From 1c4f439791cb5c4641682ea2ea703281beb32f1d Mon Sep 17 00:00:00 2001
From: cyqsimon <28627918+cyqsimon@users.noreply.github.com>
Date: Mon, 27 May 2024 02:28:37 +0800
Subject: [PATCH] setenforce, {get,set}sebool, semanage-{boolean,port,permissive}: add page (#12834)
Co-authored-by: spageektti
---
 pages/linux/getenforce.md | 1 +
 pages/linux/getsebool.md | 17 +++++++++++++++++
 pages/linux/semanage-boolean.md | 17 +++++++++++++++++
 pages/linux/semanage-permissive.md | 14 ++++++++++++++
 pages/linux/semanage-port.md | 21 +++++++++++++++++++++
 pages/linux/semanage.md | 1 +
 pages/linux/setenforce.md | 14 ++++++++++++++
 pages/linux/setsebool.md | 25 +++++++++++++++++++++++++
 8 files changed, 110 insertions(+)
 create mode 100644 pages/linux/getsebool.md
 create mode 100644 pages/linux/semanage-boolean.md
 create mode 100644 pages/linux/semanage-permissive.md
 create mode 100644 pages/linux/semanage-port.md
 create mode 100644 pages/linux/setenforce.md
 create mode 100644 pages/linux/setsebool.md
diff --git a/pages/linux/getenforce.md b/pages/linux/getenforce.md
index 206cf0342..e06be2f0f 100644
--- a/pages/linux/getenforce.md
+++ b/pages/linux/getenforce.md
@@ -1,6 +1,7 @@
 # getenforce
 
 > Get the current mode of SELinux (i.e. enforcing, permissive, or disabled).
+> See also: `setenforce`, `semanage-permissive`.
 > More information: .
 
 - Display the current mode of SELinux:
diff --git a/pages/linux/getsebool.md b/pages/linux/getsebool.md
new file mode 100644
index 000000000..aafd10234
--- /dev/null
+++ b/pages/linux/getsebool.md
@@ -0,0 +1,17 @@
+# getsebool
+
+> Get SELinux boolean value.
+> See also: `semanage-boolean`, `setsebool`.
+> More information: .
+
+- Show the current setting of a boolean:
+
+`getsebool {{httpd_can_connect_ftp}}`
+
+- Show the current setting of [a]ll booleans:
+
+`getsebool -a`
+
+- Show the current setting of all booleans with explanations:
+
+`sudo semanage boolean {{-l|--list}}`
diff --git a/pages/linux/semanage-boolean.md b/pages/linux/semanage-boolean.md
new file mode 100644
index 000000000..c04e6a94f
--- /dev/null
+++ b/pages/linux/semanage-boolean.md
@@ -0,0 +1,17 @@
+# semanage boolean
+
+> Manage persistent SELinux boolean settings.
+> See also: `semanage` for managing SELinux policies, `getsebool` for checking boolean values, and `setsebool` for applying non-persistent boolean settings.
+> More information: .
+
+- List all booleans settings:
+
+`sudo semanage boolean {{-l|--list}}`
+
+- List all user-defined boolean settings without headings:
+
+`sudo semanage boolean {{-l|--list}} {{-C|--locallist}} {{-n|--noheading}}`
+
+- Set or unset a boolean persistently:
+
+`sudo semanage boolean {{-m|--modify}} {{-1|--on|-0|--off}} {{haproxy_connect_any}}`
diff --git a/pages/linux/semanage-permissive.md b/pages/linux/semanage-permissive.md
new file mode 100644
index 000000000..4c86c23de
--- /dev/null
+++ b/pages/linux/semanage-permissive.md
@@ -0,0 +1,14 @@
+# semanage permissive
+
+> Manage persistent SELinux permissive domains.
+> Note that this effectively makes the process unconfined. For long-term use, it is recommended to configure SELiunx properly.
+> See also: `semanage`, `getenforce`, `setenforce`.
+> More information: .
+
+- List all process types (a.k.a domains) that are in permissive mode:
+
+`sudo semanage permissive {{-l|--list}}`
+
+- Set or unset permissive mode for a domain:
+
+`sudo semanage permissive {{-a|--add|-d|--delete}} {{httpd_t}}`
diff --git a/pages/linux/semanage-port.md b/pages/linux/semanage-port.md
new file mode 100644
index 000000000..050e4c1e3
--- /dev/null
+++ b/pages/linux/semanage-port.md
@@ -0,0 +1,21 @@
+# semanage port
+
+> Manage persistent SELinux port definitions.
+> See also: `semanage`.
+> More information: .
+
+- List all port labeling rules:
+
+`sudo semanage port {{-l|--list}}`
+
+- List all user-defined port labeling rules without headings:
+
+`sudo semanage port {{-l|--list}} {{-C|--locallist}} {{-n|--noheading}}`
+
+- Add a user-defined rule that assigns a label to a protocol-port pair:
+
+`sudo semanage port {{-a|--add}} {{-t|--type}} {{ssh_port_t}} {{-p|--proto}} {{tcp}} {{22000}}`
+
+- Delete a user-defined rule using its protocol-port pair:
+
+`sudo semanage port {{-d|--delete}} {{-p|--proto}} {{udp}} {{11940}}`
diff --git a/pages/linux/semanage.md b/pages/linux/semanage.md
index 89b3459d9..46ccb21f9 100644
--- a/pages/linux/semanage.md
+++ b/pages/linux/semanage.md
@@ -1,6 +1,7 @@
 # semanage
 
 > SELinux persistent policy management tool.
+> Some subcommands such as `boolean`, `fcontext`, `port`, etc. have their own usage documentation.
 > More information: .
 
 - Set or unset a SELinux boolean. Booleans allow the administrator to customize how policy rules affect confined process types (a.k.a domains):
diff --git a/pages/linux/setenforce.md b/pages/linux/setenforce.md
new file mode 100644
index 000000000..fd551a33c
--- /dev/null
+++ b/pages/linux/setenforce.md
@@ -0,0 +1,14 @@
+# setenforce
+
+> Toggle SELinux between enforcing and permissive modes.
+> To enable or disable SELinux, edit `/etc/selinux/config` instead.
+> See also: `getenforce`, `semanage-permissive`.
+> More information: .
+
+- Put SELinux in enforcing mode:
+
+`setenforce {{1|Enforcing}}`
+
+- Put SELiunx in permissive mode:
+
+`setenforce {{0|Permissive}}`
diff --git a/pages/linux/setsebool.md b/pages/linux/setsebool.md
new file mode 100644
index 000000000..f73695454
--- /dev/null
+++ b/pages/linux/setsebool.md
@@ -0,0 +1,25 @@
+# setsebool
+
+> Set SELinux boolean value.
+> See also: `semanage-boolean`, `getsebool`.
+> More information: .
+
+- Show the current setting of [a]ll booleans:
+
+`getsebool -a`
+
+- Set or unset a boolean temporarily (non-persistent across reboot):
+
+`sudo setsebool {{httpd_can_network_connect}} {{1|true|on|0|false|off}}`
+
+- Set or unset a boolean [p]ersistently:
+
+`sudo setsebool -P {{container_use_devices}} {{1|true|on|0|false|off}}`
+
+- Set or unset multiple booleans [p]ersistently at once:
+
+`sudo setsebool -P {{ftpd_use_fusefs=1 mount_anyfile=0 ...}}`
+
+- Set or unset a boolean persistently (alternative method using `semanage-boolean`):
+
+`sudo semanage boolean {{-m|--modify}} {{-1|--on|-0|--off}} {{haproxy_connect_any}}`