SELinux-semanage命令详解
(2012-06-02 12:06:04)
标签:
selinux
命令
semanage
杂谈
NAMEsemanage − SELinux Policy
Management tool
SYNOPSIS
Output local
customizationssemanage [ -S store ] -o [ output_file |
- ]
Input local
customizationssemanage [ -S store ] -i [ input_file |
- ]
Manage booleans. Booleans allow the
administrator to modify the confinement of processes based on his
configuration.semanage boolean [−S store] −{d|m|l|n|D}
−[−on|−off|1|0] -F boolean | boolean_file
Manage SELinux confined users (Roles and
levels for an SELinux user)semanage user [−S store]
−{a|d|m|l|n|D} [−LrRP] selinux_name
Manage login mappings between linux users and
SELinux confined users.semanage login [−S store]
−{a|d|m|l|n|D} [−sr] login_name | %groupname
Manage policy modules.semanage
module [−S store] −{a|d|l} [-m [--enable | --disable] ]
module_name
Manage network port type
definitionssemanage port [−S store] −{a|d|m|l|n|D}
[−tr] [−p proto] port | port_range
Manage network interface type
definitionssemanage interface [−S store]
−{a|d|m|l|n|D} [−tr] interface_spec
Manage network node type
definitionssemanage node [−S store] -{a|d|m|l|n|D}
[-tr] [ -p protocol ] [-M netmask] address
Manage file context mapping
definitionssemanage fcontext [−S store] −{a|d|m|l|n|D}
[−frst] file_spec
semanage fcontext [−S store] −{a|d|m|l|n|D} −e replacement
target
Manage processes type enforcement
modesemanage permissive [−S store] −{a|d|l|n|D}
type
Disable/Enable dontaudit rules in
policysemanage dontaudit [−S store] [ on | off ]
Execute multiple commands within a single
transaction.semanage [−S store] −i
command-fileOPTIONS−a, −−add
Add a OBJECT record NAME
−d, −−delete
Delete a OBJECT record NAME
−D, −−deleteall
Remove all OBJECTS local customizations
−−disable
Disable a policy module, requires -m option
Currently modules only.
−−enable
Enable a disabled policy module, requires -m option
Currently modules only.
−e, −−equal
Substitute target path with sourcepath when generating default
label. This is used with fcontext.
Requires source and target path arguments. The context labeling for
the target subtree is made
equivalent to that defined for the source.
−f, −−ftype
File Type. This is used with fcontext. Requires a file type as
shown in the mode field by ls, e.g.
use -d to match only directories or -- to match only regular
files.
−F, −−file
Set multiple records from the input file. When used with the −l
−−list, it will output the current
settings to stdout in the proper format.
Currently booleans only.
−h, −−help
display this message
−l, −−list
List the OBJECTS
−C, −−locallist
List only locally defined settings, not base policy settings.
−L, −−level
Default SELinux Level for SELinux use, s0 Default. (MLS/MCS Systems
only)
−m, −−modify
Modify a OBJECT record NAME
−M, −−mask
Network Mask
−n, −−noheading
Do not print heading when listing OBJECTS.
−p, −−proto
Protocol for the specified port (tcp|udp) or internet protocol
version for the specified node
(ipv4|ipv6).
−r, −−range
MLS/MCS Security Range (MLS/MCS Systems only)
−R, −−role
SELinux Roles. You must enclose multiple roles within quotes,
separate by spaces. Or specify −R
multiple times.
−P, −−prefix
SELinux Prefix. Prefix added to home_dir_t and home_t for labeling
users home directories.
−s, −−seuser
SELinux user name
−S, −−store
Select and alternate SELinux store to manage
−t, −−type
SELinux Type for the object
−i, −−input
Take a set of commands from a specified file and load them in a
single transaction.
EXAMPLESELinux user
List SELinux users
# semanage user -l
SELinux login
Change joe to login as staff_u
# semanage login -a -s staff_u joe
Change the group clerks to login as user_u
# semanage login -a -s user_u %clerks
File contexts
Add file-context for everything under /web
# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
# restorecon -R -v /web
Substitute /home1 with /home when setting file context
# semanage fcontext -a -e /home /home1
# restorecon -R -v /home1
For home directories under top level directory, for example
/disk6/home,
execute the following commands.
# semanage fcontext -a -t home_root_t "/disk6"
# semanage fcontext -a -e /home /disk6/home
# restorecon -R -v /disk6
Port contexts
Allow Apache to listen on tcp port 81
# semanage port -a -t http_port_t -p tcp 81
Change apache to a permissive domain
# semanage permissive -a httpd_t
Turn off dontaudit rules
# semanage dontaudit off
Managing multiple machines
Multiple machines that need the same customizations.
Extract customizations off first machine, copy them
to second and import them.
# semanage -o /tmp/local.selinux
# scp /tmp/local.selinux secondmachine:/tmp
# ssh secondmachine
# semanage -i /tmp/local.selinux
If these customizations include file context, you need to apply
the
context using restorecon.
分享:
喜欢
0
赠金笔
加载中,请稍候......
评论加载中,请稍候...
发评论
登录名: 密码: 找回密码 注册记住登录状态
昵 称:
评论并转载此博文
发评论
以上网友发言只代表其个人观点,不代表新浪网的观点或立场。