Semanage Command Explained (Semanage命令详解.docx)
- Document ID: 23932703
- Upload date: 2023-05-22
- Format: DOCX
- Pages: 13
- Size: 18.11KB
Semanage Command Explained
(1) View the permission information of login users
(2) View SELinux user mappings
(3) View the authorized port numbers of all OBJECTS
(4) Allow Apache to listen on port 81
(5) View interfaces
(6) View all fcontexts
(7) Add a new rule for a directory
(8) View translations
(9) Notes on the rule-adding commands
(10) Which file does semanage actually operate on?
[root@rhdb1 files]# semanage -h
semanage {login|user|port|interface|fcontext|translation} -l [-n]
semanage login -{a|d|m} [-sr] login_name
semanage user -{a|d|m} [-LrRP] selinux_name
semanage port -{a|d|m} [-tr] [-p protocol] port | port_range
semanage interface -{a|d|m} [-tr] interface_spec
semanage fcontext -{a|d|m} [-frst] file_spec
semanage translation -{a|d|m} [-T] level

Primary Options:
    -a, --add        Add a OBJECT record NAME
    -d, --delete     Delete a OBJECT record NAME
    -m, --modify     Modify a OBJECT record NAME
    -l, --list       List the OBJECTS
    -h, --help       Display this message
    -n, --noheading  Do not print heading when listing OBJECTS
    -S, --store      Select and alternate SELinux store to manage

Object-specific Options (see above):
    -f, --ftype      File Type of OBJECT
                         "" (all files)
                         -- (regular file)
                         -d (directory)
                         -c (character device)
                         -b (block device)
                         -s (socket)
                         -l (symbolic link)
                         -p (named pipe)
    -p, --proto      Port protocol (tcp or udp)
    -P, --prefix     Prefix for home directory labeling
    -L, --level      Default SELinux Level (MLS/MCS Systems only)
    -R, --roles      SELinux Roles (ex: "sysadm_r staff_r")
    -T, --trans      SELinux Level Translation (MLS/MCS Systems only)
    -s, --seuser     SELinux User Name
    -t, --type       SELinux Type for the object
    -r, --range      MLS/MCS Security Range (MLS/MCS Systems only)

Requires 2 or more arguments
[root@rhdb1 files]#

The two options used throughout this document:
    -a, --add        Add a OBJECT record NAME
    -t, --type       SELinux Type for the object
======================================================
(1) View the permission information of login users
==========================
[root@rhdb1 wwwttt]# semanage login -l
Login Name                SELinux User              MLS/MCS Range
__default__               user_u                    s0
root                      root                      SystemLow-SystemHigh
[root@rhdb1 wwwttt]#

# semanage login -a -s user_u testuser
The first user (user_u) is the SELinux user; the second user (testuser) is the system (Linux) user.
Test:
[root@Manager ~]# semanage login -l
Login Name                SELinux User              MLS/MCS Range
__default__               user_u                    s0
root                      root                      SystemLow-SystemHigh
[root@Manager ~]#
The output shows that there are two SELinux users in the system (user_u and root).
1) Add a login name
Note: the user being added must already exist as a system account, as shown below:
[root@Manager home]# semanage login -a -s user_u testuser
/usr/sbin/semanage: Linux User testuser does not exist
[root@Manager home]# useradd testuser
[root@Manager home]# semanage login -a -s user_u testuser
[root@Manager home]#
[root@Manager home]#
[root@Manager home]# semanage login -l
Login Name                SELinux User              MLS/MCS Range
__default__               user_u                    s0
root                      root                      SystemLow-SystemHigh
testuser                  user_u                    s0
[root@Manager home]#
The following two commands are equivalent: when -s is not given, the default SELinux user user_u is used.
# semanage login -a testuser
# semanage login -a -s user_u testuser
2) Delete the created login name
[root@Manager home]# semanage login -d testuser
[root@Manager home]# semanage login -l
Login Name                SELinux User              MLS/MCS Range
__default__               user_u                    s0
root                      root                      SystemLow-SystemHigh
[root@Manager home]#
3) Add a login name that maps to the root SELinux user
[root@Manager home]# semanage login -a -s root yzhq
[root@Manager home]# semanage login -l
Login Name                SELinux User              MLS/MCS Range
__default__               user_u                    s0
root                      root                      SystemLow-SystemHigh
testuser                  user_u                    s0
yzhq                      root                      s0
[root@Manager home]#
User yzhq logs in:
[yzhq@Manager ~]$ id
uid=503(yzhq) gid=504(yzhq) groups=504(yzhq) context=root:system_r:unconfined_t
[yzhq@Manager ~]$
[yzhq@Manager ~]$ df > disk.txt
[yzhq@Manager ~]$ ls -Z disk.txt
-rw-rw-r--  yzhq yzhq root:object_r:user_home_t        disk.txt
[yzhq@Manager ~]$
After the login mapping is deleted, user yzhq logs in again:
[root@Manager home]# semanage login -d yzhq
[root@Manager home]# semanage login -l
Login Name                SELinux User              MLS/MCS Range
__default__               user_u                    s0
root                      root                      SystemLow-SystemHigh
testuser                  user_u                    s0
[root@Manager home]#
User yzhq logs in:
[yzhq@Manager ~]$ id
uid=503(yzhq) gid=504(yzhq) groups=504(yzhq) context=user_u:system_r:unconfined_t
[yzhq@Manager ~]$ df > b.txt
[yzhq@Manager ~]$ ls -Z
-rw-rw-r--  yzhq yzhq user_u:object_r:user_home_t      b.txt
-rw-rw-r--  yzhq yzhq root:object_r:user_home_t        disk.txt
[yzhq@Manager ~]$
(2) View SELinux user mappings
===============================
[root@rhdb1 wwwttt]# semanage user -l
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range              SELinux Roles
root            user       s0         SystemLow-SystemHigh   system_r sysadm_r user_r
system_u        user       s0         SystemLow-SystemHigh   system_r
user_u          user       s0         SystemLow-SystemHigh   system_r sysadm_r user_r
[root@rhdb1 wwwttt]#
[root@rhdb1 wwwttt]#
(3) View the authorized port numbers of all OBJECTS
===============================
[root@rhdb1 wwwttt]# semanage port -l | more
SELinux Port Type              Proto    Port Number
afs_bos_port_t                 udp      7007
afs_fs_port_t                  tcp      2040
afs_fs_port_t                  udp      7000, 7005
afs_ka_port_t                  udp      7004
afs_pt_port_t                  udp      7002
afs_vl_port_t                  udp      7003
amanda_port_t                  tcp      10080, 10081, 10082, 10083
amanda_port_t                  udp      10080, 10081
amavisd_recv_port_t            tcp      10024
amavisd_send_port_t            tcp      10025
apcupsd_port_t                 tcp      3551
apcupsd_port_t                 udp      3551
asterisk_port_t                tcp      1720
asterisk_port_t                udp      2427, 2727, 4569, 5060
auth_port_t                    tcp      113
(4) Allow Apache to listen on port 81
==========================
With SELinux enabled, after changing the default port (80 -> 81) the service will no longer start. The solution:
[root@rhdb1 wwwttt]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:81
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:81
no listening sockets available, shutting down
Unable to open logs
                                                           [FAILED]
[root@rhdb1 wwwttt]#
[root@rhdb1 wwwttt]# semanage port -a -t http_port_t -p tcp 81
[root@rhdb1 wwwttt]# service httpd restart
Stopping httpd:                                            [FAILED]
Starting httpd:                                            [  OK  ]
[root@rhdb1 wwwttt]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@rhdb1 wwwttt]#
Note: when the port is changed back to 80, no further setting is needed.
The output below shows that port 81 is now authorized for the http_port_t type.
[root@rhdb1 wwwttt]# semanage port -l | grep http_port_t
http_port_t                    tcp      81, 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t            tcp      5988
[root@rhdb1 wwwttt]#
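An added example, not from the original document, that reads a semanage port -l listing like the one above and decides whether a port still needs semanage port -a: it prints none when the port already maps to the wanted type, add when the port is undefined, and modify when another type owns it (semanage port -a then reports that the port is already defined, and semanage port -m is the right command). SAMPLE_PORT_LIST is a constructed listing; port_type and semanage_port_action are hypothetical helper names.

```shell
#!/bin/sh
# Hypothetical helper, not from the original document: decide from the output
# of "semanage port -l" whether a port still needs "semanage port -a".
# Constructed sample listing, modelled on the output shown in the document.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      81, 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t            tcp      5988
afs_fs_port_t                  udp      7000, 7005
unreserved_port_t              tcp      1024-65535'

# port_type LISTING PROTO PORT
# Prints the type that defines PROTO/PORT as a single port, or nothing.
# Range definitions such as 1024-65535 are deliberately ignored: semanage's
# "already defined" check is on the exact port key, so a port that merely
# falls inside a range can still be added with -a.
port_type() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        NR == 1 || $2 != proto { next }        # skip heading and other protocols
        {
            for (i = 3; i <= NF; i++) {         # fields 3..NF hold "81," "80," ...
                p = $i
                sub(/,$/, "", p)
                if (p == port) { print $1; exit }
            }
        }'
}

# semanage_port_action LISTING TYPE PROTO PORT
# "none"   : PROTO/PORT is already mapped to TYPE
# "add"    : PROTO/PORT is not defined, use   semanage port -a -t TYPE -p PROTO PORT
# "modify" : PROTO/PORT belongs to another type; -a fails with "already defined",
#            use  semanage port -m -t TYPE -p PROTO PORT  instead
semanage_port_action() {
    owner=$(port_type "$1" "$3" "$4")
    if [ -z "$owner" ]; then
        echo add
    elif [ "$owner" = "$2" ]; then
        echo none
    else
        echo modify
    fi
}

# Stand-alone run: the document's case, tcp/81 for http_port_t.
semanage_port_action "$SAMPLE_PORT_LIST" http_port_t tcp 81
```

On a real host replace SAMPLE_PORT_LIST with "$(semanage port -l)".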
(5) View interfaces
==================
[root@rhdb1 wwwttt]# semanage interface -l
SELinux Interface              Context
[root@rhdb1 wwwttt]#
(6) View all fcontexts
======================
[root@rhdb1 wwwttt]# semanage fcontext -l | more
SELinux fcontext                                   type               Context
/.*                                                all files          system_u:object_r:default_t:s0
/xen(/.*)?                                         all files          system_u:object_r:xen_image_t:s0
/mnt(/[^/]*)                                       symbolic link      system_u:object_r:mnt_t:s0
/mnt(/[^/]*)?                                      directory          system_u:object_r:mnt_t:s0
/lib(64)?/dbus-1/dbus-daemon-launch-helper         regular file       system_u:object_r:bin_t:s0
/bin/.*                                            all files          system_u:object_r:bin_t:s0
/dev/.*                                            all files          system_u:object_r:device_t:s0
/lib/.*                                            all files          system_u:object_r:lib_t:s0
/var/.*                                            all files          system_u:object_r:var_t:s0
/etc/.*                                            all files          system_u:object_r:etc_t:s0
/srv/.*                                            all files          system_u:object_r:var_t:s0
/sys/.*                                            all files          <<None>>
/usr/.*                                            all files          system_u:object_r:usr_t:s0
/tmp/.*                                            all files          <<None>>
/opt/.*                                            all files          system_u:object_r:usr_t:s0
/mnt/[^/]*/.*                                      all files          <<None>>
Note: the output of semanage fcontext -l is almost identical to the contents of the original file_contexts file:
/etc/selinux/targeted/contexts/files/file_contexts
(7) Add a new rule for a directory
=============================
Add file-context for everything under /web (used by restorecon)
1) Create a new rule that gives the /web directory and every file under it the label (extended attribute) httpd_sys_content_t
[root@rhdb1 ~]# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
2) Verify the newly added rule; it is now present in the system.
[root@rhdb1 ~]# semanage fcontext -l | grep web
/var/lib/webalizer(/.*)?                           all files          system_u:object_r:webalizer_var_lib_t:s0
/usr/libexec/evolution-webcal.*                    regular file       system_u:object_r:evolution_webcal_exec_t:s0
/usr/bin/webalizer                                 regular file       system_u:object_r:webalizer_exec_t:s0
/usr/share/texmf/web2c/mktexdir                    regular file       system_u:object_r:bin_t:s0
/usr/share/texmf/web2c/mktexnam                    regular file       system_u:object_r:bin_t:s0
/usr/share/texmf/web2c/mktexupd                    regular file       system_u:object_r:bin_t:s0
/web(/.*)?                                         all files          system_u:object_r:httpd_sys_content_t:s0
3) Relabel the file system so that the files carry the label the rule specifies
[root@rhdb1 ~]# ls -Z /web
-rw-r--r--  root root root:object_r:default_t          index.html
[root@rhdb1 ~]# fixfiles relabel /web
    Files in the /tmp directory may be labeled incorrectly, this command
    can remove all files in /tmp.  If you choose to remove files from /tmp,
    a reboot will be required after completion.
    Do you wish to clean out the /tmp directory [N]?
[root@rhdb1 ~]# ls -Z /web
-rw-r--r--  root root system_u:object_r:httpd_sys_content_t index.html
[root@rhdb1 ~]#
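An added example, not from the original document, that predicts the label restorecon or fixfiles will apply to a path from file_contexts-style rules like those listed in (6) and the file_contexts.local entry shown in (9): libselinux takes the last matching entry, so the /web rule appended by semanage fcontext -a overrides the generic /.* entry, while /webalizer is left alone because the regex is anchored. On a running system the same check is matchpathcon PATH; RULES below is a constructed rule set, and expected_context and type_of are hypothetical helper names.

```shell
#!/bin/sh
# Hypothetical helper, not from the original document: predict the context
# restorecon / fixfiles would give PATH from file_contexts-style rules, using
# the same "last matching entry wins" order libselinux uses, which is why an
# entry appended to file_contexts.local overrides the generic ones above it.
# On a live system the same answer comes from:  matchpathcon /web/index.html
# Constructed rule set: entries quoted in the document plus the /web line that
# "semanage fcontext -a" wrote to file_contexts.local. Columns are
# REGEX [FILE_TYPE] CONTEXT, as in file_contexts; the file-type column is
# accepted but not used for filtering here.
RULES='# Please use the semanage command to make changes
/.*                        system_u:object_r:default_t:s0
/var/.*                    system_u:object_r:var_t:s0
/var/lib/webalizer(/.*)?   system_u:object_r:webalizer_var_lib_t:s0
/usr/bin/webalizer     --  system_u:object_r:webalizer_exec_t:s0
/web(/.*)?                 system_u:object_r:httpd_sys_content_t:s0'

# expected_context RULES PATH
# Prints the context of the last rule whose regex matches the whole path
# (file_contexts regexes are anchored at both ends), or nothing if none matches.
expected_context() {
    ctx=''
    while read -r re a b; do
        case "$re" in ''|'#'*) continue ;; esac        # blank and comment lines
        if [ -n "$b" ]; then ctx_candidate=$b; else ctx_candidate=$a; fi
        if printf '%s\n' "$2" | grep -Eq "^${re}\$"; then
            ctx=$ctx_candidate                          # later match replaces earlier
        fi
    done <<EOF
$1
EOF
    printf '%s\n' "$ctx"
}

# type_of RULES PATH -> only the type field, e.g. httpd_sys_content_t
type_of() {
    expected_context "$1" "$2" | awk -F: '{ print $3 }'
}

# Stand-alone run: the file relabelled in the document.
type_of "$RULES" /web/index.html
```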
(8) View translations
====================
[root@rhdb1 wwwttt]# semanage translation -l
Level                          Translation
s0
s0-s0:c0.c1023                 SystemLow-SystemHigh
s0:c0.c1023                    SystemHigh
[root@rhdb1 wwwttt]#
(9) Notes on the rule-adding commands
==========================
1) A rule-adding command updates at least the following files:
[root@rhdb1 files]# pwd
/etc/selinux/targeted/contexts/files
[root@rhdb1 files]# ll
total 164
-rw-r--r-- 1 root root 124157 Mar 27 00:06 file_contexts
-rw-r--r-- 1 root root   1218 Mar 27 00:06 file_contexts.homedirs
-rw-r--r-- 1 root root    151 Mar 27 00:06 file_contexts.local
-rw-r--r-- 1 root root   1006 Mar 27 00:06 homedir_template
-rw-r--r-- 1 root root    139 Apr 29  2008 media
[root@rhdb1 files]#
2) The command semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" creates a new file (file_contexts.local), as shown below:
[root@rhdb1 files]# cat file_contexts.local
# This file is auto-generated by libsemanage
# Please use the semanage command to make changes
/web(/.*)?    system_u:object_r:httpd_sys_content_t:s0
[root@rhdb1 files]#
3) Rules written directly into the following files are deleted whenever semanage updates them:
/etc/selinux/targeted/contexts/files/file_contexts
/etc/selinux/targeted/contexts/files/file_contexts.local
4) For directories under /home, set permissions with the semanage command or by editing