XDQ的笔记本

centos

A 21 post collection

selinux 常用命令

 •  Filed under linux, centos, centos7, selinux

查看是否有被selinux阻挡

sudo cat /var/log/audit/audit.log | grep denied

boolean

查看boolean状态

sudo sestatus -b

sudo sestatus -b | grep -i sendmail

设置boolean

sudo setsebool -P $boolean名 $1或0

常用boolean

boolean名 意义
httpd_can_network_connect 允许httpd反向代理
httpd_can_sendmail 允许httpd发送邮件

semanager

安装semanager

sudo yum install -y policycoreutils-python

获取系统中的可用label

sudo semanage fcontext -l |grep {SOMETHING}

给文件设置label

sudo semanage fcontext -a -t httpd_sys_content_t /path/to/file
restorecon -v /path/to/file

给文件夹设置label

sudo semanage fcontext -a -t httpd_sys_content_t "/path/to/dir(/.*)?"
restorecon -R -v /path/to/dir

Centos7 apache使用freeipa pki提供证书

 •  Filed under centos, centos7, linux, selinux, freeipa

安装apache和mod_nss

sudo yum install httpd mod_nss -y

配置mod_nss

sudo sh -c "echo 'Listen 443' >> /etc/httpd/conf.d/nssconfig.conf"
sudo sh -c "echo 'NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha' >> /etc/httpd/conf.d/nssconfig.conf"
sudo sh -c "echo 'NSSCertificateDatabase /etc/httpd/alias' >> /etc/httpd/conf.d/nssconfig.conf"

从/etc/httpd/conf.d/nss.conf中删除默认虚拟主机

获取证书

ipa-getcert request -d /etc/httpd/alias -n 'alianame' -K HTTP/'hostname' -D 'FQDN.com'

配置https虚拟主机

<VirtualHost *:443>
    ServerName FQDN

    NSSEngine on
    NSSNickname alianame

    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

SELinux boolean操作

 •  Filed under centos, centos7, selinux
查询boolean状态
sudo sestatus -b

或者

sudo sestatus -b | grep -i sendmail
设置boolean
sudo setsebool -P $boolean名 $1或0

如允许httpd发送邮件

sudo setsebool -P httpd_can_sendmail 1