SELinux 設定檔
# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing – SELinux security policy is enforced.
# permissive – SELinux prints warnings instead of enforcing.
# disabled – No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted – Targeted processes are protected,
# mls – Multi Level Security protection.
SELINUXTYPE=targeted
顯示目前 SELinux 狀態
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
# sestatus
SELinux status: disabled
[@more@]
改變 SELinux 模式
# getenforce
Enforcing
# setenforce 0
# getenforce
Permissive
# setenforce 1
# getenforce
Enforcing
# setenforce –help
usage: setenforce [ Enforcing | Permissive | 1 | 0 ]
Display SELinux Contexts
# ls -Z /root/anaconda-ks.cfg
-rw——-. root root system_u:object_r:admin_home_t:s0 /root/anaconda-ks.cfg
# ls -dZ /var/www/html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
Set SELinux Contexts
# touch index-1.html
# touch /var/www/html/index.html
# mv index-1.html /var/www/html/
# ls -Z /var/www/html/*.html
-rw-r–r–. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/index-1.html
-rw-r–r–. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
# chcon -t httpd_sys_content_t /var/www/html/index-1.html
# ls -Z /var/www/html/*.html
-rw-r–r–. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index-1.html
-rw-r–r–. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
# touch index-2.html
# mv index-2.html /var/www/html
# ls -Z /var/www/html/*.html
-rw-r–r–. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index-1.html
-rw-r–r–. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/index-2.html
-rw-r–r–. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
# restorecon -v /var/www/html/index-2.html
restorecon reset /var/www/html/index-2.html context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
# ls -Z /var/www/html/*.html
-rw-r–r–. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index-1.html
-rw-r–r–. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index-2.html
-rw-r–r–. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
Get SELinux booleans
# getsebool -a | head -10
abrt_anon_write –> off
abrt_handle_event –> off
allow_console_login –> on
allow_cvs_read_shadow –> off
allow_daemons_dump_core –> on
allow_daemons_use_tcp_wrapper –> off
allow_daemons_use_tty –> on
allow_domain_fd_use –> on
allow_execheap –> off
allow_execmem –> on
# getsebool -a | grep ftp
allow_ftpd_anon_write –> off
allow_ftpd_full_access –> off
allow_ftpd_use_cifs –> off
allow_ftpd_use_nfs –> off
ftp_home_dir –> off
ftpd_connect_db –> off
ftpd_use_fusefs –> off
ftpd_use_passive_mode –> off
httpd_enable_ftp_server –> off
tftp_anon_write –> off
tftp_use_cifs –> off
tftp_use_nfs –> off
# getsebool ftp_home_dir
ftp_home_dir –> off
Set SELinux booleans
# setsebool ftp_home_dir 1
# getsebool ftp_home_dir
ftp_home_dir –> on
# setsebool ftp_home_dir 0
# getsebool ftp_home_dir
ftp_home_dir –> off
讓設定永遠生效
# setsebool -P ftp_home_dir 1
# yum install policycoreutils-python
取得相關資訊
# semanage boolean -l | grep ftp_home_dir
ftp_home_dir (開啟 , 開啟) Allow ftp to read and write files in the user home directories