setsebool常用设置
关闭selinux
[root@net named]#/usr/sbin/setenforce 0 //立刻关闭 SELINUX 1为启用
[vi /etc/sysconfig/selinux
把SELINUX=""改成disabled 再重启
在disabled模式下,SELinux内核机制是完全关闭了的,只有系统启动时策略载入前系统才会处于disabled模式,这个模式和 permissive模式有所不同,permissive模式有SELinux内核特征操作,但不会拒绝任何访问,只是进行审核,在disabled模式 下,SELinux将不会有任何动作,只有在极端环境下才使用这个模式,例如,当策略错误阻止你登陆系统时,即使在permissive模式下也有可能发 生这种事情,或我们不想使用SELinux时。
警告:在enforcing和permissive模式或disabled模式之间切换时要小心,当你返回enforcing模式时,通常会导致文件标记不一致,本章后面我们将会讨论如何修复文件标记问题。
===ftp===
//If you want to share files anonymously
chcon -R -t public_content_t /var/ftp
//If you want to setup a directory where you can upload files
chcon -t public_content_rw_t /var/ftp/incoming
You must also turn on the boolean allow_ftpd_anon_write
setsebool -P allow_ftpd_anon_write=1
//If you are setting up this machine as a ftpd server and wish to allow users to access their home directorories
setsebool -P ftp_home_dir 1
//If you want to run ftpd as a daemon
setsebool -P ftpd_is_daemon 1
//You can disable SELinux protection for the ftpd daemon
setsebool -P ftpd_disable_trans 1
===httpd===
//If you want a particular domain to write to the public_content_rw_t domain
setsebool -P allow_httpd_anon_write=1
or
setsebool -P allow_httpd_sys__anon_write=1
//httpd can be setup to allow cgi s to be executed
setsebool -P httpd_enable_cgi 1
//If you want to allow access to users home directories
setsebool -P httpd_enable_homedirs 1
chcon -R -t httpd_sys_content_t ~user/public_html
//httpd is allowed access to the controling terminal
setsebool -P httpd_tty_comm 1
//such that one httpd service can not interfere with another
setsebool -P httpd_unified 0
//loadable modules run under the same context as httpd
setsebool -P httpd_builtin_ing 0
//httpd s are allowed to connect out to the network
setsebool -P httpd_can_network_connect 1
// You can disable suexec transition
setsebool -P httpd_suexec_disable_trans 1
//You can disable SELinux protection for the httpd daemon by executing
setsebool -P httpd_disable_trans 1
service httpd restart
===named===
//If you want to have named update the master zone files
setsebool -P named_write_master_zones 1
//You can disable SELinux protection for the named daemon by executing
setsebool -P named_disable_trans 1
service named restart
===nfs===
//If you want to setup this machine to share nfs partitions read only
setsebool -P nfs_export_all_ro 1
//If you want to share files read/write
setsebool -P nfs_export_all_rw 1
//If you want to use a remote NFS server for the home directories on this machine
setsebool -P use_nfs_home_dirs 1
===samba===
//If you want to share files other than home directorie
chcon -t samba_share_t /directory
//If you want to share files with multiple domains
setsebool -P allow_smbd_anon_write=1
//If you are setting up this machine as a Samba server and wish to share the home directories
setsebool -P samba_enable_home_dirs 1
//If you want to use a remote Samba server for the home directories on this machine
setsebool -P use_samba_home_dirs 1
//You can disable SELinux protection for the samba daemon by executing
setsebool -P smbd_disable_trans 1
service smb restart
===rsync===
//If you want to share files using the rsync daemon
chcon -t public_content_t /directories
//If you want to share files with multiple domains
setsebool -P allow_rsync_anon_write=1
//You can disable SELinux protection for the rsync daemon by executing
setsebool -P rsync_disable_trans 1
===kerberos===
//allow your system to work properly in a Kerberos environment
setsebool -P allow_kerberos 1
//If you are running Kerberos daemons kadmind or krb5kdc
setsebool -P krb5kdc_disable_trans 1
service krb5kdc restart
setsebool -P kadmind_disable_trans 1
service kadmind restart
===nis===
Allow your system to work properly in a NIS environment
setsebool -P allow_ypbind 1
指令「getsebool -a」的画面.
setenforce 指令
这个指令主要是原来暂时将当下的运作状态(Current mode)由 enforcing 模式切换至 permissive 若是遇到短时间不想启用 SELinux 时,这个功能是蛮好用的。使用指令「setenforce 0」(关闭 enforcing)「setenforce 1」(开启 enforcing),可由「sestatus」指令来观察现在的状态.
评论: