
linux 2 unit10 selinux

selinux的管理

####安全上下文的查看与更改####

 

vim /etc/sysconfig/selinux  ###更改 SELinux 的状态(修改文件中的 SELINUX= 一项,重启后生效)

[root@localhost ~]# systemctl status vsftpd   ##查看vsftpd服务状态

vsftpd.service - Vsftpd ftp daemon

   Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; disabled)

   Active: inactive (dead)

 

[root@localhost ~]# systemctl start vsftpd

[root@localhost ~]# systemctl stop firewalld

[root@localhost ~]# systemctl enable vsftpd

ln -s '/usr/lib/systemd/system/vsftpd.service' '/etc/systemd/system/multi-user.target.wants/vsftpd.service'

[root@localhost ~]# getenforce

Enforcing

[root@localhost ~]# semanage fcontext -l | grep westos  ##查看westos安全上下文

[root@localhost ~]# semanage fcontext -l | grep var/ftp   ##查看var/ftp的安全上下文

/var/ftp(/.*)?                                     all files          system_u:object_r:public_content_t:s0

/var/ftp/bin(/.*)?                                 all files          system_u:object_r:bin_t:s0

/var/ftp/etc(/.*)?                                 all files          system_u:object_r:etc_t:s0

/var/ftp/lib(/.*)?                                 all files          system_u:object_r:lib_t:s0

/var/ftp/lib/ld[^/]*\.so(\.[^/]*)*                   regular file       system_u:object_r:ld_so_t:s0

[root@localhost ~]# semanage fcontext -a -t public_content_t '/westos(/.*)?'    ##为/westos添加安全上下文规则(-a指添加规则,-t指安全上下文类型;此时只写入策略,还未应用到文件上)

[root@localhost ~]# semanage fcontext -l | grep var/ftp   ##-l查看var/ftp安全上下文类型

/var/ftp(/.*)?                                     all files          system_u:object_r:public_content_t:s0

/var/ftp/bin(/.*)?                                 all files          system_u:object_r:bin_t:s0

/var/ftp/etc(/.*)?                                 all files          system_u:object_r:etc_t:s0

/var/ftp/lib(/.*)?                                 all files          system_u:object_r:lib_t:s0

/var/ftp/lib/ld[^/]*\.so(\.[^/]*)*                   regular file       system_u:object_r:ld_so_t:s0

[root@localhost ~]# ls -Zd /westos/  ##查看安全上下文

ls: cannot access /westos/: No such file or directory

[root@localhost ~]# mkdir /westos

[root@localhost ~]# touch /westos/file{1..3}

[root@localhost ~]# ls /westos/

file1  file2  file3

[root@localhost ~]# ls -Zd /westos

drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /westos/

[root@localhost ~]# restorecon -RvvF /westos/  ##按策略中的规则递归重置/westos的安全上下文(-R递归,-vv显示变更,-F强制重置)

restorecon reset /westos context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0

restorecon reset /westos/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0

restorecon reset /westos/file2 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0

restorecon reset /westos/file3 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0

[root@localhost ~]# ls -Zd /westos/   ##再次查看安全上下文,看是否更改成功

drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /westos/

测试:

[root@localhost ~]# lftp 172.25.254.113

lftp 172.25.254.113:~> ls

drwxr-xr-x    2 0        0              45 Apr 23 09:15 pub

lftp 172.25.254.113:/> exit

[root@localhost ~]# vim /etc/vsftpd/vsftpd.conf ##在配置文件中加入anon_root=/westos,将匿名用户的根目录更改为/westos

[root@localhost ~]# systemctl restart vsftpd.service  ##重启服务使配置生效

[root@localhost ~]# ps auxZ | grep vsftpd   ##查看vsftpd进程的安全上下文(进程运行在ftpd_t域中)

system_u:system_r:ftpd_t:s0-s0:c0.c1023 root 2770 0.0  0.0 52756  560 ?        Ss   21:35   0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2780 0.0  0.0 112640 936 pts/1 S+ 21:36   0:00 grep --color=auto vsftpd

[root@localhost ~]# ls -Zd /westos/  ##安全上下文查看

drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /westos/

匿名用户连接测试

[root@localhost ~]# lftp 172.25.254.113  

lftp 172.25.254.113:~> ls

-rw-r--r--    1 0        0               0 Apr 29 01:32 file1

-rw-r--r--    1 0        0               0 Apr 29 01:32 file2

-rw-r--r--    1 0        0               0 Apr 29 01:32 file3

lftp 172.25.254.113:/> quit

[root@localhost ~]# ls -Z /westos/  ##再次查看/westos安全上下文是否更改成功

-rw-r--r--. root root system_u:object_r:public_content_t:s0 file1

-rw-r--r--. root root system_u:object_r:public_content_t:s0 file2

-rw-r--r--. root root system_u:object_r:public_content_t:s0 file3

[root@localhost ~]# semanage fcontext -l | grep westos  ##此时规则已添加,可以查询到/westos的安全上下文规则

/westos(/.*)?                                      all files          system_u:object_r:public_content_t:s0

 

 

###查看不同状态下能否上传文件### 

[root@localhost ~]# id student

uid=1000(student) gid=1000(student) groups=1000(student),10(wheel)

[root@localhost ~]# lftp -u student 172.25.254.113 ##使用本地用户登陆

Password:

lftp student@172.25.254.113:~> ls      

lftp student@172.25.254.113:~> put /etc/passwd  ##上传文件

put: Access failed: 553 Could not create file. (passwd)##上传被拒绝:强制模式下ftp_home_dir布尔值关闭,SELinux不允许vsftpd写入用户家目录

lftp student@172.25.254.113:~> exit

[root@localhost ~]# setenforce 0  ##临时切换为宽容模式(Permissive:只记录违规,不拒绝访问)

[root@localhost ~]# getenforce  ##查看状态显示

Permissive

[root@localhost ~]# lftp -u student 172.25.254.113  ##再次登陆

Password:

lftp student@172.25.254.113:~> ls      

lftp student@172.25.254.113:~> put /etc/passwd

2048 bytes transferred    ##上传成功

lftp student@172.25.254.113:~> ls

-rw-r--r--    1 1000     1000         2048 Apr 29 02:07 passwd

lftp student@172.25.254.113:~> exit

[root@localhost ~]# getsebool -a | grep ftp   ##查看ftp相关SELinux布尔值的开关状态(如同微信、QQ等,有的功能存在但默认是关闭的)

ftp_home_dir --> off

ftpd_anon_write --> off

ftpd_connect_all_unreserved --> off

ftpd_connect_db --> off

ftpd_full_access --> off

ftpd_use_cifs --> off

ftpd_use_fusefs --> off

ftpd_use_nfs --> off

ftpd_use_passive_mode --> off

httpd_can_connect_ftp --> off

httpd_enable_ftp_server --> off

sftpd_anon_write --> off

sftpd_enable_homedirs --> off

sftpd_full_access --> off

sftpd_write_ssh_home --> off

tftp_anon_write --> off

tftp_home_dir --> off

[root@localhost ~]# setsebool -P ftp_home_dir 1  ##开启ftp_home_dir布尔值(-P表示永久更改,重启后仍有效;1为开启,0为关闭)

[root@localhost ~]# getsebool -a | grep ftp  ##再次查看ftp服务所对应的功能开启情况

ftp_home_dir --> on   ##与之前相比,该布尔值已打开

ftpd_anon_write --> off

ftpd_connect_all_unreserved --> off

ftpd_connect_db --> off

ftpd_full_access --> off

ftpd_use_cifs --> off

ftpd_use_fusefs --> off

ftpd_use_nfs --> off

ftpd_use_passive_mode --> off

httpd_can_connect_ftp --> off

httpd_enable_ftp_server --> off

sftpd_anon_write --> off

sftpd_enable_homedirs --> off

sftpd_full_access --> off

sftpd_write_ssh_home --> off

tftp_anon_write --> off

tftp_home_dir --> off   

[root@localhost ~]# setenforce 1  ##切换回强制模式(Enforcing)

[root@localhost ~]# getenforce

Enforcing

实验检测:

[root@localhost ~]# lftp -u student 172.25.254.113

Password:

lftp student@172.25.254.113:~> put /etc/passwd

2048 bytes transferred   ##开启ftp_home_dir后,在强制模式下也能上传成功

lftp student@172.25.254.113:~> ls

-rw-r--r--    1 1000     1000         2048 Apr 29 02:10 passwd

lftp student@172.25.254.113:~> exit


本文出自 “AELY木” 博客,请务必保留此出处http://12768057.blog.51cto.com/12758057/1921088
