Linux: SELinux makes a website inaccessible

By switching the SELinux mode back and forth, it can be established that when SELinux is turned off (setenforce 0, permissive mode) the website content is reachable normally, and when it is enforcing the site cannot be accessed.
[root@master1-192-168-117-18 ~]# setenforce 0
[root@master1-192-168-117-18 ~]# getenforce
Permissive
[root@master1-192-168-117-18 ~]# setenforce 1
[root@master1-192-168-117-18 ~]# getenforce 0
Enforcing


View the SELinux security context of the website's document root directory (the system default root and the newly added one):
[root@master1-192-168-117-18 ~]# ls -Zd /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
[root@master1-192-168-117-18 ~]# ls -Zd /home/wwwroot/
drwxr-xr-x. root root system_u:object_r:user_home_dir_t:s0 /home/wwwroot/

Make the SELinux context of the newly added document root consistent with the system default document root (semanage takes an anchored regular expression, so the directory and everything below it are quoted as one pattern rather than left as a shell glob):
[root@master1-192-168-117-18 ~]# semanage fcontext -a -t httpd_sys_content_t "/home/wwwroot(/.*)?"

Note that after running the command above the website still cannot be accessed right away: the restorecon command must also be used so that the configured SELinux security context takes effect immediately. When running restorecon, the -Rv options recurse into the specified directory and show each context change as it is made.

[root@master1-192-168-117-18 ~]# restorecon -Rv /home/wwwroot/
restorecon reset /home/wwwroot context system_u:object_r:user_home_dir_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /home/wwwroot/index.html context system_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
[root@master1-192-168-117-18 ~]# ls -Zd /home/wwwroot/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /home/wwwroot/
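The check-then-fix procedure above (compare the label of each path under the web root with httpd_sys_content_t, add a persistent fcontext rule, run restorecon) as an added shell example. This is not code from the original post: it parses constructed `ls -Z`-shaped lines and only prints the commands it would run, so it can be executed offline without touching a host's policy.

```shell
#!/bin/sh
# Added example (not from the original post): audit the SELinux type of files
# under a web root the way `ls -Zd` shows it, and print the commands that would
# relabel a mislabeled tree. Nothing here runs semanage or restorecon itself.

EXPECTED_TYPE="httpd_sys_content_t"

# Constructed sample in the 5-field shape `ls -Z` prints on RHEL/CentOS 7
# (perms owner group context path); not captured from a real host.
SAMPLE_LS_Z='drwxr-xr-x. root root system_u:object_r:user_home_dir_t:s0 /home/wwwroot
-rw-r--r--. root root system_u:object_r:user_home_t:s0 /home/wwwroot/index.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /home/wwwroot/about.html'

# Read ls -Z lines on stdin and print each path whose SELinux type (the third
# colon-separated field of the context) differs from $1.
find_mislabeled() {
    expected="$1"
    while read -r perms owner group ctx path; do
        [ -n "$ctx" ] || continue
        setype=$(printf '%s\n' "$ctx" | cut -d: -f3)
        [ "$setype" = "$expected" ] || printf '%s\n' "$path"
    done
}

# semanage fcontext takes an anchored regular expression, not a shell glob:
# "/home/wwwroot(/.*)?" matches the directory itself and everything below it,
# whereas an unquoted /home/wwwroot/* is expanded by the shell before semanage
# ever sees it.
fcontext_regex() {
    dir="${1%/}"                      # drop one trailing slash
    printf '%s(/.*)?\n' "$dir"
}

# Print (do not execute) the two commands that fix the labels persistently:
# the fcontext rule so the label survives a relabel, then restorecon to apply it.
fix_commands() {
    dir="${1%/}"
    printf 'semanage fcontext -a -t %s "%s"\n' "$EXPECTED_TYPE" "$(fcontext_regex "$dir")"
    printf 'restorecon -Rv %s\n' "$dir"
}

# Stand-alone demonstration on the constructed sample.
echo "Paths not labelled $EXPECTED_TYPE:"
printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled "$EXPECTED_TYPE"
echo "Suggested fix:"
fix_commands /home/wwwroot/
```

On a real host, replace the constructed sample with `ls -Z /home/wwwroot | find_mislabeled httpd_sys_content_t`. The fcontext rule is what makes the fix durable: restorecon alone relabels once, but a later `restorecon` or full relabel would revert the directory to user_home_dir_t unless the rule exists.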


Personal user home pages

Step 1: The httpd service does not enable personal user home pages by default. To enable them, edit the configuration file below: put a hash sign (#) in front of the UserDir disabled parameter on line 17, which tells httpd to enable personal user home pages, and remove the hash sign (#) in front of the UserDir public_html parameter on line 24 (the UserDir parameter names the directory inside the user's home directory where the website data is kept, i.e. public_html). Remember to save the file when done.
[root@master1-192-168-117-18 ~]# vim /etc/httpd/conf.d/userdir.conf
1 #
2 # UserDir: The name of the directory that is appended onto a user's home
3 # directory if a ~user request is received.
4 #
5 # The path to the end user account 'public_html' directory must be
6 # accessible to the webserver userid. This usually means that ~userid
7 # must have permissions of 711, ~userid/public_html must have permissions
8 # of 755, and documents contained therein must be world-readable.
9 # Otherwise, the client will only receive a "403 Forbidden" message.
10 #
11 <IfModule mod_userdir.c>
12 #
13 # UserDir is disabled by default since it can confirm the presence
14 # of a username on the system (depending on home directory
15 # permissions).
16 #
17 # UserDir disabled
18
19 #
20 # To enable requests to /~user/ to serve the user's public_html
21 # directory, remove the "UserDir disabled" line above, and uncomment
22 # the following line instead:
23 #
24 UserDir public_html
25 </IfModule>
26
27 #
28 # Control access to UserDir directories. The following is an example
29 # for a site where these directories are restricted to read-only.
30 #
31 <Directory "/home/*/public_html">
32 AllowOverride FileInfo AuthConfig Limit Indexes
33 Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
34 Require method GET POST OPTIONS
35 </Directory>

"/etc/httpd/conf.d/userdir.conf" 36L, 1254C 已寫入

Step 2: In the user's home directory, create the directory that holds the website data and the index page. In addition, change the permissions of the home directory to 755 so that other users are allowed to read its contents.
[aa@master1-192-168-117-18 ~]$ mkdir public_html
[aa@master1-192-168-117-18 ~]$ echo "世界那么大,我出去看看!" > public_html/index.html
[aa@master1-192-168-117-18 ~]$ chmod -Rf 755 /home/aa/

Step 3: Restart the httpd service and, in the browser's address bar, enter a URL of the form "site-address/~username" (the tilde is required, and there are no spaces between the address, the tilde and the username); in theory the user's personal website should now appear. As expected, the system shows an error page instead, as in Figure 10-9. This must once again be SELinux's doing.

Step 4: Use the getsebool command to query all SELinux booleans and filter out those related to the HTTP protocol. Here off means denied and on means allowed.
[root@master1-192-168-117-18 ~]# getsebool -a | grep http
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_DNS --> off
named_tcp_bind_http_port --> off
prosody_bind_http_port --> off

[root@master1-192-168-117-18 ~]# setsebool -P httpd_enable_homedirs=on
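The boolean check in step 4, as an added shell example that is not part of the original post: it reads `getsebool -a` output, reports every boolean a feature requires that is still off, and prints the persistent `setsebool -P` command for each. The getsebool excerpt is constructed, and the required list defaults to the one boolean the post switches on, httpd_enable_homedirs; other features need their own list, passed as the argument.

```shell
#!/bin/sh
# Added example (not from the original post): find SELinux booleans that a
# feature needs but that `getsebool -a` reports as off, and print the
# setsebool -P commands that would turn them on. Nothing is changed on the host.

# Constructed excerpt in the `name --> state` shape getsebool -a prints.
SAMPLE_GETSEBOOL='httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_read_user_content --> off
httpd_can_network_connect --> off'

# The boolean the post turns on for /~user/ pages (assumed default here).
HOMEDIR_BOOLS="httpd_enable_homedirs"

# stdin: getsebool -a output; $1: space-separated booleans that must be on.
# Prints each required boolean whose reported state is not "on".
missing_booleans() {
    required="$1"
    while read -r name arrow state; do
        [ "$arrow" = "-->" ] || continue       # skip anything that is not a boolean line
        for want in $required; do
            if [ "$name" = "$want" ] && [ "$state" != "on" ]; then
                printf '%s\n' "$name"
            fi
        done
    done
}

# Print the persistent (-P) commands for the booleans named in "$@".
# -P writes the change into the policy store so it survives a reboot.
setsebool_commands() {
    for b in "$@"; do
        printf 'setsebool -P %s=on\n' "$b"
    done
}

# Stand-alone demonstration on the constructed sample.
missing=$(printf '%s\n' "$SAMPLE_GETSEBOOL" | missing_booleans "$HOMEDIR_BOOLS")
if [ -n "$missing" ]; then
    echo "Required booleans still off:"
    echo "$missing"
    echo "To enable them persistently:"
    setsebool_commands $missing
else
    echo "All required booleans are on."
fi
```

On a real host, pipe `getsebool -a` into `missing_booleans` instead of the sample. Turn on only the booleans the feature needs; each one widens what the httpd_t domain may do, which is why the post leaves the network and write-related booleans off.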


Accessing web pages with authentication

Step 1: First use the htpasswd command to generate the password database. The -c option means the file is being created for the first time; it is followed by the file in which the password database is stored and the user name that will be used for authentication (this user need not be an existing local account on the system).
[root@master1-192-168-117-18 ~]# htpasswd -c /etc/httpd/passwd aa
New password:
Re-type new password:
Adding password for user aa
Step 2: Edit the configuration file of the personal user home page feature as shown below. Then save and exit, and restart the httpd service for the change to take effect.
[root@master1-192-168-117-18 ~]# vim /etc/httpd/conf.d/userdir.conf

1 #
2 # UserDir: The name of the directory that is appended onto a user's home
3 # directory if a ~user request is received.
4 #
5 # The path to the end user account 'public_html' directory must be
6 # accessible to the webserver userid. This usually means that ~userid
7 # must have permissions of 711, ~userid/public_html must have permissions
8 # of 755, and documents contained therein must be world-readable.
9 # Otherwise, the client will only receive a "403 Forbidden" message.
10 #
11 <IfModule mod_userdir.c>
12 #
13 # UserDir is disabled by default since it can confirm the presence
14 # of a username on the system (depending on home directory
15 # permissions).
16 #
17 # UserDir disabled
18
19 #
20 # To enable requests to /~user/ to serve the user's public_html
21 # directory, remove the "UserDir disabled" line above, and uncomment
22 # the following line instead:
23 #
24 UserDir public_html
25 </IfModule>
26
27 #
28 # Control access to UserDir directories. The following is an example
29 # for a site where these directories are restricted to read-only.
30 #
31 <Directory "/home/*/public_html">
32 AllowOverride all
33 authuserfile "/etc/httpd/passwd"
34 authname "My privately website"
35 authtype basic
36 require user aa
37 </Directory>
38

"/etc/httpd/conf.d/userdir.conf" 38L, 1217C 已寫入
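A follow-up check on the password database created in step 1, as an added shell example that is not part of the original post. `htpasswd -c` as used above stores an MD5-based apr1 hash by default; `htpasswd -B` stores bcrypt instead. The script reads an htpasswd file, identifies the scheme from each hash's prefix and lists the users that should be re-created with -B. The file contents are constructed and the hash values are placeholders, not real digests.

```shell
#!/bin/sh
# Added example (not from the original post): audit an htpasswd file for the
# password hashing scheme each entry uses and list entries not using bcrypt.

# Constructed sample file contents; the hash values are placeholders, not real digests.
SAMPLE_HTPASSWD='aa:$apr1$xxxxxxxx$yyyyyyyyyyyyyyyyyyyyyy
bb:$2y$05$zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
cc:{SHA}wwwwwwwwwwwwwwwwwwwwwwwwwww='

# Map an htpasswd hash field to the scheme its prefix identifies:
# $2y$/$2a$/$2b$ -> bcrypt (htpasswd -B), $apr1$ -> MD5 (the default),
# {SHA} -> SHA-1 (htpasswd -s), anything else -> crypt(3) or plain text.
hash_scheme() {
    case "$1" in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        '$apr1$'*)               echo md5 ;;
        '{SHA}'*)                echo sha1 ;;
        *)                       echo crypt-or-plain ;;
    esac
}

# stdin: htpasswd file; prints "user scheme" for every entry not using bcrypt.
weak_htpasswd_users() {
    while IFS=: read -r user hash; do
        [ -n "$user" ] || continue
        scheme=$(hash_scheme "$hash")
        [ "$scheme" = bcrypt ] || printf '%s %s\n' "$user" "$scheme"
    done
}

# Stand-alone demonstration on the constructed sample.
echo "Entries not using bcrypt (re-create each with: htpasswd -B /etc/httpd/passwd USER):"
printf '%s\n' "$SAMPLE_HTPASSWD" | weak_htpasswd_users
```

On a real host, run `weak_htpasswd_users < /etc/httpd/passwd`. Because AuthType Basic sends the user name and password base64-encoded on every request, this protection only holds when the site is served over TLS; the password file itself should stay outside the document root, as /etc/httpd/passwd is here.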

Article URL: http://bm7419.com/article0/gejeoo.html