selinux权限管理centos如何操作

Here’s a structured guide to SELinux permission management in CentOS:

1. Check SELinux Status

Verify if SELinux is enabled and its current mode (Enforcing/Permissive/Disabled):

getenforce

• Enforcing: SELinux enforces policies (blocks unauthorized access).
• Permissive: Logs violations but doesn’t block (useful for troubleshooting).
• Disabled: SELinux is turned off (not recommended for production).

To check detailed status (including mode and policy type):

sestatus

2. Change SELinux Mode (Temporary/Permanent)

• Temporary Change (resets after reboot):

  setenforce 1  # Enable Enforcing mode
  setenforce 0  # Enable Permissive mode
  

• Permanent Change (requires reboot):
  Edit /etc/selinux/config and modify the SELINUX= line:

  sudo vi /etc/selinux/config
  # Change to:
  SELINUX=enforcing  # or "permissive"
  

  Reboot the system to apply changes.

3. Manage File/Directory Contexts

SELinux uses security contexts (format: user:role:type:level) to define access rules. Key commands:

• View Context:

  ls -Z /path/to/file_or_directory
  

  Example output: -rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0

• Temporary Modify Context (e.g., change a file to httpd_sys_content_t for Apache):

  chcon -t httpd_sys_content_t /var/www/html/index.html
  

• Permanent Modify Context:
  Use semanage fcontext to add a new rule, then restorecon to apply it:

  sudo semanage fcontext -a -t httpd_sys_content_t "/var/www/html(/.*)?"  # Recursive for directory
  sudo restorecon -Rv /var/www/html  # Restore default context recursively
  

• Restore Default Context:

  restorecon -Rv /path/to/file_or_directory
  

4. Configure SELinux Boolean Values

Booleans are toggleable options that enable/disable specific SELinux features (e.g., allowing Apache to connect to databases).

• View All Booleans:

  getsebool -a
  

• Set a Boolean (persistent with -P):
  Example: Allow Apache to network-connect (for database access):

  sudo setsebool -P httpd_can_network_connect_db 1
  

5. Troubleshoot SELinux Issues

When you encounter “AVC denied” errors (e.g., a process can’t access a file):

• Check Audit Logs:

  sudo ausearch -m avc -ts recent  # Filter for SELinux denials
  

• Interpret Logs:
  Use audit2why to explain why access was denied:

  sudo ausearch -m avc -ts recent | audit2why
  

• Generate Custom Policy:
  If the denial is valid (not a misconfiguration), generate a custom module to allow the action:

  sudo grep httpd /var/log/audit/audit.log | audit2allow -M my_httpd_policy
  sudo semodule -i my_httpd_policy.pp  # Load the custom policy
  

6. Manage Port Contexts

Some services require specific SELinux ports (e.g., Apache needs port 80/tcp labeled as http_port_t).

• List Port Contexts:

  sudo semanage port -l | grep http
  

• Add a New Port Context:
  Example: Allow Apache to use port 8080:

  sudo semanage port -a -t http_port_t -p tcp 8080
  

• Delete a Port Context:

  sudo semanage port -d -t http_port_t -p tcp 8080
  

7. Advanced: Manage Users/Roles (Optional)

For fine-grained control over user access (not commonly used for basic setups):

• Add a New SELinux User:

  sudo semanage user -a -R user_u -r object_r -s system_u username
  

• Delete a SELinux User:

  sudo semanage user -d username
  

Key Notes:

• Always back up critical files (e.g., /etc/selinux/config) before making changes.
• Test changes in Permissive mode first to avoid locking yourself out.
• Avoid disabling SELinux in production—it significantly weakens system security.

These steps cover essential SELinux permission management tasks in CentOS. For complex scenarios (e.g., MLS policies), refer to the official Red Hat SELinux documentation.