linux2unit10selinux
selinux的管理
####安全上下文的檢視與更改####
vim /etc/sysconfig/selinux ###更改 SELinux 的預設狀態(enforcing/permissive/disabled)。此檔案是 /etc/selinux/config 的符號連結,改動要重新開機後才生效;臨時切換請用下文的 setenforce。
[root@localhost ~]# systemctl status vsftpd ##檢視vsftpd服務狀態
vsftpd.service - Vsftpd ftp daemon
Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; disabled)
Active: inactive (dead)
[root@localhost ~]# systemctl start vsftpd
[root@localhost ~]# systemctl stop firewalld ##實驗環境為排除防火牆干擾而整個關閉;正式環境應只放行 ftp 服務(firewall-cmd --add-service=ftp),不要停用防火牆
[root@localhost ~]# systemctl enable vsftpd
ln -s '/usr/lib/systemd/system/vsftpd.service' '/etc/systemd/system/multi-user.target.wants/vsftpd.service' ##這一行是 systemctl enable 的輸出,表示已建立開機自啟的符號連結
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# semanage fcontext -l | grep westos ##檢視westos安全上下文
[root@localhost ~]# semanage fcontext -l | grep var/ftp ##檢視var/ftp安全上下文
/var/ftp(/.*)? all files system_u:object_r:public_content_t:s0
/var/ftp/bin(/.*)? all files system_u:object_r:bin_t:s0
/var/ftp/etc(/.*)? all files system_u:object_r:etc_t:s0
/var/ftp/lib(/.*)? all files system_u:object_r:lib_t:s0
/var/ftp/lib/ld[^/]*\.so(\.[^/]*)* regular file system_u:object_r:ld_so_t:s0
[root@localhost ~]# semanage fcontext -a -t public_content_t '/westos(/.*)?' ##新增/westos的安全上下文規則(-a指新增,-t指安全上下文型別)。規則是正規表示式,必須用單引號包起來,否則 ( ) ? * 會被 shell 解析而出錯。注意:此命令只把規則寫入策略資料庫,磁碟上既有檔案的標籤不會變,需再執行 restorecon 才生效
[root@localhost ~]# semanage fcontext -l | grep var/ftp ##-l檢視var/ftp安全上下文型別(這裡 grep 的是 var/ftp,所以不會列出剛新增的 /westos 規則;要確認新規則應 grep westos,見後文)
/var/ftp(/.*)? all files system_u:object_r:public_content_t:s0
/var/ftp/bin(/.*)? all files system_u:object_r:bin_t:s0
/var/ftp/etc(/.*)? all files system_u:object_r:etc_t:s0
/var/ftp/lib(/.*)? all files system_u:object_r:lib_t:s0
/var/ftp/lib/ld[^/]*\.so(\.[^/]*)* regular file system_u:object_r:ld_so_t:s0
[root@localhost ~]# ls -Zd /westos/ ##檢視安全上下文
ls: cannot access /westos/: No such file or directory
[root@localhost ~]# mkdir /westos
[root@localhost ~]# touch /westos/file{1..3}
[root@localhost ~]# ls /westos/
file1 file2 file3
[root@localhost ~]# ls -Zd /westos
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /westos/
[root@localhost ~]# restorecon -RvvF /westos/ ##依策略規則重新套用安全上下文:-R 遞迴、-v 顯示變更、-F 強制連 user 部分一併重設(所以下面可見 unconfined_u 變成 system_u)
restorecon reset /westos context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/file2 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/file3 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
[root@localhost ~]# ls -Zd /westos/ ##再次檢視安全上下文,看是否更改成功
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /westos/
測試:
[root@localhost ~]# lftp 172.25.254.113
lftp 172.25.254.113:~> ls
drwxr-xr-x 2 0 0 45 Apr 23 09:15 pub
lftp 172.25.254.113:/> exit
[root@localhost ~]# vim /etc/vsftpd/vsftpd.conf ##在配置檔案中加 anon_root=/westos,更改匿名使用者根目錄到/westos。注意:匿名使用者無需帳號密碼,放在 /westos 的內容等於對整個網路公開,只能放真正的公開資料
[root@localhost ~]# systemctl restart vsftpd.service ##重新再次開啟
[root@localhost ~]# ps auxZ | grep vsftpd ##安全上下文的檢視
system_u:system_r:ftpd_t:s0-s0:c0.c1023 root 2770 0.0 0.0 52756 560 ? Ss 21:35 0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2780 0.0 0.0 112640 936 pts/1 S+ 21:36 0:00 grep --color=auto vsftpd
[root@localhost ~]# ls -Zd /westos/ ##安全上下文檢視
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /westos/
匿名使用者連線測試
[root@localhost ~]# lftp 172.25.254.113
lftp 172.25.254.113:~> ls
-rw-r--r-- 1 0 0 0 Apr 29 01:32 file1
-rw-r--r-- 1 0 0 0 Apr 29 01:32 file2
-rw-r--r-- 1 0 0 0 Apr 29 01:32 file3
lftp 172.25.254.113:/> quit
[root@localhost ~]# ls -Z /westos/ ##再次檢視/westos安全上下文是否更改成功
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file1
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file2
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file3
[root@localhost ~]# semanage fcontext -l | grep westos ##此時檢視安全上下文即可以顯示
/westos(/.*)? all files system_u:object_r:public_content_t:s0
###檢視不同狀態下能否上傳檔案###
[root@localhost ~]# id student
uid=1000(student) gid=1000(student) groups=1000(student),10(wheel)
[root@localhost ~]# lftp -u student 172.25.254.113 ##使用本地使用者登入。注意:FTP 的帳號與密碼都是明文傳輸,這種登入方式只適合隔離的實驗網路
Password:
lftp student@172.25.254.113:~> ls
lftp student@172.25.254.113:~> put /etc/passwd ##上傳檔案
put: Access failed: 553 Could not create file. (passwd) ##上傳被拒。這不是一般檔案權限問題(下文切到 Permissive 後同一操作就成功,而 Permissive 並不改變 DAC 權限),而是 Enforcing 下 SELinux 拒絕 ftpd_t 寫入使用者家目錄;拒絕紀錄會以 AVC 訊息寫入 /var/log/audit/audit.log,排錯時應先看該紀錄
lftp student@172.25.254.113:~> exit
[root@localhost ~]# setenforce 0 ##臨時切換為 Permissive(警告模式,重新開機後失效):所有 SELinux 限制都不再強制,只記錄拒絕。這只用來驗證問題是否出在 SELinux,不是解決方法;正式環境不可長期停留在 Permissive,正確做法是下文開啟對應的布林值
[root@localhost ~]# getenforce ##檢視狀態顯示
Permissive
[root@localhost ~]# lftp -u student 172.25.254.113 ##再次登陸
Password:
lftp student@172.25.254.113:~> ls
lftp student@172.25.254.113:~> put /etc/passwd
2048 bytes transferred ##上傳成功
lftp student@172.25.254.113:~> ls
-rw-r--r-- 1 1000 1000 2048 Apr 29 02:07 passwd
lftp student@172.25.254.113:~> exit
[root@localhost ~]# getsebool -a | grep ftp ##檢視 ftp 相關的布林值(boolean)開關。策略中很多功能已內建但預設關閉(如同某些軟體裝好了卻預設停用),需要時再個別開啟,每開一個都會擴大 ftpd_t 的權限
ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@localhost ~]# setsebool -P ftp_home_dir 1 ##開啟 ftp_home_dir(1為開啟,0為關閉);-P 表示永久寫入策略,重新開機後仍有效。只開啟剛好滿足需求的布林值(讓 ftpd 存取家目錄),不要為圖方便開 ftpd_full_access 之類範圍更大的開關
[root@localhost ~]# getsebool -a | grep ftp ##再次檢視ftp服務所對應的功能開啟情況
ftp_home_dir --> on ##與之前相比,這個布林值已開啟
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@localhost ~]# setenforce 1 ##切回 Enforcing 強制模式(排錯完畢務必切回,並用下一行的 getenforce 確認)
[root@localhost ~]# getenforce
Enforcing
實驗檢測:
[root@localhost ~]# lftp -u student 172.25.254.113
Password:
lftp student@172.25.254.113:~> put /etc/passwd
2048 bytes transferred ##在強制模式也上傳成功:這次能成功是因為 ftp_home_dir 已開啟,而不是靠 setenforce 0(上面 getenforce 已確認為 Enforcing)
lftp student@172.25.254.113:~> ls
-rw-r--r-- 1 1000 1000 2048 Apr 29 02:10 passwd
lftp student@172.25.254.113:~> exit