SELinux

1. System resources are managed by init

Main configuration file: /etc/inittab

co:23:respawn:/sbin/agetty -f /etc/issue.serial 19200 ttyS1

2. Services are started by running the scripts under /etc/init.d/

ldd `which xinetd` lists every shared library xinetd is linked against:

[root@station116 ~]# ldd `which xinetd`
linux-gate.so.1 => (0x00f23000)
libselinux.so.1 => /lib/libselinux.so.1 (0x00110000)
libwrap.so.0 => /lib/libwrap.so.0 (0x0056c000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00c3d000)
libm.so.6 => /lib/libm.so.6 (0x00a36000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00942000)
libc.so.6 => /lib/libc.so.6 (0x001b4000)
libdl.so.2 => /lib/libdl.so.2 (0x00580000)
libsepol.so.1 => /lib/libsepol.so.1 (0x009d9000)
/lib/ld-linux.so.2 (0x00d87000)
[root@station116 ~]#

As shown, xinetd is linked against libwrap.so, the TCP wrapper library.

Checking or restarting a service:

/etc/init.d/network status
service network status

3. chkconfig: query and change run-level settings

chkconfig --list [name]   list one service, or all services if no name is given
chkconfig --add [name]    add a service
chkconfig --del [name]    remove a service
chkconfig --list | grep "y"   list the services beginning with y
chkconfig --level LEVEL[2-5] on|start|reset   (reset restores the default settings)

For standalone daemons the default chkconfig levels are 2345.
For non-standalone daemons no level can be specified.
Services under /etc/init.d are not added to the chkconfig list by default.

Alternatively, system-config-services opens a graphical window in which levels can be set and services enabled; ntsysv can also be used to enable a service at boot.

4. The files under /etc/sysconfig configure how certain services run, for example:

named
sendmail
dhcpd
samba
init
syslog

5. 1) Standalone daemons are run through /etc/xinetd.conf (the default configuration file) and the per-service files in /etc/xinetd.d/. A setting already made in the default file can be specified again in the per-service file; on conflict, the per-service file wins.

The default configuration in /etc/xinetd.conf:

defaults
{
# The next two items are intended to be a quick access place to
# temporarily enable or disable services.
#
# enabled =
# disabled =
# Define general logging characteristics.
log_type = SYSLOG daemon info
log_on_failure = HOST
log_on_success = PID HOST DURATION EXIT
# Define access restriction defaults
#
# no_access =
# only_from =
# max_load = 0
cps = 50 10
instances = 50
per_source = 10
}

cps: the number of connections accepted per unit of time, effectively a soft limit. With the defaults, at most 50 connections per second are accepted, and once the limit is hit the service waits 10 seconds before accepting again.

instances: the maximum number of concurrent connections a service may have, a hard limit; once it is reached, further users are refused.

per_source: the maximum number of concurrent connections a single IP address may open to this host.

Address forms accepted after only_from:

network address (192.168.1.0)
network name (from /etc/networks)
IP address/netmask (192.168.0.0/24)

vim /etc/xinetd.d/tftp

service tftp
{
disable = no
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
server_args = -s /tftpboot
per_source = 11
cps = 100 2
flags = IPv4
}

2) Non-standalone daemons

chkconfig SERVICE on/off   enable or disable a service
service xinetd restart

********************************************************

Before using telnet, make sure the host name in /etc/sysconfig/network matches the one in /etc/hosts.

Examples: [1.] If 127.0.0.1 is added to /etc/xinetd.d/telnet, telnet from other hosts no longer works and only local logins are allowed. (Note: telnet does not allow root to log in directly; log in as an ordinary user and then switch to root.)

yum install telnet-server

This puts a telnet file under /etc/xinetd.d/.

chkconfig telnet on
service xinetd restart

*************************

chkconfig xinetd on   (xinetd itself must be enabled)
chkconfig --level 35 xinetd on

telnet 192.168.0.116
Red Hat Enterprise Linux Server release 5.4 (Tikanga)
Kernel 2.6.18-164.el5 on an i686
login: zhuying
Password:
Last login: Tue Feb 23 22:47:46 from server19

Adding bind = 127.0.0.1 to /etc/xinetd.d/telnet restricts the service to local logins only.

vim /etc/xinetd.d/telnet

# default: on
# description: The telnet server serves telnet sessions; it uses /
# unencrypted username/password pairs for authentication.
service telnet
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
bind =127.0.0.1
}

service xinetd restart   (restart the service)

C:/>telnet 192.168.0.116
正在连接到192.168.0.116...不能打开到主机的连接, 在端口 23: 连接失败

[2.] Denying access by IP address

only_from=192.168.0.0/24
no_access=192.168.0.111

vim /etc/xinetd.d/telnet

# default: on
# description: The telnet server serves telnet sessions; it uses /
# unencrypted username/password pairs for authentication.
service telnet
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
only_from=192.168.0.0/24
no_access=192.168.0.111
}

service xinetd restart   (restart the service after every change)

(Best match applies, so 192.168.0.111 is refused.)

The failed login looks like this:

[zhuying@station30 ~]$ telnet 192.168.0.116
Trying 192.168.0.116...
telnet: connect to address 192.168.0.116: Connection refused
telnet: Unable to connect to remote host: Connection refused
[zhuying@station30 ~]$

[3.] Denying service by access time

Connections outside this time window are refused.

vim /etc/xinetd.d/telnet

# default: on
# description: The telnet server serves telnet sessions; it uses /
# unencrypted username/password pairs for authentication.
service telnet
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
access_times=9:00-12:00
}

service xinetd restart   (do not forget to restart the service after every change)

The failed login looks like this:

[zhuying@station30 ~]$ telnet 192.168.0.116
Trying 192.168.0.116...
telnet: connect to address 192.168.0.116: Connection refused
telnet: Unable to connect to remote host: Connection refused
[zhuying@station30 ~]$

[4.] Limiting the number of concurrent connections

instances=2   (at most 2 concurrent connections to this service)
per_source=1   (a given host may open only one session to the remote host)

vim /etc/xinetd.d/telnet

# default: on
# description: The telnet server serves telnet sessions; it uses /
# unencrypted username/password pairs for authentication.
service telnet
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
instances=2
per_source=1
}

service xinetd restart   (do not forget to restart the service after every change)

The first remote login from station30 succeeds:

[zhuying@station30 ~]$ telnet 192.168.0.116
Trying 192.168.0.116...
Connected to server16.example.com (192.168.0.116).
Escape character is '^]'.
Red Hat Enterprise Linux Server release 5.4 (Tikanga)
Kernel 2.6.18-164.el5 on an i686
login: zhuying
Password:
Last login: Tue Feb 23 23:35:41 from server11
[zhuying@station116 ~]$

Opening a second window without closing the first one, the new connection is refused:

[root@station30 ~]# telnet 192.168.0.116
Trying 192.168.0.116...
Connected to server16.example.com (192.168.0.116).
Escape character is '^]'.
Connection closed by foreign host.
[root@station30 ~]#

5. banner: show the contents of a file to the user at login

cd /usr/share
vim telnet.banner

**************************
Welcome to my station!!!
Hoho,bye...
**************************

Save and quit.

vim /etc/xinetd.d/telnet

# default: on
# description: The telnet server serves telnet sessions; it uses /
# unencrypted username/password pairs for authentication.
service telnet
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
banner =/usr/share/telnet.banner
}

service xinetd restart   (do not forget to restart the service after every change)

[root@station30 ~]# telnet 192.168.0.116
Trying 192.168.0.116...
Connected to server16.example.com (192.168.0.116).
Escape character is '^]'.
**************************
Welcome to my station!!!
Hoho,bye...
**************************
Red Hat Enterprise Linux Server release 5.4 (Tikanga)
login: zhuying
Password:
Last login: Wed Feb 24 00:02:06 from server11
[zhuying@station116 ~]$

6. TCP_Wrapper

Rule syntax: daemon_list: client_list [:opt1 :opt2...]

Host access is restricted by rules in two files:

allow rules: /etc/hosts.allow
deny rules: /etc/hosts.deny

Forms accepted in client_list:

IP address (192.168.0.1, 10.0.0.)
name (www.redhat.com, .example.com)
netmask (192.168.0.0/255.255.255.0)
network name

Examples:

[1.] Rules defined in both files: /etc/hosts.allow is normally matched first; only if no rule there matches is /etc/hosts.deny consulted.

vim /etc/hosts.allow

#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
in.telnetd:192.168.0.0/255.255.255.0 EXCEPT 192.168.0.111

vim /etc/hosts.deny

#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
in.telnetd:ALL

service xinetd restart   (restart the service)

The login is refused:

[root@station30 ~]# telnet 192.168.0.116
Trying 192.168.0.116...
Connected to server16.example.com (192.168.0.116).
Escape character is '^]'.
**************************
Welcome to my station!!!
Hoho,bye...
**************************
Connection closed by foreign host.
[root@station30 ~]#

If the rule in /etc/hosts.allow is replaced with:

in.telnetd:ALL EXCEPT 192.168.0.0/255.255.255.0 EXCEPT 192.168.0.111

and /etc/hosts.deny is left unchanged, then 192.168.0.111 can log in, and so can every host outside the 192.168.0.0 network.
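The following is an added example, not code from the original post: a small Python evaluator for the two access-control schemes used on this page, the xinetd only_from/no_access best match of example [2.] above and the hosts.allow/hosts.deny first-match rule with chained EXCEPT in this example. The function names are my own; it assumes IPv4 numeric patterns only (no host-name forms), and the rule texts in the tests are constructed from the page's own rules.

```python
import ipaddress
def _net(pattern):
    """One numeric client pattern -> ip_network (None for ALL). IPv4 only here."""
    if pattern == "ALL":
        return None
    if pattern.endswith("."):  # prefix form, e.g. "192.168.0." == 192.168.0.0/24
        octets = pattern.rstrip(".").split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{addr}/{8 * len(octets)}")
    return ipaddress.ip_network(pattern, strict=False)  # a.b.c.d, net/mask, net/len

def matches(pattern, client):
    net = _net(pattern)
    return net is None or ipaddress.ip_address(client) in net

def client_list_matches(expr, client):
    """'a b EXCEPT c EXCEPT d' means (a or b) EXCEPT (c EXCEPT d)."""
    head, _, tail = expr.partition(" EXCEPT ")
    hit = any(matches(p, client) for p in head.split())
    return hit and not (tail and client_list_matches(tail.strip(), client))

def _rules(text):
    """Fields of each non-comment line: daemon_list, client_list, options..."""
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            yield line.strip().split(":")

def tcpwrap_allowed(hosts_allow, hosts_deny, daemon, client):
    """First matching rule wins; hosts.allow is searched before hosts.deny.
    An explicit ALLOW/DENY option on the rule overrides the file's verdict."""
    for text, verdict in ((hosts_allow, True), (hosts_deny, False)):
        for fields in _rules(text):
            daemons = fields[0].split()
            if daemon not in daemons and "ALL" not in daemons:
                continue
            if not client_list_matches(fields[1].strip(), client):
                continue
            opts = [f.strip() for f in fields[2:]]
            return False if "DENY" in opts else "ALLOW" in opts or verdict
    return True  # no rule in either file matched: access is granted

def xinetd_allowed(only_from, no_access, client):
    """xinetd best match: the most specific matching pattern (longest prefix)
    decides; a tie is treated as denial, a conservative choice for this example."""
    if not only_from and not no_access:
        return True  # neither attribute set: no restriction
    best = None  # (specificity, verdict) of the best match so far
    for patterns, verdict in ((no_access, False), (only_from, True)):
        for p in patterns.split():
            if matches(p, client):
                spec = -1 if _net(p) is None else _net(p).prefixlen
                if best is None or spec > best[0]:
                    best = (spec, verdict)
    return best is not None and best[1]
```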

[2.] Sending mail when someone connects

vim /etc/hosts.allow

#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
in.telnetd:192.168.0.0/255.255.255.0:spawn /bin/echo `date` %c %d | /bin/mail -s "Somebody has telnetd our server." root

vim /etc/hosts.deny

# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
in.telnetd:ALL:spawn /bin/echo `date` %c %d | /bin/mail -s "Somebody has telnetd our server." root

service xinetd restart   (restart the service)

Now every host in the 192.168.0. network can log in:

[root@station30 ~]# telnet 192.168.0.116
Trying 192.168.0.116...
Connected to server16.example.com (192.168.0.116).
Escape character is '^]'.
**************************
Welcome to my station!!!
Hoho,bye...
**************************
Red Hat Enterprise Linux Server release 5.4 (Tikanga)
Kernel 2.6.18-164.el5 on an i686
login: zhuying
Password:
Last login: Wed Feb 24 02:01:49 from server11

After logging in, switch to root and check whether the mail arrived:

[zhuying@station116 ~]$ su -
Password:
[root@station116 ~]# mail
Mail version 8.1 6/6/93. Type ? for help.
"/var/spool/mail/root": 1 message 1 new
>N 1 root@station116.exam Wed Feb 24 02:12 16/733 "Somebody has telnetd "
& 1
Message 1:
From root@station116.example.com Wed Feb 24 02:12:25 2010
Date: Wed, 24 Feb 2010 02:12:25 +0800
From: root <root@station116.example.com>
To: root@station116.example.com
Subject: Somebody has telnetd our server.

Wed Feb 24 02:12:25 CST 2010 192.168.0.111 in.telnetd
&

[3.] Access control from a single file:

1) vim /etc/hosts.allow

#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
in.telnetd:192.168.0.111:spawn /bin/echo `date` %c to %s is denied by %A > /var/log/tcpwrapper.log:DENY
in.telnetd:192.168.0. 192.168.1. :ALLOW

service xinetd restart   (restart the service)

Now the login from 192.168.0.111 fails:

[root@station30 ~]# telnet 192.168.0.116
Trying 192.168.0.116...
Connected to server16.example.com (192.168.0.116).
Escape character is '^]'.
**************************
Welcome to my station!!!
Hoho,bye...
**************************
Connection closed by foreign host.
[root@station30 ~]#

2) twist: substitutes the given command for the requested service (a bait-and-switch), so the login is refused.

vim /etc/hosts.allow

#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
in.telnetd:192.168.0.0/255.255.255.0:twist /bin/echo `date` connection refused by %s

service xinetd restart   (restart the service)

[root@station30 ~]# telnet 192.168.0.116
Trying 192.168.0.116...
Connected to server16.example.com (192.168.0.116).
Escape character is '^]'.
**************************
Welcome to my station!!!
Hoho,bye...
**************************
Wed Feb 24 02:47:36 CST 2010 connection refused by in.telnetd@192.168.0.116
Connection closed by foreign host.
[root@station30 ~]#

3) Combining the two examples above:

vim /etc/hosts.allow

#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
in.telnetd:192.168.0.111:spawn /bin/echo `date` %c to %s is denied.>> /var/log/tcpwrapper.log ;twist /bin/echo `date` Attempt to log in to %s failed.
in.telnetd:192.168.0. 192.168.1.:ALLOW

service xinetd restart   (restart the service)

Now the login from 192.168.0.111 fails:

[root@station30 ~]# telnet 192.168.0.116
Trying 192.168.0.116...
Connected to server16.example.com (192.168.0.116).
Escape character is '^]'.
**************************
Welcome to my station!!!
Hoho,bye...
**************************
Connection closed by foreign host.
[root@station30 ~]#

************************************

1. The -Z option makes a command handle security contexts: ls -Z shows the security context of files, and ps -Z shows the security context of processes.

[root@station116 ~]# ls -Z
-rw------- root root system_u:object_r:user_home_t:s0 anaconda-ks.cfg
drwxr-xr-x root root bin
drwxr-xr-x root root Desktop
-rwxr--r-- root root getid.sh
-rw-r--r-- root root root:object_r:user_home_t:s0 install.log
-rw-r--r-- root root root:object_r:user_home_t:s0 install.log.syslog
drwxr-xr-x root root lvm1snap
-rw-r--r-- root root nano-1.3.12-1.1.1.gls.i386.rpm
[root@station116 ~]#

Showing process labels:

[root@station116 ~]# ps -Z
LABEL PID TTY TIME CMD
- 12181 pts/2 00:00:00 bash
- 15897 pts/2 00:00:00 ps
[root@station116 ~]#

2. getsebool

[root@station116 ~]# getsebool -a|grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_tftp_anon_write --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_enable_ftp_server --> off
tftpd_disable_trans --> off
[root@station116 ~]#

Changing labels: chcon

View the current labels:

[root@station116 home]# ls -Z
-rw------- root root system_u:object_r:file_t aquota.user
drwx------ cracker cracker user_u:object_r:user_home_dir_t cracker
drwxr-xr-x root root system_u:object_r:autofs_t guests
drwx------ root root system_u:object_r:lost_found_t lost+found
drwx------ natasha natasha user_u:object_r:user_home_dir_t natasha
drwx------ wendy wendy user_u:object_r:user_home_dir_t wendy
drwx------ zhuying zhuying user_u:object_r:user_home_dir_t zhuying

Change a label and view it again:

[root@station116 home]# chcon -t file_t zhuying
[root@station116 home]# ls -Z
-rw------- root root system_u:object_r:file_t aquota.user
drwx------ cracker cracker user_u:object_r:user_home_dir_t cracker
drwxr-xr-x root root system_u:object_r:autofs_t guests
drwx------ root root system_u:object_r:lost_found_t lost+found
drwx------ natasha natasha user_u:object_r:user_home_dir_t natasha
drwx------ wendy wendy user_u:object_r:user_home_dir_t wendy
drwx------ zhuying zhuying user_u:object_r:file_t zhuying
[root@station116 home]#

Undo the change: restorecon

[root@station116 home]# restorecon zhuying
[root@station116 home]# ls -Z
-rw------- root root system_u:object_r:file_t aquota.user
drwx------ cracker cracker user_u:object_r:user_home_dir_t cracker
drwxr-xr-x root root system_u:object_r:autofs_t guests
drwx------ root root system_u:object_r:lost_found_t lost+found
drwx------ natasha natasha user_u:object_r:user_home_dir_t natasha
drwx------ wendy wendy user_u:object_r:user_home_dir_t wendy
drwx------ zhuying zhuying user_u:object_r:user_home_dir_t zhuying
[root@station116 home]#
[root@station116 home]# cd zhuying/
[root@station116 zhuying]# ls -Z
drwxr-xr-x root root root:object_r:file_t file1
drwxr-xr-x root root root:object_r:file_t file2
drwxr-xr-x root root root:object_r:file_t test

With -R, chcon changes the labels of all files under the directory recursively:

[root@station116 home]# chcon -R -t user_home_dir_t zhuying
[root@station116 home]#
[root@station116 home]# cd zhuying/
[root@station116 zhuying]# ls -Z
drwxr-xr-x root root user_u:object_r:user_home_t file1
drwxr-xr-x root root user_u:object_r:user_home_t file2
drwxr-xr-x root root user_u:object_r:user_home_t test
[root@station116 zhuying]#
