chcon命令詳解.docx

chcon命令：修改對象（文件）的安全上下文。比如：用戶：角色：類型：安全級別。命令格式：Chcon OPTIONS CONTEXT FILES.Chcon OPTIONS reference=PEF_FILES FILES說明：CONTEXT 為要設(shè)置的安全上下文FILES 對象（文件）-reference 參照的對象PEF_FILES 參照文件上下文FILES應(yīng)用參照文件上下文為我的上下文。OPTIONS 如下：-f強迫執(zhí)行-R遞歸地修改對象的安全上下文-r ROLE修改安全上下文角色的配置-t TYPE修改安全上下文類型的配置-u USER修改安全上下文用戶的配置-v顯示冗長的信息 -l, -range=RANGE 修改安全上下文中的安全級別范例：1、ftp/If you want to share files anonymously chcon -R -t public_content_t /var/ftp/If you want to setup a directory where you can upload files如果你想讓你設(shè)置的FTP目錄可以上傳文件的話，SELINUX需要設(shè)置chcon -t public_content_rw_t /var/ftp/incoming/You must also turn on the boolean allow_ftpd_anon_write 允許匿名用戶寫入權(quán)限setsebool -P allow_ftpd_anon_write=1/If you are setting up this machine as a ftpd server and wish to allow users to access their home directororiessetsebool -P ftp_home_dir 1/If you want to run ftpd as a daemonsetsebool -P ftpd_is_daemon 1/You can disable SELinux protection for the ftpd daemonsetsebool -P ftpd_disable_trans 12、httpd/If you want a particular domain to write to the public_content_rw_t domainsetsebool -P allow_httpd_anon_write=1orsetsebool -P allow_httpd_sys_anon_write=1/httpd can be setup to allow cgi s to be executed setsebool -P httpd_enable_cgi 1/If you want to allow access to users home directoriessetsebool -P httpd_enable_homedirs 1chcon -R -t httpd_sys_content_t user/public_html/httpd is allowed access to the controling terminal允許httpd訪問終端setsebool -P httpd_tty_comm 1/such that one httpd service can not interfere with anothersetsebool -P httpd_unified 0/loadable modules run under the same context as httpdsetsebool -P httpd_builtin_ing 0/httpd s are allowed to connect out to the networksetsebool -P httpd_can_network_connect 1/ You can disable suexec transitionsetsebool -P httpd_suexec_disable_trans 1/You can disable SELinux protection for the httpd daemon by executing setsebool -P httpd_disable_trans 1service httpd restart3、named/If you want to have named update the master zone files setsebool -P named_write_master_zones 1/You can disable SELinux protection for the named daemon by executingsetsebool -P named_disable_trans 1service named restart4、nfs/If you want to setup this machine to share nfs partitions read onlysetsebool -P nfs_export_all_ro 1/If you want to share files read/writesetsebool -P nfs_export_all_rw 1/If you want to use a remote NFS server for the home directories on this machine如果你想要將遠程NFS的家目錄共享到本機，需要開啟setsebool -P use_nfs_home_dirs 15、samba/If you want to share files other than home directoriechcon -t samba_share_t /directory/If you want to share files with multiple domains如果samba服務(wù)器共享目錄給多個域，則需要：setsebool -P allow_smbd_anon_write=1/If you are setting up this machine as a Samba server and wish to share the home directoriessamba服務(wù)器要共享家目錄時：setsebool -P samba_enable_home_dirs 1/If you want to use a remote Samba server for the home directories on this machine如果你需在本機上使用遠程samba服務(wù)器的家目錄setsebool -P use_samba_home_dirs 1/You can disable SELinux protection for the samba daemon by executing關(guān)閉selinux關(guān)于samba的進程守護的保護setsebool -P smbd_disable_trans 1service smb restart6、rsync/If you want to share files using the rsync daemon共享rsync目錄時：chcon -t public_content_t /directories/If you want to share files with multiple domains允許其他用戶寫入時setsebool -P allow_rsync_anon_write=1/You can disable SELinux protection for the rsync daemon by executing停止rsync的進程保護setsebool -P rsync_disable_trans 17、kerberos/allow your system to work properly in a Kerberos environment允許系統(tǒng)使用kerberossetsebool -P allow_kerberos 1/If you are running Kerberos daemons kadmind or krb5kdcsetsebool -P krb5kdc_disable_