semanage, as its name suggests, is the tool for managing SELinux security contexts and policy settings. It is used very widely; for example, Rancher's lightweight Kubernetes, K3s, configures its SELinux support through semanage, so the package that provides semanage has to be installed before K3s. This article shows how to use semanage to inspect SELinux.
Installation
semanage is not installed by default and has to be installed manually.
[root@liumiaocn ~]# which semanage
/usr/bin/which: no semanage in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
[root@liumiaocn ~]#
Use yum provides to find the package that supplies the command. The log below shows that the package is policycoreutils-python-2.5-34.el7.x86_64.
[root@liumiaocn ~]# yum provides semanage
...(omitted)
Total download size: 2.3 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/9): audit-2.8.5-4.el7.x86_64.rpm | 256 kB 00:00:01
(2/9): audit-libs-python-2.8.5-4.el7.x86_64.rpm | 76 kB 00:00:00
(3/9): policycoreutils-2.5-34.el7.x86_64.rpm | 917 kB 00:00:00
(4/9): policycoreutils-python-2.5-34.el7.x86_64.rpm | 457 kB 00:00:00
(5/9): python-IPy-0.75-6.el7.noarch.rpm | 32 kB 00:00:00
(6/9): audit-libs-2.8.5-4.el7.x86_64.rpm | 102 kB 00:00:02
(7/9): libsemanage-python-2.5-14.el7.x86_64.rpm | 113 kB 00:00:01
(8/9): checkpolicy-2.5-8.el7.x86_64.rpm | 295 kB 00:00:02
(9/9): libcgroup-0.41-21.el7.x86_64.rpm | 66 kB 00:00:02
----------------------------------------------------------------------------------------------------------------------------------------
Total 576 kB/s | 2.3 MB 00:00:04
...(omitted)
[root@liumiaocn ~]#
Usage
[root@liumiaocn ~]# semanage --help
usage: semanage [-h]
{import,export,login,user,port,ibpkey,ibendport,interface,module,node,fcontext,boolean,permissive,dontaudit}
...
semanage is used to configure certain elements of SELinux policy with-out
requiring modification to or recompilation from policy source.
positional arguments:
{import,export,login,user,port,ibpkey,ibendport,interface,module,node,fcontext,boolean,permissive,dontaudit}
import Import local customizations
export Output local customizations
login Manage login mappings between linux users and SELinux
confined users
user Manage SELinux confined users (Roles and levels for an
SELinux user)
port Manage network port type definitions
ibpkey Manage infiniband ibpkey type definitions
ibendport Manage infiniband end port type definitions
interface Manage network interface type definitions
module Manage SELinux policy modules
node Manage network node type definitions
fcontext Manage file context mapping definitions
boolean Manage booleans to selectively enable functionality
permissive Manage process type enforcement mode
dontaudit Disable/Enable dontaudit rules in policy
optional arguments:
-h, --help show this help message and exit
[root@liumiaocn ~]#
Common options
The commonly used options are:
- -a: add
- -l: list
- -d: delete
- -m: modify
Usage example: view SELinux user information
The output is clearly more detailed than what seinfo gives.
[root@liumiaocn ~]# semanage user -l
Labeling MLS/ MLS/
SELinux User Prefix MCS Level MCS Range SELinux Roles
guest_u user s0 s0 guest_r
root user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r
staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r
sysadm_u user s0 s0-s0:c0.c1023 sysadm_r
system_u user s0 s0-s0:c0.c1023 system_r unconfined_r
unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r
user_u user s0 s0 user_r
xguest_u user s0 s0 xguest_r
[root@liumiaocn ~]#
Usage example: query rules (booleans)
[root@liumiaocn ~]# semanage boolean -l |head -n10
SELinux boolean State Default Description

privoxy_connect_any (on , on) Allow privoxy to connect any
smartmon_3ware (off , off) Allow smartmon to 3ware
mpd_enable_homedirs (off , off) Allow mpd to enable homedirs
xdm_sysadm_login (off , off) Allow xdm to sysadm login
xen_use_nfs (off , off) Allow xen to use nfs
mozilla_read_content (off , off) Allow mozilla to read content
ssh_chroot_rw_homedirs (off , off) Allow ssh to chroot rw homedirs
mount_anyfile (on , on) Allow mount to anyfile
IOError: [Errno 32] Broken pipe
[root@liumiaocn ~]#
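The "IOError: [Errno 32] Broken pipe" at the end is only the Python-based semanage reacting to head closing the pipe after ten lines; the listing itself is fine. The State column shows the current value and the policy default side by side, which makes the listing useful for spotting booleans that have been changed locally. The script below is an added example, not part of the original post: it parses a listing in the format of semanage boolean -l (the sample is constructed, including a changed httpd_can_network_connect entry) and reports every boolean whose current state differs from its default, plus a lookup of a single boolean's state. On a real host, pipe the output of semanage boolean -l into the functions instead of the sample.

```shell
#!/bin/sh
# Added example (not from the original post): find booleans whose current
# state differs from the policy default, i.e. local customizations that a
# reviewer should be able to account for. The listing is a constructed sample
# in the format printed by `semanage boolean -l`; on a real host replace it
# with the live output of that command.
SAMPLE_BOOLEAN_LIST='SELinux boolean                State  Default Description

privoxy_connect_any            (on   ,   on)  Allow privoxy to connect any
smartmon_3ware                 (off  ,  off)  Allow smartmon to 3ware
httpd_can_network_connect      (on   ,  off)  Allow httpd to can network connect
mount_anyfile                  (on   ,   on)  Allow mount to anyfile'

# Each data line looks like:  name (current , default) description
# so $1 is the name, $2 is "(current" and $4 is "default)". Header and blank
# lines are skipped because their second field does not start with "(".
booleans_changed_from_default() {
    awk '$2 ~ /^\(/ {
        cur = substr($2, 2)
        def = substr($4, 1, length($4) - 1)
        if (cur != def) print $1
    }'
}

# Current state ("on" or "off") of one boolean; prints nothing if it is not
# in the listing.
boolean_state() {
    awk -v want="$1" '$1 == want && $2 ~ /^\(/ { print substr($2, 2) }'
}

echo "Booleans changed from their policy default:"
printf '%s\n' "$SAMPLE_BOOLEAN_LIST" | booleans_changed_from_default
echo "Current state of mount_anyfile:"
printf '%s\n' "$SAMPLE_BOOLEAN_LIST" | boolean_state mount_anyfile
```

Running it on a live system (semanage boolean -l | booleans_changed_from_default) gives a compact list of the local boolean customizations, which is what semanage export also records and what you would expect to find justified in the host's build documentation.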
Common example: add an SELinux user
[root@liumiaocn ~]# semanage user -a -L s0 -r "s0-s0:c0.c1023" -R sysadm_r liumiao_se
[root@liumiaocn ~]# semanage user -l
Labeling MLS/ MLS/
SELinux User Prefix MCS Level MCS Range SELinux Roles
guest_u user s0 s0 guest_r
liumiao_se user s0 s0-s0:c0.c1023 sysadm_r
root user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r
staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r
sysadm_u user s0 s0-s0:c0.c1023 sysadm_r
system_u user s0 s0-s0:c0.c1023 system_r unconfined_r
unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r
user_u user s0 s0 user_r
xguest_u user s0 s0 xguest_r
[root@liumiaocn ~]#
Usage example: view login mappings
[root@liumiaocn ~]# semanage login -l

Login Name SELinux User MLS/MCS Range Service

__default__ unconfined_u s0-s0:c0.c1023 *
root unconfined_u s0-s0:c0.c1023 *
system_u system_u s0-s0:c0.c1023 *
[root@liumiaocn ~]#
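The __default__ line is the one that matters for security review: any Linux login without an explicit mapping becomes unconfined_u, and the user listing earlier shows that unconfined_u carries unconfined_r. The script below is an added example and not code from the original post; it ties together the user listing, the add-user example and the login mapping above. It parses the two listings (constructed samples in the format of semanage user -l and semanage login -l, matching the output shown) to answer two audit questions, which SELinux users carry sysadm_r and which logins resolve to unconfined_u, and then shows the -a and -d operations from the options section as a provisioning sequence: create a confined SELinux user with the same -L/-r/-R flags as in the post and map a login onto it with semanage login -a, with the matching removal in reverse order. The login alice and the SELinux user alice_se are hypothetical, and the run wrapper's DRY_RUN variable is this script's own convention rather than a semanage feature, so the steps can be reviewed on a machine without SELinux tooling.

```shell
#!/bin/sh
# Added example (not from the original post): audit the `semanage user -l`
# and `semanage login -l` listings, then provision a confined administrator.
# Both sample listings are constructed to match the post's output.
SAMPLE_USER_LIST='                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles

guest_u         user       s0         s0               guest_r
liumiao_se      user       s0         s0-s0:c0.c1023   sysadm_r
root            user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023   sysadm_r
system_u        user       s0         s0-s0:c0.c1023   system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023   system_r unconfined_r
user_u          user       s0         s0               user_r
xguest_u        user       s0         s0               xguest_r'

SAMPLE_LOGIN_LIST='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *'

# SELinux users (column 1) that carry the given role anywhere in their role
# list (columns 5 onward). Data lines are recognized by the "user" prefix in
# column 2, which skips both header lines and the blank line.
users_with_role() {
    awk -v want="$1" '$2 == "user" {
        for (i = 5; i <= NF; i++) if ($i == want) { print $1; break }
    }'
}

# Linux logins (column 1) mapped to the given SELinux user (column 2).
logins_mapped_to() {
    awk -v want="$1" '$2 == want { print $1 }'
}

# Wrapper around semanage: with DRY_RUN=1 (this script's convention) the
# command line is printed instead of executed, so a change can be reviewed
# before it touches policy.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "semanage $*"
    else
        semanage "$@"
    fi
}

# Create a confined SELinux user restricted to sysadm_r (the -L/-r/-R flags
# from the post) and map one Linux login onto it, so that login no longer
# falls through to the __default__ -> unconfined_u mapping.
map_login_to_confined_user() {
    login=$1
    seuser=$2
    run user -a -L s0 -r "s0-s0:c0.c1023" -R sysadm_r "$seuser"
    run login -a -s "$seuser" -r "s0-s0:c0.c1023" "$login"
}

# Undo the two steps in reverse order: the login mapping references the
# SELinux user, so it has to be deleted first.
unmap_login_and_remove_user() {
    login=$1
    seuser=$2
    run login -d "$login"
    run user -d "$seuser"
}

echo "SELinux users with sysadm_r:"
printf '%s\n' "$SAMPLE_USER_LIST" | users_with_role sysadm_r
echo "Logins mapped to unconfined_u:"
printf '%s\n' "$SAMPLE_LOGIN_LIST" | logins_mapped_to unconfined_u
echo "Commands that would run for the hypothetical login alice:"
DRY_RUN=1
map_login_to_confined_user alice alice_se
unmap_login_and_remove_user alice alice_se
```

On a live host, run semanage user -l | users_with_role sysadm_r and semanage login -l | logins_mapped_to unconfined_u to get the real answers, and unset DRY_RUN (or leave it at 0) only once the printed command lines have been reviewed; semanage user -l and semanage login -l afterwards confirm the result, exactly as the listings in the post do.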
