In-depth analysis of the usage of semanage command

Introduction

The semanage command is used to query and modify the security context of the SELinux default directory. SELinux policy and rule management related commands: seinfo command, sesearch command, getsebool command, setsebool command, semanage command. Let us explain in detail how to use the chcon command.

grammar

semanage {login|user|port|interface|fcontext|translation} -l 
semanage fcontext -{a|d|m} [-frst] file_spec

Options

--l：查询。 
fcontext：主要用在安全上下文方面。 
-a：增加，你可以增加一些目录的默认安全上下文类型设置。 
-m：修改。 
-d：删除。

Example Check the default security settings of /var/www/html:

semanage fcontext -l 
SELinux fcontext type Context 
....(前面省略).... /var/www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 ....(後面省略)....

As shown in the above example, we can query the security article of each directory! The directory setting can use regular expressions to specify a range. So what if we want to increase the security of some custom directories? For example, when I want the color setting /srv/samba to become the type of public_content_t inline code, how should I set it?

Use the semanage command to set the default security of the /srv/samba directory. This article is public_content_t:

chcon -t public_content_rw_t /var/ftp/incoming

Allow users to HHTP access their home directories. This setting is limited to the user's home directory homepage:

mkdir /srv/samba 
ll -Zd /srv/samba 
drwxr-xr-x root root root:object_r:var_t /srv/samba

As shown above, the default situation should be var_tthis dong dong!

semanage fcontext -l | grep '/srv' 
/srv/.* all files system_u:object_r:var_t:s0 
/srv/([^/]*/)?ftp(/.*)? all files system_u:object_r:public_content_t:s0 
/srv/([^/]*/)?www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 /srv/([^/]*/)?rsync(/.*)? all files system_u:object_r:public_content_t:s0 /srv/gallery2(/.*)? all files system_u:object_r:httpd_sys_content_t:s0 
/srv directory system_u:object_r:var_t:s0 //看这里！

The above is the security information of this article under the default /srv, however, it is not specified to /srv/samba.

semanage fcontext -a -t public_content_t "/srv/samba(/.*)?" 
semanage fcontext -l | grep '/srv/samba' 
/srv/samba(/.*)? all files system_u:object_r:public_content_t:s0

cat /etc/selinux/targeted/contexts/files/file_contexts.local 
# This file is auto-generated by libsemanage # Please use the semanage command to make changes 
/srv/samba(/.*)? system_u:object_r:public_content_t:s0 #写入这个档案

restorecon -Rv /srv/samba* #尝试恢复默认值 ll -Zd /srv/samba drwxr-xr-x root root system_u:object_r:public_content_t /srv/samba/ #有默认值，以后用restorecon命令来修改比较简单！

The above is the detailed content of In-depth analysis of the usage of semanage command. For more information, please follow other related articles on the PHP Chinese website!