
Manage SELinux Booleans

  1. get SELinux booleans
    [root@deyu ~]# getsebool -a
    abrt_anon_write --> off
    allow_console_login --> on
    allow_corosync_rw_tmpfs --> off
    .......
    xserver_object_manager --> off
    
    [root@deyu ~]# getsebool -a | grep ftp
    allow_ftpd_anon_write --> off
    allow_ftpd_full_access --> off
    allow_ftpd_use_cifs --> off
    allow_ftpd_use_nfs --> off
    ftp_home_dir --> off
    ftpd_connect_db --> off
    httpd_enable_ftp_server --> off
    sftpd_anon_write --> off
    sftpd_enable_homedirs --> off
    sftpd_full_access --> off
    sftpd_write_ssh_home --> off
    tftp_anon_write --> off
    
    [root@deyu ~]# getsebool ftp_home_dir
    ftp_home_dir --> off
    

  2. set SELinux booleans
    [root@deyu ~]# mkdir /var/ftp/pub/sel
    [root@deyu ~]# touch /var/ftp/pub/sel/a.txt
    
    # 開啟另一終端機,登入kvm4進行測試
    # (Open another terminal and log in to kvm4 to run the test.)
    [root@deyu ~]# ssh root@kvm4.deyu.wang
    root@kvm4.deyu.wang's password: 
    Last login: Fri Dec 30 12:14:06 2011
    [root@kvm4 ~]# wget ftp://deyu.wang/pub/sel/a.txt
    --2011-12-30 17:27:25--  ftp://deyu.wang/pub/sel/a.txt
               => “a.txt”
    Resolving deyu.wang... 192.168.122.1
    Connecting to deyu.wang|192.168.122.1|:21... failed: No route to host.
    
    [root@deyu ~]# setsebool ftp_home_dir 1
    [root@deyu ~]# getsebool ftp_home_dir 
    ftp_home_dir --> on
    
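    # 再以kvm4進行測試,若還有問題請檢查iptables
    # (Test again from kvm4; if it still fails, check iptables. The earlier "No route to host"
    #  is a connection-level rejection, typically from the firewall, and not an SELinux denial;
    #  an SELinux denial would show up as an AVC record in /var/log/audit/audit.log. Note also
    #  that, per its description in step 4, ftp_home_dir governs FTP access to user home
    #  directories, whereas this test file lives under /var/ftp/pub.)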
    [root@kvm4 ~]# wget ftp://deyu.wang/pub/sel/a.txt
    --2011-12-30 17:32:51--  ftp://deyu.wang/pub/sel/a.txt
               => “a.txt”
    Resolving deyu.wang... 192.168.122.1
    Connecting to deyu.wang|192.168.122.1|:21... connected.
    Logging in as anonymous ... Logged in!
    ==> SYST ... done.    ==> PWD ... done.
    ==> TYPE I ... done.  ==> CWD (1) /pub/sel ... done.
    ==> SIZE a.txt ... done.
    ==> PASV ... done.    ==> RETR a.txt ... done.
    
        [ <=>                                   ] 0           --.-K/s   in 0s      
    
    2011-12-30 17:32:51 (0.00 B/s) - “a.txt” saved [0]
    [root@kvm4 ~]# ll a.txt
    -rw-r--r--. 1 root root 0 Dec 30 17:32 a.txt
    
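  3. set SELinux booleans as boot-time default (-P writes the value to the policy on disk so it survives a reboot; without -P, as in step 2, the change lasts only until the next boot)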
    [root@deyu ~]# setsebool -P ftp_home_dir 1
    [root@deyu ~]# getsebool ftp_home_dir 
    ftp_home_dir --> on
    [root@deyu ~]# setsebool -P ftp_home_dir 0
    [root@deyu ~]# getsebool ftp_home_dir 
    ftp_home_dir --> off
    
  4. get more detailed information
    [root@deyu ~]# semanage boolean -l | grep ftp_home_dir
    ftp_home_dir                   -> off   Allow ftp to read and write files in the user home directories
    



2015-04-13