How is SELinux not enabled?

On Ubuntu 20.10:

  • disabled AppArmor
  • installed selinux*
  • selinux-activate
  • enforcing in /etc/selinux/config
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    # enforcing - SELinux security policy is enforced.
    # permissive - SELinux prints warnings instead of enforcing.
    # disabled - No SELinux policy is loaded.
    SELINUX=enforcing
    # SELINUXTYPE= can take one of these two values:
    # default - equivalent to the old strict and targeted policies
    # mls     - Multi-Level Security (for military and educational use)
    # src     - Custom policy built from source
    SELINUXTYPE=default
    
    # SETLOCALDEFS= Check local definition changes
    SETLOCALDEFS=0

Reboot

    brad@zika:/home/brad# sudo seinfo
    Statistics for policy file: /etc/selinux/default/policy/policy.32
    Policy Version:             32 (MLS enabled)
    Target Policy:              selinux
    Handle unknown classes:     allow
      Classes:             131    Permissions:         423
      Sensitivities:         1    Categories:         1024
      Types:              3943    Attributes:          212
      Users:                 7    Roles:                15
      Booleans:            300    Cond. Expr.:         331
      Allow:            102134    Neverallow:            0
      Auditallow:           22    Dontaudit:         16881
      Type_trans:         8877    Type_change:         123
      Type_member:          16    Range_trans:          33
      Role allow:           32    Role_trans:          388
      Constraints:         133    Validatetrans:         0
      MLS Constrain:        57    MLS Val. Tran:         0
      Permissives:           0    Polcap:                5
      Defaults:              0    Typebounds:            0
      Allowxperm:            0    Neverallowxperm:       0
      Auditallowxperm:       0    Dontauditxperm:        0
      Ibendportcon:          0    Ibpkeycon:             0
      Initial SIDs:         27    Fs_use:               26
      Genfscon:             92    Portcon:             475
      Netifcon:              0    Nodecon:               0

But the check-selinux-installation output reports 2 directories missing:

    check-selinux-installation
    getfilecon:  getfilecon(/proc/1) failed
    SELinux is not enabled.
    Could not read the domain of PID 1.
    The directories /sys/fs/selinux and /selinux are missing.
    Postfix init script is syncing the chroots.
    Postfix has chrooted service in master.cf

/etc/default/grub:

    GRUB_CMDLINE_LINUX=" security=selinux"

and

    update-grub

I did not notice a relabel at boot, and getenforce reports Disabled. What am I doing wrong?

Update: SELinux suddenly became active and is working fine in permissive mode.
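
A diagnostic for the situation in the question, added here as an example and not part of the original post: it checks the three places the steps above touch (the SELINUX= setting in /etc/selinux/config, the kernel command line as configured in /etc/default/grub versus the one the running kernel was booted with, and the /sys/fs/selinux mount that check-selinux-installation reported missing). The function names, the optional root-directory argument and the SELINUX_CHECK_ROOT variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). ROOT lets the checks run against
# a copied file tree; that parameter and the function names are assumptions.

# Last SELINUX= value in the config file, or "unset".
config_mode() {
    m=$(sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1)
    echo "${m:-unset}"
}

# Succeeds if a kernel parameter string selects SELinux (security=selinux or
# lsm=...selinux...) and does not turn it off with selinux=0.
selects_selinux() {
    found=1
    for w in $1; do
        case $w in
            selinux=0) return 1 ;;
            security=selinux|lsm=*selinux*) found=0 ;;
        esac
    done
    return $found
}

# Walk config -> boot parameters -> selinuxfs; return 0 only if all are in place.
selinux_boot_check() {
    root=${1:-}; rc=0
    mode=$(config_mode "$root/etc/selinux/config")
    echo "config: SELINUX=$mode"
    case $mode in enforcing|permissive) ;; *) rc=1 ;; esac

    grub=$(sed -n 's/^GRUB_CMDLINE_LINUX\(_DEFAULT\)\{0,1\}=//p' \
        "$root/etc/default/grub" 2>/dev/null | tr -d "\"'")
    running=$(cat "$root/proc/cmdline" 2>/dev/null)
    if selects_selinux "$running"; then
        echo "kernel: running command line selects SELinux"
    elif selects_selinux "$grub"; then
        echo "kernel: set in /etc/default/grub but absent from /proc/cmdline"
        rc=1
    else
        echo "kernel: security=selinux not configured"
        rc=1
    fi

    if [ -r "$root/sys/fs/selinux/enforce" ]; then
        echo "selinuxfs: mounted, enforce=$(cat "$root/sys/fs/selinux/enforce")"
    else
        echo "selinuxfs: not mounted at /sys/fs/selinux"
        rc=1
    fi
    return $rc
}

selinux_boot_check "${SELINUX_CHECK_ROOT:-}" || true
```

The "set in /etc/default/grub but absent from /proc/cmdline" result means the running kernel was booted without the parameter, for example because update-grub or the reboot has not happened yet.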
