鳥哥 (VBird) has updated this part of his material as well, so I'm adding this section!!!
- Understanding the SELinux security context
- Environment check:
- Confirm that SELinux is in Enforcing mode; if it is not, run system-config-securitylevel and set SELinux to Enforcing and Firewall to Disabled (stopped).
- There must be a student account; if there is none, create the user student with the password linux:

# useradd -g users -m student
# echo 'student:linux' | chpasswd

- Install the httpd package and start it, then test the web server (this needs a working yum setup):

# yum install httpd
# service httpd restart
# elinks http://127.0.0.1

- As root, create two files:
- /home/student/home.html with the content "home directory"
- /tmp/tmp.html with the content "tmp directory"
- Move both files into /var/www/html (httpd's default document root) and look at their SELinux context with ls -lZ:

# mv /tmp/tmp.html /var/www/html
# mv /home/student/home.html /var/www/html
# ls /var/www/html -lZ
-rw-r--r--  root root root:object_r:user_home_t        home.html
-rw-r--r--  root root root:object_r:tmp_t              tmp.html

- View the two files with elinks: http://127.0.0.1/home.html and http://127.0.0.1/tmp.html
- This produces SELinux errors. Look at the error records in /var/log/messages and /var/log/audit/audit.log. The system logs each denial as it happens; the text-mode sealert command shows the reference message for it, which includes suggestions for correcting the error, and the graphical desktop also shows a notification star icon for it.
[root@localhost html]# sealert -l 45ff7c2f-1b79-4746-8280-f7ef6fd06d5d    (the log tells you exactly which command to run)

Summary:

SELinux is preventing the httpd from using potentially mislabeled files
(/var/www/html/tmp.html).

Detailed Description:

SELinux has denied httpd access to potentially mislabeled file(s)
(/var/www/html/tmp.html). This means that SELinux will not allow httpd to use
these files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want httpd to access this files, you need to relabel them using
restorecon -v '/var/www/html/tmp.html'. You might want to relabel the entire
directory using restorecon -R -v '/var/www/html'.

Additional Information:

Source Context                root:system_r:httpd_t
Target Context                root:object_r:tmp_t
Target Objects                /var/www/html/tmp.html [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port
Host                          localhost.localdomain
Source RPM Packages           httpd-2.2.3-31.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-255.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-164.el5 #1 SMP
                              Tue Aug 18 15:51:54 EDT 2009 i686 i686
Alert Count                   2
First Seen                    Sat Jan 16 05:28:13 2010
Last Seen                     Sat Jan 16 05:28:13 2010
Local ID                      45ff7c2f-1b79-4746-8280-f7ef6fd06d5d
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1263590893.105:76): avc: denied { getattr } for pid=4486 comm="httpd" path="/var/www/html/tmp.html" dev=hda5 ino=100522 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1263590893.105:76): arch=40000003 syscall=196 success=no exit=-13 a0=92c5218 a1=bf9e14cc a2=943ff4 a3=2008171 items=0 ppid=4483 pid=4486 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
- Use restorecon or chcon to correct the labels so the pages display normally:

# restorecon /var/www/html/home.html
or
# chcon -u system_u -r object_r -t httpd_sys_content_t /var/www/html/tmp.html

Result:

# ls -lZ
-rw-r--r--  root root system_u:object_r:httpd_sys_content_t home.html
-rw-r--r--  root root system_u:object_r:httpd_sys_content_t tmp.html

- Test again with elinks and it should work now!!!
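As an added example (not from the original post or from 鳥哥's material), here is a small POSIX shell script that does by hand what sealert did in the log step above: it parses an AVC denial line from /var/log/audit/audit.log, pulls out the source and target types, and flags the tmp_t / user_home_t case that the restorecon step fixes. The first sample line is the AVC message quoted in the sealert output; the second (an httpd_sys_content_t file that httpd is denied write on) is constructed. The function names and the two-type rule are my own simplification of sealert's home_tmp_bad_labels check, not its real code.

```shell
#!/bin/sh
# Added example, not part of the original post: classify AVC denials from
# /var/log/audit/audit.log the way sealert's home_tmp_bad_labels plugin does.
# Function names and the "tmp_t / user_home_t means mislabeled" rule are a
# deliberate simplification of that plugin, not its real code.

# Sample 1: the AVC line quoted in the sealert output on this page.
SAMPLE_AVC='host=localhost.localdomain type=AVC msg=audit(1263590893.105:76): avc: denied { getattr } for pid=4486 comm="httpd" path="/var/www/html/tmp.html" dev=hda5 ino=100522 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file'

# Sample 2 (constructed): a correctly labeled file that httpd is still not
# allowed to write; relabeling would not help here, so it must not be flagged.
SAMPLE_OTHER='type=AVC msg=audit(1263590900.000:80): avc: denied { write } for pid=4486 comm="httpd" path="/var/www/html/upload.txt" dev=hda5 ino=100530 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_sys_content_t:s0 tclass=file'

# avc_field LINE NAME: value of the NAME=... field, surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"*\([^\" ]*\)\"*.*/\1/p"
}

# avc_perm LINE: the permission(s) listed inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { *\([^}]*[^ }]\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type field of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc LINE: print a one-line verdict. A file that kept tmp_t or
# user_home_t after being mv'd into the web root is the case restorecon fixes;
# anything else is reported as-is so it is not "fixed" by a blind relabel.
classify_avc() {
    avc_comm=$(avc_field "$1" comm)
    avc_path=$(avc_field "$1" path)
    avc_stype=$(ctx_type "$(avc_field "$1" scontext)")
    avc_ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    avc_tclass=$(avc_field "$1" tclass)
    avc_perms=$(avc_perm "$1")
    case "$avc_stype:$avc_tclass:$avc_ttype" in
        httpd_t:file:tmp_t|httpd_t:file:user_home_t)
            printf 'mislabeled: %s (%s) denied %s on %s [%s]; fix: restorecon -v %s\n' \
                "$avc_comm" "$avc_stype" "$avc_perms" "$avc_path" "$avc_ttype" "$avc_path" ;;
        *)
            printf 'other: %s (%s) denied %s on %s [%s:%s]\n' \
                "$avc_comm" "$avc_stype" "$avc_perms" "$avc_path" "$avc_tclass" "$avc_ttype" ;;
    esac
}

# scan_audit < LOG: one verdict per AVC record; SYSCALL and other records are skipped.
scan_audit() {
    while IFS= read -r audit_line; do
        case "$audit_line" in
            *"type=AVC "*) classify_avc "$audit_line" ;;
        esac
    done
}

# Usage: sh avc_check.sh demo                        (classify the two samples)
#        sh avc_check.sh /var/log/audit/audit.log    (classify a real log)
case "${1:-}" in
    demo) printf '%s\n%s\n' "$SAMPLE_AVC" "$SAMPLE_OTHER" | scan_audit ;;
    "")   : ;;
    *)    scan_audit < "$1" ;;
esac
```

The point of the second sample is the caveat sealert's own message hints at: restorecon only helps when the label is wrong. If the target already carries httpd_sys_content_t and httpd is still denied, the policy is doing its job and the answer is a different type (or a boolean), not a relabel.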