RHEL6.1 vsftpd SELinux configuration and enable local user upload

Source: Internet
Author: User

Edit /etc/vsftpd/vsftpd.conf and set:

    anonymous_enable=NO
    local_enable=YES

This disables anonymous access and allows local (system) users to log in. Uploads additionally need write_enable=YES. The vsftpd.conf shipped with RHEL 6 already has that line uncommented, but vsftpd's built-in default is NO, so check that it is present; without it no user can upload no matter how SELinux is set up.

============================================================
Add the user to the ftp group and set the Linux permissions

    [root@www ~]# usermod -aG ftp alexscript
    [root@www ~]# groups alexscript
    [root@www ~]# chown -R ftp:ftp /var/ftp/pub/
    [root@www ~]# ls -ld /var/ftp/pub/
    drwxr-xr-x. 6 ftp ftp 4096 14:48 /var/ftp/pub/
    [root@www ~]# chmod -R 775 /var/ftp/pub/
    [root@www ~]# ls -ld /var/ftp/pub/
    drwxrwxr-x. 6 ftp ftp 4096 14:48 /var/ftp/pub/

Mode 775 makes the whole tree group-writable, so every member of the ftp group, not only alexscript, can write there. Keep the group membership as small as the job needs.

============================================================
SELinux settings

The official documentation says: FTP must be allowed to write to a directory before users can upload files via FTP. SELinux allows FTP to write to directories labeled with the public_content_rw_t type. In other words, to allow uploads, give the directory the type public_content_rw_t.

1. View the current type

    [root@localhost ~]# ls -dZ /var/ftp/
    drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /var/ftp/

public_content_t only allows the FTP daemon to read.

2. Change the type

    [root@localhost ~]# semanage fcontext -a -t public_content_rw_t "/var/ftp(/.*)?"
    -bash: semanage: command not found

Problem: the command does not exist. The official documentation says: policycoreutils-python provides utilities such as semanage, audit2allow, audit2why and chcat for operating and managing SELinux. So policycoreutils-python is the package that provides the semanage command.

3. Install policycoreutils-python from the installation DVD

    [root@localhost ~]# mkdir /cdrom
    [root@localhost ~]# mount -o auto /dev/cdrom /cdrom
    mount: block device /dev/sr0 is write-protected, mounting read-only
    [root@localhost ~]# cd /cdrom/Packages
    [root@localhost Packages]# rpm -ivh policycoreutils-python-2.0.83-19.8.el6_0.i686.rpm \
        audit-libs-python-2.1-5.el6.i686.rpm \
        libsemanage-python-2.0.43-4.el6.i686.rpm \
        setools-libs-python-3.3.7-4.el6.i686.rpm \
        setools-libs-3.3.7-4.el6.i686.rpm
    warning: setools-libs-3.3.7-4.el6.i686.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
    Preparing...                ########################################### [100%]
       1:setools-libs           ########################################### [ 20%]
       2:setools-libs-python    ########################################### [ 40%]
       3:libsemanage-python     ########################################### [ 60%]
       4:audit-libs-python      ########################################### [ 80%]
       5:policycoreutils-python ########################################### [100%]

The NOKEY warning means the packages are signed but the Red Hat release key (key ID fd431d51) is not in the RPM keyring, so the signatures were not verified. Import it first (rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release, or the RPM-GPG-KEY-redhat-release file from the DVD) so that rpm can check where the packages came from. On a registered system, yum install policycoreutils-python resolves the same dependencies and checks the signatures for you.

4. Back to step 2: define and apply the label

    [root@localhost Packages]# semanage fcontext -a -t public_content_rw_t "/var/ftp(/.*)?"
    libsemanage.dbase_llist_query: could not query record value (No such file or directory).
    libsemanage.get_home_dirs: alex homedir /var/ftp or its parent directory conflicts with
    a file context already specified in the policy. This usually indicates an incorrectly
    defined system account. If it is a system account please make sure its uid is less than
    500 or its login shell is /sbin/nologin.
    [root@localhost Packages]# restorecon -R -v /var/ftp
    restorecon reset /var/ftp context system_u:object_r:public_content_t:s0->system_u:object_r:public_content_rw_t:s0
    restorecon reset /var/ftp/pub context system_u:object_r:public_content_t:s0->system_u:object_r:public_content_rw_t:s0

The get_home_dirs message is a warning, not a failure of the new rule: a login account (alex) has /var/ftp as its home directory, which collides with the file contexts the policy already defines for that path. restorecon still relabels the tree, as the two "reset" lines show. The warning's own advice applies: if the account is a service account, give it a uid below 500 or the shell /sbin/nologin; otherwise give it a home directory that is not /var/ftp.

Note that "/var/ftp(/.*)?" makes the whole /var/ftp tree writable for the daemon, including the anonymous root. Anonymous logins are disabled here, so that is tolerable, but "/var/ftp/pub(/.*)?" covers exactly the directory that was opened up and is the least-privilege choice.

5. Turn on the Boolean

The official documentation says: the allow_ftpd_anon_write Boolean must be on to allow vsftpd to write to files that are labeled with the public_content_rw_t type. Run the following command as the root user to turn this Boolean on:

    [root@localhost Packages]# setsebool -P allow_ftpd_anon_write on
    libsemanage.get_home_dirs: alex homedir /var/ftp or its parent directory conflicts with
    a file context already specified in the policy. This usually indicates an incorrectly
    defined system account. If it is a system account please make sure its uid is less than
    500 or its login shell is /sbin/nologin.

Despite its name, the Boolean governs writes by the vsftpd process (domain ftpd_t) to public_content_rw_t directories, whichever user is logged in, so local users need it too. -P makes the change persistent across reboots; confirm it with getsebool allow_ftpd_anon_write.

============================================================
Firewall (iptables) settings

If iptables drops everything that the rules do not explicitly allow, FTP usually stops working, because FTP uses two connections (the control connection and, in either active or passive mode, a separate data connection). Opening port 21 alone is not enough.

1. First, load the FTP connection-tracking helpers

    [root@localhost Packages]# cd /etc/sysconfig/
    [root@localhost sysconfig]# vi iptables-config
    # Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
    # are loaded after the firewall rules are applied. Options for the helpers are
    # stored in /etc/modprobe.conf.
    IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"

The original note added the two modules on two separate lines, with the variable name misspelt as IPTABLES_MODELES. The init script sources this file as shell, so a misspelt name sets an unused variable and of two assignments only the last one takes effect; list both modules in one IPTABLES_MODULES line. On the RHEL 6 kernel the modules are named nf_conntrack_ftp and nf_nat_ftp; after the restart, confirm with lsmod that they are loaded. The helper watches the PORT/PASV exchange on the control connection and marks the resulting data connection as RELATED.

2. Then add the rule

    [root@localhost sysconfig]# vi iptables
    ###### vsftpd ######
    -A INPUT -p tcp --dport 21 -j ACCEPT

Place it before the final REJECT rule in the INPUT chain (chain names are case-sensitive: INPUT, not input). The original note also added "-I OUTPUT -p tcp --dport 21 -j ACCEPT"; the server's replies leave from source port 21, so that rule matches nothing, and with the OUTPUT chain at its default ACCEPT policy no output rule is needed. Keep the stock "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" rule: together with the helper it admits the passive-mode data connection.

3. Restart the firewall

    [root@localhost sysconfig]# service iptables restart
    iptables: Flushing firewall rules:                         [  OK  ]
    iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
    iptables: Unloading modules:                               [  OK  ]
    iptables: Applying firewall rules:                         [  OK  ]

With IPTABLES_MODULES set, the output should also show a "Loading additional modules:" line listing the helpers; if it does not, the variable was not picked up.

============================================================
Note: connect in active mode. Only port 21 is opened for incoming connections; in active mode the server itself opens the data connection to the client from port 20, so the INPUT rules do not affect it. Passive mode relies on the helper and the RELATED rule above, or on opening the range set with pasv_min_port/pasv_max_port in vsftpd.conf.

    [root@localhost sysconfig]# service vsftpd start
    Starting vsftpd for vsftpd:                                [  OK  ]
    [root@localhost sysconfig]# chkconfig --level 3 vsftpd on

============================================================
Reference documents:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/sect-Managing_Confined_Services-File_Transfer_Protocol-Configuration_Examples.html
Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf, section 5.1 "SELinux Packages"

Author: big fruit
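The following preflight script is an added example for the whole procedure above (vsftpd.conf, the SELinux label and Boolean, and the iptables-config helper modules); it is not part of the original article or of vsftpd. It checks text inputs rather than the live system, so it runs offline: the vsftpd.conf files, the iptables-config files, the ls -dZ and getsebool lines below are all constructed samples, and the "alexscript"/"/var/ftp/pub" names are the ones used on this page. On a real RHEL 6 host you would point the functions at /etc/vsftpd/vsftpd.conf, /etc/sysconfig/iptables-config and the output of ls -dZ /var/ftp/pub and getsebool allow_ftpd_anon_write.

```sh
#!/bin/sh
# Added example, not from the original article: offline preflight check for
# the "local users may upload" setup. All sample inputs below are constructed.

# Effective value of a vsftpd.conf key: comment lines are skipped, the last
# assignment wins, and vsftpd's own defaults (man vsftpd.conf) apply when the
# key is absent.
vsftpd_value() {          # $1 = config file, $2 = key
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1)
    if [ -z "$val" ]; then
        case "$2" in
            anonymous_enable) val=YES ;;
            local_enable)     val=NO ;;
            write_enable)     val=NO ;;
        esac
    fi
    printf '%s\n' "$val" | tr 'a-z' 'A-Z'
}

# 0 when the page's intent holds: anonymous off, local on, and write_enable on
# (the setting the page does not mention, without which nothing can upload).
vsftpd_upload_ready() {   # $1 = config file
    [ "$(vsftpd_value "$1" anonymous_enable)" = NO ] &&
    [ "$(vsftpd_value "$1" local_enable)" = YES ] &&
    [ "$(vsftpd_value "$1" write_enable)" = YES ]
}

# 0 when `ls -dZ` shows the writable label and `getsebool` shows the Boolean on.
selinux_upload_ready() {  # $1 = one `ls -dZ` line, $2 = one `getsebool` line
    t=$(printf '%s\n' "$1" | sed -n 's/.*:object_r:\([^:]*\):.*/\1/p')
    [ "$t" = public_content_rw_t ] &&
    [ "$2" = "allow_ftpd_anon_write --> on" ]
}

# /etc/init.d/iptables sources iptables-config as shell, so of several
# IPTABLES_MODULES lines only the last counts and a misspelt name counts for nothing.
effective_modules() {     # $1 = iptables-config file
    sed -n 's/^[[:space:]]*IPTABLES_MODULES="*\([^"]*\)"*.*/\1/p' "$1" | tail -n 1
}

# 0 when both the FTP conntrack helper and the FTP NAT helper are listed
# (the ip_* names used on the page or the nf_* names of the RHEL 6 kernel).
ftp_helpers_configured() { # $1 = iptables-config file
    mods=" $(effective_modules "$1") "
    case "$mods" in *" ip_conntrack_ftp "*|*" nf_conntrack_ftp "*) ;; *) return 1 ;; esac
    case "$mods" in *" ip_nat_ftp "*|*" nf_nat_ftp "*) ;; *) return 1 ;; esac
    return 0
}

# --- constructed samples ---------------------------------------------------
d=$(mktemp -d)
printf 'anonymous_enable=NO\nlocal_enable=YES\n# write_enable=YES\n' > "$d/vsftpd.page"
printf 'anonymous_enable=NO\nlocal_enable=YES\nwrite_enable=YES\n'   > "$d/vsftpd.good"
# As typed in the original note: misspelt name, one module per line.
printf 'IPTABLES_MODULES=""\nIPTABLES_MODELES="ip_conntrack_ftp"\nIPTABLES_MODELES="ip_nat_ftp"\n' > "$d/ipt.page"
# Name fixed but still two lines: the second assignment overrides the first.
printf 'IPTABLES_MODULES="ip_conntrack_ftp"\nIPTABLES_MODULES="ip_nat_ftp"\n' > "$d/ipt.twolines"
printf 'IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"\n' > "$d/ipt.good"
LSZ_GOOD='drwxrwxr-x. ftp ftp system_u:object_r:public_content_rw_t:s0 /var/ftp/pub'
LSZ_RO='drwxrwxr-x. ftp ftp system_u:object_r:public_content_t:s0 /var/ftp/pub'
BOOL_ON='allow_ftpd_anon_write --> on'

report() { if "$@"; then echo "ok   $*"; else echo "FAIL $*"; fi; }
report vsftpd_upload_ready "$d/vsftpd.page"
report vsftpd_upload_ready "$d/vsftpd.good"
report selinux_upload_ready "$LSZ_RO" "$BOOL_ON"
report selinux_upload_ready "$LSZ_GOOD" "$BOOL_ON"
report ftp_helpers_configured "$d/ipt.page"
report ftp_helpers_configured "$d/ipt.twolines"
report ftp_helpers_configured "$d/ipt.good"
```

The three "page" samples fail and the three "good" ones pass: the vsftpd.conf with write_enable left at its default, the read-only label, and the iptables-config with the misspelt variable (or with two separate lines, where only ip_nat_ftp survives) are exactly the mistakes that produce a working login with every upload rejected.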
