2025-01-16 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article explains how to use semanage to manage SELinux security policies. It is a practical topic, so it is shared here as a reference.
The semanage command is used to query and modify the default SELinux security contexts of files and directories, as well as the defined network port types. Commands related to SELinux policy and rule management: seinfo, sesearch, getsebool, setsebool, and semanage.
Experimental environment
CentOS 7.7 operating system
SELinux is enabled in enforcing mode:
[root@localhost ~]# sed -i '/^SELINUX/s/disabled/enforcing/g' /etc/selinux/config
# then restart the operating system
[root@localhost ~]# reboot
# after the restart is completed, check whether it is in enforcing mode
[root@localhost ~]# getenforce
Enforcing
Common parameters
port: manage defined network port types
fcontext: manage defined file contexts
-l: list all records
-a: add a record
-m: modify a record
-d: delete a record
-t: the type to add
-p: specify whether the added port uses the tcp or udp protocol; used under the port subcommand
-e: make the target path reference the context type of the original path; used under the fcontext subcommand
List all defined ports
Use the semanage port command to list all ports
[root@localhost ~]# semanage port -l
SELinux Port Type              Proto    Port Number

afs3_callback_port_t           tcp      7001
afs3_callback_port_t           udp      7001
afs_bos_port_t                 udp      7007
afs_fs_port_t                  tcp      2040
afs_fs_port_t                  udp      7000, 7005
afs_ka_port_t                  udp      7004
afs_pt_port_t                  tcp      7002
afs_pt_port_t                  udp      7002
afs_vl_port_t                  udp      7003
agentx_port_t                  tcp      705
agentx_port_t                  udp      705
amanda_port_t                  tcp      10080-10083
amanda_port_t                  udp      10080-10082
...
List the ports of a specified port type
[root@localhost ~]# semanage port -l | grep -w http_port_t
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
Look up the port type by port number
[root@localhost ~]# semanage port -l | grep -w 53
dns_port_t                     tcp      53
dns_port_t                     udp      53
[root@localhost ~]# semanage port -l | grep -w 20
ftp_data_port_t                tcp      20
[root@localhost ~]# semanage port -l | grep -w 21
ftp_port_t                     tcp      21, 989, 990
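`grep -w` only finds a port that is printed literally in the listing, so a port that falls inside a range such as 10080-10083 is missed. The following added example (not part of the original article) resolves a port to its type with ranges and comma lists handled; the function name `port_type` and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the layout of `semanage port -l` (not captured from a host).
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

amanda_port_t                  tcp      10080-10083
dns_port_t                     tcp      53
dns_port_t                     udp      53
ftp_port_t                     tcp      21, 989, 990
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'

# port_type PROTO PORT (hypothetical helper): read a listing on stdin and print
# every port type whose entry covers PORT, as a single port or inside LOW-HIGH.
port_type() {
    awk -v proto="$1" -v port="$2" '
        NR == 1 || NF < 3 || $2 != proto { next }   # header, blanks, other protocol
        {
            for (i = 3; i <= NF; i++) {
                entry = $i
                sub(/,$/, "", entry)                 # drop the list separator
                n = split(entry, r, "-")
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}

# Port 10081 is only listed as part of a range, so grep -w 10081 finds nothing.
printf '%s\n' "$SAMPLE_PORTS" | port_type tcp 10081

# On a live system: semanage port -l | port_type tcp 10081
```

On a real host a port can be covered by more than one entry, for example a specific type and a broad range type, and the function prints each of them.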
Create, add, modify ports
Add a new port for http with the following command
[root@localhost ~]# semanage port -a -t http_port_t -p tcp 8888
# view the newly added port
[root@localhost ~]# semanage port -l | grep -w 8888
http_port_t                    tcp      8888, 80, 81, 443, 488, 8008, 8009, 8443, 9000
# you can also use the -C parameter to view the custom port numbers
[root@localhost ~]# semanage port -lC
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      8888
Add a range of ports
[root@localhost ~]# semanage port -a -t http_port_t -p tcp 11180-11188
[root@localhost ~]# semanage port -lC
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      8888, 11180-11188
Delete ports
[root@localhost ~]# semanage port -d -t http_port_t -p tcp 8888
[root@localhost ~]# semanage port -d -t http_port_t -p tcp 11180-11188
# check that there are no custom ports left
[root@localhost ~]# semanage port -lC
Modify the security context
Add a security context to the samba shared directory
# before adding the security context, the type is default_t
[root@localhost ~]# ll -dZ /share/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /share/
[root@localhost ~]# semanage fcontext -a -t samba_share_t '/share(/.*)?'
# restore the default security context of the files
[root@localhost ~]# restorecon -Rv /share
restorecon reset /share context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:samba_share_t:s0
# check that the directory type has become samba_share_t
[root@localhost ~]# ll -dZ /share
drwxr-xr-x. root root unconfined_u:object_r:samba_share_t:s0 /share
Add a read-write context to the NFS shared directory
[root@localhost ~]# ll -dZ /nfsshare/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /nfsshare/
[root@localhost ~]# semanage fcontext -a -t public_content_rw_t '/nfsshare(/.*)?'
[root@localhost ~]# restorecon -Rv /nfsshare
[root@localhost ~]# ll -dZ /nfsshare/
drwxr-xr-x. root root unconfined_u:object_r:public_content_rw_t:s0 /nfsshare/
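The path given to `semanage fcontext -a` is a regular expression that must match the whole path, which is why the commands above use `'/share(/.*)?'` rather than a shell-style glob. This added example (not from the original article) compares that pattern with three common variants against constructed sample paths; `fc_covers` and `covered_paths` are hypothetical helpers, and `grep -E -x` stands in for the policy's regex engine.

```shell
#!/bin/sh
# fc_covers PATTERN PATH: succeed when PATTERN, applied as a regular expression
# anchored at both ends (as file-context patterns are), matches PATH.
fc_covers() {
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# covered_paths PATTERN: print the constructed sample paths that PATTERN labels.
covered_paths() {
    out=""
    for p in /share /share/docs /share/docs/a.txt /shared /share2/x; do
        if fc_covers "$1" "$p"; then
            out="$out${out:+ }$p"
        fi
    done
    printf '%s\n' "$out"
}

# '/share(/.*)?' : the directory and everything below it, nothing else
# '/share'       : the directory only, new files below keep the old type
# '/share.*'     : too broad, also labels /shared and /share2/x
# '/share/*'     : glob habit; as a regex it means "/share" plus zero or more "/"
for pat in '/share(/.*)?' '/share' '/share.*' '/share/*'; do
    printf '%-14s -> %s\n' "$pat" "$(covered_paths "$pat")"
done
```

An over-broad pattern matters for access control: every path it covers receives the type after `restorecon`, so a service allowed to use `samba_share_t` would also reach the unintended directories.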
This article describes adding, modifying, and deleting ports and modifying the security context. If your system has a desktop installed, you can install the graphical management software policycoreutils-gui to manage it.
[root@localhost ~]# yum -y install policycoreutils-gui
# run system-config-selinux to open the graphical management interface
[root@localhost ~]# system-config-selinux
Thank you for reading! This is the end of this article on "how to use semanage to manage SELinux security policies". I hope the above content is of some help to you.