chcon命令：修改對象（文件）的安全上下文。比如：用戶：角色：類型：安全級別。

命令格式：

   Chcon [OPTIONS…] CONTEXT FILES…..

   Chcon [OPTIONS…] –reference=PEF_FILES FILES…

說明：

    CONTEXT 為要設(shè)置的安全上下文

    FILES 對象（文件）

    --reference 參照的對象

    PEF_FILES 參照文件上下文

    FILES      應(yīng)用參照文件上下文為我的上下文。

    OPTIONS 如下：

        -f          強(qiáng)迫執(zhí)行

        -R         遞歸地修改對象的安全上下文

        -r ROLE    修改安全上下文角色的配置

        -t TYPE    修改安全上下文類型的配置

        -u USER   修改安全上下文用戶的配置

        -v         顯示冗長的信息

         -l, --range=RANGE    修改安全上下文中的安全級別

范例：

1、ftp

//If you want to share files anonymously <如果你想把這個共享給匿名的話，需要開啟以下>

chcon -R -t public_content_t /var/ftp

//If you want to setup a directory where you can upload files

＜如果你想讓你設(shè)置的FTP目錄可以上傳文件的話，SELINUX需要設(shè)置＞

chcon -t public_content_rw_t /var/ftp/incoming

//You must also turn on the boolean allow_ftpd_anon_write <允許匿名用戶寫入權(quán)限＞

setsebool -P allow_ftpd_anon_write=1

//If you are setting up this machine as a ftpd server and wish to allow users to access their home directorories<如果你希望你的FTP用戶可以訪問自己的家目錄的話，需要開啟>

setsebool -P ftp_home_dir 1

//If you want to run ftpd as a daemon<如果你希望將vsftpd以daemon的方式運(yùn)行的話，需要開啟>

setsebool -P ftpd_is_daemon 1

//You can disable SELinux protection for the ftpd daemon<你可以讓SElinux停止保護(hù)vsftpd的daemon方式動行>

setsebool -P ftpd_disable_trans 1

 2、httpd

//If you want a particular domain to write to the public_content_rw_t domain

<如果希望具體個doman具有可寫權(quán)限的話，需要設(shè)置>

setsebool -P allow_httpd_anon_write=1

or

setsebool -P allow_httpd_sys__anon_write=1

//httpd can be setup to allow cgi s to be executed <HTTP被設(shè)置允許cgi的設(shè)置>

setsebool -P httpd_enable_cgi 1

//If you want to allow access to users home directories<允許用戶HHTP訪問其家目錄，該設(shè)定限僅于用戶的家目錄主頁>

setsebool -P httpd_enable_homedirs 1

chcon -R -t httpd_sys_content_t ~user/public_html

//httpd is allowed access to the controling terminal<允許httpd訪問終端＞

setsebool -P httpd_tty_comm 1

//such that one httpd service can not interfere with another

setsebool -P httpd_unified 0

//loadable modules run under the same context as httpd

setsebool -P httpd_builtin_ing 0

//httpd s are allowed to connect out to the network

setsebool -P httpd_can_network_connect 1

// You can disable suexec transition

setsebool -P httpd_suexec_disable_trans 1

//You can disable SELinux protection for the httpd daemon by executing <關(guān)閉Selinux的關(guān)于httpd進(jìn)程守護(hù)的保護(hù)>

setsebool -P httpd_disable_trans 1

service httpd restart

3、named

//If you want to have named update the master zone files <關(guān)于named,master更新selinux設(shè)定>

setsebool -P named_write_master_zones 1

//You can disable SELinux protection for the named daemon by executing

<關(guān)閉named的進(jìn)程守護(hù)保護(hù)>

setsebool -P named_disable_trans 1

service named restart

4、nfs

//If you want to setup this machine to share nfs partitions read only

<Selinux將本機(jī)的NFS共享設(shè)置成只讀>

setsebool -P nfs_export_all_ro 1

//If you want to share files read/write<Selinux將本機(jī)的NFS共享設(shè)置成可讀可寫>

setsebool -P nfs_export_all_rw 1

//If you want to use a remote NFS server for the home directories on this machine

＜如果你想要將遠(yuǎn)程NFS的家目錄共享到本機(jī)，需要開啟>

setsebool -P use_nfs_home_dirs 1

5、samba

//If you want to share files other than home directorie

<如果你希望將目錄共享給其他用戶，你需要設(shè)置>

chcon -t samba_share_t /directory

//If you want to share files with multiple domains

如果samba服務(wù)器共享目錄給多個域，則需要：

setsebool -P allow_smbd_anon_write=1

//If you are setting up this machine as a Samba server and wish to share the home directories

samba服務(wù)器要共享家目錄時：

setsebool -P samba_enable_home_dirs 1

//If you want to use a remote Samba server for the home directories on this machine

如果你需在本機(jī)上使用遠(yuǎn)程samba服務(wù)器的家目錄

setsebool -P use_samba_home_dirs 1

//You can disable SELinux protection for the samba daemon by executing

關(guān)閉selinux關(guān)于samba的進(jìn)程守護(hù)的保護(hù)

setsebool -P smbd_disable_trans 1

service smb restart

6、rsync

//If you want to share files using the rsync daemon

共享rsync目錄時：

chcon -t public_content_t /directories

//If you want to share files with multiple domains

允許其他用戶寫入時

setsebool -P allow_rsync_anon_write=1

//You can disable SELinux protection for the rsync daemon by executing

停止rsync的進(jìn)程保護(hù)

setsebool -P rsync_disable_trans 1

7、kerberos

//allow your system to work properly in a Kerberos environment

允許系統(tǒng)使用kerberos

setsebool -P allow_kerberos 1

//If you are running Kerberos daemons kadmind or krb5kdc

setsebool -P krb5kdc_disable_trans 1

service krb5kdc restart

setsebool -P kadmind_disable_trans 1

service kadmind restart

8、nis

Allow your system to work properly in a NIS environment

系統(tǒng)工作在nis環(huán)境時

setsebool -P allow_ypbind 1

[出處: http://www.tjdsmy.cn/lin_jianying/blog/static/1309355862012149519935/]