SELinux is short for Security-Enhanced Linux. It is a kernel security module developed by the US National Security Agency (NSA), and it is mainly found on Red Hat Linux and its derivatives such as CentOS. Ubuntu, SUSE and their derivatives use AppArmor instead.
Traditional Linux uses Discretionary Access Control (DAC). Under DAC a process runs with a user ID (UID), or with the file owner's ID through set-owner-user-ID (SUID), and inherits that user's permissions on files, sockets and so on. This makes it easy for malicious code to run with whatever privileges that user has.
Mandatory Access Control (MAC) enforces isolation on the basis of confidentiality and integrity in order to limit damage. Whether a resource may be accessed depends not only on the user's identity but also on whether each individual process is allowed to access that class of resource. So even when a process runs as root, its process type and the resource types it is permitted to access are checked before access to a resource is granted, which shrinks the space a process can operate in to a minimum. SELinux implements MAC.
Put plainly, SELinux minimizes the resources that service processes on the system can reach. With it enabled by default, the security level is very high and many routine operations are restricted.
In SELinux, when a subject such as a program wants to access an object such as a file, the kernel consults the policy database and the system's current running mode, and decides according to that mode whether to grant access to the object. If access is denied, a denial message is recorded in /var/log/messages.
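The denial record the kernel writes is an AVC ("access vector cache") line that names the subject context, the object context, the object class and the permission that was refused; when auditd is running on CentOS the raw lines land in /var/log/audit/audit.log, and what reaches /var/log/messages is usually the setroubleshoot summary of the same event. The parser below is an added example, not code from the page or from the SELinux project; the audit lines it reads are constructed samples, and the field names it extracts (scontext, tcontext, tclass, permissive) are the ones the kernel actually emits. It also separates denials that were enforced from those logged while the system was in permissive mode (permissive=1), which is exactly the distinction the mode decides.

```python
import re
from collections import Counter

# Constructed sample audit records (not from the page): two denials taken while
# enforcing, one recorded while the system was permissive, and one non-AVC record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000002.789:458): avc:  denied  { write } for  pid=2222 comm="vsftpd" name="upload" dev="dm-0" ino=4242 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1700000002.789:458): arch=c000003e syscall=2 success=no exit=-13
"""

# One AVC denial: "avc:  denied  { perm perm } ... scontext=... tcontext=... tclass=... [permissive=N]"
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def parse_avc(line):
    """Return a dict describing an AVC denial line, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # A context is user:role:type[:level]; the type (third field) is the domain
    # of the subject and the type of the object, which is what policy decides on.
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    rec["perms"] = rec["perms"].split()
    # permissive=1 means the access was logged but actually allowed to proceed.
    rec["enforced"] = rec.get("permissive") != "1"
    return rec


def summarize(log_text):
    """Count denials per (subject domain, object type, class, permission, enforced?)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec["sdomain"], rec["ttype"], rec["tclass"], perm, rec["enforced"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_AUDIT_LOG).items()):
        sdomain, ttype, tclass, perm, enforced = key
        state = "blocked" if enforced else "logged only (permissive)"
        print(f"{n}x {sdomain} -> {ttype} ({tclass}) {perm}: {state}")
```

Grouping by subject domain, object type, class and permission is the same shape the audit2allow tool reasons about, so the summary tells you directly which boolean or label change is being asked for, while the enforced flag shows which of those requests are currently being blocked.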
The mode and policy type are set in /etc/selinux/config:

```
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
```
By default, current CentOS systems run SELinux in Enforcing mode. The current mode can be checked with the getenforce command.
When the SELinux mode is enforcing or permissive, sestatus -v shows the policy information; when it is disabled, no further information is available.
```
# getenforce
Enforcing
# sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

Process contexts:
Current context:                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context:                   system_u:system_r:init_t:s0
/usr/sbin/sshd                  system_u:system_r:sshd_t:s0-s0:c0.c1023

File contexts:
Controlling terminal:           unconfined_u:object_r:user_devpts_t:s0
/etc/passwd                     system_u:object_r:passwd_file_t:s0
/etc/shadow                     system_u:object_r:shadow_t:s0
/bin/bash                       system_u:object_r:shell_exec_t:s0
/bin/login                      system_u:object_r:login_exec_t:s0
/bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty                    system_u:object_r:getty_exec_t:s0
/sbin/init                      system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0
```
setenforce 0 switches the running system to permissive mode without touching the configuration file, so sestatus -v now shows the current mode and the configured mode disagreeing:

```
# setenforce 0
# getenforce
Permissive
# sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

Process contexts:
Current context:                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context:                   system_u:system_r:init_t:s0
/usr/sbin/sshd                  system_u:system_r:sshd_t:s0-s0:c0.c1023

File contexts:
Controlling terminal:           unconfined_u:object_r:user_devpts_t:s0
/etc/passwd                     system_u:object_r:passwd_file_t:s0
/etc/shadow                     system_u:object_r:shadow_t:s0
/bin/bash                       system_u:object_r:shell_exec_t:s0
/bin/login                      system_u:object_r:login_exec_t:s0
/bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty                    system_u:object_r:getty_exec_t:s0
/sbin/init                      system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0
```
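A system left in permissive mode after a setenforce 0, or booted with a config that says disabled, still looks healthy to anyone who only reads the logs, so the mismatch between "Current mode" and the SELINUX= setting is worth checking from a script rather than by eye. The following is an added example and not code from the page: it parses /etc/selinux/config and the header of sestatus -v (both sample texts below are constructed, with the values copied from the output above) and reports every way the running state falls short of the configured one.

```python
# Constructed sample of /etc/selinux/config (same values as the file shown above).
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
"""

# Constructed sample: the sestatus -v header after "setenforce 0".
SAMPLE_SESTATUS = """\
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
"""


def parse_selinux_config(text):
    """Return the KEY=value pairs of /etc/selinux/config, ignoring comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing/full-line comments
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip().lower()
    return conf


def parse_sestatus(text):
    """Return the 'Label:  value' lines of sestatus as a dict (first colon splits)."""
    status = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            status[key.strip()] = value.strip()
    return status


def check_mode(status, conf):
    """Compare the running state with the configured one; an empty list means no drift."""
    findings = []
    if status.get("SELinux status") != "enabled":
        # Nothing else in the status block is meaningful when no policy is loaded.
        findings.append("SELinux is disabled in the running kernel")
        return findings
    current = status.get("Current mode", "").lower()
    configured = conf.get("SELINUX", "")
    if current != configured:
        findings.append(f"runtime mode {current!r} differs from configured {configured!r}")
    if current != "enforcing":
        findings.append("policy is not being enforced: denials are only logged")
    if status.get("Loaded policy name") != conf.get("SELINUXTYPE"):
        findings.append("loaded policy name differs from SELINUXTYPE")
    return findings


if __name__ == "__main__":
    # On a real host, replace the samples with open("/etc/selinux/config").read()
    # and the output of `sestatus -v`.
    for finding in check_mode(parse_sestatus(SAMPLE_SESTATUS), parse_selinux_config(SAMPLE_CONFIG)):
        print("WARNING:", finding)
```

The "Mode from config file" line of sestatus already reports the same comparison; parsing the file directly additionally catches a SELINUXTYPE edit that will only take effect at the next boot, which the status line does not show.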
sestatus -b additionally lists the current state of every policy boolean:
```
# sestatus -b
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

Policy booleans:
abrt_anon_write  off
abrt_handle_event  off
abrt_upload_watch_anon_write  on    # allow abrt to upload watch records; on by default
antivirus_can_scan_system  off
antivirus_use_jit  off
auditadm_exec_content  on    # allow auditadm to execute content; on by default
authlogin_nsswitch_use_ldap  off
authlogin_radius  off
authlogin_yubikey  off
awstats_purge_apache_log_files  off
boinc_execmem  on
cdrecord_read_content  off
cluster_can_network_connect  off
cluster_manage_all_files  off
cluster_use_execmem  off
cobbler_anon_write  off
cobbler_can_network_connect  off
cobbler_use_cifs  off
cobbler_use_nfs  off
collectd_tcp_network_connect  off
condor_tcp_network_connect  off
conman_can_network  off
conman_use_nfs  off
container_connect_any  off
container_manage_cgroup  off
container_use_cephfs  off
cron_can_relabel  off
cron_system_cronjob_use_shares  off
cron_userdomain_transition  on
cups_execmem  off
cvs_read_shadow  off
daemons_dump_core  off
daemons_enable_cluster_mode  off
daemons_use_tcp_wrapper  off
daemons_use_tty  off
dbadm_exec_content  on
dbadm_manage_user_files  off
dbadm_read_user_files  off
deny_execmem  off
deny_ptrace  off
dhcpc_exec_iptables  off
dhcpd_use_ldap  off
domain_can_mmap_files  on
domain_can_write_kmsg  off
domain_fd_use  on
domain_kernel_load_modules  off
entropyd_use_audio  on
exim_can_connect_db  off
exim_manage_user_files  off
exim_read_user_files  off
fcron_crond  off
fenced_can_network_connect  off
fenced_can_ssh  off
fips_mode  on
ftpd_anon_write  off
ftpd_connect_all_unreserved  off
ftpd_connect_db  off
ftpd_full_access  off
ftpd_use_cifs  off
ftpd_use_fusefs  off
ftpd_use_nfs  off    # allow the ftpd service to use NFS; off by default
ftpd_use_passive_mode  off
ganesha_use_fusefs  off
git_cgi_enable_homedirs  off
git_cgi_use_cifs  off
git_cgi_use_nfs  off
git_session_bind_all_unreserved_ports  off
git_session_users  off
git_system_enable_homedirs  off
git_system_use_cifs  off
git_system_use_nfs  off
gitosis_can_sendmail  off
glance_api_can_network  off
glance_use_execmem  off
glance_use_fusefs  off
global_ssp  off
gluster_anon_write  off
gluster_export_all_ro  off
gluster_export_all_rw  on
gluster_use_execmem  off
gpg_web_anon_write  off
gssd_read_tmp  on
guest_exec_content  on
haproxy_connect_any  off
httpd_anon_write  off
httpd_builtin_scripting  on
httpd_can_check_spam  off
httpd_can_connect_ftp  off    # allow httpd to connect to an FTP service over the network; off by default
httpd_can_connect_ldap  off
httpd_can_connect_mythtv  off
httpd_can_connect_zabbix  off
httpd_can_network_connect  off    # allow httpd to make network connections; off by default
httpd_can_network_connect_cobbler  off
httpd_can_network_connect_db  off    # allow httpd to connect to a database over the network; off by default
httpd_can_network_memcache  off    # allow httpd to connect to memcache over the network; off by default
httpd_can_network_relay  off    # allow httpd to act as a network relay; off by default
httpd_can_sendmail  off    # allow httpd to send mail; off by default
httpd_dbus_avahi  off
httpd_dbus_sssd  off
httpd_dontaudit_search_dirs  off
httpd_enable_cgi  on
httpd_enable_ftp_server  off
httpd_enable_homedirs  off
httpd_execmem  off
httpd_graceful_shutdown  on
httpd_manage_ipa  off
httpd_mod_auth_ntlm_winbind  off
httpd_mod_auth_pam  off
httpd_read_user_content  off
httpd_run_ipa  off
httpd_run_preupgrade  off
httpd_run_stickshift  off
httpd_serve_cobbler_files  off
httpd_setrlimit  off
httpd_ssi_exec  off
httpd_sys_script_anon_write  off
httpd_tmp_exec  off
httpd_tty_comm  off
httpd_unified  off
httpd_use_cifs  off
httpd_use_fusefs  off
httpd_use_gpg  off
httpd_use_nfs  off
httpd_use_openstack  off
httpd_use_sasl  off
httpd_verify_dns  off
icecast_use_any_tcp_ports  off
irc_use_any_tcp_ports  off
irssi_use_full_network  off
kdumpgui_run_bootloader  off
keepalived_connect_any  off
kerberos_enabled  on
ksmtuned_use_cifs  off
ksmtuned_use_nfs  off
logadm_exec_content  on
logging_syslogd_can_sendmail  off
logging_syslogd_run_nagios_plugins  off
logging_syslogd_use_tty  on
login_console_enabled  on
logrotate_read_inside_containers  off
logrotate_use_nfs  off
logwatch_can_network_connect_mail  off
lsmd_plugin_connect_any  off
mailman_use_fusefs  off
mcelog_client  off
mcelog_exec_scripts  on
mcelog_foreground  off
mcelog_server  off
minidlna_read_generic_user_content  off
mmap_low_allowed  off
mock_enable_homedirs  off
mount_anyfile  on
mozilla_plugin_bind_unreserved_ports  off
mozilla_plugin_can_network_connect  off
mozilla_plugin_use_bluejeans  off
mozilla_plugin_use_gps  off
mozilla_plugin_use_spice  off
mozilla_read_content  off
mpd_enable_homedirs  off
mpd_use_cifs  off
mpd_use_nfs  off
mplayer_execstack  off
mysql_connect_any  off    # allow mysql to connect to anything; off by default
nagios_run_pnp4nagios  off
nagios_run_sudo  off
nagios_use_nfs  off
named_tcp_bind_http_port  off
named_write_master_zones  off
neutron_can_network  off
nfs_export_all_ro  on
nfs_export_all_rw  on
nfsd_anon_write  off
nis_enabled  off
nscd_use_shm  on
openshift_use_nfs  off
openvpn_can_network_connect  on
openvpn_enable_homedirs  on
openvpn_run_unconfined  off
pcp_bind_all_unreserved_ports  off
pcp_read_generic_logs  off
piranha_lvs_can_network_connect  off
polipo_connect_all_unreserved  off
polipo_session_bind_all_unreserved_ports  off
polipo_session_users  off
polipo_use_cifs  off
polipo_use_nfs  off
polyinstantiation_enabled  off
postfix_local_write_mail_spool  on
postgresql_can_rsync  off
postgresql_selinux_transmit_client_label  off
postgresql_selinux_unconfined_dbadm  on
postgresql_selinux_users_ddl  on
pppd_can_insmod  off
pppd_for_user  off
privoxy_connect_any  on
prosody_bind_http_port  off
puppetagent_manage_all_files  off
puppetmaster_use_db  off
racoon_read_shadow  off
radius_use_jit  off
redis_enable_notify  off
rpcd_use_fusefs  off
rsync_anon_write  off
rsync_client  off
rsync_export_all_ro  off
rsync_full_access  off
samba_create_home_dirs  off
samba_domain_controller  off
samba_enable_home_dirs  off
samba_export_all_ro  off
samba_export_all_rw  off
samba_load_libgfapi  off
samba_portmapper  off
samba_run_unconfined  off
samba_share_fusefs  off
samba_share_nfs  off
sanlock_enable_home_dirs  off
sanlock_use_fusefs  off
sanlock_use_nfs  off
sanlock_use_samba  off
saslauthd_read_shadow  off
secadm_exec_content  on
secure_mode  off
secure_mode_insmod  off
secure_mode_policyload  off
selinuxuser_direct_dri_enabled  on
selinuxuser_execheap  off
selinuxuser_execmod  on
selinuxuser_execstack  on
selinuxuser_mysql_connect_enabled  off
selinuxuser_ping  on
selinuxuser_postgresql_connect_enabled  off
selinuxuser_rw_noexattrfile  on
selinuxuser_share_music  off
selinuxuser_tcp_server  off
selinuxuser_udp_server  off
selinuxuser_use_ssh_chroot  off
sge_domain_can_network_connect  off
sge_use_nfs  off
smartmon_3ware  off
smbd_anon_write  off
spamassassin_can_network  off
spamd_enable_home_dirs  on
spamd_update_can_network  off
squid_connect_any  on
squid_use_tproxy  off
ssh_chroot_rw_homedirs  off
ssh_keysign  off
ssh_sysadm_login  off
staff_exec_content  on
staff_use_svirt  off
swift_can_network  off
sysadm_exec_content  on
telepathy_connect_all_ports  off
telepathy_tcp_connect_generic_network_ports  on
tftp_anon_write  off
tftp_home_dir  off
tmpreaper_use_cifs  off
tmpreaper_use_nfs  off
tmpreaper_use_samba  off
tomcat_can_network_connect_db  off
tomcat_read_rpm_db  off
tomcat_use_execmem  off
tor_bind_all_unreserved_ports  off
tor_can_network_relay  off
unconfined_chrome_sandbox_transition  on
unconfined_login  on
unconfined_mozilla_plugin_transition  on
unprivuser_use_svirt  off
use_ecryptfs_home_dirs  off
use_fusefs_home_dirs  off
use_lpd_server  off
use_nfs_home_dirs  off
use_samba_home_dirs  off
user_exec_content  on
varnishd_connect_any  off
virt_read_qemu_ga_data  off
virt_rw_qemu_ga_data  off
virt_sandbox_use_all_caps  on
virt_sandbox_use_audit  on
virt_sandbox_use_fusefs  off
virt_sandbox_use_mknod  off
virt_sandbox_use_netlink  off
virt_sandbox_use_sys_admin  off
virt_transition_userdomain  off
virt_use_comm  off
virt_use_execmem  off
virt_use_fusefs  off
virt_use_glusterd  off
virt_use_nfs  on
virt_use_rawip  off
virt_use_samba  off
virt_use_sanlock  off
virt_use_usb  on
virt_use_xserver  off
webadm_manage_user_files  off
webadm_read_user_files  off
wine_mmap_zero_ignore  off
xdm_bind_vnc_tcp_port  off
xdm_exec_bootloader  off
xdm_sysadm_login  off
xdm_write_home  off
xen_use_nfs  off
xend_run_blktap  on
xend_run_qemu  on
xguest_connect_network  on
xguest_exec_content  on
xguest_mount_media  on
xguest_use_bluetooth  on
xserver_clients_write_xshm  off
xserver_execmem  off
xserver_object_manager  off
zabbix_can_network  off
zabbix_run_sudo  off
zarafa_setrlimit  off
zebra_write_config  off
zoneminder_anon_write  off
zoneminder_run_sudo  off
```
semanage boolean --list shows each boolean together with its current state, its default and a description of what it allows; semanage boolean -h prints the help. setsebool <boolean> <on|off> changes a boolean on the running system only (the setting does not survive a reboot).
```
# semanage boolean --list
SELinux 布尔值                          状态  默认 描述
privoxy_connect_any (开 , 开) Allow privoxy to connect any
smartmon_3ware (关 , 关) Allow smartmon to 3ware
mpd_enable_homedirs (关 , 关) Allow mpd to enable homedirs
xdm_sysadm_login (关 , 关) Allow xdm to sysadm login
xen_use_nfs (关 , 关) Allow xen to use nfs
mozilla_read_content (关 , 关) Allow mozilla to read content
ssh_chroot_rw_homedirs (关 , 关) Allow ssh to chroot rw homedirs
mount_anyfile (开 , 开) Allow mount to anyfile
cron_userdomain_transition (开 , 开) Allow cron to userdomain transition
xdm_write_home (关 , 关) Allow xdm to write home
openvpn_can_network_connect (开 , 开) Allow openvpn to can network connect
xserver_execmem (关 , 关) Allow xserver to execmem
minidlna_read_generic_user_content (关 , 关) Allow minidlna to read generic user content
authlogin_nsswitch_use_ldap (关 , 关) Allow authlogin to nsswitch use ldap
gluster_anon_write (关 , 关) Allow gluster to anon write
piranha_lvs_can_network_connect (关 , 关) Allow piranha to lvs can network connect
selinuxuser_execmod (开 , 开) Allow selinuxuser to execmod
httpd_can_network_relay (关 , 关) Allow httpd to can network relay
openvpn_enable_homedirs (开 , 开) Allow openvpn to enable homedirs
glance_use_execmem (关 , 关) Allow glance to use execmem
telepathy_tcp_connect_generic_network_ports (开 , 开) Allow telepathy to tcp connect generic network ports
httpd_can_connect_mythtv (关 , 关) Allow httpd to can connect mythtv
unconfined_mozilla_plugin_transition (开 , 开) Allow unconfined to mozilla plugin transition
nagios_run_sudo (关 , 关) Allow nagios to run sudo
httpd_can_network_connect_db (关 , 关) Allow httpd to can network connect db
use_ecryptfs_home_dirs (关 , 关) Allow use to ecryptfs home dirs
mpd_use_nfs (关 , 关) Allow mpd to use nfs
postgresql_can_rsync (关 , 关) Allow postgresql to can rsync
polipo_connect_all_unreserved (关 , 关) Allow polipo to connect all unreserved
httpd_use_gpg (关 , 关) Allow httpd to use gpg
samba_export_all_rw (关 , 关) Allow samba to export all rw
samba_domain_controller (关 , 关) Allow samba to domain controller
httpd_dbus_sssd (关 , 关) Allow httpd to dbus sssd
selinuxuser_udp_server (关 , 关) Allow selinuxuser to udp server
fenced_can_network_connect (关 , 关) Allow fenced to can network connect
httpd_enable_cgi (开 , 开) Allow httpd to enable cgi
polipo_use_cifs (关 , 关) Allow polipo to use cifs
xend_run_blktap (开 , 开) Allow xend to run blktap
httpd_verify_dns (关 , 关) Allow httpd to verify dns
ftpd_use_cifs (关 , 关) Allow ftpd to use cifs
polyinstantiation_enabled (关 , 关) Allow polyinstantiation to enabled
virt_use_nfs (开 , 开) Allow virt to use nfs
virt_use_comm (关 , 关) Allow virt to use comm
tmpreaper_use_cifs (关 , 关) Allow tmpreaper to use cifs
rsync_client (关 , 关) Allow rsync to client
xdm_exec_bootloader (关 , 关) Allow xdm to exec bootloader
exim_read_user_files (关 , 关) Allow exim to read user files
use_nfs_home_dirs (关 , 关) Allow use to nfs home dirs
swift_can_network (关 , 关) Allow swift to can network
xserver_clients_write_xshm (关 , 关) Allow xserver to clients write xshm
container_connect_any (关 , 关) Allow container to connect any
ksmtuned_use_nfs (关 , 关) Allow ksmtuned to use nfs
entropyd_use_audio (开 , 开) Allow entropyd to use audio
selinuxuser_share_music (关 , 关) Allow selinuxuser to share music
httpd_dontaudit_search_dirs (关 , 关) Allow httpd to dontaudit search dirs
named_write_master_zones (关 , 关) Allow named to write master zones
git_system_use_cifs (关 , 关) Allow git to system use cifs
samba_portmapper (关 , 关) Allow samba to portmapper
nagios_run_pnp4nagios (关 , 关) Allow nagios to run pnp4nagios
postgresql_selinux_users_ddl (开 , 开) Allow postgresql to selinux users ddl
tor_bind_all_unreserved_ports (关 , 关) Allow tor to bind all unreserved ports
logrotate_read_inside_containers (关 , 关) Allow logrotate to read inside containers
mcelog_exec_scripts (开 , 开) Allow mcelog to exec scripts
zebra_write_config (关 , 关) Allow zebra to write config
cvs_read_shadow (关 , 关) Allow cvs to read shadow
httpd_use_cifs (关 , 关) Allow httpd to use cifs
deny_ptrace (关 , 关) Allow deny to ptrace
ssh_keysign (关 , 关) Allow ssh to keysign
postfix_local_write_mail_spool (开 , 开) Allow postfix to local write mail spool
antivirus_use_jit (关 , 关) Allow antivirus to use jit
logwatch_can_network_connect_mail (关 , 关) Allow logwatch to can network connect mail
secure_mode (关 , 关) Allow secure to mode
gluster_export_all_ro (关 , 关) Allow gluster to export all ro
httpd_manage_ipa (关 , 关) Allow httpd to manage ipa
virt_sandbox_use_sys_admin (关 , 关) Allow virt to sandbox use sys admin
conman_can_network (关 , 关) Allow conman to can network
pppd_for_user (关 , 关) Allow pppd to for user
samba_export_all_ro (关 , 关) Allow samba to export all ro
ftpd_connect_db (关 , 关) Allow ftpd to connect db
git_system_enable_homedirs (关 , 关) Allow git to system enable homedirs
use_samba_home_dirs (关 , 关) Allow use to samba home dirs
domain_can_write_kmsg (关 , 关) Allow domain to can write kmsg
mock_enable_homedirs (关 , 关) Allow mock to enable homedirs
sge_domain_can_network_connect (关 , 关) Allow sge to domain can network connect
httpd_run_stickshift (关 , 关) Allow httpd to run stickshift
samba_create_home_dirs (关 , 关) Allow samba to create home dirs
virt_transition_userdomain (关 , 关) Allow virt to transition userdomain
mozilla_plugin_bind_unreserved_ports (关 , 关) Allow mozilla to plugin bind unreserved ports
git_session_users (关 , 关) Allow git to session users
zabbix_can_network (关 , 关) Allow zabbix to can network
fenced_can_ssh (关 , 关) Allow fenced to can ssh
zoneminder_run_sudo (关 , 关) Allow zoneminder to run sudo
httpd_enable_homedirs (关 , 关) Allow httpd to enable homedirs
gpg_web_anon_write (关 , 关) Allow gpg to web anon write
lsmd_plugin_connect_any (关 , 关) Allow lsmd to plugin connect any
selinuxuser_direct_dri_enabled (开 , 开) Allow selinuxuser to direct dri enabled
nfsd_anon_write (关 , 关) Allow nfsd to anon write
gluster_use_execmem (关 , 关) Allow gluster to use execmem
mysql_connect_any (关 , 关) Allow mysql to connect any
glance_use_fusefs (关 , 关) Allow glance to use fusefs
polipo_session_bind_all_unreserved_ports (关 , 关) Allow polipo to session bind all unreserved ports
cluster_can_network_connect (关 , 关) Allow cluster to can network connect
httpd_dbus_avahi (关 , 关) Allow httpd to dbus avahi
ftpd_use_fusefs (关 , 关) Allow ftpd to use fusefs
sanlock_use_fusefs (关 , 关) Allow sanlock to use fusefs
rsync_full_access (关 , 关) Allow rsync to full access
global_ssp (关 , 关) Allow global to ssp
cobbler_can_network_connect (关 , 关) Allow cobbler to can network connect
virt_sandbox_use_audit (开 , 开) Allow virt to sandbox use audit
staff_use_svirt (关 , 关) Allow staff to use svirt
squid_use_tproxy (关 , 关) Allow squid to use tproxy
ftpd_full_access (关 , 关) Allow ftpd to full access
gluster_export_all_rw (开 , 开) Allow gluster to export all rw
secure_mode_policyload (关 , 关) Allow secure to mode policyload
virt_use_rawip (关 , 关) Allow virt to use rawip
dbadm_manage_user_files (关 , 关) Allow dbadm to manage user files
domain_can_mmap_files (开 , 开) Allow domain to can mmap files
abrt_handle_event (关 , 关) Allow abrt to handle event
fips_mode (开 , 开) Allow fips to mode
rpcd_use_fusefs (关 , 关) Allow rpcd to use fusefs
webadm_manage_user_files (关 , 关) Allow webadm to manage user files
virt_sandbox_use_mknod (关 , 关) Allow virt to sandbox use mknod
tomcat_can_network_connect_db (关 , 关) Allow tomcat to can network connect db
git_system_use_nfs (关 , 关) Allow git to system use nfs
gssd_read_tmp (开 , 开) Allow gssd to read tmp
httpd_unified (关 , 关) Allow httpd to unified
staff_exec_content (开 , 开) Allow staff to exec content
virt_sandbox_use_netlink (关 , 关) Allow virt to sandbox use netlink
tftp_anon_write (关 , 关) Allow tftp to anon write
irc_use_any_tcp_ports (关 , 关) Allow irc to use any tcp ports
xguest_exec_content (开 , 开) Allow xguest to exec content
saslauthd_read_shadow (关 , 关) Allow saslauthd to read shadow
openvpn_run_unconfined (关 , 关) Allow openvpn to run unconfined
httpd_mod_auth_pam (关 , 关) Allow httpd to mod auth pam
selinuxuser_rw_noexattrfile (开 , 开) Allow selinuxuser to rw noexattrfile
httpd_can_network_connect (关 , 关) Allow httpd to can network connect
keepalived_connect_any (关 , 关) Allow keepalived to connect any
exim_can_connect_db (关 , 关) Allow exim to can connect db
auditadm_exec_content (开 , 开) Allow auditadm to exec content
git_cgi_use_nfs (关 , 关) Allow git to cgi use nfs
xguest_connect_network (开 , 开) Allow xguest to connect network
varnishd_connect_any (关 , 关) Allow varnishd to connect any
tftp_home_dir (关 , 关) Allow tftp to home dir
guest_exec_content (开 , 开) Allow guest to exec content
exim_manage_user_files (关 , 关) Allow exim to manage user files
httpd_execmem (关 , 关) Allow httpd to execmem
virt_use_xserver (关 , 关) Allow virt to use xserver
httpd_use_fusefs (关 , 关) Allow httpd to use fusefs
cdrecord_read_content (关 , 关) Allow cdrecord to read content
cluster_use_execmem (关 , 关) Allow cluster to use execmem
login_console_enabled (开 , 开) Allow login to console enabled
httpd_mod_auth_ntlm_winbind (关 , 关) Allow httpd to mod auth ntlm winbind
logrotate_use_nfs (关 , 关) Allow logrotate to use nfs
selinuxuser_postgresql_connect_enabled (关 , 关) Allow selinuxuser to postgresql connect enabled
httpd_use_sasl (关 , 关) Allow httpd to use sasl
httpd_tty_comm (关 , 关) Allow httpd to tty comm
httpd_sys_script_anon_write (关 , 关) Allow httpd to sys script anon write
rsync_anon_write (关 , 关) Allow rsync to anon write
mplayer_execstack (关 , 关) Allow mplayer to execstack
zoneminder_anon_write (关 , 关) Allow zoneminder to anon write
selinuxuser_tcp_server (关 , 关) Allow selinuxuser to tcp server
dbadm_exec_content (开 , 开) Allow dbadm to exec content
postgresql_selinux_unconfined_dbadm (开 , 开) Allow postgresql to selinux unconfined dbadm
selinuxuser_execheap (关 , 关) Allow selinuxuser to execheap
conman_use_nfs (关 , 关) Allow conman to use nfs
virt_use_sanlock (关 , 关) Allow virt to use sanlock
virt_use_samba (关 , 关) Allow virt to use samba
irssi_use_full_network (关 , 关) Allow irssi to use full network
mozilla_plugin_use_bluejeans (关 , 关) Allow mozilla to plugin use bluejeans
tmpreaper_use_samba (关 , 关) Allow tmpreaper to use samba
nscd_use_shm (开 , 开) Allow nscd to use shm
tomcat_read_rpm_db (关 , 关) Allow tomcat to read rpm db
zabbix_run_sudo (关 , 关) Allow zabbix to run sudo
haproxy_connect_any (关 , 关) Allow haproxy to connect any
wine_mmap_zero_ignore (关 , 关) Allow wine to mmap zero ignore
racoon_read_shadow (关 , 关) Allow racoon to read shadow
puppetmaster_use_db (关 , 关) Allow puppetmaster to use db
httpd_graceful_shutdown (开 , 开) Allow httpd to graceful shutdown
nis_enabled (关 , 关) Allow nis to enabled
logadm_exec_content (开 , 开) Allow logadm to exec content
container_use_cephfs (关 , 关) Allow container to use cephfs
unconfined_login (开 , 开) Allow unconfined to login
secure_mode_insmod (关 , 关) Allow secure to mode insmod
virt_sandbox_use_fusefs (关 , 关) Allow virt to sandbox use fusefs
httpd_can_connect_ftp (关 , 关) Allow httpd to can connect ftp
ftpd_use_passive_mode (关 , 关) Allow ftpd to use passive mode
smbd_anon_write (关 , 关) Allow smbd to anon write
daemons_enable_cluster_mode (关 , 关) Allow daemons to enable cluster mode
cobbler_use_nfs (关 , 关) Allow cobbler to use nfs
tor_can_network_relay (关 , 关) Allow tor to can network relay
virt_use_usb (开 , 开) Allow virt to use usb
selinuxuser_execstack (开 , 开) Allow selinuxuser to execstack
selinuxuser_mysql_connect_enabled (关 , 关) Allow selinuxuser to mysql connect enabled
virt_sandbox_use_all_caps (开 , 开) Allow virt to sandbox use all caps
httpd_run_ipa (关 , 关) Allow httpd to run ipa
ganesha_use_fusefs (关 , 关) Allow ganesha to use fusefs
rsync_export_all_ro (关 , 关) Allow rsync to export all ro
daemons_use_tcp_wrapper (关 , 关) Allow daemons to use tcp wrapper
prosody_bind_http_port (关 , 关) Allow prosody to bind http port
sanlock_enable_home_dirs (关 , 关) Allow sanlock to enable home dirs
webadm_read_user_files (关 , 关) Allow webadm to read user files
mozilla_plugin_use_gps (关 , 关) Allow mozilla to plugin use gps
use_fusefs_home_dirs (关 , 关) Allow use to fusefs home dirs
pcp_bind_all_unreserved_ports (关 , 关) Allow pcp to bind all unreserved ports
httpd_read_user_content (关 , 关) Allow httpd to read user content
httpd_use_nfs (关 , 关) Allow httpd to use nfs
unconfined_chrome_sandbox_transition (开 , 开) Allow unconfined to chrome sandbox transition
pppd_can_insmod (关 , 关) Allow pppd to can insmod
sge_use_nfs (关 , 关) Allow sge to use nfs
xguest_use_bluetooth (开 , 开) Allow xguest to use bluetooth
spamd_enable_home_dirs (开 , 开) Allow spamd to enable home dirs
dhcpd_use_ldap (关 , 关) Allow dhcpd to use ldap
git_cgi_use_cifs (关 , 关) Allow git to cgi use cifs
pcp_read_generic_logs (关 , 关) Allow pcp to read generic logs
httpd_can_connect_zabbix (关 , 关) Allow httpd to can connect zabbix
zarafa_setrlimit (关 , 关) Allow zarafa to setrlimit
mailman_use_fusefs (关 , 关) Allow mailman to use fusefs
icecast_use_any_tcp_ports (关 , 关) Allow icecast to use any tcp ports
httpd_tmp_exec (关 , 关) Allow httpd to tmp exec
secadm_exec_content (开 , 开) Allow secadm to exec content
httpd_run_preupgrade (关 , 关) Allow httpd to run preupgrade
virt_use_execmem (关 , 关) Allow virt to use execmem
ksmtuned_use_cifs (关 , 关) Allow ksmtuned to use cifs
spamassassin_can_network (关 , 关) Allow spamassassin to can network
boinc_execmem (开 , 开) Allow boinc to execmem
sanlock_use_nfs (关 , 关) Allow sanlock to use nfs
domain_kernel_load_modules (关 , 关) Allow domain to kernel load modules
collectd_tcp_network_connect (关 , 关) Allow collectd to tcp network connect
abrt_anon_write (关 , 关) Allow abrt to anon write
xserver_object_manager (关 , 关) Allow xserver to object manager
puppetagent_manage_all_files (关 , 关) Allow puppetagent to manage all files
httpd_can_sendmail (关 , 关) Allow httpd to can sendmail
samba_share_fusefs (关 , 关) Allow samba to share fusefs
mcelog_foreground (关 , 关) Allow mcelog to foreground
xend_run_qemu (开 , 开) Allow xend to run qemu
mozilla_plugin_can_network_connect (关 , 关) Allow mozilla to plugin can network connect
radius_use_jit (关 , 关) Allow radius to use jit
httpd_builtin_scripting (开 , 开) Allow httpd to builtin scripting
selinuxuser_ping (开 , 开) Allow selinuxuser to ping
authlogin_yubikey (关 , 关) Allow authlogin to yubikey
cluster_manage_all_files (关 , 关) Allow cluster to manage all files
httpd_can_connect_ldap (关 , 关) Allow httpd to can connect ldap
cobbler_anon_write (关 , 关) Allow cobbler to anon write
samba_share_nfs (关 , 关) Allow samba to share nfs
virt_use_glusterd (关 , 关) Allow virt to use glusterd
nagios_use_nfs (关 , 关) Allow nagios to use nfs
mmap_low_allowed (关 , 关) Allow mmap to low allowed
dbadm_read_user_files (关 , 关) Allow dbadm to read user files
kdumpgui_run_bootloader (关 , 关) Allow kdumpgui to run bootloader
git_cgi_enable_homedirs (关 , 关) Allow git to cgi enable homedirs
xdm_bind_vnc_tcp_port (关 , 关) Allow xdm to bind vnc tcp port
spamd_update_can_network (关 , 关) Allow spamd to update can network
ftpd_use_nfs (关 , 关) Allow ftpd to use nfs
antivirus_can_scan_system (关 , 关) Allow antivirus to can scan system
polipo_session_users (关 , 关) Allow polipo to session users
kerberos_enabled (开 , 开) Allow kerberos to enabled
httpd_can_check_spam (关 , 关) Allow httpd to can check spam
xguest_mount_media (开 , 开) Allow xguest to mount media
openshift_use_nfs (关 , 关) Allow openshift to use nfs
named_tcp_bind_http_port (关 , 关) Allow named to tcp bind http port
deny_execmem (关 , 关) Allow deny to execmem
dhcpc_exec_iptables (关 , 关) Allow dhcpc to exec iptables
logging_syslogd_can_sendmail (关 , 关) Allow logging to syslogd can sendmail
polipo_use_nfs (关 , 关) Allow polipo to use nfs
samba_run_unconfined (关 , 关) Allow samba to run unconfined
telepathy_connect_all_ports (关 , 关) Allow telepathy to connect all ports
user_exec_content (开 , 开) Allow user to exec content
neutron_can_network (关 , 关) Allow neutron to can network
mpd_use_cifs (关 , 关) Allow mpd to use cifs
ftpd_connect_all_unreserved (关 , 关) Allow ftpd to connect all unreserved
glance_api_can_network (关 , 关) Allow glance to api can network
samba_load_libgfapi (关 , 关) Allow samba to load libgfapi
gitosis_can_sendmail (关 , 关) Allow gitosis to can sendmail
redis_enable_notify (关 , 关) Allow redis to enable notify
logging_syslogd_use_tty (开 , 开) Allow logging to syslogd use tty
httpd_can_network_memcache (关 , 关) Allow httpd to can network memcache
container_manage_cgroup (关 , 关) Allow container to manage cgroup
httpd_can_network_connect_cobbler (关 , 关) Allow httpd to can network connect cobbler
httpd_anon_write (关 , 关) Allow httpd to anon write
httpd_serve_cobbler_files (关 , 关) Allow httpd to serve cobbler files
daemons_use_tty (关 , 关) Allow daemons to use tty
condor_tcp_network_connect (关 , 关) Allow condor to tcp network connect
ftpd_anon_write (关 , 关) Allow ftpd to anon write
sanlock_use_samba (关 , 关) Allow sanlock to use samba
awstats_purge_apache_log_files (关 , 关) Allow awstats to purge apache log files
virt_rw_qemu_ga_data (关 , 关) Allow virt to rw qemu ga data
sysadm_exec_content (开 , 开) Allow sysadm to exec content
unprivuser_use_svirt (关 , 关) Allow unprivuser to use svirt
use_lpd_server (关 , 关) Allow use to lpd server
abrt_upload_watch_anon_write (开 , 开) Allow abrt to upload watch anon write
cups_execmem (关 , 关) Allow cups to execmem
tmpreaper_use_nfs (关 , 关) Allow tmpreaper to use nfs
cron_system_cronjob_use_shares (关 , 关) Allow cron to system cronjob use shares
selinuxuser_use_ssh_chroot (关 , 关) Allow selinuxuser to use ssh chroot
virt_read_qemu_ga_data (关 , 关) Allow virt to read qemu ga data
git_session_bind_all_unreserved_ports (关 , 关) Allow git to session bind all unreserved ports
httpd_ssi_exec (关 , 关) Allow httpd to ssi exec
mozilla_plugin_use_spice (关 , 关) Allow mozilla to plugin use spice
httpd_use_openstack (关 , 关) Allow httpd to use openstack
httpd_enable_ftp_server (关 , 关) Allow httpd to enable ftp server
daemons_dump_core (关 , 关) Allow daemons to dump core
fcron_crond (关 , 关) Allow fcron to crond
virt_use_fusefs (关 , 关) Allow virt to use fusefs
nfs_export_all_rw (开 , 开) Allow nfs to export all rw
postgresql_selinux_transmit_client_label (关 , 关) Allow postgresql to selinux transmit client label
authlogin_radius (关 , 关) Allow authlogin to radius
cobbler_use_cifs (关 , 关) Allow cobbler to use cifs
mcelog_server (关 , 关) Allow mcelog to server
httpd_setrlimit (关 , 关) Allow httpd to setrlimit
logging_syslogd_run_nagios_plugins (关 , 关) Allow logging to syslogd run nagios plugins
squid_connect_any (开 , 开) Allow squid to connect any
ssh_sysadm_login (关 , 关) Allow ssh to sysadm login
domain_fd_use (开 , 开) Allow domain to fd use
samba_enable_home_dirs (关 , 关) Allow samba to enable home dirs
mcelog_client (关 , 关) Allow mcelog to client
tomcat_use_execmem (关 , 关) Allow tomcat to use execmem
nfs_export_all_ro (开 , 开) Allow nfs to export all ro
cron_can_relabel (关 , 关) Allow cron to can relabel
```
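The useful signal in both listings above (sestatus -b and semanage boolean --list) is not the hundreds of defaults but the handful of booleans somebody has flipped, since each one (httpd_can_network_connect, ftpd_use_nfs, samba_export_all_rw and so on) widens what a confined service may reach. The code below is an added example, not from the page or from the SELinux tooling: it parses both output formats, including the Chinese-locale "开"/"关" the page shows as well as the English "on"/"off", reports booleans whose current state differs from the policy default, and emits the setsebool -P lines (the -P flag makes the change persistent, unlike the temporary form described above) that would restore them. The sample listings are constructed, with one boolean deliberately set away from its default.

```python
import re

# Constructed sample in the semanage boolean --list format under a Chinese locale;
# httpd_can_network_connect has been switched on although its default is off.
SAMPLE_SEMANAGE = """\
SELinux 布尔值                          状态  默认 描述
privoxy_connect_any            (开 , 开)  Allow privoxy to connect any
httpd_can_network_connect      (开 , 关)  Allow httpd to can network connect
httpd_can_sendmail             (关 , 关)  Allow httpd to can sendmail
ftpd_use_nfs                   (off , off)  Allow ftpd to use nfs
"""

# Constructed sample in the sestatus -b format (no default column).
SAMPLE_SESTATUS_B = """\
Policy booleans:
abrt_anon_write                             off
httpd_can_network_connect                   on
"""

# Both the English and the Chinese-locale spellings of the two states.
STATE_WORDS = {"on": True, "off": False, "开": True, "关": False}

# "name   (current , default)   description"
SEMANAGE_RE = re.compile(
    r"^(?P<name>\w+)\s+\(\s*(?P<cur>\S+)\s*,\s*(?P<default>\S+)\s*\)\s*(?P<desc>.*)$")
# "name   on|off"
SESTATUS_RE = re.compile(r"^(?P<name>\w+)\s+(?P<cur>on|off)\s*$")


def parse_boolean_line(line):
    """Return (name, current, default, description); default is None for sestatus -b
    lines, and the result is None for headers or lines in neither format."""
    line = line.strip()
    m = SEMANAGE_RE.match(line)
    if m:
        cur, default = STATE_WORDS.get(m["cur"]), STATE_WORDS.get(m["default"])
        if cur is None or default is None:
            return None
        return (m["name"], cur, default, m["desc"].strip())
    m = SESTATUS_RE.match(line)
    if m:
        return (m["name"], STATE_WORDS[m["cur"]], None, "")
    return None


def parse_booleans(text):
    """Map boolean name -> record for every parseable line of either listing."""
    return {rec[0]: rec for rec in map(parse_boolean_line, text.splitlines()) if rec}


def changed_from_default(text):
    """Names of booleans whose current state differs from the policy default
    (only determinable from semanage output, which carries the default column)."""
    return sorted(name for name, cur, default, _ in parse_booleans(text).values()
                  if default is not None and cur != default)


def restore_commands(text):
    """setsebool -P invocations that put every drifted boolean back to its default."""
    recs = parse_booleans(text)
    return [f"setsebool -P {name} {'on' if recs[name][2] else 'off'}"
            for name in changed_from_default(text)]


if __name__ == "__main__":
    # On a real host: text = subprocess.run(["semanage", "boolean", "--list"], ...).stdout
    for name in changed_from_default(SAMPLE_SEMANAGE):
        _, cur, default, desc = parse_booleans(SAMPLE_SEMANAGE)[name]
        print(f"{name}: current={'on' if cur else 'off'} default={'on' if default else 'off'}  ({desc})")
    print("\n".join(restore_commands(SAMPLE_SEMANAGE)))
```

Diffing against the defaults rather than against "off" matters because a number of booleans (nfs_export_all_rw, unconfined_login, virt_use_nfs in the listing above) ship enabled, so a naive "anything that is on" report would bury the one change that was actually made by hand.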