selinux的布尔变量

1.作用：

利用布尔变量，在系统运行情况下可以实现：

调整网络服务的部分SELinux策略，

而不用知道具体的SELinux策略如何编写，

也不需要重新加载或重新编译SELinux策略。

2.管理布尔变量

1）查询布尔变量

[[email protected] ~]# semanage boolean -l   ##长格式查看所有布尔变量

SELinux 布尔值                              描述

ftp_home_dir                   -> 关     Allow ftp to read and write files in the user home directories

smartmon_3ware                 -> 关     Enable additional permissions needed to support devices on 3ware controllers.

xdm_sysadm_login               -> 关     Allow xdm logins as sysadm

xen_use_nfs                    -> 关     Allow xen to manage nfs files

mozilla_read_content           -> 关     Control mozilla content access

ssh_chroot_rw_homedirs         -> 关     Allow ssh with chroot env to read and write files in the user home directories

[[email protected] ~]# semanage boolean -l |grep ssh   ##查看与ssh服务有关的布尔变量

ssh_chroot_rw_homedirs         -> 关     Allow ssh with chroot env to read and write files in the user home directories

ssh_sysadm_login               -> 关     允许通过 ssh 登录为 sysadm_r:sysadm_t

allow_ssh_keysign              -> 关     allow host key based authentication

fenced_can_ssh                 -> 关     Allow fenced domain to execute ssh.

[[email protected] ~]# getsebool -a |grep http  ##列出与http有关的布尔设置（off关、on开）

allow_httpd_anon_write --> off

allow_httpd_mod_auth_ntlm_winbind --> off

allow_httpd_mod_auth_pam --> off

allow_httpd_sys_script_anon_write --> off

httpd_builtin_scripting --> on

httpd_can_check_spam --> off

httpd_can_network_connect --> off

httpd_can_network_connect_cobbler --> off

httpd_can_network_connect_db --> off

httpd_can_network_memcache --> off

httpd_can_network_relay --> off

httpd_can_sendmail --> off

httpd_dbus_avahi --> on

httpd_enable_cgi --> on

httpd_enable_ftp_server --> off

httpd_enable_homedirs --> off

httpd_execmem --> off

httpd_read_user_content --> off

httpd_setrlimit --> off

httpd_ssi_exec --> off

httpd_tmp_exec --> off

httpd_tty_comm --> on

httpd_unified --> on

httpd_use_cifs --> off

httpd_use_gpg --> off

httpd_use_nfs --> off

[[email protected] ~]# getsebool httpd_enable_cgi  ##查看某个boolean的具体状态

httpd_enable_cgi --> on

[[email protected] ~]# getsebool httpd_enable_cgi tftp_anon_write   ##查看多个boolean的具体状态

httpd_enable_cgi --> on

tftp_anon_write --> off

2）设置布尔变量

[[email protected] ~]# getsebool httpd_enable_cgi

httpd_enable_cgi --> on

[[email protected] ~]# setsebool httpd_enable_cgi off   ##临时关闭布尔变量,重启失效

[[email protected] ~]# getsebool httpd_enable_cgi

httpd_enable_cgi --> off

[[email protected] ~]# getsebool httpd_enable_cgi

httpd_enable_cgi --> on

[[email protected] ~]# setsebool -P httpd_enable_cgi off   ##永久关闭布尔变量、使用选项大写P

[[email protected] ~]# getsebool httpd_enable_cgi

httpd_enable_cgi --> off

3）限制用户执行应用程序的布尔变量

RHEL6系统中，guest_t和xguest_t域中的linux用户通常不能执行主目录或/tmp目录中的应用程序，

user_t和staff_t域中的linux用户没有此限制。

[[email protected] ~]# getsebool allow_guest_exec_content   ##guest_t域默认设置

allow_guest_exec_content --> off

[[email protected] ~]# setsebool -P allow_guest_exec_content on  ##允许guest_t域中用户执行应用程序

[[email protected] ~]# getsebool allow_guest_exec_content

allow_guest_exec_content --> on

[[email protected] ~]# setsebool -P allow_user_exec_content off  ##禁用user_t用户在对应目录执行应用程序

[[email protected] ~]# getsebool allow_user_exec_content

allow_user_exec_content --> off