How to install semanage on CentOS 6.3

On CentOS and other Red Hat Linux derivatives, if SELinux is enabled and we want to add an exception for a given port, we can use the “semanage” command. However, semanage is not installed by default on CentOS 6.3. It is provided by the policycoreutils-python package, which we can install with the following command:

yum install policycoreutils-python

Dependencies Resolved

================================================================================
Package                     Arch      Version                  Repository
                                                                           Size
================================================================================
Installing:
policycoreutils-python      i686      2.0.83-19.24.el6         base      338 k
Installing for dependencies:
audit-libs-python           i686      2.2-2.el6                base       57 k
libcgroup                   i686      0.37-4.el6               base      102 k
libsemanage-python          i686      2.0.43-4.1.el6           base       80 k
setools-libs                i686      3.3.7-4.el6              base      400 k
setools-libs-python         i686      3.3.7-4.el6              base      210 k
Updating for dependencies:
audit                       i686      2.2-2.el6                base      225 k
audit-libs                  i686      2.2-2.el6                base       60 k
policycoreutils             i686      2.0.83-19.24.el6         base      641 k

Transaction Summary
================================================================================
Install       6 Package(s)
Upgrade       3 Package(s)

Total download size: 2.1 M
Is this ok [y/N]: y

That's it. Now you can start using semanage:

[root@centos phpvirtualbox]# semanage
/usr/sbin/semanage:
semanage [ -S store ] -i [ input_file | - ]
semanage [ -S store ] -o [ output_file | - ]

semanage login -{a|d|m|l|D|E} [-nrs] login_name | %groupname
semanage user -{a|d|m|l|D|E} [-LnrRP] selinux_name
semanage port -{a|d|m|l|D|E} [-nrt] [ -p proto ] port | port_range
semanage interface -{a|d|m|l|D|E} [-nrt] interface_spec
semanage module -{a|d|m} [--enable|--disable] module
semanage node -{a|d|m|l|D|E} [-nrt] [ -p protocol ] [-M netmask] addr
semanage fcontext -{a|d|m|l|D|E} [-efnrst] file_spec
semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file
semanage permissive -{d|a|l} [-n] type
semanage dontaudit [ on | off ]

Primary Options:

        -a, --add        Add a OBJECT record NAME
        -d, --delete     Delete a OBJECT record NAME
        -m, --modify     Modify a OBJECT record NAME
        -i, --input      Input multiple semange commands in a transaction
        -o, --output     Output current customizations as semange commands
        -l, --list       List the OBJECTS
        -E, --extract    extract customizable commands
        -C, --locallist  List OBJECTS local customizations
        -D, --deleteall  Remove all OBJECTS local customizations

        -h, --help       Display this message
        -n, --noheading  Do not print heading when listing OBJECTS
        -S, --store      Select and alternate SELinux store to manage

Object-specific Options (see above):

        -f, --ftype      File Type of OBJECT
                "" (all files)
                -- (regular file)
                -d (directory)
                -c (character device)
                -b (block device)
                -s (socket)
                -l (symbolic link)
                -p (named pipe)

        -F, --file       Treat target as an input file for command, change multiple settings
        -p, --proto      Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6)
        -M, --mask       Netmask
        -e, --equal      Substitue source path for dest path when labeling
        -P, --prefix     Prefix for home directory labeling
        -L, --level      Default SELinux Level (MLS/MCS Systems only)
        -R, --roles      SELinux Roles (ex: "sysadm_r staff_r")
        -s, --seuser     SELinux User Name
        -t, --type       SELinux Type for the object
        -r, --range      MLS/MCS Security Range (MLS/MCS Systems only)
        --enable         Enable a module
        --disable        Disable a module
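
As an added example (not part of the original post), the shell helper below uses the `semanage port` syntax from the usage text above to work out which command labels a port with a given SELinux type. The function names and the `SAMPLE_PORTS` listing are constructed for illustration, and it assumes `semanage port -a` is refused when the exact port already has a record, in which case `-m` is needed.

```shell
#!/bin/sh
# Added example: decide which `semanage port` command labels a port.
# SAMPLE_PORTS is constructed text in the layout of `semanage port -l`.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      3128, 8080, 8118, 10001-10010
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
ssh_port_t                     tcp      22'

# port_type PROTO PORT: print the type whose record lists exactly PORT.
# Reads `semanage port -l` text on stdin; prints nothing if no record.
port_type() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                spec = $i; sub(/,$/, "", spec)   # strip list separator
                if (spec == port) { print $1; exit }
            }
        }'
}

# plan_port_label TYPE PROTO PORT: print the command to run, or nothing
# when PORT already carries TYPE. Returns 2 on malformed arguments so
# that nothing unexpected ends up in a command run as root.
plan_port_label() {
    case "$1" in ''|*[!a-z0-9_]*) return 2 ;; esac
    case "$2" in tcp|udp) ;; *) return 2 ;; esac
    case "$3" in ''|*[!0-9-]*|-*|*-|*-*-*) return 2 ;; esac
    current=$(port_type "$2" "$3")
    if [ "$current" = "$1" ]; then
        return 0                  # already labelled, nothing to change
    elif [ -n "$current" ]; then
        # Assumption: -a fails for an existing record, -m relabels it.
        echo "semanage port -m -t $1 -p $2 $3"
    else
        echo "semanage port -a -t $1 -p $2 $3"
    fi
}

# Stand-alone demo on the constructed listing.
printf '%s\n' "$SAMPLE_PORTS" | plan_port_label http_port_t tcp 8080
```

On a real host, pipe `semanage port -l` into `plan_port_label` instead of the sample text and review the printed command before running it.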

1 comments:

Thx a lot, that was very helpful.
Exactly what I was looking for.