CentOS: what you must know about SELinux (Security-Enhanced Linux) policy

This post was last updated 1123 days ago; the information in it may be out of date.

SELinux is short for Security-Enhanced Linux. It is a kernel module developed by the US National Security Agency (NSA) and is mainly used on Red Hat Linux and its derivatives such as CentOS; Ubuntu, SUSE and their derivatives use AppArmor instead.

Traditional Linux uses Discretionary Access Control (DAC). Under DAC a process runs with a user ID (UID), or with the owner's ID through a set-owner-user-ID (SUID) bit, and inherits all of that user's permissions on files, sockets and other resources, so malicious code can easily run with whatever privileges that user holds.

Mandatory Access Control (MAC) enforces isolation on the basis of confidentiality and integrity in order to limit damage. Whether a resource may be accessed is decided not only by the user's identity but also by whether each process is allowed to access that class of resource. So even a process running as root still has its process type checked against the resource types it is allowed to touch before access is granted, which shrinks each process's room to act to the minimum. SELinux is an implementation of MAC.

Put plainly, SELinux minimises the resources that service processes on the system can reach, so when it is enabled with the defaults the security level is very high and many routine operations are restricted.

In SELinux, when a subject (for example a program) wants to access an object (for example a file), the kernel's policy database looks up the system's current running mode and, according to that mode and the loaded policy, decides whether to grant access to the object. If access is denied, a denial message is recorded in /var/log/messages.
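A denial ends up as an AVC record. What follows is an added example, not code from the original post: a small POSIX shell triage helper that pulls the source type, the refused permission and the target type/class out of one such record and tells whether the access was really blocked (permissive=0) or only logged (permissive=1). The record is constructed for illustration; its field layout is the kernel's real AVC format. On a CentOS 7 host with auditd running these records live in /var/log/audit/audit.log, and setroubleshoot writes its summaries to /var/log/messages.

```shell
#!/bin/sh
# Added example, not code from the original post: parse one SELinux AVC
# denial record into the fields an administrator needs for triage.

# Constructed sample record: httpd was refused read access to a file that
# carries a user home-directory label. Field layout is the real AVC format.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_field RECORD KEY -> value of the "KEY=value" pair, quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_permission RECORD -> the permission(s) listed inside "{ ... }"
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT -> the type field of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD -> "source_type permission target_type:class"
avc_summary() {
    rec=$1
    printf '%s %s %s:%s' \
        "$(ctx_type "$(avc_field "$rec" scontext)")" \
        "$(avc_permission "$rec")" \
        "$(ctx_type "$(avc_field "$rec" tcontext)")" \
        "$(avc_field "$rec" tclass)"
}

# avc_enforced RECORD -> exit 0 if the access was really blocked
# (permissive=0); permissive=1 means the system only logged it
avc_enforced() {
    [ "$(avc_field "$1" permissive)" = 0 ]
}

# Demo on the constructed record
avc_summary "$SAMPLE_AVC"; echo
if avc_enforced "$SAMPLE_AVC"; then
    echo "blocked (enforcing)"
else
    echo "logged only (permissive)"
fi
```

The summary line ("httpd_t read user_home_t:file" for the sample) is the triple you need before deciding whether the fix is a relabel, a boolean, or a custom module; the permissive flag tells you whether the application actually failed or just left a trace while the host was in permissive mode.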

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

By default, current CentOS systems run SELinux in enforcing mode. The getenforce command shows the current mode.

When SELinux is in enforcing or permissive mode, sestatus -v shows the policy details; when it is disabled, no further information is available.

[root@centos7 ~]# getenforce
Enforcing
[root@centos7 ~]# sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

Process contexts:
Current context:                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context:                   system_u:system_r:init_t:s0
/usr/sbin/sshd                  system_u:system_r:sshd_t:s0-s0:c0.c1023

File contexts:
Controlling terminal:           unconfined_u:object_r:user_devpts_t:s0
/etc/passwd                     system_u:object_r:passwd_file_t:s0
/etc/shadow                     system_u:object_r:shadow_t:s0
/bin/bash                       system_u:object_r:shell_exec_t:s0
/bin/login                      system_u:object_r:login_exec_t:s0
/bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty                    system_u:object_r:getty_exec_t:s0
/sbin/init                      system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0
[root@centos7 ~]# setenforce 0
[root@centos7 ~]# getenforce
Permissive
[root@centos7 ~]# sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

Process contexts:
Current context:                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context:                   system_u:system_r:init_t:s0
/usr/sbin/sshd                  system_u:system_r:sshd_t:s0-s0:c0.c1023

File contexts:
Controlling terminal:           unconfined_u:object_r:user_devpts_t:s0
/etc/passwd                     system_u:object_r:passwd_file_t:s0
/etc/shadow                     system_u:object_r:shadow_t:s0
/bin/bash                       system_u:object_r:shell_exec_t:s0
/bin/login                      system_u:object_r:login_exec_t:s0
/bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty                    system_u:object_r:getty_exec_t:s0
/sbin/init                      system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0
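The output above shows the point worth watching: after setenforce 0 the host reports "Current mode: permissive" while "Mode from config file" still says enforcing. The following is an added example, not code from the original post: a POSIX shell check that parses sestatus output and the SELINUX= line of /etc/selinux/config (the file whose contents are listed earlier in this post) and flags a mismatch between the running and configured modes, or a config that would bring the machine up disabled. All input is constructed inline so it runs anywhere; on a real host pass it "$(sestatus)" and "$(cat /etc/selinux/config)".

```shell
#!/bin/sh
# Added example, not code from the original post: detect when the running
# SELinux mode no longer matches the configured one.

# Constructed: what sestatus reports after someone ran `setenforce 0`
SAMPLE_SESTATUS='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled'

# Constructed: a config file in the same shape as /etc/selinux/config
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
SELINUX=enforcing
SELINUXTYPE=targeted'

# sestatus_value OUTPUT LABEL -> the value printed after "LABEL:"
sestatus_value() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p"
}

# config_value TEXT KEY -> value of "KEY=value"; comment lines never match
config_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p"
}

# mode_drift SESTATUS_OUTPUT -> prints both modes; exit status 1 when the
# running mode differs from the configured one (a runtime `setenforce`
# change that vanishes at reboot, or a host that is permissive although
# its config says enforcing)
mode_drift() {
    cur=$(sestatus_value "$1" "Current mode")
    cfg=$(sestatus_value "$1" "Mode from config file")
    printf 'runtime=%s config=%s\n' "$cur" "$cfg"
    [ "$cur" = "$cfg" ]
}

# config_enforcing CONFIG_TEXT -> exit 0 only when the file will bring the
# system up enforcing; "disabled", "permissive" and typos all fail
config_enforcing() {
    case $(config_value "$1" SELINUX) in
        enforcing) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on the constructed input
mode_drift "$SAMPLE_SESTATUS" || echo "WARNING: runtime mode differs from config"
config_enforcing "$SAMPLE_CONFIG" && echo "config will boot enforcing"
```

Run mode_drift from a periodic job or a configuration-management check: a permissive host that should be enforcing is a silent gap, because the policy still logs but no longer blocks anything.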

sestatus -b additionally lists the policy's boolean settings.

[root@centos7 ~]# sestatus -b
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

Policy booleans:
abrt_anon_write                             off
abrt_handle_event                           off
abrt_upload_watch_anon_write                on	allow abrt's upload watch to write anonymously; on by default
antivirus_can_scan_system                   off
antivirus_use_jit                           off
auditadm_exec_content                       on	allow auditadm to execute content; on by default
authlogin_nsswitch_use_ldap                 off
authlogin_radius                            off
authlogin_yubikey                           off
awstats_purge_apache_log_files              off
boinc_execmem                               on
cdrecord_read_content                       off
cluster_can_network_connect                 off
cluster_manage_all_files                    off
cluster_use_execmem                         off
cobbler_anon_write                          off
cobbler_can_network_connect                 off
cobbler_use_cifs                            off
cobbler_use_nfs                             off
collectd_tcp_network_connect                off
condor_tcp_network_connect                  off
conman_can_network                          off
conman_use_nfs                              off
container_connect_any                       off
container_manage_cgroup                     off
container_use_cephfs                        off
cron_can_relabel                            off
cron_system_cronjob_use_shares              off
cron_userdomain_transition                  on
cups_execmem                                off
cvs_read_shadow                             off
daemons_dump_core                           off
daemons_enable_cluster_mode                 off
daemons_use_tcp_wrapper                     off
daemons_use_tty                             off
dbadm_exec_content                          on
dbadm_manage_user_files                     off
dbadm_read_user_files                       off
deny_execmem                                off
deny_ptrace                                 off
dhcpc_exec_iptables                         off
dhcpd_use_ldap                              off
domain_can_mmap_files                       on
domain_can_write_kmsg                       off
domain_fd_use                               on
domain_kernel_load_modules                  off
entropyd_use_audio                          on
exim_can_connect_db                         off
exim_manage_user_files                      off
exim_read_user_files                        off
fcron_crond                                 off
fenced_can_network_connect                  off
fenced_can_ssh                              off
fips_mode                                   on
ftpd_anon_write                             off
ftpd_connect_all_unreserved                 off
ftpd_connect_db                             off
ftpd_full_access                            off
ftpd_use_cifs                               off
ftpd_use_fusefs                             off
ftpd_use_nfs                                off	allow the ftpd service to use NFS; off by default
ftpd_use_passive_mode                       off
ganesha_use_fusefs                          off
git_cgi_enable_homedirs                     off
git_cgi_use_cifs                            off
git_cgi_use_nfs                             off
git_session_bind_all_unreserved_ports       off
git_session_users                           off
git_system_enable_homedirs                  off
git_system_use_cifs                         off
git_system_use_nfs                          off
gitosis_can_sendmail                        off
glance_api_can_network                      off
glance_use_execmem                          off
glance_use_fusefs                           off
global_ssp                                  off
gluster_anon_write                          off
gluster_export_all_ro                       off
gluster_export_all_rw                       on
gluster_use_execmem                         off
gpg_web_anon_write                          off
gssd_read_tmp                               on
guest_exec_content                          on
haproxy_connect_any                         off
httpd_anon_write                            off
httpd_builtin_scripting                     on
httpd_can_check_spam                        off
httpd_can_connect_ftp                       off allow httpd to connect to FTP services over the network; off by default
httpd_can_connect_ldap                      off
httpd_can_connect_mythtv                    off
httpd_can_connect_zabbix                    off
httpd_can_network_connect                   off allow httpd to make network connections; off by default
httpd_can_network_connect_cobbler           off
httpd_can_network_connect_db                off allow httpd to connect to databases over the network; off by default
httpd_can_network_memcache                  off allow httpd to connect to memcache over the network; off by default
httpd_can_network_relay                     off allow httpd to act as a network relay; off by default
httpd_can_sendmail                          off allow httpd to send mail; off by default
httpd_dbus_avahi                            off
httpd_dbus_sssd                             off
httpd_dontaudit_search_dirs                 off
httpd_enable_cgi                            on
httpd_enable_ftp_server                     off
httpd_enable_homedirs                       off
httpd_execmem                               off
httpd_graceful_shutdown                     on
httpd_manage_ipa                            off
httpd_mod_auth_ntlm_winbind                 off
httpd_mod_auth_pam                          off
httpd_read_user_content                     off
httpd_run_ipa                               off
httpd_run_preupgrade                        off
httpd_run_stickshift                        off
httpd_serve_cobbler_files                   off
httpd_setrlimit                             off
httpd_ssi_exec                              off
httpd_sys_script_anon_write                 off
httpd_tmp_exec                              off
httpd_tty_comm                              off
httpd_unified                               off
httpd_use_cifs                              off
httpd_use_fusefs                            off
httpd_use_gpg                               off
httpd_use_nfs                               off
httpd_use_openstack                         off
httpd_use_sasl                              off
httpd_verify_dns                            off
icecast_use_any_tcp_ports                   off
irc_use_any_tcp_ports                       off
irssi_use_full_network                      off
kdumpgui_run_bootloader                     off
keepalived_connect_any                      off
kerberos_enabled                            on
ksmtuned_use_cifs                           off
ksmtuned_use_nfs                            off
logadm_exec_content                         on
logging_syslogd_can_sendmail                off
logging_syslogd_run_nagios_plugins          off
logging_syslogd_use_tty                     on
login_console_enabled                       on
logrotate_read_inside_containers            off
logrotate_use_nfs                           off
logwatch_can_network_connect_mail           off
lsmd_plugin_connect_any                     off
mailman_use_fusefs                          off
mcelog_client                               off
mcelog_exec_scripts                         on
mcelog_foreground                           off
mcelog_server                               off
minidlna_read_generic_user_content          off
mmap_low_allowed                            off
mock_enable_homedirs                        off
mount_anyfile                               on
mozilla_plugin_bind_unreserved_ports        off
mozilla_plugin_can_network_connect          off
mozilla_plugin_use_bluejeans                off
mozilla_plugin_use_gps                      off
mozilla_plugin_use_spice                    off
mozilla_read_content                        off
mpd_enable_homedirs                         off
mpd_use_cifs                                off
mpd_use_nfs                                 off
mplayer_execstack                           off
mysql_connect_any                           off	allow mysql to connect to anything; off by default
nagios_run_pnp4nagios                       off
nagios_run_sudo                             off
nagios_use_nfs                              off
named_tcp_bind_http_port                    off
named_write_master_zones                    off
neutron_can_network                         off
nfs_export_all_ro                           on
nfs_export_all_rw                           on
nfsd_anon_write                             off
nis_enabled                                 off
nscd_use_shm                                on
openshift_use_nfs                           off
openvpn_can_network_connect                 on
openvpn_enable_homedirs                     on
openvpn_run_unconfined                      off
pcp_bind_all_unreserved_ports               off
pcp_read_generic_logs                       off
piranha_lvs_can_network_connect             off
polipo_connect_all_unreserved               off
polipo_session_bind_all_unreserved_ports    off
polipo_session_users                        off
polipo_use_cifs                             off
polipo_use_nfs                              off
polyinstantiation_enabled                   off
postfix_local_write_mail_spool              on
postgresql_can_rsync                        off
postgresql_selinux_transmit_client_label    off
postgresql_selinux_unconfined_dbadm         on
postgresql_selinux_users_ddl                on
pppd_can_insmod                             off
pppd_for_user                               off
privoxy_connect_any                         on
prosody_bind_http_port                      off
puppetagent_manage_all_files                off
puppetmaster_use_db                         off
racoon_read_shadow                          off
radius_use_jit                              off
redis_enable_notify                         off
rpcd_use_fusefs                             off
rsync_anon_write                            off
rsync_client                                off
rsync_export_all_ro                         off
rsync_full_access                           off
samba_create_home_dirs                      off
samba_domain_controller                     off
samba_enable_home_dirs                      off
samba_export_all_ro                         off
samba_export_all_rw                         off
samba_load_libgfapi                         off
samba_portmapper                            off
samba_run_unconfined                        off
samba_share_fusefs                          off
samba_share_nfs                             off
sanlock_enable_home_dirs                    off
sanlock_use_fusefs                          off
sanlock_use_nfs                             off
sanlock_use_samba                           off
saslauthd_read_shadow                       off
secadm_exec_content                         on
secure_mode                                 off
secure_mode_insmod                          off
secure_mode_policyload                      off
selinuxuser_direct_dri_enabled              on
selinuxuser_execheap                        off
selinuxuser_execmod                         on
selinuxuser_execstack                       on
selinuxuser_mysql_connect_enabled           off
selinuxuser_ping                            on
selinuxuser_postgresql_connect_enabled      off
selinuxuser_rw_noexattrfile                 on
selinuxuser_share_music                     off
selinuxuser_tcp_server                      off
selinuxuser_udp_server                      off
selinuxuser_use_ssh_chroot                  off
sge_domain_can_network_connect              off
sge_use_nfs                                 off
smartmon_3ware                              off
smbd_anon_write                             off
spamassassin_can_network                    off
spamd_enable_home_dirs                      on
spamd_update_can_network                    off
squid_connect_any                           on
squid_use_tproxy                            off
ssh_chroot_rw_homedirs                      off
ssh_keysign                                 off
ssh_sysadm_login                            off
staff_exec_content                          on
staff_use_svirt                             off
swift_can_network                           off
sysadm_exec_content                         on
telepathy_connect_all_ports                 off
telepathy_tcp_connect_generic_network_ports on
tftp_anon_write                             off
tftp_home_dir                               off
tmpreaper_use_cifs                          off
tmpreaper_use_nfs                           off
tmpreaper_use_samba                         off
tomcat_can_network_connect_db               off
tomcat_read_rpm_db                          off
tomcat_use_execmem                          off
tor_bind_all_unreserved_ports               off
tor_can_network_relay                       off
unconfined_chrome_sandbox_transition        on
unconfined_login                            on
unconfined_mozilla_plugin_transition        on
unprivuser_use_svirt                        off
use_ecryptfs_home_dirs                      off
use_fusefs_home_dirs                        off
use_lpd_server                              off
use_nfs_home_dirs                           off
use_samba_home_dirs                         off
user_exec_content                           on
varnishd_connect_any                        off
virt_read_qemu_ga_data                      off
virt_rw_qemu_ga_data                        off
virt_sandbox_use_all_caps                   on
virt_sandbox_use_audit                      on
virt_sandbox_use_fusefs                     off
virt_sandbox_use_mknod                      off
virt_sandbox_use_netlink                    off
virt_sandbox_use_sys_admin                  off
virt_transition_userdomain                  off
virt_use_comm                               off
virt_use_execmem                            off
virt_use_fusefs                             off
virt_use_glusterd                           off
virt_use_nfs                                on
virt_use_rawip                              off
virt_use_samba                              off
virt_use_sanlock                            off
virt_use_usb                                on
virt_use_xserver                            off
webadm_manage_user_files                    off
webadm_read_user_files                      off
wine_mmap_zero_ignore                       off
xdm_bind_vnc_tcp_port                       off
xdm_exec_bootloader                         off
xdm_sysadm_login                            off
xdm_write_home                              off
xen_use_nfs                                 off
xend_run_blktap                             on
xend_run_qemu                               on
xguest_connect_network                      on
xguest_exec_content                         on
xguest_mount_media                          on
xguest_use_bluetooth                        on
xserver_clients_write_xshm                  off
xserver_execmem                             off
xserver_object_manager                      off
zabbix_can_network                          off
zabbix_run_sudo                             off
zarafa_setrlimit                            off
zebra_write_config                          off
zoneminder_anon_write                       off
zoneminder_run_sudo                         off
[root@centos7 ~]# 

semanage boolean --list shows each boolean's current setting, its stored value and a description; semanage boolean -h prints the help. setsebool <boolean> <state> changes a boolean temporarily.
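To act on that listing rather than read it by eye, here is an added example, not code from the original post: a POSIX shell audit that parses semanage boolean --list output in the shape shown below (the Chinese-locale 开/关 states as well as English on/off), reports booleans whose active state differs from the value stored in the policy (the second column, which a runtime-only setsebool leaves untouched), and flags a small watch list of booleans that widen a daemon's reach when turned on. The sample rows are constructed, and the watch list is my own selection of names from the page's listing, not anything the page recommends.

```shell
#!/bin/sh
# Added example, not code from the original post: audit SELinux booleans
# from `semanage boolean --list` output.

# Constructed sample rows in the shape printed on this page (Chinese locale;
# an English locale prints "on"/"off" inside the parentheses). Columns are
# name, (active state , persistent value), description.
SAMPLE_BOOLEANS='SELinux 布尔值                    状态  默认 描述
httpd_can_network_connect      (开    ,    关)  Allow httpd to can network connect
httpd_can_sendmail             (关    ,    关)  Allow httpd to can sendmail
ftpd_full_access               (关    ,    关)  Allow ftpd to full access
nfs_export_all_rw              (开    ,    开)  Allow nfs to export all rw'

# Booleans that widen a daemon's reach when on. This watch list is my own
# choice for the example, using names that appear in the page's listing.
WATCH_LIST='httpd_can_network_connect httpd_can_network_connect_db httpd_can_sendmail ftpd_full_access mysql_connect_any samba_export_all_rw nfs_export_all_rw'

# norm_state WORD -> "on" or "off" whatever the locale printed
norm_state() {
    case $1 in
        on|开)  echo on ;;
        off|关) echo off ;;
        *)      echo "unknown:$1" ;;
    esac
}

# boolean_rows LISTING -> one "name active persistent" line per boolean
boolean_rows() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in
            *'('*','*')'*) ;;   # data rows carry "(state , value)"
            *) continue ;;      # header or blank line
        esac
        name=${line%% *}
        inner=$(printf '%s\n' "$line" | sed 's/^[^(]*(\([^)]*\)).*/\1/')
        active=$(norm_state "$(printf '%s' "${inner%%,*}" | tr -d ' ')")
        persist=$(norm_state "$(printf '%s' "${inner#*,}" | tr -d ' ')")
        printf '%s %s %s\n' "$name" "$active" "$persist"
    done
}

# boolean_drift LISTING -> booleans changed at runtime only (active value
# differs from the stored one), i.e. `setsebool` without -P; these revert
# at the next reboot
boolean_drift() {
    boolean_rows "$1" | while read -r name active persist; do
        if [ "$active" != "$persist" ]; then
            printf '%s %s %s\n' "$name" "$active" "$persist"
        fi
    done
}

# risky_enabled LISTING -> watch-listed booleans that are currently on
risky_enabled() {
    boolean_rows "$1" | while read -r name active persist; do
        case " $WATCH_LIST " in
            *" $name "*) if [ "$active" = on ]; then printf '%s\n' "$name"; fi ;;
        esac
    done
}

# Demo on the constructed listing
echo "runtime-only changes:"; boolean_drift "$SAMPLE_BOOLEANS"
echo "watch-listed booleans that are on:"; risky_enabled "$SAMPLE_BOOLEANS"
```

On a real host call boolean_drift "$(semanage boolean --list)". A boolean that shows up there was flipped with setsebool and will revert at reboot; if the change is intended, make it persistent with setsebool -P so the two columns agree, and if it is not, the entry is a lead worth following up in the audit log.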

[root@vircent7 ~]# semanage boolean --list
SELinux 布尔值                    状态  默认 描述
privoxy_connect_any            (开    ,    开)  Allow privoxy to connect any
smartmon_3ware                 (关    ,    关)  Allow smartmon to 3ware
mpd_enable_homedirs            (关    ,    关)  Allow mpd to enable homedirs
xdm_sysadm_login               (关    ,    关)  Allow xdm to sysadm login
xen_use_nfs                    (关    ,    关)  Allow xen to use nfs
mozilla_read_content           (关    ,    关)  Allow mozilla to read content
ssh_chroot_rw_homedirs         (关    ,    关)  Allow ssh to chroot rw homedirs
mount_anyfile                  (开    ,    开)  Allow mount to anyfile
cron_userdomain_transition     (开    ,    开)  Allow cron to userdomain transition
xdm_write_home                 (关    ,    关)  Allow xdm to write home
openvpn_can_network_connect    (开    ,    开)  Allow openvpn to can network connect
xserver_execmem                (关    ,    关)  Allow xserver to execmem
minidlna_read_generic_user_content (关    ,    关)  Allow minidlna to read generic user content
authlogin_nsswitch_use_ldap    (关    ,    关)  Allow authlogin to nsswitch use ldap
gluster_anon_write             (关    ,    关)  Allow gluster to anon write
piranha_lvs_can_network_connect (关    ,    关)  Allow piranha to lvs can network connect
selinuxuser_execmod            (开    ,    开)  Allow selinuxuser to execmod
httpd_can_network_relay        (关    ,    关)  Allow httpd to can network relay
openvpn_enable_homedirs        (开    ,    开)  Allow openvpn to enable homedirs
glance_use_execmem             (关    ,    关)  Allow glance to use execmem
telepathy_tcp_connect_generic_network_ports (开    ,    开)  Allow telepathy to tcp connect generic network ports
httpd_can_connect_mythtv       (关    ,    关)  Allow httpd to can connect mythtv
unconfined_mozilla_plugin_transition (开    ,    开)  Allow unconfined to mozilla plugin transition
nagios_run_sudo                (关    ,    关)  Allow nagios to run sudo
httpd_can_network_connect_db   (关    ,    关)  Allow httpd to can network connect db
use_ecryptfs_home_dirs         (关    ,    关)  Allow use to ecryptfs home dirs
mpd_use_nfs                    (关    ,    关)  Allow mpd to use nfs
postgresql_can_rsync           (关    ,    关)  Allow postgresql to can rsync
polipo_connect_all_unreserved  (关    ,    关)  Allow polipo to connect all unreserved
httpd_use_gpg                  (关    ,    关)  Allow httpd to use gpg
samba_export_all_rw            (关    ,    关)  Allow samba to export all rw
samba_domain_controller        (关    ,    关)  Allow samba to domain controller
httpd_dbus_sssd                (关    ,    关)  Allow httpd to dbus sssd
selinuxuser_udp_server         (关    ,    关)  Allow selinuxuser to udp server
fenced_can_network_connect     (关    ,    关)  Allow fenced to can network connect
httpd_enable_cgi               (开    ,    开)  Allow httpd to enable cgi
polipo_use_cifs                (关    ,    关)  Allow polipo to use cifs
xend_run_blktap                (开    ,    开)  Allow xend to run blktap
httpd_verify_dns               (关    ,    关)  Allow httpd to verify dns
ftpd_use_cifs                  (关    ,    关)  Allow ftpd to use cifs
polyinstantiation_enabled      (关    ,    关)  Allow polyinstantiation to enabled
virt_use_nfs                   (开    ,    开)  Allow virt to use nfs
virt_use_comm                  (关    ,    关)  Allow virt to use comm
tmpreaper_use_cifs             (关    ,    关)  Allow tmpreaper to use cifs
rsync_client                   (关    ,    关)  Allow rsync to client
xdm_exec_bootloader            (关    ,    关)  Allow xdm to exec bootloader
exim_read_user_files           (关    ,    关)  Allow exim to read user files
use_nfs_home_dirs              (关    ,    关)  Allow use to nfs home dirs
swift_can_network              (关    ,    关)  Allow swift to can network
xserver_clients_write_xshm     (关    ,    关)  Allow xserver to clients write xshm
container_connect_any          (关    ,    关)  Allow container to connect any
ksmtuned_use_nfs               (关    ,    关)  Allow ksmtuned to use nfs
entropyd_use_audio             (开    ,    开)  Allow entropyd to use audio
selinuxuser_share_music        (关    ,    关)  Allow selinuxuser to share music
httpd_dontaudit_search_dirs    (关    ,    关)  Allow httpd to dontaudit search dirs
named_write_master_zones       (关    ,    关)  Allow named to write master zones
git_system_use_cifs            (关    ,    关)  Allow git to system use cifs
samba_portmapper               (关    ,    关)  Allow samba to portmapper
nagios_run_pnp4nagios          (关    ,    关)  Allow nagios to run pnp4nagios
postgresql_selinux_users_ddl   (开    ,    开)  Allow postgresql to selinux users ddl
tor_bind_all_unreserved_ports  (关    ,    关)  Allow tor to bind all unreserved ports
logrotate_read_inside_containers (关    ,    关)  Allow logrotate to read inside containers
mcelog_exec_scripts            (开    ,    开)  Allow mcelog to exec scripts
zebra_write_config             (关    ,    关)  Allow zebra to write config
cvs_read_shadow                (关    ,    关)  Allow cvs to read shadow
httpd_use_cifs                 (关    ,    关)  Allow httpd to use cifs
deny_ptrace                    (关    ,    关)  Allow deny to ptrace
ssh_keysign                    (关    ,    关)  Allow ssh to keysign
postfix_local_write_mail_spool (开    ,    开)  Allow postfix to local write mail spool
antivirus_use_jit              (关    ,    关)  Allow antivirus to use jit
logwatch_can_network_connect_mail (关    ,    关)  Allow logwatch to can network connect mail
secure_mode                    (关    ,    关)  Allow secure to mode
gluster_export_all_ro          (关    ,    关)  Allow gluster to export all ro
httpd_manage_ipa               (关    ,    关)  Allow httpd to manage ipa
virt_sandbox_use_sys_admin     (关    ,    关)  Allow virt to sandbox use sys admin
conman_can_network             (关    ,    关)  Allow conman to can network
pppd_for_user                  (关    ,    关)  Allow pppd to for user
samba_export_all_ro            (关    ,    关)  Allow samba to export all ro
ftpd_connect_db                (关    ,    关)  Allow ftpd to connect db
git_system_enable_homedirs     (关    ,    关)  Allow git to system enable homedirs
use_samba_home_dirs            (关    ,    关)  Allow use to samba home dirs
domain_can_write_kmsg          (关    ,    关)  Allow domain to can write kmsg
mock_enable_homedirs           (关    ,    关)  Allow mock to enable homedirs
sge_domain_can_network_connect (关    ,    关)  Allow sge to domain can network connect
httpd_run_stickshift           (关    ,    关)  Allow httpd to run stickshift
samba_create_home_dirs         (关    ,    关)  Allow samba to create home dirs
virt_transition_userdomain     (关    ,    关)  Allow virt to transition userdomain
mozilla_plugin_bind_unreserved_ports (关    ,    关)  Allow mozilla to plugin bind unreserved ports
git_session_users              (关    ,    关)  Allow git to session users
zabbix_can_network             (关    ,    关)  Allow zabbix to can network
fenced_can_ssh                 (关    ,    关)  Allow fenced to can ssh
zoneminder_run_sudo            (关    ,    关)  Allow zoneminder to run sudo
httpd_enable_homedirs          (关    ,    关)  Allow httpd to enable homedirs
gpg_web_anon_write             (关    ,    关)  Allow gpg to web anon write
lsmd_plugin_connect_any        (关    ,    关)  Allow lsmd to plugin connect any
selinuxuser_direct_dri_enabled (开    ,    开)  Allow selinuxuser to direct dri enabled
nfsd_anon_write                (关    ,    关)  Allow nfsd to anon write
gluster_use_execmem            (关    ,    关)  Allow gluster to use execmem
mysql_connect_any              (关    ,    关)  Allow mysql to connect any
glance_use_fusefs              (关    ,    关)  Allow glance to use fusefs
polipo_session_bind_all_unreserved_ports (关    ,    关)  Allow polipo to session bind all unreserved ports
cluster_can_network_connect    (关    ,    关)  Allow cluster to can network connect
httpd_dbus_avahi               (关    ,    关)  Allow httpd to dbus avahi
ftpd_use_fusefs                (关    ,    关)  Allow ftpd to use fusefs
sanlock_use_fusefs             (关    ,    关)  Allow sanlock to use fusefs
rsync_full_access              (关    ,    关)  Allow rsync to full access
global_ssp                     (关    ,    关)  Allow global to ssp
cobbler_can_network_connect    (关    ,    关)  Allow cobbler to can network connect
virt_sandbox_use_audit         (开    ,    开)  Allow virt to sandbox use audit
staff_use_svirt                (关    ,    关)  Allow staff to use svirt
squid_use_tproxy               (关    ,    关)  Allow squid to use tproxy
ftpd_full_access               (关    ,    关)  Allow ftpd to full access
gluster_export_all_rw          (开    ,    开)  Allow gluster to export all rw
secure_mode_policyload         (关    ,    关)  Allow secure to mode policyload
virt_use_rawip                 (关    ,    关)  Allow virt to use rawip
dbadm_manage_user_files        (关    ,    关)  Allow dbadm to manage user files
domain_can_mmap_files          (开    ,    开)  Allow domain to can mmap files
abrt_handle_event              (关    ,    关)  Allow abrt to handle event
fips_mode                      (开    ,    开)  Allow fips to mode
rpcd_use_fusefs                (关    ,    关)  Allow rpcd to use fusefs
webadm_manage_user_files       (关    ,    关)  Allow webadm to manage user files
virt_sandbox_use_mknod         (关    ,    关)  Allow virt to sandbox use mknod
tomcat_can_network_connect_db  (关    ,    关)  Allow tomcat to can network connect db
git_system_use_nfs             (关    ,    关)  Allow git to system use nfs
gssd_read_tmp                  (开    ,    开)  Allow gssd to read tmp
httpd_unified                  (关    ,    关)  Allow httpd to unified
staff_exec_content             (开    ,    开)  Allow staff to exec content
virt_sandbox_use_netlink       (关    ,    关)  Allow virt to sandbox use netlink
tftp_anon_write                (关    ,    关)  Allow tftp to anon write
irc_use_any_tcp_ports          (关    ,    关)  Allow irc to use any tcp ports
xguest_exec_content            (开    ,    开)  Allow xguest to exec content
saslauthd_read_shadow          (关    ,    关)  Allow saslauthd to read shadow
openvpn_run_unconfined         (关    ,    关)  Allow openvpn to run unconfined
httpd_mod_auth_pam             (关    ,    关)  Allow httpd to mod auth pam
selinuxuser_rw_noexattrfile    (开    ,    开)  Allow selinuxuser to rw noexattrfile
httpd_can_network_connect      (关    ,    关)  Allow httpd to can network connect
keepalived_connect_any         (关    ,    关)  Allow keepalived to connect any
exim_can_connect_db            (关    ,    关)  Allow exim to can connect db
auditadm_exec_content          (开    ,    开)  Allow auditadm to exec content
git_cgi_use_nfs                (关    ,    关)  Allow git to cgi use nfs
xguest_connect_network         (开    ,    开)  Allow xguest to connect network
varnishd_connect_any           (关    ,    关)  Allow varnishd to connect any
tftp_home_dir                  (关    ,    关)  Allow tftp to home dir
guest_exec_content             (开    ,    开)  Allow guest to exec content
exim_manage_user_files         (关    ,    关)  Allow exim to manage user files
httpd_execmem                  (关    ,    关)  Allow httpd to execmem
virt_use_xserver               (关    ,    关)  Allow virt to use xserver
httpd_use_fusefs               (关    ,    关)  Allow httpd to use fusefs
cdrecord_read_content          (关    ,    关)  Allow cdrecord to read content
cluster_use_execmem            (关    ,    关)  Allow cluster to use execmem
login_console_enabled          (开    ,    开)  Allow login to console enabled
httpd_mod_auth_ntlm_winbind    (关    ,    关)  Allow httpd to mod auth ntlm winbind
logrotate_use_nfs              (关    ,    关)  Allow logrotate to use nfs
selinuxuser_postgresql_connect_enabled (关    ,    关)  Allow selinuxuser to postgresql connect enabled
httpd_use_sasl                 (关    ,    关)  Allow httpd to use sasl
httpd_tty_comm                 (关    ,    关)  Allow httpd to tty comm
httpd_sys_script_anon_write    (关    ,    关)  Allow httpd to sys script anon write
rsync_anon_write               (关    ,    关)  Allow rsync to anon write
mplayer_execstack              (关    ,    关)  Allow mplayer to execstack
zoneminder_anon_write          (关    ,    关)  Allow zoneminder to anon write
selinuxuser_tcp_server         (关    ,    关)  Allow selinuxuser to tcp server
dbadm_exec_content             (开    ,    开)  Allow dbadm to exec content
postgresql_selinux_unconfined_dbadm (开    ,    开)  Allow postgresql to selinux unconfined dbadm
selinuxuser_execheap           (关    ,    关)  Allow selinuxuser to execheap
conman_use_nfs                 (关    ,    关)  Allow conman to use nfs
virt_use_sanlock               (关    ,    关)  Allow virt to use sanlock
virt_use_samba                 (关    ,    关)  Allow virt to use samba
irssi_use_full_network         (关    ,    关)  Allow irssi to use full network
mozilla_plugin_use_bluejeans   (关    ,    关)  Allow mozilla to plugin use bluejeans
tmpreaper_use_samba            (关    ,    关)  Allow tmpreaper to use samba
nscd_use_shm                   (开    ,    开)  Allow nscd to use shm
tomcat_read_rpm_db             (关    ,    关)  Allow tomcat to read rpm db
zabbix_run_sudo                (关    ,    关)  Allow zabbix to run sudo
haproxy_connect_any            (关    ,    关)  Allow haproxy to connect any
wine_mmap_zero_ignore          (关    ,    关)  Allow wine to mmap zero ignore
racoon_read_shadow             (关    ,    关)  Allow racoon to read shadow
puppetmaster_use_db            (关    ,    关)  Allow puppetmaster to use db
httpd_graceful_shutdown        (开    ,    开)  Allow httpd to graceful shutdown
nis_enabled                    (关    ,    关)  Allow nis to enabled
logadm_exec_content            (开    ,    开)  Allow logadm to exec content
container_use_cephfs           (关    ,    关)  Allow container to use cephfs
unconfined_login               (开    ,    开)  Allow unconfined to login
secure_mode_insmod             (关    ,    关)  Allow secure to mode insmod
virt_sandbox_use_fusefs        (关    ,    关)  Allow virt to sandbox use fusefs
httpd_can_connect_ftp          (关    ,    关)  Allow httpd to can connect ftp
ftpd_use_passive_mode          (关    ,    关)  Allow ftpd to use passive mode
smbd_anon_write                (关    ,    关)  Allow smbd to anon write
daemons_enable_cluster_mode    (关    ,    关)  Allow daemons to enable cluster mode
cobbler_use_nfs                (关    ,    关)  Allow cobbler to use nfs
tor_can_network_relay          (关    ,    关)  Allow tor to can network relay
virt_use_usb                   (开    ,    开)  Allow virt to use usb
selinuxuser_execstack          (开    ,    开)  Allow selinuxuser to execstack
selinuxuser_mysql_connect_enabled (关    ,    关)  Allow selinuxuser to mysql connect enabled
virt_sandbox_use_all_caps      (开    ,    开)  Allow virt to sandbox use all caps
httpd_run_ipa                  (关    ,    关)  Allow httpd to run ipa
ganesha_use_fusefs             (关    ,    关)  Allow ganesha to use fusefs
rsync_export_all_ro            (关    ,    关)  Allow rsync to export all ro
daemons_use_tcp_wrapper        (关    ,    关)  Allow daemons to use tcp wrapper
prosody_bind_http_port         (关    ,    关)  Allow prosody to bind http port
sanlock_enable_home_dirs       (关    ,    关)  Allow sanlock to enable home dirs
webadm_read_user_files         (关    ,    关)  Allow webadm to read user files
mozilla_plugin_use_gps         (关    ,    关)  Allow mozilla to plugin use gps
use_fusefs_home_dirs           (关    ,    关)  Allow use to fusefs home dirs
pcp_bind_all_unreserved_ports  (关    ,    关)  Allow pcp to bind all unreserved ports
httpd_read_user_content        (关    ,    关)  Allow httpd to read user content
httpd_use_nfs                  (关    ,    关)  Allow httpd to use nfs
unconfined_chrome_sandbox_transition (开    ,    开)  Allow unconfined to chrome sandbox transition
pppd_can_insmod                (关    ,    关)  Allow pppd to can insmod
sge_use_nfs                    (关    ,    关)  Allow sge to use nfs
xguest_use_bluetooth           (开    ,    开)  Allow xguest to use bluetooth
spamd_enable_home_dirs         (开    ,    开)  Allow spamd to enable home dirs
dhcpd_use_ldap                 (关    ,    关)  Allow dhcpd to use ldap
git_cgi_use_cifs               (关    ,    关)  Allow git to cgi use cifs
pcp_read_generic_logs          (关    ,    关)  Allow pcp to read generic logs
httpd_can_connect_zabbix       (关    ,    关)  Allow httpd to can connect zabbix
zarafa_setrlimit               (关    ,    关)  Allow zarafa to setrlimit
mailman_use_fusefs             (关    ,    关)  Allow mailman to use fusefs
icecast_use_any_tcp_ports      (关    ,    关)  Allow icecast to use any tcp ports
httpd_tmp_exec                 (关    ,    关)  Allow httpd to tmp exec
secadm_exec_content            (开    ,    开)  Allow secadm to exec content
httpd_run_preupgrade           (关    ,    关)  Allow httpd to run preupgrade
virt_use_execmem               (关    ,    关)  Allow virt to use execmem
ksmtuned_use_cifs              (关    ,    关)  Allow ksmtuned to use cifs
spamassassin_can_network       (关    ,    关)  Allow spamassassin to can network
boinc_execmem                  (开    ,    开)  Allow boinc to execmem
sanlock_use_nfs                (关    ,    关)  Allow sanlock to use nfs
domain_kernel_load_modules     (关    ,    关)  Allow domain to kernel load modules
collectd_tcp_network_connect   (关    ,    关)  Allow collectd to tcp network connect
abrt_anon_write                (关    ,    关)  Allow abrt to anon write
xserver_object_manager         (关    ,    关)  Allow xserver to object manager
puppetagent_manage_all_files   (关    ,    关)  Allow puppetagent to manage all files
httpd_can_sendmail             (关    ,    关)  Allow httpd to can sendmail
samba_share_fusefs             (关    ,    关)  Allow samba to share fusefs
mcelog_foreground              (关    ,    关)  Allow mcelog to foreground
xend_run_qemu                  (开    ,    开)  Allow xend to run qemu
mozilla_plugin_can_network_connect (关    ,    关)  Allow mozilla to plugin can network connect
radius_use_jit                 (关    ,    关)  Allow radius to use jit
httpd_builtin_scripting        (开    ,    开)  Allow httpd to builtin scripting
selinuxuser_ping               (开    ,    开)  Allow selinuxuser to ping
authlogin_yubikey              (关    ,    关)  Allow authlogin to yubikey
cluster_manage_all_files       (关    ,    关)  Allow cluster to manage all files
httpd_can_connect_ldap         (关    ,    关)  Allow httpd to can connect ldap
cobbler_anon_write             (关    ,    关)  Allow cobbler to anon write
samba_share_nfs                (关    ,    关)  Allow samba to share nfs
virt_use_glusterd              (关    ,    关)  Allow virt to use glusterd
nagios_use_nfs                 (关    ,    关)  Allow nagios to use nfs
mmap_low_allowed               (关    ,    关)  Allow mmap to low allowed
dbadm_read_user_files          (关    ,    关)  Allow dbadm to read user files
kdumpgui_run_bootloader        (关    ,    关)  Allow kdumpgui to run bootloader
git_cgi_enable_homedirs        (关    ,    关)  Allow git to cgi enable homedirs
xdm_bind_vnc_tcp_port          (关    ,    关)  Allow xdm to bind vnc tcp port
spamd_update_can_network       (关    ,    关)  Allow spamd to update can network
ftpd_use_nfs                   (关    ,    关)  Allow ftpd to use nfs
antivirus_can_scan_system      (关    ,    关)  Allow antivirus to can scan system
polipo_session_users           (关    ,    关)  Allow polipo to session users
kerberos_enabled               (开    ,    开)  Allow kerberos to enabled
httpd_can_check_spam           (关    ,    关)  Allow httpd to can check spam
xguest_mount_media             (开    ,    开)  Allow xguest to mount media
openshift_use_nfs              (关    ,    关)  Allow openshift to use nfs
named_tcp_bind_http_port       (关    ,    关)  Allow named to tcp bind http port
deny_execmem                   (关    ,    关)  Allow deny to execmem
dhcpc_exec_iptables            (关    ,    关)  Allow dhcpc to exec iptables
logging_syslogd_can_sendmail   (关    ,    关)  Allow logging to syslogd can sendmail
polipo_use_nfs                 (关    ,    关)  Allow polipo to use nfs
samba_run_unconfined           (关    ,    关)  Allow samba to run unconfined
telepathy_connect_all_ports    (关    ,    关)  Allow telepathy to connect all ports
user_exec_content              (开    ,    开)  Allow user to exec content
neutron_can_network            (关    ,    关)  Allow neutron to can network
mpd_use_cifs                   (关    ,    关)  Allow mpd to use cifs
ftpd_connect_all_unreserved    (关    ,    关)  Allow ftpd to connect all unreserved
glance_api_can_network         (关    ,    关)  Allow glance to api can network
samba_load_libgfapi            (关    ,    关)  Allow samba to load libgfapi
gitosis_can_sendmail           (关    ,    关)  Allow gitosis to can sendmail
redis_enable_notify            (关    ,    关)  Allow redis to enable notify
logging_syslogd_use_tty        (开    ,    开)  Allow logging to syslogd use tty
httpd_can_network_memcache     (关    ,    关)  Allow httpd to can network memcache
container_manage_cgroup        (关    ,    关)  Allow container to manage cgroup
httpd_can_network_connect_cobbler (关    ,    关)  Allow httpd to can network connect cobbler
httpd_anon_write               (关    ,    关)  Allow httpd to anon write
httpd_serve_cobbler_files      (关    ,    关)  Allow httpd to serve cobbler files
daemons_use_tty                (关    ,    关)  Allow daemons to use tty
condor_tcp_network_connect     (关    ,    关)  Allow condor to tcp network connect
ftpd_anon_write                (关    ,    关)  Allow ftpd to anon write
sanlock_use_samba              (关    ,    关)  Allow sanlock to use samba
awstats_purge_apache_log_files (关    ,    关)  Allow awstats to purge apache log files
virt_rw_qemu_ga_data           (关    ,    关)  Allow virt to rw qemu ga data
sysadm_exec_content            (开    ,    开)  Allow sysadm to exec content
unprivuser_use_svirt           (关    ,    关)  Allow unprivuser to use svirt
use_lpd_server                 (关    ,    关)  Allow use to lpd server
abrt_upload_watch_anon_write   (开    ,    开)  Allow abrt to upload watch anon write
cups_execmem                   (关    ,    关)  Allow cups to execmem
tmpreaper_use_nfs              (关    ,    关)  Allow tmpreaper to use nfs
cron_system_cronjob_use_shares (关    ,    关)  Allow cron to system cronjob use shares
selinuxuser_use_ssh_chroot     (关    ,    关)  Allow selinuxuser to use ssh chroot
virt_read_qemu_ga_data         (关    ,    关)  Allow virt to read qemu ga data
git_session_bind_all_unreserved_ports (关    ,    关)  Allow git to session bind all unreserved ports
httpd_ssi_exec                 (关    ,    关)  Allow httpd to ssi exec
mozilla_plugin_use_spice       (关    ,    关)  Allow mozilla to plugin use spice
httpd_use_openstack            (关    ,    关)  Allow httpd to use openstack
httpd_enable_ftp_server        (关    ,    关)  Allow httpd to enable ftp server
daemons_dump_core              (关    ,    关)  Allow daemons to dump core
fcron_crond                    (关    ,    关)  Allow fcron to crond
virt_use_fusefs                (关    ,    关)  Allow virt to use fusefs
nfs_export_all_rw              (开    ,    开)  Allow nfs to export all rw
postgresql_selinux_transmit_client_label (关    ,    关)  Allow postgresql to selinux transmit client label
authlogin_radius               (关    ,    关)  Allow authlogin to radius
cobbler_use_cifs               (关    ,    关)  Allow cobbler to use cifs
mcelog_server                  (关    ,    关)  Allow mcelog to server
httpd_setrlimit                (关    ,    关)  Allow httpd to setrlimit
logging_syslogd_run_nagios_plugins (关    ,    关)  Allow logging to syslogd run nagios plugins
squid_connect_any              (开    ,    开)  Allow squid to connect any
ssh_sysadm_login               (关    ,    关)  Allow ssh to sysadm login
domain_fd_use                  (开    ,    开)  Allow domain to fd use
samba_enable_home_dirs         (关    ,    关)  Allow samba to enable home dirs
mcelog_client                  (关    ,    关)  Allow mcelog to client
tomcat_use_execmem             (关    ,    关)  Allow tomcat to use execmem
nfs_export_all_ro              (开    ,    开)  Allow nfs to export all ro
cron_can_relabel               (关    ,    关)  Allow cron to can relabel
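As an added example (not part of the original post), a small Python audit that parses the `semanage boolean -l` listing above and reports two things a defender cares about: booleans whose runtime value differs from the persistent one (the runtime change is lost at reboot), and a handful of booleans that widen what a confined service may reach when switched on. The 开/关 locale strings, the RISKY_IF_ON selection and the altered sample line are assumptions made for this example.

```python
import re
from typing import NamedTuple

# One line of `semanage boolean -l` under a zh_CN locale looks like
# "<name>   (<current> , <persistent>)  <description>", with 开 = on, 关 = off.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+\((?P<cur>开|关|on|off)\s*,\s*(?P<pers>开|关|on|off)\)\s+(?P<desc>.*)$"
)

class SEBool(NamedTuple):
    name: str
    current: bool     # value in the running kernel
    persistent: bool  # value in the policy store (what survives a reboot)
    description: str

def parse_boolean_list(text: str) -> list[SEBool]:
    """Parse `semanage boolean -l` output; non-matching lines are skipped."""
    bools = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            bools.append(SEBool(m["name"], m["cur"] in ("开", "on"),
                                m["pers"] in ("开", "on"), m["desc"].strip()))
    return bools

# Booleans whose "on" state widens what a confined service may reach.
# Illustrative selection for this audit (an assumption), not an official list.
RISKY_IF_ON = {"httpd_can_network_connect", "httpd_anon_write", "httpd_execmem",
               "samba_run_unconfined", "ftpd_anon_write", "nfs_export_all_rw"}

def audit(bools: list[SEBool]) -> dict[str, list[str]]:
    """Report risky booleans that are on, and booleans whose runtime value
    differs from the persistent one (the runtime value is lost on reboot)."""
    return {
        "risky_on": sorted(b.name for b in bools if b.current and b.name in RISKY_IF_ON),
        "drift": sorted(b.name for b in bools if b.current != b.persistent),
    }

# Constructed sample: lines copied from the listing above, except that
# httpd_can_network_connect was altered to show a runtime/persistent mismatch.
SAMPLE = """\
httpd_can_network_connect      (开    ,    关)  Allow httpd to can network connect
httpd_anon_write               (关    ,    关)  Allow httpd to anon write
nfs_export_all_rw              (开    ,    开)  Allow nfs to export all rw
cron_can_relabel               (关    ,    关)  Allow cron to can relabel
"""

if __name__ == "__main__":
    print(audit(parse_boolean_list(SAMPLE)))
```

On a real host, feed it `semanage boolean -l` output instead of SAMPLE; a non-empty "drift" list usually means someone ran `setsebool` without `-P`.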
Allen updated this post on 2021-03-23 14:31:30
1 reply
  • Cat

    👍