2016-02-22
Check the SELinux status
[root@centos1 ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
SELinux has three modes: enforcing, permissive, and disabled.
Permissive mode makes SELinux only log a warning for each access that would have been denied, rather than actually blocking the subject process's access.
[root@centos1 ~]# setenforce 0
Check the SELinux status again
[root@centos1 ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
[root@centos1 ~]#
To really turn SELinux off, edit the SELinux configuration file
[root@centos1 ~]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Change
SELINUX=enforcing
to
SELINUX=disabled
Reboot the machine
[root@centos1 ~]# reboot
Test the SELinux status
[root@centos1 ~]# sestatus
SELinux status: disabled
[root@centos1 ~]# getenforce
Disabled
********************************************************************************
To detect from a shell script whether SELinux is enabled, use the selinuxenabled command
[root@localhost ~]# man selinuxenabled
...(omitted)
DESCRIPTION
selinuxenabled Indicates whether SELinux is enabled or disabled. It
exits with status 0 if SELinux is enabled and 1 if it is not enabled.
...(omitted)
In a shell script:
selinuxenabled
if [ $? -eq 1 ]
then
    echo SELinux is disabled
else
    echo SELinux is enabled
fi
Note that $? returns the exit status of the command that was just executed, so no other code may be placed between selinuxenabled and the test of $?. Also, there must be at least one space between [ and $?.
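As an added example that is not part of the original post, the script below goes a step further than the exit-status check: it parses sestatus output to report enforcing/permissive/disabled and flags the situation shown earlier, where setenforce 0 left the running mode different from the one in /etc/selinux/config (which silently reverts on reboot). The function names are my own; sestatus and selinuxenabled are the real tools from the post.

```shell
#!/bin/sh
# Added example (not from the original post): classify the SELinux state
# from `sestatus` output and detect a runtime/config mismatch such as the
# one left behind by `setenforce 0`. Function names are hypothetical.

# Read `sestatus` output on stdin and print the value of one field, e.g.
#   sestatus | sestatus_field "Current mode"
sestatus_field() {
    awk -F': *' -v key="$1" '$1 == key { print $2; exit }'
}

# Print one word for the effective state: disabled | enforcing | permissive
selinux_mode() {
    text=$(cat)
    status=$(printf '%s\n' "$text" | sestatus_field "SELinux status")
    if [ "$status" != enabled ]; then
        echo disabled
        return 0
    fi
    printf '%s\n' "$text" | sestatus_field "Current mode"
}

# Succeed (exit 0) when the running mode differs from /etc/selinux/config,
# i.e. it was changed with setenforce and will revert at the next boot.
# With SELinux disabled there is nothing to compare, so this fails (exit 1).
selinux_mode_drifted() {
    text=$(cat)
    cur=$(printf '%s\n' "$text" | sestatus_field "Current mode")
    cfg=$(printf '%s\n' "$text" | sestatus_field "Mode from config file")
    [ -n "$cur" ] && [ -n "$cfg" ] && [ "$cur" != "$cfg" ]
}

# Report on the live system: selinuxenabled exits 0 when enabled and 1 when
# not (as its man page says); sestatus supplies the details.
selinux_report() {
    if ! selinuxenabled; then
        echo "SELinux is disabled"
        return 0
    fi
    out=$(sestatus)
    echo "SELinux is $(printf '%s\n' "$out" | selinux_mode)"
    if printf '%s\n' "$out" | selinux_mode_drifted; then
        echo "warning: runtime mode differs from /etc/selinux/config (reverts on reboot)"
    fi
}

# Only run the live report where the SELinux tools are actually installed.
if command -v sestatus >/dev/null 2>&1 && command -v selinuxenabled >/dev/null 2>&1; then
    selinux_report
fi
```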
(End)