Shulou (Shulou.com), 06/01 report; updated 2025-01-18.
This article explains how to use semanage to modify SELinux security contexts in Linux, a topic many people are not familiar with. The editor has summarized the following content to make it easier to understand.
The chcon tool included in CentOS can only modify the file types and policies of files, directories and similar objects; it cannot manage ports, message interfaces or network interfaces. semanage covers these parts of SELinux configuration.
Installation:
The code is as follows:
# yum -y install policycoreutils-python
Usage:
The semanage command is used to query and modify the default SELinux security context of directories.
semanage fcontext [-S store] -{a|d|m|l|n|D} [-frst] file_spec
semanage fcontext [-S store] -{a|d|m|l|n|D} -e replacement target
Main parameters:
-a: add
-d: delete
-m: modify
-l: list
-n: do not print the description header
-D: delete all
-f: file type
-s: user
-t: type
-R: role
Basic use:
Manage the mapping between Linux login users and confined SELinux users.
The code is as follows:
semanage login [-S store] -{a|d|m|l|n|D} [-sr] login_name | %groupname
Manage policy modules:
The code is as follows:
semanage module [-S store] -{a|d|l} [-m [--enable | --disable]] module_name
Manage network port type definition
The code is as follows:
semanage port [-S store] -{a|d|m|l|n|D} [-tr] [-p proto] port | port_range
For example, if apache uses a non-standard port, you need to execute the following command:
The code is as follows:
semanage port -a -t http_port_t -p tcp port_number
View the currently allowed httpd ports:
The code is as follows:
# semanage port -l | grep http
http_cache_port_t tcp 3128, 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 8888, 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
Note: 8888 is what I just added.
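Checking the listing before labeling a port avoids a common failure: `semanage port -a` is rejected as "already defined" when that exact port already belongs to another type, and `-m` is needed instead. The script below is an added example, not part of the original article; `port_owner` and `plan_port_label` are hypothetical helper names, and the embedded listing is the output shown above, reused as constructed sample input.

```shell
#!/bin/sh
# Constructed sample input: the `semanage port -l | grep http` listing from above.
SAMPLE_PORTS='http_cache_port_t tcp 3128, 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 8888, 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989'

# port_owner PROTO PORT  (hypothetical helper)
# Reads `semanage port -l` style text on stdin and prints "<type> exact" when
# PORT is listed on its own, or "<type> range" when it only falls in a range.
port_owner() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                spec = $i; sub(/,$/, "", spec)      # drop the list separator
                n = split(spec, r, "-")
                if (n == 1 && r[1] + 0 == port + 0) exact = $1
                else if (n == 2 && port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) range = $1
            }
        }
        END { if (exact != "") print exact, "exact"
              else if (range != "") print range, "range" }'
}

# plan_port_label TYPE PROTO PORT  (hypothetical helper)
# Prints the semanage command to run, given the listing on stdin.
plan_port_label() {
    want=$1 proto=$2 port=$3
    owner=$(port_owner "$proto" "$port")
    case "$owner" in
        "$want "*) echo "nothing to do: $port/$proto is already $want" ;;
        # Exact definition under another type: -a would fail, modify instead.
        *" exact") echo "semanage port -m -t $want -p $proto $port" ;;
        # Unlisted, or only inside another type's range: add a new record.
        *)         echo "semanage port -a -t $want -p $proto $port" ;;
    esac
}

for p in 8888 8080 10005 7070; do
    printf '%s\n' "$SAMPLE_PORTS" | plan_port_label http_port_t tcp "$p"
done
```

On a live system, pipe `semanage port -l` into `plan_port_label` instead of the sample text.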
Manage network interface type definition
The code is as follows:
semanage interface [-S store] -{a|d|m|l|n|D} [-tr] interface_spec
Manage network node type definition
The code is as follows:
semanage node [-S store] -{a|d|m|l|n|D} [-tr] [-p protocol] [-M netmask] address
Manage file context mapping definitions
The code is as follows:
semanage fcontext [-S store] -{a|d|m|l|n|D} [-frst] file_spec
semanage fcontext [-S store] -{a|d|m|l|n|D} -e replacement target
Example: enable Apache to access website files located in a non-default directory
First, use semanage fcontext -l | grep '/var/www' to learn the SELinux context of the default /var/www directory:
The code is as follows:
/var/www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
You can see that Apache can only access files labeled with the httpd_sys_content_t type.
Suppose you want Apache to use /srv/www as the website file directory. The files in this directory then need the httpd_sys_content_t label, which is done in two steps.
First, add the default label type for the files in the /srv/www directory:
semanage fcontext -a -t httpd_sys_content_t '/srv/www(/.*)?'
Then mark the existing files with the new label type:
restorecon -Rv /srv/www
After that, Apache can use the files in this directory to build the site.
restorecon is used very often in SELinux management; it restores a file's default label. For example, when a file is copied from a user's home directory to the Apache website directory, Apache cannot access it by default, because files under the user's home directory are labeled user_home_t. In that case, use restorecon to restore the file to the httpd_sys_content_t type that Apache can access:
The code is as follows:
restorecon -v /srv/www/foo.com/html/file.html
restorecon reset /srv/www/foo.com/html/file.html context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" # create a new rule specifying that the /web directory and all files under it get the type httpd_sys_content_t
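The file_spec in these rules is a regular expression matched against the whole path, which is why `(/.*)?` covers the directory itself as well as everything below it, while a sibling such as /srv/www2 stays untouched. The following added example (not from the original article) models which files `restorecon` would relabel; the helpers `expected_type` and `mislabeled`, the rule list and the file inventory are constructed for illustration, and the rules are assumed not to overlap.

```shell
#!/bin/sh
# Constructed rule set: "<file_spec> <type>", the default rule from the listing
# above plus the local rule added with `semanage fcontext -a`.
RULES='/var/www(/.*)? httpd_sys_content_t
/srv/www(/.*)? httpd_sys_content_t'

# Constructed inventory: "<path> <current type>", a simplified `ls -Z` view.
INVENTORY='/srv/www var_t
/srv/www/foo.com/html/file.html user_home_t
/srv/www/foo.com/html/index.html httpd_sys_content_t
/srv/www2/notes.txt var_t'

# expected_type PATH  (hypothetical helper)
# Prints the type of the first rule whose spec matches the entire PATH.
# grep -x anchors the match at both ends, as file context specs are.
expected_type() {
    printf '%s\n' "$RULES" | while read -r spec type; do
        if printf '%s\n' "$1" | grep -Eqx -- "$spec"; then
            echo "$type"
            break
        fi
    done
}

# mislabeled  (hypothetical helper)
# Reads "<path> <current type>" lines on stdin and prints every path whose
# current type differs from what the rules say, i.e. what restorecon would reset.
mislabeled() {
    while read -r path cur; do
        want=$(expected_type "$path")
        # No matching rule means the path is out of scope for this check.
        if [ -n "$want" ] && [ "$cur" != "$want" ]; then
            echo "$path $cur->$want"
        fi
    done
    return 0
}

printf '%s\n' "$INVENTORY" | mislabeled
```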
After reading the above, you should have a better understanding of how to use semanage to modify SELinux security contexts in Linux.