SELinux的三种模式
enforcing #强制模式,代表 SELinux 运作中,且已经正确的开始限制 domain/type 了; permissive #宽容模式:代表 SELinux 运作中,不过仅会有警告讯息并不会实际限制 domain/type 的存取。这种模式可以运来作为 SELinux 的 debug 之用; disabled #关闭,SELinux 并没有实际运作。
查看SElinux的状态
1,查看配置信息 /usr/sbin/sestatus -v
# /usr/sbin/sestatus -v SELinux status: enabled #若为enabled表示开启,应该是读取/etc/selinux/config文件 SELinuxfs mount: /selinux Current mode: permissive #实际上的模式(宽容模式) Mode from config file: enforcing Policy version: 24 Policy from config file: targeted Process contexts: Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Init context: system_u:system_r:init_t:s0 /sbin/mingetty system_u:system_r:getty_t:s0 /usr/sbin/sshd system_u:system_r:sshd_t:s0-s0:c0.c1023 File contexts: Controlling term: unconfined_u:object_r:user_devpts_t:s0 /etc/passwd system_u:object_r:etc_t:s0 /etc/shadow system_u:object_r:shadow_t:s0 /bin/bash system_u:object_r:shell_exec_t:s0 /bin/login system_u:object_r:login_exec_t:s0 /bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0 /sbin/agetty system_u:object_r:getty_exec_t:s0 /sbin/init system_u:object_r:init_exec_t:s0 /sbin/mingetty system_u:object_r:getty_exec_t:s0 /usr/sbin/sshd system_u:object_r:sshd_exec_t:s02,getenforce
# getenforce Permissive #实际上的模式(宽容模式)
关闭SElinux
1,修改配置文件/etc/selinux/config(需要重启)
# vim /etc/selinux/config # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. # SELINUX=enforcing ##改为disabled SELINUX=disabled # SELINUXTYPE= can take one of these two values: # targeted - Targeted processes are protected, # mls - Multi Level Security protection. SELINUXTYPE=targeted
2,getenforce(临时修改,不需重启,重启失效)
# getenforce 0 Permissive # getenforce 1设置SELinux为enforcing模式,由于SELinux是直接整合到内核中,所以不可以直接disabled,只能强制在enforcing和permissive中转换。