
2009-03-23 11:13:47

SELinux notes, based on the RHEL5 man pages
setsebool(8)          SELinux Command Line documentation          setsebool(8)
NAME
       setsebool - set SELinux boolean value
SYNOPSIS
       setsebool [ -P ] boolean value | bool1=val1 bool2=val2 ...
DESCRIPTION
       setsebool  sets  the  current  state  of  a  particular SELinux
       boolean or a list of booleans to a given value. The  value  may
       be  1 or true or on to enable the boolean, or 0 or false or off
       to disable it.
 
       setsebool sets the state of a particular SELinux boolean, or of a
       list of booleans, to the given value. The value may be 1, true or
       on, or 0, false or off.

       Without the -P  option,  only  the  current  boolean  value  is
       affected; the boot-time default settings are not changed.

       Without -P the setting applies only to the running system; after
       a reboot it reverts to the boot-time value.
       If  the  -P  option is given, all pending values are written to
       the policy file on disk. So  they  will  be  persistent  across
       reboots.
       With -P the value is written to the policy file on disk, so it
       persists across reboots until it is changed permanently again.
SEE ALSO
       getsebool(8), booleans(8), togglesebool(8)
 
setenforce(1)         SELinux Command Line documentation         setenforce(1)
NAME
       setenforce - modify the mode SELinux is running in.
SYNOPSIS
       setenforce [ Enforcing | Permissive | 1 | 0 ]
DESCRIPTION
       Use  Enforcing or 1 to put SELinux in enforcing mode.  Use Per-
       missive or 0 to put SELinux in permissive mode.   You  need  to
       modify   /etc/grub.conf   or   /etc/selinux/config  to  disable
       SELinux.
       Setting Enforcing or 1 puts SELinux in enforcing mode.
       Setting Permissive or 0 puts SELinux in permissive (warn-only) mode.
       To disable SELinux you need to edit /etc/grub.conf or /etc/selinux/config.
FILES
       /etc/grub.conf, /etc/selinux/config
getenforce(1)         SELinux Command Line documentation         getenforce(1)
NAME
       getenforce - get the current mode of SELinux
SYNOPSIS
       getenforce
DESCRIPTION
       getenforce reports whether SELinux is enforcing, permissive, or
       disabled.
       getenforce reports whether the current SELinux mode is enforcing, permissive or disabled.
selinuxenabled(1)     SELinux Command Line documentation     selinuxenabled(1)
NAME
       selinuxenabled - tool to be used within shell scripts to deter-
       mine if selinux is enabled
SYNOPSIS
       selinuxenabled
DESCRIPTION
       selinuxenabled Indicates whether SELinux  is  enabled  or  dis-
       abled. It exits with status 0 if SELinux is enabled and 1 if it
       is not enabled.
       Used inside shell scripts to check whether SELinux is currently enabled or disabled.

Tips: using setsebool
1. Turn off SELinux protection for a particular service immediately and permanently, without rebooting the system
httpd: setsebool -P httpd_disable_trans 1; service httpd restart
samba: setsebool -P smbd_disable_trans 1; service smb restart
bind:
nfs:
setsebool -P nfs_export_all_ro 1  (allow read-only exports)
setsebool -P nfs_export_all_rw 1  (allow read/write exports)
squid: setsebool -P squid_disable_trans 1; service squid restart
ftp:
setsebool -P ftpd_home_dir 1; service vsftpd restart
setsebool -P ftpd_disable_trans 1
       SELinux policy is customizable based on least access  required.
       So by default SElinux policy does not allow nfs to share files.
       If you want to setup this machine to share nfs partitions  read
       only, you must set the boolean nfs_export_all_ro boolean.
       setsebool -P nfs_export_all_ro 1
       If  you  want  to  share  files  read/write  you  must  set the
       nfs_export_all_rw boolean.
       setsebool -P nfs_export_all_rw 1
       If you want to use a remote NFS server for the home directories
       on this machine, you must set the use_nfs_home_dirs boolean.
       setsebool -P use_nfs_home_dirs 1
samba_selinux(8)      Samba Selinux Policy documentation      samba_selinux(8)
NAME
       samba_selinux - Security Enhanced Linux Policy for Samba
DESCRIPTION
       Security-Enhanced  Linux  secures the Samba server via flexible
       mandatory access control.
FILE_CONTEXTS
       SELinux requires files to have an extended attribute to  define
       the file type.  Policy governs the access daemons have to these
       files.  If you want to share files other than home directories,
       those files must be labeled samba_share_t.  So if you created a
       special directory /var/eng, you would need to label the  direc-
       tory with the chcon tool.
       SELinux requires each file to carry an extended attribute that
       declares its type. Policy governs which processes may access these
       files (in other words, policy decides whether you can get at the
       file). If you want to share files outside the home directories,
       they must be labeled samba_share_t. So if you created a special
       directory /var/eng, you need to label it with the chcon command:
       chcon -t samba_share_t /var/eng
       If you want to make this permanent, i.e. survive a relabel, you
       must add an entry to the file_contexts.local file.
       To make it permanent, add the following entry to file_contexts.local:
       /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
              /var/eng(/.*)? system_u:object_r:samba_share_t
SHARING FILES
       If  you want to share files with multiple domains (Apache, FTP,
       rsync, Samba), you can set a file context  of  public_content_t
       and  public_content_rw_t.  These context allow any of the above
       domains to read the content.  If you want a  particular  domain
       to  write  to  the public_content_rw_t domain, you must set the
       appropriate boolean.  allow_DOMAIN_anon_write.   So  for  samba
       you would execute:
       If you want to share the same files through several services (for
       example Apache, FTP, rsync and Samba), you can give those files the
       public_content_t or public_content_rw_t context.
       These
       setsebool -P allow_smbd_anon_write=1
BOOLEANS
       SELinux  policy is customizable based on least access required.
       So by default SElinux policy turns off SELinux sharing of  home
       directories  and  the use of Samba shares from a remote machine
       as a home directory.
       If you are setting up this machine as a Samba server  and  wish
       to   share   the   home   directories,  you  need  to  set  the
       samba_enable_home_dirs boolean.
              setsebool -P samba_enable_home_dirs 1
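A script-side companion to the setsebool(8) value rules above, the setsebool tips, and the chcon/file_contexts.local steps in samba_selinux(8), added here as an example (it is not from the original post or from the RHEL man pages): it normalizes the accepted boolean spellings, builds the file_contexts.local entry for a share directory, and only calls setsebool -P when selinuxenabled succeeds. The function names and the APPLY variable are this example's own; setsebool, selinuxenabled and chcon are the real tools named on the page.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for scripts that set
# booleans and share labels following the setsebool(8) and samba_selinux(8)
# text. Function names and the APPLY variable are this example's own.

# Map the spellings setsebool accepts (1/true/on, 0/false/off) to 1 or 0.
# Anything else is rejected with status 2 so a typo never reaches setsebool.
sebool_normalize() {
    case "$1" in
        1|true|on)   echo 1 ;;
        0|false|off) echo 0 ;;
        *) echo "invalid boolean value: $1" >&2; return 2 ;;
    esac
}

# Build the file_contexts.local entry that makes a share label survive a
# relabel, e.g. "/var/eng(/.*)? system_u:object_r:samba_share_t".
# Regex metacharacters in the path are escaped so the pattern matches literally.
share_context_line() {
    esc=$(printf '%s' "$1" | sed 's/[][^$*+?(){}|.]/\\&/g')
    printf '%s(/.*)? system_u:object_r:%s\n' "$esc" "${2:-samba_share_t}"
}

# Set one boolean persistently (setsebool -P), but only when the value is
# well formed and SELinux is enabled (selinuxenabled exits 0). Without
# APPLY=1 the command is only printed, so the script can be dry-run unprivileged.
set_bool_persist() {
    v=$(sebool_normalize "$2") || return 2
    if ! selinuxenabled 2>/dev/null; then
        echo "SELinux is not enabled; skipping $1" >&2
        return 1
    fi
    if [ "${APPLY:-0}" = 1 ]; then
        setsebool -P "$1" "$v"
    else
        echo "setsebool -P $1 $v"
    fi
}

# Dry-run demonstration: label /var/eng for Samba, allow read-only NFS exports.
share_context_line /var/eng
set_bool_persist nfs_export_all_ro on || true
```

The share_context_line output is the line to append to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local; the path escaping goes slightly beyond the man page's plain /var/eng case so directory names containing regex characters still match literally.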
How do you view the current SELinux boolean settings on the system?
Answer: getsebool

This post is from the "grant.blog.com" blog; reposting is not permitted.
