chcon命令:修改对象(文件)的安全上下文。比如:用户:角色:类型:安全级别。 命令格式: Chcon [OPTIONS…] CONTEXT FILES….. Chcon [OPTIONS…] –reference=PEF_FILES FILES… 说明: CONTEXT 为要设置的安全上下文 FILES 对象(文件) –reference 参照的对象 PEF_FILES 参照文件上下文 FILES 应用参照文件上下文为我的上下文。 OPTIONS 如下: -f 强迫执行 -R 递归地修改对象的安全上下文 -r ROLE 修改安全上下文角色的配置 -t TYPE 修改安全上下文类型的配置 -u USER 修改安全上下文用户的配置 -v 显示冗长的信息 -l, –range=RANGE 修改安全上下文中的安全级别 范例: 1、ftp //If you want to share files anonymously <如果你想把这个共享给匿名的话,需要开启以下> chcon -R -t public_content_t /var/ftp //If you want to setup a directory where you can upload files <如果你想让你设置的FTP目录可以上传文件的话,SELINUX需要设置> chcon -t public_content_rw_t /var/ftp/incoming //You must also turn on the boolean allow_ftpd_anon_write <允许匿名用户写入权限> setsebool -P allow_ftpd_anon_write=1 //If you are setting up this machine as a ftpd server and wish to allow users to access their home directorories<如果你希望你的FTP用户可以访问自己的家目录的话,需要开启> setsebool -P ftp_home_dir 1 //If you want to run ftpd as a daemon<如果你希望将vsftpd以daemon的方式运行的话,需要开启> setsebool -P ftpd_is_daemon 1 //You can disable SELinux protection for the ftpd daemon<你可以让SElinux停止保护vsftpd的daemon方式动行> setsebool -P ftpd_disable_trans 1 2、httpd //If you want a particular domain to write to the public_content_rw_t domain <如果希望具体个doman具有可写权限的话,需要设置> setsebool -P allow_httpd_anon_write=1 or setsebool -P allow_httpd_sys__anon_write=1 //httpd can be setup to allow cgi s to be executed setsebool -P httpd_enable_cgi 1 //If you want to allow access to users home directories<允许用户HHTP访问其家目录,该设定限仅于用户的家目录主页> setsebool -P httpd_enable_homedirs 1 chcon -R -t httpd_sys_content_t ~user/public_html //httpd is allowed access to the controling terminal<允许httpd访问终端> setsebool -P httpd_tty_comm 1 //such that one httpd service can not interfere with another setsebool -P httpd_unified 0 //loadable modules run under the same context as httpd setsebool -P httpd_builtin_ing 0 //httpd s are allowed to connect out to the network setsebool -P httpd_can_network_connect 1 // You can disable suexec transition setsebool -P httpd_suexec_disable_trans 1 //You can disable SELinux protection for the httpd daemon by executing <关闭Selinux的关于httpd进程守护的保护> setsebool -P httpd_disable_trans 1 service httpd restart 3、named //If you want to have named update the master zone files <关于named,master更新selinux设定> setsebool -P named_write_master_zones 1 //You can disable SELinux protection for the named daemon by executing <关闭named的进程守护保护> setsebool -P named_disable_trans 1 service named restart 4、nfs //If you want to setup this machine to share nfs partitions read only setsebool -P nfs_export_all_ro 1 //If you want to share files read/write setsebool -P nfs_export_all_rw 1 //If you want to use a remote NFS server for the home directories on this machine <如果你想要将远程NFS的家目录共享到本机,需要开启> setsebool -P use_nfs_home_dirs 1 5、samba //If you want to share files other than home directorie <如果你希望将目录共享给其他用户,你需要设置> chcon -t samba_share_t /directory //If you want to share files with multiple domains 如果samba服务器共享目录给多个域,则需要: setsebool -P allow_smbd_anon_write=1 //If you are setting up this machine as a Samba server and wish to share the home directories samba服务器要共享家目录时: setsebool -P samba_enable_home_dirs 1 //If you want to use a remote Samba server for the home directories on this machine 如果你需在本机上使用远程samba服务器的家目录 setsebool -P use_samba_home_dirs 1 //You can disable SELinux protection for the samba daemon by executing 关闭selinux关于samba的进程守护的保护 setsebool -P smbd_disable_trans 1 service smb restart 6、rsync //If you want to share files using the rsync daemon 共享rsync目录时: chcon -t public_content_t /directories //If you want to share files with multiple domains 允许其他用户写入时 setsebool -P allow_rsync_anon_write=1 //You can disable SELinux protection for the rsync daemon by executing 停止rsync的进程保护 setsebool -P rsync_disable_trans 1 7、kerberos //allow your system to work properly in a Kerberos environment 允许系统使用kerberos setsebool -P allow_kerberos 1 //If you are running Kerberos daemons kadmind or krb5kdc setsebool -P krb5kdc_disable_trans 1 service krb5kdc restart setsebool -P kadmind_disable_trans 1 service kadmind restart 8、nis Allow your system to work properly in a NIS environment 系统工作在nis环境时 setsebool -P allow_ypbind 1