Linux: SELinux experiments

Experiment 1: Change the context type

A file with the wrong security context causes the process that reads it to be denied access.

  1. Enable access to the public directory under the user's home directory

  2. Access fails in enforcing mode

  3. Access succeeds in permissive mode

  4. Check the security context of the default home page file

  5. Change the security context of the file in the user's home directory to match the default home page; after that, access succeeds even in enforcing mode

    [root@bogon ~]# cat /etc/httpd/conf.d/userdir.conf
    #
    # UserDir: The name of the directory that is appended onto a user's home
    # directory if a ~user request is received.
    #
    # The path to the end user account 'public_html' directory must be
    # accessible to the webserver userid.  This usually means that ~userid
    # must have permissions of 711, ~userid/public_html must have permissions
    # of 755, and documents contained therein must be world-readable.
    # Otherwise, the client will only receive a "403 Forbidden" message.
    #
    <IfModule mod_userdir.c>
        #
        # UserDir is disabled by default since it can confirm the presence
        # of a username on the system (depending on home directory
        # permissions).
        #
        # UserDir disabled                          // here

        #
        # To enable requests to /~user/ to serve the user's public_html
        # directory, remove the "UserDir disabled" line above, and uncomment
        # the following line instead:
        #
        UserDir public                              // here
    </IfModule>

    #
    # Control access to UserDir directories.  The following is an example
    # for a site where these directories are restricted to read-only.
    #
    <Directory "/home/*/public">                    // here
        AllowOverride FileInfo AuthConfig Limit Indexes
        Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
        Require method GET POST OPTIONS
    </Directory>
    [root@bogon ~]# mkdir /home/student/public
    [root@bogon ~]# setenforce 0
    [root@bogon ~]# echo "bank ID: 1111111 bank password: 111111" > /home/student/public/bank_info
    [root@bogon ~]# echo "finance informatio Do not show this to anyone but yourself" >> /home/student/public/bank_info
    [root@bogon ~]# cat /home/student/public/bank_info
    bank ID: 1111111 bank password: 111111
    finance informatio Do not show this to anyone but yourself
    [root@bogon ~]# systemctl status httpd
    ● httpd.service - The Apache HTTP Server
       Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
       Active: active (running) since Thu 2024-04-25 22:59:18 PDT; 2h 1min ago
         Docs: man:httpd.service(8)
     Main PID: 1439 (httpd)
       Status: "Running, listening on: port 443, port 80"
        Tasks: 213 (limit: 11315)
       Memory: 35.5M
       CGroup: /system.slice/httpd.service
               ├─1439 /usr/sbin/httpd -DFOREGROUND
               ├─2264 /usr/sbin/httpd -DFOREGROUND
               ├─2265 /usr/sbin/httpd -DFOREGROUND
               ├─2266 /usr/sbin/httpd -DFOREGROUND
               └─2267 /usr/sbin/httpd -DFOREGROUND

    Apr 25 22:59:02 bogon systemd[1]: Starting The Apache HTTP Server...
    Apr 25 22:59:18 bogon httpd[1439]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, usi>
    Apr 25 22:59:18 bogon systemd[1]: Started The Apache HTTP Server.
    Apr 25 22:59:28 bogon httpd[1439]: Server configured, listening on: port 443, port 80
    [root@bogon ~]# systemctl restart httpd
    [root@bogon ~]# chmod 705 /home/student/
    [root@bogon ~]# ll /home/student/public/ -d
    drwxr-xr-x. 2 root root 23 Apr 26 00:59 /home/student/public/
    [root@bogon ~]# curl http://127.0.0.1/~student/bank_info
    bank ID: 1111111 bank password: 111111
    finance informatio Do not show this to anyone but yourself
    [root@bogon ~]# chmod 000 /home/student/public/bank_info
    [root@bogon ~]# curl http://127.0.0.1/~student/bank_info
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>403 Forbidden</title>
    </head><body>
    <h1>Forbidden</h1>
    <p>You don't have permission to access /~student/bank_info
    on this server.<br />
    </p>
    </body></html>
    [root@bogon ~]# echo "public stuff" >> /home/student/public/index.html
    [root@bogon ~]# curl http://127.0.0.1/~student/index.html
    public stuff
    [root@bogon ~]# chmod -R 755 /home/student/public/
    [root@bogon ~]# curl http://127.0.0.1/~student/index.html
    public stuff
    [root@bogon ~]# curl http://127.0.0.1/~student/bank_info
    bank ID: 1111111 bank password: 111111
    finance informatio Do not show this to anyone but yourself

Switch SELinux back to enforcing mode

[root@bogon ~]# setenforce 1
[root@bogon ~]# curl http://127.0.0.1/~student/bank_info
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /~student/bank_info
on this server.<br />
</p>
</body></html>
[root@bogon ~]# ps -elfZ | grep httpd | head -1
system_u:system_r:httpd_t:s0    4 S root      5530      1  0  80   0 - 71780 core_s 01:05 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
[root@bogon ~]# ll -Z /var/www/html/index.html
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 26 Apr 24 20:05 /var/www/html/index.html
[root@bogon ~]# ll -Z /home/student/public/index.html
-rw-r--r--. 1 root root unconfined_u:object_r:user_home_t:s0 13 Apr 26 01:09 /home/student/public/index.html
[root@bogon ~]# chcon -t httpd_sys_content_t /home/student/public/index.html
[root@bogon ~]# ll -Z /home/student/public/index.html
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 13 Apr 26 01:09 /home/student/public/index.html
[root@bogon ~]# curl http://127.0.0.1/~student/index.html
public stuff

Making the context change permanent

semanage fcontext -a -t httpd_sys_content_t "/path/to/some(/.*)?"

chcon only rewrites the label currently on disk and is undone by the next relabel; semanage fcontext records the rule in the policy, and restorecon then applies that rule to the files that already exist.
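The check below is an added example (editor's code, not from the original post): it scans `ll -Z` style output for files whose type httpd_t is not allowed to read, which is the mismatch experiment 1 found by eye (user_home_t on the user's index.html versus httpd_sys_content_t on /var/www/html). The listing is constructed sample input in the page's format, and the allow-list of readable types is the editor's assumption rather than something the page states.

```sh
#!/bin/sh
# Added example (editor's code, not from the original post). Scan `ls -lZ`
# output for files whose SELinux type is not one httpd_t may read, and print
# the persistent fix for each. SAMPLE_LISTING is constructed sample input in
# the page's `ll -Z` format (the first three lines copy values from the page).
SAMPLE_LISTING='-rw-r--r--. 1 root root unconfined_u:object_r:user_home_t:s0 13 Apr 26 01:09 /home/student/public/index.html
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 26 Apr 24 20:05 /var/www/html/index.html
-rw-r--r--. 1 root root unconfined_u:object_r:default_t:s0 36 Apr 26 02:06 /aaa/bbb/ccc/index.html
-rw-r--r--. 1 apache apache system_u:object_r:httpd_sys_rw_content_t:s0 0 Apr 26 02:18 /var/www/html/data/upload.txt'

# Types httpd_t may read in the default targeted policy (editor's allow-list,
# an assumption; extend it if your policy grants more).
HTTPD_READABLE_TYPES='httpd_sys_content_t httpd_sys_rw_content_t httpd_sys_ra_content_t httpd_user_content_t'

# find_mislabeled: read `ls -lZ` lines on stdin; print "<path> <type>" for each
# file or directory whose type is outside HTTPD_READABLE_TYPES. Field 5 is
# user:role:type:level, so the type is its third component; the path is the
# last field.
find_mislabeled() {
    awk -v ok="$HTTPD_READABLE_TYPES" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
        NF >= 10 && $1 ~ /^[-d]/ {
            split($5, ctx, ":")
            if (!(ctx[3] in allowed)) print $NF, ctx[3]
        }'
}

# persistent_fix PATH: the two commands that make the correction survive a
# relabel; chcon alone (as used in the experiment) does not.
persistent_fix() {
    printf "semanage fcontext -a -t httpd_sys_content_t '%s'\nrestorecon -v '%s'\n" "$1" "$1"
}

# On a live host replace the sample with: ls -lZ /home/student/public | find_mislabeled
printf '%s\n' "$SAMPLE_LISTING" | find_mislabeled | while read -r path type; do
    echo "$path has type $type, which httpd_t cannot read:"
    persistent_fix "$path"
done
```

Run against the sample it reports the two files labelled user_home_t and default_t and leaves the two httpd content types alone; on a real host pipe `ls -lZ` of the served directory into find_mislabeled instead.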

Experiment 2: Change the port

  1. Change the default port to 119
  2. Startup fails in enforcing mode
  3. Change the port's security context
  4. Startup succeeds and the server is reachable

ss shows sockets

  • -a: show all sockets.
  • -n: do not resolve service names (do not translate port numbers into service names).
  • -p: show the process associated with each socket.
  • -u: show UDP sockets (note: the original question did not include -u, but when inspecting sockets one usually wants TCP and UDP together, so it is mentioned here).
  • -t: show TCP sockets.
  • -Z: show the SELinux security context associated with each socket.

The following command modifies the SELinux policy so that the http_port_t type is allowed on TCP port 119.

[root@bogon ~]# semanage port -m -t http_port_t -p tcp 119

  • semanage: the SELinux management tool, used to query and modify the SELinux policy.
  • port: the part of the policy being operated on is port labelling.
  • -m: modify an existing record. It is needed here because TCP port 119 already carries a type in the default targeted policy (innd_port_t); with -a semanage would report that the port is already defined.
  • -t http_port_t: the security context type to associate with the port is http_port_t. http_port_t is the type used for HTTP services and covers port 80 by default.
  • -p tcp: the protocol being operated on is TCP.
  • 119: the port number to modify.

    [root@bogon ~]# vim /etc/httpd/conf/httpd.conf
    # change to
    Listen 119
    [root@bogon ~]# ss -anput | grep 119
    [root@bogon ~]# systemctl stop httpd
    [root@bogon ~]# systemctl start httpd
    Job for httpd.service failed because the control process exited with error code.
    See "systemctl status httpd.service" and "journalctl -xe" for details.
    [root@bogon ~]# setenforce 0
    [root@bogon ~]# systemctl start httpd
    [root@bogon ~]# ss -anput | grep 119
    tcp   LISTEN   0   128   *:119   *:*   users:(("httpd",pid=6558,fd=4))
    [root@bogon ~]# ss -anputZ | grep 119
    tcp   LISTEN   0   128   *:119   *:*   users:(("httpd",pid=6584,proc_ctx=system_u:system_r:httpd_t:s0,fd=4),("httpd",pid=6583,proc_ctx=system_u:system_r:httpd_t:s0,fd=4),("httpd",pid=6582,proc_ctx=system_u:system_r:httpd_t:s0,fd=4),("httpd",pid=6558,proc_ctx=system_u:system_r:httpd_t:s0,fd=4))
    [root@bogon ~]# setenforce 1
    [root@bogon ~]# systemctl restart httpd
    Job for httpd.service failed because the control process exited with error code.
    See "systemctl status httpd.service" and "journalctl -xe" for details.
    [root@bogon ~]# semanage port -l | grep 80 | grep http
    http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
    http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
    [root@bogon ~]# semanage port -m -t http_port_t -p tcp 119
    [root@bogon ~]# systemctl start httpd
    [root@bogon ~]# ss -antup | grep http
    tcp   LISTEN   0   128   *:119   *:*   users:(("httpd",pid=7024,fd=4),("httpd",pid=7023,fd=4),("httpd",pid=7022,fd=4),("httpd",pid=7006,fd=4))
    tcp   LISTEN   0   128   *:443   *:*   users:(("httpd",pid=7024,fd=9),("httpd",pid=7023,fd=9),("httpd",pid=7022,fd=9),("httpd",pid=7006,fd=9))
    [root@bogon ~]# curl http://127.0.0.1:119
    test for my apache server
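As an added example (editor's code, not from the original post), the check below does before the edit what the session above discovered by trial: it parses `semanage port -l` output and tells whether a port is already http_port_t, is unlabelled (so -a would work), or belongs to another type (so -m is required, as it was for 119). The listing is constructed sample input in the format shown above; the two http lines copy the page's values, and the innd_port_t line reflects the default targeted policy's owner of TCP 119.

```sh
#!/bin/sh
# Added example (editor's code, not from the original post). Decide which
# semanage port form lets httpd listen on a port, from `semanage port -l`
# output. SAMPLE_PORT_LIST is constructed sample input in that format.
SAMPLE_PORT_LIST='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
innd_port_t                    tcp      119'

# labels_for_port PROTO PORT: read `semanage port -l` lines on stdin and print
# every type whose list (single ports and lo-hi ranges) contains PORT.
labels_for_port() {
    awk -v proto="$1" -v want="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (index(p, "-") > 0) { split(p, r, "-"); lo = r[1] + 0; hi = r[2] + 0 }
                else { lo = p + 0; hi = lo }
                if (want + 0 >= lo && want + 0 <= hi) { print $1; break }
            }
        }'
}

# recommend PROTO PORT: print the semanage command httpd needs for PORT, or say
# none is needed. -m is required when another type already owns the port;
# semanage port -a would refuse with "already defined".
recommend() {
    labels=$(labels_for_port "$1" "$2" | tr '\n' ' ')
    case " $labels" in
        *" http_port_t "*) echo "no change: $1/$2 already http_port_t" ;;
        " ")               echo "semanage port -a -t http_port_t -p $1 $2" ;;
        *)                 echo "semanage port -m -t http_port_t -p $1 $2" ;;
    esac
}

# On a live host: semanage port -l | recommend tcp 119
for port in 119 8443 10005 8081; do
    printf '%s\n' "$SAMPLE_PORT_LIST" | recommend tcp "$port"
done
```

For the sample, 119 (owned by innd_port_t) and 10005 (inside the http_cache_port_t range) get the -m form, 8443 needs no change, and 8081, which no type lists, gets -a.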

Viewing the SELinux log

[root@bogon ~]# vim /etc/httpd/conf/httpd.conf
# change back to
Listen 80
[root@bogon ~]# mkdir -p /aaa/bbb/ccc
[root@bogon ~]# systemctl restart httpd
[root@bogon ~]# ll -Z /aaa/bbb/ccc/
total 0
[root@bogon ~]# ll -Z /aaa/bbb
total 0
drwxr-xr-x. 2 root root unconfined_u:object_r:default_t:s0 6 Apr 26 02:04 ccc
[root@bogon ~]# ll -Z /aaa/
total 0
drwxr-xr-x. 3 root root unconfined_u:object_r:default_t:s0 17 Apr 26 02:04 bbb
[root@bogon ~]# ll -dZ /aaa
drwxr-xr-x. 3 root root unconfined_u:object_r:default_t:s0 17 Apr 26 02:04 /aaa
[root@bogon ~]# echo "test for web changed root directory" > /aaa/bbb/ccc/index.html
[root@bogon ~]# ll -Z /aaa/bbb/ccc/
total 4
-rw-r--r--. 1 root root unconfined_u:object_r:default_t:s0 36 Apr 26 02:06 index.html
[root@bogon ~]# curl -I http://127.0.0.1
HTTP/1.1 403 Forbidden
Date: Fri, 26 Apr 2024 09:06:52 GMT
Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1c
Last-Modified: Mon, 02 Dec 2019 14:13:26 GMT
ETag: "f91-598b92eda8d80"
Accept-Ranges: bytes
Content-Length: 3985
Content-Type: text/html; charset=UTF-8

Search the log for entries related to httpd and /aaa/bbb/ccc/index.html

[root@bogon ~]# grep setroubleshoot /var/log/messages | tail -3
Apr 26 02:07:00 bogon setroubleshoot[7958]: SELinux is preventing httpd from getattr access on the file /aaa/bbb/ccc/index.html. For complete SELinux messages run: sealert -l 9ab42520-150a-456e-b665-d4eb2ba8c344
Apr 26 02:07:00 bogon setroubleshoot[7958]: failed to retrieve rpm info for /aaa/bbb/ccc/index.html
Apr 26 02:07:04 bogon setroubleshoot[7958]: SELinux is preventing httpd from getattr access on the file /aaa/bbb/ccc/index.html. For complete SELinux messages run: sealert -l 9ab42520-150a-456e-b665-d4eb2ba8c344
# The sealert command after "run:" shows the full SELinux alert directly; copy that command exactly to get the complete output
[root@bogon ~]# sealert -l 9ab42520-150a-456e-b665-d4eb2ba8c344
SELinux is preventing httpd from getattr access on the file /aaa/bbb/ccc/index.html.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************    # highest confidence

If you want to allow httpd to have getattr access on the index.html file
Then you need to change the label on /aaa/bbb/ccc/index.html
Do
# semanage fcontext -a -t FILE_TYPE '/aaa/bbb/ccc/index.html'
# (the list of candidate labels is omitted here; the commands to run are the semanage line above and the restorecon line below)
Then execute:
restorecon -v '/aaa/bbb/ccc/index.html'

*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that httpd should be allowed getattr access on the index.html file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -X 300 -i my-httpd.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:default_t:s0
Target Objects                /aaa/bbb/ccc/index.html [ file ]
Source                        httpd
Source Path                   httpd
Port                          <Unknown>
Host                          bogon
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.3-41.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     bogon
Platform                      Linux bogon 4.18.0-193.el8.x86_64 #1 SMP Fri Mar 27 14:35:58 UTC 2020 x86_64 x86_64
Alert Count                   2
First Seen                    2024-04-26 02:06:52 PDT
Last Seen                     2024-04-26 02:06:52 PDT
Local ID                      9ab42520-150a-456e-b665-d4eb2ba8c344

Raw Audit Messages
type=AVC msg=audit(1714122412.579:249): avc:  denied  { getattr } for  pid=7670 comm="httpd" path="/aaa/bbb/ccc/index.html" dev="nvme0n1p3" ino=1841676 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0

Hash: httpd,httpd_t,default_t,file,getattr
[root@bogon ~]# semanage fcontext -a -t httpd_sys_content_t '/aaa/bbb/ccc(/.*)?'   # every file under /aaa/bbb/ccc now defaults to the context httpd_sys_content_t
[root@bogon ~]# restorecon -Rvv /aaa/bbb/ccc/
# output omitted
[root@bogon ~]# touch /aaa/bbb/ccc/{a,c,b}.html
[root@bogon ~]# ll -Z /aaa/bbb/ccc/
total 4
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0  0 Apr 26 02:18 a.html
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0  0 Apr 26 02:18 b.html
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0  0 Apr 26 02:18 c.html
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 36 Apr 26 02:06 index.html
[root@bogon ~]# curl -I http://127.0.0.1/a.html
HTTP/1.1 200 OK
Date: Fri, 26 Apr 2024 09:20:14 GMT
Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1c
Last-Modified: Fri, 26 Apr 2024 09:18:55 GMT
ETag: "0-616fc64933954"
Accept-Ranges: bytes
Content-Type: text/html; charset=UTF-8
[root@bogon ~]# curl -I http://127.0.0.1/b.html
HTTP/1.1 200 OK
Date: Fri, 26 Apr 2024 09:20:17 GMT
Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1c
Last-Modified: Fri, 26 Apr 2024 09:18:55 GMT
ETag: "0-616fc64933954"
Accept-Ranges: bytes
Content-Type: text/html; charset=UTF-8
[root@bogon ~]# curl -I http://127.0.0.1/c.html
HTTP/1.1 200 OK
Date: Fri, 26 Apr 2024 09:20:20 GMT
Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1c
Last-Modified: Fri, 26 Apr 2024 09:18:55 GMT
ETag: "0-616fc64933954"
Accept-Ranges: bytes
Content-Type: text/html; charset=UTF-8

[root@bogon ~]# semanage fcontext -a -t httpd_sys_content_t '/aaa/bbb/ccc(/.*)?'   # every file under /aaa/bbb/ccc now defaults to the context httpd_sys_content_t
restorecon -Rvv /aaa/bbb/ccc/
restorecon resets files or directories to their default security context, i.e. the one the fcontext rules now define; -R recurses into the directory and -v reports each change.

Experiment 3: Observe the smb log

  1. Configure an SMB share; the shared directory on the server is /smb/public
  2. Keep SELinux in enforcing mode
  3. Run the command the SELinux log provides directly
  4. Search /var/log/messages for entries related to samba and setroubleshoot
  5. That gives a sealert command; from its output, find the highest-confidence solution and run the instructions it gives
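The script below is an added example (editor's code, not from the original post) covering both the httpd log walk-through above and the samba task in experiment 3: it pulls the fields that matter out of raw AVC records in the format sealert printed (source type, permission, target type, object class, target) and maps each to the fix class the catchall_labels plugin proposes. The audit records are constructed sample input: the first copies the page's httpd denial, the second is an invented record of the kind the port-119 failure in experiment 2 produces, and the third is an invented smbd denial on a default_t directory like /smb/public. The service-to-content-type mapping (httpd_t to httpd_sys_content_t, smbd_t to samba_share_t) is the editor's assumption.

```sh
#!/bin/sh
# Added example (editor's code, not from the original post). Summarise raw AVC
# denials and propose the relabel that sealert's catchall_labels plugin would.
# SAMPLE_AUDIT is constructed sample input in the audit.log / sealert format.
SAMPLE_AUDIT='type=AVC msg=audit(1714122412.579:249): avc:  denied  { getattr } for  pid=7670 comm="httpd" path="/aaa/bbb/ccc/index.html" dev="nvme0n1p3" ino=1841676 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1714122500.100:260): avc:  denied  { name_bind } for  pid=7006 comm="httpd" src=119 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:innd_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1714123000.500:275): avc:  denied  { read } for  pid=8102 comm="smbd" name="public" dev="nvme0n1p3" ino=1900001 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0'

# avc_summary: one line per AVC record on stdin:
#   <source type> <permission> <target type> <object class> <target>
# The permission is the word inside { }; the types are the third component of
# scontext= and tcontext=; the target is path=, else src= (a port), else name=.
avc_summary() {
    awk '
        /^type=AVC/ {
            split("", kv); perm = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{") { perm = $(i + 1); continue }
                eq = index($i, "=")
                if (eq == 0) continue
                k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
                gsub(/"/, "", v)
                kv[k] = v
            }
            split(kv["scontext"], s, ":"); split(kv["tcontext"], t, ":")
            target = (kv["path"] != "") ? kv["path"] : ((kv["src"] != "") ? kv["src"] : kv["name"])
            printf "%s %s %s %s %s\n", s[3], perm, t[3], kv["tclass"], target
        }'
}

# content_type_for / port_type_for: the labels each confined service expects
# (editor's mapping for the services on this page; others get the placeholder
# sealert itself prints).
content_type_for() {
    case "$1" in
        httpd_t) echo httpd_sys_content_t ;;
        smbd_t)  echo samba_share_t ;;
        *)       echo FILE_TYPE ;;
    esac
}
port_type_for() {
    case "$1" in
        httpd_t) echo http_port_t ;;
        *)       echo PORT_TYPE ;;
    esac
}

# diagnose: classify each summary line as a file/dir relabel, a port relabel,
# or something to read the full sealert output for before touching policy.
diagnose() {
    while read -r stype perm ttype tclass target; do
        case "$tclass:$perm" in
            file:*|dir:*|lnk_file:*)
                echo "relabel $target ($ttype): semanage fcontext -a -t $(content_type_for "$stype") '$target'; restorecon -v '$target'" ;;
            tcp_socket:name_bind|udp_socket:name_bind)
                proto=${tclass%_socket}
                echo "relabel port $proto/$target ($ttype): semanage port -m -t $(port_type_for "$stype") -p $proto $target" ;;
            *)
                echo "investigate: $stype denied $perm on $tclass $target; read sealert before writing a local module" ;;
        esac
    done
}

# On a live host: ausearch -m AVC --raw | avc_summary | diagnose
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary | diagnose
```

The classification follows the order sealert itself uses: a wrong label on the object (file, directory or port) is the high-confidence fix, and only denials that are not label problems deserve the audit2allow route, which grants the access permanently and should not be the first resort.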