[研究] 停用 SELinux (CentOS 7.2 x64)

[研究] 停用 SELinux (CentOS 7.2 x64)

2016-02-22

檢查 SELinux 狀態

[root@centos1 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

SELinux 有三種模式：強制 (enforcing)、寬容 (permissive)、關閉 (disabled)
寬容 (permissive) 模式讓 SELinux 只會警告無法順利連線的訊息， 而不是直接抵擋主體程序的讀取權限。

[root@centos1 ~]# setenforce 0

檢查 SELinux 狀態

[root@centos1 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[root@centos1 ~]#

真要停掉 SELinux，請修改 SELinux 設定檔案

[root@centos1 ~]#  vi /etc/selinux/config

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

#     enforcing - SELinux security policy is enforced.

#     permissive - SELinux prints warnings instead of enforcing.

#     disabled - No SELinux policy is loaded.

SELINUX=enforcing

# SELINUXTYPE= can take one of three two values:

#     targeted - Targeted processes are protected,

#     minimum - Modification of targeted policy. Only selected processes are protected.

#     mls - Multi Level Security protection.

SELINUXTYPE=targeted

把

SELINUX=enforcing

改為

SELINUX=disabled

重新啟動電腦

[root@centos1 ~]# reboot

測試 SELinux 狀態

[root@centos1 ~]# sestatus

SELinux status:                 disabled

[root@centos1 ~]# getenforce

Disabled

********************************************************************************

如果要在 shell script 偵測是否 SELinux 可以用  selinuxenabled 指令

[root@localhost ~]# man selinuxenabled

...(略)

DESCRIPTION

       selinuxenabled Indicates whether SELinux is  enabled  or  disabled.  It

       exits with status 0 if SELinux is enabled and 1 if it is not enabled.

...(略)

在 shell script 中

selinuxenabled if  [  $?   -eq  1  ] then   echo SELinux is diabled else   echo SELinux is enabled fi

注意，$? 會傳回剛剛執行命令的狀態，所以 selinuxenabled 和 判斷 $? 之間不能再寫其他程式碼。另外  [  和 $?   之間至少要有一個空格。

(完)