SELinux 基本用法

  1. coreutils 的工具如 ps、ls 可以增加 Z 選項的方式取得 SELinux 的資訊。
    [root@kvm7 ~]# ls -Z anaconda-ks.cfg 
    -rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
    [root@kvm7 ~]# ps auxZ | grep apache
    system_u:system_r:httpd_t:s0  apache  15694  0.0  0.2 215320  3040 ?  S
        Oct14   0:00 /usr/sbin/httpd -DFOREGROUND
    
  2. chcon 修改檔案或目錄的 SELinux contexts。注意 chcon 只改動檔案本身的標籤，不會寫入策略；之後執行 restorecon 或系統重新標籤時會被改回預設值（見第 5 點範例）。
    [root@kvm7 ~]# chcon --help
    Usage: chcon [OPTION]... CONTEXT FILE...
      or:  chcon [OPTION]... [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE...
      -u, --user=USER        set user USER in the target security context
      -r, --role=ROLE        set role ROLE in the target security context
      -t, --type=TYPE        set type TYPE in the target security context
      -l, --range=RANGE      set range RANGE in the target security context
      -R, --recursive        operate on files and directories recursively
      -v, --verbose          output a diagnostic for every file processed
    
  3. chcon 範例
    [root@kvm7 ~]# ls -Z /etc/resolv.conf 
    -rw-r--r--. root root system_u:object_r:net_conf_t:s0  /etc/resolv.conf
    [root@kvm7 ~]# cp /etc/resolv.conf .
    [root@kvm7 ~]# ls -Z resolv.conf 
    -rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 resolv.conf
    [root@kvm7 ~]# chcon -t net_conf_t resolv.conf 
    [root@kvm7 ~]# ls -Z resolv.conf 
    -rw-r--r--. root root unconfined_u:object_r:net_conf_t:s0 resolv.conf
    
  4. restorecon 恢復檔案或目錄的 SELinux contexts 到預設值。
    [root@kvm7 ~]# restorecon
    usage:  restorecon [-iFnprRv0] [-e excludedir] pathname...
    usage:  restorecon [-iFnprRv0] [-e excludedir] -f filename
    
  5. restorecon 範例
    [root@kvm7 ~]# restorecon resolv.conf 
    [root@kvm7 ~]# ls -Z resolv.conf 
    -rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 resolv.conf
    
  6. getsebool 查詢 SELinux 布林值型規則的狀態。
    [root@kvm7 ~]# getsebool 
    usage:  getsebool -a or getsebool boolean...
    
  7. getsebool 範例
    [root@kvm7 ~]# getsebool -a | grep ssh
    fenced_can_ssh --> off
    selinuxuser_use_ssh_chroot --> off
    sftpd_write_ssh_home --> off
    ssh_chroot_rw_homedirs --> off
    ssh_keysign --> off
    ssh_sysadm_login --> off
    
  8. setsebool 開關 SELinux 布林值型規則。
    [root@kvm7 ~]# setsebool 
    Usage:  setsebool [ -NPV ] boolean value | bool1=val1 bool2=val2...
    
  9. setsebool 範例：沒加 -P 選項時只在目前執行期間生效，重開機後會恢復為原設定值；要永久保留需加 -P 選項。
    [root@kvm7 ~]# setsebool sftpd_write_ssh_home on
    [root@kvm7 ~]# getsebool -a | grep ssh
    fenced_can_ssh --> off
    selinuxuser_use_ssh_chroot --> off
    sftpd_write_ssh_home --> on
    ssh_chroot_rw_homedirs --> off
    ssh_keysign --> off
    ssh_sysadm_login --> off
    
  10. semanage 設定 SELinux 策略的某些元素,例如:檔案 context、程序埠號等。
    [root@kvm7 ~]# semanage 
    usage: semanage [-h]
                    
                    {...,port,..,fcontext,...}
                    ...
    semanage is used to configure certain elements of SELinux policy with-out
    requiring modification to or recompilation from policy source.
    
        port              Manage network port type definitions
        fcontext          Manage file context mapping definitions
        boolean           Manage booleans to selectively enable functionality
    
  11. semanage 範例一：為目錄新增 SELinux file context 對應規則。semanage fcontext 只把規則寫入策略，不會立即改變既有檔案的標籤，因此下方第二次 ls -Zd 仍顯示 usr_t；需再執行 restorecon 才會依新規則套用標籤。
    [root@kvm7 ~]# mkdir /usr/share/www
    [root@kvm7 ~]# ls -Z /usr/share/www
    [root@kvm7 ~]# ls -Zd /usr/share/www
    drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0   /usr/share/www
    [root@kvm7 ~]# semanage fcontext -a -t httpd_sys_content_t "/usr/share/www(/.*)?"
    [root@kvm7 ~]# ls -Zd /usr/share/www
    drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0   /usr/share/www
    [root@kvm7 ~]# restorecon -Rv /usr/share/www
    restorecon reset /usr/share/www context unconfined_u:object_r:usr_t:s0
    ->unconfined_u:object_r:httpd_sys_content_t:s0
    [root@kvm7 ~]# ls -Zd /usr/share/www
    drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /usr/share/www
    
  12. semanage 範例二:添加 httpd 程序允許訪問的 port。
    [root@kvm7 ~]# semanage port -l | grep ^http_port
    http_port_t      tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
    [root@kvm7 ~]# semanage port -a -t http_port_t -p tcp 8989
    [root@kvm7 ~]# semanage port -l | grep ^http_port
    http_port_t      tcp      8989, 80, 81, 443, 488, 8008, 8009, 8443, 9000
    
  13. semanage 範例三:刪除 httpd 程序允許訪問的 port。
    [root@kvm7 html]# semanage port -d -t http_port_t -p tcp 8989
    [root@kvm7 html]# semanage port -l | grep ^http_port
    http_port_t       tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000