Linux DNS Resolution, Master/Slave Configuration, and SELinux Usage Explained in Detail
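Contents
2. DNS master/slave configuration: two machines are required, one as the master DNS server and one as the slave DNS server
3. Using the httpd service to demonstrate setting security context values (SELinux)
2. Start the firewall, allow the http service through it, and check the SELinux status
4. Using a changed web service port to demonstrate port settings (SELinux)
1. The DNS resolution process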

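2. DNS master/slave configuration: two machines are required, one as the master DNS server and one as the slave DNS server
The master server is 192.168.40.129 and the slave server is 192.168.40.131
1. Add the slave server to the master server's main configuration file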
[root@rhcsa ~]# vim /etc/named.conf
Add allow-transfer
2. Install the bind package on the slave server
[root@rhce ~]# yum install bind -y
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
Repository AppStream is listed more than once in the configuration
Last metadata expiration check: 1:41:17 ago on Sat 30 Jul 2022 12:30:24 PM CST.
Dependencies resolved.
================================================================================
Package Architecture Version Repository Size
================================================================================
Installing:
bind x86_64 32:9.11.26-6.el8 AppStream 2.1 M
Transaction Summary
================================================================================
Install 1 Package
Total download size: 2.1 M
Installed size: 4.5 M
Downloading Packages:
bind-9.11.26-6.el8.x86_64.rpm 237 kB/s | 2.1 MB 00:09
--------------------------------------------------------------------------------
Total 237 kB/s | 2.1 MB 00:09
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Running scriptlet: bind-32:9.11.26-6.el8.x86_64 1/1
Installing : bind-32:9.11.26-6.el8.x86_64 1/1
Running scriptlet: bind-32:9.11.26-6.el8.x86_64 1/1
[/usr/lib/tmpfiles.d/pesign.conf:1] Line references path below legacy directory /var/run/, updating /var/run/pesign → /run/pesign; please update the tmpfiles.d/ drop-in file accordingly.
Verifying : bind-32:9.11.26-6.el8.x86_64 1/1
Installed products updated.
Installed:
bind-32:9.11.26-6.el8.x86_64
Complete!
3. On the slave server, edit the main configuration file
[root@rhce ~]# vim /etc/named.conf
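4. Add the DNS zone configuration below; the last two are the known files
5. Add the entries to the auxiliary configuration files (the zone files)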
[root@rhcsa ~]# vim /var/named/40.168.192.zone
[root@rhcsa ~]# vim /var/named/openlab.zone
6. Restart the service on both the master and the slave server
[root@rhcsa ~]# systemctl restart named
[root@rhce slaves]# systemctl restart named
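A minimal named.conf sketch for steps 1 to 4 above, added here as an example and not taken from the original post. The master permits zone transfers only to the slave, and the slave does not hand the zone on to anyone. Assumptions: the zone names openlab.com and 40.168.192.in-addr.arpa are inferred from the zone file names, the slaves/ paths from the slave's working directory shown in step 6, and the listen-on and allow-query settings in each options block already let the two hosts reach each other.

```conf
// ===== Master (192.168.40.129): additions to /etc/named.conf =====
// Zone names are assumed from the zone file names edited in step 5.
zone "openlab.com" IN {
    type master;
    file "openlab.zone";
    // Only the slave may pull a full copy of the zone (AXFR/IXFR).
    allow-transfer { 192.168.40.131; };
};

zone "40.168.192.in-addr.arpa" IN {
    type master;
    file "40.168.192.zone";
    allow-transfer { 192.168.40.131; };
};

// ===== Slave (192.168.40.131): additions to /etc/named.conf =====
zone "openlab.com" IN {
    type slave;
    masters { 192.168.40.129; };     // where the zone is fetched from
    file "slaves/openlab.zone";      // written by named after the transfer
    allow-transfer { none; };        // the slave does not re-export the zone
};

zone "40.168.192.in-addr.arpa" IN {
    type slave;
    masters { 192.168.40.129; };
    file "slaves/40.168.192.zone";
    allow-transfer { none; };
};
```

Run named-checkconf on each server before restarting named; after the restart, the transferred zone files should appear under /var/named/slaves on the slave.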
3. Using the httpd service to demonstrate setting security context values (SELinux)
1. Install the software needed for working with SELinux
[root@rhce ~]# yum install setools-console -y
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
Repository AppStream is listed more than once in the configuration
Last metadata expiration check: 3:18:22 ago on Sat 30 Jul 2022 12:30:24 PM CST.
Dependencies resolved.
================================================================================
Package Architecture Version Repository Size
================================================================================
Installing:
setools-console x86_64 4.3.0-2.el8 base 42 k
Transaction Summary
================================================================================
Install 1 Package
Total download size: 42 k
Installed size: 122 k
Downloading Packages:
setools-console-4.3.0-2.el8.x86_64.rpm 6.7 kB/s | 42 kB 00:06
--------------------------------------------------------------------------------
Total 6.7 kB/s | 42 kB 00:06
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : setools-console-4.3.0-2.el8.x86_64 1/1
Running scriptlet: setools-console-4.3.0-2.el8.x86_64 1/1
Verifying : setools-console-4.3.0-2.el8.x86_64 1/1
Installed products updated.
Installed:
setools-console-4.3.0-2.el8.x86_64
Complete!
2. Start the firewall, allow the http service through it, and check the SELinux status
[root@rhcsa ~]# systemctl restart firewalld
[root@rhcsa ~]# firewall-cmd --permanent --add-service=http
success
[root@rhcsa ~]# firewall-cmd --reload
success
[root@rhcsa ~]# setenforce 1
[root@rhcsa ~]# getenforce
Enforcing
[root@rhcsa ~]# vim /etc/httpd/conf.d/myhosts.conf
[root@rhcsa ~]# mkdir -pv /www/80
mkdir: created directory '/www/80'
[root@rhcsa ~]# echo this is 80 > /www/80/index.html
[root@rhcsa ~]# systemctl restart httpd

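3. Visiting the website shows the server's test page, because /www/80 does not yet have a security context that httpd may read
4. Change the security context of the custom directory: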
[root@rhcsa 80]# chcon -t httpd_sys_content_t /www/ -R
[root@rhcsa 80]# ls -Z
system_u:object_r:httpd_sys_content_t:s0 index.html
5. Then visit the website
4. Using a changed web service port to demonstrate port settings (SELinux)
1. Create the directory
[root@rhcsa ~]# mkdir /www/8888
[root@rhcsa ~]# echo this is 8888 > /www/8888/index.html
2. Edit the main configuration file
[root@rhcsa ~]# vim /etc/httpd/conf.d/myhosts.conf
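3. Restarting the httpd service fails, because SELinux does not yet allow httpd to use port 8888
4. Check the security context of the file served by the web page
5. Add port 8888 to the firewall and change the port's security context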
[root@rhcsa 8888]# firewall-cmd --permanent --add-port=8888/tcp
success
[root@rhcsa 8888]# firewall-cmd --reload
success
[root@rhcsa 8888]# semanage port -a -t http_port_t -p tcp 8888
[root@rhcsa 8888]# systemctl restart httpd
