svn签出后的SELinux fcontext_Svn_Selinux

svn签出后的SELinux fcontext

svn

svn签出后的SELinux fcontext,svn,selinux,Svn,Selinux,首先，我想告诉大家，没有真正的问题，一切都如我所期望的那样工作，但是我遇到了一种奇怪的行为，我无法解释，所以我想从更熟练的工程师那里获得一些见解 SELinux如何应用fcontext映射定义可以观察到这种奇怪的行为首先，让我打印适用于我的案例的SELinux fcontext策略： [root@ip-10-0-0-40 wp-content]# semanage fcontext -l | grep "^/var/www.*httpd_sys_rw_content_t:s0\s$" /var

首先，我想告诉大家，没有真正的问题，一切都如我所期望的那样工作，但是我遇到了一种奇怪的行为，我无法解释，所以我想从更熟练的工程师那里获得一些见解

SELinux如何应用fcontext映射定义可以观察到这种奇怪的行为

首先，让我打印适用于我的案例的SELinux fcontext策略：

[root@ip-10-0-0-40 wp-content]# semanage fcontext -l | grep "^/var/www.*httpd_sys_rw_content_t:s0\s$"
/var/www/svn(/.*)?                                 all files          system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html(/.*)?/uploads(/.*)?                  all files          system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html(/.*)?/wp-content(/.*)?               all files          system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html(/.*)?/sites/default/files(/.*)?      all files          system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html(/.*)?/sites/default/settings\.php    regular file       system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/moodledata(/.*)?                          all files          system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/moodle/data(/.*)?                         all files          system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/gallery/albums(/.*)?                      all files          system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html/owncloud/data(/.*)?                  all files          system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html/configuration\.php                   all files          system_u:object_r:httpd_sys_rw_content_t:s0

正如您从命令中看到的，我对fcontext策略感兴趣，该策略使httpd能够在/var/www中写入

我正在安装WordPress，因此我的目光锁定在以下策略上：

/var/www/html(/.*)?/uploads(/.*)?                  all files          system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html(/.*)?/wp-content(/.*)?               all files          system_u:object_r:httpd_sys_rw_content_t:s0

从策略RegExp中，我可以设计需要的目录结构。让我们为项目和签出创建一个目录

[root@ip-10-0-0-40 /]# mkdir -p /var/www/html/sun
[root@ip-10-0-0-40 /]# cd /var/www/html/sun
[root@ip-10-0-0-40 sun]# svn co http://server/ .

[root@ip-10-0-0-40 wp-content]# mkdir -p /var/www/sun
[root@ip-10-0-0-40 wp-content]# cd /var/www/sun/
[root@ip-10-0-0-40 sun]# svn co http://server/ .

让我们检查是否应用了正确的fcontext：

[root@ip-10-0-0-40 sun]# cd /var/www/html/sun/public/wp-content
[root@ip-10-0-0-40 wp-content]# ls -Z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 index.php
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 languages
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 mu-plugins
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 plugins
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 themes
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 uploads

[root@ip-10-0-0-40 sun]# cd /var/www/sun/public/wp-content/
[root@ip-10-0-0-40 wp-content]# ls –Z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.php
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 languages
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 mu-plugins
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 plugins
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 themes
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 uploads

太好了！出于兴趣和反复检查，让我们尝试恢复fcontext，看看会发生什么：

[root@ip-10-0-0-40 wp-content]# restorecon -Rv /var/www/html/sun/
[root@ip-10-0-0-40 wp-content]# ls -Z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 index.php
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 languages
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 mu-plugins
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 plugins
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 themes
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 uploads

太好了！一切正常

为了完成测试，让我们模拟一个预期的失败。让我们在/html/之外创建一个项目目录，如下所示：/var/www/sun并签出

[root@ip-10-0-0-40 /]# mkdir -p /var/www/html/sun
[root@ip-10-0-0-40 /]# cd /var/www/html/sun
[root@ip-10-0-0-40 sun]# svn co http://server/ .

[root@ip-10-0-0-40 wp-content]# mkdir -p /var/www/sun
[root@ip-10-0-0-40 wp-content]# cd /var/www/sun/
[root@ip-10-0-0-40 sun]# svn co http://server/ .

让我们检查是否应用了正确的fcontext：

[root@ip-10-0-0-40 sun]# cd /var/www/html/sun/public/wp-content
[root@ip-10-0-0-40 wp-content]# ls -Z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 index.php
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 languages
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 mu-plugins
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 plugins
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 themes
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 uploads

[root@ip-10-0-0-40 sun]# cd /var/www/sun/public/wp-content/
[root@ip-10-0-0-40 wp-content]# ls –Z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.php
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 languages
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 mu-plugins
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 plugins
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 themes
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 uploads

奇怪的是，我希望看到httpd\u sys\u content\t（默认fcontext），让我们尝试恢复到默认值：

[root@ip-10-0-0-40 wp-content]# restorecon -Rv /var/www/sun
...Output omitted
[root@ip-10-0-0-40 wp-content]# ls -Z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.php
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 languages
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 mu-plugins
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 plugins
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 themes
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 uploads

为/var/www/sun使用restorecon的效果与预期一样，但是…难题是：

为什么svn公司内部/var/www/sun使用了不存在的策略？策略匹配fcontext，但不匹配此的位置：

/var/www/html(/.*)?/wp-content(/.*)?               all files          system_u:object_r:httpd_sys_rw_content_t:s0

同样index.php也有不同的fcontext，但目录有相同的：httpd\u sys\u rw\u content\u t我有同样的问题，“为什么wp内容目录会自动标记为httpd\u sys\u rw\u content\u t，甚至在/var/www/html的fcontext规则之外？”。然而，我现在已经找到了答案，我想我会把它贴在这里

这是由SELinux的一个名为Filename Transitions的特性引起的，它是一种策略机制，可以帮助创建正确标记的文件和目录

在您的示例中，目录/var/www/sun/public从/var/www继承了httpd\u sys\u content\u t

通常，在a/var/www/sun/public中创建的名为wp content的目录也会继承httpd\u sys\u content\t

但是在apache.if中，如果有一个文件名转换规则，该规则规定任何名为“wp content”的目录都应该创建为httpd\u sys\u content\u t

在CentOS 7中，安装selinux policy-devel包，您可以在/usr/share/selinux/devel/include/contrib/apache.if中看到定义

您可以按如下方式测试该理论：

[root@dt-laptop-centos7 /]# mkdir junk
[root@dt-laptop-centos7 /]# ls -aldZ junk
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 junk
[root@dt-laptop-centos7 /]# chcon -t httpd_sys_content_t junk
[root@dt-laptop-centos7 /]# ls -aldZ junk
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 junk
[root@dt-laptop-centos7 /]# cd junk
[root@dt-laptop-centos7 junk]# mkdir wp-otherdir
[root@dt-laptop-centos7 junk]# mkdir wp-content
[root@dt-laptop-centos7 junk]# ls -alZ
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 .
dr-xr-xr-x. root root system_u:object_r:root_t:s0      ..
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 wp-content
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 wp-otherdir

您可以看到，wp content的上下文自动设置为httpd\u sys\u rw\u content\u t，而wp otherdir只继承httpd\u sys\u content\u t

我有同样的问题，“为什么wp内容目录会自动标记为httpd\u sys\u rw\u content\u t，甚至在/var/www/html的fcontext规则之外？”然而，我现在找到了答案，并想将其发布在这里