Linux SELinux usage and operations
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
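The config file above only decides the mode SELinux boots into; a setting of permissive or disabled silently turns the policy into advisory logging or switches it off entirely. The following script is an added example (not from the original page) that parses an /etc/selinux/config-style file and flags a non-enforcing setting; the two sample configs it writes to temporary files are constructed for the demonstration, and the function names are my own. On a live host, point it at /etc/selinux/config and compare with `getenforce`, which reports the running mode rather than the boot-time setting.

```shell
#!/bin/sh
# Added example: audit an /etc/selinux/config-style file for a weak SELinux mode.

# Print the value of the first uncommented SELINUX= line (warn if there is more than one).
selinux_mode() {
  awk -F= '
    /^[[:space:]]*SELINUX=/ {
      n++
      if (n == 1) { gsub(/[[:space:]]/, "", $2); v = $2 }
    }
    END {
      print v
      if (n > 1) print "WARN: " n " SELINUX= lines found; only the first is used here" > "/dev/stderr"
    }' "$1"
}

# Print the value of the first uncommented SELINUXTYPE= line (targeted, minimum or mls).
selinux_type() {
  awk -F= '
    /^[[:space:]]*SELINUXTYPE=/ && !done { gsub(/[[:space:]]/, "", $2); v = $2; done = 1 }
    END { print v }' "$1"
}

# Return 0 only when the file asks for enforcing mode; explain the weakness otherwise.
check_enforcing() {
  case "$(selinux_mode "$1")" in
    enforcing)  return 0 ;;
    permissive) echo "WARN: $1 sets permissive mode: denials are logged, not blocked" >&2; return 1 ;;
    disabled)   echo "WARN: $1 disables SELinux: no policy is loaded at boot" >&2; return 1 ;;
    *)          echo "WARN: $1 has no valid SELINUX= line" >&2; return 1 ;;
  esac
}

# Constructed sample configs (hypothetical contents, written to temp files so the script runs offline).
SAMPLE_OK=$(mktemp)
SAMPLE_WEAK=$(mktemp)
trap 'rm -f "$SAMPLE_OK" "$SAMPLE_WEAK"' EXIT

cat > "$SAMPLE_OK" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

cat > "$SAMPLE_WEAK" <<'EOF'
# SELINUX=enforcing   <- commented out, so it must be ignored
SELINUX=permissive
SELINUXTYPE=targeted
EOF

# Stand-alone run: report both samples.
for f in "$SAMPLE_OK" "$SAMPLE_WEAK"; do
  if check_enforcing "$f"; then
    echo "$f: enforcing ($(selinux_type "$f") policy)"
  else
    echo "$f: NOT enforcing"
  fi
done
```

The parser deliberately skips commented-out lines and leading whitespace, because the most common real-world weakening is exactly an added `SELINUX=permissive` line left behind after troubleshooting.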
Statistics for policy file: /sys/fs/selinux/policy
Policy Version & Type: v.28 (binary, mls)

   Classes:          83    Permissions:     255
   Sensitivities:     1    Categories:     1024
   Types:          4620    Attributes:      357
   Users:             8    Roles:            14
   Booleans:        295    Cond. Expr.:     346
   Allow:        102249    Neverallow:        0
   Auditallow:      160    Dontaudit:      8413
   Type_trans:    16863    Type_change:      74
   Type_member:      35    Role allow:       30
   Role_trans:      412    Range_trans:    5439
....(rest omitted)....
# From the output above we can see that this policy is targeted, and that it defines 4620 security context types;
# a total of 295 SELinux rules (Booleans) have been defined!
allow crond_t system_cron_spool_t : file { ioctl read write create getattr ..
allow crond_t system_cron_spool_t : dir { ioctl read getattr lock search op..
allow crond_t user_cron_spool_t : file { ioctl read write create getattr se..
allow crond_t user_cron_spool_t : dir { ioctl read write getattr lock add_n..
allow crond_t user_cron_spool_t : lnk_file { read getattr } ;