linux：SElinux的实验之自动检查错误并提出解决方案

linux：SElinux的实验之自动检查错误并提出解决方案

​ 1.设定一台主机的主机名未webserver.timinglee.org
ip: 172.25.254.100
请打开此主机的selinux，并在系统中检测selinux的状态为enforcing（以上内容需要在报告中体现过程）
​ 2.配置nginx服务，要求其默认发布目录为/nginx/html默认发布内容为：webserver.timinglee.org
使用端口为：6666

​ 3.检测上述要求并把检测解决呈现在报告中

[root@server100 ~]# hostnamectl hostname webserver.timinglee.org[root@server100 ~]# hostname
webserver.timinglee.org# 关闭防火墙
[root@webserver ~]# systemctl disable --now firewalld.service
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service".[root@webserver ~]# ifconfig | tr -s " " | grep broadcast | cut -d " " -f3
172.25.254.100# 永久开启selinux，需要重启系统生效
[root@webserver ~]# grubby --update-kernel ALL --args selinux=1# 重启系统
[root@webserver ~]# reboot# 查看seLinux的状态
[root@webserver ~]# getenforce
Enforcing
# 安装nginx软件并开启服务
[root@webserver ~]# dnf install nginx -y
[root@webserver ~]# systemctl enable --now nginx.service# 修改nginx的主配置文件
[root@webserver ~]# vim /etc/nginx/nginx.conf
server {listen       6666;listen       [::]:80;server_name  _;
#      修改网页默认发布路径root         /nginx/html;# 建立网页存储目录并制作网页文件
[root@webserver ~]# mkdir -p /nginx/html
[root@webserver ~]# echo "webserver.timinglee.org" > /nginx/html/index.html# 语法检查成功，但是重启服务报错
[root@webserver ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@webserver ~]# systemctl restart nginx.service
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xeu nginx.service" for details.# 查看报错信息
[root@webserver ~]# less /var/log/audit/audit.log | nginx# 查看解决工具日志文件
[root@webserver ~]# less /var/log/messages | grep nginx# 在这里查找到了解决方案
#012# ausearch -c 'nginx' --raw | audit2allow -M my-nginx#012# semodule -X 300 -i my-nginx.pp#012[root@webserver ~]# ausearch -c 'nginx' --raw | audit2allow -M my-nginx
******************** IMPORTANT ***********************
To make this policy package active, execute:semodule -i my-nginx.pp[root@webserver ~]# semodule -X 300 -i my-nginx.pp
[root@webserver ~]# systemctl restart nginx.service
# 重启无报错# 访问测试，访问失败，没有访问到指定内容
[root@webserver ~]# curl 172.25.254.100:6666
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.20.1</center>
</body>
</html># 再次查看解决方法
[root@webserver ~]# less /var/log/messages | grep nginx# 在这里查找到了解决方案
# semanage fcontext -a -t FILE_TYPE '/nginx/html/index.html'#012where FILE_TYPE is one of the following: NetworkManager_exec_t, [root@webserver ~]# semanage fcontext -a -t httpd_sys_content_t  '/nginx/html(/.*)?'
[root@webserver ~]# restorecon -RvvF /nginx/html/
Relabeled /nginx/html from unconfined_u:object_r:default_t:s0 to system_u:object_r:httpd_sys_content_t:s0
Relabeled /nginx/html/index.html from unconfined_u:object_r:default_t:s0 to system_u:object_r:httpd_sys_content_t:s0# 访问测试，访问成功
[root@webserver ~]# curl 172.25.254.100:6666
webserver.timinglee.org