SELinux booleans
1. Purpose:
With booleans you can, on a running system,
adjust parts of the SELinux policy that govern network services
without knowing how the SELinux policy itself is written,
and without reloading or recompiling the SELinux policy.
2. Managing booleans
1) Querying booleans
[root@localhost ~]# semanage boolean -l ## long-format listing of all booleans
SELinux 布爾值 描述
ftp_home_dir -> 關 Allow ftp to read and write files in the user home directories
smartmon_3ware -> 關 Enable additional permissions needed to support devices on 3ware controllers.
xdm_sysadm_login -> 關 Allow xdm logins as sysadm
xen_use_nfs -> 關 Allow xen to manage nfs files
mozilla_read_content -> 關 Control mozilla content access
ssh_chroot_rw_homedirs -> 關 Allow ssh with chroot env to read and write files in the user home directories
[root@localhost ~]# semanage boolean -l |grep ssh ## booleans related to the ssh service
ssh_chroot_rw_homedirs -> 關 Allow ssh with chroot env to read and write files in the user home directories
ssh_sysadm_login -> 關 允許通過 ssh 登錄爲 sysadm_r:sysadm_t
allow_ssh_keysign -> 關 allow host key based authentication
fenced_can_ssh -> 關 Allow fenced domain to execute ssh.
[root@localhost ~]# getsebool -a |grep http ## list http-related boolean settings (off = disabled, on = enabled)
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_read_user_content --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
[root@localhost ~]# getsebool httpd_enable_cgi ## show the state of a single boolean
httpd_enable_cgi --> on
[root@localhost ~]# getsebool httpd_enable_cgi tftp_anon_write ## show the state of several booleans at once
httpd_enable_cgi --> on
tftp_anon_write --> off
2) Setting booleans
[root@localhost ~]# getsebool httpd_enable_cgi
httpd_enable_cgi --> on
[root@localhost ~]# setsebool httpd_enable_cgi off ## disable the boolean temporarily; the change is lost on reboot
[root@localhost ~]# getsebool httpd_enable_cgi
httpd_enable_cgi --> off
[root@localhost ~]# getsebool httpd_enable_cgi ## after a reboot the temporary change is gone
httpd_enable_cgi --> on
[root@localhost ~]# setsebool -P httpd_enable_cgi off ## disable the boolean permanently; note the uppercase -P option
[root@localhost ~]# getsebool httpd_enable_cgi
httpd_enable_cgi --> off
3) Booleans that restrict users from executing applications
On RHEL 6, Linux users in the guest_t and xguest_t domains normally cannot execute applications located in their home directory or in /tmp;
users in the user_t and staff_t domains have no such restriction.
[root@localhost ~]# getsebool allow_guest_exec_content ## default setting for the guest_t domain
allow_guest_exec_content --> off
[root@localhost ~]# setsebool -P allow_guest_exec_content on ## allow users in the guest_t domain to execute applications
[root@localhost ~]# getsebool allow_guest_exec_content
allow_guest_exec_content --> on
[root@localhost ~]# setsebool -P allow_user_exec_content off ## prevent user_t users from executing applications in those directories
[root@localhost ~]# getsebool allow_user_exec_content
allow_user_exec_content --> off
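The querying and setting commands in section 2 and the exec-content booleans in section 3 are usually combined in practice into a drift check: compare the host's current boolean values against a baseline you have decided on, and only then decide which setsebool -P commands to run. The script below is an added example written for this page, not part of the original tutorial. It parses the "name --> on|off" format that getsebool prints (the sample output, the baseline, and the function names bool_state, baseline_drift and remediation_commands are all constructed for the example); on a real host you would pass "$(getsebool -a)" as the input instead of the embedded sample.

```shell
#!/bin/sh
# Added example (not from the original page): audit SELinux booleans against a
# desired baseline using the "name --> on|off" format that `getsebool` prints.
# The sample output below is constructed to mirror the page's listings; on a
# real host pass "$(getsebool -a)" as the input instead.

SAMPLE_GETSEBOOL='allow_guest_exec_content --> on
allow_httpd_anon_write --> off
httpd_can_network_connect --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_tmp_exec --> off'

# Desired state, one "name expected" pair per line (a constructed baseline:
# keep httpd off the network, no CGI, no guest execution from home or /tmp).
BASELINE='allow_guest_exec_content off
httpd_can_network_connect off
httpd_enable_cgi off
httpd_tmp_exec off'

# bool_state NAME [INPUT]
# Print "on" or "off" for NAME found in getsebool-style INPUT (defaults to
# the constructed sample), or "unknown" when the boolean is not listed.
bool_state() {
    name=$1
    input=${2:-$SAMPLE_GETSEBOOL}
    state=$(printf '%s\n' "$input" | awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
    if [ -n "$state" ]; then
        printf '%s\n' "$state"
    else
        printf 'unknown\n'
    fi
}

# baseline_drift [INPUT]
# Print "name current expected" for every baseline boolean whose current
# value differs; prints nothing when the host matches the baseline.
baseline_drift() {
    input=${1:-$SAMPLE_GETSEBOOL}
    printf '%s\n' "$BASELINE" | while read -r name expected; do
        current=$(bool_state "$name" "$input")
        if [ "$current" != "$expected" ]; then
            printf '%s %s %s\n' "$name" "$current" "$expected"
        fi
    done
}

# remediation_commands [INPUT]
# Turn each drift line into the persistent `setsebool -P` command that would
# restore the baseline. The commands are printed for review, not executed.
remediation_commands() {
    baseline_drift "$1" | while read -r name current expected; do
        printf 'setsebool -P %s %s\n' "$name" "$expected"
    done
}

# Stand-alone run against the constructed sample.
echo "Booleans deviating from baseline (name current expected):"
baseline_drift
echo "Commands that would restore the baseline:"
remediation_commands
```

The remediation step prints commands rather than running them on purpose: as the page shows, setsebool without -P is lost on reboot while -P rewrites the persistent policy configuration, so the persistent form should be reviewed before it is applied. Booleans missing from the input are reported as "unknown", which also flags a baseline that names a boolean the host's policy does not provide.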