Notes on SELinux, based on the man pages shipped with RHEL5
setsebool(8) SELinux Command Line documentation setsebool(8)
NAME
setsebool - set SELinux boolean value
SYNOPSIS (command format)
setsebool [ -P ] boolean value | bool1=val1 bool2=val2 ...
DESCRIPTION
setsebool sets the current state of a particular SELinux boolean, or of a list of booleans, to a given value. The value may be 1, true or on to enable the boolean, or 0, false or off to disable it.
Without the -P option, only the current boolean value is affected; the boot-time default settings are not changed.
In other words, without -P the setting applies only to the running system and reverts to the boot-time value after a reboot.
If the -P option is given, all pending values are written to the policy file on disk, so they will be persistent across reboots.
With -P the value is written to the policy file on disk, so it survives reboots until the next persistent change.
SEE ALSO
getsebool(8), booleans(8), togglesebool(8)
setenforce(1) SELinux Command Line documentation setenforce(1)
NAME
setenforce - modify the mode SELinux is running in (change the SELinux running mode)
SYNOPSIS
setenforce [ Enforcing | Permissive | 1 | 0 ]
DESCRIPTION
Use Enforcing or 1 to put SELinux in enforcing mode. Use Permissive or 0 to put SELinux in permissive mode. You need to modify /etc/grub.conf or /etc/selinux/config to disable SELinux.
Setting Enforcing or 1 runs SELinux in enforcing mode; setting Permissive or 0 runs it in permissive (warn-only) mode. To turn SELinux off entirely you must edit /etc/grub.conf or /etc/selinux/config; setenforce cannot do that.
FILES
/etc/grub.conf, /etc/selinux/config
getenforce(1) SELinux Command Line documentation getenforce(1)
NAME
getenforce - get the current mode of SELinux
SYNOPSIS
getenforce
DESCRIPTION
getenforce reports whether SELinux is enforcing, permissive, or disabled.
selinuxenabled(1) SELinux Command Line documentation selinuxenabled(1)
NAME
selinuxenabled - tool to be used within shell scripts to determine if selinux is enabled
SYNOPSIS
selinuxenabled
DESCRIPTION
selinuxenabled indicates whether SELinux is enabled or disabled. It exits with status 0 if SELinux is enabled and 1 if it is not enabled.
Use it in shell scripts to test whether the current SELinux state is enabled or disabled (by its exit status, not by its output).
tips: using the setsebool command
1. Turn off SELinux protection for a particular service immediately and persistently, without rebooting the system
httpd:setsebool -P httpd_disable_trans 1;service httpd restart
samba:setsebool -P smbd_disable_trans 1;service smb restart
bind:
nfs:
setsebool -P nfs_export_all_ro 1 (allow read-only exports)
setsebool -P nfs_export_all_rw 1 (allow read/write exports)
squid:setsebool -P squid_disable_trans 1;service squid restart
ftp:
setsebool -P ftpd_home_dir 1; service vsftpd restart
setsebool -P ftpd_disable_trans 1
SELinux policy is customizable based on least access required. So by default SELinux policy does not allow nfs to share files.
If you want to set up this machine to share nfs partitions read-only, you must set the nfs_export_all_ro boolean.
setsebool -P nfs_export_all_ro 1
If you want to share files read/write you must set the nfs_export_all_rw boolean.
setsebool -P nfs_export_all_rw 1
If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dirs boolean.
setsebool -P use_nfs_home_dirs 1
samba_selinux(8) Samba Selinux Policy documentation samba_selinux(8)
NAME
samba_selinux - Security Enhanced Linux Policy for Samba
DESCRIPTION
Security-Enhanced Linux secures the Samba server via flexible mandatory access control.
FILE_CONTEXTS
SELinux requires files to have an extended attribute to define the file type. Policy governs the access daemons have to these files. If you want to share files other than home directories, those files must be labeled samba_share_t. So if you created a special directory /var/eng, you would need to label the directory with the chcon tool.
SELinux requires each file to carry an extended attribute declaring its type, and policy decides which daemons may access files of that type. To share files outside home directories, label them samba_share_t; for example, a newly created directory /var/eng must be labeled with the chcon command.
chcon -t samba_share_t /var/eng
If you want to make this permanent, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
/var/eng(/.*)? system_u:object_r:samba_share_t
SHARING FILES
If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t or public_content_rw_t. These contexts allow any of the above domains to read the content. If you want a particular domain to write to files labeled public_content_rw_t, you must set the appropriate boolean, allow_DOMAIN_anon_write. So for samba you would execute:
setsebool -P allow_smbd_anon_write=1
BOOLEANS
SELinux policy is customizable based on least access required. So by default SELinux policy turns off SELinux sharing of home directories and the use of Samba shares from a remote machine as a home directory.
If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the samba_enable_home_dirs boolean.
setsebool -P samba_enable_home_dirs 1
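The following helper functions are an added example, not part of the RHEL5 man pages quoted here and not part of any SELinux tool. They show how an administration script can apply the steps from the tips and Samba sections above idempotently: guard on the selinuxenabled exit status, normalize the 1/true/on and 0/false/off spellings that setsebool accepts, read the current value with getsebool so setsebool -P is only called when something actually changes, and label a Samba share with chcon while appending the file_contexts.local entry only once. The function names and the FILE_CONTEXTS_LOCAL variable (defaulting to the targeted policy path) are this example's own assumptions.

```shell
# Added example: idempotent SELinux helpers for a deployment script.
# Assumption: the "targeted" policy type; override FILE_CONTEXTS_LOCAL otherwise.
FILE_CONTEXTS_LOCAL="${FILE_CONTEXTS_LOCAL:-/etc/selinux/targeted/contexts/files/file_contexts.local}"

# Returns 0 when SELinux is enabled (selinuxenabled exit status 0), 1 otherwise,
# including when the tool is not installed at all.
selinux_active() {
    command -v selinuxenabled >/dev/null 2>&1 || return 1
    selinuxenabled
}

# Normalize the spellings setsebool accepts (1/true/on, 0/false/off) to 1 or 0.
# Anything else is rejected with status 2 so a typo never reaches setsebool -P.
normalize_bool() {
    case "$1" in
        1|true|on)   echo 1 ;;
        0|false|off) echo 0 ;;
        *) echo "normalize_bool: invalid value '$1'" >&2; return 2 ;;
    esac
}

# Current value of a boolean as 1 or 0, parsed from getsebool's "name --> on|off".
current_bool() {
    _line=$(getsebool "$1") || return 1
    case "$_line" in
        *"--> on")  echo 1 ;;
        *"--> off") echo 0 ;;
        *) return 1 ;;
    esac
}

# Set a boolean persistently (-P) only if it differs from the current value.
# Prints "changed" or "unchanged" so the caller can log what happened.
ensure_bool() {
    _name=$1
    _want=$(normalize_bool "$2") || return 2
    _have=$(current_bool "$_name") || return 1
    if [ "$_have" = "$_want" ]; then
        echo unchanged
    else
        setsebool -P "$_name" "$_want" || return 1
        echo changed
    fi
}

# Label a directory tree samba_share_t now (chcon -R) and record the same rule in
# file_contexts.local so it survives a relabel; the entry is added only once.
share_dir_samba() {
    _dir=$1
    _entry="${_dir}(/.*)?  system_u:object_r:samba_share_t"
    chcon -R -t samba_share_t "$_dir" || return 1
    if ! grep -qF -- "${_dir}(/.*)?" "$FILE_CONTEXTS_LOCAL" 2>/dev/null; then
        printf '%s\n' "$_entry" >> "$FILE_CONTEXTS_LOCAL"
    fi
}
```

Run as root on an SELinux host, e.g. `selinux_active && ensure_bool samba_enable_home_dirs on && share_dir_samba /var/eng`. Checking getsebool first keeps repeated runs from rewriting the on-disk policy every time, and rejecting unknown value spellings up front is what makes the -P step safe to run unattended.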
How do you view the current SELinux boolean settings of the system?
answer: getsebool
This post is from the blog "grant.blog.com"; reproduction is not permitted.