User Tools
модуль_selinux
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
модуль_selinux [2024/04/26 14:11] val [Управление разрешениями с использованием boolean] |
модуль_selinux [2024/08/23 09:32] (current) val [Конфигурация] |
||
|---|---|---|---|
| Line 8: | Line 8: | ||
| * [[https://habr.com/ru/companies/otus/articles/460387/|Руководство для начинающих по SELinux]] | * [[https://habr.com/ru/companies/otus/articles/460387/|Руководство для начинающих по SELinux]] | ||
| * [[https://www.opennet.ru/base/sec/selinux_setup.txt.html|Настройка и использование SELinux (selinux limit security linux mac acl)]] | * [[https://www.opennet.ru/base/sec/selinux_setup.txt.html|Настройка и использование SELinux (selinux limit security linux mac acl)]] | ||
| - | * [[https://www.ibm.com/developerworks/ru/library/l-se_linux_01/index.html|Часть 1. SELinux - история появления, архитектура и принципы работы]] | + | |
| - | * [[https://wiki.centos.org/TipsAndTricks/SelinuxBooleans|SELinux Booleans]] | + | |
| * [[https://www.server-world.info/en/note?os=CentOS_7&p=selinux&f=11|SELinux : Use sesearch]] | * [[https://www.server-world.info/en/note?os=CentOS_7&p=selinux&f=11|SELinux : Use sesearch]] | ||
| - | * [[http://hansenroy.com/selinux-run-a-command-or-script-in-a-specific-context/|SELinux: Run a command or script in a specific context]] | + | |
| <code> | <code> | ||
| - | # sestatus | + | # sestatus -v |
| # id -Z | # id -Z | ||
| Line 43: | Line 42: | ||
| # restorecon -v /var/www/html/index.html | # restorecon -v /var/www/html/index.html | ||
| + | |||
| + | ### semanage fcontext -a -t httpd_sys_content_t "/mydir(/.*)?" | ||
| + | ### restorecon -R -v /mydir | ||
| </code> | </code> | ||
| Line 48: | Line 50: | ||
| * [[Сервис Firewall#CentOS]] firewalld (для демонстрации темы можно отключить) | * [[Сервис Firewall#CentOS]] firewalld (для демонстрации темы можно отключить) | ||
| + | |||
| + | * [[https://access.redhat.com/documentation/ru-ru/red_hat_enterprise_linux/5/html/deployment_guide/rhlcommon-section-0085|50.2.11. Running a Command in a Specific Security Context]] | ||
| * [[https://blog.tinned-software.net/change-ssh-port-in-centos-with-selinux/|Change SSH port in CentOS with SELinux]] | * [[https://blog.tinned-software.net/change-ssh-port-in-centos-with-selinux/|Change SSH port in CentOS with SELinux]] | ||
| Line 66: | Line 70: | ||
| ===== Управление разрешениями с использованием boolean ===== | ===== Управление разрешениями с использованием boolean ===== | ||
| + | * [[https://wiki.centos.org/TipsAndTricks/SelinuxBooleans|SELinux Booleans]] | ||
| * [[https://serverfault.com/questions/666045/zabbix-server-selinux-policy|Zabbix server SELinux policy]] | * [[https://serverfault.com/questions/666045/zabbix-server-selinux-policy|Zabbix server SELinux policy]] | ||
| Line 79: | Line 84: | ||
| # setsebool -P httpd_can_connect_zabbix on | # setsebool -P httpd_can_connect_zabbix on | ||
| </code> | </code> | ||
| + | |||
| + | ===== Аудит SELinux Policy утилитой sesearch ===== | ||
| + | |||
| + | * [[https://www.lisenet.com/2019/auditing-the-selinux-policy-with-sesearch/|Auditing the SELinux Policy with sesearch]] | ||
| + | |||
| + | <code> | ||
| + | # yum install -y setools-console | ||
| + | |||
| + | # sesearch --allow | tee se_allow.txt | ||
| + | ... | ||
| + | allow sshd_t ssh_port_t:tcp_socket name_bind; | ||
| + | ... | ||
| + | allow httpd_t zabbix_port_t:tcp_socket name_connect; [ httpd_can_connect_zabbix ]:True | ||
| + | ... | ||
| + | </code> | ||
| + | |||
| ===== Разработка модулей ===== | ===== Разработка модулей ===== | ||
модуль_selinux.1714129874.txt.gz · Last modified: 2024/04/26 14:11 by val
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
