SELinux Boolean variable
1. Function:
Boolean variables let an administrator adjust parts of the SELinux policy for network services on a running system, without knowing how the underlying SELinux policy is written and without reloading or recompiling the policy.
2. Managing Boolean variables
1) Query Boolean variable
[root@host ~]# semanage boolean -l          # long-format listing of all booleans
SELinux boolean                          State  Default Description
ftp_home_dir                   (off  ,  off)  Allow ftp to read and write files in the user home directories
smartmon_3ware                 (off  ,  off)  Enable additional permissions needed to support devices on 3ware controllers.
xdm_sysadm_login               (off  ,  off)  Allow xdm logins as sysadm
xen_use_nfs                    (off  ,  off)  Allow xen to manage nfs files
mozilla_read_content                          Control mozilla content access
ssh_chroot_rw_homedirs         (off  ,  off)  Allow ssh with chroot env to read and write files in the user home directories
[root@host ~]# semanage boolean -l | grep ssh   # booleans related to the ssh service
ssh_chroot_rw_homedirs         (off  ,  off)  Allow ssh with chroot env to read and write files in the user home directories
ssh_sysadm_login               (off  ,  off)  Allow ssh login to sysadm_r:sysadm_t
allow_ssh_keysign              (off  ,  off)  Allow host key based authentication
fenced_can_ssh                 (off  ,  off)  Allow fenced domain to execute ssh.
[root@host ~]# getsebool -a | grep http    # list the booleans related to http; each line shows "name --> state"
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_read_user_content --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
[root@host ~]# getsebool httpd_enable_cgi          # check the state of one boolean
httpd_enable_cgi --> on
[root@host ~]# getsebool httpd_enable_cgi tftp_anon_write   # check several booleans at once
httpd_enable_cgi --> on
tftp_anon_write --> off
2) Set Boolean variable
[root@host ~]# getsebool httpd_enable_cgi
httpd_enable_cgi --> on
[root@host ~]# setsebool httpd_enable_cgi off      # turn the boolean off temporarily; the change is lost on reboot
[root@host ~]# getsebool httpd_enable_cgi
httpd_enable_cgi --> off
[root@host ~]# getsebool httpd_enable_cgi          # after a reboot the boolean is back to its default
httpd_enable_cgi --> on
[root@host ~]# setsebool -P httpd_enable_cgi off   # turn the boolean off permanently; note the capital P
[root@host ~]# getsebool httpd_enable_cgi
httpd_enable_cgi --> off
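The commands above show how to read and set one boolean at a time. As an added example (not part of the original post), the following POSIX shell script turns that into a repeatable check: it parses `getsebool -a` output in the "name --> state" form shown above, compares it with an expected baseline, reports every boolean that has drifted (including booleans the loaded policy does not define at all, which appear as "missing"), and prints the `setsebool -P` commands that would restore the baseline. The sample output and the baseline are constructed for the example; on a real host, feed it the real output of `getsebool -a`.

```shell
#!/bin/sh
# Added example (not from the original post): audit SELinux booleans against
# an expected baseline and print the setsebool -P commands that would fix drift.

# Constructed sample of `getsebool -a` output (one "name --> state" line each).
# On a real host use:  SAMPLE_GETSEBOOL=$(getsebool -a)
SAMPLE_GETSEBOOL='allow_httpd_anon_write --> off
httpd_can_network_connect --> on
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
ftp_home_dir --> on
tftp_anon_write --> off'

# Hypothetical baseline for a web server: "name expected_state" per line.
# httpd_use_nfs is deliberately absent from the sample output above.
BASELINE='allow_httpd_anon_write off
httpd_can_network_connect off
httpd_enable_cgi on
httpd_enable_homedirs off
ftp_home_dir off
httpd_use_nfs off'

# bool_state NAME GETSEBOOL_OUTPUT
# Prints the current state of NAME ("on"/"off"), or "missing" when the boolean
# does not appear in the output (the loaded policy does not define it).
bool_state() {
    printf '%s\n' "$2" | awk -v n="$1" '
        $1 == n && $2 == "-->" { print $3; found = 1 }
        END { if (!found) print "missing" }'
}

# audit_booleans BASELINE GETSEBOOL_OUTPUT
# Prints one line "name expected actual" for every boolean whose current
# state differs from the baseline; prints nothing when the host is compliant.
audit_booleans() {
    printf '%s\n' "$1" | while read -r name expected; do
        if [ -z "$name" ]; then continue; fi
        actual=$(bool_state "$name" "$2")
        if [ "$actual" != "$expected" ]; then
            printf '%s %s %s\n' "$name" "$expected" "$actual"
        fi
    done
}

# drift_count BASELINE GETSEBOOL_OUTPUT  -> number of drifted booleans
drift_count() {
    audit_booleans "$1" "$2" | awk 'NF { n++ } END { print n + 0 }'
}

# remediation BASELINE GETSEBOOL_OUTPUT
# Prints the persistent setsebool commands that would restore the baseline.
# Booleans reported as "missing" are skipped: setsebool cannot set a boolean
# the loaded policy does not define, so those need a policy change instead.
remediation() {
    audit_booleans "$1" "$2" | while read -r name expected actual; do
        if [ -z "$name" ] || [ "$actual" = missing ]; then continue; fi
        printf 'setsebool -P %s %s\n' "$name" "$expected"
    done
}

# Stand-alone run: report drift against the constructed sample.
echo "Drifted booleans: $(drift_count "$BASELINE" "$SAMPLE_GETSEBOOL")"
audit_booleans "$BASELINE" "$SAMPLE_GETSEBOOL"
echo "Remediation:"
remediation "$BASELINE" "$SAMPLE_GETSEBOOL"
```

Run against the constructed sample, the script reports three drifted booleans (httpd_can_network_connect and ftp_home_dir are on but expected off; httpd_use_nfs is missing) and emits two `setsebool -P` commands. The remediation output is printed rather than executed on purpose, so that a change to a persistent boolean is reviewed before it is applied.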
3) Booleans that control whether users may execute applications
On RHEL 6 systems, Linux users confined to the guest_t and xguest_t domains cannot, by default, execute applications located in their home directories or in /tmp.
Users in the user_t and staff_t domains do not have this restriction.
[root@host ~]# getsebool allow_guest_exec_content   # default setting for the guest_t domain
allow_guest_exec_content --> off
[root@host ~]# setsebool -P allow_guest_exec_content on   # allow users in the guest_t domain to execute applications
[root@host ~]# getsebool allow_guest_exec_content
allow_guest_exec_content --> on
[root@host ~]# setsebool -P allow_user_exec_content off   # stop user_t users from executing applications in those directories
[root@host ~]# getsebool allow_user_exec_content
allow_user_exec_content --> off
This article is from the blog "Learn the system well, work smoothly"; please keep this source: http://stlong.blog.51cto.com/5144113/1565508