{"id":2682,"date":"2019-02-10T14:00:25","date_gmt":"2019-02-10T05:00:25","guid":{"rendered":"https:\/\/east19-mikas.com\/?page_id=2682"},"modified":"2019-02-10T14:00:25","modified_gmt":"2019-02-10T05:00:25","slug":"set-selinux","status":"publish","type":"page","link":"https:\/\/east19-mikas.com\/mpat\/?page_id=2682","title":{"rendered":"SELINUX\u306e\u8a2d\u5b9a"},"content":{"rendered":"<div class=\"main2\">SELinux\u306b\u3088\u308b\u30a2\u30af\u30bb\u30b9\u5236\u5fa1<\/div>\n<p>&nbsp;<\/p>\n<h2>\u6982\u8981<\/h2>\n<p>\u5f53\u30b5\u30a4\u30c8\u3067CentOS7.1 64bit\u3078\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u65b9\u6cd5\u3092\u7d39\u4ecb\u3057\u3066\u3044\u308b\u30d1\u30c3\u30b1\u30fc\u30b8\u306b\u95a2\u3059\u308bSELinux\u306e\u8a2d\u5b9a\u3092\u3001\u4ee5\u4e0b\u306b\u793a\u3057\u307e\u3059\u3002<br \/>\n\u5c1a\u3001\u3053\u3053\u3067\u306fSELinux\u306e\u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u300c\/etc\/selinux\/config\u300d\u3067\u3001\u30dd\u30ea\u30b7\u30fc\u306e\u8a2d\u5b9a\u3092\u300cSELINUXTYPE=targeted\u300d\u3068\u3057\u305f\u72b6\u614b\u3067\u306eSELinux\u306e\u52d5\u4f5c\u3092\u5143\u306b\u3057\u3066\u3044\u307e\u3059\u3002<br \/>\n\u203b\u300ctargeted\u300d\u306f\u3001\u30c7\u30d5\u30a9\u30eb\u30c8\u306e\u8a2d\u5b9a\u3068\u306a\u308a\u307e\u3059\u3002\u4ed6\u306b\u300cmls\u300d\u304c\u6307\u5b9a\u53ef\u80fd\u3068\u306a\u3063\u3066\u3044\u307e\u3059\u3002<br 
\/>\n\u3053\u3053\u3067\u306f\u3001Apache\u304b\u3089\u306e\u30d5\u30a1\u30a4\u30eb\u306e\u8aad\u307f\u8fbc\u307f\u3092\u8a31\u53ef\u3059\u308b\u5834\u5408\u3092\u5143\u306b\u3001\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u8a2d\u5b9a\u3055\u308c\u3066\u3044\u308bSELinux\u306e\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306b\u3064\u3044\u3066\u8aac\u660e\u3057\u3066\u3044\u304d\u307e\u3059\u3002<\/p>\n<h2>Apache\u304b\u3089\u306e\u30d5\u30a1\u30a4\u30eb\u306e\u8aad\u307f\u8fbc\u307f\u3092\u8a31\u53ef<\/h2>\n<p>\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\u30eb\u30fc\u30c8\u306e\u5909\u66f4\u3084\u30a8\u30a4\u30ea\u30a2\u30b9\u306e\u4f7f\u7528\u3067\u3001\u72ec\u81ea\u306b\u4f5c\u6210\u3057\u305f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3092\u516c\u958b\u3057\u305f\u3044\u5834\u5408\u3084\u3001SSL\u4f7f\u7528\u6642\u306e\u79d8\u5bc6\u9375\u3084\u8a3c\u660e\u66f8\u3068\u3044\u3063\u305f\u8a2d\u5b9a\u95a2\u9023\u306e\u30d5\u30a1\u30a4\u30eb\u3092\u72ec\u81ea\u306b\u4f5c\u6210\u3057\u305f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u7f6e\u304d\u305f\u3044\u5834\u5408\u306b\u3001chown\u3084chmod\u3092\u4f7f\u7528\u3057\u3066\u30a2\u30af\u30bb\u30b9\u6a29\u306e\u8a2d\u5b9a\u3092\u884c\u3063\u3066\u3082\u30a2\u30af\u30bb\u30b9\u304c\u62d2\u5426\u3055\u308c\u3066\u3057\u307e\u3046\u3068\u304d\u306f\u3001SELinux\u306b\u3088\u308b\u30a2\u30af\u30bb\u30b9\u5236\u5fa1\u304c\u6709\u52b9\u306b\u306a\u3063\u3066\u3044\u308b\u3053\u3068\u304c\u539f\u56e0\u306e\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n<p 
class=\"pMarginTop\">\u516c\u958b\u3057\u305f\u3044\u72ec\u81ea\u306b\u4f5c\u6210\u3057\u305f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306e\u30d5\u30a1\u30a4\u30eb\u3078\u306e\u30a2\u30af\u30bb\u30b9\u304c\u62d2\u5426\u3055\u308c\u305f\u5834\u5408\u3001Apache\u306e\u30a8\u30e9\u30fc\u30ed\u30b0\u300c\/var\/log\/httpd\/error_log\u300d\u306b\u306f\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u30ed\u30b0\u304c\u51fa\u529b\u3055\u308c\u3066\u3044\u308b\u304b\u3068\u601d\u3044\u307e\u3059\u3002<\/p>\n<pre class=\"d2\">[core:error] [pid 3008:tid 139956904216320] (13)Permission denied: [client xxx.xxx.xxx.xxx:xxxxx] AH00035: access to \/xxx\/aaa.html denied (filesystem path '\/xxx\/html\/aaa.html') because search permissions are missing on a component of the path<\/pre>\n<p>\u203b\u300c\/xxx\/html\/aaa.html\u300d\u306f\u3001\u5b9f\u969b\u306b\u30a2\u30af\u30bb\u30b9\u3057\u3088\u3046\u3068\u3057\u305f\u30b5\u30fc\u30d0\u30fc\u4e0a\u306e\u30d5\u30a1\u30a4\u30eb\u306e\u30d1\u30b9\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n<p class=\"pMarginTop\">\u307e\u305f\u3001SSL\u3067\u4f7f\u7528\u3059\u308b\u79d8\u5bc6\u9375\u3084\u8a3c\u660e\u66f8\u3092\u72ec\u81ea\u306b\u4f5c\u6210\u3057\u305f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u7f6e\u3044\u3066Apache\u3092\u8d77\u52d5\u3057\u305f\u3068\u304d\u306b\u30a2\u30af\u30bb\u30b9\u304c\u62d2\u5426\u3055\u308c\u305f\u5834\u5408\u3001\u30b3\u30de\u30f3\u30c9\u300csystemctl -l status httpd.service\u300d\u3092\u5b9f\u884c\u3059\u308b\u3068\u3001\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u30a8\u30e9\u30fc\u30e1\u30c3\u30bb\u30fc\u30b8\u304c\u8868\u793a\u3055\u308c\u3066\u3044\u308b\u304b\u3068\u601d\u3044\u307e\u3059\u3002<\/p>\n<pre class=\"d2\"># <span class=\"cylo\">systemctl -l status httpd.service<\/span>\n\uff1a\uff08\u7565\uff09\nStarting httpd: AH00526: Syntax error on line 147 of \/etc\/httpd\/conf\/extra\/httpd-ssl.conf:\nSSLCertificateFile: file '\/xxx\/ssl\/server.crt' does not exist or is 
empty\n[\u5931\u6557]\n\uff1a\uff08\u7565\uff09<\/pre>\n<p>\u203b\u300c\/xxx\/ssl\/server.crt\u300d\u306f\u3001\u5b9f\u969b\u306bSSL\u306e\u8a3c\u660e\u66f8\u304c\u914d\u7f6e\u3055\u308c\u3066\u3044\u308b\u30b5\u30fc\u30d0\u30fc\u4e0a\u306e\u30d5\u30a1\u30a4\u30eb\u306e\u30d1\u30b9\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n<h3>SELinux\u306b\u3088\u308b\u30a2\u30af\u30bb\u30b9\u5236\u5fa1\u306e\u6709\u52b9\u3001\u7121\u52b9\u306e\u8a2d\u5b9a<\/h3>\n<p>SELinux\u306e\u8a2d\u5b9a\u72b6\u614b\u306f\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3067\u78ba\u8a8d\u3067\u304d\u3001\u30a2\u30af\u30bb\u30b9\u5236\u5fa1\u304c\u6709\u52b9\u306b\u306a\u3063\u3066\u3044\u308b\u5834\u5408\u306f\u300cEnforcing\u300d\u3068\u306a\u3063\u3066\u3044\u307e\u3059\u3002<\/p>\n<pre class=\"d2\"># <span class=\"cylo\">getenforce<\/span>\nEnforcing<\/pre>\n<p>\u203b\u7121\u52b9\u306b\u306a\u3063\u3066\u3044\u308b\u5834\u5408\u306f\u3001\u300cPermissive\u300d\u3001\u307e\u305f\u306f\u300cDisabled\u300d\u3068\u306a\u308a\u307e\u3059\u3002<br \/>\n\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3067\u3001SELinux\u306b\u3088\u308b\u30a2\u30af\u30bb\u30b9\u5236\u5fa1\u3092\u7121\u52b9\u306b\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002<\/p>\n<pre class=\"d2\"># <span class=\"cylo\">setenforce Permissive<\/span><\/pre>\n<p>\u307e\u305f\u306f<\/p>\n<pre class=\"d2\"># <span class=\"cylo\">setenforce 
0<\/span><\/pre>\n<p>\u3053\u308c\u306b\u3088\u308a\u72ec\u81ea\u306b\u4f5c\u6210\u3057\u305f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3078\u306e\u30a2\u30af\u30bb\u30b9\u304c\u53ef\u80fd\u3068\u306a\u3063\u305f\u5834\u5408\u3001SELinux\u304c\u539f\u56e0\u3068\u306a\u3063\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>SELinux\u306b\u3088\u308b\u30a2\u30af\u30bb\u30b9\u5236\u5fa1\u3092\u5168\u3066\u7121\u52b9\u306b\u3057\u3066\u3088\u3044\u5834\u5408\u3001setenforce\u306b\u3088\u308b\u8a2d\u5b9a\u306f\u30b5\u30fc\u30d0\u30fc\u306e\u518d\u8d77\u52d5\u5f8c\u306b\u306f\u5143\u306b\u623b\u3063\u3066\u3057\u307e\u3044\u307e\u3059\u306e\u3067\u3001SELinux\u306e\u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u300c\/etc\/selinux\/config\u300d\u3092\u4ee5\u4e0b\u306e\u3088\u3046\u306b\u7de8\u96c6\u3057\u30b5\u30fc\u30d0\u30fc\u3092\u518d\u8d77\u52d5\u3057\u307e\u3059\u3002<\/p>\n<pre class=\"d2\">\uff1a\uff08\u7565\uff09\nSELINUX=enforcing\n\u2193\u5909\u66f4\nSELINUX=disabled<\/pre>\n<p>\u203b\u300cSELINUX=disabled\u300d\u3068\u8a2d\u5b9a\u3057SELinux\u3092\u7121\u52b9\u5316\u3059\u308b\u3068\u3001\u305d\u306e\u9593\u306b\u4f5c\u6210\u3055\u308c\u305f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3084\u30d5\u30a1\u30a4\u30eb\u306b\u306f\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u8a2d\u5b9a\u304c\u884c\u308f\u308c\u307e\u305b\u3093\u304c\u3001\u518d\u5ea6\u300cSELINUX=enforcing\u300d\u3068\u8a2d\u5b9a\u3057\u3066SELinux\u3092\u6709\u52b9\u5316\u3057\u305f\u969b\u306b\u306f\u3001\u81ea\u52d5\u7684\u306b\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u8a2d\u5b9a\u304c\u884c\u308f\u308c\u308b\u3088\u3046\u306b\u306a\u3063\u3066\u3044\u307e\u3059\u3002\u4f46\u3057OS\u8d77\u52d5\u6642\u306b\u30e9\u30d9\u30ea\u30f3\u30b0\u304c\u884c\u308f\u308c\u308b\u969b\u306b\u30b7\u30b9\u30c6\u30e0\u304c\u8d77\u52d5\u3059\u308b\u307e\u3067\u6642\u9593\u304c\u304b\u304b\u308a\u307e\u3059\u3002<\/p>\n<p>\u203b\u300cSELINUX=permissive\u300d\u3068\u8a2d\u5b9
a\u3057\u30a2\u30af\u30bb\u30b9\u5236\u5fa1\u306f\u884c\u308f\u305a\u3001\u30a2\u30af\u30bb\u30b9\u62d2\u5426\u306e\u30ed\u30b0\u306f\u6b8b\u3059\u3088\u3046\u306b\u3059\u308b\u3053\u3068\u3082\u3067\u304d\u307e\u3059\u3002<\/p>\n<h3>SELinux\u306b\u3088\u308b\u30a2\u30af\u30bb\u30b9\u62d2\u5426\u306e\u30ed\u30b0\u306e\u78ba\u8a8d<\/h3>\n<p>SELinux\u3092\u7121\u52b9\u306b\u3057\u305f\u304f\u306a\u3044\u5834\u5408\u3001\u539f\u56e0\u3068\u306a\u3063\u3066\u3044\u308bSELinux\u306e\u8a2d\u5b9a\u3092\u8abf\u3079\u3066\u3044\u304d\u307e\u3059\u3002SELinux\u306e\u30ed\u30b0\u306f\u300c\/var\/log\/audit\/audit.log\u300d\u306b\u51fa\u529b\u3055\u308c\u3001\u516c\u958b\u3057\u305f\u3044\u72ec\u81ea\u306b\u4f5c\u6210\u3057\u305f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306e\u30d5\u30a1\u30a4\u30eb\u3078\u306e\u30a2\u30af\u30bb\u30b9\u304c\u62d2\u5426\u3055\u308c\u305f\u5834\u5408\u306f\u3001\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u30ed\u30b0\u304c\u51fa\u529b\u3055\u308c\u3066\u3044\u308b\u304b\u3068\u601d\u3044\u307e\u3059\u3002<\/p>\n<p>\u203b\u30ed\u30b0\u306e\u51fa\u529b\u306b\u4f7f\u7528\u3055\u308c\u308baudit\u306f\u3001\u30c7\u30d5\u30a9\u30eb\u30c8\u3067\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<pre class=\"d2\">type=AVC msg=audit(1438526471.103:394): avc:  denied  { getattr } for  pid=3014 comm=\"httpd\" path=\"\/xxx\/html\/aaa.html\" dev=\"dm-0\" ino=101440840 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file<\/pre>\n<p>\u203b\u300c\/xxx\/html\/aaa.html\u300d\u306f\u3001\u5b9f\u969b\u306b\u30a2\u30af\u30bb\u30b9\u3057\u3088\u3046\u3068\u3057\u305f\u30b5\u30fc\u30d0\u30fc\u4e0a\u306e\u30d5\u30a1\u30a4\u30eb\u306e\u30d1\u30b9\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n<p 
class=\"pMarginTop\">\u3053\u306e\u30ed\u30b0\u306b\u3088\u308a\u3001\u30bf\u30a4\u30d7\u300chttpd_t\u300d\u306e\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u304c\u8a2d\u5b9a\u3055\u308c\u305f\uff08scontext\uff09\u3001\u30d7\u30ed\u30bb\u30b9\u300chttpd\u300d\uff08comm\uff09\u304b\u3089\u3001\u30bf\u30a4\u30d7\u300cdefault_t\u300d\u306e\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u304c\u8a2d\u5b9a\u3055\u308c\u305f\uff08tcontext\uff09\u3001\u30d5\u30a1\u30a4\u30eb\u300c\/xxx\/html\/aaa.html\u300d\uff08path\uff09\u3078\u306e\u3001\u30af\u30e9\u30b9\u300cfile\u300d\uff08tclass\uff09\u306e\u64cd\u4f5c\u300c{ getattr }\u300d\u304c\u62d2\u5426\uff08denied\uff09\u3055\u308c\u305f\u3053\u3068\u304c\u5206\u304b\u308a\u307e\u3059\u3002<\/p>\n<p class=\"pMarginTop\">\u307e\u305f\u3001SSL\u3067\u4f7f\u7528\u3059\u308b\u79d8\u5bc6\u9375\u3084\u8a3c\u660e\u66f8\u3092\u72ec\u81ea\u306b\u4f5c\u6210\u3057\u305f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u7f6e\u3044\u3066\u3001Apache\u3092\u8d77\u52d5\u3057\u305f\u3068\u304d\u306b\u30a2\u30af\u30bb\u30b9\u304c\u62d2\u5426\u3055\u308c\u305f\u5834\u5408\u306f\u3001\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u30ed\u30b0\u304c\u51fa\u529b\u3055\u308c\u3066\u3044\u308b\u304b\u3068\u601d\u3044\u307e\u3059\u3002<\/p>\n<pre class=\"d2\">type=AVC msg=audit(1441211704.629:38): avc:  denied  { getattr } for  pid=1571 comm=\"httpd\" path=\"\/xxx\/ssl\/server.crt\" dev=dm-0 ino=130351 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 
tclass=file<\/pre>\n<p>\u203b\u300c\/xxx\/ssl\/server.crt\u300d\u306f\u3001\u5b9f\u969b\u306bSSL\u306e\u8a3c\u660e\u66f8\u304c\u914d\u7f6e\u3055\u308c\u3066\u3044\u308b\u30b5\u30fc\u30d0\u30fc\u4e0a\u306e\u30d5\u30a1\u30a4\u30eb\u306e\u30d1\u30b9\u3067\u3059\u3002<\/p>\n<p>\u3053\u306e\u30ed\u30b0\u306b\u3088\u308a\u3001\u30bf\u30a4\u30d7\u300chttpd_t\u300d\u306e\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u304c\u8a2d\u5b9a\u3055\u308c\u305f\uff08scontext\uff09\u3001\u30d7\u30ed\u30bb\u30b9\u300chttpd\u300d\uff08comm\uff09\u304b\u3089\u3001\u30bf\u30a4\u30d7\u300cdefault_t\u300d\u306e\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u304c\u8a2d\u5b9a\u3055\u308c\u305f\uff08tcontext\uff09\u3001\u30d5\u30a1\u30a4\u30eb\u300c\/xxx\/ssl\/server.crt\u300d\uff08path\uff09\u3078\u306e\u3001\u30af\u30e9\u30b9\u300cfile\u300d\uff08tclass\uff09\u306e\u64cd\u4f5c\u300c{ getattr }\u300d\u304c\u62d2\u5426\uff08denied\uff09\u3055\u308c\u305f\u3053\u3068\u304c\u5206\u304b\u308a\u307e\u3059\u3002<\/p>\n<h3>\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u8a2d\u5b9a\u3055\u308c\u3066\u3044\u308bSELinux\u306e\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u78ba\u8a8d<\/h3>\n<p>\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3092\u4f7f\u7528\u3057\u3066\u3001\u30a2\u30af\u30bb\u30b9\u304c\u62d2\u5426\u3055\u308c\u3066\u3044\u308b\u72ec\u81ea\u306b\u4f5c\u6210\u3057\u305f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u8a2d\u5b9a\u3092\u78ba\u8a8d\u3057\u3066\u307f\u307e\u3059\u3002<\/p>\n<pre class=\"d2\"># <span class=\"cylo\">ls -Z \/xxx\/<\/span>\ndrwxr-xr-x. root root unconfined_u:object_r:default_t:s0 html\ndrwxr-xr-x. 
root root unconfined_u:object_r:default_t:s0 ssl<\/pre>\n<p>\u203b\u300c\/xxx\/\u300d\u306b\u306f\u3001\u78ba\u8a8d\u3057\u305f\u3044\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306e\u30d1\u30b9\u3092\u6307\u5b9a\u3057\u307e\u3059\u3002<\/p>\n<p>\u3053\u306e\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u306f\u3001\u30bf\u30a4\u30d7\u300cdefault_t\u300d\u306e\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u304c\u8a2d\u5b9a\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p class=\"pMarginTop\">\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3092\u4f7f\u7528\u3057\u3066\u3001Apache\u306e\u30c7\u30d5\u30a9\u30eb\u30c8\u306e\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\u30eb\u30fc\u30c8\u306e\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u8a2d\u5b9a\u3092\u78ba\u8a8d\u3057\u3066\u307f\u307e\u3059\u3002<\/p>\n<pre class=\"d2\"># <span class=\"cylo\">ls -Z \/var\/www\/ | grep html<\/span>\ndrwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html<\/pre>\n<p>\u3053\u306e\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u306f\u3001\u30bf\u30a4\u30d7\u300chttpd_sys_content_t\u300d\u306e\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u304c\u8a2d\u5b9a\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p class=\"pMarginTop\">\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3092\u4f7f\u7528\u3057\u3066\u3001Apache\u306e\u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u304c\u7f6e\u304b\u308c\u3066\u3044\u308b\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u8a2d\u5b9a\u3092\u78ba\u8a8d\u3057\u3066\u307f\u307e\u3059\u3002<\/p>\n<pre class=\"d2\"># <span class=\"cylo\">ls -Z \/etc\/ | grep httpd<\/span>\ndrwxr-xr-x. 
root root system_u:object_r:httpd_config_t:s0 httpd<\/pre>\n<p>\u3053\u306e\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u306f\u3001\u30bf\u30a4\u30d7\u300chttpd_config_t\u300d\u306e\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u304c\u8a2d\u5b9a\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<h3>SELinux\u306e\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306b\u8a2d\u5b9a\u3055\u308c\u3066\u3044\u308b\u30a2\u30af\u30bb\u30b9\u5236\u5fa1\u306e\u78ba\u8a8d<\/h3>\n<p>SELinux\u306e\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306b\u8a2d\u5b9a\u3055\u308c\u3066\u3044\u308b\u30a2\u30af\u30bb\u30b9\u5236\u5fa1\u306e\u78ba\u8a8d\u3092\u3059\u308b\u306b\u306f\u3001\u300csesearch\u300d\u30b3\u30de\u30f3\u30c9\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002<\/p>\n<p class=\"pMarginTop\">\u300csesearch\u300d\u30b3\u30de\u30f3\u30c9\u304c\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3055\u308c\u3066\u3044\u306a\u3044\u5834\u5408\u3001\u3053\u306e\u30b3\u30de\u30f3\u30c9\u306f\u30d1\u30c3\u30b1\u30fc\u30b8setools-console\u306b\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u3053\u308c\u306f\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3067\u78ba\u8a8d\u3067\u304d\u307e\u3059\u3002<\/p>\n<pre class=\"d2\"># <span class=\"cylo\">yum provides *\/sesearch<\/span>\n\uff1a\uff08\u7565\uff09\nsetools-console-3.3.7-46.el7.x86_64 : Policy analysis command-line tools for SELinux\n\u30ea\u30dd\u30b8\u30c8\u30ea\u30fc        : base\n\u4e00\u81f4          :\n\u30d5\u30a1\u30a4\u30eb\u540d    : \/usr\/bin\/sesearch<\/pre>\n<p class=\"pMarginTop\">\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u3066\u3001setools-console\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3092\u884c\u3044\u307e\u3059\u3002<\/p>\n<pre class=\"d2\"># <span class=\"cylo\">yum install setools-console<\/span><\/pre>\n<p 
class=\"pMarginTop\">\u30bf\u30a4\u30d7\u300chttpd_t\u300d\u306e\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u304b\u3089\u3001\u30bf\u30a4\u30d7\u300chttpd_sys_content_t\u300d\u306e\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u3078\u3069\u306e\u3088\u3046\u306a\u30a2\u30af\u30bb\u30b9\u5236\u5fa1\u304c\u8a2d\u5b9a\u3055\u308c\u3066\u3044\u308b\u304b\u306f\u3001\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3067\u78ba\u8a8d\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002<\/p>\n<pre class=\"d2\"># <span id=\"yelo\">sesearch -A -s httpd_t -t httpd_sys_content_t<\/span>\nFound 15 semantic av rules:\n   allow httpd_t file_type : filesystem getattr ;\n   allow httpd_t file_type : dir { getattr search open } ;\n   allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ;\n   allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search open } ;\n   allow httpd_t httpd_sys_content_t : lnk_file { read getattr } ;\n   allow httpd_t httpd_content_type : file { ioctl read getattr lock open } ;\n   allow httpd_t httpd_content_type : dir { getattr search open } ;\n   allow daemon httpd_sys_content_t : dir { getattr search open } ;\nDT allow httpd_t httpd_sys_content_t : dir { ioctl read write getattr lock add_name remove_name search open } ; [ httpd_enable_cgi httpd_unified &amp;&amp; httpd_builtin_scripting &amp;&amp; ]\nET allow httpd_t httpd_content_type : file { ioctl read getattr lock open } ; [ httpd_builtin_scripting ]\nET allow httpd_t httpd_content_type : dir { ioctl read getattr lock search open } ; [ httpd_builtin_scripting ]\nET allow httpd_t httpd_content_type : lnk_file { read getattr } ; [ httpd_builtin_scripting ]\nDT allow httpd_t httpdcontent : file { ioctl read write create getattr setattr lock append unlink link rename execute open } ; [ httpd_enable_cgi httpd_unified &amp;&amp; httpd_builtin_scripting &amp;&amp; ]\nDT allow httpd_t httpdcontent : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name 
reparent search rmdir open } ; [ httpd_enable_cgi httpd_unified &amp;&amp; httpd_builtin_scripting &amp;&amp; ]\nDT allow httpd_t httpdcontent : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; [ httpd_enable_cgi httpd_unified &amp;&amp; httpd_builtin_scripting &amp;&amp; ]<\/pre>\n<p class=\"pMarginTop\">\u30bf\u30a4\u30d7\u300chttpd_t\u300d\u306e\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u304b\u3089\u3001\u30bf\u30a4\u30d7\u300chttpd_config_t\u300d\u306e\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u3078\u3069\u306e\u3088\u3046\u306a\u30a2\u30af\u30bb\u30b9\u5236\u5fa1\u304c\u8a2d\u5b9a\u3055\u308c\u3066\u3044\u308b\u304b\u306f\u3001\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3067\u78ba\u8a8d\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002<\/p>\n<pre class=\"d2\"># <span id=\"yelo\">sesearch -A -s httpd_t -t httpd_config_t<\/span>\nFound 5 semantic av rules:\n   allow httpd_t file_type : filesystem getattr ;\n   allow httpd_t file_type : dir { getattr search open } ;\n   allow httpd_t httpd_config_t : file { ioctl read getattr lock open } ;\n   allow httpd_t httpd_config_t : dir { ioctl read getattr lock search open } ;\n   allow httpd_t httpd_config_t : lnk_file { read getattr } ;<\/pre>\n<p 
class=\"pMarginTop\">\u3053\u306e\u78ba\u8a8d\u7d50\u679c\u304b\u3089\u3001\u3069\u3061\u3089\u3082\u30d5\u30a1\u30a4\u30eb\u306e\u8aad\u307f\u8fbc\u307f\u7cfb\u306e\u64cd\u4f5c\u304c\u8a31\u53ef\u3055\u308c\u3066\u304a\u308a\u3001\u30bf\u30a4\u30d7\u300chttpd_sys_content_t\u300d\u306e\u307b\u3046\u306f\u3001\u30d6\u30fc\u30eb\u5024\u306b\u3088\u308b\u30a2\u30af\u30bb\u30b9\u8a31\u53ef\u3082\u6307\u5b9a\u3067\u304d\u308b\u3088\u3046\u306b\u306a\u3063\u3066\u3044\u308b\u3053\u3068\u304c\u5206\u304b\u308a\u307e\u3059\u3002<\/p>\n<p>\u203b\u300csesearch\u300d\u30b3\u30de\u30f3\u30c9\u306e\u30aa\u30d7\u30b7\u30e7\u30f3\u306b\u300c-C\u300d\u3092\u6307\u5b9a\u3059\u308b\u3068\u3001\u51fa\u529b\u7d50\u679c\u306e\u300c[\u300d\u3001\u300c]\u300d\u3067\u56f2\u307e\u308c\u305f\u4e2d\u306b\u30d6\u30fc\u30eb\u5024\u306b\u3088\u308b\u8a2d\u5b9a\u304c\u8868\u793a\u3055\u308c\u307e\u3059\u3002<\/p>\n<p>\u203b\u30d6\u30fc\u30eb\u5024\u306b\u3088\u308b\u8a2d\u5b9a\u306f\u3001\u300csetsebool\u300d\u30b3\u30de\u30f3\u30c9\u3092\u4f7f\u7528\u3057\u3066\u30aa\u30f3\u3001\u30aa\u30d5\u3092\u5207\u308a\u66ff\u3048\u308b\u3053\u3068\u3067\u30a2\u30af\u30bb\u30b9\u8a31\u53ef\u306e\u8a2d\u5b9a\u304c\u884c\u3048\u308b\u3082\u306e\u3068\u306a\u3063\u3066\u3044\u307e\u3059\u3002<\/p>\n<section>\n<h3>\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306bSELinux\u306e\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u3092\u8a2d\u5b9a<\/h3>\n<p>\u30d5\u30a1\u30a4\u30eb\u3084\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u8a2d\u5b9a\u3092\u884c\u3046\u306b\u306f\u3001\u300csemanage\u300d\u30b3\u30de\u30f3\u30c9\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002<\/p>\n<p 
class=\"pMarginTop\">\u300csemanage\u300d\u30b3\u30de\u30f3\u30c9\u304c\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3055\u308c\u3066\u3044\u306a\u3044\u5834\u5408\u3001\u3053\u306e\u30b3\u30de\u30f3\u30c9\u306f\u30d1\u30c3\u30b1\u30fc\u30b8policycoreutils-python\u306b\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u3053\u308c\u306f\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3067\u78ba\u8a8d\u3067\u304d\u307e\u3059\u3002<\/p>\n<pre class=\"d2\"># <span class=\"cylo\">yum provides *\/semanage<\/span>\n\uff1a\uff08\u7565\uff09\nlibsemanage-devel-2.1.10-16.el7.i686 : Header files and libraries used to build policy manipulation tools\n\u30ea\u30dd\u30b8\u30c8\u30ea\u30fc        : base\n\u4e00\u81f4          :\n\u30d5\u30a1\u30a4\u30eb\u540d    : \/usr\/include\/semanage\n\n\n\nlibsemanage-devel-2.1.10-16.el7.x86_64 : Header files and libraries used to build policy manipulation tools\n\u30ea\u30dd\u30b8\u30c8\u30ea\u30fc        : base\n\u4e00\u81f4          :\n\u30d5\u30a1\u30a4\u30eb\u540d    : \/usr\/include\/semanage\n\n\n\npolicycoreutils-python-2.2.5-15.el7.x86_64 : SELinux policy core python utilities\n\u30ea\u30dd\u30b8\u30c8\u30ea\u30fc        : base\n\u4e00\u81f4          :\n\u30d5\u30a1\u30a4\u30eb\u540d    : \/usr\/sbin\/semanage\n\u30d5\u30a1\u30a4\u30eb\u540d    : \/usr\/share\/bash-completion\/completions\/semanage<\/pre>\n<p class=\"pMarginTop\">\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u3066\u3001policycoreutils-python\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3092\u884c\u3044\u307e\u3059\u3002<\/p>\n<pre class=\"d2\"># <span class=\"cylo\">yum install policycoreutils-python<\/span><\/pre>\n<p 
class=\"pMarginTop\">\u65b0\u898f\u306b\u4f5c\u6210\u3057\u305f\u30d5\u30a1\u30a4\u30eb\u3084\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u8a2d\u5b9a\u3092\u884c\u3046\u306b\u306f\u3001\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u300c\/etc\/selinux\/targeted\/contexts\/files\/file_contexts.local\u300d\u306b\u8a2d\u5b9a\u3092\u884c\u3044\u307e\u3059\u3002<\/p>\n<p>\u3053\u306e\u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u306b\u306f\u3001\u300csemanage\u300d\u30b3\u30de\u30f3\u30c9\u3092\u4f7f\u7528\u3057\u3066\u8a2d\u5b9a\u3092\u8ffd\u52a0\u3057\u3066\u3044\u304d\u307e\u3059\u3002<\/p>\n<p>\u203bSELinux\u306e\u30c7\u30d5\u30a9\u30eb\u30c8\u306e\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u8a2d\u5b9a\u306f\u3001\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u300c\/etc\/selinux\/targeted\/contexts\/files\/\u300d\u306b\u3042\u308b\u5225\u306e\u30d5\u30a1\u30a4\u30eb\u3067\u884c\u308f\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p class=\"pMarginTop\">\u30b5\u30a4\u30c8\u3092\u30c7\u30d5\u30a9\u30eb\u30c8\u306e\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\u30eb\u30fc\u30c8(\/var\/www\/html)\u3067\u516c\u958b\u3059\u308b\u5834\u5408\u306f\u3001\u65e2\u306b\u8a2d\u5b9a\u3055\u308c\u3066\u3044\u308bSELinux\u306e\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u3067\u554f\u984c\u6709\u308a\u307e\u305b\u3093\u3002<\/p>\n<p>\u72ec\u81ea\u306b\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\u30eb\u30fc\u30c8\u3092\u8a2d\u5b9a\u3057\u305f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306f\u3001\u30bf\u30a4\u30d7\u300chttpd_sys_content_t\u300d\u306e\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u3092\u8a2d\u5b9a\u3059\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002<br \/>\n\u8a2d\u5b9a\u3059\u308b\u306b\u306f\u3001\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002<\/p>\n<pre class=\"d2\"># <span class=\"cylo\">semanage fcontext -a -t httpd_sys_content_t 
\"\/xxx\/html(\/.*)?\"<\/span>\n\u21d2WordPress\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u6642\u306b\u306f\u30c7\u30d5\u30a9\u30eb\u30c8\u306e\u4e0a\u8a18\u8a2d\u5b9a\u3067\u306fwp-config.php\u306e\u751f\u6210\u304c\u51fa\u6765\u306a\u3044\u305f\u3081\u3001\u4e0b\u8a18\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u3092\u8a2d\u5b9a\u3057\u307e\u3059\n# <span class=\"cylo\">semanage fcontext -a -t httpd_sys_rw_content_t \"\/xxx\/html(\/.*)?\"<\/span>\n<\/pre>\n<ul class=\"textlist\">\n<li>\u300c-a\u300d\u30aa\u30d7\u30b7\u30e7\u30f3\u3092\u6307\u5b9a\u3057\u3066\u3001\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u8a2d\u5b9a\u306e\u8ffd\u52a0\u3092\u884c\u3046\u3088\u3046\u306b\u3057\u3066\u3044\u307e\u3059\u3002<\/li>\n<li>\u300c-t\u300d\u30aa\u30d7\u30b7\u30e7\u30f3\u3067\u3001\u30bf\u30a4\u30d7\u300chttpd_sys_content_t\u300d\u306e\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u3092\u8a2d\u5b9a\u3059\u308b\u3088\u3046\u306b\u3057\u3066\u3044\u307e\u3059\u3002<\/li>\n<li>\u300c\/xxx\/html\u300d\u306f\u3001\u8a2d\u5b9a\u5bfe\u8c61\u306e\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3067\u3059\u3002<\/li>\n<\/ul>\n<p>\u3053\u306e\u6bb5\u968e\u3067\u306f\u3001\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u300c\/etc\/selinux\/targeted\/contexts\/files\/file_contexts.local\u300d\u3078\u306e\u8a2d\u5b9a\u306e\u8ffd\u52a0\u304c\u884c\u308f\u308c\u307e\u3059\u304c\u3001\u5b9f\u969b\u306e\u30d5\u30a1\u30a4\u30eb\u3078\u306e\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u53cd\u6620\u306f\u307e\u3060\u884c\u308f\u308c\u3066\u3044\u307e\u305b\u3093\u3002<\/p>\n<p class=\"pMarginTop\">\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u3066\u3001\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u8a2d\u5b9a\u3092\u30d5\u30a1\u30a4\u30eb\u306b\u53cd\u6620\u3055\u305b\u307e\u3059\u3002<\/p>\n<pre class=\"d2\"># <span class=\"cylo\">restorecon -R -v 
\/xxx\/html\/<\/span>\n\u21d2\u66f4\u306b\u3001WordPress\u306e\u81ea\u52d5\u66f4\u65b0\u3084\u3001\u30c6\u30fc\u30de\u306e\u8ffd\u52a0\u7b49\u3092\u5b9f\u884c\u51fa\u6765\u308b\u3088\u3046\u306b\u3059\u308b\u305f\u3081\u306b\u306f\u4e0b\u8a18\u306e\u8ffd\u52a0\u8a2d\u5b9a\u3092\u3057\u307e\u3059\n# <span class=\"cylo\">setsebool -P httpd_graceful_shutdown on<\/span>\n<\/pre>\n<ul class=\"textlist\">\n<li>\u300c-R\u300d\u30aa\u30d7\u30b7\u30e7\u30f3\u3092\u6307\u5b9a\u3057\u3066\u3001\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306e\u4e0b\u5c64\u306b\u3082\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u8a2d\u5b9a\u304c\u884c\u308f\u308c\u308b\u3088\u3046\u306b\u3057\u307e\u3059\u3002<\/li>\n<li>\u300c-v\u300d\u30aa\u30d7\u30b7\u30e7\u30f3\u3092\u6307\u5b9a\u3057\u3066\u3001\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u5909\u66f4\u5185\u5bb9\u304c\u30b3\u30de\u30f3\u30c9\u5b9f\u884c\u7d50\u679c\u306b\u8868\u793a\u3055\u308c\u308b\u3088\u3046\u306b\u3057\u307e\u3059\u3002<\/li>\n<li>\u300c\/xxx\/html\/\u300d\u306f\u3001\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u8a2d\u5b9a\u3092\u53cd\u6620\u3055\u305b\u308b\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3067\u3059\u3002<\/li>\n<\/ul>\n<p class=\"pMarginTop\">\u3053\u308c\u306b\u3088\u308a\u3001\u516c\u958b\u7528\u306e\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3078\u306e\u30a2\u30af\u30bb\u30b9\u304c\u53ef\u80fd\u3068\u306a\u308a\u307e\u3059\u3002<\/p>\n<p class=\"pMarginTop\">\u540c\u69d8\u306b\u3001SSL\u3067\u4f7f\u7528\u3059\u308b\u79d8\u5bc6\u9375\u3084\u8a3c\u660e\u66f8\u306e\u7f6e\u304d\u5834\u6240\u7528\u306e\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u3001Apache\u306e\u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u304c\u7f6e\u304b\u308c\u3066\u3044\u308b\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3068\u540c\u3058\u30bf\u30a4\u30d7\u300chttpd_config_t\u300d\u306e\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u3092\u8a2d\u5b9a\u3059\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002<\/p>\n<pre class=\"d2\"># <span 
class=\"cylo\">semanage fcontext -a -t httpd_config_t \"\/etc\/pki\/xxx\/ssl(\/.*)?\"<\/span>\n<\/pre>\n<ul class=\"textlist\">\n<li>\u300c-a\u300d\u30aa\u30d7\u30b7\u30e7\u30f3\u3092\u6307\u5b9a\u3057\u3066\u3001\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u8a2d\u5b9a\u306e\u8ffd\u52a0\u3092\u884c\u3046\u3088\u3046\u306b\u3057\u3066\u3044\u307e\u3059\u3002<\/li>\n<li>\u300c-t\u300d\u30aa\u30d7\u30b7\u30e7\u30f3\u3067\u3001\u30bf\u30a4\u30d7\u300chttpd_config_t\u300d\u306e\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u3092\u8a2d\u5b9a\u3059\u308b\u3088\u3046\u306b\u3057\u3066\u3044\u307e\u3059\u3002<\/li>\n<li>\u300c\/etc\/pki\/xxx\/ssl\u300d\u306f\u3001\u8a2d\u5b9a\u5bfe\u8c61\u306e\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u306a\u308a\u307e\u3059\u3002<\/li>\n<\/ul>\n<p class=\"pMarginTop\">\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u3066\u3001\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u8a2d\u5b9a\u3092\u30d5\u30a1\u30a4\u30eb\u306b\u53cd\u6620\u3055\u305b\u307e\u3059\u3002<\/p>\n<pre class=\"d2\"># <span class=\"cylo\">restorecon -R -v \/xxx\/ssl\/<\/span><\/pre>\n<ul class=\"textlist\">\n<li>\u300c-R\u300d\u30aa\u30d7\u30b7\u30e7\u30f3\u3092\u6307\u5b9a\u3057\u3066\u3001\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306e\u4e0b\u5c64\u306b\u3082\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u8a2d\u5b9a\u304c\u884c\u308f\u308c\u308b\u3088\u3046\u306b\u3057\u307e\u3059\u3002<\/li>\n<li>\u300c-v\u300d\u30aa\u30d7\u30b7\u30e7\u30f3\u3092\u6307\u5b9a\u3057\u3066\u3001\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u5909\u66f4\u5185\u5bb9\u304c\u30b3\u30de\u30f3\u30c9\u5b9f\u884c\u7d50\u679c\u306b\u8868\u793a\u3055\u308c\u308b\u3088\u3046\u306b\u3057\u307e\u3059\u3002<\/li>\n<li>\u300c\/xxx\/ssl\/\u300d\u306f\u3001\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u8a2d\u5b9a\u3092\u53cd\u6620\u3055\u305b\u308b\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u306a\u308a\u307e\u3059\u3002<\/li>\n<\/ul>\n<p 
class=\"pMarginTop\">\u3053\u308c\u306b\u3088\u308a\u3001SSL\u3067\u4f7f\u7528\u3059\u308b\u79d8\u5bc6\u9375\u3084\u8a3c\u660e\u66f8\u306e\u7f6e\u304d\u5834\u6240\u7528\u306b\u3001\u72ec\u81ea\u306b\u4f5c\u6210\u3057\u305f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3078\u306e\u30a2\u30af\u30bb\u30b9\u304c\u53ef\u80fd\u3068\u306a\u308a\u307e\u3059\u3002<\/p>\n<p class=\"pMarginTop\">\u5c1a\u3001\u8ffd\u52a0\u3057\u305f\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u8a2d\u5b9a\u3092\u524a\u9664\u3059\u308b\u306b\u306f\u3001\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002<\/p>\n<pre class=\"d2\"># <span class=\"cylo\">semanage fcontext -d \"\/xxx\/html(\/.*)?\"<\/span><\/pre>\n<ul class=\"textlist\">\n<li>\u300c-d\u300d\u30aa\u30d7\u30b7\u30e7\u30f3\u3092\u6307\u5b9a\u3057\u3066\u3001\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u8a2d\u5b9a\u306e\u524a\u9664\u3092\u884c\u3046\u3088\u3046\u306b\u3057\u3066\u3044\u307e\u3059\u3002<\/li>\n<li>\u300c\/xxx\/html\u300d\u306f\u3001\u524a\u9664\u5bfe\u8c61\u306e\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u306a\u308a\u307e\u3059\u3002<\/li>\n<\/ul>\n<p>\u3053\u308c\u306b\u3088\u308a\u3001\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u300c\/etc\/selinux\/targeted\/contexts\/files\/file_contexts.local\u300d\u304b\u3089\u8a2d\u5b9a\u304c\u524a\u9664\u3055\u308c\u307e\u3059\u3002<\/p>\n<p class=\"pMarginTop\">\u8a2d\u5b9a\u306e\u524a\u9664\u3092\u30d5\u30a1\u30a4\u30eb\u306b\u53cd\u6620\u3055\u305b\u308b\u306b\u306f\u3001\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002<\/p>\n<pre class=\"d2\"># <span class=\"cylo\">restorecon -R -v \/xxx\/html\/<\/span><\/pre>\n<ul 
class=\"textlist\">\n<li>\u300c-R\u300d\u30aa\u30d7\u30b7\u30e7\u30f3\u3092\u6307\u5b9a\u3057\u3066\u3001\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306e\u4e0b\u5c64\u306b\u3082\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u8a2d\u5b9a\u304c\u884c\u308f\u308c\u308b\u3088\u3046\u306b\u3057\u307e\u3059\u3002<\/li>\n<li>\u300c-v\u300d\u30aa\u30d7\u30b7\u30e7\u30f3\u3092\u6307\u5b9a\u3057\u3066\u3001\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u5909\u66f4\u5185\u5bb9\u304c\u30b3\u30de\u30f3\u30c9\u5b9f\u884c\u7d50\u679c\u306b\u8868\u793a\u3055\u308c\u308b\u3088\u3046\u306b\u3057\u307e\u3059\u3002<\/li>\n<li>\u300c\/xxx\/html\/\u300d\u306f\u3001\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u8a2d\u5b9a\u3092\u53cd\u6620\u3055\u305b\u308b\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u306a\u308a\u307e\u3059\u3002<\/li>\n<\/ul>\n<h2>SELinux\u306e\u7121\u52b9\u5316<\/h2>\n<p>SELinux\u306f\u3001Windows\u3067\u3044\u3046\u3068\u3053\u308d\u306eUAC\u306e\u3088\u3046\u306a\u6a5f\u80fd\u3060\u304c\u3001\u30b5\u30fc\u30d0\u30fc\u3068\u3057\u3066\u52d5\u4f5c\u3055\u305b\u308b\u969b\u306b\u3001\u4e88\u671f\u305b\u306c\u5236\u7d04\u304c\u304b\u304b\u308b\u3053\u3068\u304c\u591a\u3044\u306e\u3067\u7121\u52b9\u5316\u3057\u3066\u304a\u304f\u3002\u305f\u3060\u3057\u3001\u7121\u52b9\u5316\u3059\u308b\u3068SELinux\u306b\u3088\u308b\u30a2\u30af\u30bb\u30b9\u5236\u5fa1\u306f\u884c\u308f\u308c\u306a\u304f\u306a\u308b\u3002\u30a2\u30af\u30bb\u30b9\u304c\u62d2\u5426\u3055\u308c\u308b\u539f\u56e0\u3092\u78ba\u8a8d\u3057\u305f\u3044\u5834\u5408\u306f\u3001\u300cSELINUX=permissive\u300d\u3092\u8a2d\u5b9a\u3057\u3066\u62d2\u5426\u5185\u5bb9\u3092\u300c\/var\/log\/audit\/audit.log\u300d\u3067\u78ba\u8a8d\u3057\u3001\u4e0a\u8a18\u306e\u300csemanage fcontext\u300d\u3067\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u3092\u8a2d\u5b9a\u3059\u308b\u3053\u3068\u3082\u3067\u304d\u308b\u3002<\/p>\n<h3>\u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u306e\u4fee\u6b63<\/h3>\n<p>\u73fe\u72b6\u306e\u8a2d\u5b9a\u3092\u78ba\u8a8d\u3059\u308b\u3002\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3067\u3001\u73fe\u5728\u306e\u8a2d\u5b9a\u3092\u78ba\u8a8d\u3059\u308b\u3002<br \/>\nCentOS7 (1511) Minimal\u306e\u5c0e\u5165\u76f4\u5f8c\u3067\u3042\u308c\u3070\u3001\u300cEnforcing\u300d\u3068\u306a\u3063\u3066\u3044\u308b\u3002<\/p>\n<pre class=\"d2\"># <span class=\"cylo\">getenforce<\/span>\nEnforcing\n#\n<\/pre>\n<p>\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3067\u3001\u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u3092\u30d0\u30c3\u30af\u30a2\u30c3\u30d7\u3059\u308b\u3002<\/p>\n<pre class=\"d2\"># <span class=\"cylo\">cp -pi \/etc\/selinux\/config \/etc\/selinux\/config.`date 
\"+%Y%m%d_%H%M%S\"`<\/span>\n#\n<\/pre>\n<p>\u4ee5\u4e0b\u306e\u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u3092\u4fee\u6b63\u3059\u308b\u3002<\/p>\n<div class=\"code-frame\">\n<div class=\"code-lang\"><span class=\"bold\"> \/etc\/selinux\/config <\/span><\/div>\n<p>&nbsp;<\/p>\n<div class=\"highlight\">\n<pre class=\"d2\"># This file controls the state of SELinux on the system.\n# SELINUX= can take one of these three values:\n#     enforcing - SELinux security policy is enforced.\n#     permissive - SELinux prints warnings instead of enforcing.\n#     disabled - No SELinux policy is loaded.\n### Disable SELINUX begin\n##SELINUX=enforcing\nSELINUX=disabled\n### Disable SELINUX end\n# SELINUXTYPE= can take one of three two values:\n#     targeted - Targeted processes are protected,\n#     minimum - Modification of targeted policy. Only selected processes are protected.\n#     mls - Multi Level Security protection.\nSELINUXTYPE=targeted\n<\/pre>\n<\/div>\n<\/div>\n<h3>\u518d\u8d77\u52d5<\/h3>\n<p>\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3067\u518d\u8d77\u52d5\u3059\u308b\u3002<\/p>\n<pre class=\"d2\"># <span class=\"cylo\">shutdown -r now<\/span>\n#<\/pre>\n<h3>\u7d50\u679c\u306e\u78ba\u8a8d<\/h3>\n<p>\u518d\u8d77\u52d5\u5f8c\u306b\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3067\u3001\u72b6\u614b\u3092\u78ba\u8a8d\u3059\u308b\u3002<br \/>\n\u300cDisabled\u300d\u306b\u306a\u3063\u3066\u3044\u308c\u3070\u826f\u3044\u3002<\/p>\n<pre class=\"d2\"># <span class=\"cylo\">getenforce<\/span>\nDisabled\n#<\/pre>\n<p>\u53c2\u8003\u30b5\u30a4\u30c8\uff1aurl = http:\/\/www.kakiro-web.com\/linux\/selinux.html<\/p>\n<p>&nbsp;<\/p>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>SELinux\u306b\u3088\u308b\u30a2\u30af\u30bb\u30b9\u5236\u5fa1 &nbsp; \u6982\u8981 \u5f53\u30b5\u30a4\u30c8\u3067CentOS7.1 
64bit\u3078\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u65b9\u6cd5\u3092\u7d39\u4ecb\u3057\u3066\u3044\u308b\u30d1\u30c3\u30b1\u30fc\u30b8\u306b\u95a2\u3059\u308bSELinux\u306e\u8a2d\u5b9a\u3092\u3001\u4ee5\u4e0b\u306b\u793a\u3057\u307e\u3059\u3002 \u5c1a\u3001\u3053\u3053\u3067\u306fSELinux\u306e\u8a2d\u5b9a [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":1824,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"class_list":["post-2682","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/east19-mikas.com\/mpat\/index.php?rest_route=\/wp\/v2\/pages\/2682","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/east19-mikas.com\/mpat\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/east19-mikas.com\/mpat\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/east19-mikas.com\/mpat\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/east19-mikas.com\/mpat\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2682"}],"version-history":[{"count":0,"href":"https:\/\/east19-mikas.com\/mpat\/index.php?rest_route=\/wp\/v2\/pages\/2682\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/east19-mikas.com\/mpat\/index.php?rest_route=\/wp\/v2\/pages\/1824"}],"wp:attachment":[{"href":"https:\/\/east19-mikas.com\/mpat\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2682"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}