Linux——selinux实验

实验一:修改上下文类型

文件的上下文不正确,导致进程访问失败

  1. 启用用户宿主目录 public 目录的访问

  2. 在严格模式访问失败

  3. 宽容该模式下访问成功

  4. 检查默认主页文件的安全上下文

  5. 修改用户家目录下的文件的安全上下文和默认主页文件一致,即使严格模式下,访问也是成功的

    [root@bogon ~]# cat /etc/httpd/conf.d/userdir.conf

    UserDir: The name of the directory that is appended onto a user's home

    directory if a ~user request is received.

    The path to the end user account 'public_html' directory must be

    accessible to the webserver userid. This usually means that ~userid

    must have permissions of 711, ~userid/public_html must have permissions

    of 755, and documents contained therein must be world-readable.

    Otherwise, the client will only receive a "403 Forbidden" message.

    # # UserDir is disabled by default since it can confirm the presence # of a username on the system (depending on home directory # permissions). # # UserDir disabled // 这里 # # To enable requests to /~user/ to serve the user's public_html # directory, remove the "UserDir disabled" line above, and uncomment # the following line instead: # UserDir public// 这里 # # Control access to UserDir directories. The following is an example # for a site where these directories are restricted to read-only. # // 这里 AllowOverride FileInfo AuthConfig Limit Indexes Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec Require method GET POST OPTIONS [root@bogon ~]# mkdir /home/student/public [root@bogon ~]# setenforce 0 [root@bogon ~]# echo "bank ID: 1111111 bank password: 111111" > /home/student/public/bank_info [root@bogon ~]# echo "finance informatio Do not show this to anyone but yourself" >> /home/student/public/bank_info [root@bogon ~]# cat /home/student/public/bank_info bank ID: 1111111 bank password: 111111 finance informatio Do not show this to anyone but yourself [root@bogon ~]# systemctl status httpd ● httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled) Active: active (running) since Thu 2024-04-25 22:59:18 PDT; 2h 1min ago Docs: man:httpd.service(8) Main PID: 1439 (httpd) Status: "Running, listening on: port 443, port 80" Tasks: 213 (limit: 11315) Memory: 35.5M CGroup: /system.slice/httpd.service ├─1439 /usr/sbin/httpd -DFOREGROUND ├─2264 /usr/sbin/httpd -DFOREGROUND ├─2265 /usr/sbin/httpd -DFOREGROUND ├─2266 /usr/sbin/httpd -DFOREGROUND └─2267 /usr/sbin/httpd -DFOREGROUND Apr 25 22:59:02 bogon systemd[1]: Starting The Apache HTTP Server... Apr 25 22:59:18 bogon httpd[1439]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, usi> Apr 25 22:59:18 bogon systemd[1]: Started The Apache HTTP Server. Apr 25 22:59:28 bogon httpd[1439]: Server configured, listening on: port 443, port 80 [root@bogon ~]# systemctl restart httpd [root@bogon ~]# chmod 705 /home/student/ [root@bogon ~]# ll /home/student/public/ -d drwxr-xr-x. 2 root root 23 Apr 26 00:59 /home/student/public/ [root@bogon ~]# curl http://127.0.0.1/~student/bank_info bank ID: 1111111 bank password: 111111 finance informatio Do not show this to anyone but yourself [root@bogon ~]# chmod 000 /home/student/public/bank_info [root@bogon ~]# curl http://127.0.0.1/~student/bank_info 403 Forbidden

    Forbidden

    You don't have permission to access /~student/bank_info on this server.

    [root@bogon ~]# echo "public stuff" >> /home/student/public/index.html [root@bogon ~]# curl http://127.0.0.1/~student/index.html public stuff [root@bogon ~]# chmod -R 755 /home/student/public/ [root@bogon ~]# curl http://127.0.0.1/~student/index.html public stuff [root@bogon ~]# curl http://127.0.0.1/~student/bank_info bank ID: 1111111 bank password: 111111 finance informatio Do not show this to anyone but yourself

打开防火墙

复制代码
[root@bogon ~]# setenforce 1
[root@bogon ~]# curl http://127.0.0.1/~student/bank_info
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /~student/bank_info
on this server.<br />
</p>
</body></html>
[root@bogon ~]# ps -elfZ | grep httpd | head -1
system_u:system_r:httpd_t:s0 4 S root 5530 1 0 80 0 -
71780 core_s 01:05 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
[root@bogon ~]# ll -Z /var/www/html/index.html
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 26
Apr 24 20:05 /var/www/html/index.html
[root@bogon ~]# ll -Z /home/student/public/index.html
-rw-r--r--. 1 root root unconfined_u:object_r:user_home_t:s0 13 Apr 26
01:09 /home/student/public/index.html
[root@bogon ~]# chcon -t httpd_sys_content_t
/home/student/public/index.html
[root@bogon ~]# ll -Z /home/student/public/index.html
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 13
Apr 26 01:09 /home/student/public/index.html
[root@bogon ~]# curl http://127.0.0.1/~student/index.html
public stuff

永久修改上下文类型
semanage fcontext -a -t httpd_sys_content_t "/path/to/some(/.*)?"

实验二修改端口

  1. 修改默认端口为 119
  2. 严格模式启动失败
  3. 修改端口安全上下文
  4. 启动成功,且能够访问

ss 显示套接字

  • -a: 显示所有套接字。
  • -n: 不解析服务名称(即不尝试将端口号转换为服务名)。
  • -p: 显示与每个套接字关联的进程信息。
  • -u: 显示 UDP 套接字(注意:原问题中没有 -u 选项,但通常在查看套接字信息时,用户可能会想同时查看 TCP 和 UDP 套接字,因此这里提及一下)。
  • -t: 显示 TCP 套接字。
  • -Z: 显示与套接字关联的 SELinux 安全上下文。

用于修改SELinux策略以允许http_port_t类型用于TCP端口119。

root@bogon \~# semanage port -m -t http_port_t -p tcp 119

  • semanage: 是SELinux管理工具,用于查询和修改SELinux策略。
  • port: 表示我们正在操作的是端口相关的策略。
  • -m: 这个选项表示我们要修改一个现有的策略规则。
  • -t http_port_t: 指定我们要关联到端口的安全上下文类型为http_port_t。通常,http_port_t用于HTTP服务,默认关联到80端口。
  • -p tcp: 指定我们操作的协议是TCP。
  • 119: 是我们要修改的端口号。

    [root@bogon ~]# vim /etc/httpd/conf/httpd.conf

    修改

    Listen 119
    [root@bogon ~]# ss -anput | grep 119
    [root@bogon ~]# systemctl stop httpd
    [root@bogon ~]# systemctl start httpd
    Job for httpd.service failed because the control process exited with error
    code.
    See "systemctl status httpd.service" and "journalctl -xe" for details.
    [root@bogon ~]# setenforce 0
    [root@bogon ~]# systemctl start httpd
    [root@bogon ~]# ss -anput | grep 119
    tcp LISTEN 0 128 *:119 :
    users:(("httpd",pid=6558,fd=4))
    [root@bogon ~]# ss -anputZ | grep 119
    tcp LISTEN 0 128 *:119 :
    users:(("httpd",pid=6584,proc_ctx=system_u:system_r:httpd_t:s0,fd=4),
    ("httpd",pid=6583,proc_ctx=system_u:system_r:httpd_t:s0,fd=4),
    ("httpd",pid=6582,proc_ctx=system_u:system_r:httpd_t:s0,fd=4),
    ("httpd",pid=6558,proc_ctx=system_u:system_r:httpd_t:s0,fd=4))
    [root@bogon ~]# setenforce 1
    [root@bogon ~]# systemctl restart httpd
    Job for httpd.service failed because the control process exited with error
    code.
    See "systemctl status httpd.service" and "journalctl -xe" for details.
    [root@bogon ~]# semanage port -l | grep 80 | grep http
    http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
    http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443,
    9000
    [root@bogon ~]# semanage port -m -t http_port_t -p tcp 119
    [root@bogon ~]# systemctl start httpd
    [root@bogon ~]# ss -antup | grep http
    tcp LISTEN 0 128 *:119 :
    users:(("httpd",pid=7024,fd=4),("httpd",pid=7023,fd=4),
    ("httpd",pid=7022,fd=4),("httpd",pid=7006,fd=4))
    tcp LISTEN 0 128 *:443 :
    users:(("httpd",pid=7024,fd=9),("httpd",pid=7023,fd=9),
    ("httpd",pid=7022,fd=9),("httpd",pid=7006,fd=9))
    [root@bogon ~]# curl http://127.0.0.1:119
    test for my apache server
    Job for httpd.service failed because the control process exited with error
    code.
    See "systemctl status httpd.service" and "journalctl -xe" for details.
    [root@bogon ~]# semanage port -l | grep 80 | grep http
    http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
    http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443,
    9000
    [root@bogon ~]# semanage port -m -t http_port_t -p tcp 119
    [root@bogon ~]# systemctl start httpd
    [root@bogon ~]# ss -antup | grep http
    tcp LISTEN 0 128 *:119 :
    users:(("httpd",pid=7024,fd=4),("httpd",pid=7023,fd=4),
    ("httpd",pid=7022,fd=4),("httpd",pid=7006,fd=4))
    tcp LISTEN 0 128 *:443 :
    users:(("httpd",pid=7024,fd=9),("httpd",pid=7023,fd=9),
    ("httpd",pid=7022,fd=9),("httpd",pid=7006,fd=9))
    [root@bogon ~]# curl http://127.0.0.1:119
    test for my apache server

查看selinux日志

复制代码
[root@bogon ~]# vim /etc/httpd/conf/httpd.conf
# 修改
Listen 80
复制代码
[root@bogon ~]# mkdir -p /aaa/bbb/ccc
[root@bogon ~]# systemctl restart httpd
[root@bogon ~]# ll -Z /aaa/bbb/ccc/
total 0
[root@bogon ~]# ll -Z /aaa/bbb
total 0
drwxr-xr-x. 2 root root unconfined_u:object_r:default_t:s0 6 Apr 26 02:04
ccc
[root@bogon ~]# ll -Z /aaa/
total 0
drwxr-xr-x. 3 root root unconfined_u:object_r:default_t:s0 17 Apr 26 02:04bbb
[root@bogon ~]# ll -dZ /aaa
drwxr-xr-x. 3 root root unconfined_u:object_r:default_t:s0 17 Apr 26 02:04/aaa
[root@bogon ~]# echo "test for web changed root directory" >
/aaa/bbb/ccc/index.html
[root@bogon ~]# ll -Z /aaa/bbb/ccc/
total 4
-rw-r--r--. 1 root root unconfined_u:object_r:default_t:s0 36 Apr 26 02:06index.html
[root@bogon ~]# curl -I http://127.0.0.1
HTTP/1.1 403 Forbidden
Date: Fri, 26 Apr 2024 09:06:52 GMT
Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1c
Last-Modified: Mon, 02 Dec 2019 14:13:26 GMT
ETag: "f91-598b92eda8d80"
Accept-Ranges: bytes
Content-Length: 3985
Content-Type: text/html; charset=UTF-8

日志查找和 httpd 和 /aaa/bbb/ccc/index.html 相关的日志

复制代码
[root@bogon ~]# grep setroubleshoot /var/log/messages | tail -3
Apr 26 02:07:00 bogon setroubleshoot[7958]: SELinux is preventing httpd
from getattr access on the file /aaa/bbb/ccc/index.html. For complete
SELinux messages run: sealert -l 9ab42520-150a-456e-b665-d4eb2ba8c344
Apr 26 02:07:00 bogon setroubleshoot[7958]: failed to retrieve rpm info
for /aaa/bbb/ccc/index.html
Apr 26 02:07:04 bogon setroubleshoot[7958]: SELinux is preventing httpd
from getattr access on the file /aaa/bbb/ccc/index.html. For complete
SELinux messages run: sealert -l 9ab42520-150a-456e-b665-d4eb2ba8c344
# run 后面的sealert 命令就是直接查看selinux日志的命令 完整复制这条指令,或得全部输出
[root@bogon ~]# sealert -l 9ab42520-150a-456e-b665-d4eb2ba8c344
SELinux is preventing httpd from getattr access on the file
/aaa/bbb/ccc/index.html.
***** Plugin catchall_labels (83.8 confidence) suggests
******************* # 可能性最高
If you want to allow httpd to have getattr access on the index.html file
Then you need to change the label on /aaa/bbb/ccc/index.html
Do
# semanage fcontext -a -t FILE_TYPE '/aaa/bbb/ccc/index.html'
# 此处省略一些标签的输出,需要执行的命令包括上面的semanage 和 下面的restorecon
Then execute:
restorecon -v '/aaa/bbb/ccc/index.html'
***** Plugin catchall (17.1 confidence) suggests
**************************
If you believe that httpd should be allowed getattr access on the
index.html file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -X 300 -i my-httpd.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:default_t:s0
Target Objects /aaa/bbb/ccc/index.html [ file ]
Source httpd
Source Path httpd
Port <Unknown>
Host bogon
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.3-41.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name bogon
Platform Linux bogon 4.18.0-193.el8.x86_64 #1 SMP Fri
Mar
27 14:35:58 UTC 2020 x86_64 x86_64
Alert Count 2
First Seen 2024-04-26 02:06:52 PDT
Last Seen 2024-04-26 02:06:52 PDT
Local ID 9ab42520-150a-456e-b665-d4eb2ba8c344
Raw Audit Messages
type=AVC msg=audit(1714122412.579:249): avc: denied { getattr } for
pid=7670 comm="httpd" path="/aaa/bbb/ccc/index.html" dev="nvme0n1p3"
ino=1841676 scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
Hash: httpd,httpd_t,default_t,file,getattr
[root@bogon ~]# semanage fcontext -a -t httpd_sys_content_t '/aaa/bbb/ccc(/.*)?' #/aaa/bbb/ccc下所有的文件都具有默认的上下文
httpd_sys_content_t
[root@bogon ~]# restorecon -Rvv /aaa/bbb/ccc/
# 输出省略
[root@bogon ~]# touch /aaa/bbb/ccc/{a,c,b}.html
[root@bogon ~]# ll -Z /aaa/bbb/ccc/
total 4
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 0
Apr 26 02:18 a.html
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 0
Apr 26 02:18 b.html
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 0
Apr 26 02:18 c.html
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 36
Apr 26 02:06 index.html
[root@bogon ~]# curl -I http://127.0.0.1/a.html
HTTP/1.1 200 OK
Date: Fri, 26 Apr 2024 09:20:14 GMT
Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1c
Last-Modified: Fri, 26 Apr 2024 09:18:55 GMT
ETag: "0-616fc64933954"
Accept-Ranges: bytes
Content-Type: text/html; charset=UTF-8
[root@bogon ~]# curl -I http://127.0.0.1/b.html
HTTP/1.1 200 OK
Date: Fri, 26 Apr 2024 09:20:17 GMT
Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1c
Last-Modified: Fri, 26 Apr 2024 09:18:55 GMT
ETag: "0-616fc64933954"
Accept-Ranges: bytes
Content-Type: text/html; charset=UTF-8
[root@bogon ~]# curl -I http://127.0.0.1/c.html
HTTP/1.1 200 OK
Date: Fri, 26 Apr 2024 09:20:20 GMT
Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1c
Last-Modified: Fri, 26 Apr 2024 09:18:55 GMT
ETag: "0-616fc64933954"
Accept-Ranges: bytes
Content-Type: text/html; charset=UTF-8

root@bogon \~# semanage fcontext -a -t httpd_sys_content_t '/aaa/bbb/ccc(/.*)?' #/aaa/bbb/ccc下所有的文件都具有默认的上下文
restorecon -Rvv /aaa/bbb/ccc/
恢复文件或目录到它们的默认安全上下文。

实验三:观察smb日志

  1. 配置 SMB 共享,服务端共享目录的路径是 /smb/public
  2. 保持 SELinux 严格模式
  3. 直接运行 Selinux 日志提供的命令
  4. 从 /var/log/messages 查找和 samba 和 setroubleshoot 相关的日志
  5. 会提供一个 sealert 命令,通过这个命令的输出,找到可能性最高的解决方案,并运行这个解
    决方案中给出的指令
相关推荐
段一凡-华北理工大学18 分钟前
AI Agent 从入门到封神:24 讲打造你的超级智能体~系列文章23:从Demo到上线:Agent应用的架构设计、性能优化与成本控制实战
运维·网络·人工智能·性能优化·高炉炼铁·工业智能体
L16247627 分钟前
Zabbix 7.0 LTS 完整部署与运维手册(AlmaLinux 9 + MySQL 8.0 + Nginx)
运维·mysql·zabbix
happymade28 分钟前
MSRM3 区域层级嵌套功能深度解析与实操教程
运维·网络拓扑·网络管理·网络运维·msrm3
陈同学xxx1 小时前
Hermes Agent 接入飞书,在手机上随时聊天
linux·python·飞书
网络小白不怕黑1 小时前
14.VSFTP服务相关配置
linux·运维·服务器
是摆烂第一名呀1 小时前
RK3576+GMSL摄像头底层适配与调试
linux·arm开发·驱动开发·嵌入式硬件·数码相机
爱喝水的鱼丶1 小时前
SAP-ABAP:ALV字段布局定制全攻略——快速适配业务端个性化展示需求
运维·性能优化·sap·abap·经验交流·alv报表
qetfw1 小时前
CentOS 7 配置 firewalld 防火墙
linux·运维·centos
留不住的何止是时间1 小时前
关于docker构建镜像build指令的注意事项
运维·docker·容器
Dovis(誓平步青云)2 小时前
《Linux CPU频率为何忽高忽低:cpufreq、idle状态与性能抖动教程》
linux·运维·服务器·spring boot·后端·生成对抗网络