Selinux

1.查看selinux是否开启

SELinux的状态：

- enforcing：强制，每个受限的进程都必然受限
- permissive：允许，每个受限的进程违规操作不会被禁止，但会被记录于审计日志
- disabled：禁用

相关命令：

• - getenforce: 获取selinux当前状态
• - sestatus :查看selinux状态
• - setenforce 0|1 
•   - 0: 设置为permissive ###宽容模式
•   - 1: 设置为enforcing ###强制

[root@localhost html]#getenforce 
Enforcing

如果没有开启可以使用以下命令开启
[root@localhost html]#setenforce 1

永久开启需要修改  此处文件  /etc/selinux/config
vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing

2.文件类型 

 3.seinfo

[root@localhost ~]# seinfo -t
bash: seinfo: 未找到命令...
[root@localhost ~]# yum provides seinfo
已加载插件：fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.bfsu.edu.cn
 * extras: mirrors.bfsu.edu.cn
 * updates: mirrors.bfsu.edu.cn
extras/7/x86_64/filelists_db                                                           | 303 kB  00:00:00     
setools-console-3.3.8-4.el7.x86_64 : Policy analysis command-line tools for SELinux
源    ：base
匹配来源：
文件名    ：/usr/bin/seinfo

[root@localhost ~]# yum install setools-console-3.3.8-4.el7.x86_64 -y

[root@localhost ~]# seinfo -a
 
Attributes: 256
   cert_type
   privfd
   file_type
   boinc_domain
   cfengine_domain
   wine_domain

 4.修改文件类型

1.7-2查看httpd进程

[root@localhost html]# ls -Z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
[root@localhost html]# 
[root@localhost html]# ps auxZ|grep httpd ###过滤httpd进程
system_u:system_r:httpd_t:s0    root      51859  0.0  0.2 221952  4996 ?        Ss   13:50   0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0    apache    51860  0.0  0.1 224036  3104 ?        S    13:50   0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0    apache    51861  0.0  0.1 224036  3104 ?        S    13:50   0:00 /usr/sbin/httpd -DFOREGROUND

2.用7-1curl访问7-2

[root@localhost html]# ls
index.html
[root@localhost html]# 
[root@localhost html]# ls -Z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
[root@localhost html]# 

3.在7-2中修改文件类型 

[root@localhost html]# chcon -t var_t /var/www/html/index.html
[root@localhost html]# 
[root@localhost html]# ls -Z
-rw-r--r--. root root unconfined_u:object_r:var_t:s0   index.html
[root@localhost html]# 

4.开一下selinux

[root@localhost html]# getenforce
Permissive
[root@localhost html]# setenforce 1
[root@localhost html]# getenforce
Enforcing
[root@localhost html]# 

5.用7-1再去访问index.html页面

6.把selinux关掉

[root@localhost html]# setenforce 0

7.用7-1再去访问一下

[root@localhost ~]# curl 192.168.91.102
7-2

5.去7-3改端口

1.先把selinux开启

[root@localhost html]# setenforce 1
[root@localhost html]# getenforce
Enforcing
[root@localhost html]#

2.去主配置文件中加端口

[root@localhost html]# vim /etc/httpd/conf/httpd.conf
[root@localhost html]# 
[root@localhost html]# systemctl restart httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
[root@localhost html]# 

3.解决进程与端口绑定问题

[root@localhost html]# semanage port -a -t http_port_t -p tcp 9527
[root@localhost html]# 
[root@localhost html]# systemctl restart httpd
[root@localhost html]# 

6.selinux的配置文件

[root@localhost html]# vim /etc/selinux/config