Linux Basics Tutorial: Automated System Installation and an Introduction to SELinux
I. Notes
1. anaconda, the system installer, starts in graphical mode by default.
When booting from the installation disc, press Tab at the boot menu and append text, or press ESC and type linux text, to install in text mode.
2. Creating a kickstart file:
Edit by hand: start from the template anaconda-ks.cfg in the /root directory and modify it.
Create with a tool: system-config-kickstart, a graphical tool, which can also start from a template.
Check a ks file for syntax errors: ksvalidator
3. SELinux is a mandatory access control security module for Linux developed by the US National Security Agency (NSA) and Secure Computing Corporation (SCC). It was released under the GNU GPL in 2000 and has been integrated into the kernel since Linux 2.6. There are two access control models:
DAC: Discretionary Access Control
MAC: Mandatory Access Control
There are four policy types:
strict: CentOS 5; every process is controlled by SELinux.
targeted: protects common network services; only a limited set of processes is confined by SELinux, namely the ones most likely to be attacked. RHEL 4 protects 13 services, RHEL 5 protects 88.
minimum: CentOS 7; a modified targeted policy that confines only selected network services.
mls: provides Multi-Level Security (MLS).
The last two are not stable enough and are not used in practice.
4. In traditional Linux everything is a file, and access is controlled by user, group and permission bits. In SELinux everything is an object, and access is controlled by security attributes stored in the inode's extended attributes. Every file, port and process carries a security label, the security context, made up of five elements:
user:role:type:sensitivity:category
user_u:object_r:tmp_t:s0:c0
Actual context: stored in the filesystem; ls -Z shows a file's context, ps -Z a process's.
Expected context: stored in the binary SELinux policy store, which maps paths to their expected security contexts.
semanage fcontext -l lists all expected contexts.
The five elements:
User: the kind of user that logged in, e.g. root, user_u, system_u; most local processes are unconfined.
Role: the purpose of a file, process or user: files are object_r, processes and users are system_r.
Type: the data type; policy rules define which process types may access which file types.
The targeted policy is implemented on top of types; a type shared by several services is public_content_t.
Sensitivity: a hierarchical security level defined by the organisation to restrict access, e.g. unclassified, secret, top secret. An object has exactly one sensitivity; there are 16 levels, s0 to s15, with s0 the lowest. The targeted policy uses s0 by default.
Category: non-hierarchical compartments defined by an organisation, e.g. FBI Secret, NSA Secret. An object may have several categories; there are 1024 of them, c0 to c1023. The targeted policy does not use categories.
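To make the structure of a context concrete, here is a small POSIX shell helper set, added as an example and not part of the original notes, that splits a context string into the elements described above. The function names (ctx_user, ctx_role, ctx_type, ctx_level, ctx_sensitivity, ctx_categories, ctx_is_valid, ctx_describe) are my own. It also handles the MLS range form s0-s0:c0.c1023 that ps -Z shows for unconfined processes: the level itself contains a colon, so a context cannot simply be split on every colon.

```shell
#!/bin/sh
# Added example: split a SELinux security context into its elements.
# A context is user:role:type:level, where level is the sensitivity
# optionally followed by a category set, e.g.
#   unconfined_u:object_r:user_tmp_t:s0
#   user_u:object_r:tmp_t:s0:c0
#   unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# The level may contain ':' itself, so only the first three colons
# separate fields; everything after the type is the level.

ctx_user()  { printf '%s\n' "$1" | cut -d: -f1; }
ctx_role()  { printf '%s\n' "$1" | cut -d: -f2; }
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3; }
ctx_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# Sensitivity: the part of the level before any '-' (range) or ':' (categories).
ctx_sensitivity() { ctx_level "$1" | sed 's/[-:].*//'; }

# Categories: whatever follows the first ':' inside the level; empty when
# the targeted policy's plain s0 is in use.
ctx_categories() { ctx_level "$1" | sed -n 's/^[^:]*://p'; }

# Sanity check on the naming convention: SELinux users end in _u, roles
# in _r, types in _t, and the level starts with s<digit>. Heuristic only:
# it checks the shape of the label, not whether the loaded policy defines
# these identifiers.
ctx_is_valid() {
    case "$1" in
        *_u:*_r:*_t:s[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every element on one labelled line; handy when reading ls -Z output.
ctx_describe() {
    ctx_is_valid "$1" || { echo "not a security context: $1" >&2; return 1; }
    printf 'user=%s role=%s type=%s sensitivity=%s categories=%s\n' \
        "$(ctx_user "$1")" "$(ctx_role "$1")" "$(ctx_type "$1")" \
        "$(ctx_sensitivity "$1")" "$(ctx_categories "$1")"
}

# Usage with the two contexts quoted in the notes above:
ctx_describe unconfined_u:object_r:user_tmp_t:s0
ctx_describe user_u:object_r:tmp_t:s0:c0
```

Feeding the fourth column of ls -Z into ctx_describe is a quick way to see why a file is denied: in the targeted policy the type element is almost always the part that matters.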
5. SELinux policy:
Objects: everything that can be accessed, including files, directories, processes and ports.
Subjects: processes are the subjects.
SELinux gives every file a type label and every process a domain label. What a domain may do is defined in the security policy.
When a subject tries to access an object, the policy enforcement server in the kernel consults the AVC (Access Vector Cache), where the permissions of subject/object pairs are cached; it looks up the security contexts of the "application + file" pair and then allows or denies the access according to the result.
Security policy: a rule database defining how subjects may access objects; each rule records whether a subject of a given type may access a given object by a given method, i.e. which actions are allowed and which are denied.
6. SELinux help: yum -y install selinux-policy-devel
On CentOS 6 run makewhatis to update the man-page database; on CentOS 7 run mandb.
II. Command details and examples
1. SELinux modes: enforcing: every confined process is actually restricted;
permissive: a confined process's violations are not blocked, but they are recorded in the audit log;
disabled: SELinux is turned off.
2. getenforce: show the current SELinux mode
sestatus: show SELinux status
setenforce 0|1: switch to permissive or enforcing
[root@centos68 usb]# getenforce
Enforcing
[root@centos68 usb]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
[root@centos68 usb]# setenforce 0
[root@centos68 usb]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
[root@centos68 usb]# getenforce
Permissive
Configuration files:
/boot/grub/grub.conf: the kernel parameter selinux=0 disables SELinux
/etc/sysconfig/selinux
/etc/selinux/config
Changes to these files do not take effect immediately; a reboot is required.
3. Relabel a file: chcon [opt] [-u USER] [-r ROLE] [-t TYPE] FILE
-R: apply recursively
--reference=FILE: give the file the same context as FILE
[root@centos68 tmp]# ll -Z
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 f1
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 f2
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 f3
[root@centos68 tmp]# chcon -u unconfined_u -r object_r -t default_t f1
[root@centos68 tmp]# ll -Z
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 f1
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 f2
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 f3
[root@centos68 tmp]# chcon --reference=f2 f1
[root@centos68 tmp]# ll -Z
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 f1
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 f2
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 f3
Restore the default security context of a directory or file: restorecon /PATH/FILE
List the default security contexts: semanage fcontext -l. If a path has no default context, restorecon cannot set one.
semanage comes from the policycoreutils-python package.
Add a file-context rule: semanage fcontext -a -t httpd_sys_content_t '/testdir(/.*)?'
Apply it: restorecon -Rv /testdir
Delete a file-context rule: semanage fcontext -d -t httpd_sys_content_t '/testdir(/.*)?'
[root@centos68 tmp]# semanage fcontext -a -t default_t '/tmp(/.*)?'
[root@centos68 tmp]# ll -Z
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 f1
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 f2
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 f3
[root@centos68 tmp]# semanage fcontext -l | grep "/tmp(/.*)?"
/tmp(/.*)?                                         all files          system_u:object_r:default_t:s0
[root@centos68 tmp]# restorecon -Rv /tmp
restorecon reset /tmp/f3 context unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:default_t:s0
restorecon reset /tmp/.ICE-unix context system_u:object_r:xdm_tmp_t:s0->system_u:object_r:default_t:s0
restorecon reset /tmp/f2 context unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:default_t:s0
[root@centos68 tmp]# ll -Z
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 f1
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 f2
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 f3
[root@centos68 tmp]# semanage fcontext -d -t default_t '/tmp(/.*)?'
[root@centos68 tmp]# semanage fcontext -l | grep "/tmp(/.*)?"
Moving a file does not change its label; copying a file does.
4. Port labels: list port labels: semanage port -l
Add a port: semanage port -a -t port_label -p tcp|udp PORT
Delete a port: semanage port -d -t port_label -p tcp|udp PORT
[root@centos68 tmp]# semanage port -a -t tftp_port_t -p udp 9527
[root@centos68 tmp]# semanage port -l | grep "tftp_port_t"
tftp_port_t                    udp      9527, 69
[root@centos68 tmp]# semanage port -d -t tftp_port_t -p udp 9527
[root@centos68 tmp]# semanage port -l | grep "tftp_port_t"
tftp_port_t                    udp      69
Modify a port: semanage port -m -t port_label -p tcp|udp PORT
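Whether -a or -m is the right verb depends on whether the port already has a label, and semanage prints ports as comma lists and ranges, so reading the listing by eye is error-prone. The script below is an added example of mine, not from the original notes: port_label_for and port_rule_cmd are my own names, and the sample listing is the http-related output of semanage port -l that appears in the exercises further down this page.

```shell
#!/bin/sh
# Added example: decide from "semanage port -l" output whether PROTO/PORT
# already carries a label, and which semanage port verb gives it the one
# a service expects.
#
# port_label_for PROTO PORT      - prints the label covering PROTO/PORT,
#                                  exit status 1 when none does; handles
#                                  the comma lists and ranges (10001-10010)
#                                  that semanage prints.
# port_rule_cmd LABEL PROTO PORT - prints the command to run: -a when the
#                                  port is unlabelled, -m when it belongs to
#                                  another label (-a would fail with "already
#                                  defined"), a comment when it already has
#                                  LABEL.
# Both read the semanage listing on stdin.

port_label_for() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i
                sub(/,$/, "", p)                     # "8080," -> "8080"
                if (split(p, r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
                else                        { lo = p + 0;    hi = lo }
                if (port + 0 >= lo && port + 0 <= hi) { print $1; found = 1 }
            }
        }
        END { if (found) exit 0; exit 1 }'
}

port_rule_cmd() {
    label=$1; proto=$2; port=$3
    current=$(port_label_for "$proto" "$port") || current=""
    if [ -z "$current" ]; then
        echo "semanage port -a -t $label -p $proto $port"
    elif [ "$current" = "$label" ]; then
        echo "# $proto/$port is already labelled $label"
    else
        echo "semanage port -m -t $label -p $proto $port"
    fi
}

# Sample listing: the http lines of semanage port -l from a CentOS 6.8
# targeted policy, as shown in the exercises on this page.
SAMPLE_PORTS='http_cache_port_t              tcp      3128, 8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989'

# Usage: what does httpd need to listen on 9527, and on the proxy port 8080?
printf '%s\n' "$SAMPLE_PORTS" | port_rule_cmd http_port_t tcp 9527
printf '%s\n' "$SAMPLE_PORTS" | port_rule_cmd http_port_t tcp 8080
```

On a live system replace the sample with `semanage port -l | port_rule_cmd http_port_t tcp 9527`; moving a port out of another label with -m is a policy change for that other service too, which is why the script prints the command rather than running it.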
5. SELinux booleans:
List booleans: getsebool -a
List booleans with their descriptions: semanage boolean -l
List booleans that have been changed: semanage boolean -l -C
Set a boolean:
setsebool BOOLEAN VALUE
1 turns the boolean on, 0 turns it off (as the example below shows); the -P option makes the change persistent.
[root@centos68 ~]# semanage boolean -l | grep virt_use_samba
virt_use_samba                 (關    ,    關)  Allow virt to manage cifs files
[root@centos68 ~]# setsebool virt_use_samba 1
[root@centos68 ~]# semanage boolean -l | grep virt_use_samba
virt_use_samba                 (開    ,    關)  Allow virt to manage cifs files
6. SELinux log management: yum install setroubleshoot* (takes effect after a reboot)
Denial messages are then written to /var/log/messages.
[root@centos68 ~]# grep setroubleshoot /var/log/messages
Sep 11 03:50:45 centos68 yum[4947]: Installed: setroubleshoot-server-3.0.47-11.el6.x86_64
Sep 11 03:50:47 centos68 yum[4947]: Installed: setroubleshoot-plugins-3.0.40-2.el6.noarch
Sep 11 03:50:48 centos68 yum[4947]: Installed: setroubleshoot-3.0.47-11.el6.x86_64
View the explanation for an alert: sealert -l ID, where ID is the alert UUID that setroubleshoot writes into /var/log/messages (the ID 0 tried below does not exist, hence the error):
[root@centos68 ~]# sealert -l 0
Error
query_alerts error (1003): id (0) not found
Scan and analyse the audit log: sealert -a /var/log/audit/audit.log
[root@centos68 ~]# sealert -a /var/log/audit/audit.log
100% donefound 0 alerts in /var/log/audit/audit.log
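sealert explains one alert at a time. Before reaching for it, it helps to condense the raw AVC records in audit.log into a view of which domain was denied which permission on which object type, because that usually points straight at the remedy described in this section (restorecon or semanage fcontext for a wrong file type, semanage port for a bind denial, a boolean for an access the policy disables on purpose). The script below is an added example of mine, not part of the original notes: avc_summary and avc_hint are my own names, and the audit lines are constructed to look like a CentOS 6 audit.log, not real logs from the post.

```shell
#!/bin/sh
# Added example: condense AVC denials from audit.log into a triage view.
#
# avc_summary          - reads audit.log lines on stdin and prints one
#                        sorted line per distinct denial:
#                        "<count> <comm> <permission> <source type> <target type> <class>"
# avc_hint CLASS PERM  - maps a denial class/permission to the usual remedy.

avc_summary() {
    awk '
        /type=AVC/ && /avc: +denied/ {
            perm = comm = st = tt = cls = ""
            # the permission set sits in braces: avc:  denied  { read open } for ...
            if (match($0, /[{] [^}]* [}]/))
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
                if ($i ~ /^scontext=/) { split(substr($i, 10), f, ":"); st = f[3] }   # type of the subject
                if ($i ~ /^tcontext=/) { split(substr($i, 10), f, ":"); tt = f[3] }   # type of the object
                if ($i ~ /^tclass=/)   cls = substr($i, 8)
            }
            count[comm " " perm " " st " " tt " " cls]++
        }
        END { for (k in count) print count[k], k }' | LC_ALL=C sort
}

avc_hint() {
    case "$1/$2" in
        tcp_socket/name_bind|udp_socket/name_bind)
            echo "port is not labelled for this domain: semanage port -a/-m" ;;
        file/*|dir/*|lnk_file/*)
            echo "object type not allowed for this domain: compare with semanage fcontext -l, then restorecon, or enable a boolean" ;;
        *)
            echo "look up the alert with sealert -l <id> from /var/log/messages" ;;
    esac
}

# Constructed sample, not real logs: httpd serving /website whose files
# still carry default_t, plus one attempt to bind an unlabelled port 9527.
SAMPLE_AUDIT='type=AVC msg=audit(1473580245.101:201): avc:  denied  { read } for  pid=2231 comm="httpd" name="index.html" dev=dm-0 ino=393231 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473580245.102:202): avc:  denied  { getattr } for  pid=2231 comm="httpd" path="/website/index.html" dev=dm-0 ino=393231 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473580245.103:204): avc:  denied  { read } for  pid=2232 comm="httpd" name="index.html" dev=dm-0 ino=393231 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473580300.555:203): avc:  denied  { name_bind } for  pid=2229 comm="httpd" src=9527 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1473580300.555:203): arch=c000003e syscall=49 success=no exit=-13 items=0 ppid=1 pid=2229 comm="httpd" exe="/usr/sbin/httpd"'

# Usage:
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
avc_hint tcp_socket name_bind
```

On a real host the input is `grep AVC /var/log/audit/audit.log | avc_summary` (or the output of ausearch -m avc). In permissive mode the same records are written without the access being blocked, which is what makes that mode useful for finding every label a new service needs before switching back to enforcing.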
III. Exercises
1. Build a bootable CD or USB disk.
Creating a boot CD:
Step 1: copy the isolinux directory from the installation disc to /tmp/myiso
[root@centos68 tmp]# mkdir myiso
[root@centos68 tmp]# cp -rf /media/cdrom/isolinux ./myiso/
Step 2: edit isolinux.cfg
[root@centos68 tmp]# vim myiso/isolinux/isolinux.cfg
label linux
  menu label ^Install or upgrade an existing system
  menu default
  kernel vmlinuz
  append initrd=initrd.img text ks=cdrom:/myks.cfg
Step 3: generate the kickstart file myks.cfg and copy it into the myiso directory; here the file created with the graphical tool is used:
[root@centos68 tmp]# cp /root/myks.cfg ./myiso/
[root@centos68 tmp]# vim myiso/myks.cfg
Step 4: build the boot image boot.iso
[root@centos68 tmp]# cd myiso/
[root@centos68 myiso]# mkisofs -R -J -T -v --no-emul-boot --boot-load-size 4 --boot-info-table -V "CentOS 6.8 x86_64 boot" -b isolinux/isolinux.bin -c isolinux/boot.cat -o /root/boot.iso ./
I: -input-charset not specified, using utf-8 (detected in locale settings)
genisoimage 1.1.9 (Linux)
Scanning ./
Scanning ./isolinux
Excluded by match: ./isolinux/boot.cat
Excluded: ./isolinux/TRANS.TBL
Writing:   Initial Padblock                        Start Block 0
Done with: Initial Padblock                        Block(s)    16
Writing:   Primary Volume Descriptor               Start Block 16
Done with: Primary Volume Descriptor               Block(s)    1
Writing:   Eltorito Volume Descriptor              Start Block 17
Size of boot image is 4 sectors -> No emulation
Done with: Eltorito Volume Descriptor              Block(s)    1
Writing:   Joliet Volume Descriptor                Start Block 18
Done with: Joliet Volume Descriptor                Block(s)    1
Writing:   End Volume Descriptor                   Start Block 19
Done with: End Volume Descriptor                   Block(s)    1
Writing:   Version block                           Start Block 20
Done with: Version block                           Block(s)    1
Writing:   Path table                              Start Block 21
Done with: Path table                              Block(s)    4
Writing:   Joliet path table                       Start Block 25
Done with: Joliet path table                       Block(s)    4
Writing:   Directory tree                          Start Block 29
Done with: Directory tree                          Block(s)    2
Writing:   Joliet directory tree                   Start Block 31
Done with: Joliet directory tree                   Block(s)    2
Writing:   Directory tree cleanup                  Start Block 33
Done with: Directory tree cleanup                  Block(s)    0
Writing:   Extension record                        Start Block 33
Done with: Extension record                        Block(s)    1
Writing:   The File(s)                             Start Block 34
 22.37% done, estimate finish Sun Sep 11 12:10:41 2016
 44.66% done, estimate finish Sun Sep 11 12:10:41 2016
 67.02% done, estimate finish Sun Sep 11 12:10:41 2016
 89.29% done, estimate finish Sun Sep 11 12:10:41 2016
Total translation table size: 4703
Total rockridge attributes bytes: 1440
Total directory bytes: 2048
Path table size(bytes): 26
Done with: The File(s)                             Block(s)    22215
Writing:   Ending Padblock                         Start Block 22249
Done with: Ending Padblock                         Block(s)    150
Max brk space used 0
22399 extents written (43 MB)
Step 5: test it
Using the CD image:
Boot the machine from the CD.
Note: the disk space given to the virtual machine must not be smaller than the value set in the ks template, otherwise the installation fails with an error.
Creating a boot USB disk
Method 1: write the disc contents directly to the USB disk:
[root@centos68 ~]# dd if=/dev/sr0 of=/dev/sdb
記錄了7649280+0 的讀入
記錄了7649280+0 的寫出
3916431360字節(3.9 GB)已復制,160.877 秒,24.3 MB/秒
2. Install the httpd service, change the site's default document root to /website, and add an SELinux file-context rule that applies httpd_sys_content_t to /website and all files under it, so that the site is reachable.
Step 1: edit the configuration file and change the default document root:
[root@centos68 ~]# vim /etc/httpd/conf/httpd.conf
# This should be changed to whatever you set DocumentRoot to.
<Directory "/var/www/website">
# symbolic links and aliases may be used to point to other locations.
DocumentRoot "/var/www/website"
Change these two lines so that the directory is website.
Step 2: restart the service and add a web page
[root@centos68 website]# service httpd restart
停止 httpd:                                               [確定]
正在啟動 httpd:httpd: apr_sockaddr_info_get() failed for centos68
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName     [確定]
[root@centos68 website]# echo "hello man" > index.html
[root@centos68 website]# ls
index.html
Step 3: lift the SELinux access restriction and turn off the firewall, then verify access.
1. Change the site's port to 9527 and add an SELinux port label so that the site is reachable.
Change the port httpd listens on:
[root@centos68 ~]# semanage port -l | grep http
http_cache_port_t              tcp      3128, 8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989
[root@centos68 ~]# semanage port -a -t http_port_t -p tcp 9527
[root@centos68 ~]# semanage port -l | grep http
http_cache_port_t              tcp      3128, 8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      9527, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989
Edit the configuration file:
#Listen 12.34.56.78:80
Listen 80
Listen 9527
Check from a Windows browser whether the site is reachable:
3. Enable an SELinux boolean so that user student's home directory can be reached over http.
[root@centos68 ~]# semanage boolean -l | grep http
httpd_enable_homedirs     (關 , 關)  Allow httpd to read home directories
[root@centos68 ~]# setsebool httpd_enable_homedirs 1
[root@centos68 ~]# semanage boolean -l | grep httpd_enable_homedirs
httpd_enable_homedirs      (開    ,    關)  Allow httpd to read home directories
Edit the configuration file:
<IfModule mod_userdir.c>
    #UserDir disabled
    UserDir public_html
</IfModule>
<Directory /home/*/public_html>
    AllowOverride FileInfo AuthConfig Limit
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>
Going by the format of the configuration file, the entry in the home directory needs to be named as follows:
[root@centos68 user1]# echo 43123123 > public_html