centos: enabling and disabling SELinux
2013-07-10 11:03
5.4. Enabling and Disabling SELinux
Use the /usr/sbin/getenforce or /usr/sbin/sestatus commands to check the status of SELinux. The getenforce command returns Enforcing, Permissive, or Disabled. The getenforce command returns Enforcing when SELinux is enabled (SELinux policy rules are enforced):

$ /usr/sbin/getenforce
Enforcing

The getenforce command returns Permissive when SELinux is enabled, but SELinux policy rules are not enforced, and only DAC rules are used. The getenforce command returns Disabled if SELinux is disabled.

The sestatus command returns the SELinux status and the SELinux policy being used:

$ /usr/sbin/sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 23
Policy from config file:        targeted

SELinux status: enabled is returned when SELinux is enabled.
Current mode: enforcing is returned when SELinux is running in enforcing mode.
Policy from config file: targeted is returned when the SELinux targeted policy is used.
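The two sestatus lines worth comparing operationally are "Current mode" and "Mode from config file": they differ when someone has switched the running mode at runtime without touching the config file, and that drift is what an administrator wants flagged. The following shell functions are an added example and not part of the Fedora guide; the sestatus output they parse is a constructed sample, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the Fedora guide: parse sestatus-style output
# and flag drift between the running mode and the mode in the config file.

# Constructed sample of `sestatus` output; the real command prints the same
# "label:   value" layout. Here the running mode no longer matches the file.
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 23
Policy from config file:        targeted'

# sestatus_field "<sestatus output>" "<label>" -> the value on the line
# "label:   value", or nothing if the label is absent.
sestatus_field() {
    printf '%s\n' "$1" | awk -F': *' -v key="$2" '$1 == key { print $2; exit }'
}

# selinux_mode_check "<sestatus output>" -> "<mode> ok" when the running mode
# matches the config file, "<mode> drift(config=<mode>)" when it does not,
# and "disabled ok" when SELinux is disabled (sestatus prints just the
# status line in that case).
selinux_mode_check() {
    status=$(sestatus_field "$1" "SELinux status")
    if [ "$status" != "enabled" ]; then
        echo "disabled ok"
        return 0
    fi
    current=$(sestatus_field "$1" "Current mode")
    configured=$(sestatus_field "$1" "Mode from config file")
    if [ "$current" = "$configured" ]; then
        echo "$current ok"
    else
        echo "$current drift(config=$configured)"
    fi
}

# Demo on the constructed sample. On a real host, feed the live output:
#   selinux_mode_check "$(/usr/sbin/sestatus)"
selinux_mode_check "$SAMPLE_SESTATUS"
```

A "drift" result on a host that is supposed to run enforcing is worth investigating in its own right: the config file is only read at boot, so a runtime change to permissive survives until the next reboot unless someone notices it.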
5.4.1. Enabling SELinux
On systems with SELinux disabled, the SELINUX=disabled option is configured in /etc/selinux/config:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Also, the getenforce command returns Disabled:

$ /usr/sbin/getenforce
Disabled
To enable SELinux:

Use the rpm -qa | grep selinux, rpm -q policycoreutils, and rpm -qa | grep setroubleshoot commands to confirm that the SELinux packages are installed. This guide assumes the following packages are installed: selinux-policy-targeted, selinux-policy, libselinux, libselinux-python, libselinux-utils, policycoreutils, setroubleshoot, setroubleshoot-server, setroubleshoot-plugins. If these packages are not installed, as the Linux root user, install them via the yum install package-name command. The following packages are optional: policycoreutils-gui, setroubleshoot, selinux-policy-devel, and mcstrans.
Before SELinux is enabled, each file on the file system must be labeled with an SELinux context. Before this happens, confined domains may be denied access, preventing your system from booting correctly. To prevent this, configure SELINUX=permissive in /etc/selinux/config:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
As the Linux root user, run the reboot command to restart the system. During the next boot, file systems are labeled. The label process labels all files with an SELinux context:

*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
****

Each * character on the bottom line represents 1000 files that have been labeled. In the above example, four * characters represent 4000 files that have been labeled. The time it takes to label all files depends upon the number of files on the system, and the speed of the hard disk drives. On modern systems, this process can take as little as 10 minutes.
In permissive mode, SELinux policy is not enforced, but denials are still logged for actions that would have been denied if running in enforcing mode. Before changing to enforcing mode, as the Linux root user, run the grep "SELinux is preventing" /var/log/messages command to confirm that SELinux did not deny actions during the last boot. If SELinux did not deny actions during the last boot, this command does not return any output. Refer to Chapter 7, Troubleshooting for troubleshooting information if SELinux denied access during boot.
If there were no denial messages in /var/log/messages, configure SELINUX=enforcing in /etc/selinux/config:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Reboot your system. After reboot, confirm that the getenforce command returns Enforcing:

$ /usr/sbin/getenforce
Enforcing
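The enabling procedure above edits the SELINUX= value in /etc/selinux/config twice (first permissive, then enforcing) with a denial check on /var/log/messages in between. The following shell functions are an added example and not part of the Fedora guide: they perform both steps on a copy of the config file and on captured log text so they can be exercised without a reboot. The config contents and the log lines are constructed samples; the function names are this example's own. One detail worth showing in code is the ^ anchor on SELINUX=, because the file's own comment line also contains the string "SELINUX=".

```sh
#!/bin/sh
# Added example, not part of the Fedora guide: the config edit and the
# denial check from the enabling procedure, as functions that can be run on
# a copy of the file and on captured log text.

# make_sample_config <path>: writes a constructed copy of /etc/selinux/config
# in the layout shown in the guide (SELinux disabled).
make_sample_config() {
    cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF
}

# config_mode <file> -> value of the active SELINUX= line. The ^ anchor keeps
# the comment "# SELINUX= can take one of these three values" and the
# SELINUXTYPE= line out of the match.
config_mode() {
    sed -n 's/^SELINUX=//p' "$1" | tail -n 1
}

# set_config_mode <file> <enforcing|permissive|disabled>: rewrites only the
# active SELINUX= line, refuses values the guide does not list, and verifies
# the result. The file is overwritten in place rather than replaced, so its
# owner, permissions and SELinux label are kept.
set_config_mode() {
    case "$2" in
        enforcing|permissive|disabled) ;;
        *) echo "set_config_mode: unknown mode '$2'" >&2; return 1 ;;
    esac
    tmp="$1.tmp"
    sed "s/^SELINUX=.*/SELINUX=$2/" "$1" > "$tmp" || return 1
    cat "$tmp" > "$1"
    rm -f "$tmp"
    [ "$(config_mode "$1")" = "$2" ]
}

# Constructed /var/log/messages lines: one setroubleshoot denial between two
# unrelated entries.
SAMPLE_MESSAGES='Jul 10 11:03:01 host kernel: Initializing cgroup subsys cpuset
Jul 10 11:03:05 host setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access on the file index.html.
Jul 10 11:03:09 host sshd[1234]: Server listening on 0.0.0.0 port 22.'

# count_denials "<log text>" -> number of lines the guide's grep would return.
count_denials() {
    printf '%s\n' "$1" | grep -c "SELinux is preventing" || true
}

# ready_for_enforcing "<log text>" -> "yes" if no denials were logged while in
# permissive mode, otherwise "no (<n> denials)".
ready_for_enforcing() {
    n=$(count_denials "$1")
    if [ "$n" -eq 0 ]; then echo "yes"; else echo "no ($n denials)"; fi
}

# Demo on a temporary copy. On a real host the file is /etc/selinux/config
# and the log text is the content of /var/log/messages.
demo_cfg=$(mktemp)
make_sample_config "$demo_cfg"
set_config_mode "$demo_cfg" permissive
echo "config now: $(config_mode "$demo_cfg")"
echo "ready for enforcing: $(ready_for_enforcing "$SAMPLE_MESSAGES")"
rm -f "$demo_cfg"
```

The value check in set_config_mode matters more than it looks: the config file is only read at boot, so a mistyped value is not noticed until the next reboot.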
As the Linux root user, run the /usr/sbin/semanage login -l command to view the mapping between SELinux and Linux users. The output should be as follows:

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023

If this is not the case, run the following commands as the Linux root user to fix the user mappings. It is safe to ignore the SELinux-user username is already defined warnings if they occur, where username can be unconfined_u, guest_u, or xguest_u:

/usr/sbin/semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__
/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root
/usr/sbin/semanage user -a -S targeted -P user -R guest_r guest_u
/usr/sbin/semanage user -a -S targeted -P user -R xguest_r xguest_u
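Comparing the semanage login -l table by eye is error-prone on more than a couple of hosts, so the following shell functions check it against the three mappings the guide expects. This is an added example and not part of the Fedora guide; both tables below are constructed samples (the second one deliberately has root mapped to a different SELinux user), and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the Fedora guide: check `semanage login -l`
# output against the mappings the guide expects, to decide whether the
# semanage fix-up commands are needed.

EXPECTED_RANGE='s0-s0:c0.c1023'

# Constructed output matching the table the guide expects.
GOOD_LOGINS='Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023'

# Constructed output where root has been mapped to a different SELinux user.
BAD_LOGINS='Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      staff_u                   s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023'

# login_mapping "<output>" "<login>" -> "<selinux user> <range>" for that
# login, or nothing if the login has no entry. The header line never
# matches because its first field is "Login".
login_mapping() {
    printf '%s\n' "$1" | awk -v login="$2" '$1 == login { print $2, $3; exit }'
}

# check_login_mappings "<output>": prints "<login> ok" or
# "<login> MISMATCH(got '...')" for each expected login; returns 1 if any
# mapping differs from what the guide expects.
check_login_mappings() {
    rc=0
    for spec in "__default__ unconfined_u" "root unconfined_u" "system_u system_u"; do
        login=${spec% *}
        want=${spec#* }
        got=$(login_mapping "$1" "$login")
        if [ "$got" = "$want $EXPECTED_RANGE" ]; then
            echo "$login ok"
        else
            echo "$login MISMATCH(got '${got:-none}')"
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed bad table. On a real host, as root:
#   check_login_mappings "$(/usr/sbin/semanage login -l)"
check_login_mappings "$BAD_LOGINS" || echo "mappings need fixing"
```

Only a mismatch on one of the three logins the guide names is reported; extra logins in the table are left alone, since the guide says nothing about them.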
5.4.2. Disabling SELinux
To disable SELinux, configure SELINUX=disabled in /etc/selinux/config:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Reboot your system. After reboot, confirm that the getenforce command returns Disabled:

$ /usr/sbin/getenforce
Disabled
Note: this article is taken from: http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html