4.3. Booleans


SELinux is based on the least level of access required for a service to run. Services can be run in a variety of ways; therefore, you need to specify how you run your services. Use the following Booleans to set up SELinux:
allow_ftpd_anon_write
When disabled, this Boolean prevents vsftpd from writing to files and directories labeled with the public_content_rw_t type. Enable this Boolean to allow users to upload files via FTP. The directory to which files are uploaded must be labeled with the public_content_rw_t type, and Linux permissions must be set accordingly.
allow_ftpd_full_access
When this Boolean is on, only Linux (DAC) permissions are used to control access, and authenticated users can read and write to files that are not labeled with the public_content_t or public_content_rw_t types.
allow_ftpd_use_cifs
Having this Boolean enabled allows vsftpd to access files and directories labeled with the cifs_t type; therefore, having this Boolean enabled allows you to share file systems mounted via Samba through vsftpd.
allow_ftpd_use_nfs
Having this Boolean enabled allows vsftpd to access files and directories labeled with the nfs_t type; therefore, having this Boolean enabled allows you to share file systems mounted via NFS through vsftpd.
ftp_home_dir
Having this Boolean enabled allows authenticated users to read and write to files in their home directories. When this Boolean is off, attempting to download a file from a home directory results in an error such as 550 Failed to open file. An SELinux denial is logged.
ftpd_connect_db
Allow FTP daemons to initiate a connection to a database.
httpd_enable_ftp_server
Allow httpd to listen on the FTP port and act as an FTP server.
tftp_anon_write
Having this Boolean enabled allows TFTP access to a public directory, such as an area reserved for common files that otherwise has no special access restrictions.

Note

Due to the continuous development of the SELinux policy, the list above might not contain all Booleans related to the service at all times. To list them, run the following command as root:
~]# semanage boolean -l | grep service_name
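
To review which of the Booleans above are currently enabled on a host, the following added example (not part of the original documentation) filters Boolean state and prints the access each enabled one grants, as described in this section. It assumes input in the `name --> state` format printed by `getsebool -a`; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: report enabled FTP-related SELinux Booleans from this section.

# Constructed sample in `getsebool -a` format (name --> state); not from a real host.
sample_booleans() {
cat <<'EOF'
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> on
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
httpd_can_network_connect --> on
EOF
}

# Read Boolean state on stdin; print "name: effect" for each Boolean from
# this section that is on. Booleans not listed in this section are ignored.
audit_ftp_booleans() {
  awk '
    BEGIN {
      note["allow_ftpd_anon_write"]   = "vsftpd can write to public_content_rw_t (FTP uploads)"
      note["allow_ftpd_full_access"]  = "only Linux (DAC) permissions control access"
      note["allow_ftpd_use_cifs"]     = "vsftpd can access cifs_t (Samba mounts)"
      note["allow_ftpd_use_nfs"]      = "vsftpd can access nfs_t (NFS mounts)"
      note["ftp_home_dir"]            = "authenticated users can read and write home directories"
      note["ftpd_connect_db"]         = "FTP daemons can connect to a database"
      note["httpd_enable_ftp_server"] = "httpd can listen on the FTP port"
      note["tftp_anon_write"]         = "TFTP access to a public directory"
    }
    # Match only well-formed "name --> on" lines for names listed above.
    $2 == "-->" && $3 == "on" && ($1 in note) { printf "%s: %s\n", $1, note[$1] }
  '
}

# On a live host: getsebool -a | audit_ftp_booleans
sample_booleans | audit_ftp_booleans
```

Any Boolean reported here that the service does not need can be turned off, in keeping with the least-access principle stated at the top of this section.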