CentOS: Enabling and Disabling SELinux
5.4. Enabling and Disabling SELinux
Use the /usr/sbin/getenforce or /usr/sbin/sestatus commands to check the status of SELinux. The getenforce command returns Enforcing, Permissive, or Disabled. The getenforce command returns Enforcing when SELinux is enabled (SELinux policy rules are enforced):

$ /usr/sbin/getenforce
Enforcing

The getenforce command returns Permissive when SELinux is enabled, but SELinux policy rules are not enforced, and only DAC rules are used. The getenforce command returns Disabled if SELinux is disabled.

The sestatus command returns the SELinux status and the SELinux policy being used:

$ /usr/sbin/sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 23
Policy from config file: targeted

"SELinux status: enabled" is returned when SELinux is enabled. "Current mode: enforcing" is returned when SELinux is running in enforcing mode. "Policy from config file: targeted" is returned when the SELinux targeted policy is used.

5.4.1. Enabling SELinux
On systems with SELinux disabled, the SELINUX=disabled option is configured in /etc/selinux/config:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

Also, the getenforce command returns Disabled:

$ /usr/sbin/getenforce
Disabled

To enable SELinux:

1. Use the rpm -qa | grep selinux, rpm -q policycoreutils, and rpm -qa | grep setroubleshoot commands to confirm that the SELinux packages are installed. This guide assumes the following packages are installed: selinux-policy-targeted, selinux-policy, libselinux, libselinux-python, libselinux-utils, policycoreutils, setroubleshoot, setroubleshoot-server, setroubleshoot-plugins. If these packages are not installed, as the Linux root user, install them via the yum install package-name command. The following packages are optional: policycoreutils-gui, setroubleshoot, selinux-policy-devel, and mcstrans.

2. Before SELinux is enabled, each file on the file system must be labeled with an SELinux context. Before this happens, confined domains may be denied access, preventing your system from booting correctly. To prevent this, configure SELINUX=permissive in /etc/selinux/config:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

3. As the Linux root user, run the reboot command to restart the system. During the next boot, file systems are labeled. The label process labels all files with an SELinux context:

*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
****

Each * character on the bottom line represents 1000 files that have been labeled. In the above example, four * characters indicate that 4000 files have been labeled. The time it takes to label all files depends upon the number of files on the system, and the speed of the hard disk drives. On modern systems, this process can take as little as 10 minutes.

4. In permissive mode, SELinux policy is not enforced, but denials are still logged for actions that would have been denied if running in enforcing mode. Before changing to enforcing mode, as the Linux root user, run the grep "SELinux is preventing" /var/log/messages command to confirm that SELinux did not deny actions during the last boot. If SELinux did not deny actions during the last boot, this command does not return any output. Refer to Chapter 7, Troubleshooting for troubleshooting information if SELinux denied access during boot.

5. If there were no denial messages in /var/log/messages, configure SELINUX=enforcing in /etc/selinux/config:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

6. Reboot your system. After reboot, confirm that the getenforce command returns Enforcing:

$ /usr/sbin/getenforce
Enforcing

7. As the Linux root user, run the /usr/sbin/semanage login -l command to view the mapping between SELinux and Linux users. The output should be as follows:

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023

8. If this is not the case, run the following commands as the Linux root user to fix the user mappings. It is safe to ignore the "SELinux-user username is already defined" warnings if they occur, where username can be unconfined_u, guest_u, or xguest_u:

/usr/sbin/semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__
/usr/sbin/semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root
/usr/sbin/semanage user -a -S targeted -P user -R guest_r guest_u
/usr/sbin/semanage user -a -S targeted -P user -R xguest_r xguest_u

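
The checks that gate the switch from permissive to enforcing in the procedure above can be scripted. The following is an added example, not part of the original guide; the function names configured_mode and ready_for_enforcing and the sample files are constructed for illustration.

```bash
#!/bin/bash
# Added example: gate the permissive -> enforcing switch on the procedure's checks.
# File paths and the runtime mode are arguments so it can run on constructed input.

# Value of the uncommented SELINUX= line in a config file (first one if several).
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | head -n 1
}

# Prints a verdict; returns 0 only when it is safe to set SELINUX=enforcing.
ready_for_enforcing() {
    local cfg=$1 log=$2 runtime=$3 mode n
    mode=$(configured_mode "$cfg")
    if [ "$mode" != "permissive" ]; then
        echo "not ready: config has SELINUX=${mode:-unset}, expected permissive"
        return 1
    fi
    if [ "$runtime" != "Permissive" ]; then
        echo "not ready: getenforce reports '$runtime', reboot into permissive first"
        return 1
    fi
    if [ ! -r "$log" ]; then
        echo "not ready: cannot read $log"
        return 1
    fi
    # grep -c exits 1 on zero matches but still prints 0
    n=$(grep -c "SELinux is preventing" "$log" || true)
    if [ "$n" -gt 0 ]; then
        echo "not ready: $n denial(s) logged, resolve them before enforcing"
        return 1
    fi
    echo "ready: no denials logged in permissive mode"
}

# Constructed sample input (not taken from a real host).
demo_dir=$(mktemp -d)
printf '%s\n' '# SELINUX= can take one of these three values:' \
    'SELINUX=permissive' 'SELINUXTYPE=targeted' > "$demo_dir/config"
printf '%s\n' 'Jan  1 00:00:01 host kernel: boot complete' > "$demo_dir/clean.log"
printf '%s\n' 'Jan  1 00:00:02 host setroubleshoot: SELinux is preventing httpd (constructed)' \
    > "$demo_dir/denied.log"

ready_for_enforcing "$demo_dir/config" "$demo_dir/clean.log" Permissive
ready_for_enforcing "$demo_dir/config" "$demo_dir/denied.log" Permissive || true
# Real host: ready_for_enforcing /etc/selinux/config /var/log/messages "$(/usr/sbin/getenforce)"
```
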
5.4.2. Disabling SELinux
To disable SELinux, configure SELINUX=disabled in /etc/selinux/config:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

Reboot your system. After reboot, confirm that the getenforce command returns Disabled:

$ /usr/sbin/getenforce
Disabled