Detailed explanation of the semanage command
(1) View login users' permission (SELinux mapping) information
(2) View SELinux user mappings
(3) View the ports authorized for all OBJECTS
(4) Allow Apache to listen on port 81
(5) View interfaces
(6) View all fcontexts
(7) Add a new rule for a directory
(8) View translations
(9) Notes on the rule-adding commands
(10) Which files does semanage actually operate on?
[root@rhdb1 files]# semanage -h
semanage {login|user|port|interface|fcontext|translation} -l [-n]
semanage login -{a|d|m} [-sr] login_name
semanage user -{a|d|m} [-LrRP] selinux_name
semanage port -{a|d|m} [-tr] [ -p protocol ] port | port_range
semanage interface -{a|d|m} [-tr] interface_spec
semanage fcontext -{a|d|m} [-frst] file_spec
semanage translation -{a|d|m} [-T] level
Primary Options:
-a, --add Add a OBJECT record NAME
-d, --delete Delete a OBJECT record NAME
-m, --modify Modify a OBJECT record NAME
-l, --list List the OBJECTS
-h, --help Display this message
-n, --noheading Do not print heading when listing OBJECTS
-S, --store Select and alternate SELinux store to manage
Object-specific Options (see above):
-f, --ftype File Type of OBJECT
"" (all files)
-- (regular file)
-d (directory)
-c (character device)
-b (block device)
-s (socket)
-l (symbolic link)
-p (named pipe)
-p, --proto Port protocol (tcp or udp)
-P, --prefix Prefix for home directory labeling
-L, --level Default SELinux Level (MLS/MCS Systems only)
-R, --roles SELinux Roles (ex: "sysadm_r staff_r")
-T, --trans SELinux Level Translation (MLS/MCS Systems only)
-s, --seuser SELinux User Name
-t, --type SELinux Type for the object
-r, --range MLS/MCS Security Range (MLS/MCS Systems only)
Requires 2 or more arguments
[root@rhdb1 files]#
(1) View login users' permission information
==========================
[root@rhdb1 wwwttt]# semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ user_u s0
root root SystemLow-SystemHigh
[root@rhdb1 wwwttt]#
# semanage login -a -s user_u testuser
First argument (user_u): the SELinux user
Second argument (testuser): the Linux system user
Test:
[root@Manager ~]# semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ user_u s0
root root SystemLow-SystemHigh
[root@Manager ~]#
The output shows that the system has two SELinux users (user_u and root).
1) Add a login name
Note: the user to be added must already exist as a system account, as shown below:
[root@Manager home]# semanage login -a -s user_u testuser
/usr/sbin/semanage: Linux User testuser does not exist
[root@Manager home]# useradd testuser
[root@Manager home]# semanage login -a -s user_u testuser
[root@Manager home]#
[root@Manager home]#
[root@Manager home]# semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ user_u s0
root root SystemLow-SystemHigh
testuser user_u s0
[root@Manager home]#
The following two commands are equivalent; when -s is not given, the default SELinux user user_u is used:
# semanage login -a testuser
# semanage login -a -s user_u testuser
2) Delete the login name that was created
[root@Manager home]# semanage login -d testuser
[root@Manager home]# semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ user_u s0
root root SystemLow-SystemHigh
[root@Manager home]#
3) Add a login name that is mapped to the SELinux user root
[root@Manager home]# semanage login -a -s root yzhq
[root@Manager home]# semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ user_u s0
root root SystemLow-SystemHigh
testuser user_u s0
yzhq root s0
[root@Manager home]#
User yzhq logs in:
[yzhq@Manager ~]$ id
uid=503(yzhq) gid=504(yzhq) groups=504(yzhq) context=root:system_r:unconfined_t
[yzhq@Manager ~]$
[yzhq@Manager ~]$ df > disk.txt
[yzhq@Manager ~]$ ls -Z disk.txt
-rw-rw-r-- yzhq yzhq root:object_r:user_home_t disk.txt
[yzhq@Manager ~]$
After the login mapping is deleted, user yzhq logs in again:
[root@Manager home]# semanage login -d yzhq
[root@Manager home]# semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ user_u s0
root root SystemLow-SystemHigh
testuser user_u s0
[root@Manager home]#
User yzhq logs in:
[yzhq@Manager ~]$ id
uid=503(yzhq) gid=504(yzhq) groups=504(yzhq) context=user_u:system_r:unconfined_t
[yzhq@Manager ~]$ df > b.txt
[yzhq@Manager ~]$ ls -Z
-rw-rw-r-- yzhq yzhq user_u:object_r:user_home_t b.txt
-rw-rw-r-- yzhq yzhq root:object_r:user_home_t disk.txt
[yzhq@Manager ~]$
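The login table above is worth auditing rather than just reading, because a Linux login mapped to the SELinux user root gets a root:system_r:... context even though its uid is unprivileged (exactly what happened to yzhq). The following POSIX shell script is an added example, not code from the original page: LOGIN_MAP is a constructed copy of the `semanage login -l` listing shown above, and the function names are my own. On a real host replace the constant with `LOGIN_MAP=$(semanage login -l)`.

```shell
#!/bin/sh
# Constructed copy of the `semanage login -l` listing from the session above
# (not captured live); on a real host use: LOGIN_MAP=$(semanage login -l)
LOGIN_MAP='Login Name                SELinux User              MLS/MCS Range
__default__               user_u                    s0
root                      root                      SystemLow-SystemHigh
testuser                  user_u                    s0
yzhq                      root                      s0'

# Print every Linux login mapped to the SELinux user given as $1
# (column 2), skipping the header line.
logins_mapped_to() {
    printf '%s\n' "$LOGIN_MAP" | awk -v want="$1" 'NR > 1 && $2 == want { print $1 }'
}

# Logins other than root that are mapped to the SELinux user root: such a
# login receives a root:system_r:... context at login, as yzhq did above,
# even though its Linux uid is unprivileged.
unexpected_root_mappings() {
    logins_mapped_to root | grep -vx root
}

# SELinux user a login will be assigned: its own mapping if one exists,
# otherwise the __default__ mapping.
effective_seuser() {
    printf '%s\n' "$LOGIN_MAP" | awk -v login="$1" '
        NR > 1 && $1 == login         { own = $2 }
        NR > 1 && $1 == "__default__" { dflt = $2 }
        END { print (own != "" ? own : dflt) }'
}
```

Running `unexpected_root_mappings` against the listing prints only yzhq, which is the mapping that should be reviewed; `effective_seuser` answers the question the page raises about unmapped accounts (they fall through to the __default__ row).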
(2) View SELinux user mappings
===============================
[root@rhdb1 wwwttt]# semanage user -l
Labeling MLS/ MLS/
SELinux User Prefix MCS Level MCS Range SELinux Roles
root user s0 SystemLow-SystemHigh system_r sysadm_r user_r
system_u user s0 SystemLow-SystemHigh system_r
user_u user s0 SystemLow-SystemHigh system_r sysadm_r user_r
[root@rhdb1 wwwttt]#
[root@rhdb1 wwwttt]#
(3) View the ports authorized for all OBJECTS
===============================
[root@rhdb1 wwwttt]# semanage port -l |more
SELinux Port Type Proto Port Number
afs_bos_port_t udp 7007
afs_fs_port_t tcp 2040
afs_fs_port_t udp 7000, 7005
afs_ka_port_t udp 7004
afs_pt_port_t udp 7002
afs_vl_port_t udp 7003
amanda_port_t tcp 10080, 10081, 10082, 10083
amanda_port_t udp 10080, 10081
amavisd_recv_port_t tcp 10024
amavisd_send_port_t tcp 10025
apcupsd_port_t tcp 3551
apcupsd_port_t udp 3551
asterisk_port_t tcp 1720
asterisk_port_t udp 2427, 2727, 4569, 5060
auth_port_t tcp 113
(4) Allow Apache to listen on port 81
==========================
With SELinux enabled, after the default port is changed (80 -> 81) the service will not start. Solution:
[root@rhdb1 wwwttt]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:81
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:81
no listening sockets available, shutting down
Unable to open logs
[FAILED]
[root@rhdb1 wwwttt]#
[root@rhdb1 wwwttt]# semanage port -a -t http_port_t -p tcp 81
[root@rhdb1 wwwttt]# service httpd restart
Stopping httpd: [FAILED]
Starting httpd: [ OK ]
[root@rhdb1 wwwttt]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root@rhdb1 wwwttt]#
Note: after changing back to 80, no further setting is needed. The output below shows that port 81 has been authorized to the http_port_t type.
[root@rhdb1 wwwttt]# semanage port -l |grep http_port_t
http_port_t tcp 81, 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t tcp 5988
[root@rhdb1 wwwttt]#
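Before running `semanage port -a` it pays to check what already owns the port, because `-a` only works for a port that is not yet individually listed; if another type already lists it, semanage refuses with an "already defined" error and `-m` is needed instead. The script below is an added example, not code from the original page: PORT_MAP is a constructed excerpt in the layout of the `semanage port -l` listing above (with one catch-all range row added), and the function names are my own. On a real host use `PORT_MAP=$(semanage port -l)`.

```shell
#!/bin/sh
# Constructed excerpt of `semanage port -l` in the same layout as the page
# (rows from the listing above plus a catch-all range row); on a real host
# use: PORT_MAP=$(semanage port -l)
PORT_MAP='SELinux Port Type              Proto    Port Number
amanda_port_t                  tcp      10080, 10081, 10082, 10083
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t            tcp      5988
unreserved_port_t              tcp      1024-65535'

# Print the SELinux port type covering PROTO PORT, or nothing.
# Usage: port_type_for PROTO PORT [EXPLICIT]
# Handles both "80, 443" lists and "1024-65535" ranges in the Port Number
# column; an explicitly listed port beats a range. With EXPLICIT=1, ranges
# are ignored and only individually listed ports count.
port_type_for() {
    proto=$1; port=$2; explicit=${3:-0}
    printf '%s\n' "$PORT_MAP" | awk -v proto="$proto" -v port="$port" -v explicit="$explicit" '
        NR > 1 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                f = $i; sub(/,$/, "", f)           # strip the list separator
                if (f ~ /-/) {
                    split(f, r, "-")
                    if (!explicit && port+0 >= r[1]+0 && port+0 <= r[2]+0) range = $1
                } else if (f+0 == port+0) {
                    found = $1; exit                 # explicit entry wins
                }
            }
        }
        END { if (found != "") print found; else if (range != "") print range }'
}

# Work out which semanage verb labels PROTO PORT with TYPE:
#   -a  when the port is not individually listed (even if a catch-all range
#       such as unreserved_port_t covers it), as with port 81 above;
#   -m  when another type already lists it explicitly, because -a then fails
#       with an "already defined" error and the existing entry must be modified;
#   nothing when the port already carries TYPE.
plan_port_change() {
    type=$1; proto=$2; port=$3
    current=$(port_type_for "$proto" "$port" 1)
    case "$current" in
        "$type") echo "none: $port/$proto already labeled $type" ;;
        "")      echo "semanage port -a -t $type -p $proto $port" ;;
        *)       echo "semanage port -m -t $type -p $proto $port   # currently $current" ;;
    esac
}
```

`plan_port_change http_port_t tcp 81` prints the exact command used on the page, while asking for tcp/5988 shows the `-m` form because pegasus_http_port_t already owns that port; the script only prints the command, it does not run it, so it is safe to use as a pre-change check.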
(5) View interfaces
==================
[root@rhdb1 wwwttt]# semanage interface -l
SELinux Interface Context
[root@rhdb1 wwwttt]#
(6) View all fcontexts
======================
[root@rhdb1 wwwttt]# semanage fcontext -l |more
SELinux fcontext type Context
/.* all files system_u:object_r:default_t:s0
/xen(/.*)? all files system_u:object_r:xen_image_t:s0
/mnt(/[^/]*) symbolic link system_u:object_r:mnt_t:s0
/mnt(/[^/]*)? directory system_u:object_r:mnt_t:s0
/lib(64)?/dbus-1/dbus-daemon-launch-helper regular file system_u:object_r:bin_t:s0
/bin/.* all files system_u:object_r:bin_t:s0
/dev/.* all files system_u:object_r:device_t:s0
/lib/.* all files system_u:object_r:lib_t:s0
/var/.* all files system_u:object_r:var_t:s0
/etc/.* all files system_u:object_r:etc_t:s0
/srv/.* all files system_u:object_r:var_t:s0
/sys/.* all files <<None>>
/usr/.* all files system_u:object_r:usr_t:s0
/tmp/.* all files <<None>>
/opt/.* all files system_u:object_r:usr_t:s0
/mnt/[^/]*/.* all files <<None>>
Note: the output of semanage fcontext -l is almost identical to the contents of the original file_contexts file:
/etc/selinux/targeted/contexts/files/file_contexts
(7) Add a new rule for a directory
=============================
Add file-context for everything under /web (used by restorecon)
1) Create a new rule that sets the extended attribute (SELinux label) of the /web directory and everything under it to httpd_sys_content_t:
[root@rhdb1 ~]# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
2) Verify the newly added rule; it has been added to the system.
[root@rhdb1 ~]# semanage fcontext -l |grep web
/var/lib/webalizer(/.*)? all files system_u:object_r:webalizer_var_lib_t:s0
/usr/libexec/evolution-webcal.* regular file system_u:object_r:evolution_webcal_exec_t:s0
/usr/bin/webalizer regular file system_u:object_r:webalizer_exec_t:s0
/usr/share/texmf/web2c/mktexdir regular file system_u:object_r:bin_t:s0
/usr/share/texmf/web2c/mktexnam regular file system_u:object_r:bin_t:s0
/usr/share/texmf/web2c/mktexupd regular file system_u:object_r:bin_t:s0
/web(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
3) Relabel the filesystem so that the files get the extended attributes the rule specifies
[root@rhdb1 ~]# ls -Z /web
-rw-r--r-- root root root:object_r:default_t index.html
[root@rhdb1 ~]# fixfiles relabel /web
Files in the /tmp directory may be labeled incorrectly, this command
can remove all files in /tmp. If you choose to remove files from /tmp,
a reboot will be required after completion.
Do you wish to clean out the /tmp directory [N]?
[root@rhdb1 ~]# ls -Z /web
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t index.html
[root@rhdb1 ~]#
(8) View translations
====================
[root@rhdb1 wwwttt]# semanage translation -l
Level Translation
s0
s0-s0:c0.c1023 SystemLow-SystemHigh
s0:c0.c1023 SystemHigh
[root@rhdb1 wwwttt]#
(9) Notes on the rule-adding commands
==========================
1) A rule-adding command updates at least the following files:
[root@rhdb1 files]# pwd
/etc/selinux/targeted/contexts/files
[root@rhdb1 files]# ll
total 164
-rw-r--r-- 1 root root 124157 Mar 27 00:06 file_contexts
-rw-r--r-- 1 root root 1218 Mar 27 00:06 file_contexts.homedirs
-rw-r--r-- 1 root root 151 Mar 27 00:06 file_contexts.local
-rw-r--r-- 1 root root 1006 Mar 27 00:06 homedir_template
-rw-r--r-- 1 root root 139 Apr 29 2008 media
[root@rhdb1 files]#
2) The command semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" creates a new file, as shown below:
[root@rhdb1 files]# cat file_contexts.local
# This file is auto-generated by libsemanage
# Please use the semanage command to make changes
/web(/.*)? system_u:object_r:httpd_sys_content_t:s0
[root@rhdb1 files]#
3) Rules written directly into the following files are deleted whenever semanage updates them:
/etc/selinux/targeted/contexts/files/file_contexts
/etc/selinux/targeted/contexts/files/file_contexts.local
4) For directories under /home, set the label with the semanage command or by editing file_contexts.local; editing file_contexts has no effect.
[root@rhdb1 web]# semanage fcontext -a -t httpd_sys_content_t "/home/wwwttt(/.*)?"
[root@rhdb1 home]# fixfiles relabel /home
Files in the /tmp directory may be labeled incorrectly, this command
can remove all files in /tmp. If you choose to remove files from /tmp,
a reboot will be required after completion.
Do you wish to clean out the /tmp directory [N]?
[root@rhdb1 home]#
Removing the added rule:
Content added to file_contexts.local after the rule was added:
/home/wwwttt(/.*)? system_u:object_r:httpd_sys_content_t:s0
[root@rhdb1 web]# semanage fcontext -d -t httpd_sys_content_t "/home/wwwttt(/.*)?"
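Sections (7) and (9) both rely on the same idea: a regex rule decides which type a path should carry, and restorecon/fixfiles only changes files whose on-disk label disagrees with that rule. The script below is an added example, not code from the original page or from the SELinux tools. FCONTEXT_RULES is a constructed table in the layout of `semanage fcontext -l` containing the base catch-all plus the two rules added on the page, and LS_Z_WEB is a constructed copy of the `ls -Z /web` listing before relabeling. The matching model is a simplification of matchpathcon that I assume here: the last rule whose regex matches the whole path wins, local rules are listed after base rules so they override the catch-all, and the file-type column is ignored.

```shell
#!/bin/sh
# Constructed rule table in the layout of `semanage fcontext -l` (regex,
# file type, context), not a live capture: the base catch-all first, then the
# two local rules added on the page. Local rules are listed after the base
# ones because file_contexts.local is read after file_contexts.
FCONTEXT_RULES='/.*                  all files   system_u:object_r:default_t:s0
/mnt(/[^/]*)?        directory   system_u:object_r:mnt_t:s0
/web(/.*)?           all files   system_u:object_r:httpd_sys_content_t:s0
/home/wwwttt(/.*)?   all files   system_u:object_r:httpd_sys_content_t:s0'

# Constructed `ls -Z` listing for /web: the page's index.html before
# relabeling plus one already-correct file.
LS_Z_WEB='-rw-r--r-- root root root:object_r:default_t index.html
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t:s0 notes.txt'

# Type field of a context: works for system_u:object_r:default_t:s0 and for
# the 3-field form root:object_r:default_t that ls -Z printed above.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Type a path should carry. Simplified model of matchpathcon (assumption):
# the last rule whose regex matches the whole path wins, so the local rules
# override the catch-all /.*; the file-type column is ignored.
expected_type() {
    path=$1; best=""
    pairs=$(printf '%s\n' "$FCONTEXT_RULES" | awk '{ print $1, $NF }')
    while read -r re ctx; do
        if printf '%s\n' "$path" | grep -Eqx -- "$re"; then best=$ctx; fi
    done <<EOF
$pairs
EOF
    if [ -n "$best" ]; then ctx_type "$best"; fi
}

# Report files in DIR whose on-disk type differs from the rules, i.e. what
# restorecon/fixfiles would change. Usage: mislabeled_in DIR "$(ls -Z DIR)"
mislabeled_in() {
    dir=$1
    printf '%s\n' "$2" | while read -r _perm _user _group ctx name; do
        want=$(expected_type "$dir/$name")
        have=$(ctx_type "$ctx")
        [ "$want" = "$have" ] || printf '%s %s -> %s\n' "$name" "$have" "$want"
    done
}
```

`mislabeled_in /web "$LS_Z_WEB"` reports only index.html (default_t should be httpd_sys_content_t), which is exactly the file that `fixfiles relabel /web` changed in section (7); `expected_type /home/wwwttt/index.html` shows the /home rule from section (9) taking effect, and `expected_type /mnt/cdrom/file` shows why `/mnt(/[^/]*)?` does not reach below one level.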
(10) Which files does semanage actually operate on?
==================================
Platform: RHEL 5.2 x86
Server: non-branded (white-box) machine
Problem description: after the rule files file_contexts and file_contexts.local are edited directly, semanage cannot see the changes, and every semanage update rewrites file_contexts and file_contexts.local, so any change made directly with vi is reverted.
What I want to know is where semanage ultimately stores its configuration changes, and whether the official recommendation is to edit the
files directly or to use semanage.
Red Hat: semanage actually operates on the files in the following three directories; when deleting by hand, the related entries must be removed from all three places at the same time. The official
recommendation is to manage them with semanage.
/etc/selinux/targeted/modules/previous
/etc/selinux/targeted/modules/active
/etc/selinux/targeted/contexts/files