#vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
  ---> enforcing   SELinux is loaded and the policy is enforced
  ---> disabled    SELinux is turned off entirely; no policy is loaded
  ---> permissive  SELinux is loaded but blocks nothing; denials are only logged (/var/log/messages, and /var/log/audit/audit.log when auditd is running)
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
A change to this file only takes effect after a reboot:
#reboot
Switching between enforcing and permissive can also be done at run time with setenforce (next step). Going from disabled back to enforcing or permissive always needs the reboot, and files created while SELinux was disabled carry no labels, so request a full relabel first with `touch /.autorelabel` (the relabel runs during that boot).
#sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
--------------------------------------------
# "Current mode: enforcing" means SELinux is active right now and blocking denied actions.
# "Mode from config file" is what will apply after the next boot; the two differ after a setenforce change that has not been written to /etc/selinux/config.
#setenforce 0    SELinux stays loaded but stops blocking; this is permissive mode
#setenforce 1    back to enforcing
setenforce changes only the running mode and is lost at reboot; edit /etc/selinux/config for a permanent change. It cannot turn SELinux on when the config file says disabled, because no policy is loaded.
#ll -dZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
#ls -lZ /tmp/host
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/host
Different files carry different SELinux security contexts (user:role:type:level). The type field is what the targeted policy mainly decides on, and here it differs:
/var/www/html/ : httpd_sys_content_t
/tmp/host      : user_tmp_t
To give /tmp/host the same security context type as /var/www/html/:
#chcon -t httpd_sys_content_t /tmp/host
#ls -lZ /tmp/host
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /tmp/host
chcon rewrites only the label stored on the file; the rule is not recorded in the policy's file-context database, so restorecon or a full relabel resets any path that database covers back to its default type. For a label that has to survive relabeling, record it with semanage fcontext (from policycoreutils-python) and then apply it with restorecon.
Besides the file-context rules, SELinux has many finer on/off switches, the SELinux booleans.
Example: Apache can serve per-user sites out of home directories (http://www.xxxx.com/~ali/), but with SELinux on this feature is switched off by default, so the matching boolean has to be turned on.
Find the boolean that governs home-directory serving:
#getsebool -a|grep -i httpd|grep -i home
httpd_enable_homedirs --> off
Set the boolean from off to on. -P writes the value into the policy so it survives a reboot; without -P the change is lost at the next boot.
#setsebool -P httpd_enable_homedirs=on
#yum install policycoreutils-python
On RHEL/CentOS 6 this package provides semanage (and audit2allow); the base policycoreutils package does not include them.
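Putting the two persistence points above together (a file label that survives relabeling, and a boolean set with -P), here is an added bash script that is not part of the original notes. It assumes RHEL/CentOS 6 era tool names (ls -Z, restorecon, getsebool/setsebool, semanage from policycoreutils-python) and takes the path and type as arguments, for example the notes' /tmp/host and httpd_sys_content_t; the ls -Z and getsebool lines embedded in it are constructed samples shaped like the output shown above, so the parsing helpers can be exercised on a host without SELinux.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes.
# Makes a file label survive relabeling and turns on httpd_enable_homedirs,
# checking the result of each step. Assumes RHEL/CentOS 6 era tools:
# ls -Z, restorecon, getsebool/setsebool, and semanage from policycoreutils-python.
# Every SELinux command is guarded so the parsing helpers run on any host.

# Constructed sample lines, shaped like the output shown in the notes, so the
# parsers can be exercised where SELinux is absent.
SAMPLE_LS_LINE='-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/host'
SAMPLE_BOOL_LINE='httpd_enable_homedirs --> off'

# Type field of a context string: "user:role:type:level" -> "type".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Type field from one line of `ls -Z` output. The context is the field that
# contains ":object_r:"; scanning for it works for both the RHEL 6 layout
# ("-rw-r--r--. root root CONTEXT PATH") and the newer "CONTEXT PATH" layout.
type_from_ls_line() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[^:]+:object_r:[^:]+/) { print $i; exit } }' |
        cut -d: -f3
}

# Current type of a path on this host (empty if ls -Z gives no context).
file_type() {
    type_from_ls_line "$(ls -dZ "$1" 2>/dev/null)"
}

# State from one line of getsebool output: "name --> off" -> "off".
bool_state_from_line() {
    printf '%s\n' "$1" | awk '{ print $NF }'
}

# True when SELinux is loaded (enforcing or permissive); false when disabled or absent.
selinux_active() {
    command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != Disabled ]
}

# Record a file-context rule with semanage, then apply it with restorecon.
# chcon alone writes only the on-disk label; restorecon would not reproduce it.
label_persistently() {
    lp_path=$1 lp_type=$2
    if ! command -v semanage >/dev/null 2>&1; then
        echo "semanage missing: yum install policycoreutils-python" >&2
        return 1
    fi
    [ -e "$lp_path" ] || { echo "$lp_path does not exist" >&2; return 1; }
    echo "before: $lp_path is $(file_type "$lp_path")"
    # -a fails if a rule for the path already exists; fall back to -m (modify).
    semanage fcontext -a -t "$lp_type" "$lp_path" 2>/dev/null ||
        semanage fcontext -m -t "$lp_type" "$lp_path"
    restorecon -v "$lp_path"
    echo "after:  $lp_path is $(file_type "$lp_path")"
    [ "$(file_type "$lp_path")" = "$lp_type" ]
}

# Turn a boolean on persistently (-P) and confirm getsebool agrees.
enable_bool() {
    eb_name=$1
    if ! command -v getsebool >/dev/null 2>&1; then
        echo "getsebool missing" >&2
        return 1
    fi
    eb_before=$(bool_state_from_line "$(getsebool "$eb_name")")
    setsebool -P "$eb_name" on
    eb_after=$(bool_state_from_line "$(getsebool "$eb_name")")
    echo "$eb_name: $eb_before -> $eb_after"
    [ "$eb_after" = on ]
}

if [ "$#" -eq 2 ]; then
    if ! selinux_active; then
        echo "SELinux is disabled or not installed here; nothing changed" >&2
        exit 1
    fi
    label_persistently "$1" "$2" && enable_bool httpd_enable_homedirs
else
    echo "usage: $0 <path> <type>   (the notes' case: $0 /tmp/host httpd_sys_content_t)" >&2
    echo "parser check on constructed lines: type=$(type_from_ls_line "$SAMPLE_LS_LINE")" \
         "state=$(bool_state_from_line "$SAMPLE_BOOL_LINE")" >&2
fi
```

Run it as root with the path and type; it refuses to act when getenforce reports Disabled, since no policy is loaded and neither semanage nor setsebool would have any effect. Afterwards `ls -lZ` on the path and `getsebool httpd_enable_homedirs` should show the new type and "on", and both survive a reboot or `restorecon -R`, which a plain chcon and a setsebool without -P do not.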