Linux 2 unit10 SELinux

Source: Internet
Author: User

Management of SELinux

### Viewing and changing security contexts ###

vim /etc/sysconfig/selinux ## change the SELinux mode persistently (SELINUX=enforcing|permissive|disabled); this file is only read at boot, so unlike setenforce it takes effect after a reboot

[root@server ~]# systemctl status vsftpd ## check the state of the vsftpd service
vsftpd.service - Vsftpd ftp daemon
   Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; disabled)
   Active: inactive (dead)
[root@server ~]# systemctl start vsftpd
[root@server ~]# systemctl stop firewalld ## stopped here only so the lab test is not affected by packet filtering; on a real host keep firewalld running and open FTP with firewall-cmd --permanent --add-service=ftp instead
[root@server ~]# systemctl enable vsftpd
ln -s '/usr/lib/systemd/system/vsftpd.service' '/etc/systemd/system/multi-user.target.wants/vsftpd.service'
[root@server ~]# getenforce ## current SELinux mode
Enforcing

[root@server ~]# semanage fcontext -l | grep westos ## look for a file-context rule covering /westos (there is none yet, so nothing is printed)
[root@server ~]# semanage fcontext -l | grep var/ftp ## compare with the rules the policy ships for /var/ftp
/var/ftp(/.*)?                                     all files          system_u:object_r:public_content_t:s0
/var/ftp/bin(/.*)?                                 all files          system_u:object_r:bin_t:s0
/var/ftp/etc(/.*)?                                 all files          system_u:object_r:etc_t:s0
/var/ftp/lib(/.*)?                                 all files          system_u:object_r:lib_t:s0
/var/ftp/lib/ld[^/]*\.so(\.[^/]*)*                 regular file       system_u:object_r:ld_so_t:s0
[root@server ~]# semanage fcontext -a -t public_content_t '/westos(/.*)?' ## add a rule for /westos (-a adds a rule, -t names the type); the regex covers the directory itself and everything below it

[root@server ~]# semanage fcontext -l | grep var/ftp ## -l lists the rules; the /var/ftp output is identical to the listing above, adding a /westos rule does not touch them

[root@server ~]# ls -Zd /westos/ ## check the context: the rule exists, but the directory itself does not yet
ls: cannot access /westos/: No such file or directory
[root@server ~]# mkdir /westos
[root@server ~]# touch /westos/file{1..3}
[root@server ~]# ls /westos/
file1 file2 file3
[root@server ~]# ls -Zd /westos ## check the context again
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /westos/
## The directory got default_t, not public_content_t: semanage fcontext only records a rule in the policy store, while the kernel labels a new file from its parent directory and the policy's transition rules. The rule is applied to existing files by restorecon.
[root@server ~]# restorecon -RvvF /westos/ ## relabel the tree from the file-context rules (-R recursive, -v verbose, -F force even if the user part differs)
restorecon reset /westos context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/file2 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/file3 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
[root@server ~]# ls -Zd /westos/ ## check the context once more to confirm the change took effect
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /westos/

Test (anonymous login still lands in the default /var/ftp, which only contains pub):
[root@server ~]# lftp 172.25.254.113
lftp 172.25.254.113:~> ls
drwxr-xr-x    2 0        0            Apr 09:15 pub
lftp 172.25.254.113:/> exit

[root@server ~]# vim /etc/vsftpd/vsftpd.conf ## add anon_root=/westos so the anonymous user's root directory becomes /westos
[root@server ~]# systemctl restart vsftpd.service ## restart so the new configuration is read
[root@server ~]# ps auxZ | grep vsftpd ## view the security context of the running process
system_u:system_r:ftpd_t:s0-s0:c0.c1023 root 2770 0.0 0.0 52756 560 ? Ss 21:35 0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2780 0.0 0.0 112640 936 pts/1 S+ 21:36 0:00 grep --color=auto vsftpd
## vsftpd runs in the ftpd_t domain; the policy allows ftpd_t to read files of type public_content_t, which is why the /westos label matters
[root@server ~]# ls -Zd /westos/ ## view the security context of the directory
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /westos/

Anonymous user connection test:
[root@server ~]# lftp 172.25.254.113
lftp 172.25.254.113:~> ls
-rw-r--r--    1 0        0            0 Apr 01:32 file1
-rw-r--r--    1 0        0            0 Apr 01:32 file2
-rw-r--r--    1 0        0            0 Apr 01:32 file3
lftp 172.25.254.113:/> quit
[root@server ~]# ls -Z /westos/ ## check again: the files under /westos carry the new type
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file1
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file2
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file3
[root@server ~]# semanage fcontext -l | grep westos ## the rule added earlier is now listed
/westos(/.*)?                                      all files          system_u:object_r:public_content_t:s0
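As an added example (not from the original post), the shell functions below turn the "relabel, then check with ls -Z" step above into a repeatable check: they read ls -Z output and list every entry whose type is not the one the fcontext rule assigns, returning a non-zero status so a deployment script can stop before the FTP test. The listing is read on stdin so the code can be tried offline against a constructed sample; the five-field ls -Z layout it parses (mode, owner, group, context, name) is the RHEL 7 format shown on this page, and the sample lines and function names are the example's own assumptions.

```shell
# Added example: detect files whose SELinux type does not match the
# type a fcontext rule assigns. Not part of the original post.
# Live use:  ls -Z /westos | context_mismatches public_content_t
# Dry run of the fix itself (lists changes without applying them):
#            restorecon -Rnv /westos

# Constructed sample input (not captured from a host): the /westos
# listing before and after restorecon, in the RHEL 7 "ls -Z" layout
# "mode owner group context name".
SAMPLE_BEFORE='-rw-r--r--. root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 file3'

SAMPLE_AFTER='-rw-r--r--. root root system_u:object_r:public_content_t:s0 file1
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file2
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file3'

# context_type CONTEXT: print the type field of a context string.
# A context is user:role:type:level; the MLS level may itself contain
# colons (s0-s0:c0.c1023), so take exactly the third field.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# context_mismatches EXPECTED_TYPE: read "ls -Z" lines on stdin and print
# "<name> <actual_type>" for every entry whose type is not EXPECTED_TYPE.
# Exit status 0 when every entry matches, 1 when at least one does not.
context_mismatches() {
    expected=$1
    rc=0
    while read -r mode owner group ctx name; do
        [ -n "$ctx" ] || continue            # skip blank lines
        actual=$(context_type "$ctx")
        if [ "$actual" != "$expected" ]; then
            printf '%s %s\n' "$name" "$actual"
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_BEFORE" | context_mismatches public_content_t \
    && echo "before restorecon: every entry carries the expected type" \
    || echo "before restorecon: the entries above still need relabelling"
printf '%s\n' "$SAMPLE_AFTER" | context_mismatches public_content_t \
    && echo "after restorecon: every entry carries the expected type"
```

On a live host, run the check after restorecon and again whenever content is copied in with cp or extracted from an archive, since those create new files that inherit the parent's type rather than the rule's; mv keeps the source label, which this check also catches.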

### Checking whether uploads work in each SELinux mode ###

[root@server ~]# id student
uid=1000(student) gid=1000(student) groups=1000(student),10(wheel)
[root@server ~]# lftp -u student 172.25.254.113 ## log in as a local user
Password:
lftp student@172.25.254.113:~> ls
lftp student@172.25.254.113:~> put /etc/passwd ## try to upload a file
put: Access failed: 553 Could not create file. (passwd) ## denied: with the ftp_home_dir boolean off, SELinux does not let the ftpd_t domain read or write the user's home directory, which is also why the ls above printed nothing
lftp student@172.25.254.113:~> exit

[root@server ~]# setenforce 0 ## switch to permissive mode: denials are logged but no longer enforced
[root@server ~]# getenforce ## check the mode
Permissive
[root@server ~]# lftp -u student 172.25.254.113 ## log in again
Password:
lftp student@172.25.254.113:~> ls
lftp student@172.25.254.113:~> put /etc/passwd
2048 bytes transferred ## the upload succeeds, but only because nothing is enforced; the denial is still written to /var/log/audit/audit.log, and ausearch -m AVC -ts recent shows exactly which access was refused, which is what tells you which boolean or label to fix instead of leaving the host permissive
lftp student@172.25.254.113:~> ls
-rw-r--r--    1 2048 Apr 02:07 passwd
lftp student@172.25.254.113:~> exit

[root@server ~]# getsebool -a | grep ftp ## list the policy booleans that affect ftp; each one is a switch for an optional piece of policy, and all of them default to off
ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off

[root@server ~]# setsebool -P ftp_home_dir 1 ## turn the switch on (1 = on, 0 = off); -P also writes it into the policy store so it survives a reboot, without -P the change is lost at the next boot
[root@server ~]# getsebool -a | grep ftp ## check the ftp booleans again
ftp_home_dir --> on ## now on, compared with the previous listing; the remaining ftp booleans are unchanged and still off

[root@server ~]# setenforce 1 ## back to enforcing mode
[root@server ~]# getenforce
Enforcing
Test again:
[root@server ~]# lftp -u student 172.25.254.113
Password:
lftp student@172.25.254.113:~> put /etc/passwd
2048 bytes transferred ## with ftp_home_dir on, the upload also succeeds in enforcing mode
lftp student@172.25.254.113:~> ls
-rw-r--r--    1 2048 Apr 02:10 passwd
lftp student@172.25.254.113:~> exit
## The fix is the one boolean that covers the access actually needed, not permissive mode: ftpd_full_access would also make the upload work, but it lets vsftpd read and write every file on the system subject only to DAC permissions, whereas ftp_home_dir only opens the users' home directories.
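As an added example (not from the original post), the shell functions below turn the boolean step above into a repeatable check rather than a one-off setsebool typed by hand: they parse getsebool -a output, report which of a required set of booleans is still off, and print the exact setsebool -P commands needed, so the same check can run before the upload test in enforcing mode. The boolean names are the ones listed on this page; the sample output, the function names and the choice of required set are the example's own assumptions.

```shell
# Added example: compare live SELinux booleans with the ones a service
# needs and emit the commands that would close the gap. Not part of the
# original post.  Live use:  getsebool -a | missing_bools ftp_home_dir

# Constructed sample (not captured from a host), in the "name --> state"
# layout printed by getsebool -a; mirrors the pre-change state on this page.
SAMPLE_GETSEBOOL='ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_full_access --> off
ftpd_use_passive_mode --> off'

# bool_state NAME: print on/off for boolean NAME from getsebool output on
# stdin; prints nothing if the policy has no boolean by that name.
bool_state() {
    awk -v want="$1" '$1 == want && $2 == "-->" { print $3 }'
}

# missing_bools NAME...: read getsebool output on stdin and, for every NAME
# that is off, print the setsebool -P line that would enable it.
# Exit status 0 when nothing is missing, 1 otherwise.  Unknown names are
# reported on stderr rather than silently treated as satisfied, because a
# misspelled boolean would otherwise look "fixed".
missing_bools() {
    input=$(cat)
    rc=0
    for name in "$@"; do
        state=$(printf '%s\n' "$input" | bool_state "$name")
        case "$state" in
            on)  ;;
            off) printf 'setsebool -P %s 1\n' "$name"; rc=1 ;;
            *)   printf 'unknown boolean: %s\n' "$name" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Stand-alone demonstration: the narrow switch this page uses (ftp_home_dir)
# is the required one; ftpd_full_access is deliberately NOT in the required
# set, because it grants vsftpd read/write access to the whole file system.
printf '%s\n' "$SAMPLE_GETSEBOOL" | missing_bools ftp_home_dir \
    && echo "nothing to change" \
    || echo "run the setsebool line(s) above, then re-test in enforcing mode"
```

Keeping the required set in the script makes the least-privilege choice explicit and reviewable: anyone adding ftpd_full_access to it has to justify why the narrower ftp_home_dir (or ftpd_anon_write for an anonymous upload directory) is not enough.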


This article is from the "aely Wood" blog, please make sure to keep this source http://12768057.blog.51cto.com/12758057/1921088
