SELinux operations explained

2021-09-02 20:26:03

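The getenforce command joins the words get and enforce. It shows the SELinux state and is the counterpart of the setenforce command.

The setenforce command joins the words set and enforce and is used to set the SELinux state. For example, setenforce 0 turns SELinux enforcement off (the mode becomes permissive), but the setting is lost after a reboot.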

[root@localhost ~]# getenforce
enforcing

In the sestatus output, current mode shows the security policy mode SELinux is currently applying.

[root@localhost ~]# /usr/sbin/sestatus
selinux status:                 enabled
selinuxfs mount:                /sys/fs/selinux
selinux root directory:         /etc/selinux
loaded policy name:             targeted
current mode:                   enforcing
mode from config file:          enforcing
policy mls status:              enabled
policy deny_unknown status:     allowed
max kernel policy version:      28

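selinux status: the state of SELinux; enabled means SELinux is turned on.

current mode: the security policy mode SELinux is currently applying; enforcing means forced

setenforce 0: turns SELinux enforcement off (the mode becomes permissive), but the setting is lost after a reboot.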

[root@localhost ~]# setenforce 0
[root@localhost ~]# /usr/sbin/sestatus
selinux status:                 enabled
selinuxfs mount:                /sys/fs/selinux
selinux root directory:         /etc/selinux
loaded policy name:             targeted
current mode:                   permissive
mode from config file:          enforcing
policy mls status:              enabled
policy deny_unknown status:     allowed
max kernel policy version:      28

Editing the SELinux configuration file takes effect after a reboot. Open the SELinux configuration file, change SELINUX=enforcing to SELINUX=disabled, then save and exit.

[root@localhost ~]# vim /etc/selinux/config
# this file controls the state of selinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - selinux security policy is enforced.
#     permissive - selinux prints warnings instead of enforcing.
#     disabled - no selinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
#     targeted - targeted processes are protected,
#     minimum - modification of targeted policy. only selected processes are protected.
#     mls - multi level security protection.
SELINUXTYPE=targeted

At this point, querying the current SELinux security policy mode still returns enforcing; the configuration file has not yet taken effect.

[root@localhost ~]# getenforce
enforcing

Reboot

[root@localhost ~]# reboot

Verify

[root@localhost ~]# /usr/sbin/sestatus
selinux status:                 disabled
[root@localhost ~]# getenforce
disabled
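After setenforce 0 the current mode and mode from config file fields disagree, and after the config change sestatus reports only a disabled status line, so a small check over the sestatus output can flag both states. The script below is an added example, not part of the original article; the function name selinux_audit and its verdict strings are hypothetical, and the sample input is constructed from the fields shown on this page.

```shell
#!/bin/sh
# Added example, not from the original page. selinux_audit and its verdict
# strings are hypothetical names; only the sestatus field names are real.

# Read `sestatus` output on stdin, print a verdict, return non-zero unless
# SELinux is enforcing both at runtime and in /etc/selinux/config.
selinux_audit() {
    awk -F':' '
        {   # Match field names case-insensitively and trim padding.
            key = tolower($1); val = tolower($2)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        key == "selinux status"        { status = val }
        key == "current mode"          { current = val }
        key == "mode from config file" { config = val }
        END {
            if (status == "disabled") { print "DISABLED: no policy is loaded"; exit 2 }
            if (status == "" || current == "" || config == "") {
                print "UNKNOWN: expected sestatus fields not found"; exit 3
            }
            if (current != config) {
                printf "DRIFT: running %s, config file says %s\n", current, config
                exit 1
            }
            if (current != "enforcing") { print "NOT ENFORCING: mode is " current; exit 1 }
            print "OK: enforcing at runtime and in config"
        }'
}

# Constructed sample: the fields this page shows after `setenforce 0`.
SAMPLE_AFTER_SETENFORCE_0='selinux status:                 enabled
current mode:                   permissive
mode from config file:          enforcing'

printf '%s\n' "$SAMPLE_AFTER_SETENFORCE_0" | selinux_audit || true
```

On a live host the same function can be fed directly with `/usr/sbin/sestatus | selinux_audit`, and the exit code used in a monitoring job.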
