首页 > 代码库 > selinux的布尔变量
selinux的布尔变量
selinux的布尔变量
1.作用:
利用布尔变量,在系统运行情况下可以实现:
调整网络服务的部分SELinux策略,
而不用知道具体的SELinux策略如何编写,
也不需要重新加载或重新编译SELinux策略。
2.管理布尔变量
1)查询布尔变量
[root@localhost ~]# semanage boolean -l ##长格式查看所有布尔变量
SELinux 布尔值 描述
ftp_home_dir -> 关 Allow ftp to read and write files in the user home directories
smartmon_3ware -> 关 Enable additional permissions needed to support devices on 3ware controllers.
xdm_sysadm_login -> 关 Allow xdm logins as sysadm
xen_use_nfs -> 关 Allow xen to manage nfs files
mozilla_read_content -> 关 Control mozilla content access
ssh_chroot_rw_homedirs -> 关 Allow ssh with chroot env to read and write files in the user home directories
[root@localhost ~]# semanage boolean -l |grep ssh ##查看与ssh服务有关的布尔变量
ssh_chroot_rw_homedirs -> 关 Allow ssh with chroot env to read and write files in the user home directories
ssh_sysadm_login -> 关 允许通过 ssh 登录为 sysadm_r:sysadm_t
allow_ssh_keysign -> 关 allow host key based authentication
fenced_can_ssh -> 关 Allow fenced domain to execute ssh.
[root@localhost ~]# getsebool -a |grep http ##列出与http有关的布尔设置(off关、on开)
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_read_user_content --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
[root@localhost ~]# getsebool httpd_enable_cgi ##查看某个boolean的具体状态
httpd_enable_cgi --> on
[root@localhost ~]# getsebool httpd_enable_cgi tftp_anon_write ##查看多个boolean的具体状态
httpd_enable_cgi --> on
tftp_anon_write --> off
2)设置布尔变量
[root@localhost ~]# getsebool httpd_enable_cgi
httpd_enable_cgi --> on
[root@localhost ~]# setsebool httpd_enable_cgi off ##临时关闭布尔变量,重启失效
[root@localhost ~]# getsebool httpd_enable_cgi
httpd_enable_cgi --> off
[root@localhost ~]# getsebool httpd_enable_cgi
httpd_enable_cgi --> on
[root@localhost ~]# setsebool -P httpd_enable_cgi off ##永久关闭布尔变量、使用选项大写P
[root@localhost ~]# getsebool httpd_enable_cgi
httpd_enable_cgi --> off
3)限制用户执行应用程序的布尔变量
RHEL6系统中,guest_t和xguest_t域中的linux用户通常不能执行主目录或/tmp目录中的应用程序,
user_t和staff_t域中的linux用户没有此限制。
[root@localhost ~]# getsebool allow_guest_exec_content ##guest_t域默认设置
allow_guest_exec_content --> off
[root@localhost ~]# setsebool -P allow_guest_exec_content on ##允许guest_t域中用户执行应用程序
[root@localhost ~]# getsebool allow_guest_exec_content
allow_guest_exec_content --> on
[root@localhost ~]# setsebool -P allow_user_exec_content off ##禁用user_t用户在对应目录执行应用程序
[root@localhost ~]# getsebool allow_user_exec_content
allow_user_exec_content --> off
本文出自 “为了工作顺利学习好系统” 博客,请务必保留此出处http://stlong.blog.51cto.com/5144113/1565508
selinux的布尔变量