
RHCSA (EX200) - 调试 SELinux

调试 SELinux

非标准端口 82 上运行的 Web 服务器在提供内容时遇到问题。根据需要调试并解决问题,使其满足以下条件:

系统上的 Web 服务器能够提供 /var/www/html 中所有现有的 HTML 文件(注:不要删除或以其他方式改动现有的文件内容)

Web 服务器在端口 82 上提供此内容

Web 服务器在系统启动时自动启动

[root@node1 ~]# systemctl is-active httpd.service 
failed
[root@node1 ~]# systemctl status httpd.service
...
clear.domain250.example.com httpd[821]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:82
clear.domain250.example.com httpd[821]: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:82
clear.domain250.example.com httpd[821]: no listening sockets available, shutting down
...
[root@node1 ~]# sealert -a /var/log/audit/audit.log
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing httpd from name_bind access on the tcp_socket port 82.

***** Plugin bind_ports (99.5 confidence) suggests ************************

If you want to allow httpd to bind to network port 82
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 82
where PORT_TYPE is one of the following: http_cache_port_t, http_port_t, jboss_management_port_t, jboss_messaging_port_t, ntop_port_t, puppet_port_t.
...
[root@node1 ~]# semanage port -l | grep "http"
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
[root@node1 ~]# semanage port -a -t http_port_t -p tcp 82
[root@node1 ~]# semanage port -l | grep "http_port_t"
http_port_t tcp 82, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
[root@node1 ~]# systemctl enable --now httpd.service
[root@node1 ~]# systemctl is-active httpd.service; systemctl is-enabled httpd.service
active
enabled
[root@node1 ~]# ss -ntlp | grep ":82"
LISTEN 0 128 *:82 *:* users:(("httpd",pid=25751,fd=4),("httpd",pid=25750,fd=4),("httpd",pid=25749,fd=4),("httpd",pid=25747,fd=4))
[root@node1 ~]# curl http://localhost:82
...
<title>Test Page for the Apache HTTP Server on Red Hat Enterprise Linux</title>
...
[kiosk@foundation0 ~]$ curl http://172.25.250.100:82
curl: (7) Failed to connect to 172.25.250.100 port 82: No route to host
[root@node1 ~]# firewall-cmd --get-default-zone 
public
[root@node1 ~]# firewall-cmd --permanent --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@node1 ~]# firewall-cmd --permanent --zone=public --add-port=82/tcp
success
[root@node1 ~]# firewall-cmd --reload
success
[root@node1 ~]# firewall-cmd --permanent --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client ssh
ports: 82/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[kiosk@foundation0 ~]$ curl http://172.25.250.100:82
...
<title>Test Page for the Apache HTTP Server on Red Hat Enterprise Linux</title>
...
[root@node1 ~]# ls /var/www/html/
file1 file2 file3
[root@node1 ~]# curl http://localhost:82/file1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /file1
on this server.<br />
</p>
</body></html>
[root@node1 ~]# curl http://localhost:82/file2
EX200 Testing
[root@node1 ~]# curl http://localhost:82/file3
EX200 Testing
[root@node1 ~]# ls -lZ /var/www/html/
total 12
-rw-r--r--. 1 root root system_u:object_r:default_t:s0 14 Feb 19 11:56 file1
-rw-r--r--. 1 root root system_u:object_r:httpd_sys_content_t:s0 14 Feb 19 11:56 file2
-rw-r--r--. 1 root root system_u:object_r:httpd_sys_content_t:s0 14 Feb 19 11:56 file3
[root@node1 ~]# semanage fcontext -l | grep "/var/www"
/var/www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
...
/var/www/html/file1 all files system_u:object_r:default_t:s0
...
[root@node1 ~]# semanage fcontext -d /var/www/html/file1
[root@node1 ~]# restorecon -Rv /var/www/html/
Relabeled /var/www/html/file1 from system_u:object_r:default_t:s0 to system_u:object_r:httpd_sys_content_t:s0
[root@node1 ~]# ls -lZ /var/www/html/
total 12
-rw-r--r--. 1 root root system_u:object_r:httpd_sys_content_t:s0 14 Feb 19 11:56 file1
-rw-r--r--. 1 root root system_u:object_r:httpd_sys_content_t:s0 14 Feb 19 11:56 file2
-rw-r--r--. 1 root root system_u:object_r:httpd_sys_content_t:s0 14 Feb 19 11:56 file3
[root@node1 ~]# curl http://localhost:82/file1
EX200 Testing