Management of SELinux
### Viewing and changing the security context ###
vim /etc/sysconfig/selinux ## persistent mode setting (SELINUX=enforcing|permissive|disabled), applied at the next boot; setenforce below changes the mode at runtime only
[root@localhost ~]# systemctl status vsftpd ## check the state of the vsftpd service
vsftpd.service - Vsftpd ftp daemon
   Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; disabled)
   Active: inactive (dead)
[root@localhost ~]# systemctl start vsftpd
[root@localhost ~]# systemctl stop firewalld ## the firewall is stopped only to keep the test simple; on a real host leave it running and open just the service (firewall-cmd --permanent --add-service=ftp)
[root@localhost ~]# systemctl enable vsftpd
ln -s '/usr/lib/systemd/system/vsftpd.service' '/etc/systemd/system/multi-user.target.wants/vsftpd.service'
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# semanage fcontext -l | grep westos ## look up the file-context rule for /westos (there is none yet, so nothing is printed)
[root@localhost ~]# semanage fcontext -l | grep var/ftp ## look up the rules for /var/ftp, the default public_content_t tree
/var/ftp(/.*)?                         all files      system_u:object_r:public_content_t:s0
/var/ftp/bin(/.*)?                     all files      system_u:object_r:bin_t:s0
/var/ftp/etc(/.*)?                     all files      system_u:object_r:etc_t:s0
/var/ftp/lib(/.*)?                     all files      system_u:object_r:lib_t:s0
/var/ftp/lib/ld[^/]*\.so(\.[^/]*)*     regular file   system_u:object_r:ld_so_t:s0
[root@localhost ~]# semanage fcontext -a -t public_content_t '/westos(/.*)?' ## add a rule for /westos (-a add, -t the type); the regex covers the directory and everything under it. This only records the rule: nothing on disk is relabeled until restorecon runs
[root@localhost ~]# semanage fcontext -l | grep var/ftp ## the /var/ftp rules are unchanged; the new rule only appears under grep westos (see below)
/var/ftp(/.*)?                         all files      system_u:object_r:public_content_t:s0
/var/ftp/bin(/.*)?                     all files      system_u:object_r:bin_t:s0
/var/ftp/etc(/.*)?                     all files      system_u:object_r:etc_t:s0
/var/ftp/lib(/.*)?                     all files      system_u:object_r:lib_t:s0
/var/ftp/lib/ld[^/]*\.so(\.[^/]*)*     regular file   system_u:object_r:ld_so_t:s0
[root@localhost ~]# ls -Zd /westos/ ## check the directory's context
ls: cannot access /westos/: No such file or directory
[root@localhost ~]# mkdir /westos
[root@localhost ~]# touch /westos/file{1..3}
[root@localhost ~]# ls /westos/
file1  file2  file3
[root@localhost ~]# ls -Zd /westos
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /westos/
(mkdir labels the new directory from its parent and the creating process, not from the fcontext rules, so /westos gets default_t and has to be relabeled)
[root@localhost ~]# restorecon -RvvF /westos/ ## relabel from the rules: -R recursive, -v verbose, -F also reset the user/role part, not just the type
restorecon reset /westos context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/file2 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/file3 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
[root@localhost ~]# ls -Zd /westos/ ## check again: the type is now public_content_t
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /westos/
Test:
[root@localhost ~]# lftp 172.25.254.113
lftp 172.25.254.113:~> ls
drwxr-xr-x    2 0        0    Apr 09:15 pub
lftp 172.25.254.113:/> exit
[root@localhost ~]# vim /etc/vsftpd/vsftpd.conf ## add anon_root=/westos so the anonymous user's root directory becomes /westos
[root@localhost ~]# systemctl restart vsftpd.service ## restart so the new configuration is read
[root@localhost ~]# ps auxZ | grep vsftpd ## process context: vsftpd runs in the ftpd_t domain
system_u:system_r:ftpd_t:s0-s0:c0.c1023 root 2770 0.0 0.0 52756 560 ? Ss 21:35 0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2780 0.0 0.0 112640 936 pts/1 S+ 21:36 0:00 grep --color=auto vsftpd
[root@localhost ~]# ls -Zd /westos/ ## file context
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /westos/
Anonymous user connection test
[root@localhost ~]# lftp 172.25.254.113
lftp 172.25.254.113:~> ls
-rw-r--r--    1 0        0        0 Apr 01:32 file1
-rw-r--r--    1 0        0        0 Apr 01:32 file2
-rw-r--r--    1 0        0        0 Apr 01:32 file3
lftp 172.25.254.113:/> quit
[root@localhost ~]# ls -Z /westos/ ## check again: the files under /westos carry the new label too
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file1
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file2
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file3
[root@localhost ~]# semanage fcontext -l | grep westos ## the rule is listed now
/westos(/.*)?                          all files      system_u:object_r:public_content_t:s0
Note that public_content_t lets ftpd_t (and the other file-serving domains) read the tree but not write to it; anonymous upload would need the tree labeled public_content_rw_t plus the ftpd_anon_write boolean, which the list further down shows is off.
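The labeling steps above boil down to one question: does each file's on-disk type still match what the fcontext rules say? The script below is an added example, not code from the original post. It parses `ls -Z`-style lines against the rules shown on this page and reports the drift (the state /westos was in between mkdir and restorecon). The rule table, the sample listing and the "last matching rule wins" ordering are assumptions made here; on a live host the same answer comes from `restorecon -Rnv /westos` or `matchpathcon -V /westos/*`.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): offline check for label drift,
# i.e. files whose on-disk type differs from the semanage fcontext rules.
# Live equivalent: restorecon -Rnv /westos   or   matchpathcon -V /westos/*
set -eu

# fcontext rules as listed on this page, in generic-before-specific order.
# Assumption made here: the last rule whose anchored regex matches wins.
FCONTEXT_RULES='
/var/ftp(/.*)? public_content_t
/var/ftp/bin(/.*)? bin_t
/var/ftp/etc(/.*)? etc_t
/var/ftp/lib(/.*)? lib_t
/var/ftp/lib/ld[^/]*\.so(\.[^/]*)* ld_so_t
/westos(/.*)? public_content_t
'

# Type component of a context user:role:type[:level]
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Expected type for a path, or an empty string when no rule covers it
expected_type() {
  local path=$1 want="" re ty
  while read -r re ty; do
    if [ -z "$re" ]; then continue; fi
    if printf '%s\n' "$path" | grep -Eq "^${re}\$"; then want=$ty; fi
  done <<EOF
$FCONTEXT_RULES
EOF
  printf '%s\n' "$want"
}

# stdin: ls -Z style lines (mode user group context path)
# stdout: "path actual -> expected" per mismatch; exit 1 if any drift was found
drift_report() {
  local drift=0 _mode _u _g ctx path actual want
  while read -r _mode _u _g ctx path; do
    if [ -z "$ctx" ]; then continue; fi
    path=${path%/}                        # ls -Zd /westos/ prints a trailing slash
    actual=$(ctx_type "$ctx")
    want=$(expected_type "$path")
    if [ -z "$want" ]; then continue; fi  # no rule: nothing to compare against
    if [ "$actual" != "$want" ]; then
      printf '%s %s -> %s\n' "$path" "$actual" "$want"
      drift=1
    fi
  done
  return "$drift"
}

# Constructed listing reproducing this page's state right after mkdir/touch:
# the /var/ftp tree is correct, /westos still carries default_t
SAMPLE_LISTING='drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /westos/
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 /westos/file1
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /var/ftp/
drwxr-xr-x. root root system_u:object_r:bin_t:s0 /var/ftp/bin/
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /var/ftp/pub/'

audit_sample() { printf '%s\n' "$SAMPLE_LISTING" | drift_report; }

# Stand-alone run; on a live host: ls -Z /westos/* | drift_report
audit_sample || printf 'label drift found; relabel with: restorecon -RvF /westos\n'
```

The report only flags the type field, because that is what the `-t` rule controls; the user part (unconfined_u vs system_u) is what `restorecon -F` additionally resets.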
### Can files be uploaded in each SELinux mode? ###
[root@localhost ~]# id student
uid=1000(student) gid=1000(student) groups=1000(student),10(wheel)
[root@localhost ~]# lftp -u student 172.25.254.113 ## log in as a local user
Password:
lftp student@172.25.254.113:~> ls
lftp student@172.25.254.113:~> put /etc/passwd ## upload a file
put: Access failed: 553 Could not create file. (passwd) ## refused. student owns the home directory, so this is not a DAC permission problem but an SELinux denial: ftpd_t may not write into the home directory
lftp student@172.25.254.113:~> exit
[root@localhost ~]# setenforce 0 ## switch to permissive mode: denials are logged but no longer enforced
[root@localhost ~]# getenforce ## check the mode
Permissive
[root@localhost ~]# lftp -u student 172.25.254.113 ## log in again
Password:
lftp student@172.25.254.113:~> ls
lftp student@172.25.254.113:~> put /etc/passwd
2048 bytes transferred ## the upload succeeds
lftp student@172.25.254.113:~> ls
-rw-r--r--    1 2048 Apr 02:07 passwd
lftp student@172.25.254.113:~> exit
Permissive mode switches enforcement off for every domain on the host, not just vsftpd, so use it as a short diagnosis step at most and go back to enforcing afterwards; the AVC record that SELinux writes to /var/log/audit/audit.log for the denial already tells you which type pair and permission were refused.
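Instead of flipping the whole host to permissive to confirm that SELinux is the cause, read the denial itself. The script below is an added example, not code from the original post: it reduces audit.log AVC records to source type, target type, object class and permission, then maps the pairs this page runs into onto the booleans from the `getsebool -a | grep ftp` list. The audit lines are constructed here in the real AVC record layout (pids, inodes, timestamps and event ids are made up), and the hint table is limited to the ftpd_t cases on this page.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): reduce AVC denials to
# "srctype tgttype tclass perms" and map the pairs seen on this page to a fix.
# This is the step to take instead of (or before) setenforce 0.
set -eu

# Constructed audit.log records modelled on this page's failed upload as student
SAMPLE_AVC='type=AVC msg=audit(1491264420.101:2231): avc:  denied  { write } for  pid=2770 comm="vsftpd" name="student" dev="dm-0" ino=1050 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1491264420.102:2232): avc:  denied  { create } for  pid=2770 comm="vsftpd" name="passwd" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1491264420.102:2232): arch=c000003e syscall=2 success=no exit=-13 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023
type=AVC msg=audit(1491264420.500:2240): avc:  denied  { write } for  pid=2770 comm="vsftpd" name="westos" dev="dm-0" ino=2001 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_t:s0 tclass=dir'

# Type component of a context user:role:type[:level]
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# stdin: raw audit records; stdout: "srctype tgttype tclass perms", one line per
# distinct denial (SYSCALL and other record types are dropped)
avc_summary() {
  grep 'avc:  denied' \
  | sed -E 's/.*\{ ([^}]*)\}.*scontext=([^ ]+) tcontext=([^ ]+) tclass=([a-z_]+).*/\2 \3 \4 \1/' \
  | while read -r sctx tctx tclass perms; do
      printf '%s %s %s %s\n' "$(ctx_type "$sctx")" "$(ctx_type "$tctx")" "$tclass" "$perms"
    done \
  | LC_ALL=C sort -u
}

# Map the source/target pairs seen on this page to the boolean or relabel that
# governs them; anything else is handed to audit2allow for a policy lookup
boolean_hint() {
  case "$1:$2" in
    ftpd_t:user_home_dir_t|ftpd_t:user_home_t)
      echo "setsebool -P ftp_home_dir 1" ;;
    ftpd_t:public_content_t)
      echo "relabel the tree public_content_rw_t and setsebool -P ftpd_anon_write 1" ;;
    *)
      echo "no boolean known here; inspect with: ausearch -m avc -ts recent | audit2allow" ;;
  esac
}

# stdin: raw audit records; stdout: one triage line per distinct denial
triage() {
  avc_summary | while read -r s t c p; do
    printf '%s -> %s (%s: %s): %s\n' "$s" "$t" "$c" "$p" "$(boolean_hint "$s" "$t")"
  done
}

# Stand-alone run over the constructed sample; on a live host:
#   ausearch -m avc -ts recent | triage
printf '%s\n' "$SAMPLE_AVC" | triage
```

The two home-directory denials collapse onto the single boolean the page turns on next, which is the check to run before reaching for `ftpd_full_access`: that boolean would hand ftpd_t every file the DAC permissions allow, far more than the upload needs.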
[root@localhost ~]# getsebool -a | grep ftp ## list the ftp-related booleans: switches that exist in the policy but default to off
ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@localhost ~]# setsebool -P ftp_home_dir 1 ## turn the boolean on (1 on, 0 off); -P writes it into the policy so it survives a reboot, without -P it lasts only until the next boot
[root@localhost ~]# getsebool -a | grep ftp ## check the ftp booleans again
ftp_home_dir --> on ## now on, compared with the previous listing
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@localhost ~]# setenforce 1 ## back to enforcing mode
[root@localhost ~]# getenforce
Enforcing
Test again:
[root@localhost ~]# lftp -u student 172.25.254.113
Password:
lftp student@172.25.254.113:~> put /etc/passwd
2048 bytes transferred ## with ftp_home_dir on, the upload also succeeds in enforcing mode
lftp student@172.25.254.113:~> ls
-rw-r--r--    1 2048 Apr 02:10 passwd
lftp student@172.25.254.113:~> exit
This article is from the "aely Wood" blog; please keep this source: http://12768057.blog.51cto.com/12758057/1921088
Linux 2 unit10 SELinux