我在 CentOS 7 中有一個 systemd 腳本,除非停用 SELINUX,否則它無法正常運作。是否可以以某種方式在系統上啟用 SELINUX,但僅針對此 systemd 腳本停用它?
系統腳本:
[Unit]
Description=Tractor Blade Service
Wants=network.target network-online.target autofs.service
After=network.target network-online.target autofs.service
RequiresMountsFor=/101.102.103.104/pipeline/
[Service]
Type=simple
User=IRUser
ExecStart=/opt/pixar/Tractor-2.1/bin/tractor-blade --debug --log /101.102.103.104/pipeline/logs/tractor/tractor-blade-%H.log --engine=111.222.333.444 --supersede --pidfile=/var/run/tractor-blade.pid
[Install]
WantedBy=multi-user.target
答案1
您可以不受限制地運行該進程,這樣它就具有與禁用 SELinux 相同的權限。
# This will setup the executable to be unconfined. Temporarily
chcon -t unconfined_exec_t /opt/pixar/Tractor-2.1/bin/tractor-blade
# This command will make that permanent
semanage fcontext -a -t unconfined_exec_t /opt/pixar/Tractor-2.1/bin/tractor-blade
您可以在 Red Hat 文件中閱讀有關無限進程的更多資訊:https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html
答案2
嘗試使用semanage fcontext命令
semanage fcontext -a -t <YourLabel> -f f <YourPath>應該管用。
-a = 新增 fcontext 物件類型的記錄
-t = 物件的 SELinux 類型
-f = 文件類型
答案3
安全性增強_Linux-Systemd_Access_Control (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/chap-Security-Enhanced_Linux-Systemd_Access_Control.html)
您也可以將 selinux 狀態更新為授權
setenforce 0
getenforce或sestatus