/audit/audit.log and writes a short summary to /var/log/messages. The summary includes the unique identifier (UUID) of the SELinux violation, which can be used to gather more information.
sealert -l UUID generates a report for one specific event.
sealert -a /var/log/audit/audit.log generates a report for all events in that file.
[root@foundation0 files]# yum install setroubleshoot-server
View the SELinux logs:
[root@foundation0 RHCE]# tail /var/log/audit/audit.log
[root@foundation0 RHCE]# grep -i sealert /var/log/messages
Nov 27 17:57:41 foundation0 setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from read access on the lnk_file . For complete SELinux messages. run sealert -l 1a4544c5-d9a5-4d50-a2cf-2a22ebc3e843
View the specific suggested fix:
[root@foundation0 RHCE]# sealert -l 1a4544c5-d9a5-4d50-a2cf-2a22ebc3e843
SELinux is preventing /usr/libexec/accounts-daemon from read access on the lnk_file .
***** Plugin catchall (100. confidence) suggests **************************
If you believe that accounts-daemon should be allowed read access on the lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep accounts-daemon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:accountsd_t:s0
Target Context system_u:object_r:xdm_etc_t:s0
Target Objects [ lnk_file ]
Source accounts-daemon
Source Path /usr/libexec/accounts-daemon
Port <Unknown>
Host foundation0.ilt.example.com
Source RPM Packages accountsservice-0.6.35-7.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-153.el7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name foundation0.ilt.example.com
Platform Linux foundation0.ilt.example.com
3.10.0-123.el7.x86_64 #1 SMP Mon May 5 11:16:57
EDT 2014 x86_64 x86_64
Alert Count 12
First Seen 2014-09-28 15:07:28 CST
Last Seen 2017-11-27 17:57:35 CST
Local ID 1a4544c5-d9a5-4d50-a2cf-2a22ebc3e843
Raw Audit Messages
type=AVC msg=audit(1511776655.760:98): avc: denied { read } for pid=1436 comm="accounts-daemon" name="custom.conf" dev="sda1" ino=137134642 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:xdm_etc_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1511776655.760:98): arch=x86_64 syscall=open success=no exit=EACCES a0=7fd98f40b2dd a1=0 a2=0 a3=7fd98e3a5410 items=0 ppid=1 pid=1436 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=accounts-daemon exe=/usr/libexec/accounts-daemon subj=system_u:system_r:accountsd_t:s0 key=(null)
Hash: accounts-daemon,accountsd_t,xdm_etc_t,lnk_file,read
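The raw AVC lines at the end of the sealert report are the primary evidence, and the Hash line (comm, source type, target type, class, permission) is the signature setroubleshoot uses to group repeated occurrences of the same denial. As an added example that is not from the original page, the following script builds that same signature directly from raw audit.log lines with awk and counts how often each one occurs, so that a log full of denials can be triaged by distinct cause rather than read line by line. The log text is a constructed sample: the first two AVC records reuse the page's accounts-daemon denial (the second at a later timestamp), the SYSCALL record is an abbreviated copy of the page's, and the third AVC record is a made-up httpd denial of the kind the httpd_can_network_connect_db boolean listed earlier governs. avc_signatures is a name chosen here.

```shell
#!/bin/sh
# Added example, not code from the original page: summarise AVC denials from
# audit.log by the signature setroubleshoot prints as "Hash:":
#   comm,source_type,target_type,tclass,permission

# Constructed sample log (see the lead-in for what each record is).
AUDIT_SAMPLE='type=AVC msg=audit(1511776655.760:98): avc:  denied  { read } for  pid=1436 comm="accounts-daemon" name="custom.conf" dev="sda1" ino=137134642 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:xdm_etc_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1511776655.760:98): arch=x86_64 syscall=open success=no exit=EACCES pid=1436 comm=accounts-daemon exe=/usr/libexec/accounts-daemon subj=system_u:system_r:accountsd_t:s0 key=(null)
type=AVC msg=audit(1511776661.120:101): avc:  denied  { read } for  pid=1436 comm="accounts-daemon" name="custom.conf" dev="sda1" ino=137134642 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:xdm_etc_t:s0 tclass=lnk_file
type=AVC msg=audit(1511776700.500:120): avc:  denied  { name_connect } for  pid=2200 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# avc_signatures LOGTEXT -> "<count> <comm>,<stype>,<ttype>,<tclass>,<perm>"
# one line per distinct signature, most frequent first. Only AVC records
# containing "denied" are considered; SYSCALL records are skipped.
avc_signatures() {
    printf '%s\n' "$1" | awk '
        # field(prefix, stop): text following prefix up to the stop character
        function field(prefix, stop,    s) {
            if (!match($0, prefix "[^" stop "]*")) return ""
            s = substr($0, RSTART + length(prefix), RLENGTH - length(prefix))
            return s
        }
        # ctx_type(ctx): the type component of user:role:type:level
        function ctx_type(ctx,    a) { split(ctx, a, ":"); return a[3] }
        /^type=AVC / && / denied / {
            comm = field("comm=\"", "\"")
            # permissions sit between "{ " and " }"; join several with "+"
            perm = ""
            if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
            gsub(/ /, "+", perm)
            stype  = ctx_type(field("scontext=", " "))
            ttype  = ctx_type(field("tcontext=", " "))
            tclass = field("tclass=", " ")
            count[comm "," stype "," ttype "," tclass "," perm]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

avc_signatures "$AUDIT_SAMPLE"
```

On a live system the same function can be fed `ausearch -m AVC -ts today` or the audit.log itself; each output line maps one-to-one onto a sealert Hash, so the count tells you which single cause is responsible for most of the noise before you decide between a file-context fix, a boolean, or a bug report as in the troubleshooting steps above.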