#
ls -Z <文件或目录> 查看文件或目录的 SELinux 上下文,格式为 用户:角色:类型:级别(如 system_u:object_r:admin_home_t:s0);权限位末尾的 "." 表示该文件带有 SELinux 安全上下文。
[root@localhost ~]# ls -Z install.log
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log
[root@localhost ~]# ls -Z hello
-rwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 hello
#
semanage login -l 查看 Linux 用户到 SELinux 用户的映射关系。__default__ 行是所有未单独映射的 Linux 用户的默认映射;下面示例中映射为 unconfined_u,意味着普通登录用户不受 targeted 策略约束,若需限制登录用户,可将其映射为受限的 SELinux 用户。
[root@localhost ~]# semanage login -l
登录名 SELinux 用户 MLS/MCS 范围
__default__ unconfined_u s0-s0:c0.c1023
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
#
ps -eZ 查看所有进程的 SELinux 上下文;其中类型字段(如 init_t、kernel_t)就是进程运行所在的域,targeted 策略正是按域来限制进程的。
[root@localhost ~]# ps -eZ
LABEL PID TTY TIME CMD
system_u:system_r:init_t:s0 1 ? 00:00:01 init
system_u:system_r:kernel_t:s0 2 ? 00:00:00 kthreadd
system_u:system_r:kernel_t:s0 3 ? 00:00:00 migration/0
system_u:system_r:kernel_t:s0 4 ? 00:00:00 ksoftirqd/0
system_u:system_r:kernel_t:s0 5 ? 00:00:00 migration/0
system_u:system_r:kernel_t:s0 6 ? 00:00:00 watchdog/0
system_u:system_r:kernel_t:s0 7 ? 00:00:14 events/0
......
#
id -Z 显示当前登录用户(即当前 shell 进程)的 SELinux 上下文。
[root@localhost ~]# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
#
sestatus 查看 SELinux 是否启用及其当前模式。Current mode 为 enforcing 时违规操作会被拒绝并记录日志,为 permissive 时只记录不拒绝;临时切换模式可用 setenforce 0/1,仅查看模式可用 getenforce。下面输出中 SELinuxfs 挂载在 /selinux、策略版本为 24,对应 RHEL/CentOS 6;RHEL/CentOS 7 及之后挂载点为 /sys/fs/selinux。
[root@localhost ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
#
/var/log/audit/audit.log SELinux 拒绝(AVC denial)日志,由 auditd 记录,可用 ausearch -m avc 或 grep AVC 检索;排查问题时先看这里,确认拒绝的具体权限后再决定是修正文件上下文还是打开布尔值。
#
SELinux 主配置文件: /etc/selinux/config。其中 SELINUX= 设置开机时的模式(enforcing/permissive/disabled),SELINUXTYPE= 设置使用的策略(与下面 sestatus 输出的 "Mode from config file"、"Policy from config file" 对应);修改后需重启才生效,从 disabled 重新启用时还需要重新打标签(touch /.autorelabel)。
#
SELinux策略目录: /etc/selinux/[policy]/
如:/etc/selinux/targeted/
#
semanage boolean -l 列出所有布尔值,并给出每个布尔值的当前状态、默认状态和说明。
[root@localhost ~]# semanage boolean -l
SELinux 布尔值 状态 默认 描述
ftp_home_dir (关 , 关) Allow ftp to read and write files in the user home directories
smartmon_3ware (关 , 关) Enable additional permissions needed to support devices on 3ware controllers.
xdm_sysadm_login (关 , 关) Allow xdm logins as sysadm
xen_use_nfs (关 , 关) Allow xen to manage nfs files
mozilla_read_content (关 , 关) Control mozilla content access
ssh_chroot_rw_homedirs (关 , 关) Allow ssh with chroot env to read and write files in the user home directories
postgresql_can_rsync (关 , 关) Allow postgresql to use ssh and rsync for point-in-time recovery
allow_console_login (开 , 开) Allow direct login to the console device. Required for System 390
spamassassin_can_network (关 , 关) Allow user spamassassin clients to use the network.
#
getsebool -a 仅给出所有布尔变量的当前开关状态,不给出默认值和描述信息。
[root@localhost ~]# getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
allow_console_login --> on
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
allow_daemons_use_tcp_wrapper --> off
......
#
getsebool 【布尔变量】 查看指定布尔变量的当前状态(不是默认状态;默认值见 semanage boolean -l 的"默认"列)。
[root@localhost ~]# getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> off
#
setsebool 【布尔变量】 on/off 临时改变布尔变量状态,只修改运行中的值;系统重启或策略重新加载后将恢复为持久化的值。
[root@localhost ~]# setsebool httpd_can_network_connect_db on
#
setsebool -P 【布尔变量】 on/off 永久改变布尔变量状态(写入策略并重新加载,耗时较长)。打开布尔值等于放宽策略,应只打开作用范围最窄的那个:例如只需 httpd 连接数据库时用 httpd_can_network_connect_db,而不是放开 httpd 全部网络访问的通用布尔值。
[root@localhost ~]# setsebool -P httpd_can_network_connect_db on