Changing The Security Category Of A File Or User; Running A Command In A Specific Security Context; Useful Commands For Scripts - Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual


linked to /var/www/html/foo, you have two security contexts to be concerned with.
Because one security context is of the object class file and the other of type lnk_file, they
are treated differently by the policy and unexpected behavior may occur.

45.2.10. Changing the Security Category of a File or User

Refer to Section 44.5.5, "Assigning Categories to Files" and Section 44.5.4, "Assigning Categories to Users" for information about adding and changing the security categories of files and users.

45.2.11. Running a Command in a Specific Security Context

You can use the runcon command to run a command in a specific context. This is useful for scripting
or for testing policy, but care should be taken to ensure that it is implemented correctly.
For example, you could use the following command to run a script to test for mislabeled content.
The arguments that appear after the command are considered to be part of the command. (In this
example, ~/bin/contexttest is a user-defined script.)
runcon -t httpd_t ~/bin/contexttest -ARG1 -ARG2
You can also specify the entire context, as follows:
runcon user_u:system_r:httpd_t ~/bin/contexttest

45.2.12. Useful Commands for Scripts

The following commands were introduced with SELinux and are useful when writing scripts to
help administer your system:
getenforce
This command returns the enforcing status of SELinux.
setenforce [ Enforcing | Permissive | 1 | 0 ]
This command controls the enforcing mode of SELinux. The option 1 or Enforcing tells SELinux
to enter enforcing mode. The option 0 or Permissive tells SELinux to enter permissive mode,
in which access violations are still logged, but not prevented.
selinuxenabled
This command exits with a status of 0 if SELinux is enabled, and 1 if SELinux is disabled.
selinuxenabled
echo $?
0
getsebool [-a] [boolean_name]
This command shows the status of all booleans (-a) or a specific boolean (<boolean_name>).
setsebool [-P] <boolean_name> value | bool1=val1 bool2=val2 ...
This command sets one or more boolean values. The -P option makes the changes persistent
across reboots.
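
As an added example (not part of the Red Hat manual), the following sh functions show how an administration script can combine selinuxenabled, getenforce and getsebool into a pre-flight check that refuses to run unless SELinux is enforcing. The function names and the --check argument are hypothetical, and getsebool is assumed to print "<name> --> on" or "<name> --> off".

```shell
#!/bin/sh
# Added example, not from the manual. Function names are hypothetical.

# Print one of: disabled, permissive, enforcing.
selinux_mode() {
    # selinuxenabled exits 0 only when SELinux is enabled; it also fails
    # (command not found) on hosts without the SELinux utilities.
    if ! selinuxenabled 2>/dev/null; then
        echo disabled
        return 0
    fi
    getenforce | tr '[:upper:]' '[:lower:]'
}

# Guard for scripts that must not run while protection is weakened.
require_enforcing() {
    mode=$(selinux_mode)
    if [ "$mode" != enforcing ]; then
        echo "refusing to continue: SELinux is $mode" >&2
        return 1
    fi
}

# Exit status: 0 = boolean is on, 1 = off, 2 = unknown or unreadable.
# Assumes getsebool prints "<name> --> on" or "<name> --> off".
boolean_is_on() {
    state=$(getsebool "$1" 2>/dev/null) || return 2
    case "$state" in
        *"--> on")  return 0 ;;
        *"--> off") return 1 ;;
        *)          return 2 ;;
    esac
}

# Run the guard only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    require_enforcing
fi
```

Keeping the "unknown" status separate from "off" lets a calling script treat a misspelled or missing boolean as an error instead of silently assuming it is disabled.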