[root@py ~]# ps -Z #查看进程的域(即进程的安全上下文)
LABEL PID TTY TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3294 pts/0 00:00:00 su
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3302 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3954 pts/0 00:00:00 ps
[root@py ~]# ls !$ #查看文件的上下文(!$ 展开为上一条命令的最后一个参数,这里即 -Z)
ls -Z
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log.syslog
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 mysql-5.7.17-linux-glibc2.5-x86_64.tar.gz
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 zq
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing #工作模式(修改此文件后需重启才生效;运行时可用 getenforce 查看当前模式,用 setenforce 0|1 在 permissive 与 enforcing 之间临时切换)
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted #策略,默认是目标策略
"/etc/sysconfig/selinux" 13L, 458C 1,0-
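chcon --reference=参照文件 要修改的文件 #按参照文件的安全上下文修改目标文件的上下文
#注意:chcon 的修改不会写入策略的文件上下文规则,之后执行 restorecon 或对文件系统重新打标时会被还原为策略默认值;需要持久生效时,应先用 semanage fcontext 添加规则,再用 restorecon 应用。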
[root@py ~]# cd /var/www/html/
[root@py html]# ls
[root@py html]# cd ..
[root@py www]# ls -Z
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 error
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 icons
[root@py www]# cd
[root@py ~]# service httpd start
Starting httpd: httpd: apr_sockaddr_info_get() failed for py
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[ OK ]
[root@py ~]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: httpd: apr_sockaddr_info_get() failed for py
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[ OK ]
[root@py ~]# vim index.html
[root@py ~]# mv index.html /var/www/html/ #mv 会保留文件原有的安全上下文:文件在 root 家目录中创建,类型仍是 admin_home_t
[root@py ~]# cd /var/www/html/
[root@py html]# ls
index.html
[root@py html]# cd /var/log/audit/
[root@py audit]# ls
audit.log
[root@py audit]# tail audit.log #AVC 记录:httpd_t 域的进程对 admin_home_t 类型的文件执行 getattr 被拒绝(exit=-13 即 EACCES)
type=AVC msg=audit(1495619324.973:211): avc: denied { getattr } for pid=4490 comm="httpd" path="/var/www/html/index.html" dev=sda2 ino=2097174 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1495619324.973:211): arch=c000003e syscall=4 success=no exit=-13 a0=7f0b302ffd58 a1=7fffeddc5880 a2=7fffeddc5880 a3=7f0b302fc858 items=0 ppid=4480 pid=4490 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1495619324.973:212): avc: denied { getattr } for pid=4490 comm="httpd" path="/var/www/html/index.html" dev=sda2 ino=2097174 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1495619324.973:212): arch=c000003e syscall=6 success=no exit=-13 a0=7f0b302ffe28 a1=7fffeddc5880 a2=7fffeddc5880 a3=1 items=0 ppid=4480 pid=4490 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=USER_ACCT msg=audit(1495619401.485:213): user pid=4641 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1495619401.485:214): user pid=4641 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1495619401.494:215): pid=4641 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old auid=4294967295 new auid=0 old ses=4294967295 new ses=34
type=USER_START msg=audit(1495619401.495:216): user pid=4641 uid=0 auid=0 ses=34 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1495619401.586:217): user pid=4641 uid=0 auid=0 ses=34 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1495619401.586:218): user pid=4641 uid=0 auid=0 ses=34 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
[root@py audit]# cd /var/www/html/
[root@py html]# ls -Z
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 index.html
[root@py html]# cd ..
[root@py www]# restorecon -R html #按策略中的默认文件上下文规则递归恢复标签,index.html 的类型恢复为 httpd_sys_content_t
[root@py www]# cd html/
[root@py html]# ls -Z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html