SELinux is short for Security-Enhanced Linux. It is a kernel security module developed by the US National Security Agency and is used mainly in Red Hat Linux and its derivatives, such as CentOS. Ubuntu, SUSE and their derivatives use AppArmor instead.

Traditional Linux uses Discretionary Access Control (DAC). Under DAC a process runs with a user ID (UID) or set-user-ID (SUID) identity and holds that user's permissions on files, sockets and so on, so malicious code can easily run with the privileges of whatever identity it obtains.

Mandatory Access Control (MAC) enforces isolation based on confidentiality and integrity in order to limit damage. Whether a resource may be accessed depends not only on the user identity but also on whether each individual process is allowed to access that class of resource. Even a process running as root is therefore checked: its process type and the resource types it is permitted to touch decide whether a given access is allowed, so the room a process has to act in is shrunk to the minimum. SELinux implements MAC.

Put simply, SELinux minimises the resources a service process can reach, so when it is enabled with its defaults the security level is very high and many routine operations are restricted.

In SELinux, when a subject (such as a program) wants to access an object (such as a file), the kernel's policy database looks up the current run mode and, based on that mode, decides whether to grant access to the object. If access is denied, a denial record is written to /var/log/messages.
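The decision flow above ends in a denial record whenever access is refused. As an added example (not part of the original post), here is a small bash/awk script that summarises such AVC records: which source domain was denied which permission on which target type, and whether the kernel actually blocked the access (permissive=0) or only logged it. The log lines are constructed samples in the format the kernel and auditd use, not captures from a real host; summarize_avc and count_blocked are names chosen for this example.

```bash
#!/bin/bash
# Added example (not from the original post): summarise SELinux AVC denial
# records, the lines the kernel logs when the policy refuses an access.
# The records below are constructed samples, not captured from a real host.

SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000002.789:458): avc:  denied  { write } for  pid=2222 comm="smbd" name="share" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1700000002.789:458): arch=c000003e syscall=2 success=no exit=-13'

# Read AVC records on stdin and print one line per denial:
#   <enforcing|permissive> <source type> <target type> <object class> <permission>
# The type is the third colon-separated field of a context (user:role:type:level).
summarize_avc() {
    awk '
        /avc: +denied/ {
            perm = ""; src = ""; tgt = ""; cls = ""; mode = "enforcing"
            # the permission set sits between braces: { read } or { read write }
            if (match($0, /[{] [^}]* [}]/)) {
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            }
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
                if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
                if (kv[1] == "tclass")   { cls = kv[2] }
                # permissive=1 means the access was logged but still allowed
                if (kv[1] == "permissive" && kv[2] == "1") { mode = "permissive" }
            }
            printf "%s %s %s %s %s\n", mode, src, tgt, cls, perm
        }'
}

# Count the denials that were actually blocked (permissive=0), i.e. the ones
# a user or service would have noticed as a failure.
count_blocked() {
    summarize_avc | awk '$1 == "enforcing" { n++ } END { print n + 0 }'
}

# Stand-alone demo on the constructed sample:
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

On a real host the same functions can be fed from the log the post mentions (grep avc /var/log/messages) or, where auditd is running, from ausearch -m AVC. The summary shows at a glance whether a denial is a service being confined as intended (httpd_t reaching into user_home_t) or a policy gap worth a boolean or a relabel, and the permissive column separates what was blocked from what was merely recorded in permissive mode.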
- SELinux has three run modes (Mode):
  - Enforcing: the SELinux policy is enforced
  - Permissive: the policy is not enforced and access is never denied, but denials are written to the log
  - Disabled: the SELinux policy is disabled

The mode and policy type are set in /etc/selinux/config:

```
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
```
By default, current CentOS systems run SELinux in Enforcing mode. The current mode can be checked with the getenforce command.

- Changing the mode (switching to Disabled is not recommended)
  - Method 1: as root, run setenforce 0 to switch to Permissive (policy not enforced), or setenforce 1 to switch to Enforcing
  - Method 2: edit /etc/selinux/config and change the value of SELINUX
- Policy type (SELINUXTYPE)
  - targeted: confines the processes of most network services (dhcpd, httpd, named, nscd, ntpd, portmap, snmpd, squid, syslogd)
  - minimum: only selected processes are protected
  - mls: Multi-Level Security, the strictest policy

When SELinux is in enforcing or permissive mode, sestatus -v shows the policy details; when it is disabled, no further information is available.
```
[root@centos7 ~]# getenforce
Enforcing
[root@centos7 ~]# sestatus -v
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
Process contexts:
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context: system_u:system_r:init_t:s0
/usr/sbin/sshd system_u:system_r:sshd_t:s0-s0:c0.c1023
File contexts:
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0
/etc/passwd system_u:object_r:passwd_file_t:s0
/etc/shadow system_u:object_r:shadow_t:s0
/bin/bash system_u:object_r:shell_exec_t:s0
/bin/login system_u:object_r:login_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty system_u:object_r:getty_exec_t:s0
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/usr/sbin/sshd system_u:object_r:sshd_exec_t:s0
[root@centos7 ~]# setenforce 0
[root@centos7 ~]# getenforce
Permissive
[root@centos7 ~]# sestatus -v
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
Process contexts:
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context: system_u:system_r:init_t:s0
/usr/sbin/sshd system_u:system_r:sshd_t:s0-s0:c0.c1023
File contexts:
Controlling terminal: unconfined_u:object_r:user_devpts_t:s0
/etc/passwd system_u:object_r:passwd_file_t:s0
/etc/shadow system_u:object_r:shadow_t:s0
/bin/bash system_u:object_r:shell_exec_t:s0
/bin/login system_u:object_r:login_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty system_u:object_r:getty_exec_t:s0
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/usr/sbin/sshd system_u:object_r:sshd_exec_t:s0
```
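The transcript above shows what setenforce 0 does: the running mode becomes permissive while "Mode from config file" still says enforcing, because setenforce changes only the live kernel setting and is undone by a reboot, whereas editing /etc/selinux/config persists but only takes effect at the next boot. As an added example (not from the original post), the bash script below reads sestatus output and config-file text and reports whether the two agree with the mode you expect, which is the check a compliance script or a monitoring job would run. Both inputs are constructed samples modelled on the transcript, and sestatus_field, config_mode and check_selinux_state are names chosen for this example.

```bash
#!/bin/bash
# Added example (not from the original post): detect drift between the
# running SELinux mode and the mode configured in /etc/selinux/config.
# Inputs are constructed samples modelled on the post's transcript; on a
# real host they would come from `sestatus` and /etc/selinux/config.

SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled'

SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'

# Print the value of one "Key:   value" line from sestatus output on stdin.
sestatus_field() {
    awk -F': *' -v key="$1" '$1 == key { print $2 }'
}

# Print the SELINUX= value from config text on stdin, skipping comments;
# SELINUXTYPE= is not matched because the '=' must follow SELINUX directly.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' | head -n 1
}

# $1 = sestatus output, $2 = config text, $3 = desired mode (default enforcing).
# Returns 0 when the live mode and the config both match the desired mode,
#         2 when the config file itself sets the wrong mode (survives reboot),
#         1 when the live kernel state drifted from the config (setenforce,
#           or SELinux disabled on the kernel command line).
check_selinux_state() {
    local want="${3:-enforcing}" status current from_config cfg
    cfg=$(printf '%s\n' "$2" | config_mode)
    if [ "$cfg" != "$want" ]; then
        echo "config sets SELINUX=$cfg, expected $want; this persists across reboot"
        return 2
    fi
    status=$(printf '%s\n' "$1" | sestatus_field "SELinux status")
    current=$(printf '%s\n' "$1" | sestatus_field "Current mode")
    from_config=$(printf '%s\n' "$1" | sestatus_field "Mode from config file")
    if [ "$status" != "enabled" ]; then
        echo "SELinux is $status on the running kernel although the config says $cfg"
        return 1
    fi
    if [ "$current" != "$want" ] || [ "$from_config" != "$cfg" ]; then
        echo "running mode is $current but config is $cfg; setenforce was used or the file changed"
        return 1
    fi
    echo "SELinux is $current now and will stay $cfg after reboot"
    return 0
}

# Stand-alone demo on the constructed sample (reports drift, exit status 1):
check_selinux_state "$SAMPLE_SESTATUS" "$SAMPLE_CONFIG" || true
```

On a live CentOS host the call would be check_selinux_state "$(sestatus)" "$(cat /etc/selinux/config)". The distinction between the two failure codes matters operationally: a return of 1 is a temporary weakening that a reboot would silently repair, which is exactly why it is easy to miss, while a return of 2 means the host will come back up without enforcement.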
sestatus -b additionally lists the policy's boolean settings, which are the per-feature switches of the loaded policy:
[root@centos7 ~]# sestatus -b
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
Policy booleans:
abrt_anon_write off
abrt_handle_event off
abrt_upload_watch_anon_write on    # allow abrt's upload watch to accept anonymous writes; on by default
antivirus_can_scan_system off
antivirus_use_jit off
auditadm_exec_content on    # allow the auditadm role to execute content; on by default
authlogin_nsswitch_use_ldap off
authlogin_radius off
authlogin_yubikey off
awstats_purge_apache_log_files off
boinc_execmem on
cdrecord_read_content off
cluster_can_network_connect off
cluster_manage_all_files off
cluster_use_execmem off
cobbler_anon_write off
cobbler_can_network_connect off
cobbler_use_cifs off
cobbler_use_nfs off
collectd_tcp_network_connect off
condor_tcp_network_connect off
conman_can_network off
conman_use_nfs off
container_connect_any off
container_manage_cgroup off
container_use_cephfs off
cron_can_relabel off
cron_system_cronjob_use_shares off
cron_userdomain_transition on
cups_execmem off
cvs_read_shadow off
daemons_dump_core off
daemons_enable_cluster_mode off
daemons_use_tcp_wrapper off
daemons_use_tty off
dbadm_exec_content on
dbadm_manage_user_files off
dbadm_read_user_files off
deny_execmem off
deny_ptrace off
dhcpc_exec_iptables off
dhcpd_use_ldap off
domain_can_mmap_files on
domain_can_write_kmsg off
domain_fd_use on
domain_kernel_load_modules off
entropyd_use_audio on
exim_can_connect_db off
exim_manage_user_files off
exim_read_user_files off
fcron_crond off
fenced_can_network_connect off
fenced_can_ssh off
fips_mode on
ftpd_anon_write off
ftpd_connect_all_unreserved off
ftpd_connect_db off
ftpd_full_access off
ftpd_use_cifs off
ftpd_use_fusefs off
ftpd_use_nfs off    # allow ftpd to serve files from NFS; off by default
ftpd_use_passive_mode off
ganesha_use_fusefs off
git_cgi_enable_homedirs off
git_cgi_use_cifs off
git_cgi_use_nfs off
git_session_bind_all_unreserved_ports off
git_session_users off
git_system_enable_homedirs off
git_system_use_cifs off
git_system_use_nfs off
gitosis_can_sendmail off
glance_api_can_network off
glance_use_execmem off
glance_use_fusefs off
global_ssp off
gluster_anon_write off
gluster_export_all_ro off
gluster_export_all_rw on
gluster_use_execmem off
gpg_web_anon_write off
gssd_read_tmp on
guest_exec_content on
haproxy_connect_any off
httpd_anon_write off
httpd_builtin_scripting on
httpd_can_check_spam off
httpd_can_connect_ftp off    # allow httpd to connect to FTP services; off by default
httpd_can_connect_ldap off
httpd_can_connect_mythtv off
httpd_can_connect_zabbix off
httpd_can_network_connect off    # allow httpd to make outbound network connections; off by default
httpd_can_network_connect_cobbler off
httpd_can_network_connect_db off    # allow httpd to connect to databases over the network; off by default
httpd_can_network_memcache off    # allow httpd to connect to memcache; off by default
httpd_can_network_relay off    # allow httpd to act as a network relay; off by default
httpd_can_sendmail off    # allow httpd to send mail; off by default
httpd_dbus_avahi off
httpd_dbus_sssd off
httpd_dontaudit_search_dirs off
httpd_enable_cgi on
httpd_enable_ftp_server off
httpd_enable_homedirs off
httpd_execmem off
httpd_graceful_shutdown on
httpd_manage_ipa off
httpd_mod_auth_ntlm_winbind off
httpd_mod_auth_pam off
httpd_read_user_content off
httpd_run_ipa off
httpd_run_preupgrade off
httpd_run_stickshift off
httpd_serve_cobbler_files off
httpd_setrlimit off
httpd_ssi_exec off
httpd_sys_script_anon_write off
httpd_tmp_exec off
httpd_tty_comm off
httpd_unified off
httpd_use_cifs off
httpd_use_fusefs off
httpd_use_gpg off
httpd_use_nfs off
httpd_use_openstack off
httpd_use_sasl off
httpd_verify_dns off
icecast_use_any_tcp_ports off
irc_use_any_tcp_ports off
irssi_use_full_network off
kdumpgui_run_bootloader off
keepalived_connect_any off
kerberos_enabled on
ksmtuned_use_cifs off
ksmtuned_use_nfs off
logadm_exec_content on
logging_syslogd_can_sendmail off
logging_syslogd_run_nagios_plugins off
logging_syslogd_use_tty on
login_console_enabled on
logrotate_read_inside_containers off
logrotate_use_nfs off
logwatch_can_network_connect_mail off
lsmd_plugin_connect_any off
mailman_use_fusefs off
mcelog_client off
mcelog_exec_scripts on
mcelog_foreground off
mcelog_server off
minidlna_read_generic_user_content off
mmap_low_allowed off
mock_enable_homedirs off
mount_anyfile on
mozilla_plugin_bind_unreserved_ports off
mozilla_plugin_can_network_connect off
mozilla_plugin_use_bluejeans off
mozilla_plugin_use_gps off
mozilla_plugin_use_spice off
mozilla_read_content off
mpd_enable_homedirs off
mpd_use_cifs off
mpd_use_nfs off
mplayer_execstack off
mysql_connect_any off    # allow mysql to connect to any port; off by default
nagios_run_pnp4nagios off
nagios_run_sudo off
nagios_use_nfs off
named_tcp_bind_http_port off
named_write_master_zones off
neutron_can_network off
nfs_export_all_ro on
nfs_export_all_rw on
nfsd_anon_write off
nis_enabled off
nscd_use_shm on
openshift_use_nfs off
openvpn_can_network_connect on
openvpn_enable_homedirs on
openvpn_run_unconfined off
pcp_bind_all_unreserved_ports off
pcp_read_generic_logs off
piranha_lvs_can_network_connect off
polipo_connect_all_unreserved off
polipo_session_bind_all_unreserved_ports off
polipo_session_users off
polipo_use_cifs off
polipo_use_nfs off
polyinstantiation_enabled off
postfix_local_write_mail_spool on
postgresql_can_rsync off
postgresql_selinux_transmit_client_label off
postgresql_selinux_unconfined_dbadm on
postgresql_selinux_users_ddl on
pppd_can_insmod off
pppd_for_user off
privoxy_connect_any on
prosody_bind_http_port off
puppetagent_manage_all_files off
puppetmaster_use_db off
racoon_read_shadow off
radius_use_jit off
redis_enable_notify off
rpcd_use_fusefs off
rsync_anon_write off
rsync_client off
rsync_export_all_ro off
rsync_full_access off
samba_create_home_dirs off
samba_domain_controller off
samba_enable_home_dirs off
samba_export_all_ro off
samba_export_all_rw off
samba_load_libgfapi off
samba_portmapper off
samba_run_unconfined off
samba_share_fusefs off
samba_share_nfs off
sanlock_enable_home_dirs off
sanlock_use_fusefs off
sanlock_use_nfs off
sanlock_use_samba off
saslauthd_read_shadow off
secadm_exec_content on
secure_mode off
secure_mode_insmod off
secure_mode_policyload off
selinuxuser_direct_dri_enabled on
selinuxuser_execheap off
selinuxuser_execmod on
selinuxuser_execstack on
selinuxuser_mysql_connect_enabled off
selinuxuser_ping on
selinuxuser_postgresql_connect_enabled off
selinuxuser_rw_noexattrfile on
selinuxuser_share_music off
selinuxuser_tcp_server off
selinuxuser_udp_server off
selinuxuser_use_ssh_chroot off
sge_domain_can_network_connect off
sge_use_nfs off
smartmon_3ware off
smbd_anon_write off
spamassassin_can_network off
spamd_enable_home_dirs on
spamd_update_can_network off
squid_connect_any on
squid_use_tproxy off
ssh_chroot_rw_homedirs off
ssh_keysign off
ssh_sysadm_login off
staff_exec_content on
staff_use_svirt off
swift_can_network off
sysadm_exec_content on
telepathy_connect_all_ports off
telepathy_tcp_connect_generic_network_ports on
tftp_anon_write off
tftp_home_dir off
tmpreaper_use_cifs off
tmpreaper_use_nfs off
tmpreaper_use_samba off
tomcat_can_network_connect_db off
tomcat_read_rpm_db off
tomcat_use_execmem off
tor_bind_all_unreserved_ports off
tor_can_network_relay off
unconfined_chrome_sandbox_transition on
unconfined_login on
unconfined_mozilla_plugin_transition on
unprivuser_use_svirt off
use_ecryptfs_home_dirs off
use_fusefs_home_dirs off
use_lpd_server off
use_nfs_home_dirs off
use_samba_home_dirs off
user_exec_content on
varnishd_connect_any off
virt_read_qemu_ga_data off
virt_rw_qemu_ga_data off
virt_sandbox_use_all_caps on
virt_sandbox_use_audit on
virt_sandbox_use_fusefs off
virt_sandbox_use_mknod off
virt_sandbox_use_netlink off
virt_sandbox_use_sys_admin off
virt_transition_userdomain off
virt_use_comm off
virt_use_execmem off
virt_use_fusefs off
virt_use_glusterd off
virt_use_nfs on
virt_use_rawip off
virt_use_samba off
virt_use_sanlock off
virt_use_usb on
virt_use_xserver off
webadm_manage_user_files off
webadm_read_user_files off
wine_mmap_zero_ignore off
xdm_bind_vnc_tcp_port off
xdm_exec_bootloader off
xdm_sysadm_login off
xdm_write_home off
xen_use_nfs off
xend_run_blktap on
xend_run_qemu on
xguest_connect_network on
xguest_exec_content on
xguest_mount_media on
xguest_use_bluetooth on
xserver_clients_write_xshm off
xserver_execmem off
xserver_object_manager off
zabbix_can_network off
zabbix_run_sudo off
zarafa_setrlimit off
zebra_write_config off
zoneminder_anon_write off
zoneminder_run_sudo off
[root@centos7 ~]#
semanage boolean --list shows each boolean together with its current and default settings and a description; semanage boolean -h prints the usage help. setsebool <boolean> <state> changes a boolean temporarily.
[root@vircent7 ~]# semanage boolean --list
SELinux 布尔值 状态 默认 描述
privoxy_connect_any (开 , 开) Allow privoxy to connect any
smartmon_3ware (关 , 关) Allow smartmon to 3ware
mpd_enable_homedirs (关 , 关) Allow mpd to enable homedirs
xdm_sysadm_login (关 , 关) Allow xdm to sysadm login
xen_use_nfs (关 , 关) Allow xen to use nfs
mozilla_read_content (关 , 关) Allow mozilla to read content
ssh_chroot_rw_homedirs (关 , 关) Allow ssh to chroot rw homedirs
mount_anyfile (开 , 开) Allow mount to anyfile
cron_userdomain_transition (开 , 开) Allow cron to userdomain transition
xdm_write_home (关 , 关) Allow xdm to write home
openvpn_can_network_connect (开 , 开) Allow openvpn to can network connect
xserver_execmem (关 , 关) Allow xserver to execmem
minidlna_read_generic_user_content (关 , 关) Allow minidlna to read generic user content
authlogin_nsswitch_use_ldap (关 , 关) Allow authlogin to nsswitch use ldap
gluster_anon_write (关 , 关) Allow gluster to anon write
piranha_lvs_can_network_connect (关 , 关) Allow piranha to lvs can network connect
selinuxuser_execmod (开 , 开) Allow selinuxuser to execmod
httpd_can_network_relay (关 , 关) Allow httpd to can network relay
openvpn_enable_homedirs (开 , 开) Allow openvpn to enable homedirs
glance_use_execmem (关 , 关) Allow glance to use execmem
telepathy_tcp_connect_generic_network_ports (开 , 开) Allow telepathy to tcp connect generic network ports
httpd_can_connect_mythtv (关 , 关) Allow httpd to can connect mythtv
unconfined_mozilla_plugin_transition (开 , 开) Allow unconfined to mozilla plugin transition
nagios_run_sudo (关 , 关) Allow nagios to run sudo
httpd_can_network_connect_db (关 , 关) Allow httpd to can network connect db
use_ecryptfs_home_dirs (关 , 关) Allow use to ecryptfs home dirs
mpd_use_nfs (关 , 关) Allow mpd to use nfs
postgresql_can_rsync (关 , 关) Allow postgresql to can rsync
polipo_connect_all_unreserved (关 , 关) Allow polipo to connect all unreserved
httpd_use_gpg (关 , 关) Allow httpd to use gpg
samba_export_all_rw (关 , 关) Allow samba to export all rw
samba_domain_controller (关 , 关) Allow samba to domain controller
httpd_dbus_sssd (关 , 关) Allow httpd to dbus sssd
selinuxuser_udp_server (关 , 关) Allow selinuxuser to udp server
fenced_can_network_connect (关 , 关) Allow fenced to can network connect
httpd_enable_cgi (开 , 开) Allow httpd to enable cgi
polipo_use_cifs (关 , 关) Allow polipo to use cifs
xend_run_blktap (开 , 开) Allow xend to run blktap
httpd_verify_dns (关 , 关) Allow httpd to verify dns
ftpd_use_cifs (关 , 关) Allow ftpd to use cifs
polyinstantiation_enabled (关 , 关) Allow polyinstantiation to enabled
virt_use_nfs (开 , 开) Allow virt to use nfs
virt_use_comm (关 , 关) Allow virt to use comm
tmpreaper_use_cifs (关 , 关) Allow tmpreaper to use cifs
rsync_client (关 , 关) Allow rsync to client
xdm_exec_bootloader (关 , 关) Allow xdm to exec bootloader
exim_read_user_files (关 , 关) Allow exim to read user files
use_nfs_home_dirs (关 , 关) Allow use to nfs home dirs
swift_can_network (关 , 关) Allow swift to can network
xserver_clients_write_xshm (关 , 关) Allow xserver to clients write xshm
container_connect_any (关 , 关) Allow container to connect any
ksmtuned_use_nfs (关 , 关) Allow ksmtuned to use nfs
entropyd_use_audio (开 , 开) Allow entropyd to use audio
selinuxuser_share_music (关 , 关) Allow selinuxuser to share music
httpd_dontaudit_search_dirs (关 , 关) Allow httpd to dontaudit search dirs
named_write_master_zones (关 , 关) Allow named to write master zones
git_system_use_cifs (关 , 关) Allow git to system use cifs
samba_portmapper (关 , 关) Allow samba to portmapper
nagios_run_pnp4nagios (关 , 关) Allow nagios to run pnp4nagios
postgresql_selinux_users_ddl (开 , 开) Allow postgresql to selinux users ddl
tor_bind_all_unreserved_ports (关 , 关) Allow tor to bind all unreserved ports
logrotate_read_inside_containers (关 , 关) Allow logrotate to read inside containers
mcelog_exec_scripts (开 , 开) Allow mcelog to exec scripts
zebra_write_config (关 , 关) Allow zebra to write config
cvs_read_shadow (关 , 关) Allow cvs to read shadow
httpd_use_cifs (关 , 关) Allow httpd to use cifs
deny_ptrace (关 , 关) Allow deny to ptrace
ssh_keysign (关 , 关) Allow ssh to keysign
postfix_local_write_mail_spool (开 , 开) Allow postfix to local write mail spool
antivirus_use_jit (关 , 关) Allow antivirus to use jit
logwatch_can_network_connect_mail (关 , 关) Allow logwatch to can network connect mail
secure_mode (关 , 关) Allow secure to mode
gluster_export_all_ro (关 , 关) Allow gluster to export all ro
httpd_manage_ipa (关 , 关) Allow httpd to manage ipa
virt_sandbox_use_sys_admin (关 , 关) Allow virt to sandbox use sys admin
conman_can_network (关 , 关) Allow conman to can network
pppd_for_user (关 , 关) Allow pppd to for user
samba_export_all_ro (关 , 关) Allow samba to export all ro
ftpd_connect_db (关 , 关) Allow ftpd to connect db
git_system_enable_homedirs (关 , 关) Allow git to system enable homedirs
use_samba_home_dirs (关 , 关) Allow use to samba home dirs
domain_can_write_kmsg (关 , 关) Allow domain to can write kmsg
mock_enable_homedirs (关 , 关) Allow mock to enable homedirs
sge_domain_can_network_connect (关 , 关) Allow sge to domain can network connect
httpd_run_stickshift (关 , 关) Allow httpd to run stickshift
samba_create_home_dirs (关 , 关) Allow samba to create home dirs
virt_transition_userdomain (关 , 关) Allow virt to transition userdomain
mozilla_plugin_bind_unreserved_ports (关 , 关) Allow mozilla to plugin bind unreserved ports
git_session_users (关 , 关) Allow git to session users
zabbix_can_network (关 , 关) Allow zabbix to can network
fenced_can_ssh (关 , 关) Allow fenced to can ssh
zoneminder_run_sudo (关 , 关) Allow zoneminder to run sudo
httpd_enable_homedirs (关 , 关) Allow httpd to enable homedirs
gpg_web_anon_write (关 , 关) Allow gpg to web anon write
lsmd_plugin_connect_any (关 , 关) Allow lsmd to plugin connect any
selinuxuser_direct_dri_enabled (开 , 开) Allow selinuxuser to direct dri enabled
nfsd_anon_write (关 , 关) Allow nfsd to anon write
gluster_use_execmem (关 , 关) Allow gluster to use execmem
mysql_connect_any (关 , 关) Allow mysql to connect any
glance_use_fusefs (关 , 关) Allow glance to use fusefs
polipo_session_bind_all_unreserved_ports (关 , 关) Allow polipo to session bind all unreserved ports
cluster_can_network_connect (关 , 关) Allow cluster to can network connect
httpd_dbus_avahi (关 , 关) Allow httpd to dbus avahi
ftpd_use_fusefs (关 , 关) Allow ftpd to use fusefs
sanlock_use_fusefs (关 , 关) Allow sanlock to use fusefs
rsync_full_access (关 , 关) Allow rsync to full access
global_ssp (关 , 关) Allow global to ssp
cobbler_can_network_connect (关 , 关) Allow cobbler to can network connect
virt_sandbox_use_audit (开 , 开) Allow virt to sandbox use audit
staff_use_svirt (关 , 关) Allow staff to use svirt
squid_use_tproxy (关 , 关) Allow squid to use tproxy
ftpd_full_access (关 , 关) Allow ftpd to full access
gluster_export_all_rw (开 , 开) Allow gluster to export all rw
secure_mode_policyload (关 , 关) Allow secure to mode policyload
virt_use_rawip (关 , 关) Allow virt to use rawip
dbadm_manage_user_files (关 , 关) Allow dbadm to manage user files
domain_can_mmap_files (开 , 开) Allow domain to can mmap files
abrt_handle_event (关 , 关) Allow abrt to handle event
fips_mode (开 , 开) Allow fips to mode
rpcd_use_fusefs (关 , 关) Allow rpcd to use fusefs
webadm_manage_user_files (关 , 关) Allow webadm to manage user files
virt_sandbox_use_mknod (关 , 关) Allow virt to sandbox use mknod
tomcat_can_network_connect_db (关 , 关) Allow tomcat to can network connect db
git_system_use_nfs (关 , 关) Allow git to system use nfs
gssd_read_tmp (开 , 开) Allow gssd to read tmp
httpd_unified (关 , 关) Allow httpd to unified
staff_exec_content (开 , 开) Allow staff to exec content
virt_sandbox_use_netlink (关 , 关) Allow virt to sandbox use netlink
tftp_anon_write (关 , 关) Allow tftp to anon write
irc_use_any_tcp_ports (关 , 关) Allow irc to use any tcp ports
xguest_exec_content (开 , 开) Allow xguest to exec content
saslauthd_read_shadow (关 , 关) Allow saslauthd to read shadow
openvpn_run_unconfined (关 , 关) Allow openvpn to run unconfined
httpd_mod_auth_pam (关 , 关) Allow httpd to mod auth pam
selinuxuser_rw_noexattrfile (开 , 开) Allow selinuxuser to rw noexattrfile
httpd_can_network_connect (关 , 关) Allow httpd to can network connect
keepalived_connect_any (关 , 关) Allow keepalived to connect any
exim_can_connect_db (关 , 关) Allow exim to can connect db
auditadm_exec_content (开 , 开) Allow auditadm to exec content
git_cgi_use_nfs (关 , 关) Allow git to cgi use nfs
xguest_connect_network (开 , 开) Allow xguest to connect network
varnishd_connect_any (关 , 关) Allow varnishd to connect any
tftp_home_dir (关 , 关) Allow tftp to home dir
guest_exec_content (开 , 开) Allow guest to exec content
exim_manage_user_files (关 , 关) Allow exim to manage user files
httpd_execmem (关 , 关) Allow httpd to execmem
virt_use_xserver (关 , 关) Allow virt to use xserver
httpd_use_fusefs (关 , 关) Allow httpd to use fusefs
cdrecord_read_content (关 , 关) Allow cdrecord to read content
cluster_use_execmem (关 , 关) Allow cluster to use execmem
login_console_enabled (开 , 开) Allow login to console enabled
httpd_mod_auth_ntlm_winbind (关 , 关) Allow httpd to mod auth ntlm winbind
logrotate_use_nfs (关 , 关) Allow logrotate to use nfs
selinuxuser_postgresql_connect_enabled (关 , 关) Allow selinuxuser to postgresql connect enabled
httpd_use_sasl (关 , 关) Allow httpd to use sasl
httpd_tty_comm (关 , 关) Allow httpd to tty comm
httpd_sys_script_anon_write (关 , 关) Allow httpd to sys script anon write
rsync_anon_write (关 , 关) Allow rsync to anon write
mplayer_execstack (关 , 关) Allow mplayer to execstack
zoneminder_anon_write (关 , 关) Allow zoneminder to anon write
selinuxuser_tcp_server (关 , 关) Allow selinuxuser to tcp server
dbadm_exec_content (开 , 开) Allow dbadm to exec content
postgresql_selinux_unconfined_dbadm (开 , 开) Allow postgresql to selinux unconfined dbadm
selinuxuser_execheap (关 , 关) Allow selinuxuser to execheap
conman_use_nfs (关 , 关) Allow conman to use nfs
virt_use_sanlock (关 , 关) Allow virt to use sanlock
virt_use_samba (关 , 关) Allow virt to use samba
irssi_use_full_network (关 , 关) Allow irssi to use full network
mozilla_plugin_use_bluejeans (关 , 关) Allow mozilla to plugin use bluejeans
tmpreaper_use_samba (关 , 关) Allow tmpreaper to use samba
nscd_use_shm (开 , 开) Allow nscd to use shm
tomcat_read_rpm_db (关 , 关) Allow tomcat to read rpm db
zabbix_run_sudo (关 , 关) Allow zabbix to run sudo
haproxy_connect_any (关 , 关) Allow haproxy to connect any
wine_mmap_zero_ignore (关 , 关) Allow wine to mmap zero ignore
racoon_read_shadow (关 , 关) Allow racoon to read shadow
puppetmaster_use_db (关 , 关) Allow puppetmaster to use db
httpd_graceful_shutdown (开 , 开) Allow httpd to graceful shutdown
nis_enabled (关 , 关) Allow nis to enabled
logadm_exec_content (开 , 开) Allow logadm to exec content
container_use_cephfs (关 , 关) Allow container to use cephfs
unconfined_login (开 , 开) Allow unconfined to login
secure_mode_insmod (关 , 关) Allow secure to mode insmod
virt_sandbox_use_fusefs (关 , 关) Allow virt to sandbox use fusefs
httpd_can_connect_ftp (关 , 关) Allow httpd to can connect ftp
ftpd_use_passive_mode (关 , 关) Allow ftpd to use passive mode
smbd_anon_write (关 , 关) Allow smbd to anon write
daemons_enable_cluster_mode (关 , 关) Allow daemons to enable cluster mode
cobbler_use_nfs (关 , 关) Allow cobbler to use nfs
tor_can_network_relay (关 , 关) Allow tor to can network relay
virt_use_usb (开 , 开) Allow virt to use usb
selinuxuser_execstack (开 , 开) Allow selinuxuser to execstack
selinuxuser_mysql_connect_enabled (关 , 关) Allow selinuxuser to mysql connect enabled
virt_sandbox_use_all_caps (开 , 开) Allow virt to sandbox use all caps
httpd_run_ipa (关 , 关) Allow httpd to run ipa
ganesha_use_fusefs (关 , 关) Allow ganesha to use fusefs
rsync_export_all_ro (关 , 关) Allow rsync to export all ro
daemons_use_tcp_wrapper (关 , 关) Allow daemons to use tcp wrapper
prosody_bind_http_port (关 , 关) Allow prosody to bind http port
sanlock_enable_home_dirs (关 , 关) Allow sanlock to enable home dirs
webadm_read_user_files (关 , 关) Allow webadm to read user files
mozilla_plugin_use_gps (关 , 关) Allow mozilla to plugin use gps
use_fusefs_home_dirs (关 , 关) Allow use to fusefs home dirs
pcp_bind_all_unreserved_ports (关 , 关) Allow pcp to bind all unreserved ports
httpd_read_user_content (关 , 关) Allow httpd to read user content
httpd_use_nfs (关 , 关) Allow httpd to use nfs
unconfined_chrome_sandbox_transition (开 , 开) Allow unconfined to chrome sandbox transition
pppd_can_insmod (关 , 关) Allow pppd to can insmod
sge_use_nfs (关 , 关) Allow sge to use nfs
xguest_use_bluetooth (开 , 开) Allow xguest to use bluetooth
spamd_enable_home_dirs (开 , 开) Allow spamd to enable home dirs
dhcpd_use_ldap (关 , 关) Allow dhcpd to use ldap
git_cgi_use_cifs (关 , 关) Allow git to cgi use cifs
pcp_read_generic_logs (关 , 关) Allow pcp to read generic logs
httpd_can_connect_zabbix (关 , 关) Allow httpd to can connect zabbix
zarafa_setrlimit (关 , 关) Allow zarafa to setrlimit
mailman_use_fusefs (关 , 关) Allow mailman to use fusefs
icecast_use_any_tcp_ports (关 , 关) Allow icecast to use any tcp ports
httpd_tmp_exec (关 , 关) Allow httpd to tmp exec
secadm_exec_content (开 , 开) Allow secadm to exec content
httpd_run_preupgrade (关 , 关) Allow httpd to run preupgrade
virt_use_execmem (关 , 关) Allow virt to use execmem
ksmtuned_use_cifs (关 , 关) Allow ksmtuned to use cifs
spamassassin_can_network (关 , 关) Allow spamassassin to can network
boinc_execmem (开 , 开) Allow boinc to execmem
sanlock_use_nfs (关 , 关) Allow sanlock to use nfs
domain_kernel_load_modules (关 , 关) Allow domain to kernel load modules
collectd_tcp_network_connect (关 , 关) Allow collectd to tcp network connect
abrt_anon_write (关 , 关) Allow abrt to anon write
xserver_object_manager (关 , 关) Allow xserver to object manager
puppetagent_manage_all_files (关 , 关) Allow puppetagent to manage all files
httpd_can_sendmail (关 , 关) Allow httpd to can sendmail
samba_share_fusefs (关 , 关) Allow samba to share fusefs
mcelog_foreground (关 , 关) Allow mcelog to foreground
xend_run_qemu (开 , 开) Allow xend to run qemu
mozilla_plugin_can_network_connect (关 , 关) Allow mozilla to plugin can network connect
radius_use_jit (关 , 关) Allow radius to use jit
httpd_builtin_scripting (开 , 开) Allow httpd to builtin scripting
selinuxuser_ping (开 , 开) Allow selinuxuser to ping
authlogin_yubikey (关 , 关) Allow authlogin to yubikey
cluster_manage_all_files (关 , 关) Allow cluster to manage all files
httpd_can_connect_ldap (关 , 关) Allow httpd to can connect ldap
cobbler_anon_write (关 , 关) Allow cobbler to anon write
samba_share_nfs (关 , 关) Allow samba to share nfs
virt_use_glusterd (关 , 关) Allow virt to use glusterd
nagios_use_nfs (关 , 关) Allow nagios to use nfs
mmap_low_allowed (关 , 关) Allow mmap to low allowed
dbadm_read_user_files (关 , 关) Allow dbadm to read user files
kdumpgui_run_bootloader (关 , 关) Allow kdumpgui to run bootloader
git_cgi_enable_homedirs (关 , 关) Allow git to cgi enable homedirs
xdm_bind_vnc_tcp_port (关 , 关) Allow xdm to bind vnc tcp port
spamd_update_can_network (关 , 关) Allow spamd to update can network
ftpd_use_nfs (关 , 关) Allow ftpd to use nfs
antivirus_can_scan_system (关 , 关) Allow antivirus to can scan system
polipo_session_users (关 , 关) Allow polipo to session users
kerberos_enabled (开 , 开) Allow kerberos to enabled
httpd_can_check_spam (关 , 关) Allow httpd to can check spam
xguest_mount_media (开 , 开) Allow xguest to mount media
openshift_use_nfs (关 , 关) Allow openshift to use nfs
named_tcp_bind_http_port (关 , 关) Allow named to tcp bind http port
deny_execmem (关 , 关) Allow deny to execmem
dhcpc_exec_iptables (关 , 关) Allow dhcpc to exec iptables
logging_syslogd_can_sendmail (关 , 关) Allow logging to syslogd can sendmail
polipo_use_nfs (关 , 关) Allow polipo to use nfs
samba_run_unconfined (关 , 关) Allow samba to run unconfined
telepathy_connect_all_ports (关 , 关) Allow telepathy to connect all ports
user_exec_content (开 , 开) Allow user to exec content
neutron_can_network (关 , 关) Allow neutron to can network
mpd_use_cifs (关 , 关) Allow mpd to use cifs
ftpd_connect_all_unreserved (关 , 关) Allow ftpd to connect all unreserved
glance_api_can_network (关 , 关) Allow glance to api can network
samba_load_libgfapi (关 , 关) Allow samba to load libgfapi
gitosis_can_sendmail (关 , 关) Allow gitosis to can sendmail
redis_enable_notify (关 , 关) Allow redis to enable notify
logging_syslogd_use_tty (开 , 开) Allow logging to syslogd use tty
httpd_can_network_memcache (关 , 关) Allow httpd to can network memcache
container_manage_cgroup (关 , 关) Allow container to manage cgroup
httpd_can_network_connect_cobbler (关 , 关) Allow httpd to can network connect cobbler
httpd_anon_write (关 , 关) Allow httpd to anon write
httpd_serve_cobbler_files (关 , 关) Allow httpd to serve cobbler files
daemons_use_tty (关 , 关) Allow daemons to use tty
condor_tcp_network_connect (关 , 关) Allow condor to tcp network connect
ftpd_anon_write (关 , 关) Allow ftpd to anon write
sanlock_use_samba (关 , 关) Allow sanlock to use samba
awstats_purge_apache_log_files (关 , 关) Allow awstats to purge apache log files
virt_rw_qemu_ga_data (关 , 关) Allow virt to rw qemu ga data
sysadm_exec_content (开 , 开) Allow sysadm to exec content
unprivuser_use_svirt (关 , 关) Allow unprivuser to use svirt
use_lpd_server (关 , 关) Allow use to lpd server
abrt_upload_watch_anon_write (开 , 开) Allow abrt to upload watch anon write
cups_execmem (关 , 关) Allow cups to execmem
tmpreaper_use_nfs (关 , 关) Allow tmpreaper to use nfs
cron_system_cronjob_use_shares (关 , 关) Allow cron to system cronjob use shares
selinuxuser_use_ssh_chroot (关 , 关) Allow selinuxuser to use ssh chroot
virt_read_qemu_ga_data (关 , 关) Allow virt to read qemu ga data
git_session_bind_all_unreserved_ports (关 , 关) Allow git to session bind all unreserved ports
httpd_ssi_exec (关 , 关) Allow httpd to ssi exec
mozilla_plugin_use_spice (关 , 关) Allow mozilla to plugin use spice
httpd_use_openstack (关 , 关) Allow httpd to use openstack
httpd_enable_ftp_server (关 , 关) Allow httpd to enable ftp server
daemons_dump_core (关 , 关) Allow daemons to dump core
fcron_crond (关 , 关) Allow fcron to crond
virt_use_fusefs (关 , 关) Allow virt to use fusefs
nfs_export_all_rw (开 , 开) Allow nfs to export all rw
postgresql_selinux_transmit_client_label (关 , 关) Allow postgresql to selinux transmit client label
authlogin_radius (关 , 关) Allow authlogin to radius
cobbler_use_cifs (关 , 关) Allow cobbler to use cifs
mcelog_server (关 , 关) Allow mcelog to server
httpd_setrlimit (关 , 关) Allow httpd to setrlimit
logging_syslogd_run_nagios_plugins (关 , 关) Allow logging to syslogd run nagios plugins
squid_connect_any (开 , 开) Allow squid to connect any
ssh_sysadm_login (关 , 关) Allow ssh to sysadm login
domain_fd_use (开 , 开) Allow domain to fd use
samba_enable_home_dirs (关 , 关) Allow samba to enable home dirs
mcelog_client (关 , 关) Allow mcelog to client
tomcat_use_execmem (关 , 关) Allow tomcat to use execmem
nfs_export_all_ro (开 , 开) Allow nfs to export all ro
cron_can_relabel (关 , 关) Allow cron to can relabel
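Listing the booleans is only useful if someone reviews which ones are on. As an added example (not part of the original post), the bash script below takes sestatus -b style output and flags booleans from a small watch-list that widen what a confined daemon may do (outbound network access, anonymous writes, executable memory), printing the setsebool -P command that would turn each back off. Note that setsebool without -P, like setenforce, changes only the running policy; -P also writes the change so it survives a reboot. The watch-list and the sample output are constructed for this example; the boolean names are real targeted-policy booleans that appear in the listing above, and risky_booleans_on, remediation_commands and audit_booleans are names chosen here.

```bash
#!/bin/bash
# Added example (not from the original post): audit `sestatus -b` output
# against a watch-list of booleans that loosen confinement, and produce the
# persistent remediation command for each one found on.
# Watch-list and sample output are constructed for this example.

# Booleans a reviewer would want justified before leaving them on.
WATCHLIST='httpd_can_network_connect
httpd_can_network_connect_db
httpd_anon_write
httpd_execmem
ftpd_anon_write
ftpd_full_access
samba_export_all_rw
mysql_connect_any'

# Constructed sestatus -b style snippet in which two risky booleans are on.
SAMPLE_BOOLEANS='Policy booleans:
abrt_anon_write off
httpd_anon_write on
httpd_can_network_connect on
httpd_can_network_connect_db off
ftpd_anon_write off
mysql_connect_any off
samba_export_all_rw off
deny_ptrace off'

# Read "name state" lines on stdin; print the name of every watch-listed
# boolean whose state is on. Header lines like "Policy booleans:" never
# have "on" as their second field, so they fall through.
risky_booleans_on() {
    awk -v list="$WATCHLIST" '
        BEGIN { n = split(list, names, "\n"); for (i = 1; i <= n; i++) watch[names[i]] = 1 }
        NF == 2 && $2 == "on" && ($1 in watch) { print $1 }'
}

# Emit (do not run) the command that restores each finding persistently.
remediation_commands() {
    risky_booleans_on | awk '{ printf "setsebool -P %s off\n", $1 }'
}

# Exit status is the number of findings, so 0 means nothing risky is on.
audit_booleans() {
    local count
    count=$(risky_booleans_on | wc -l | tr -d ' ')
    return "$count"
}

# Stand-alone demo on the constructed sample:
printf '%s\n' "$SAMPLE_BOOLEANS" | remediation_commands
```

On a live host the pipeline is sestatus -b | risky_booleans_on, or sestatus -b | audit_booleans in a cron job whose non-zero exit status raises an alert. The watch-list is deliberately short and opinionated; the right list for a given fleet is whatever booleans its change process requires a ticket for, and the point of the script is that an unexplained flip of one of them is caught rather than discovered during an incident.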