2.15. 2017-12-28-练习selinux¶
2.15.1. 练习1-selinux¶
2、使用 restorecon 修复 SELinux 安全上下文（下面的记录说明：cp 出来的副本按目标目录重新打标签得到 admin_home_t，而 mv 会保留原文件的上下文，所以移回 /var/www/html 后 index.html 仍是 admin_home_t，不再是 httpd 内容应有的 httpd_sys_content_t，需要用 restorecon 按策略默认值恢复）
[root@centos74 html]$ ll -Z index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
[root@centos74 html]$ cp index.html /root
[root@centos74 html]$ ll -Z /root/index.html index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /root/index.html
[root@centos74 html]$ mv /root/index.html .
mv: overwrite ‘./index.html’? y
[root@centos74 html]$ ll -Z
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 index.html
[root@centos74 html]$ restorecon -R /var/www/html/
[root@centos74 html]$ ll -Z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
3、查看 semanage 由哪个包提供，并查看默认的安全上下文、添加安全上下文、删除安全上下文（下面的记录只演示了添加；删除规则用 `semanage fcontext -d '/app(/.*)?'`，然后再 `restorecon -Rv /app` 让文件标签回到默认值）
[root@centos74 html]$ which semanage
/usr/sbin/semanage
[root@centos74 html]$ rpm -qf /usr/sbin/semanage
policycoreutils-python-2.5-17.1.el7.x86_64
[root@centos74 html]$ semanage fcontext -l
[root@centos74 app]$ semanage fcontext -a -t httpd_sys_content_t '/app(/.*)?'
[root@centos74 app]$ touch /app/11.txt
[root@centos74 app]$ restorecon -Rv /app
[root@centos74 app]$ ll -Z 11.txt
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 11.txt
4、添加 ssh 的监听端口 20022，并测试（注意：sshd 的监听端口在 /etc/ssh/sshd_config 中设置，/etc/ssh/ssh_config 是客户端配置，改它对 sshd 没有影响。第一次 restart 之后 netstat 只看到 22，很可能是 enforcing 模式下 SELinux 拒绝了 sshd 向未标记为 ssh_port_t 的 20022 端口 bind，可用 `ausearch -m AVC -ts recent` 确认）
[root@centos74 app]$ vim /etc/ssh/ssh_config
[root@centos74 app]$ cat /etc/ssh/ssh_config |grep Port
Port 22
Port 20022
[root@centos74 app]$ systemctl restart sshd
[root@centos74 app]$ netstat -tunlp |grep sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 6252/sshd
tcp6 0 0 :::22 :::* LISTEN 6252/sshd
[root@centos74 app]$ semanage port -l |grep ssh
ssh_port_t tcp 22
[root@centos74 app]$ semanage port -a -t ssh_port_t -p tcp 20002
[root@centos74 app]$ semanage port -l |grep ssh
ssh_port_t tcp 20002, 22
[root@centos74 app]$ setenforce 0
注意：上面加标签的端口写成了 20002 而不是 20022（见输出 `20002, 22`），所以 20022 仍然没有 ssh_port_t 标签。正确命令是 `semanage port -a -t ssh_port_t -p tcp 20022`，再用 `semanage port -d -t ssh_port_t -p tcp 20002` 删掉误加的端口。随后的 `setenforce 0` 只是切到宽容模式让 sshd 绑定 20022 成功，并没有修复标签：之后 `setenforce 1` 时已启动的进程（PID 6598）继续监听，但下次在 enforcing 下重启 sshd 仍会被拒绝。不要用切到 permissive 的方式"解决"拒绝，先看 AVC 日志再修标签。
[root@centos74 app]$ systemctl status sshd.service
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2017-12-28 12:31:56 CST; 8s ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 6598 (sshd)
CGroup: /system.slice/sshd.service
└─6598 /usr/sbin/sshd -D
Dec 28 12:31:56 centos74.magedu.com systemd[1]: Starting OpenSSH server daemon...
Dec 28 12:31:56 centos74.magedu.com sshd[6598]: Server listening on 0.0.0.0 port 20022.
Dec 28 12:31:56 centos74.magedu.com sshd[6598]: Server listening on :: port 20022.
Dec 28 12:31:56 centos74.magedu.com sshd[6598]: Server listening on 0.0.0.0 port 22.
Dec 28 12:31:56 centos74.magedu.com sshd[6598]: Server listening on :: port 22.
Dec 28 12:31:56 centos74.magedu.com systemd[1]: Started OpenSSH server daemon.
[root@centos74 app]$ setenforce 1
[root@centos74 app]$ systemctl status sshd.service
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2017-12-28 12:31:56 CST; 36s ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 6598 (sshd)
CGroup: /system.slice/sshd.service
└─6598 /usr/sbin/sshd -D
Dec 28 12:31:56 centos74.magedu.com systemd[1]: Starting OpenSSH server daemon...
Dec 28 12:31:56 centos74.magedu.com sshd[6598]: Server listening on 0.0.0.0 port 20022.
Dec 28 12:31:56 centos74.magedu.com sshd[6598]: Server listening on :: port 20022.
Dec 28 12:31:56 centos74.magedu.com sshd[6598]: Server listening on 0.0.0.0 port 22.
Dec 28 12:31:56 centos74.magedu.com sshd[6598]: Server listening on :: port 22.
Dec 28 12:31:56 centos74.magedu.com systemd[1]: Started OpenSSH server daemon.
[root@centos74 app]$ netstat -tunlp |grep ssh
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 6598/sshd
tcp 0 0 0.0.0.0:20022 0.0.0.0:* LISTEN 6598/sshd
tcp6 0 0 :::22 :::* LISTEN 6598/sshd
tcp6 0 0 :::20022 :::* LISTEN 6598/sshd
6、修改selinux的布尔值
[root@centos74 app]$ semanage boolean -l |grep ftp |grep write
tftp_anon_write (off , off) Allow tftp to anon write
ftpd_anon_write (off , off) Allow ftpd to anon write
[root@centos74 app]$ setsebool ftpd_anon_write=1 -P
注意：ftpd_anon_write 允许匿名 FTP 用户写入（见上面的说明 "Allow ftpd to anon write"），是一个扩大攻击面的开关；-P 会把它持久化到策略里，重启后仍然生效。只在确实需要匿名上传时开启，练习结束后用 `setsebool -P ftpd_anon_write=0` 关回去，并用 `getsebool ftpd_anon_write` 确认。
7、编写一个脚本，完成 SELinux 各个状态（enforcing / permissive / disabled）之间的切换
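#!/bin/bash
#================================================
#FileName :set_selinux.sh
#Author :zhaojiedi
#Description:Switch SELinux between enforcing / permissive / disabled.
#            The runtime mode is changed with setenforce (only possible
#            while SELinux is enabled) and the choice is persisted in the
#            SELINUX= line of the config file read at boot.
#            Usage: set_selinux.sh [ enforcing | permissive | disabled ]
#DateTime :2017-12-28 13:39:06
#Version :V1.1
#Other :Needs root. Entering or leaving "disabled" only takes effect after a reboot.
#================================================
set -u

# Config file read at boot; overridable through SELINUX_CONFIG for testing.
# On CentOS 7 /etc/sysconfig/selinux is normally a symlink to
# /etc/selinux/config. GNU "sed -i" replaces a symlink with a regular file
# unless --follow-symlinks is given, in which case the real config would
# never be updated - hence the flag in set_persistent_mode.
selinux_config=${SELINUX_CONFIG:-/etc/sysconfig/selinux}

# Print the persisted mode (value of the SELINUX= line), empty if absent.
persistent_mode() {
  sed -rn 's@^SELINUX=(.*)@\1@p' "$selinux_config"
}

# Rewrite the SELINUX= line to the mode given as $1 (already validated by
# main, so it is safe inside the sed expression).
# The pattern must stay anchored with ^: the stock config also contains the
# comment "# SELINUX= can take one of these three values:", which an
# unanchored "SELINUX=.*" would rewrite as well.
set_persistent_mode() {
  sed -i --follow-symlinks "s@^SELINUX=.*@SELINUX=$1@" "$selinux_config"
}

# Current runtime mode as reported by the kernel: Enforcing, Permissive or
# Disabled. Empty if getenforce is unavailable.
runtime_mode() {
  getenforce 2>/dev/null
}

main() {
  local target=${1:-}
  local need_reboot=0

  case "$target" in
    enforcing|permissive|disabled) ;;
    *)
      echo "Usage: set_selinux [ enforcing | permissive | disabled ]"
      exit 1
      ;;
  esac

  # setenforce and editing the config both need root; fail early and loudly
  # instead of leaving a half-applied change.
  if [[ $EUID -ne 0 ]]; then
    echo "set_selinux: must be run as root" >&2
    exit 1
  fi

  # String comparison. The original used -eq, which is integer-only and
  # always failed here, so the reboot warning was never shown when leaving
  # the disabled state.
  if [[ "$(persistent_mode)" == "disabled" ]]; then
    need_reboot=1
  fi

  # While SELinux is disabled at runtime setenforce cannot enable it (and
  # errors out); the persisted value is what takes effect after reboot.
  if [[ "$(runtime_mode)" == "Disabled" ]]; then
    need_reboot=1
  else
    local enforce=0
    [[ "$target" == "enforcing" ]] && enforce=1
    if ! setenforce "$enforce"; then
      echo "set_selinux: setenforce $enforce failed" >&2
      exit 1
    fi
  fi

  if [[ "$target" == "disabled" ]]; then
    need_reboot=1   # disabled can only be entered at boot
  fi

  if ! set_persistent_mode "$target"; then
    echo "set_selinux: failed to update $selinux_config" >&2
    exit 1
  fi

  if (( need_reboot )); then
    printf '\033[31myou need to reboot \033[0m\n'
  fi
}

main "$@"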