标签:
selinux 相关命令
1.sestatus 查询系统的selinux目前的狀态
#sestatus -v
2. selinuxenabled 查询系统的selinux支 援是否有启用
3.setenforce 和 getenforce 设定/显示selinux运 作狀态
4.getsebool 列出所有selinux bool数值清单列表与内容
5.setsebool 设定selinux bool数值内容
6.restorecon 恢復档案目录的预设的security context (-R 可针对整过目录做递归修复)
7.chcon 变更档案目录security context
8.fixfiles 修正档案目录的预设的security context
9.secon 检视行程、档案等等项目的SELinux context
10.semanage SELiux policy管理程式
11.audit2why 检视SELinux audit讯息内容
12.sealert SELinux 讯息诊断用户端程式
selinux的配置目录和相关文件:/etc/selinux/config 其中重启后selinux不失效 改其中的permissive 为 enforce
selinux 日志的组件 setroubleshoot, setroubleshoot.plugins.noarch, setroubleshoot-server 包,可以用 yum list installed | grep setroubleshoot 查看一下。
平常工作中经常碰到selinux问题,首先查的就是日志。
selinux 日志:/var/log/audit.log 中带有 avc 关键字的日志,方便它们从其它信息中过滤出来。
#grep AVC audit.log | tail -l
也可用sealert -b 非图形界面显示
sealert -a /var/log/audit/audit.log > /tmp/sealert.txt 查看
********************************************************************************************************************
chcon 用法实例 (转)
chcon命令:修改对象(文件)的安全上下文。比如:用户:角色:类型:安全级别。
命令格式:
Chcon [OPTIONS…] CONTEXT FILES…..
Chcon [OPTIONS…] –reference=PEF_FILES FILES…
说明:
CONTEXT 为要设置的安全上下文
FILES 对象(文件)
--reference 参照的对象
PEF_FILES 参照文件上下文
FILES 应用参照文件上下文为我的上下文。
OPTIONS 如下:
-f 强迫执行
-R 递归地修改对象的安全上下文
-r ROLE 修改安全上下文角色的配置
-t TYPE 修改安全上下文类型的配置
-u USER 修改安全上下文用户的配置
-v 显示冗长的信息
-l, --range=RANGE 修改安全上下文中的安全级别
范例:
1、ftp
//If you want to share files anonymously
<如果你想把这个共享给匿名的话,需要开启以下>
chcon -R -t public_content_t /var/ftp
//If you want to setup a directory where you can
upload files
<如果你想让你设置的FTP目录可以上传文件的话,SELINUX需要设置>
chcon -t public_content_rw_t /var/ftp/incoming
//You must also turn on the boolean
allow_ftpd_anon_write <允许匿名用户写入权限>
setsebool -P allow_ftpd_anon_write=1
//If you are setting up this machine as a ftpd
server and wish to allow users to access their home
directorories<如果你希望你的FTP用户可以访问自己的家目录的话,需要开启>
setsebool -P ftp_home_dir 1
//If you want to run ftpd as a
daemon<如果你希望将vsftpd以daemon的方式运行的话,需要开启>
setsebool -P ftpd_is_daemon 1
//You can disable SELinux protection for the ftpd
daemon<你可以让SElinux停止保护vsftpd的daemon方式动行>
setsebool -P ftpd_disable_trans 1
2、httpd
//If you want a particular domain
to write to the public_content_rw_t domain
<如果希望具体个doman具有可写权限的话,需要设置>
setsebool -P allow_httpd_anon_write=1
or
setsebool -P allow_httpd_sys__anon_write=1
//httpd can be setup to allow cgi s to be
executed <HTTP被设置允许cgi的设置>
setsebool -P httpd_enable_cgi 1
//If you want to allow access to users home
directories<允许用户HHTP访问其家目录,该设定限仅于用户的家目录主页>
setsebool -P httpd_enable_homedirs 1
chcon -R -t httpd_sys_content_t ~user/public_html
//httpd is allowed access to the controling
terminal<允许httpd访问终端>
setsebool -P httpd_tty_comm 1
//such that one httpd service can not interfere
with another
setsebool -P httpd_unified 0
//loadable modules run under the same context as
httpd
setsebool -P httpd_builtin_ing 0
//httpd s are allowed to connect out to the
network
setsebool -P httpd_can_network_connect 1
// You can disable suexec transition
setsebool -P httpd_suexec_disable_trans 1
//You can disable SELinux protection for the
httpd daemon by executing
<关闭Selinux的关于httpd进程守护的保护>
setsebool -P httpd_disable_trans 1
service httpd restart
3、named
//If you want to have named update the master zone files
<关于named,master更新selinux设定>
setsebool -P named_write_master_zones 1
//You can disable SELinux protection for the
named daemon by executing
<关闭named的进程守护保护>
setsebool -P named_disable_trans 1
service named restart
4、nfs
//If you want to setup this machine to share nfs partitions read
only
<Selinux将本机的NFS共享设置成只读>
setsebool -P nfs_export_all_ro 1
//If you want to share files
read/write<Selinux将本机的NFS共享设置成可读可写>
setsebool -P nfs_export_all_rw 1
//If you want to use a remote NFS server for the
home directories on this machine
<如果你想要将远程NFS的家目录共享到本机,需要开启>
setsebool -P use_nfs_home_dirs 1
5、samba
//If you want to share files other than home directorie
<如果你希望将目录共享给其他用户,你需要设置>
chcon -t samba_share_t /directory
//If you want to share files with multiple
domains
如果samba服务器共享目录给多个域,则需要:
setsebool -P allow_smbd_anon_write=1
//If you are setting up this machine as a Samba
server and wish to share the home directories
samba服务器要共享家目录时:
setsebool -P samba_enable_home_dirs 1
//If you want to use a remote Samba server for
the home directories on this machine
如果你需在本机上使用远程samba服务器的家目录
setsebool -P use_samba_home_dirs 1
//You can disable SELinux protection for the
samba daemon by executing
关闭selinux关于samba的进程守护的保护
setsebool -P smbd_disable_trans 1
service smb restart
6、rsync
//If you want to share files using the rsync daemon
共享rsync目录时:
chcon -t public_content_t /directories
//If you want to share files with multiple
domains
允许其他用户写入时
setsebool -P allow_rsync_anon_write=1
//You can disable SELinux protection for the
rsync daemon by executing
停止rsync的进程保护
setsebool -P rsync_disable_trans 1
7、kerberos
//allow your system to work properly in a Kerberos
environment
允许系统使用kerberos
setsebool -P allow_kerberos 1
//If you are running Kerberos daemons kadmind or
krb5kdc
setsebool -P krb5kdc_disable_trans 1
service krb5kdc restart
setsebool -P kadmind_disable_trans 1
service kadmind restart
8、nis
Allow your system to work properly in a NIS environment
系统工作在nis环境时
setsebool -P allow_ypbind 1
标签:
原文地址:http://www.cnblogs.com/samhugh/p/4386536.html