selinux - xud6的笔记本

xud6的笔记本

selinux

A collection of 6 posts

selinux 常用命令

查看是否有被selinux阻挡 sudo cat /var/log/audit/audit.log | grep denied boolean 查看boolean状态 sudo sestatus -b sudo sestatus -b | grep -i sendmail 设置boolean sudo setsebool -P $boolean名 $1或0 常用boolean boolean名意义httpd_can_network_connect允许httpd反向代理httpd_can_sendmail允许httpd发送邮件 semanager 安装semanager sudo yum install -y policycoreutils-python Centos 8 sudo yum install -y policycoreutils-python-utils 获取系统中的可用label sudo

Centos7 apache使用freeipa pki提供证书

安装apache和mod_nss sudo yum install httpd mod_nss -y 配置mod_nss sudo sh -c "echo 'Listen 443' >> /etc/httpd/conf.d/nssconfig.conf" sudo sh -c "echo 'NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_

查询是否被SELinux阻挡

sudo cat /var/log/audit/audit.log | grep denied

SELinux boolean操作

查询boolean状态 sudo sestatus -b 或者 sudo sestatus -b | grep -i sendmail 设置boolean sudo setsebool -P $boolean名 $1或0 如允许httpd发送邮件 sudo setsebool -P httpd_can_sendmail 1

selinux 允许apache访问文件

yum install -y policycoreutils-python semanage fcontext -a -t httpd_sys_content_t /path/to/file restorecon -v /path/to/file semanage fcontext -a -t httpd_sys_content_t "/path/to/dir(/.*)?" restorecon -R -v /path/to/dir

centos7 selinux 允许 apache 反向代理

执行 setsebool -P httpd_can_network_connect=1