centos中selinux功能及常用服务配置
SELinux: Secure Enhenced Linux
# getenforce
临时启用或禁用:
# setenfoce 0|1
永久性启用,需要修改配置文件
/etc/sysconfig/selinux
设置:SELINUX=permissive
/etc/selinux/config
找到其中的一项:
SELINUX={enforcing|permissive|disabled}
如果本身selinux的状态是disabled需要设置后重启生效
# yum install -y httpd
# ls -ldZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
# ls -lZ /var/www/html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
# touch /tmp/a.txt
# ls -lZ /tmp/a.txt
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/a.txt
2.编辑相关的配置文件
# mkdir /web/htdocs -pv
vim /etc/httpd/conf/httpd.conf
DocumentRoot "/web/htdocs"
<Directory "/web/htdocs">
删除默认的主页
# cd /etc/httpd/conf.d/
# rm welcome.conf
此时网站无法访问,查看文件属性
# ls -ldZ /web/htdocs
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /web/htdocs
# ls -lZ /web/htdocs/
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 index.html
3.使用chcon命令设置文件属性
将新的web目录下的文件参考原web目录属性
# chcon -R --reference=/var/www/html /web/htdocs/
设置后发现网站可以正常访问
还原原有文件属性
# restorecon -R /web/htdocs/
1.安装ftp服务
# setenforce 0
# yum install -y vsftpd
启动服务
# service vsftpd start
selinux中查找ftp相关的属性
# getsebool -a | grep ftp
2.添加用户
# useradd hadoop
# passwd hadoop
客户端连接ftp服务可以使用ls命令
# lftp -u hadoop,hadoop 192.168.8.40
开启selinux
# setenforce 1
# lftp -u hadoop,hadoop 192.168.8.40
lftp hadoop@192.168.8.40:~> ls
ls: 登录失败: 500 OOPS: cannot change directory:/home/hadoop
说明selinux阻止了用户的访问
# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off
3.开启匿名upload权限# vim /etc/vsftpd/vsftpd.conf
anon_upload_enable=YES
anon_other_write_enable=YES
# cd /var/ftp
# mkdir incoming
# setfacl -m u:ftp:rwx /var/ftp/incoming/
# setenforce 0
此时可以上传文件
# setenforce 1 不能上传文件
4.通过setsebool开启匿名上传权限
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> on
# setsebool allow_ftpd_anon_write=1
# setsebool allow_ftpd_full_access=1
# getsebool -a | grep ftp
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> on
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off
1.安装samba服务
# yum install -y samba
启动服务
# service smb start
# service nmb start
新建samba用户
# smbpasswd -a hadoop
# smbclient -L 192.168.8.40 -U hadoop
连接samba服务
# smbclient //192.168.8.40/hadoop -U hadoop
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
共享home目录(可参考/etc/samba/smb.conf文件)
# setsebool -P samba_enable_home_dirs=1
重新访问共享目录
# smbclient //192.168.8.40/hadoop -U hadoop
Enter hadoop's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.23-24.el6_7]
smb: \> ls
. D 0 Mon Mar 7 20:51:44 2016
.. D 0 Mon Mar 7 20:35:12 2016
.bash_profile H 176 Thu Jul 18 21:19:03 2013
inittab 884 Mon Mar 7 20:52:27 2016
.bash_logout H 18 Thu Jul 18 21:19:03 2013
.bashrc H 124 Thu Jul 18 21:19:03 2013
issue 47 Mon Mar 7 20:46:44 2016
51175 blocks of size 524288. 47761 blocks available
加入配置myshared
[myshared]
comment = something
path = /samba/shared
public = yes
browseable = yes
write list = hadoop
语法检查# testparm
重启samba服务
# for i in smb nmb; do service $i restart ; done
访问samba共享,无法列出目录
# smbclient //192.168.8.40/myshared -U hadoop
Enter hadoop's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.23-24.el6_7]
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
改变目录的属性
# chcon -R -t samba_share_t /samba/shared/
再次访问samba共享,可以正常列出目录
# smbclient //192.168.8.40/myshared -U hadoop
Enter hadoop's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.23-24.el6_7]
smb: \> ls
. D 0 Mon Mar 7 21:27:32 2016
.. D 0 Mon Mar 7 21:27:17 2016
fstab 921 Mon Mar 7 21:27:32 2016
51175 blocks of size 524288. 47761 blocks available
常用命令
获取selinux的当前状态:# getenforce
临时启用或禁用:
# setenfoce 0|1
永久性启用,需要修改配置文件
/etc/sysconfig/selinux
设置:SELINUX=permissive
/etc/selinux/config
找到其中的一项:
SELINUX={enforcing|permissive|disabled}
如果本身selinux的状态是disabled需要设置后重启生效
对apache服务的设置
1.安装配置apache软件# yum install -y httpd
# ls -ldZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
# ls -lZ /var/www/html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
# touch /tmp/a.txt
# ls -lZ /tmp/a.txt
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/a.txt
2.编辑相关的配置文件
# mkdir /web/htdocs -pv
vim /etc/httpd/conf/httpd.conf
DocumentRoot "/web/htdocs"
<Directory "/web/htdocs">
删除默认的主页
# cd /etc/httpd/conf.d/
# rm welcome.conf
此时网站无法访问,查看文件属性
# ls -ldZ /web/htdocs
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /web/htdocs
# ls -lZ /web/htdocs/
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 index.html
3.使用chcon命令设置文件属性
将新的web目录下的文件参考原web目录属性
# chcon -R --reference=/var/www/html /web/htdocs/
设置后发现网站可以正常访问
还原原有文件属性
# restorecon -R /web/htdocs/
vsftp服务
1.安装ftp服务
# setenforce 0
# yum install -y vsftpd
启动服务
# service vsftpd start
selinux中查找ftp相关的属性
# getsebool -a | grep ftp
2.添加用户
# useradd hadoop
# passwd hadoop
客户端连接ftp服务可以使用ls命令
# lftp -u hadoop,hadoop 192.168.8.40
开启selinux
# setenforce 1
# lftp -u hadoop,hadoop 192.168.8.40
lftp hadoop@192.168.8.40:~> ls
ls: 登录失败: 500 OOPS: cannot change directory:/home/hadoop
说明selinux阻止了用户的访问
# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off
3.开启匿名upload权限# vim /etc/vsftpd/vsftpd.conf
anon_upload_enable=YES
anon_other_write_enable=YES
# cd /var/ftp
# mkdir incoming
# setfacl -m u:ftp:rwx /var/ftp/incoming/
# setenforce 0
此时可以上传文件
# setenforce 1 不能上传文件
4.通过setsebool开启匿名上传权限
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> on
# setsebool allow_ftpd_anon_write=1
# setsebool allow_ftpd_full_access=1
# getsebool -a | grep ftp
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> on
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off
samba服务
1.安装samba服务
# yum install -y samba
启动服务
# service smb start
# service nmb start
新建samba用户
# smbpasswd -a hadoop
# smbclient -L 192.168.8.40 -U hadoop
连接samba服务
# smbclient //192.168.8.40/hadoop -U hadoop
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
共享home目录(可参考/etc/samba/smb.conf文件)
# setsebool -P samba_enable_home_dirs=1
重新访问共享目录
# smbclient //192.168.8.40/hadoop -U hadoop
Enter hadoop's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.23-24.el6_7]
smb: \> ls
. D 0 Mon Mar 7 20:51:44 2016
.. D 0 Mon Mar 7 20:35:12 2016
.bash_profile H 176 Thu Jul 18 21:19:03 2013
inittab 884 Mon Mar 7 20:52:27 2016
.bash_logout H 18 Thu Jul 18 21:19:03 2013
.bashrc H 124 Thu Jul 18 21:19:03 2013
issue 47 Mon Mar 7 20:46:44 2016
51175 blocks of size 524288. 47761 blocks available
加入配置myshared
[myshared]
comment = something
path = /samba/shared
public = yes
browseable = yes
write list = hadoop
语法检查# testparm
重启samba服务
# for i in smb nmb; do service $i restart ; done
访问samba共享,无法列出目录
# smbclient //192.168.8.40/myshared -U hadoop
Enter hadoop's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.23-24.el6_7]
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
改变目录的属性
# chcon -R -t samba_share_t /samba/shared/
再次访问samba共享,可以正常列出目录
# smbclient //192.168.8.40/myshared -U hadoop
Enter hadoop's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.23-24.el6_7]
smb: \> ls
. D 0 Mon Mar 7 21:27:32 2016
.. D 0 Mon Mar 7 21:27:17 2016
fstab 921 Mon Mar 7 21:27:32 2016
51175 blocks of size 524288. 47761 blocks available