
CentOS: enabling and disabling SELinux

2013-07-10 11:03  330 views

5.4. Enabling and Disabling SELinux

Use the /usr/sbin/getenforce or /usr/sbin/sestatus commands to check the status of SELinux. The getenforce command returns Enforcing, Permissive, or Disabled. It returns Enforcing when SELinux is enabled (SELinux policy rules are enforced):

$ /usr/sbin/getenforce
Enforcing


The getenforce command returns Permissive when SELinux is enabled but SELinux policy rules are not enforced, and only DAC rules are used. It returns Disabled if SELinux is disabled.

The sestatus command returns the SELinux status and the SELinux policy being used:

$ /usr/sbin/sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 23
Policy from config file:        targeted


"SELinux status: enabled" is returned when SELinux is enabled. "Current mode: enforcing" is returned when SELinux is running in enforcing mode. "Policy from config file: targeted" is returned when the SELinux targeted policy is used.



5.4.1. Enabling SELinux


On systems with SELinux disabled, the SELINUX=disabled option is configured in /etc/selinux/config:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted


Also, the getenforce command returns Disabled:

$ /usr/sbin/getenforce
Disabled



To enable SELinux:

Use the rpm -qa | grep selinux, rpm -q policycoreutils, and rpm -qa | grep setroubleshoot commands to confirm that the SELinux packages are installed. This guide assumes the following packages are installed: selinux-policy-targeted, selinux-policy, libselinux, libselinux-python, libselinux-utils, policycoreutils, setroubleshoot, setroubleshoot-server, setroubleshoot-plugins. If these packages are not installed, as the Linux root user, install them via the yum install package-name command. The following packages are optional: policycoreutils-gui, setroubleshoot, selinux-policy-devel, and mcstrans.

Before SELinux is enabled, each file on the file system must be labeled with an SELinux context. Before this happens, confined domains may be denied access, preventing your system from booting correctly. To prevent this, configure SELINUX=permissive in /etc/selinux/config:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted


As the Linux root user, run the reboot command to restart the system. During the next boot, file systems are labeled. The label process labels all files with an SELinux context:

*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
****


Each * character on the bottom line represents 1000 files that have been labeled. In the above example, four * characters represent 4000 files that have been labeled. The time it takes to label all files depends upon the number of files on the system and the speed of the hard disk drives. On modern systems, this process can take as little as 10 minutes.

In permissive mode, SELinux policy is not enforced, but denials are still logged for actions that would have been denied if running in enforcing mode. Before changing to enforcing mode, as the Linux root user, run the grep "SELinux is preventing" /var/log/messages command to confirm that SELinux did not deny actions during the last boot. If SELinux did not deny actions during the last boot, this command does not return any output. Refer to Chapter 7, Troubleshooting for troubleshooting information if SELinux denied access during boot.

If there were no denial messages in /var/log/messages, configure SELINUX=enforcing in /etc/selinux/config:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted


Reboot your system. After reboot, confirm that the getenforce command returns Enforcing:

$ /usr/sbin/getenforce
Enforcing
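The enable procedure above boils down to three checks: read the current SELINUX= setting, rewrite it to a valid mode, and confirm no "SELinux is preventing" denials were logged before going enforcing. The shell helpers below are an added example, not part of the Fedora guide; they take explicit file paths so the demo runs on constructed copies of /etc/selinux/config and /var/log/messages in a temp directory rather than the real files (which require root).

```shell
#!/bin/sh
# Added example (not from the Fedora guide): helpers for the SELinux enable
# procedure. All paths are parameters; the demo at the bottom uses constructed
# files in a temp dir instead of /etc/selinux/config and /var/log/messages.

# Print the active SELINUX= value, skipping the commented example lines.
selinux_mode_from_config() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Rewrite SELINUX= to MODE; only the three values the config file accepts.
set_selinux_mode() {
    file=$1; mode=$2
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELINUX mode: $mode" >&2; return 1 ;;
    esac
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file" > "$file.tmp" &&
        mv "$file.tmp" "$file"
}

# Count "SELinux is preventing" lines, the same check as the guide's grep.
count_denials() {
    grep -c "SELinux is preventing" "$1" || true
}

# The guide's rule: go enforcing only when the last boot logged no denials.
ready_for_enforcing() {
    [ "$(count_denials "$1")" -eq 0 ]
}

# Demo on constructed files (sample log line is made up for illustration).
tmp=$(mktemp -d)
printf '%s\n' '# SELINUX= can take one of these three values:' \
    'SELINUX=disabled' 'SELINUXTYPE=targeted' > "$tmp/config"
printf '%s\n' 'Jul 10 11:03:01 host kernel: usb 1-1: new USB device' \
    'Jul 10 11:03:02 host setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access on the file index.html' \
    > "$tmp/messages"
echo "mode before: $(selinux_mode_from_config "$tmp/config")"
set_selinux_mode "$tmp/config" permissive
echo "mode after:  $(selinux_mode_from_config "$tmp/config")"
if ready_for_enforcing "$tmp/messages"; then
    echo "no denials logged; safe to set SELINUX=enforcing"
else
    echo "$(count_denials "$tmp/messages") denial(s) logged; stay permissive and investigate"
fi
rm -rf "$tmp"
```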


As the Linux root user, run the /usr/sbin/semanage login -l command to view the mapping between SELinux and Linux users. The output should be as follows:

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023


If this is not the case, run the following commands as the Linux root user to fix the user mappings. It is safe to ignore the "SELinux-user username is already defined" warnings if they occur, where username can be unconfined_u, guest_u, or xguest_u:

/usr/sbin/semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__
/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root
/usr/sbin/semanage user -a -S targeted -P user -R guest_r guest_u
/usr/sbin/semanage user -a -S targeted -P user -R xguest_r xguest_u
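To script the "output should be as follows" comparison above, the function below is an added example (not from the guide): it reads semanage login -l output on stdin and reports any __default__ or root entry that does not map to unconfined_u with the s0-s0:c0.c1023 range, which is the condition under which the fix-up commands are needed. The sample tables in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the Fedora guide): check the SELinux user mapping
# table from "semanage login -l" (fed on stdin) against the expected values.
# Prints each deviating login and returns non-zero if anything needs fixing.
check_login_mapping() {
    awk '
        BEGIN { bad = 0 }
        # Data rows have exactly three fields: login, SELinux user, MLS/MCS range.
        NF == 3 {
            seen[$1] = 1
            if (($1 == "__default__" || $1 == "root") &&
                ($2 != "unconfined_u" || $3 != "s0-s0:c0.c1023")) {
                printf "%s maps to %s %s\n", $1, $2, $3
                bad = 1
            }
        }
        END {
            if (!seen["__default__"]) { print "__default__ missing"; bad = 1 }
            if (!seen["root"])        { print "root missing"; bad = 1 }
            exit bad
        }'
}

# Demo: the mapping the guide expects, then a constructed broken one.
good='Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023'
bad='__default__               guest_u                   s0
root                      unconfined_u              s0-s0:c0.c1023'

printf '%s\n' "$good" | check_login_mapping && echo "mapping OK"
printf '%s\n' "$bad" | check_login_mapping || echo "run the semanage fix-up commands"
```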

5.4.2. Disabling SELinux


To disable SELinux, configure SELINUX=disabled in /etc/selinux/config:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted


Reboot your system. After reboot, confirm that the getenforce command returns Disabled:

$ /usr/sbin/getenforce
Disabled


Note: this article is taken from: http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html