Linux Basics Tutorial: Automated System Installation and an Introduction to SELinux

I. Knowledge Summary

1. anaconda, the system installer: starts in graphical mode by default.

Boot from the optical disc; on the mode-selection screen press Tab and append text to the boot line, or press ESC and type linux text, to install in text mode.

2. Creating a kickstart file:

Edit it by hand: start from a template, anaconda-ks.cfg in the /root directory.

Use a creation tool: system-config-kickstart, a graphical tool that can also start from an existing template.

Check a ks file for syntax errors: ksvalidator

3. SELinux is a mandatory access control security module for Linux developed by the US National Security Agency (NSA) and SCC (Secure Computing Corporation). It was released under the GNU GPL in 2000 and has been integrated into the kernel since Linux 2.6. There are two access control models:

DAC: Discretionary Access Control

MAC: Mandatory Access Control

There are four policy types: strict: CentOS 5, every process is controlled by SELinux;

targeted: protects common network services; only a limited set of processes is controlled by SELinux, namely those most likely to be compromised. RHEL 4 protects 13 services, RHEL 5 protects 88.

minimum: CentOS 7, a modified targeted policy that covers only selected network services;

mls: provides Multi-Level Security (MLS).

The last two are not stable enough and are not widely used.

4. In traditional Linux everything is a file, and access is controlled by user, group and permission bits. In SELinux everything is an object, and access is controlled by security attributes stored in the inode's extended attribute area. Every file, port and process carries a security label, the security context. A security context consists of five elements:

user:role:type:sensitivity:category

user_u:object_r:tmp_t:s0:c0

Actual context: stored in the filesystem; ls -Z shows a file's context, ps -Z a process's.

Expected context: stored in the binary SELinux policy database (a mapping from directories to their expected security contexts).

semanage fcontext -l lists all expected contexts.

The five security elements: User: indicates the type of user that logged in, e.g. root, user_u, system_u; most local processes are unconfined;

Role: defines the purpose of files, processes and users. Files: object_r; processes and users: system_r

Type: specifies the data type; the rules define which process types may access which file types;

The targeted policy is implemented on the type field; a type shared by several services: public_content_t

sensitivity: hierarchical security levels defined by the organization to restrict access, e.g. unclassified, secret, top secret. An object has exactly one sensitivity, in levels 0-15, s0 being the lowest; the targeted policy uses s0 by default.

Category: non-hierarchical classifications for a particular organization, e.g. FBI Secret, NSA Secret. An object may have several categories, c0-c1023, 1024 in total; the targeted policy does not use categories.

5. SELinux policy: objects: everything that can be accessed, including files, directories, processes, ports and so on.

Subjects: processes are called subjects.

SELinux gives every file a type label and every process its own domain label. The operations a domain may perform are defined in the security policy.

When a subject tries to access an object, the policy enforcement server in the kernel consults the AVC (Access Vector Cache). Permissions for subject and object pairs are cached in the AVC; the "application + file" security combination is looked up there, and access is allowed or denied according to the result.

Security policy: a rule database defining how subjects may access objects. The rules record whether a subject of a given type may access a given object by a given method, and define which behaviours are allowed or denied.

6. SELinux help: yum -y install selinux-policy-devel

On CentOS 6 use makewhatis to synchronize the man page database; on CentOS 7 use mandb.


II. Command Reference and Examples

1. SELinux states: enforcing: every confined process is actually confined;

permissive: violations by confined processes are not blocked, but they are recorded in the audit log;

disabled: SELinux is turned off.

2. getenforce: show the current SELinux mode

sestatus: show SELinux status

setenforce 0|1: switch to permissive or enforcing

[root@centos68 usb]# getenforce
Enforcing
[root@centos68 usb]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
[root@centos68 usb]# setenforce 0
[root@centos68 usb]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
[root@centos68 usb]# getenforce
Permissive

Configuration files:

/boot/grub/grub.conf: add selinux=0 to the kernel line to disable SELinux

/etc/sysconfig/selinux

/etc/selinux/config

Changes to these configuration files do not take effect immediately; a reboot is required.

3. Relabel a file: chcon [opt] [-u USER] [-r ROLE] [-t TYPE] FILE

-R: apply recursively

--reference=FILE: use the same context as FILE

[root@centos68 tmp]# ll -Z
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 f1
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 f2
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 f3
[root@centos68 tmp]# chcon -u unconfined_u -r object_r -t default_t f1
[root@centos68 tmp]# ll -Z
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 f1
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 f2
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 f3
[root@centos68 tmp]# chcon --reference=f2 f1
[root@centos68 tmp]# ll -Z
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 f1
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 f2
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 f3

Restore the default security context of a directory or file: restorecon /PATH/FILE

View the default security contexts; a file with no default context cannot be restored: semanage fcontext -l

semanage comes from the policycoreutils-python package.

Add a file-context rule: semanage fcontext -a -t httpd_sys_content_t '/testdir(/.*)?'

restorecon -Rv /testdir

Delete a file-context rule: semanage fcontext -d -t httpd_sys_content_t '/testdir(/.*)?'

[root@centos68 tmp]# semanage fcontext -a -t default_t '/tmp(/.*)?'
[root@centos68 tmp]# ll -Z
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 f1
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 f2
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 f3
[root@centos68 tmp]# semanage fcontext -l | grep "/tmp(/.*)?"
/tmp(/.*)?                                         all files          system_u:object_r:default_t:s0
[root@centos68 tmp]# restorecon -Rv /tmp
restorecon reset /tmp/f3 context unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:default_t:s0
restorecon reset /tmp/.ICE-unix context system_u:object_r:xdm_tmp_t:s0->system_u:object_r:default_t:s0
restorecon reset /tmp/f2 context unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:default_t:s0
[root@centos68 tmp]# ll -Z
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 f1
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 f2
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 f3
[root@centos68 tmp]# semanage fcontext -d -t default_t '/tmp(/.*)?'
[root@centos68 tmp]# semanage fcontext -l | grep "/tmp(/.*)?"

Moving a file does not change its security label; copying a file does.

4. Port labels: view port labels: semanage port -l

Add a port: semanage port -a -t port_label -p tcp|udp PORT

Delete a port: semanage port -d -t port_label -p tcp|udp PORT
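Added example (not from the original post) tying together the five-field security context of I.4 and the actual-versus-expected check of II.3: a bash script that splits a context into its fields and, over constructed ls -Z and semanage fcontext -l excerpts, reports files whose actual type differs from the expected one, which is the comparison restorecon performs. The sample lines and the /website rule are constructed for illustration.

```bash
#!/bin/bash
# Constructed sample of `ls -Z` output for /tmp (not captured from a real host).
LS_Z_SAMPLE='-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 f1
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 f2
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 f3'

# Constructed excerpt of `semanage fcontext -l`: path regex, file class, expected context.
FCONTEXT_SAMPLE='/tmp(/.*)?            all files    system_u:object_r:user_tmp_t:s0
/website(/.*)?        all files    system_u:object_r:httpd_sys_content_t:s0'

# context_field CONTEXT N: print field N of a context
# (1=user 2=role 3=type 4=sensitivity 5=category; field 5 is absent under targeted).
context_field() {
  printf '%s\n' "$1" | cut -d: -f"$2"
}

# expected_type PATH: type of the first fcontext rule whose regex matches PATH, or
# return 1 when no rule exists (the case in which restorecon has no default to restore).
expected_type() {
  local path=$1 regex ctx
  while read -r regex _ _ ctx; do
    # SELinux anchors a rule's regex at both ends; emulate that with ^...$ in grep -E
    if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
      context_field "$ctx" 3
      return 0
    fi
  done <<<"$FCONTEXT_SAMPLE"
  return 1
}

# mislabeled DIR: list files from the ls -Z sample whose actual type differs from the
# expected type, i.e. what `restorecon -Rnv DIR` would report without changing anything.
# Only the type is compared: restorecon keeps the user part of the existing label, as the
# "unconfined_u:...->unconfined_u:..." lines in the session on this page show.
mislabeled() {
  local dir=$1 ctx name have want
  while read -r _ _ _ ctx name; do
    have=$(context_field "$ctx" 3)
    want=$(expected_type "$dir/$name") || continue
    [ "$have" = "$want" ] || printf '%s %s -> %s\n' "$dir/$name" "$have" "$want"
  done <<<"$LS_Z_SAMPLE"
}

mislabeled /tmp
```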

[root@centos68 tmp]# semanage port -a -t tftp_port_t -p udp 9527
[root@centos68 tmp]# semanage port -l | grep "tftp_port_t"
tftp_port_t                    udp      9527, 69
[root@centos68 tmp]# semanage port -d -t tftp_port_t -p udp 9527
[root@centos68 tmp]# semanage port -l | grep "tftp_port_t"
tftp_port_t                    udp      69

Modify a port: semanage port -m -t port_label -p tcp|udp PORT

5. SELinux booleans:

View boolean values: getsebool -a

View booleans with their descriptions: semanage boolean -l

View modified booleans: semanage boolean -l -C

Set a boolean:

setsebool BOOLEAN VALUE

1 turns the boolean on, 0 turns it off; the -P option makes the change persistent.

[root@centos68 ~]# semanage boolean -l | grep virt_use_samba
virt_use_samba                 (關    ,    關)  Allow virt to manage cifs files
[root@centos68 ~]# setsebool virt_use_samba 1
[root@centos68 ~]# semanage boolean -l | grep virt_use_samba
virt_use_samba                 (開    ,    關)  Allow virt to manage cifs files

6. SELinux log management: yum install setroubleshoot* (takes effect after a reboot)

Error information is written to /var/log/messages.

[root@centos68 ~]# grep setroubleshoot /var/log/messages
Sep 11 03:50:45 centos68 yum[4947]: Installed: setroubleshoot-server-3.0.47-11.el6.x86_64
Sep 11 03:50:47 centos68 yum[4947]: Installed: setroubleshoot-plugins-3.0.40-2.el6.noarch
Sep 11 03:50:48 centos68 yum[4947]: Installed: setroubleshoot-3.0.47-11.el6.x86_64

View the explanation of a security alert:

[root@centos68 ~]# sealert -l 0
Error
query_alerts error (1003): id (0) not found

Scan and analyze the audit log: sealert -a /var/log/audit/audit.log

[root@centos68 ~]# sealert -a /var/log/audit/audit.log
100% donefound 0 alerts in /var/log/audit/audit.log
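Added example (not part of the original post) for the log section above: a bash function that summarizes AVC denial records from an audit.log excerpt, the first look one takes before running sealert on the file. The audit lines, pids, inodes and timestamps are constructed; the record layout follows the kernel's AVC format.

```bash
#!/bin/bash
# Constructed /var/log/audit/audit.log excerpt (fake pids, inodes and timestamps).
# The first record is a SYSCALL line and the last a granted AVC; both must be ignored.
AUDIT_SAMPLE='type=SYSCALL msg=audit(1473580245.101:401): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1473580245.101:401): avc:  denied  { read } for  pid=4321 comm="httpd" name="index.html" dev=dm-0 ino=1001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473580246.202:402): avc:  denied  { read } for  pid=4321 comm="httpd" name="index.html" dev=dm-0 ino=1001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473580250.303:403): avc:  denied  { name_bind } for  pid=4400 comm="httpd" src=9527 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1473580251.404:404): avc:  granted  { setenforce } for  pid=4500 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security'

# avc_summary: one line per distinct denial, "COUNT COMM SOURCE_TYPE TARGET_TYPE CLASS PERMS",
# most frequent first. Source and target types are the third field of each context, which
# is what decides the outcome under the targeted policy.
avc_summary() {
  printf '%s\n' "$AUDIT_SAMPLE" | awk '
    /^type=AVC / && / denied / {
      perms = $0
      sub(/.*denied +[{] /, "", perms); sub(/ [}].*/, "", perms)
      comm = stype = ttype = tclass = ""
      for (i = 1; i <= NF; i++) {
        n = index($i, "="); if (n == 0) continue
        k = substr($i, 1, n - 1); v = substr($i, n + 1)
        if (k == "comm") { gsub(/"/, "", v); comm = v }
        else if (k == "scontext") { split(v, c, ":"); stype = c[3] }
        else if (k == "tcontext") { split(v, c, ":"); ttype = c[3] }
        else if (k == "tclass") tclass = v
      }
      count[comm " " stype " " ttype " " tclass " " perms]++
    }
    END { for (key in count) print count[key], key }' | sort -k1,1nr -k2
}

avc_summary
```

In this constructed sample the first line points at a file under a directory that still carries default_t (the fcontext rule from II.3 is missing), and the second at httpd binding a port nobody labeled http_port_t (the semanage port -a case from II.4).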

III. Exercises

1. Make a bootable CD or USB drive.

Creating a bootable CD:

Step 1: copy the isolinux directory from the disc to /tmp/myiso

[root@centos68 tmp]# mkdir myiso
[root@centos68 tmp]# cp -rf /media/cdrom/isolinux ./myiso/

Step 2: edit isolinux.cfg

[root@centos68 tmp]# vim myiso/isolinux/isolinux.cfg
label linux
  menu label ^Install or upgrade an existing system
  menu default
  kernel vmlinuz
  append initrd=initrd.img text ks=cdrom:/myks.cfg

Step 3: generate the kickstart file myks.cfg and place it at the root of the image directory, where ks=cdrom:/myks.cfg expects it; here a kickstart file created with the graphical tool is used:

[root@centos68 tmp]# cp /root/myks.cfg ./myiso/
[root@centos68 tmp]# vim myiso/myks.cfg

Step 4: generate the bootable disc image boot.iso

[root@centos68 tmp]# cd myiso/
[root@centos68 myiso]# mkisofs -R -J -T -v --no-emul-boot --boot-load-size 4 --boot-info-table -V "CentOS 6.8 x86_64 boot" -b isolinux/isolinux.bin -c isolinux/boot.cat -o /root/boot.iso ./
I: -input-charset not specified, using utf-8 (detected in locale settings)
genisoimage 1.1.9 (Linux)
Scanning ./
Scanning ./isolinux
Excluded by match: ./isolinux/boot.cat
Excluded: ./isolinux/TRANS.TBL
Writing:   Initial Padblock                        Start Block 0
Done with: Initial Padblock                        Block(s)    16
Writing:   Primary Volume Descriptor               Start Block 16
Done with: Primary Volume Descriptor               Block(s)    1
Writing:   Eltorito Volume Descriptor              Start Block 17
Size of boot image is 4 sectors -> No emulation
Done with: Eltorito Volume Descriptor              Block(s)    1
Writing:   Joliet Volume Descriptor                Start Block 18
Done with: Joliet Volume Descriptor                Block(s)    1
Writing:   End Volume Descriptor                   Start Block 19
Done with: End Volume Descriptor                   Block(s)    1
Writing:   Version block                           Start Block 20
Done with: Version block                           Block(s)    1
Writing:   Path table                              Start Block 21
Done with: Path table                              Block(s)    4
Writing:   Joliet path table                       Start Block 25
Done with: Joliet path table                       Block(s)    4
Writing:   Directory tree                          Start Block 29
Done with: Directory tree                          Block(s)    2
Writing:   Joliet directory tree                   Start Block 31
Done with: Joliet directory tree                   Block(s)    2
Writing:   Directory tree cleanup                  Start Block 33
Done with: Directory tree cleanup                  Block(s)    0
Writing:   Extension record                        Start Block 33
Done with: Extension record                        Block(s)    1
Writing:   The File(s)                             Start Block 34
 22.37% done, estimate finish Sun Sep 11 12:10:41 2016
 44.66% done, estimate finish Sun Sep 11 12:10:41 2016
 67.02% done, estimate finish Sun Sep 11 12:10:41 2016
 89.29% done, estimate finish Sun Sep 11 12:10:41 2016
Total translation table size: 4703
Total rockridge attributes bytes: 1440
Total directory bytes: 2048
Path table size(bytes): 26
Done with: The File(s)                             Block(s)    22215
Writing:   Ending Padblock                         Start Block 22249
Done with: Ending Padblock                         Block(s)    150
Max brk space used 0
22399 extents written (43 MB)

Step 5: test it

Using the disc image:


Boot the machine from the disc:

Note: the disk space given to the virtual machine must not be smaller than the value specified in the ks template, otherwise the installation fails with an error.


Creating a bootable USB drive

Method 1: write the disc contents directly to the USB drive;

[root@centos68 ~]# dd if=/dev/sr0 of=/dev/sdb
記錄了7649280+0 的讀入
記錄了7649280+0 的寫出
3916431360字節(3.9 GB)已復制,160.877 秒,24.3 MB/秒


2. Install the http service, change the website's default document root to /website, and add an SELinux file-context rule that sets httpd_sys_content_t on /website and all files under it so the site becomes accessible.

Step 1: edit the configuration file to change the default document root:

[root@centos68 ~]# vim /etc/httpd/conf/httpd.conf
# This should be changed to whatever you set DocumentRoot to.
<Directory "/var/www/website">
# symbolic links and aliases may be used to point to other locations.
DocumentRoot "/var/www/website"

Change these two lines so that the directory points at website.

Step 2: restart the service and add a web page

[root@centos68 website]# service httpd restart
停止 httpd:                          [確定]
正在啟動 httpd:httpd: apr_sockaddr_info_get() failed for centos68
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName     [確定]
[root@centos68 website]# echo "hello man" > index.html
[root@centos68 website]# ls
index.html

Step 3: lift the SELinux access restriction, turn off the firewall, and verify access


1. Change the website's port to 9527 and add the SELinux port label so the site remains accessible.

Change the port httpd listens on:

[root@centos68 ~]# semanage port -l | grep http
http_cache_port_t              tcp      3128, 8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989
[root@centos68 ~]# semanage port -a -t http_port_t -p tcp 9527
[root@centos68 ~]# semanage port -l | grep http
http_cache_port_t              tcp      3128, 8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      9527, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989

Edit the configuration file:

#Listen 12.34.56.78:80
Listen 80
Listen 9527

Verify from a Windows browser that the site can be reached:
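Added example (not part of the original post) covering the port labels of II.4 and this exercise: bash functions that look up which type owns a port/protocol in a constructed semanage port -l excerpt, handling both comma-separated lists and ranges such as 10001-10010, and that tell whether -a or -m is the right semanage operation before a service is pointed at a new port. The excerpt is constructed from the output shown on this page.

```bash
#!/bin/bash
# Constructed excerpt of `semanage port -l` (type, protocol, port list; lists may hold ranges).
PORT_SAMPLE='http_cache_port_t              tcp      3128, 8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
tftp_port_t                    udp      69'

# port_type PROTO PORT: print the type whose list covers PORT/PROTO, or return 1 if none
# (on a real host an unlisted port falls back to the generic reserved/unreserved port types).
port_type() {
  local proto=$1 port=$2 type p list item lo hi
  local -a items
  while read -r type p list; do
    [ "$p" = "$proto" ] || continue
    IFS=', ' read -ra items <<<"$list"
    for item in "${items[@]}"; do
      lo=${item%-*}; hi=${item#*-}      # a single port is its own range
      if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
        printf '%s\n' "$type"
        return 0
      fi
    done
  done <<<"$PORT_SAMPLE"
  return 1
}

# needed_semanage PROTO PORT WANT: print the semanage command that makes PORT/PROTO carry
# type WANT: nothing if it already does, -a if the port is unlisted, -m if another type
# already owns it (semanage port -a reports "already defined" in that case).
needed_semanage() {
  local proto=$1 port=$2 want=$3 have
  if have=$(port_type "$proto" "$port"); then
    [ "$have" = "$want" ] && return 0
    printf 'semanage port -m -t %s -p %s %s\n' "$want" "$proto" "$port"
  else
    printf 'semanage port -a -t %s -p %s %s\n' "$want" "$proto" "$port"
  fi
}

needed_semanage tcp 9527 http_port_t    # this exercise: httpd listening on 9527
```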


3. Enable the SELinux boolean that makes user student's home directory accessible over http.

[root@centos68 ~]# semanage boolean -l | grep http
httpd_enable_homedirs          (關 , 關)  Allow httpd to read home directories
[root@centos68 ~]# setsebool httpd_enable_homedirs 1
[root@centos68 ~]# semanage boolean -l | grep httpd_enable_homedirs
httpd_enable_homedirs          (開    ,    關)  Allow httpd to read home directories

Edit the configuration file:

<IfModule mod_userdir.c>
    #UserDir disabled
    UserDir public_html
</IfModule>

<Directory /home/*/public_html>
    AllowOverride FileInfo AuthConfig Limit
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

Going by the format of the configuration file, the file in the home directory needs to be named as follows:

[root@centos68 user1]# echo 43123123 > public_html
