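Temporarily and Permanently Disabling SELinux and the Firewall

Understanding SELinux

Security-Enhanced Linux, SELinux for short, is a Linux kernel module and a security subsystem of Linux.

The structure and configuration of SELinux are very complex and involve a lot of conceptual material, so it is hard to master. Many Linux system administrators find it too much trouble and simply turn SELinux off.

The main purpose of SELinux is to minimize the resources that service processes on the system can access (the principle of least privilege).

SELinux has three working modes:

1. enforcing: enforcing mode. Actions that violate SELinux rules are blocked and recorded in the log.

2. permissive: permissive mode. Actions that violate SELinux rules are only recorded in the log. Generally used for debugging.

3. disabled: SELinux is turned off.

The SELinux working mode can be set in /etc/selinux/config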

[root@localhost ~]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@localhost ~]# 

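Switching from disabled to enforcing or permissive requires a reboot. The same applies in the other direction.

The enforcing and permissive modes can be switched quickly with the setenforce 1|0 command

Setting and checking the SELinux state

setenforce 0|1    permissive|enforcing

getenforce    show the current SELinux state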

[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# setenforce 0
[root@localhost ~]# getenforce
Permissive
[root@localhost ~]# setenforce 1
[root@localhost ~]# getenforce
Enforcing
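
The session above changes only the runtime mode; /etc/selinux/config still decides the mode at the next boot. The following script is an added example, not part of the original post, that compares the two and reports whether a change is temporary or needs a reboot. The function names selinux_config_mode and classify_selinux and the sample config file are constructed for illustration.

```bash
#!/bin/sh
# Added example: compare the persistent SELinux setting with the runtime mode.

# Print the SELINUX= value from a config file, lowercased.
# Comment lines and SELINUXTYPE= do not match; the last assignment wins.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# classify_selinux <config-file> <runtime-mode>
# <runtime-mode> is what getenforce prints: Enforcing, Permissive or Disabled.
# The body runs in a subshell so its variables stay local.
classify_selinux() (
    cfg=$(selinux_config_mode "$1")
    runtime=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$cfg" in
        enforcing|permissive|disabled)
            if [ "$cfg" = "$runtime" ]; then
                echo "consistent"            # boot setting and runtime agree
            elif [ "$cfg" = disabled ] || [ "$runtime" = disabled ]; then
                echo "reboot-required"       # to/from disabled needs a reboot
            else
                echo "temporary-override"    # setenforce was used; lost at boot
            fi ;;
        *)  echo "invalid-config" ;;         # missing or unknown SELINUX= value
    esac
)

# Constructed sample input, modelled on the config file shown earlier.
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
# SELINUX= can take one of these three values:
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

# State after "setenforce 0": runtime is Permissive, the file says enforcing.
classify_selinux "$sample_cfg" Permissive
# State after "setenforce 1": runtime and file agree again.
classify_selinux "$sample_cfg" Enforcing

# On a real host:
#   classify_selinux /etc/selinux/config "$(getenforce)"
```

A result of temporary-override or reboot-required on a production host means the running mode does not match what the config file will apply at the next boot.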

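Setting and checking the firewall state

systemctl status firewalld  ; service firewalld status    show the firewall status

firewall-cmd --state    also reports whether the firewall is running

systemctl disable firewalld    do not start the firewall at boot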

[root@localhost ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-11-17 17:46:40 CST; 15min ago
     Docs: man:firewalld(1)
 Main PID: 1881 (firewalld)
    Tasks: 2
   CGroup: /system.slice/firewalld.service
           └─1881 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Nov 17 17:46:40 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Nov 17 17:46:40 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
[root@localhost ~]# service firewalld status
Redirecting to /bin/systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-11-17 17:46:40 CST; 19min ago
     Docs: man:firewalld(1)
 Main PID: 1881 (firewalld)
    Tasks: 2
   CGroup: /system.slice/firewalld.service
           └─1881 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Nov 17 17:46:40 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Nov 17 17:46:40 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
[root@localhost ~]# firewall-cmd --state
running
[root@localhost ~]# 

systemctl stop|start|restart|enable|disable firewalld   control the state of the firewall service

[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# service firewalld status
Redirecting to /bin/systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

Nov 17 17:46:40 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Nov 17 17:46:40 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
Nov 17 18:11:44 localhost.localdomain systemd[1]: Stopping firewalld - dynamic firewall daemon...
Nov 17 18:11:45 localhost.localdomain systemd[1]: Stopped firewalld - dynamic firewall daemon.
[root@localhost ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

Nov 17 17:46:40 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Nov 17 17:46:40 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
Nov 17 18:11:44 localhost.localdomain systemd[1]: Stopping firewalld - dynamic firewall daemon...
Nov 17 18:11:45 localhost.localdomain systemd[1]: Stopped firewalld - dynamic firewall daemon.
[root@localhost ~]# 

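iptables firewall

# Check the firewall status

service iptables status  

# Permanently disable the firewall (not started at boot; does not stop a running service)

chkconfig iptables off  

# Re-enable the firewall at boot after it has been permanently disabled

chkconfig iptables on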
