如何解決SELinux問題?
說起SELinux,多數Linux發行版缺省都激活了它,可見它對系統安全的重要性,可惜由于它本身有一定的復雜性,如果不熟悉的話往往會產生一些看似莫名其妙的問題,導致人們常常放棄使用它,為了不因噎廢食,學學如何解決SELinux問題是很有必要的。
我們以CentOS環境為例重現一個非常常見的SELinux問題:
首先需要確認SELinux處于激活狀態,可以使用getenforce或sestatus命令:
- shell> getenforce
- Enforcing
- shell> sestatus
- SELinux status: enabled
- SELinuxfs mount: /selinux
- Current mode: enforcing
- Mode from config file: enforcing
- Policy version: 24
- Policy from config file: targeted
注:關于SELinux的基礎知識介紹請參考鳥哥的Linux私房菜中相關的介紹。
我們還需要確認系統已經安裝并啟動了Apache,沒有的話就YUM裝一個,這很簡單,就不多說了,接著在root目錄創建一個測試文件test.html,如下:
- shell> cat /root/test.html
- hello, world.
然后把這個測試文件拷貝到Apache的DocumentRoot目錄,我的Apache是通過YUM安裝的話,缺省是/var/www/html目錄,如下:
- shell> cp /root/test.html /var/www/html
接著瀏覽一下,如果沒出什么幺蛾子,應該一切都在意料之中,如下:
- shell> curl http://localhost/test.html
- hello, world.
看到這,你可能覺得我廢話連篇,別著急,下面就是見證奇跡的時候了:
同樣還是那個測試文件test.html,不過這次不再是拷貝,而是移動,如下:
- shell> mv /root/test.html /var/www/html
接著瀏覽一下,怎么樣,結果很出人意料吧,竟然提示權限錯誤,如下:
- shell> curl http://localhost/test.html
- <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
- <html><head>
- <title>403 Forbidden</title>
- </head><body>
- <h1>Forbidden</h1>
- <p>You don't have permission to access /test.html
- on this server.</p>
- </body></html>
當然,我們現在知道這個問題是由于SELinux引起的,但還不知其所以然,實際上問題的原因此時已經被audit進程記錄到了相應的日志里,可以這樣查看:
- shell> audit2why < /var/log/audit/audit.log
如果看不懂的話,推薦安裝setroubleshoot套件:
- shell> yum install setroubleshoot
它本身是一個GUI套件,不過其中包含的一個sealert命令對我們命令行用戶很有用:
- shell> sealert -a /var/log/audit/audit.log
- Summary:
- SELinux is preventing /usr/sbin/httpd "getattr" access to
- /var/www/html/test.html.
- Detailed Description:
- SELinux denied access requested by httpd. /var/www/html/test.html may be a
- mislabeled. /var/www/html/test.html default SELinux type is httpd_sys_content_t,
- but its current type is admin_home_t. Changing this file back to the default
- type, may fix your problem.
- File contexts can be assigned to a file in the following ways.
- * Files created in a directory receive the file context of the parent
- directory by default.
- * The SELinux policy might override the default label inherited from the
- parent directory by specifying a process running in context A which creates
- a file in a directory labeled B will instead create the file with label C.
- An example of this would be the dhcp client running with the dhclient_t type
- and creating a file in the directory /etc. This file would normally receive
- the etc_t type due to parental inheritance but instead the file is labeled
- with the net_conf_t type because the SELinux policy specifies this.
- * Users can change the file context on a file using tools such as chcon, or
- restorecon.
- This file could have been mislabeled either by user error, or if an normally
- confined application was run under the wrong domain.
- However, this might also indicate a bug in SELinux because the file should not
- have been labeled with this type.
- If you believe this is a bug, please file a bug report against this package.
- Allowing Access:
- You can restore the default system context to this file by executing the
- restorecon command. restorecon '/var/www/html/test.html', if this file is a
- directory, you can recursively restore using restorecon -R
- '/var/www/html/test.html'.
- Fix Command:
- /sbin/restorecon '/var/www/html/test.html'
這次應該看懂了吧!原因是說Apache下文件上下文類型應該是httpd_sys_content_t,但是現在是admin_home_t,所以權限錯誤,并且在結尾處給出了修復命令。
可httpd_sys_content_t,admin_home_t都怎么看啊?很簡單,借助ls命令的-Z參數即可:
- shell> ls -Z /path
回到問題的開始,拷貝之所以沒出現問題,是因為cp自動修改上下文屬性,而移動之所以出現問題是因為mv保留原文件的上下文屬性。
注:關于SELinux和Apache的詳細介紹,可以參考『man httpd_selinux』。
知道了如何解決SELinux問題,以后如果遇到類似的情況不要急著武斷的關閉SELinux。
