今天在使用 httpd 做文件服务器的时候,发现 png 图像没有打开,但是原本www/html 文件夹内部的文件就可以打开。后来猜测是selinux 的问题,之前一直想写一篇关于selinux 的博文,现在先在这里提到一点吧。
欲详细解决 (13) Permission Denied 问题, 可以参考apache 官方文档 (13) Permission Denied
我们可以首先使用 setenforce 0 让selinux 暂时关闭,定位到是否是selinux 权限的问题。如果 关闭后,可以正常访问,我们可以进一步来进行解决:
用过 ls -Z 查看 selinux 权限:
root@yaowenxu /v/w/html# ls -alZ
total 176
drwxr-xrwx. 2 root root system_u:object_r:httpd_sys_content_t:s0 4096 Aug 20 13:24 ./
drwxr-xr-x. 4 root root system_u:object_r:httpd_sys_content_t:s0 4096 Jul 20 18:30 ../
-rw-r--r--. 1 xuyaowen xuyaowen unconfined_u:object_r:httpd_sys_content_t:s0 10292 Aug 19 17:51 'Screenshot from 2018-08-19 17-50-59.png'
-rw-r--r--. 1 xuyaowen xuyaowen unconfined_u:object_r:httpd_sys_content_t:s0 68579 Aug 20 11:32 'Screenshot from 2018-08-20 11-32-51.png'
-rw-r--r--. 1 xuyaowen xuyaowen unconfined_u:object_r:httpd_sys_content_t:s0 85378 Aug 20 13:24 'Screenshot from 2018-08-20 13-24-10.png'
-rw----r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 9 Aug 20 11:47 xuyaowen
查看是否是 httpd_sys_content_t 权限,如果不是,通过命令进行设置权限,我这里让http 所有文件设置为上述默认权限:
root@yaowenxu /v/w/html# chmod -R -t httpd_sys_content_t html
这样便能保持 selinux 的权限的一致性。不用多次修改了。
当然你也可以禁止 selinux : 暂时禁止使用 setenforce 命令,永久禁止修改配置文件,如下所示:
vi /etc/sysconfig/selinux
SELINUX=enforcing --> SELINUX=disabled
不保护apache:
setsebool -P httpd_disable_trans 1
更多配置相关,请通过man命令,参考 selinux 说明和 selinux/apache 说明。
httpd_selinux(8) httpd Selinux Policy documentation httpd_selinux(8)
NAME
httpd_selinux - Security Enhanced Linux Policy for the httpd daemon
DESCRIPTION
Security-Enhanced Linux secures the httpd server via flexible mandatory
access control.
FILE_CONTEXTS
SELinux requires files to have an extended attribute to define the file
type. Policy governs the access daemons have to these files. SELinux
httpd policy is very flexible allowing users to setup their web ser-
vices in as secure a method as possible.
The following file contexts types are defined for httpd:
httpd_sys_content_t
- Set files with httpd_sys_content_t for content which is avail-
able from all httpd scripts and the daemon.
httpd_sys_script_exec_t
- Set cgi scripts with httpd_sys_script_exec_t to allow them to
run with access to all sys types.
httpd_sys_script_ro_t
- Set files with httpd_sys_script_ro_t if you want
httpd_sys_script_exec_t scripts to read the data, and disallow
other sys scripts from access.
httpd_sys_script_rw_t
- Set files with httpd_sys_script_rw_t if you want
httpd_sys_script_exec_t scripts to read/write the data, and dis-
allow other non sys scripts from access.
httpd_sys_script_ra_t
- Set files with httpd_sys_script_ra_t if you want
httpd_sys_script_exec_t scripts to read/append to the file, and
disallow other non sys scripts from access.
httpd_unconfined_script_exec_t
- Set cgi scripts with httpd_unconfined_script_exec_t to allow
them to run without any SELinux protection. This should only be
used for a very complex httpd scripts, after exhausting all
other options. It is better to use this script rather than
turning off SELinux protection for httpd.
NOTE
With certain policies you can define addional file contexts based on
roles like user or staff. httpd_user_script_exec_t can be defined
where it would only have access to "user" contexts.
SHARING FILES
If you want to share files with multiple domains (Apache, FTP, rsync,
Samba), you can set a file context of public_content_t and public_con-
tent_rw_t. These context allow any of the above domains to read the
content. If you want a particular domain to write to the public_con-
tent_rw_t domain, you must set the appropriate boolean.
allow_DOMAIN_anon_write. So for httpd you would execute:
setsebool -P allow_httpd_anon_write=1
or
setsebool -P allow_httpd_sys_script_anon_write=1
BOOLEANS
SELinux policy is customizable based on least access required. So by
default SElinux prevents certain http scripts from working. httpd pol-
icy is extremely flexible and has several booleans that allow you to
manipulate the policy and run httpd with the tightest access possible.
httpd can be setup to allow cgi scripts to be executed, set
httpd_enable_cgi to allow this
setsebool -P httpd_enable_cgi 1
httpd by default is not allowed to access users home directories. If
you want to allow access to users home directories you need to set the
httpd_enable_homedirs boolean and change the context of the files that
you want people to access off the home dir.
setsebool -P httpd_enable_homedirs 1
chcon -R -t httpd_sys_content_t ~user/public_html
httpd by default is not allowed access to the controling terminal. In
most cases this is prefered, because an intruder might be able to use
the access to the terminal to gain privileges. But in certain situa-
tions httpd needs to prompt for a password to open a certificate file,
in these cases, terminal access is required. Set the httpd_tty_comm
boolean to allow terminal access.
setsebool -P httpd_tty_comm 1
httpd can be configured to not differentiate file controls based on
context, i.e. all files labeled as httpd context can be read/write/exe-
cute. Setting this boolean to false allows you to setup the security
policy such that one httpd service can not interfere with another.
setsebool -P httpd_unified 0
httpd can be configured to turn off internal scripting (PHP). PHP and
other
loadable modules run under the same context as httpd. Therefore
several policy rules allow httpd greater access to the system
then is needed if you only use external cgi scripts.
setsebool -P httpd_builtin_scripting 0
httpd scripts by default are not allowed to connect out to the network.
This would prevent a hacker from breaking into you httpd server
and attacking other machines. If you need scripts to be able to
connect you can set the httpd_can_network_connect boolean on.
setsebool -P httpd_can_network_connect 1
You can disable suexec transition, set httpd_suexec_disable_trans deny
this
setsebool -P httpd_suexec_disable_trans 1
You can disable SELinux protection for the httpd daemon by executing:
setsebool -P httpd_disable_trans 1
service httpd restart
system-config-securitylevel is a GUI tool available to customize
SELinux policy settings.
AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
SEE ALSO
selinux(8), httpd(8), chcon(1), setsebool(8)
dwalsh@redhat.com 17 Jan 2005 httpd_selinux(8)
保持更新,转载请注明出处。如果对你有帮助,请点击右下角推荐。