您的位置:360文档中心› Semanage命令详解

Semanage命令详解

Semanage命令详解
Semanage命令详解

Semanage命令详解(1)查看登录用户的权限信息

(2)View SELinux user mappings

(3)查看所有OBJECTS的授权端口号

(4)允许apache监听在81端口

(5)查看interface

(6)查看所有的fcontext

(7)为一个目录添加一个新的规则

(8)查看translation

(9)添加规则命令的注意事项

(10) semanage操作的实际文件是哪个文件?

[root@rhdb1 files]# semanage -h

semanage {login|user|port|interface|fcontext|translation} -l [-n] semanage login -{a|d|m} [-sr] login_name

semanage user -{a|d|m} [-LrRP] selinux_name

semanage port -{a|d|m} [-tr] [ -p protocol ] port | port_range semanage interface -{a|d|m} [-tr] interface_spec

semanage fcontext -{a|d|m} [-frst] file_spec

semanage translation -{a|d|m} [-T] level

Primary Options:

-a, --add Add a OBJECT record NAME

-d, --delete Delete a OBJECT record NAME

-m, --modify Modify a OBJECT record NAME

-l, --list List the OBJECTS

-h, --help Display this message

-n, --noheading Do not print heading when listing OBJECTS

-S, --store Select and alternate SELinux store to manage

Object-specific Options (see above):

-f, --ftype File Type of OBJECT

"" (all files)

-- (regular file)

-d (directory)

-c (character device)

-b (block device)

-s (socket)

-l (symbolic link)

-p (named pipe)

-p, --proto Port protocol (tcp or udp)

-P, --prefix Prefix for home directory labeling

-L, --level Default SELinux Level (MLS/MCS Systems only)

-R, --roles SELinux Roles (ex: "sysadm_r staff_r")

-T, --trans SELinux Level Translation (MLS/MCS Systems only)

-s, --seuser SELinux User Name

-t, --type SELinux Type for the object

-r, --range MLS/MCS Security Range (MLS/MCS Systems only)

Requires 2 or more arguments

[root@rhdb1 files]#

-a, --add

Add a OBJECT record NAME

-t, --type

SELinux Type for the object

======================================================(1)查看登录用户的权限信息

==========================

[root@rhdb1 wwwttt]# semanage login -l

Login Name SELinux User MLS/MCS Range

__default__ user_u s0

root root SystemLow-SystemHigh

[root@rhdb1 wwwttt]#

# semanage login -a -s user_u testuser

第一个用户(user_u): SElinux 用户

第二个用户(testuser): 系统用户

测试:

[root@Manager ~]# semanage login -l

Login Name SELinux User MLS/MCS Range

__default__ user_u s0

root root SystemLow-SystemHigh [root@Manager ~]#

从输出中看到,系统中存在两个selinux user(user_u和root)

1) 添加一个login name

注意:要添加的用户,必须首先为系统帐号,如下所示:

[root@Manager home]# semanage login -a -s user_u testuser

/usr/sbin/semanage: Linux User testuser does not exist

[root@Manager home]# useradd testuser

[root@Manager home]# semanage login -a -s user_u testuser

[root@Manager home]#

[root@Manager home]#

[root@Manager home]# semanage login -l

Login Name SELinux User MLS/MCS Range

__default__ user_u s0

root root SystemLow-SystemHigh testuser user_u s0

[root@Manager home]#

下面这两条命令等价,不指定-s上,以默认user_u来设置

# semanage login -a testuser

# semanage login -a -s user_u testuser

2) 删除创建的login name

[root@Manager home]# semanage login -d testuser

[root@Manager home]# semanage login -l

Login Name SELinux User MLS/MCS Range

__default__ user_u s0

root root SystemLow-SystemHigh [root@Manager home]#

3) 添加一个login name ,以root来进入

[root@Manager home]# semanage login -a -s root yzhq

[root@Manager home]# semanage login -l

Login Name SELinux User MLS/MCS Range

__default__ user_u s0

root root SystemLow-SystemHigh testuser user_u s0

yzhq root s0

[root@Manager home]#

用户:yzhq登录

[yzhq@Manager ~]$ id

uid=503(yzhq) gid=504(yzhq) groups=504(yzhq) context=root:system_r:unconfined_t [yzhq@Manager ~]$

[yzhq@Manager ~]$ df > disk.txt

[yzhq@Manager ~]$ ls -Z disk.txt

-rw-rw-r-- yzhq yzhq root:object_r:user_home_t disk.txt

[yzhq@Manager ~]$

删除login后,用户yzhq登录

[root@Manager home]# semanage login -d yzhq

[root@Manager home]# semanage login -l

Login Name SELinux User MLS/MCS Range

__default__ user_u s0

root root SystemLow-SystemHigh testuser user_u s0

[root@Manager home]#

用户:yzhq登录

[yzhq@Manager ~]$ id

uid=503(yzhq) gid=504(yzhq) groups=504(yzhq) context=user_u:system_r:unconfined_t

[yzhq@Manager ~]$ df > b.txt

[yzhq@Manager ~]$ ls -Z

-rw-rw-r-- yzhq yzhq user_u:object_r:user_home_t b.txt

-rw-rw-r-- yzhq yzhq root:object_r:user_home_t disk.txt

[yzhq@Manager ~]$

(2)View SELinux user mappings

===============================

[root@rhdb1 wwwttt]# semanage user -l

Labeling MLS/ MLS/

SELinux User Prefix MCS Level MCS Range SELinux Roles

root user s0 SystemLow-SystemHigh system_r sysadm_r user_r

system_u user s0 SystemLow-SystemHigh system_r user_u user s0 SystemLow-SystemHigh system_r sysadm_r user_r

[root@rhdb1 wwwttt]#

[root@rhdb1 wwwttt]#

(3)查看所有OBJECTS的授权端口号

===============================

[root@rhdb1 wwwttt]# semanage port -l |more

SELinux Port Type Proto Port Number

afs_bos_port_t udp 7007

afs_fs_port_t tcp 2040

afs_fs_port_t udp 7000, 7005

afs_ka_port_t udp 7004

afs_pt_port_t udp 7002

afs_vl_port_t udp 7003

amanda_port_t tcp 10080, 10081, 10082, 10083 amanda_port_t udp 10080, 10081

amavisd_recv_port_t tcp 10024

amavisd_send_port_t tcp 10025

apcupsd_port_t tcp 3551

apcupsd_port_t udp 3551

asterisk_port_t tcp 1720

asterisk_port_t udp 2427, 2727, 4569, 5060

auth_port_t tcp 113

(4)允许apache监听在81端口

==========================

Allow Apache to listen on port 81

开启selinux的情况下,改变默认端口(80->81)后,服务将不能启动,解决办法:

[root@rhdb1 wwwttt]# service httpd restart

Stopping httpd: [ OK ]

Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:81 (13)Permission denied: make_sock: could not bind to address 0.0.0.0:81

no listening sockets available, shutting down

Unable to open logs

[FAILED]

[root@rhdb1 wwwttt]#

[root@rhdb1 wwwttt]# semanage port -a -t http_port_t -p tcp 81

[root@rhdb1 wwwttt]# service httpd restart

Stopping httpd: [FAILED]

Starting httpd: [ OK ]

[root@rhdb1 wwwttt]# service httpd restart

Stopping httpd: [ OK ]

Starting httpd: [ OK ]

[root@rhdb1 wwwttt]#

注意:变回80后,不需要做设置。可以从下面的输出中查看到81端口已经授权给了http_port_t类型。

[root@rhdb1 wwwttt]# semanage port -l |grep http_port_t

http_port_t tcp 81, 80, 443, 488, 8008, 8009, 8443

pegasus_http_port_t tcp 5988

[root@rhdb1 wwwttt]#

(5)查看interface

==================

[root@rhdb1 wwwttt]# semanage interface -l

SELinux Interface Context

[root@rhdb1 wwwttt]#

(6)查看所有的fcontext

======================

[root@rhdb1 wwwttt]# semanage fcontext -l |more

SELinux fcontext type Context

/.* all files system_u:object_r:default_t:s0

/xen(/.*)? all files system_u:object_r:xen_image_t:s0

/mnt(/[^/]*) symbolic link system_u:object_r:mnt_t:s0

/mnt(/[^/]*)? directory system_u:object_r:mnt_t:s0

/lib(64)?/dbus-1/dbus-daemon-launch-helper regular file system_u:object_r:bin_t:s0

/bin/.* all files system_u:object_r:bin_t:s0

/dev/.* all files system_u:object_r:device_t:s0

/lib/.* all files system_u:object_r:lib_t:s0

/var/.* all files system_u:object_r:var_t:s0

/etc/.* all files system_u:object_r:etc_t:s0

/srv/.* all files system_u:object_r:var_t:s0

/sys/.* all files <>

/usr/.* all files system_u:object_r:usr_t:s0

/tmp/.* all files <>

/opt/.* all files system_u:object_r:usr_t:s0

/mnt/[^/]*/.* all files <>

注意:semanage fcontext -l的输出和原始的文件file_contexts的内容几乎是相同的

/etc/selinux/targeted/contexts/files/file_contexts

(7)为一个目录添加一个新的规则

=============================

Add file-context for everything under /web (used by restorecon)

1)新建一条规则,指定/web目录及其下的所有文件的扩展属性为httpd_sys_content_t [root@rhdb1 ~]# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"

2) 验证新添加的规则,可以发现已经添加到系统里了。

[root@rhdb1 ~]# semanage fcontext -l |grep web

/var/lib/webalizer(/.*)? all files system_u:object_r:webalizer_var_lib_t:s0

/usr/libexec/evolution-webcal.* regular file system_u:object_r:evolution_webcal_exec_t:s0

/usr/bin/webalizer regular file system_u:object_r:webalizer_exec_t:s0

/usr/share/texmf/web2c/mktexdir regular file system_u:object_r:bin_t:s0

/usr/share/texmf/web2c/mktexnam regular file system_u:object_r:bin_t:s0

/usr/share/texmf/web2c/mktexupd regular file system_u:object_r:bin_t:s0

/web(/.*)? all files system_u:object_r:httpd_sys_content_t:s0

3) 修正文件系统,使其变为规则规定的扩展属性

[root@rhdb1 ~]# ls -Z /web

-rw-r--r-- root root root:object_r:default_t index.html

[root@rhdb1 ~]# fixfiles relabel /web

Files in the /tmp directory may be labeled incorrectly, this command

can remove all files in /tmp. If you choose to remove files from /tmp,

a reboot will be required after completion.

Do you wish to clean out the /tmp directory [N]?

[root@rhdb1 ~]# ls -Z /web

-rw-r--r-- root root system_u:object_r:httpd_sys_content_t index.html

[root@rhdb1 ~]#

(8)查看translation

====================

[root@rhdb1 wwwttt]# semanage translation -l

Level Translation

s0

s0-s0:c0.c1023 SystemLow-SystemHigh

s0:c0.c1023 SystemHigh

[root@rhdb1 wwwttt]#

(9)添加规则命令的注意事项

==========================

1)添加规则命令,至少会更新如下文件:

[root@rhdb1 files]# pwd

/etc/selinux/targeted/contexts/files

[root@rhdb1 files]# ll

total 164

-rw-r--r-- 1 root root 124157 Mar 27 00:06 file_contexts

-rw-r--r-- 1 root root 1218 Mar 27 00:06 file_contexts.homedirs

-rw-r--r-- 1 root root 151 Mar 27 00:06 file_contexts.local

-rw-r--r-- 1 root root 1006 Mar 27 00:06 homedir_template

-rw-r--r-- 1 root root 139 Apr 29 2008 media

[root@rhdb1 files]#

2) 命令【semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"】会创建一个新文件,如下所示:

[root@rhdb1 files]# cat file_contexts.local

# This file is auto-generated by libsemanage

# Please use the semanage command to make changes

/web(/.*)? system_u:object_r:httpd_sys_content_t:s0

[root@rhdb1 files]#

3) 直接写入文件的规则,在semanage更新时都会被删除:

/etc/selinux/targeted/contexts/files/file_contexts

/etc/selinux/targeted/contexts/files/file_contexts.local

4) 对于处在/home下的目录,设置权限时需使用命令semanage或编辑file_contexts.local, 编辑file_contexts无效。

[root@rhdb1 web]# semanage fcontext -a -t httpd_sys_content_t "/home/wwwttt(/.*)?" [root@rhdb1 home]# fixfiles relabel /home

Files in the /tmp directory may be labeled incorrectly, this command

can remove all files in /tmp. If you choose to remove files from /tmp,

a reboot will be required after completion.

Do you wish to clean out the /tmp directory [N]?

[root@rhdb1 home]#

取消添加的规则:

添加规则后,file_contexts.local新增的内容

/home/wwwttt(/.*)? system_u:object_r:httpd_sys_content_t:s0

[root@rhdb1 web]# semanage fcontext -d -t httpd_sys_content_t "/home/wwwttt(/.*)?"

(10) semanage操作的实际文件是哪个文件?

==================================

操作平台:REHL 5.2 x86

服务器:非品牌机

问题描述:直接编辑规则文件file_contexts和file_contexts.local,在使用semanage操作时,无法查找到变更,而且每次semanage更新都会更新file_contexts和file_contexts.local, 直接vi 进行编辑的更改,都将被重新恢复。

我想知道的是semanage对系统进行配置变更后,最终它存储的在什么位置。官方建议是直接编辑

文件还是使用semanage操作。

Redhat: 实际操作如下3个目录的文件,手工删除时必须同时删除这三个地方的相关文件信息。官方

建议使用semanage进行管理。

/etc/selinux/targeted/modules/previous

/etc/selinux/targeted/modules/active

/etc/selinux/targeted/contexts/files

相关主题
相关文档
最新文档