Checking SELinux Status & Disabling SELinux

  1. Checking SELinux status

1.1 getenforce

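The getenforce command joins the words get and enforce; it shows the SELinux state and is the counterpart of the setenforce command.
The setenforce command joins the words set and enforce and is used to set the SELinux mode. For example, setenforce 0 turns off SELinux enforcement (the mode becomes permissive), but the change is lost after a reboot.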

[root@localhost ~]# getenforce
Enforcing

1.2 /usr/sbin/sestatus

Current mode shows the mode SELinux is currently running in.

[root@localhost ~]# /usr/sbin/sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

SELinux status: the state of SELinux; enabled means SELinux is turned on.
Current mode: the mode SELinux is currently in; enforcing means forced

  2. Disabling SELinux

2.1 Temporarily disabling

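setenforce 0: turns off SELinux enforcement (Current mode becomes permissive, as the output below shows), but the change is lost after a reboot.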

[root@localhost ~]# setenforce 0
[root@localhost ~]# /usr/sbin/sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

2.2 Permanently disabling

Edit the SELinux configuration file; the change takes effect after a reboot.

Open the SELinux configuration file

[root@localhost ~]# vim /etc/selinux/config

Edit the SELinux configuration file

Change SELINUX=enforcing to SELINUX=disabled, then save and exit.

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

At this point getenforce still reports Enforcing; the change to the configuration file has not taken effect yet.

[root@localhost ~]# getenforce
Enforcing

Reboot

[root@localhost ~]# reboot

Verify

[root@localhost ~]# /usr/sbin/sestatus
SELinux status: disabled

[root@localhost ~]# getenforce
Disabled
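
The states this walkthrough passes through (after setenforce 0, after editing the config file but before rebooting, and after the reboot) can be told apart from sestatus output alone, which makes a simple host check for machines where enforcement has been relaxed. The shell function below is an added example, not part of the original article; the name selinux_state, its result strings and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify SELinux state from `sestatus` output read on stdin.
# selinux_state and its result tokens are this example's own, not a standard tool.
selinux_state() {
    awk -F': *' '
        { sub(/[ \t]+$/, "") }                  # drop trailing whitespace
        /^SELinux status:/        { status  = $2 }
        /^Current mode:/          { current = $2 }   # what the kernel does now
        /^Mode from config file:/ { config  = $2 }   # /etc/selinux/config value
        END {
            if (status == "disabled")               print "disabled"
            else if (current == "" || config == "") print "unknown"
            else if (current == config)             print "consistent:" current
            else print "drift:running=" current ",config=" config
        }'
}

# Constructed samples, modelled on the sestatus output shown in the article.
# After `setenforce 0`: running permissive, config file still enforcing.
SAMPLE_AFTER_SETENFORCE_0='SELinux status: enabled
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing'

# Config edited to SELINUX=disabled but host not rebooted yet
# (padded columns, as real sestatus prints them).
SAMPLE_CONFIG_EDITED_NO_REBOOT='SELinux status:                 enabled
Current mode:                   enforcing
Mode from config file:          disabled'

# After the reboot sestatus prints only the status line.
SAMPLE_AFTER_REBOOT='SELinux status: disabled'

for sample in "$SAMPLE_AFTER_SETENFORCE_0" \
              "$SAMPLE_CONFIG_EDITED_NO_REBOOT" \
              "$SAMPLE_AFTER_REBOOT"; do
    printf '%s\n' "$sample" | selinux_state
done

# On a live host: sestatus | selinux_state
```

Any result other than consistent:enforcing means the host is either not enforcing now or will not be after the next boot.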
