解决SELinux对网站目录权限控制的不当的问题--网上摘抄集合,记录使用
1.检查httpd的错误日志。默认情况下日志就存在在/var/log/httpd/目录中。
[root@localhost ~]# grep Permission /var/log/httpd/error_log
[Tue Apr 10 09:07:04 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /start denied
[Tue Apr 10 09:07:50 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /start/ denied
[Tue Apr 10 09:08:07 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /start/ denied
[Tue Apr 10 09:10:06 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /start/ denied
[Tue Apr 10 09:11:08 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /start/ denied
[Tue Apr 10 09:11:17 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /start denied
[Tue Apr 10 09:11:34 2012] [error] [client ::1] (13)Permission denied: access to /start denie
2.再检查网站目录和文件的权限。为方便起见直接用-lZ选项。用于显示详细信息和SELinux权限信息
ls -lZ
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 archive.html
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 blog
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 blog_backup
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 blog.htm
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 blog.html
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 css
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 home_page
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 home_start #问题行
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 images
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.htm
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 info_php.php
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 js
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 log
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 php #以前的遗留问题
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 phpMyAdmin-3.4.10.1-all-languages
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 PSDs
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 readme.txt
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 style.htm
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 style.html
3.再查看selinx的工作状态,判断是不是SELinux引起的。
[root@localhost httpd]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
这就是导致网站权限不正确的原因。
4.所以使用chcon更改SELinux权限以及显示结果如下:
setenforce 0 #必须暂时停止SELinux,否则可能导致操作失败。
chcon -t httpd_sys_content_t -R /var/www/html/home_start/ #R参数是递归操作的意思
经过修改就会发现SELinux的对应权限已经和其他目录相同了!都是httpd_sys_content_t。
[root@localhost html]# setenforce --help
usage: setenforce [ Enforcing | Permissive | 1 | 0 ]
[root@localhost html]# setenforce 0
[root@localhost html]# cd
[root@localhost ~]# ls /var/www/html/ -Z
……
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 home_start
……
[root@localhost ~]# chcon -t httpd_sys_content_t -R /var/www/html/home_start/
[root@localhost ~]# ls /var/www/html/home_start/ -Z
……
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 authorize.php
……
然后,再次打开浏览器输入地址,验证能否访问,如果可以访问就可以进行下一步配置了!
-----------------------------------------------------------------------------------------
# sesearch -A -s httpd_t -b httpd_can_network_relay
Found 10 semantic av rules:
allow httpd_t gopher_port_t : tcp_socket name_connect ;
allow httpd_t http_cache_client_packet_t : packet { send recv } ;
allow httpd_t ftp_port_t : tcp_socket name_connect ;
allow httpd_t ftp_client_packet_t : packet { send recv } ;
allow httpd_t http_client_packet_t : packet { send recv } ;
allow httpd_t squid_port_t : tcp_socket name_connect ;
allow httpd_t http_cache_port_t : tcp_socket name_connect ;
allow httpd_t http_port_t : tcp_socket name_connect ;
allow httpd_t gopher_client_packet_t : packet { send recv } ;
allow httpd_t memcache_port_t : tcp_socket name_connect ;
-------------
# semanage port -l | grep http_port_t
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
--------------
# semanage port -a -t http_port_t -p tcp 8082
-------------
# semanage port -a -t http_port_t -p tcp 8080
/usr/sbin/semanage: Port tcp/8080 already defined
# semanage port -l | grep 8080
http_cache_port_t tcp 3128, 8080, 8118, 8123, 10001-10010
-----------
# sesearch -A -s httpd_t -b httpd_can_network_connect
Found 1 semantic av rules:
allow httpd_t port_type : tcp_socket name_connect ;
----------
# seinfo -aport_type -x
--------------------------------------------------------------------
# chcon -v --type=httpd_sys_content_t /www/t.txt
# semanage fcontext -a -t httpd_sys_content_t /www/t.txt
# restorecon -v /www/t.txt
# semanage fcontext -a -t httpd_sys_content_t /www(/.*)?
# restorecon -Rv /www
# grep nginx /var/log/audit/audit.log | audit2allow -m nginx > nginx.te
# cat nginx.te
module nginx 1.0;
require {
type httpd_t;
type default_t;
type http_cache_port_t;
class tcp_socket name_connect;
class file { read getattr open };
}
#============= httpd_t ==============
allow httpd_t default_t:file { read getattr open };
#!!!! This avc can be allowed using one of the these booleans:
# httpd_can_network_relay, httpd_can_network_connect
allow httpd_t http_cache_port_t:tcp_socket name_connect;
# grep nginx /var/log/audit/audit.log | audit2allow -M nginx
# semodule -i nginx.pp
# semodule -l | grep nginx
nginx 1.0
除特别注明外,本站所有文章均为奇妙伞原创,转载请注明出处来自https://www.qm3.com.cn/post/212.html
