The two services are relatively simple. If SELinux is set to disabled during configuration, there is no difficulty.
Of course, with smbd_disable_trans=on and ftpd_disable_trans=on it is not difficult either.
I don't know whether this is the right thing to do, but I personally think that SELinux has received much attention since it was developed. All major Linux distribution vendors have added SELinux to their releases, which shows its importance.
In addition, taking Red Hat alone, from AS4 to AS5 they increased SELinux's fcontext from 13 to 88, and this may increase further, which again shows the importance of SELinux.
Next, let's briefly talk about SELinux for vsftpd and smb. My understanding is not very thorough and will be supplemented later.
About ftp:
1. Anonymous user upload:
anon_upload_enable=YES
anon_mkdir_write_enable=YES
SELinux settings:
setsebool -P allow_ftpd_anon_write on
mkdir /var/ftp/input
chmod 777 /var/ftp/input
chcon -t public_content_rw_t /var/ftp/input
ls -Zd /var/ftp/input
2. Upload by system users:
setsebool -P ftp_home_dir on
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
About smb:
Anonymous user upload:
1. # ls -dZ /samba-share/
drwxr-xr-x nobody root:object_r:root_t /samba-share/
2. # chcon -R -t samba_share_t /samba-share/
3. # ls -dZ /samba-share/
drwxr-xr-x nobody nobody root:object_r:samba_share_t /samba-share/
Method 2:
1. # ls -dZ /samba-share/
drwxr-xr-x root:object_r:root_t /samba-share/
2. # chcon -R -t public_content_rw_t /samba-share/
3. # ls -dZ /samba-share/
drwxr-xr-x nobody root:object_r:public_content_rw_t /samba-share/
Note: public_content_t and public_content_rw_t are types that several domains (services) can access in common. The latter usually requires turning on the Boolean of the corresponding service, allow_xxx_anon_write. Otherwise, access remains limited to reading.
# getsebool -a | grep allow_smbd_anon_write
allow_smbd_anon_write --> off
• Enable anonymous write.
# setsebool -P allow_smbd_anon_write=1
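
As an added example (not part of the original post), the following shell functions combine the two checks used above, the ls -dZ label and the getsebool state, into one verdict on whether SELinux will permit anonymous writes through the public_content types. The function names and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: combine the directory label and the anon-write boolean
# into one SELinux-side verdict (file permissions are checked separately).

# Print the SELinux type from one line of `ls -dZ` output. The context is
# the first field shaped like user:role:type, with or without a level.
selinux_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, c, ":") >= 3) { print c[3]; exit }
    }'
}

# Print on/off from a getsebool line such as "allow_smbd_anon_write --> off".
bool_state() {
    printf '%s\n' "$1" | awk '$2 == "-->" { print $3 }'
}

# $1 = ls -dZ line, $2 = getsebool line for the service's anon-write boolean.
anon_write_verdict() (
    ctx_type=$(selinux_type "$1")
    state=$(bool_state "$2")
    case "$ctx_type" in
        public_content_rw_t)
            # Writable type: the boolean decides between write and read-only.
            if [ "$state" = on ]; then echo write-allowed; else echo read-only; fi ;;
        public_content_t) echo read-only ;;
        *) echo not-public-content ;;
    esac
)

# Constructed sample lines in the format shown above (not captured output).
SAMPLE_LS='drwxr-xr-x nobody nobody root:object_r:public_content_rw_t /samba-share/'
SAMPLE_BOOL='allow_smbd_anon_write --> off'
anon_write_verdict "$SAMPLE_LS" "$SAMPLE_BOOL"

# On a live system:
#   anon_write_verdict "$(ls -dZ /var/ftp/input)" "$(getsebool allow_ftpd_anon_write)"
```

A verdict of not-public-content means the directory still carries a label such as root_t and has to be relabelled with chcon before the Boolean has any effect.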