2025-01-16 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article explains in detail how to use semanage to manage SELinux security policy. The content is of high quality, so the editor shares it here as a reference; after reading it you should have a working understanding of the relevant commands.
Overview
Semanage is a tool for configuring certain elements of SELinux policy without modifying or recompiling the policy source. This includes mapping Linux user names to SELinux user identities as well as security context mapping of objects such as network ports, interfaces, and hosts.
Test environment
CentOS 7.7 operating system
SELinux is enabled.
How to enable it:
[root@localhost ~]# sed -i '/^SELINUX/s/disabled/enforcing/g' /etc/selinux/config
# Then reboot the operating system
[root@localhost ~]# reboot
# After the reboot, check that it is in enforcing mode
[root@localhost ~]# getenforce
Enforcing
Common parameters
port: manage the defined network port types
fcontext: manage the defined file contexts
-l: list all records
-a: add a record
-m: modify a record
-d: delete a record
-t: the SELinux type to add or set
-p: specify whether the added port is tcp or udp; used under the port subcommand
-e: make the destination path use the same context as the original path (an equivalence rule); used under the fcontext subcommand
List all defined ports
List all ports with the semanage port command:
[root@localhost ~]# semanage port -l
SELinux Port Type              Proto    Port Number
afs3_callback_port_t           tcp      7001
afs3_callback_port_t           udp      7001
afs_bos_port_t                 udp      7007
afs_fs_port_t                  tcp      2040
afs_fs_port_t                  udp      7000, 7005
afs_ka_port_t                  udp      7004
afs_pt_port_t                  tcp      7002
afs_pt_port_t                  udp      7002
afs_vl_port_t                  udp      7003
agentx_port_t                  tcp      705
agentx_port_t                  udp      705
amanda_port_t                  tcp      10080-10083
amanda_port_t                  udp      10080-10082
...
List the ports for a specified port type:
[root@localhost ~]# semanage port -l | grep -w http_port_t
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
Look up the port type by port number:
[root@localhost ~]# semanage port -l | grep -w 53
dns_port_t                     tcp      53
dns_port_t                     udp      53
[root@localhost ~]# semanage port -l | grep -w 20
ftp_data_port_t                tcp      20
[root@localhost ~]# semanage port -l | grep -w 21
ftp_port_t                     tcp      21, 989, 990
Create, add and modify ports
Add a new port for http:
[root@localhost ~]# semanage port -a -t http_port_t -p tcp 8888
# View the newly added port
[root@localhost ~]# semanage port -l | grep -w 8888
http_port_t                    tcp      8888, 80, 81, 443, 488, 8008, 8009, 8443, 9000
# Locally customised ports can also be listed on their own with the -C parameter
[root@localhost ~]# semanage port -lC
SELinux Port Type              Proto    Port Number
http_port_t                    tcp      8888
Add a range of ports:
[root@localhost ~]# semanage port -a -t http_port_t -p tcp 11180-11188
[root@localhost ~]# semanage port -lC
SELinux Port Type              Proto    Port Number
http_port_t                    tcp      8888, 11180-11188
Delete ports
[root@localhost ~]# semanage port -d -t http_port_t -p tcp 8888
[root@localhost ~]# semanage port -d -t http_port_t -p tcp 11180-11188
# Check: no custom ports remain, so the list is empty
[root@localhost ~]# semanage port -lC
Modify Security Context
Add a security context to the samba shared directory
# The directory currently carries default_t
[root@localhost ~]# ll -dZ /share/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /share/
[root@localhost ~]# semanage fcontext -a -t samba_share_t '/share(/.*)?'
# Apply the default security context to the files
[root@localhost ~]# restorecon -Rv /share
restorecon reset /share context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:samba_share_t:s0
# Check that the folder has become samba_share_t
[root@localhost ~]# ll -dZ /share
drwxr-xr-x. root root unconfined_u:object_r:samba_share_t:s0 /share
Add a read/write context to the nfs shared directory
[root@localhost ~]# ll -dZ /nfsshare/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /nfsshare/
[root@localhost ~]# semanage fcontext -a -t public_content_rw_t '/nfsshare(/.*)?'
[root@localhost ~]# restorecon -Rv /nfsshare
[root@localhost ~]# ll -dZ /nfsshare/
drwxr-xr-x. root root unconfined_u:object_r:public_content_rw_t:s0 /nfsshare/
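As an added example (helper code written for this page, not from the article), a POSIX shell snippet that covers both the port lookups above and the relabel check: it finds which port type covers a given port/protocol in `semanage port -l` output, expanding ranges such as 10080-10083 that a plain `grep -w 10082` would miss, picks `-a` or `-m` accordingly, and extracts the type from an `ls -dZ` line. The SAMPLE_* values are constructed; with no listing argument it falls back to the live `semanage port -l` output.

```shell
#!/bin/sh
# Added helpers, not from the article: look up which SELinux port type covers
# a port/protocol in `semanage port -l` output (expanding ranges such as
# 10080-10083 that a plain `grep -w 10082` misses), choose -a vs -m, and pull
# the type out of an `ls -dZ` line. SAMPLE_* values are constructed.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number
afs3_callback_port_t           tcp      7001
amanda_port_t                  tcp      10080-10083
amanda_port_t                  udp      10080-10082
dns_port_t                     udp      53
http_port_t                    tcp      8888, 11180-11188, 80, 81, 443, 488, 8008, 8009, 8443, 9000
ftp_port_t                     tcp      21, 989, 990'
SAMPLE_LS_Z='drwxr-xr-x. root root unconfined_u:object_r:samba_share_t:s0 /share'

# port_type_for PORT PROTO [LISTING]: print the type covering PORT/PROTO, or
# nothing. LISTING defaults to live `semanage port -l` output (needs root).
port_type_for() {
  listing=${3:-$(semanage port -l 2>/dev/null)}
  printf '%s\n' "$listing" | awk -v want="$1" -v proto="$2" '
    BEGIN { want += 0 }
    NR == 1 || $2 != proto { next }       # skip header and other protocols
    {
      for (i = 3; i <= NF; i++) {         # "80, 81, 10080-10083" entries
        entry = $i; sub(/,$/, "", entry)
        n = split(entry, r, "-")
        lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
        if (want >= lo && want <= hi) { print $1; exit }
      }
    }'
}

# semanage_port_flag PORT PROTO [LISTING]: "-a" when the port is unlabeled,
# "-m" when it already has a type (semanage port -a fails on a defined port;
# -m relabels it instead).
semanage_port_flag() {
  if [ -n "$(port_type_for "$1" "$2" "$3")" ]; then printf '%s\n' -m
  else printf '%s\n' -a; fi
}

# ctx_type_of LS_Z_LINE: print the type field of the context in an `ls -dZ`
# line, e.g. samba_share_t, to verify a relabel after restorecon.
ctx_type_of() {
  printf '%s\n' "$1" | awk '{ split($4, c, ":"); print c[3] }'
}
```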
Summary
This article covers adding, modifying and deleting ports, and modifying security contexts. If your system has a desktop installed, you can install the graphical management tool policycoreutils-gui to manage SELinux instead.
[root@localhost ~]# yum -y install policycoreutils-gui
# Run system-config-selinux to open the graphical administration interface
[root@localhost ~]# system-config-selinux
That concludes this guide to using semanage to manage SELinux security policy. I hope the content above is of some help and that you can learn more from it; if you think the article is good, share it so that more people can see it.