Linux Basics: Managing SELinux with semanage

Published: 2020-08-22 07:13:45


semanage, as its name suggests, lets you operate on the security contexts and other elements of SELinux policy. It is used widely; for example K3S, Rancher's lightweight Kubernetes, relies on semanage to set up its SELinux support, so the packages semanage needs must be installed before K3S is. This article introduces how to inspect SELinux with semanage.

Installation

semanage is not installed by default and has to be installed separately. Note that which has already searched /usr/sbin, so the binary is genuinely absent rather than merely off the PATH:

[root@liumiaocn ~]# which semanage
/usr/bin/which: no semanage in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
[root@liumiaocn ~]#

yum provides tells you which package ships it. In the log below the package turns out to be policycoreutils-python-2.5-34.el7.x86_64 (this is CentOS/RHEL 7; on RHEL 8 and later the command ships in policycoreutils-python-utils). yum provides itself only queries repository metadata; the download lines in the excerpt come from the subsequent yum install of that package, which has been elided. If the bare name returns nothing, use the file-glob form yum provides '*/semanage'.

[root@liumiaocn ~]# yum provides semanage
...omitted
Total download size: 2.3 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/9): audit-2.8.5-4.el7.x86_64.rpm                                                                              | 256 kB  00:00:01     
(2/9): audit-libs-python-2.8.5-4.el7.x86_64.rpm                                                                  |  76 kB  00:00:00     
(3/9): policycoreutils-2.5-34.el7.x86_64.rpm                                                                     | 917 kB  00:00:00     
(4/9): policycoreutils-python-2.5-34.el7.x86_64.rpm                                                              | 457 kB  00:00:00     
(5/9): python-IPy-0.75-6.el7.noarch.rpm                                                                          |  32 kB  00:00:00     
(6/9): audit-libs-2.8.5-4.el7.x86_64.rpm                                                                         | 102 kB  00:00:02     
(7/9): libsemanage-python-2.5-14.el7.x86_64.rpm                                                                  | 113 kB  00:00:01     
(8/9): checkpolicy-2.5-8.el7.x86_64.rpm                                                                          | 295 kB  00:00:02     
(9/9): libcgroup-0.41-21.el7.x86_64.rpm                                                                          |  66 kB  00:00:02     
----------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                   576 kB/s | 2.3 MB  00:00:04     
...omitted
[root@liumiaocn ~]#
Usage
[root@liumiaocn ~]# semanage --help
usage: semanage [-h]
                
                {import,export,login,user,port,ibpkey,ibendport,interface,module,node,fcontext,boolean,permissive,dontaudit}
                ...

semanage is used to configure certain elements of SELinux policy with-out
requiring modification to or recompilation from policy source.

positional arguments:
  {import,export,login,user,port,ibpkey,ibendport,interface,module,node,fcontext,boolean,permissive,dontaudit}
    import              Import local customizations
    export              Output local customizations
    login               Manage login mappings between linux users and SELinux
                        confined users
    user                Manage SELinux confined users (Roles and levels for an
                        SELinux user)
    port                Manage network port type definitions
    ibpkey              Manage infiniband ibpkey type definitions
    ibendport           Manage infiniband end port type definitions
    interface           Manage network interface type definitions
    module              Manage SELinux policy modules
    node                Manage network node type definitions
    fcontext            Manage file context mapping definitions
    boolean             Manage booleans to selectively enable functionality
    permissive          Manage process type enforcement mode
    dontaudit           Disable/Enable dontaudit rules in policy

optional arguments:
  -h, --help            show this help message and exit
[root@liumiaocn ~]#
Common options

The subcommands share a common set of options:

  • -a: add
  • -l: list
  • -d: delete
  • -m: modify

-l only reads the policy store; -a, -d and -m write to it and require root. Two further options are worth knowing: -C (--locallist) restricts -l to local customizations, which is the quickest way to see what an administrator has changed on a host, and -D (--deleteall) removes every local customization of a subcommand, so review -l -C output before running it.
Example: viewing SELinux users

Compared with seinfo, this output is clearly more detailed: each SELinux user is shown with its labeling prefix, MLS/MCS level and range, and the roles it is allowed to enter.

[root@liumiaocn ~]# semanage user -l

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r
[root@liumiaocn ~]#
Example: querying booleans (tunable rules)
[root@liumiaocn ~]# semanage boolean -l |head -n10
SELinux boolean                State  Default Description

privoxy_connect_any            (on   ,   on)  Allow privoxy to connect any
smartmon_3ware                 (off  ,  off)  Allow smartmon to 3ware
mpd_enable_homedirs            (off  ,  off)  Allow mpd to enable homedirs
xdm_sysadm_login               (off  ,  off)  Allow xdm to sysadm login
xen_use_nfs                    (off  ,  off)  Allow xen to use nfs
mozilla_read_content           (off  ,  off)  Allow mozilla to read content
ssh_chroot_rw_homedirs         (off  ,  off)  Allow ssh to chroot rw homedirs
mount_anyfile                  (on   ,   on)  Allow mount to anyfile
IOError: [Errno 32] Broken pipe
[root@liumiaocn ~]#

The IOError: [Errno 32] Broken pipe at the end is not a semanage failure: head exits after ten lines and closes the pipe while semanage, a Python program, is still writing to it. The State column is the current value and Default is the value compiled into the policy; semanage boolean -l -C lists only booleans that have been changed locally, and semanage boolean -m --on <name> (or --off) changes one persistently.
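A drift check over this table, as an added example that is not from the original post: the function parses the State and Default columns of semanage boolean -l and prints every boolean whose current value differs from the policy default, which is what you want to review when auditing a host that someone else has tuned. The sample table is constructed: the privoxy_connect_any and ssh_chroot_rw_homedirs rows are from the output above, and the httpd_can_network_connect and ftpd_full_access rows are given drifted values on purpose. The function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): report SELinux booleans whose
# current State differs from the policy Default, parsing the table layout of
# `semanage boolean -l` shown above.  On a live host:
#   semanage boolean -l | boolean_drift

# Print "name current default" for each boolean whose State != Default.
# Data rows look like:  <name>  (<state> , <default>)  <description>
# so after default whitespace splitting $2 is "(on" or "(off" and $4 is
# "on)" or "off)"; header and blank lines have no "(" in field 2.
boolean_drift() {
    awk '$2 ~ /^\(/ {
            cur = $2; sub(/^\(/, "", cur)
            def = $4; sub(/\)$/, "", def)
            if (cur != def) print $1, cur, def
        }'
}

# Constructed sample: rows 1 and 3 match the post's output, rows 2 and 4
# are given drifted values on purpose.
sample_boolean_table() {
    cat <<'EOF'
SELinux boolean                State  Default Description

privoxy_connect_any            (on   ,   on)  Allow privoxy to connect any
httpd_can_network_connect      (on   ,  off)  Allow httpd to can network connect
ssh_chroot_rw_homedirs         (off  ,  off)  Allow ssh to chroot rw homedirs
ftpd_full_access               (on   ,  off)  Allow ftpd to full access
EOF
}

# Run the check over the sample; the drifted booleans go to stdout.
boolean_drift_sample() {
    sample_boolean_table | boolean_drift
}

boolean_drift_sample
```

On the sample this prints httpd_can_network_connect and ftpd_full_access, each followed by its current and default values. The same information is available from semanage boolean -l -C; the awk form is useful when you only have captured output from a host rather than a shell on it.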
Example: adding an SELinux user
[root@liumiaocn ~]# semanage user -a -L s0 -r "s0-s0:c0.c1023" -R sysadm_r liumiao_se
[root@liumiaocn ~]# semanage user -l

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
liumiao_se      user       s0         s0-s0:c0.c1023                 sysadm_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r
[root@liumiaocn ~]#

Defining an SELinux user on its own changes nothing: a process only runs as liumiao_se once a Linux login is mapped to it with semanage login -a -s liumiao_se <login name>, and the mapping applies to new sessions, not to ones already running. -L sets the default MLS/MCS level, -r the range the user may operate in and -R the roles it may enter; here sysadm_r alone, so a login mapped to this user becomes a confined administrative user rather than an unconfined one. Remove it again with semanage user -d liumiao_se.
Example: viewing login mappings
[root@liumiaocn ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
[root@liumiaocn ~]#

__default__ is the mapping applied to every login without an entry of its own. With the targeted-policy defaults shown here both it and root map to unconfined_u, so ordinary logins are effectively not confined; confining an account means adding a mapping such as semanage login -a -s staff_u <login name> (or -s user_u for a non-administrative account).
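An audit over the two tables above (semanage user -l and semanage login -l), as an added example that is not part of the original post. It reports logins mapped to unconfined_u, SELinux users whose roles include sysadm_r or unconfined_r, and login mappings that name an SELinux user the user table does not define. The sample tables are the post's own output plus one constructed login row (liumiao mapped to liumiao_se, which the sample user table does not contain) to exercise the last check; the file paths and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit the tables printed by
# `semanage user -l` and `semanage login -l`.  The functions read the tables
# from files so they work on live output, e.g.
#   semanage user -l  > /tmp/users.txt
#   semanage login -l > /tmp/logins.txt
#   unconfined_logins /tmp/logins.txt

# Logins mapped to unconfined_u: these sessions get no SELinux confinement.
# Data rows of `semanage login -l` have exactly 4 fields; the header has more.
unconfined_logins() {
    awk 'NF == 4 && $2 == "unconfined_u" { print $1 }' "$1"
}

# SELinux users whose role set includes sysadm_r or unconfined_r.
# Data rows of `semanage user -l` carry an MLS level such as s0 in column 3,
# which the two header lines do not; roles start at column 5.
privileged_selinux_users() {
    awk '$3 ~ /^s[0-9]+$/ {
            for (i = 5; i <= NF; i++)
                if ($i == "sysadm_r" || $i == "unconfined_r") { print $1; break }
        }' "$1"
}

# Login mappings whose SELinux user is not defined in the user table.
# $1 = user table file, $2 = login table file.
dangling_logins() {
    awk 'FNR == NR { if ($3 ~ /^s[0-9]+$/) defined[$1] = 1; next }
         NF == 4 && !($2 in defined) { print $1, $2 }' "$1" "$2"
}

# Write the sample tables into directory $1: the post's output, plus one
# constructed login row (liumiao -> liumiao_se) that has no matching user.
write_sample_tables() {
    cat > "$1/users.txt" <<'EOF'
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r
EOF
    cat > "$1/logins.txt" <<'EOF'
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
liumiao              liumiao_se           s0-s0:c0.c1023       *
EOF
}

# Run all three checks over the sample tables.
audit_sample() {
    dir=$(mktemp -d) || return 1
    write_sample_tables "$dir"
    echo "== logins mapped to unconfined_u =="
    unconfined_logins "$dir/logins.txt"
    echo "== SELinux users with sysadm_r or unconfined_r =="
    privileged_selinux_users "$dir/users.txt"
    echo "== logins whose SELinux user is undefined =="
    dangling_logins "$dir/users.txt" "$dir/logins.txt"
    rm -rf "$dir"
}

audit_sample
```

On the sample the first report lists __default__ and root, the second lists root, staff_u, sysadm_u, system_u and unconfined_u, and the third lists liumiao liumiao_se. Run the same functions on the real files from a host to see which accounts are actually confined there.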