
greatwall@greatwall-KVM-Virtual-Machine:~/cproj$ gcc a.c
greatwall@greatwall-KVM-Virtual-Machine:~/cproj$ ll
总用量 24
drwxrwxr-x  2 greatwall greatwall 4096 6月   9 14:49 ./
drwx------ 26 greatwall greatwall 4096 6月   9 14:39 ../
-rw-rw-r--  1 greatwall greatwall   55 6月   9 14:38 a.c
-rwxrwxr-x  1 greatwall greatwall 9488 6月   9 14:49 a.out*



greatwall@greatwall-KVM-Virtual-Machine:~/cproj$ ./a.out
bash: ./a.out: 权限不够


greatwall@greatwall-KVM-Virtual-Machine:~/cproj$ sudo setstatus Softmode
[sudo] greatwall 的密码:
greatwall@greatwall-KVM-Virtual-Machine:~/cproj$ getstatus 
KySec status: Softmode
exec control: on
file protect: on
kmod protect: on
three admin : off
greatwall@greatwall-KVM-Virtual-Machine:~/cproj$ ./a.out


greatwall@greatwall-KVM-Virtual-Machine:~/cproj$ sudo kysec_set -n exectl -v trusted ./a.out
[sudo] greatwall 的密码:
greatwall@greatwall-KVM-Virtual-Machine:~/cproj$ ./a.out

1. 方案一适合用在开发环境,可有效避免编译生成的各类文件不可执行故障

2. 方案二适合Normal模式下,安装软件后为软件制定可执行权限

kysec_set man手册

kysec_set(8)              System Manager's Manual              kysec_set(8)
       kysec_set - set kysec label for specfied path(s)
       kysec_set [ -n part ] [ -r ] -v value path1 ..
       kysec_set  set  the kysec label of specified files or directories to
       value.  Kysec label is composed of three parts: identify part,  pro‐
       tect part and exectl part.
       when  not used with -n option, kysec label should be in such format:
       "identify:protect:exectl". Set the new value to 'none' to clear  the
       corresponding part of kysec label.
       for identify part, these values are valid:
           secadm          commands for secadm
           audadm          commands for auditadm
       for exectl part, these values are valid:
           unknown              unknown files
           original             original system files
           verified             verified 3rd party files
           kysoft               software installer
           trusted              trusted files
       for protect part, only readonly is valid.
       -n          set  specified part of kysec labels. part can be exectl,
              userid or protect.
       -r          process labels recursively, only usable for directories.
       -v          the new label value
       getstatus(8), setstatus(8), kysec_get(8)
