10. SELinux
## 1. What is SELinux ##
SELinux (Security-Enhanced Linux): a kernel-level security enhancement, often described as a kernel-level enhanced firewall, that enforces mandatory access control on processes and files.
## 2. How to manage SELinux levels ##
Turn SELinux on or off:
vim /etc/sysconfig/selinux
SELINUX=disabled // off
SELINUX=enforcing // mandatory: denials are enforced
SELINUX=permissive // warning only: denials are logged but not enforced
A change to this file takes effect after a reboot.
getenforce // view the current status
While SELinux is enabled (enforcing or permissive):
setenforce 0|1 // change the SELinux run level (0: permissive/warning, 1: enforcing/mandatory)
## 3. Management of service access to files ##
If a file's security context does not match the context the service is allowed to access, the service cannot see the file.
Modify the file security context
< temporary changes >
chcon -t <security_context_type> <file>
chcon -t public_content_t /publicftp -R
Test
< permanent changes >
A chcon change only alters the file's current label; if SELinux is turned off and later re-enabled, the kernel relabels the file system from the policy's context database and the temporary change is lost.
semanage fcontext -l // list the contents of the kernel security context list
semanage fcontext -a -t public_content_t '/publicftp(/.*)?' // add a permanent rule for the directory tree
restorecon -FvvR /publicftp/ // refresh the file security context so the rule is applied
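As an added example (not part of these notes), a small POSIX shell script that checks the two things the procedure above relies on: the mode set in /etc/sysconfig/selinux and whether the files under a directory carry the type the service expects, printing the semanage/restorecon pair that fixes them. The sample config and the `ls -Z`-style lines are constructed, and no SELinux tool is executed.

```shell
#!/bin/sh
# Added example (not from the original notes): offline helpers for the
# checks behind this page's procedure; constructed input, no SELinux tools run.
# Constructed sample of /etc/sysconfig/selinux, comments included.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
SELINUX=enforcing
SELINUXTYPE=targeted'

# Constructed sample in the shape of `ls -Z /publicftp` output: "<context> <path>".
SAMPLE_LS_Z='unconfined_u:object_r:public_content_t:s0 /publicftp/readme.txt
unconfined_u:object_r:default_t:s0 /publicftp/upload
unconfined_u:object_r:public_content_t:s0 /publicftp/pub'

# Print the SELINUX= mode from config text on stdin, skipping comment lines
# (SELINUXTYPE= does not match because "=" must follow SELINUX directly).
selinux_config_mode() {
    grep -v '^[[:space:]]*#' | sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' | head -n 1
}

# Print the type field (third colon-separated part) of a security context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "<context> <path>" lines on stdin; print every path whose type is not
# $1 (the type the service expects). Returns 1 if any mismatch was found.
find_mislabeled() {
    expected=$1
    status=0
    while read -r ctx path; do
        if [ -n "$ctx" ] && [ "$(context_type "$ctx")" != "$expected" ]; then
            printf '%s\n' "$path"
            status=1
        fi
    done
    return $status
}

# Print the page's permanent fix for a directory ($1) and type ($2), in the
# order it must run: register the rule with semanage, then apply it with restorecon.
permanent_fix_commands() {
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$2" "$1"
    printf 'restorecon -FvvR %s\n' "$1"
}
# Usage with the constructed samples:
printf '%s\n' "$SAMPLE_CONFIG" | selinux_config_mode
printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled public_content_t || echo 'mismatches listed above'
permanent_fix_commands /publicftp public_content_t
```

On a real host, feed `ls -Z` of the served directory into `find_mislabeled` with the type the service expects to spot files it will not be able to read.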
## 4. Manage the functionality of the service itself ##
Some features of services are turned off by default for system security reasons.
SELinux booleans switch these features on and off:
getsebool -a | grep <service name> // view whether a service feature is allowed
getsebool -a | grep ftp
setsebool -P <boolean> on|off // set the service feature status (-P makes it persistent across reboots)
setsebool -P ftpd_anon_write on
## 5. Monitor the SELinux error messages ##
setroubleshoot-server // install this package; it watches the audit log and reports SELinux denials in readable form
Linux notes 2-10 SELinux