Linux has no semanage command: the SELinux semanage command explained

SELinux: the semanage command explained

(2012-06-02 12:06:04)

Tags: selinux, command, semanage, misc

NAME
    semanage - SELinux Policy Management tool

SYNOPSIS
    Output local customizations
        semanage [ -S store ] -o [ output_file | - ]

    Input local customizations
        semanage [ -S store ] -i [ input_file | - ]

    Manage booleans. Booleans allow the administrator to modify the
    confinement of processes based on his configuration.
        semanage boolean [-S store] -{d|m|l|n|D} -[-on|-off|1|0] -F boolean | boolean_file

    Manage SELinux confined users (Roles and levels for an SELinux user)
        semanage user [-S store] -{a|d|m|l|n|D} [-LrRP] selinux_name

    Manage login mappings between linux users and SELinux confined users.
        semanage login [-S store] -{a|d|m|l|n|D} [-sr] login_name | %groupname

    Manage policy modules.
        semanage module [-S store] -{a|d|l} [-m [--enable | --disable] ] module_name

    Manage network port type definitions
        semanage port [-S store] -{a|d|m|l|n|D} [-tr] [-p proto] port | port_range

    Manage network interface type definitions
        semanage interface [-S store] -{a|d|m|l|n|D} [-tr] interface_spec

    Manage network node type definitions
        semanage node [-S store] -{a|d|m|l|n|D} [-tr] [ -p protocol ] [-M netmask] address

    Manage file context mapping definitions
        semanage fcontext [-S store] -{a|d|m|l|n|D} [-frst] file_spec
        semanage fcontext [-S store] -{a|d|m|l|n|D} -e replacement target

    Manage processes type enforcement mode
        semanage permissive [-S store] -{a|d|l|n|D} type

    Disable/Enable dontaudit rules in policy
        semanage dontaudit [-S store] [ on | off ]

    Execute multiple commands within a single transaction.
        semanage [-S store] -i command-file

OPTIONS
    -a, --add
        Add an OBJECT record NAME

    -d, --delete
        Delete an OBJECT record NAME

    -D, --deleteall
        Remove all OBJECTS local customizations

    --disable
        Disable a policy module, requires -m option. Currently modules only.

    --enable
        Enable a disabled policy module, requires -m option. Currently modules only.

    -e, --equal
        Substitute target path with source path when generating the default
        label. This is used with fcontext. Requires source and target path
        arguments. The context labeling for the target subtree is made
        equivalent to that defined for the source.

    -f, --ftype
        File Type. This is used with fcontext. Requires a file type as shown in
        the mode field by ls, e.g. use -d to match only directories or -- to
        match only regular files.

    -F, --file
        Set multiple records from the input file. When used with -l, --list, it
        will output the current settings to stdout in the proper format.
        Currently booleans only.

    -h, --help
        Display this message

    -l, --list
        List the OBJECTS

    -C, --locallist
        List only locally defined settings, not base policy settings.

    -L, --level
        Default SELinux Level for the SELinux user, s0 by default. (MLS/MCS
        systems only)

    -m, --modify
        Modify an OBJECT record NAME

    -M, --mask
        Network Mask

    -n, --noheading
        Do not print heading when listing OBJECTS.

    -p, --proto
        Protocol for the specified port (tcp|udp) or internet protocol version
        for the specified node (ipv4|ipv6).

    -r, --range
        MLS/MCS Security Range (MLS/MCS systems only)

    -R, --role
        SELinux Roles. You must enclose multiple roles within quotes, separated
        by spaces, or specify -R multiple times.

    -P, --prefix
        SELinux Prefix. Prefix added to home_dir_t and home_t for labeling
        users' home directories.

    -s, --seuser
        SELinux user name

    -S, --store
        Select an alternate SELinux store to manage

    -t, --type
        SELinux Type for the object

    -i, --input
        Take a set of commands from a specified file and load them in a single
        transaction.

EXAMPLES
    SELinux user
        List SELinux users
            # semanage user -l

    SELinux login
        Change joe to login as staff_u
            # semanage login -a -s staff_u joe

        Change the group clerks to login as user_u
            # semanage login -a -s user_u %clerks

    File contexts
        Add file-context for everything under /web
            # semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
            # restorecon -R -v /web

        Substitute /home1 with /home when setting file context
            # semanage fcontext -a -e /home /home1
            # restorecon -R -v /home1

        For home directories under a top level directory, for example
        /disk6/home, execute the following commands.
            # semanage fcontext -a -t home_root_t "/disk6"
            # semanage fcontext -a -e /home /disk6/home
            # restorecon -R -v /disk6

    Port contexts
        Allow Apache to listen on tcp port 81
            # semanage port -a -t http_port_t -p tcp 81

    Change apache to a permissive domain
        # semanage permissive -a httpd_t

    Turn off dontaudit rules
        # semanage dontaudit off

    Managing multiple machines
        Multiple machines that need the same customizations. Extract the
        customizations off the first machine, copy them to the second and
        import them.
            # semanage -o /tmp/local.selinux
            # scp /tmp/local.selinux secondmachine:/tmp
            # ssh secondmachine
            # semanage -i /tmp/local.selinux

        If these customizations include file context, you need to apply the
        context using restorecon.
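Added example (not part of the man page or of the semanage project): a small review script for the export produced by `semanage -o` before it is fed to `semanage -i` on the second machine, covering both the single-transaction command file and the multi-machine procedure above. It assumes the export format is one semanage subcommand per line without the leading "semanage" word, and the sample export is constructed from the man page's own examples.

```shell
#!/bin/sh
# Constructed sample of the customizations exported by `semanage -o` on the
# first machine. Line format is an assumption: one semanage subcommand per
# line, without the leading "semanage" word, as `semanage -i` reads it back.
SAMPLE_EXPORT='boolean -D
login -D
port -D
fcontext -D
permissive -D
login -a -s staff_u joe
login -a -s user_u %clerks
fcontext -a -t httpd_sys_content_t "/web(/.*)?"
fcontext -a -e /home /home1
port -a -t http_port_t -p tcp 81
permissive -a httpd_t'

# Count the lines of one object type (first word) in an export.
count_object() {
    printf '%s\n' "$2" | awk -v obj="$1" '$1 == obj { n++ } END { print n + 0 }'
}

# List the domains that importing this file would switch to permissive mode.
permissive_domains() {
    printf '%s\n' "$1" | awk '$1 == "permissive" && $2 == "-a" { print $NF }'
}

# List the path arguments of added fcontext records; each one still needs
# restorecon on the importing machine before the new labels take effect.
fcontext_paths() {
    printf '%s\n' "$1" | awk '$1 == "fcontext" && $2 == "-a" { print $NF }'
}

# Count "-D" (deleteall) lines: importing them first removes the second
# machine's own local customizations of that object type.
deleteall_count() {
    printf '%s\n' "$1" | awk '$2 == "-D" { n++ } END { print n + 0 }'
}

# Print a review of an export before running `semanage -i` with it elsewhere.
review_export() {
    perm=$(permissive_domains "$1")
    [ -n "$perm" ] && echo "WARNING: import makes these domains permissive: $perm"
    d=$(deleteall_count "$1")
    [ "$d" -gt 0 ] && echo "NOTE: $d deleteall lines; local records of those object types are replaced"
    echo "Paths to relabel with restorecon -R -v after import:"
    fcontext_paths "$1"
}

review_export "$SAMPLE_EXPORT"
```

Run it against the real file with `review_export "$(cat /tmp/local.selinux)"` on the first machine before copying it.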
