selinux的管理
####安全上下文的查看与更改####
vim /etc/sysconfig/selinux ###更改状态
[root@localhost ~]# systemctl status vsftpd ##查看vsftpd服务状态
vsftpd.service - Vsftpd ftp daemon
Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; disabled)
Active: inactive (dead)
[root@localhost ~]# systemctl start vsftpd
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# systemctl enable vsftpd
ln -s '/usr/lib/systemd/system/vsftpd.service' '/etc/systemd/system/multi-user.target.wants/vsftpd.service'
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# semanage fcontext -l | grep westos ##查看westos安全上下文
[root@localhost ~]# semanage fcontext -l | grep var/ftp ##查看var/ftp安全上写文
/var/ftp(/.*)? all files system_u:object_r:public_content_t:s0
/var/ftp/bin(/.*)? all files system_u:object_r:bin_t:s0
/var/ftp/etc(/.*)? all files system_u:object_r:etc_t:s0
/var/ftp/lib(/.*)? all files system_u:object_r:lib_t:s0
/var/ftp/lib/ld[^/]*\\.so(\\.[^/]*)* regular file system_u:object_r:ld_so_t:s0
[root@localhost ~]# semanage fcontext -a -t public_content_t '/westos(/.*)?' ##更改/westos的安全上下文(-a指添加,-t指安全上下文类型)
[root@localhost ~]# semanage fcontext -l | grep var/ftp ##-l查看var/ftp安全上下文类型
/var/ftp(/.*)? all files system_u:object_r:public_content_t:s0
/var/ftp/bin(/.*)? all files system_u:object_r:bin_t:s0
/var/ftp/etc(/.*)? all files system_u:object_r:etc_t:s0
/var/ftp/lib(/.*)? all files system_u:object_r:lib_t:s0
/var/ftp/lib/ld[^/]*\\.so(\\.[^/]*)* regular file system_u:object_r:ld_so_t:s0
[root@localhost ~]# ls -Zd /westos/ ##查看安全上下文
ls: cannot access /westos/: No such file or directory
[root@localhost ~]# mkdir /westos
[root@localhost ~]# touch /westos/file{1..3}
[root@localhost ~]# ls /westos/
file1 file2 file3
[root@localhost ~]# ls -Zd /westos
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /westos/
[root@localhost ~]# restorecon -RvvF /westos/ ##刷新安全上下文
restorecon reset /westos context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/file2 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/file3 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
[root@localhost ~]# ls -Zd /westos/ ##再次查看安全上下文,看是否更改成功
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /westos/
测试:
[root@localhost ~]# lftp 172.25.254.113
lftp 172.25.254.113:~> ls
drwxr-xr-x 2 0 0 45 Apr 23 09:15 pub
lftp 172.25.254.113:/> exit
[root@localhost ~]# vim /etc/vsftpd/vsftpd.conf ##在配置文件中加anon_root=/westos,更改匿名用户家目录到/westos
[root@localhost ~]# systemctl restart vsftpd.service ##重新再次打开
[root@localhost ~]# ps auxZ | grep vsftpd ##安全上下文的查看
system_u:system_r:ftpd_t:s0-s0:c0.c1023 root 2770 0.0 0.0 52756 560 ? Ss 21:35 0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2780 0.0 0.0 112640 936 pts/1 S+ 21:36 0:00 grep --color=auto vsftpd
[root@localhost ~]# ls -Zd /westos/ ##安全上下文查看
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /westos/
匿名用户连接测试
[root@localhost ~]# lftp 172.25.254.113
lftp 172.25.254.113:~> ls
-rw-r--r-- 1 0 0 0 Apr 29 01:32 file1
-rw-r--r-- 1 0 0 0 Apr 29 01:32 file2
-rw-r--r-- 1 0 0 0 Apr 29 01:32 file3
lftp 172.25.254.113:/> quit
[root@localhost ~]# ls -Z /westos/ ##再次查看/westos安全上下文是否更改成功
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file1
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file2
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file3
[root@localhost ~]# semanage fcontext -l | grep westos ##此时查看安全上下文即可以显示
/westos(/.*)? all files system_u:object_r:public_content_t:s0
###查看不同状态下能否上传文件###
[root@localhost ~]# id student
uid=1000(student) gid=1000(student) groups=1000(student),10(wheel)
[root@localhost ~]# lftp -u student 172.25.254.113 ##使用本地用户登陆
Password:
lftp student@172.25.254.113:~> ls
lftp student@172.25.254.113:~> put /etc/passwd ##上传文件
put: Access failed: 553 Could not create file. (passwd)##显示权限不够
lftp student@172.25.254.113:~> exit
[root@localhost ~]# setenforce 0 ##更改为警告模式
[root@localhost ~]# getenforce ##查看状态显示
Permissive
[root@localhost ~]# lftp -u student 172.25.254.113 ##再次登陆
Password:
lftp student@172.25.254.113:~> ls
lftp student@172.25.254.113:~> put /etc/passwd
2048 bytes transferred ##上传成功
lftp student@172.25.254.113:~> ls
-rw-r--r-- 1 1000 1000 2048 Apr 29 02:07 passwd
lftp student@172.25.254.113:~> exit
[root@localhost ~]# getsebool -a | grep ftp ##查看各功能是否开启(如同微信扣扣等有的服务存在但默认状态是关闭的)
ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@localhost ~]# setsebool -P ftp_home_dir 1 ##开启-p(永久更改)之后的功能(1为开启,0为关闭)
[root@localhost ~]# getsebool -a | grep ftp ##再次查看ftp服务所对应的功能开启情况
ftp_home_dir --> on ///与之前那个相比这个服务状态已打开
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@localhost ~]# setenforce 1 ##更改模式为强制模式
[root@localhost ~]# getenforce
Enforcing
实验检测:
[root@localhost ~]# lftp -u student 172.25.254.113
Password:
lftp student@172.25.254.113:~> put /etc/passwd
2048 bytes transferred ##在强制模式也上传成功
lftp student@172.25.254.113:~> ls
-rw-r--r-- 1 1000 1000 2048 Apr 29 02:10 passwd
lftp student@172.25.254.113:~> exit
