Monday, February 22, 2016

[Research] Disabling SELinux (CentOS 7.2 x64)


Check the SELinux status

[root@centos1 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

SELinux has three modes: enforcing, permissive and disabled.
In permissive mode SELinux only logs a warning for each access that would have been denied, rather than actually blocking the subject process's access.

[root@centos1 ~]# setenforce 0

Check the SELinux status again

[root@centos1 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[root@centos1 ~]#

To really turn SELinux off, edit the SELinux configuration file

[root@centos1 ~]# vi /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Change
SELINUX=enforcing
to
SELINUX=disabled

Reboot the machine

[root@centos1 ~]# reboot

Check the SELinux status

[root@centos1 ~]# sestatus
SELinux status:                 disabled

[root@centos1 ~]# getenforce
Disabled

********************************************************************************

To detect from a shell script whether SELinux is enabled, use the selinuxenabled command

[root@localhost ~]# man selinuxenabled
...(omitted)
DESCRIPTION
       selinuxenabled Indicates whether SELinux is  enabled  or  disabled.  It
       exits with status 0 if SELinux is enabled and 1 if it is not enabled.
...(omitted)

In a shell script:

selinuxenabled
# $? holds the exit status of selinuxenabled: 0 = enabled, 1 = disabled
if [ $? -eq 1 ]
then
  echo SELinux is disabled
else
  echo SELinux is enabled
fi


Note: $? returns the exit status of the command that was just executed, so no other code may be placed between selinuxenabled and the test of $?. Also, there must be at least one space between [ and $?.
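The sestatus output after setenforce 0 above shows "Current mode: permissive" next to "Mode from config file: enforcing", i.e. a change that silently reverts at the next reboot. The following script is an added example (not part of the original post) that parses sestatus-style output and flags that drift; the embedded sample output is constructed to mirror the listing on this page, and the function and variable names are my own.

```shell
#!/bin/sh
# Detect a transient SELinux mode change (setenforce without editing
# /etc/selinux/config) by comparing the running mode with the config-file mode.

# Constructed sample of `sestatus` output (mirrors the listing on this page).
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28'

# sestatus_field OUTPUT LABEL -> prints the value after "LABEL:", trimmed
sestatus_field() {
    printf '%s\n' "$1" | awk -F: -v label="$2" \
        '$1 == label { sub(/^[ \t]+/, "", $2); print $2 }'
}

# selinux_drift OUTPUT -> prints one word:
#   disabled   : no policy loaded (SELinux status is not "enabled")
#   consistent : running mode equals the mode in /etc/selinux/config
#   drift      : running mode differs from config; it reverts on reboot
selinux_drift() {
    status=$(sestatus_field "$1" "SELinux status")
    if [ "$status" != "enabled" ]; then
        echo disabled
        return 0
    fi
    current=$(sestatus_field "$1" "Current mode")
    config=$(sestatus_field "$1" "Mode from config file")
    if [ "$current" = "$config" ]; then
        echo consistent
    else
        echo drift
    fi
}

# Run against the constructed sample; on a live host use:
#   selinux_drift "$(sestatus)"
selinux_drift "$SAMPLE_SESTATUS"
```

A result of "drift" after a planned setenforce 0 is expected; the same result on a host nobody touched is worth investigating, and "disabled" on a host whose config still says enforcing means it booted without a policy.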

(End)
