Original post: https://www.itophub.io/wiki/page?id=2_7_0%3Ainstall%3Aselinux


iTop and SE Linux

Some Linux distributions (Fedora, RedHat, CentOS…) come with SELinux enabled by default. This requires additional security configuration to be put in place before you can start using iTop.

Basic SE Linux configuration

# allow read/write on the itop root and all child folders
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/itop(/.*)?"
# apply the policy to the files on disk
restorecon -Rv /var/www/html/itop/
# view the applied security contexts
ls -lZ /var/www/html/itop/

This basic configuration works with iTop. You need to have a good knowledge of SE Linux to apply more restrictive rights.

Writing to files

If the installer complains that the conf folder of iTop exists but cannot be written to, and the access rights on the directory look correct, then try turning off SE Linux enforcement:

setenforce 0

This stops enforcing security context checks (SELinux runs in permissive mode until the next reboot or a `setenforce 1`). It is definitely not suitable for a production system, but may be helpful to isolate the source of the problem. More information about Security Contexts is available here or there.

Connecting to a remote MySQL server

If you have trouble getting iTop to connect to a remote MySQL server, check the SELinux settings with the following command:

getsebool -a | grep 'httpd'

You should see something like:

allow_httpd_anon_write --> off
allow_httpd_bugzilla_script_anon_write --> off
allow_httpd_cvs_script_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_nagios_script_anon_write --> off
allow_httpd_prewikka_script_anon_write --> off
allow_httpd_squid_script_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off

If you see the line httpd_can_network_connect_db --> off, this means that the web server is prevented from making any network connection to the MySQL server.

To change this security setting, type the following command (as root):

setsebool -P httpd_can_network_connect_db on

Connecting to iTop from remote

If you can connect to the web server only from the machine itself, but not from a remote system, then check the firewall configuration (firewalld, which manages the iptables rules):

firewall-cmd --list-services

The output of the command should be something like:

dhcp-v6-client http mdns ssh

If http is not in the list, then access to the web server will be blocked. To unblock it, launch (as root) the following command:

firewall-cmd --add-service=http

This changes the running configuration only; repeat the command with --permanent for the rule to survive a firewalld reload or a reboot.
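As an added example (not from the iTop wiki), the following POSIX sh script ties the three checks on this page together: it parses the output of `getsebool -a`, `firewall-cmd --list-services` and `ls -dZ` and reports which of the page's remedies still apply. The samples embedded in it are constructed, and the `/var/www/html/itop` path and the `--live` flag are assumptions of this script.

```shell
#!/bin/sh
# Added example (not from the iTop wiki): reports which of the page's fixes
# still apply, parsing the output of getsebool, firewall-cmd and ls -Z.
# Constructed sample of `getsebool -a`, matching the page's listing.
SAMPLE_BOOLS='httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_sendmail --> on'
# Constructed sample of `firewall-cmd --list-services` with http missing.
SAMPLE_SERVICES='dhcp-v6-client mdns ssh'
# Constructed sample of `ls -dZ /var/www/html/itop` before restorecon ran.
SAMPLE_CTX='unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/itop'

# missing_booleans OUTPUT NAME... : print each NAME whose state is not "on"
missing_booleans() {
    out=$1; shift
    for name in "$@"; do
        state=$(printf '%s\n' "$out" | awk -v n="$name" '$1 == n { print $3 }')
        [ "$state" = "on" ] || printf '%s\n' "$name"
    done
}
# service_allowed OUTPUT NAME : succeed if NAME is among the listed services
service_allowed() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx -- "$2"
}
# context_type LINE : print the SELinux type (third colon field) of an ls -Z line
context_type() {
    printf '%s\n' "$1" | awk '{ split($1, c, ":"); print c[3] }'
}
# check_itop BOOLS SERVICES CTX : one finding per line, each with its remedy
check_itop() {
    for b in $(missing_booleans "$1" httpd_can_network_connect_db); do
        echo "boolean $b is off: setsebool -P $b on"
    done
    service_allowed "$2" http ||
        echo "http not in firewall services: firewall-cmd --add-service=http"
    t=$(context_type "$3")
    [ "$t" = "httpd_sys_rw_content_t" ] ||
        echo "itop dir type is $t: run the semanage fcontext and restorecon steps"
}

if [ "${1:-}" = "--live" ]; then   # inspect this host instead of the samples
    check_itop "$(getsebool -a)" "$(firewall-cmd --list-services)" \
               "$(ls -dZ /var/www/html/itop)"
else
    check_itop "$SAMPLE_BOOLS" "$SAMPLE_SERVICES" "$SAMPLE_CTX"
fi
```

Run it with `--live` on the iTop host to check the real system; without arguments it reports the three findings for the constructed samples.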
Created by superadmin on 2020/08/27, 15:54