SELinux Booleans

The facility for tuning a loaded policy through its booleans: on/off switches that enable or disable groups of rules at run time, without editing or reloading the policy.

List all booleans and their current values
# getsebool -a
 allow_execheap --> on
 allow_execmem --> on
 allow_execmod --> on
 allow_execstack --> on
 allow_mount_anyfile --> on
 allow_polyinstantiation --> off
 allow_ptrace --> off
 allow_ssh_keysign --> off
 allow_user_mysql_connect --> off
 allow_user_postgresql_connect --> off
 allow_write_xshm --> off
 allow_ypbind --> off
 cron_can_relabel --> off
 fcron_crond --> off
 global_ssp --> off
 init_upstart --> on
 mail_read_content --> off
 nfs_export_all_ro --> off
 nfs_export_all_rw --> off
 secure_mode --> off
 secure_mode_insmod --> off
 secure_mode_policyload --> off
 ssh_sysadm_login --> off
 use_lpd_server --> off
 use_nfs_home_dirs --> off
 use_samba_home_dirs --> off
 user_direct_mouse --> off
 user_dmesg --> off
 user_ping --> off
 user_rw_noexattrfile --> off
 user_tcp_server --> off
 user_ttyfile_stat --> off
 xdm_sysadm_login --> off
 xserver_object_manager --> off


Show a specific boolean
# getsebool allow_execheap
 allow_execheap --> on

Change the value of a boolean (on/off, 1/0 and true/false are all accepted). A plain setsebool changes the running policy only and is lost at reboot; add -P to also write the value into the policy store so it persists.
# setsebool boolean_name {true|false}
# setsebool secure_mode true



Set a boolean without the setsebool command, by writing to selinuxfs directly. The mount point is the "SELinuxfs mount:" line of sestatus: /selinux on this system, /sys/fs/selinux on current distributions.
# ls /selinux/booleans
 allow_execheap                 cron_can_relabel        use_nfs_home_dirs
 allow_execmem                  fcron_crond             use_samba_home_dirs
 allow_execmod                  global_ssp              user_direct_mouse
 allow_execstack                init_upstart            user_dmesg
 allow_mount_anyfile            mail_read_content       user_ping
 allow_polyinstantiation        nfs_export_all_ro       user_rw_noexattrfile
 allow_ptrace                   nfs_export_all_rw       user_tcp_server
 allow_ssh_keysign              secure_mode             user_ttyfile_stat
 allow_user_mysql_connect       secure_mode_insmod      xdm_sysadm_login
 allow_user_postgresql_connect  secure_mode_policyload  xserver_object_manager
 allow_write_xshm               ssh_sysadm_login
 allow_ypbind                   use_lpd_server

# echo 1 > /selinux/booleans/mail_read_content
Note: at this point the value has only been staged, not applied. Reading the file back shows two numbers, the active value followed by the pending one (here "0 1"), and getsebool keeps reporting the active value until the commit below.

The pending values are applied by writing 1 to commit_pending_bools; a single commit applies every boolean staged so far:
# echo 1 > /selinux/commit_pending_bools
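The stage-then-commit procedure above as a reusable shell function, added here as an example (it is not code from the original page). It assumes the legacy /selinux mount shown on this page (set SELINUXFS=/sys/fs/selinux on a current system) and root privileges, and it goes one step beyond the single-boolean case in the text: several booleans can be staged and applied with one commit, which is also how setsebool applies a list of booleans.

```shell
#!/bin/sh
# Set SELinux booleans by writing to selinuxfs directly: stage pending
# values, then commit them in one step.
# Added example, not code from the original page. Assumes the legacy
# mount point shown on this page; export SELINUXFS=/sys/fs/selinux on
# current distributions. Needs root (security:setbool permission).
SELINUXFS="${SELINUXFS:-/selinux}"

# Print "<active> <pending>" for one boolean; this is the format the
# kernel returns when a boolean file under selinuxfs is read.
read_bool() {
    cat "$SELINUXFS/booleans/$1"
}

# set_bools NAME=VALUE [NAME=VALUE ...]
# Stages every value, then applies all of them with a single commit.
# Returns 1 on a bad name or value (nothing is written in that case),
# 2 if a value did not take after the commit.
set_bools() {
    # Validate everything first so a typo cannot leave a stray pending
    # value behind that some later commit would silently apply.
    for arg in "$@"; do
        name=${arg%%=*}
        value=${arg#*=}
        if [ ! -f "$SELINUXFS/booleans/$name" ]; then
            echo "set_bools: no such boolean: $name" >&2
            return 1
        fi
        case "$value" in
            0|1) ;;
            *) echo "set_bools: $name: value must be 0 or 1" >&2; return 1 ;;
        esac
    done

    # Stage: each write only changes the pending half of the boolean;
    # getsebool still reports the old active value at this point.
    for arg in "$@"; do
        printf '%s' "${arg#*=}" > "$SELINUXFS/booleans/${arg%%=*}"
    done

    # Commit: one write applies every pending value at once.
    printf '1' > "$SELINUXFS/commit_pending_bools"

    # Verify: the active field must now equal what was requested.
    for arg in "$@"; do
        name=${arg%%=*}
        value=${arg#*=}
        active=$(read_bool "$name" | cut -d' ' -f1)
        if [ "$active" != "$value" ]; then
            echo "set_bools: $name is $active after commit, expected $value" >&2
            return 2
        fi
    done
    return 0
}

# Usage when run as a script, for example:
#   ./setbools.sh mail_read_content=1 user_ping=0
if [ "$#" -gt 0 ]; then
    set_bools "$@"
fi
```

Both writes need the setbool permission on security_t. In the reference policy that permission is granted only while secure_mode_policyload is off (it is off in the listing above); once it is turned on, booleans can no longer be changed for the rest of the boot.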



Show SELinux status. In the output below the running mode is enforcing while the config file says permissive: the mode was switched at run time (for example with setenforce) and will fall back to permissive on the next boot unless the config file is updated.
# sestatus -v
 SELinux status:                 enabled
 SELinuxfs mount: /selinux
 Current mode: enforcing
 Mode from config file: permissive
 Policy version: 24
 Policy from config file: ubuntu

 Process contexts:
 Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255
 Init context: system_u:system_r:init_t:s0

 File contexts:
 Controlling term: unconfined_u:object_r:user_devpts_t:s0
 /etc/passwd system_u:object_r:etc_t:s0
 /etc/shadow system_u:object_r:shadow_t:s0
 /bin/bash system_u:object_r:shell_exec_t:s0
 /bin/login system_u:object_r:login_exec_t:s0
 /bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
 /sbin/init system_u:object_r:init_exec_t:s0
 /lib/libc.so.6 system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0
 /lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:default_t:s0

