Developers write SELinux targeted policy to define the behaviour that a target application is allowed to perform.
A developer can include optional application behaviour in the SELinux policy; that part of the policy can be enabled on systems where the behaviour is permitted.
SELinux booleans are the switches used to enable or disable these optional behaviours of the SELinux policy.
Commonly used commands: getsebool, setsebool, semanage.
getsebool: query the boolean values of the rules in the SELinux policy
Usage
getsebool -a: list all SELinux booleans
[student@workstation ~]$ getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
auditadm_exec_content --> on
authlogin_nsswitch_use_ldap --> off
authlogin_radius --> off
authlogin_yubikey --> off
awstats_purge_apache_log_files --> off
boinc_execmem --> on
cdrecord_read_content --> off
........
zebra_write_config --> off
zoneminder_anon_write --> off
zoneminder_run_sudo --> off
getsebool <boolean>: show the value of one boolean belonging to a service's policy
For example, httpd_enable_homedirs in the httpd service policy: if it is switched on, remote users can access home directories on the server over HTTP
setsebool: set an SELinux boolean
Used to modify the boolean values of the rules in the SELinux policy. setsebool and getsebool together form the toolset for changing and querying SELinux booleans.
setsebool [-P] boolean=[0|1]
With -P the new value is also written to the persistent policy store, so it survives a reboot; without -P the change applies only to the running kernel and is lost at the next boot.
e.g.
setsebool -P allow_ftpd_anon_write=1 # allow vsftpd anonymous users write access
setsebool -P ftp_home_dir 1 # allow FTP users to access their own home directories
semanage boolean: manage SELinux booleans
semanage boolean -l: list all booleans
[student@workstation ~]$ semanage boolean -l
ValueError: SELinux policy is not managed or store cannot be accessed.
[student@workstation ~]$ sudo semanage boolean -l
[sudo] password for student:
SELinux boolean State Default Description
abrt_anon_write (off , off) Allow abrt to anon write
abrt_handle_event (off , off) Allow abrt to handle event
abrt_upload_watch_anon_write (on , on) Allow abrt to upload watch anon write
antivirus_can_scan_system (off , off) Allow antivirus to can scan system
antivirus_use_jit (off , off) Allow antivirus to use jit
auditadm_exec_content (on , on) Allow auditadm to exec content
authlogin_nsswitch_use_ldap (off , off) Allow authlogin to nsswitch use ldap
authlogin_radius (off , off) Allow authlogin to radius
authlogin_yubikey (off , off) Allow authlogin to yubikey
awstats_purge_apache_log_files (off , off) Allow awstats to purge apache log files
boinc_execmem (on , on) Allow boinc to execmem
cdrecord_read_content (off , off) Allow cdrecord to read content
cluster_can_network_connect (off , off) Allow cluster to can network connect
cluster_manage_all_files (off , off) Allow cluster to manage all files
semanage boolean -l -C: list only the booleans that differ from their default (i.e. the ones that have been modified locally)
[student@workstation ~]$ sudo semanage boolean -l -C
SELinux boolean State Default Description
httpd_enable_homedirs (on , on) Allow httpd to enable homedirs
httpd service example
1. Start the httpd service on server a
systemctl enable --now httpd
2. Check the httpd_enable_homedirs boolean
[student@workstation ~]$ getsebool -a | grep home
...
httpd_enable_homedirs --> off
...
3. Access the home directories on server a from another host: the access fails because of a permission denial
4. Set the SELinux boolean httpd_enable_homedirs to on
[root@servera ~]# setsebool -P httpd_enable_homedirs on
[root@servera ~]# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> on
5. Try again
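The two checks that matter in the procedure above are "is this boolean in the state I expect?" (step 2 and step 4) and "which booleans on this host have been changed from their defaults?" (the semanage boolean -l -C listing earlier). The following POSIX shell script is an added example, not code from the original page: it provides small helpers that parse the exact getsebool and semanage output formats shown in the listings above, so an administrator can audit a host or a saved listing. The sample listings embedded in it are constructed from the page's own output (one entry is deliberately altered so the audit has something to report), and the function names boolean_state, changed_booleans and expect_boolean are my own.

```shell
#!/bin/sh
# Added example (not from the original page): helpers for auditing SELinux
# booleans. They read getsebool/semanage listings on stdin, so they work both
# on a live host and on a listing saved from another machine.

# Print the state (on/off) of one boolean from `getsebool -a` output on stdin.
# Exit status 1 if the boolean is not in the listing.
boolean_state() {
    awk -v name="$1" '$1 == name && $2 == "-->" { print $3; found = 1 }
                      END { if (!found) exit 1 }'
}

# From `semanage boolean -l` output on stdin, print every boolean whose
# current state differs from the value in the Default column, one per line
# as "name state default". This reproduces what -C reports from a saved listing.
changed_booleans() {
    awk '$2 ~ /^\(/ {
        state = substr($2, 2)                    # strip the leading "("
        deflt = substr($4, 1, length($4) - 1)    # strip the trailing ")"
        if (state != deflt) print $1, state, deflt
    }'
}

# Check that a boolean is in the expected state; returns 1 (with a message on
# stderr) if it is missing or different. Usage: ... | expect_boolean NAME on|off
expect_boolean() {
    actual=$(boolean_state "$1") || { echo "$1: not found in listing" >&2; return 1; }
    [ "$actual" = "$2" ] || { echo "$1 is $actual, expected $2" >&2; return 1; }
}

# Constructed sample listings, assembled from the page's output. The
# httpd_enable_homedirs entry is altered to simulate a host where the boolean
# was switched on with setsebool -P.
SAMPLE_GETSEBOOL='abrt_anon_write --> off
httpd_enable_homedirs --> on
zoneminder_run_sudo --> off'

SAMPLE_SEMANAGE='SELinux boolean State Default Description
abrt_anon_write (off , off) Allow abrt to anon write
httpd_enable_homedirs (on , off) Allow httpd to enable homedirs
boinc_execmem (on , on) Allow boinc to execmem'

# Demonstration on the constructed data. On a real host replace the printf
# pipelines with:  getsebool -a | expect_boolean httpd_enable_homedirs on
#             and: sudo semanage boolean -l | changed_booleans
printf '%s\n' "$SAMPLE_GETSEBOOL" | expect_boolean httpd_enable_homedirs on \
    && echo "httpd_enable_homedirs is on, as required for the home-directory test"
echo "Booleans changed from their default:"
printf '%s\n' "$SAMPLE_SEMANAGE" | changed_booleans
```

Because the helpers read from stdin, the same functions can be run against a listing captured before a change and again afterwards, which is a simple way to confirm that a `setsebool -P` took effect and to notice booleans that were switched on and forgotten.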