如何禁用systemd脚本的SELINUX?

我在CentOS 7中有一个systemd脚本,除非我禁用SELINUX,否则无法正常运行。 是否有可能以某种方式在系统上启用SELINUX,但仅对此systemd脚本禁用它?

systemd脚本:

[Unit] Description=Tractor Blade Service Wants=network.target network-online.target autofs.service After=network.target network-online.target autofs.service RequiresMountsFor=/101.102.103.104/pipeline/ [Service] Type=simple User=IRUser ExecStart=/opt/pixar/Tractor-2.1/bin/tractor-blade --debug --log /101.102.103.104/pipeline/logs/tractor/tractor-blade-%H.log --engine=111.222.333.444 --supersede --pidfile=/var/run/tractor-blade.pid [Install] WantedBy=multi-user.target 

您可以运行该进程作为非限制,因此它将具有与禁用SELinux相同的权限。

 # This will setup the executable to be unconfined. Temporarily chcon -t unconfined_exec_t /opt/pixar/Tractor-2.1/bin/tractor-blade # This command will make that permanent semanage fcontext -a -t unconfined_exec_t /opt/pixar/Tractor-2.1/bin/tractor-blade 

您可以在Red Hat文档中阅读有关无限制进程的更多信息: https : //access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Targeted_Policy-Unconfined_Processes.html

尝试使用semanage fcontext命令

semanage fcontext -a -t <YourLabel> -ff <YourPath>应该可以工作。

-a =为fcontext对象types添加一条logging

-t =对象的SELinuxtypes

-f =文件types

Security-Enhanced_Linux-Systemd_Access_Control( https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/chap-Security-Enhanced_Linux-Systemd_Access_Control.html

你也可以更新selinux状态为宽容
setenforce 0
getenforcesestatus