Good to Know Database

SELinux: List available boolean variables


With the following command you can list all available SELinux boolean variables on CentOS 6, each with a short description.

[root@centos6 ~]# semanage boolean -l
SELinux Boolesche Variablen              Beschreibung

ftp_home_dir                   -> aus   Allow ftp to read and write files in the user home directories
smartmon_3ware                 -> aus   Enable additional permissions needed to support devices on 3ware controllers.
xdm_sysadm_login               -> aus   Allow xdm logins as sysadm
xen_use_nfs                    -> aus   Allow xen to manage nfs files
mozilla_read_content           -> aus   Control mozilla content access
xguest_connect_network         -> ein   Allow xguest to configure Network Manager and connect to apache ports
tftp_anon_write                -> aus   Allow tftp to modify public files used for public file transfer services.
allow_console_login            -> ein   Allow direct login to the console device. Required for System 390
spamassassin_can_network       -> aus   Allow user spamassassin clients to use the network.
httpd_can_network_relay        -> aus   Allow httpd to act as a relay
openvpn_enable_homedirs        -> ein   Allow openvpn to read home directories
allow_execheap                 -> aus   Allow unconfined executables to make their heap memory executable.  Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
telepathy_tcp_connect_generic_network_ports -> aus   Allow the Telepathy connection managers to connect to any generic TCP port.
httpd_can_network_connect_db   -> aus   Allow HTTPD scripts and modules to connect to databases over the network.
allow_user_mysql_connect       -> aus   Allow users to connect to mysql
user_setrlimit                 -> ein   Allow user processes to change their priority
allow_ftpd_full_access         -> aus   Allow ftp servers to login to local users and read/write all files on the system, governed by DAC.
httpd_use_gpg                  -> aus   Allow httpd to run gpg in gpg-web domain
samba_domain_controller        -> aus   Allow samba to act as the domain controller, add users, groups and change passwords.
exim_manage_user_files         -> aus   Allow exim to create, read, write, and delete unprivileged user files.
httpd_enable_cgi               -> ein   Allow httpd cgi support
virt_use_nfs                   -> aus   Allow virt to manage nfs files
allow_daemons_use_tty          -> ein   Allow all daemons the ability to read/write terminals
virt_use_comm                  -> aus   Allow virt to use serial/parallell communication ports
rsync_client                   -> aus   Allow rsync to run as a client
rgmanager_can_network_connect  -> aus   Allow rgmanager domain to connect to the network using TCP.
sepgsql_unconfined_dbadm       -> ein   Allow database admins to execute DML statement
use_nfs_home_dirs              -> ein   Support NFS home directories
puppet_manage_all_files        -> aus   Allow Puppet client to manage all file types.
sftpd_write_ssh_home           -> aus   Allow interlnal-sftp to read and write files in the user ssh home directories.
ssh_sysadm_login               -> aus   SSH-Logins als 'sysadm_r:sysadm_t' erlauben
named_write_master_zones       -> aus   Allow BIND to write the master zone files. Generally this is used for dynamic DNS or zone transfers.
sepgsql_enable_users_ddl       -> ein   Allow unprived users to execute DDL statement
squid_use_tproxy               -> aus   Allow squid to run as a transparent proxy (TPROXY)
tor_bind_all_unreserved_ports  -> aus   Allow tor daemon to bind tcp sockets to all unreserved ports.
allow_ssh_keysign              -> aus   allow host key based authentication
httpd_use_cifs                 -> aus   Allow httpd to access cifs file systems
piranha_lvs_can_network_connect -> aus   Allow piranha-lvs domain to connect to the network using TCP.
nagios_plugin_dontaudit_bind_port -> aus   Allow fenced domain to connect to the network using TCP.
secure_mode                    -> aus   Enabling secure mode disallows programs, such as newrole, from transitioning to administrative user domains.
allow_httpd_mod_auth_pam       -> aus   Allow Apache to use mod_auth_pam
samba_enable_home_dirs         -> aus   Allow samba to share users home directories.
samba_export_all_ro            -> aus   Allow samba to share any file/directory read only.
samba_export_all_rw            -> aus   Allow samba to share any file/directory read/write.
git_system_enable_homedirs     -> aus   Allow Git daemon system to search home directories.
use_samba_home_dirs            -> aus   Support SAMBA home directories
allow_execmem                  -> ein   Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
samba_create_home_dirs         -> aus   Allow samba to create new home directories (e.g. via PAM)
user_ping                      -> ein   Control users use of ping and traceroute
allow_httpd_anon_write         -> aus   Allow Apache to modify public files used for public file transfer services. Directories/Files must be labeled public_rw_content_t.
irssi_use_full_network         -> aus   Allow the Irssi IRC Client to connect to any port, and to bind to any unreserved port.
allow_ftpd_use_nfs             -> aus   Allow ftp servers to use nfs used for public file transfer services.
httpd_enable_homedirs          -> aus   Allow httpd to read home directories
gpg_web_anon_write             -> aus   Allow gpg web domain to modify public files used for public file transfer services.
rsync_export_all_ro            -> aus   Allow rsync to export any files/directories read only.
allow_execmod                  -> ein   Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
allow_httpd_sys_script_anon_write -> aus   Allow apache scripts to write to public content.  Directories/Files must be labeled public_rw_content_t.
mysql_connect_any              -> aus   Allow mysqld to connect to all ports
allow_sysadm_exec_content      -> ein   allow_sysadm_exec_content
httpd_dbus_avahi               -> ein   Allow Apache to communicate with avahi service via dbus
dhcpc_exec_iptables            -> aus   Allow dhcpc client applications to execute iptables commands
allow_ftpd_anon_write          -> aus   Allow ftp servers to upload files,  used for public file transfer services. Directories must be labeled public_content_rw_t.
pppd_for_user                  -> aus   'pppd' erlauben, für einen regulären Benutzer ausgeführt zu werden
global_ssp                     -> aus   Enable reading of urandom for all domains.
user_direct_dri                -> ein   Allow regular users direct dri device access
cobbler_can_network_connect    -> aus   Allow Cobbler to connect to the network using TCP.
allow_xserver_execmem          -> aus   Allows XServer to execute writable memory
secure_mode_policyload         -> aus   boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values.  Set this to true and you have to reboot to set it back
gpg_agent_env_file             -> aus   Allow usage of the gpg-agent --write-env-file option. This also allows gpg-agent to manage user files.
virt_use_xserver               -> aus   Allow virtual machine to interact with the xserver
allow_unconfined_qemu_transition -> aus   Transition to confined qemu domains from unconfined user
git_system_use_nfs             -> aus   Allow Git daemon system to access nfs file systems.
httpd_unified                  -> ein   Unify HTTPD handling of all content files.
nsplugin_can_network           -> ein   Allow nsplugin code to connect to unreserved ports
allow_rsync_anon_write         -> aus   Allow rsync to modify public files used for public file transfer services.  Files/Directories must be labeled public_content_rw_t.
qemu_use_nfs                   -> ein   Allow qemu to use nfs file systems
spamd_enable_home_dirs         -> ein   Allow spamd to read/write user home directories.
qemu_use_usb                   -> ein   Allow qemu to use usb devices
exim_can_connect_db            -> aus   Allow exim to connect to databases (postgres, mysql)
allow_xguest_exec_content      -> aus   allow_xguest_exec_content
varnishd_connect_any           -> aus   Allow varnishd to connect to all ports, not just HTTP.
allow_mplayer_execstack        -> aus   Ausführbaren 'mplayer'-Stapel erlauben
virt_use_usb                   -> ein   Allow virt to use usb devices
allow_daemons_dump_core        -> ein   Allen Daemons erlauben, corefiles nach / zu schreiben
cdrecord_read_content          -> aus   'cdrecord' erlauben, verschiedenen Inhalt zu lesen. NFS, SAMBA, entfernbare Geräte, temporäre Benutzerdateien und nicht vertrauenswürdige Inhaltsdateien
virt_use_sysfs                 -> aus   Allow virt to manage device configuration, (pci)
httpd_can_network_connect      -> aus   Allow HTTPD scripts and modules to connect to the network using TCP.
icecast_connect_any            -> aus   Allow icecast to connect to all ports, not just sound ports.
allow_ypbind                   -> aus   Allow system to run with NIS
qemu_full_network              -> ein   Allow qemu to connect fully to the network
allow_nfsd_anon_write          -> aus   Allow nfs servers to modify public files used for public file transfer services.  Files/Directories must be labeled public_content_rw_t.
allow_execstack                -> ein   Allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
httpd_tty_comm                 -> ein   Unify HTTPD to communicate with the terminal. Needed for entering the passphrase for certificates at the terminal.
sftpd_enable_homedirs          -> aus   Allow sftp-internal to read and write files in the user home directories
allow_user_exec_content        -> ein   allow_user_exec_content
nscd_use_shm                   -> ein   Allow confined applications to use nscd shared memory.
user_ttyfile_stat              -> aus   Allow w to display everyone
allow_ftpd_use_cifs            -> aus   Allow ftp servers to use cifs used for public file transfer services.
allow_smbd_anon_write          -> aus   Allow samba to modify public files used for public file transfer services.  Files/Directories must be labeled public_content_rw_t.
racoon_read_shadow             -> aus   Allow racoon to read shadow
allow_mount_anyfile            -> ein   Allow the mount command to mount any directory or file.
unconfined_login               -> ein   Allow a user to login as an unconfined domain
secure_mode_insmod             -> aus   Disable transitions to insmod.
allow_saslauthd_read_shadow    -> aus   Allow sasl to read shadow
allow_nsplugin_execmem         -> ein   Allow nsplugin code to execmem/execstack
allow_write_xshm               -> aus   Allows clients to write to the X server shared memory segments.
webadm_read_user_files         -> aus   Allow webadm to read files in users home directories
allow_polyinstantiation        -> aus   Enable polyinstantiated directory support.
use_fusefs_home_dirs           -> aus   Support fusefs home directories
vbetool_mmap_zero_ignore       -> aus   Ignore vbetool mmap_zero errors.
httpd_read_user_content        -> aus   Allow httpd to read user content
httpd_use_nfs                  -> aus   Allow httpd to access nfs file systems
allow_postfix_local_write_mail_spool -> ein   Allow postfix_local domain full write access to mail_spool directories
xguest_use_bluetooth           -> ein   Allow xguest to use blue tooth devices
use_lpd_server                 -> aus   Use lpd server instead of cups
httpd_tmp_exec                 -> aus   Allow Apache to execute tmp content.
user_rw_noexattrfile           -> ein   Allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY)
user_tcp_server                -> aus   Allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users)  disabling this forces FTP passive mode and may change other protocols.
qemu_use_cifs                  -> ein   Allow qemu to use cifs/Samba file systems
user_direct_mouse              -> aus   Allow regular users direct mouse access
domain_kernel_load_modules     -> aus   Allow all domains to have the kernel load modules
httpd_execmem                  -> aus   Allow httpd scripts and modules execmem/execstack
privoxy_connect_any            -> ein   Allow privoxy to connect to all ports, not just HTTP, FTP, and Gopher ports.
abrt_anon_write                -> aus   Allow ABRT to modify public files used for public file transfer services.
allow_java_execstack           -> aus   Ausführbaren Java-Stapel erlauben
ncftool_read_user_content      -> aus   Allow ncftool to read user content.
qemu_use_comm                  -> aus   Allow qemu to user serial/parallel communication ports
httpd_can_sendmail             -> aus   Allow http daemon to send mail
samba_share_fusefs             -> aus   Allow samba to export ntfs/fusefs volumes.
init_upstart                   -> ein   Enable support for upstart as the init program.
allow_zebra_write_config       -> ein   Allow zebra daemon to write it configuration files
httpd_builtin_scripting        -> ein   Allow httpd to use built in scripting (usually php)
xserver_object_manager         -> aus   Support X userspace object manager
cobbler_anon_write             -> aus   Allow Cobbler to modify public files used for public file transfer services.
samba_share_nfs                -> aus   Allow samba to export NFS volumes.
mmap_low_allowed               -> aus   Allow certain domains to map low memory in the kernel
wine_mmap_zero_ignore          -> aus   Ignore wine mmap_zero errors
allow_ptrace                   -> aus   Allow sysadm to debug or ptrace all processes.
fenced_can_network_connect     -> aus   Allow fenced domain to connect to the network using TCP.
allow_user_postgresql_connect  -> aus   Allow users to connect to PostgreSQL
allow_cvs_read_shadow          -> aus   Allow cvs daemon to read shadow
httpd_can_check_spam           -> aus   Allow http daemon to check spam
sftpd_full_access              -> aus   Allow sftp-internal to login to local users and read/write all files on the system, governed by DAC.
xguest_mount_media             -> ein   Allow xguest users to mount removable media
allow_httpd_mod_auth_ntlm_winbind -> aus   Allow Apache to use mod_auth_pam
pppd_can_insmod                -> aus   Allow pppd to load kernel modules for certain modems
samba_run_unconfined           -> aus   Allow samba to run unconfined scripts
ftpd_connect_db                -> aus   Allow ftp servers to use connect to mysql database
unconfined_mmap_zero_ignore    -> aus   Ignore wine mmap_zero errors
allow_kerberos                 -> ein   Allow confined applications to run with kerberos.
httpd_can_network_memcache     -> aus   Allow httpd to connect to memcache server
exim_read_user_files           -> aus   Allow exim to read unprivileged user files.
httpd_can_network_connect_cobbler -> aus   Allow HTTPD scripts and modules to connect to cobbler over the network.
allow_staff_exec_content       -> ein   allow_staff_exec_content
allow_guest_exec_content       -> aus   allow_guest_exec_content
allow_gssd_read_tmp            -> ein   Allow gssd to read temp directory.  For access to kerberos tgt.
webadm_manage_user_files       -> aus   Allow webadm to manage files in users home directories
clamd_use_jit                  -> aus   Allow clamd to use JIT compiler
git_session_bind_all_unreserved_ports -> aus   Allow Git daemon session to bind tcp sockets to all unreserved ports.
httpd_ssi_exec                 -> aus   Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
httpd_enable_ftp_server        -> aus   Allow httpd to act as a FTP server by listening on the ftp port.
fcron_crond                    -> aus   Enable extra rules in the cron domain to support fcron.
virt_use_fusefs                -> aus   Allow virt to read fuse files
nfs_export_all_rw              -> ein   Allow any files/directories to be exported read/write via NFS.
allow_domain_fd_use            -> ein   Allow all domains to use other domains file descriptors
httpd_setrlimit                -> aus   Allow httpd daemon to change system limits
squid_connect_any              -> ein   Allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports.
virt_use_samba                 -> aus   Allow virt to manage cifs files
allow_unconfined_nsplugin_transition -> aus   Transition to confined nsplugin domains from unconfined user
nfs_export_all_ro              -> ein   Allow any files/directories to be exported read/only via NFS.
cron_can_relabel               -> aus   Allow system cron jobs to relabel filesystem for restoring file contexts.
sftpd_anon_write               -> aus   Allow anon internal-sftp to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t.
git_system_use_cifs            -> aus   Allow Git daemon system to access cifs file systems.

If the semanage program is not available on your system, you only need to install the policycoreutils-python package.

[root@centos6 ~]# yum install policycoreutils-python
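As an added example (not part of the original entry), the following POSIX shell script parses the text layout shown above and audits a few booleans against a baseline of expected states; the sample listing and the baseline are constructed for illustration, and the `LC_ALL=C` call at the end is what you would run on a real host so that the state column reads on/off instead of the localized ein/aus.

```shell
#!/bin/sh
# Audit SELinux boolean states against a baseline, working from the text that
# `semanage boolean -l` prints. Hypothetical sample listing, constructed here in
# the same layout as the page's CentOS 6 output (German locale: ein = on, aus = off).
SAMPLE_OUTPUT='SELinux Boolesche Variablen              Beschreibung

allow_execheap                 -> aus   Allow unconfined executables to make their heap memory executable.
allow_execstack                -> ein   Allow unconfined executables to make their stack executable.
httpd_can_network_connect      -> aus   Allow HTTPD scripts and modules to connect to the network using TCP.
allow_ptrace                   -> aus   Allow sysadm to debug or ptrace all processes.
ftp_home_dir                   -> ein   Allow ftp to read and write files in the user home directories'

# Constructed baseline (name=expected state) for booleans that widen what a
# confined or unconfined domain may do; adjust it to your own policy.
BASELINE='allow_execheap=off
allow_execstack=off
allow_execmem=off
httpd_can_network_connect=off
allow_ptrace=off
ftp_home_dir=off'

# Read `semanage boolean -l` text on stdin and print "name state" pairs,
# normalising the localized state word (ein/aus or on/off) to on/off.
parse_booleans() {
    awk '$2 == "->" {
        state = $3
        if (state == "ein" || state == "on") state = "on"
        else if (state == "aus" || state == "off") state = "off"
        else next
        print $1, state
    }'
}

# Compare a listing against the baseline. Prints "name actual expected" for
# every boolean whose state differs and returns 1 if any deviation was found.
audit_booleans() {
    listing="$1"
    baseline="$2"
    deviations=$(printf '%s\n' "$listing" | parse_booleans | while read -r name state; do
        expected=$(printf '%s\n' "$baseline" | awk -F= -v n="$name" '$1 == n { print $2 }')
        if [ -n "$expected" ] && [ "$expected" != "$state" ]; then
            printf '%s %s %s\n' "$name" "$state" "$expected"
        fi
    done)
    if [ -n "$deviations" ]; then
        printf '%s\n' "$deviations"
        return 1
    fi
    return 0
}

# On a real host, use LC_ALL=C so the state words are on/off regardless of locale:
#   audit_booleans "$(LC_ALL=C semanage boolean -l)" "$BASELINE"
```

Booleans present in the baseline but absent from the listing are not reported; extend the loop if your baseline must also catch renamed or missing booleans.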


This entry was created on 16.09.2011 and last edited on 08.01.2014.

Direct link to this page: http://www.gtkdb.de/index_33_1372.html




© 2004-2018 by Georg Kainzbauer