RHEL-RH134-UNIT10-selinux的管理
[root@localhost Desktop]# touch /mnt/hello
[root@localhost Desktop]# mv /mnt/hello /var/ftp/pub/
[root@localhost Desktop]# cd /var/ftp/pub/
[root@localhost pub]# setenforce 0
[root@localhost pub]# setenforce 1
[root@localhost pub]# chcon -t public_content_t /var/ftp/pub/hello
[root@localhost Desktop]# getenforce
Enforcing
[root@localhost Desktop]#
[root@localhost Desktop]#
[root@localhost Desktop]# touch /mnt/hello
[root@localhost Desktop]# mv /mnt/hello /var/ftp/pub/
[root@localhost Desktop]# cd /var/ftp/pub/
[root@localhost pub]# ls
hello
[root@localhost pub]# cd /var/ftp/pub/
[root@localhost pub]# touch westos
[root@localhost pub]# lftp 127.25.254.108 ##注意:127.25.254.108 是笔误(下面 ifconfig 显示本机地址为 172.25.254.108);由于 127.0.0.0/8 整段都是回环地址,这里实际上仍连到了本机的 vsftpd
lftp 127.25.254.108:~> ls
Interrupt 9]
lftp 127.25.254.108:~> quit
[root@localhost pub]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.25.254.108 netmask 255.255.255.0 broadcast 172.25.254.255
inet6 fe80::5054:ff:fe00:80b prefixlen 64 scopeid 0x20<link>
ether 52:54:00:00:08:0b txqueuelen 1000 (Ethernet)
RX packets 1867 bytes 234046 (228.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 26 bytes 3963 (3.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 650 bytes 55056 (53.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 650 bytes 55056 (53.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost pub]# setenforce 0 ##临时切换为 Permissive 只是为了判断访问失败是否由 SELinux 引起;这不是修复手段,确认后应立即 setenforce 1,并通过修正标签或布尔值来解决
[root@localhost pub]# getenforce
Permissive
[root@localhost pub]#
[root@localhost pub]#
[root@localhost pub]#
[root@localhost pub]# lftp 127.25.254.108
lftp 127.25.254.108:~> cd pub
cd ok, cwd=/pub
lftp 127.25.254.108:/pub> ls
-rw-r--r-- 1 0 0 0 Apr 23 09:01 hello
-rw-r--r-- 1 0 0 0 Apr 23 09:01 westos
lftp 127.25.254.108:/pub> quit
[root@localhost pub]# setenforce 1
[root@localhost pub]# getenforce
Enforcing
[root@localhost pub]# ps auxZ|grep vsftpd ##查看 vsftpd 进程的安全上下文:它运行在受限域 ftpd_t 中,能读哪些文件由策略中 ftpd_t 对文件类型的规则决定
system_u:system_r:ftpd_t:s0-s0:c0.c1023 root 2541 0.0 0.0 52756 564 ? Ss 05:03 0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2695 0.0 0.0 112640 932 pts/0 S+ 05:05 0:00 grep --color=auto vsftpd
[root@localhost pub]# ls -Z /var/ftp/pub/
hello westos
[root@localhost pub]# ls -Z /var/ftp/pub/
-rw-r--r--. root root unconfined_u:object_r:mnt_t:s0 hello
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 westos
[root@localhost pub]# chc
chcat chcon chcpu
[root@localhost pub]# chc
chcat chcon chcpu
[root@localhost pub]# chcon -t public_content_t /var/ftp/pub/hello
[root@localhost pub]# lftp 127.25.254.108
lftp 127.25.254.108:~> ls
drwxr-xr-x 2 0 0 31 Mar 07 2014 pub
lftp 127.25.254.108:/> cd pub
lftp 127.25.254.108:/pub> ls
-rw-r--r-- 1 0 0 0 Apr 23 09:01 hello
-rw-r--r-- 1 0 0 0 Apr 23 09:01 westos
lftp 127.25.254.108:/pub> quit
[root@localhost vsftpd]# getenforce ##确认 SELinux 处于 Enforcing 模式,这样后面的访问失败才能归因于 SELinux 而不是普通的 DAC 权限
Enforcing
[root@localhost vsftpd]# vi vsftpd.conf ##在 vsftpd.conf 中把匿名用户的根目录改为 /westos(通常是 anon_root=/westos);注意 /westos 不在默认 /var/ftp 的标签规则范围内,需要单独添加 fcontext 规则
[root@localhost vsftpd]# systemctl restart vsftpd ##重启vsftpd服务
[root@localhost vsftpd]# cd
[root@localhost ~]# mkdir /westos
[root@localhost ~]# touch /westos/westosfile{1..10}
[root@localhost ~]# ls -Z /westos ##新建的 /westos 没有任何 fcontext 规则匹配,因此被打上兜底类型 default_t;ftpd_t 无法读取这种类型的文件(下面 lftp 的 ls 为空即为此原因)
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile1
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile10
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile2
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile3
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile4
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile5
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile6
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile7
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile8
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile9
[root@localhost ~]# ls -Z /var/ftp ##ftp上下文为public_content_t
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 pub
[root@localhost ~]# lftp 172.25.254.108
lftp 172.25.254.108:~> ls
lftp 172.25.254.108:/> quit
[root@localhost ~]# semanage fcontext -l |grep /westos ##查询策略中是否已有匹配 /westos 的规则;没有输出说明尚未定义
[root@localhost ~]# ls -lZ /westos
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile1
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile10
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile2
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile3
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile4
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile5
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile6
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile7
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile8
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile9
[root@localhost ~]# cd /westos
[root@localhost westos]# semanage fcontext -l |grep westos
[root@localhost westos]# semanage fcontext -l |grep var/ftp ##查看策略自带的 /var/ftp 规则,作为给 /westos 定义规则时的参考
/var/ftp(/.*)? all files system_u:object_r:public_content_t:s0
/var/ftp/bin(/.*)? all files system_u:object_r:bin_t:s0
/var/ftp/etc(/.*)? all files system_u:object_r:etc_t:s0
/var/ftp/lib(/.*)? all files system_u:object_r:lib_t:s0
/var/ftp/lib/ld[^/]*\.so(\.[^/]*)* regular file system_u:object_r:ld_so_t:s0
[root@localhost westos]# semanage fcontext -a -t public_content_t '/westos(/.*)?' ##向 SELinux 的文件上下文策略(file_contexts.local)添加一条规则:/westos 及其下所有文件的默认类型为 public_content_t。这只是修改策略数据库,并不会立即改写磁盘上已有文件的标签,必须再执行 restorecon 才会生效
[root@localhost westos]# ls -lZ /westos ##再次查看,标签仍然是 default_t:semanage 只记录规则,不会重新打标签
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile1
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile10
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile2
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile3
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile4
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile5
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile6
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile7
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile8
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile9
[root@localhost westos]# restorecon -RvvF /westos ##按策略递归重新打标签;-F 连同 SELinux 用户部分一起强制重置(unconfined_u -> system_u),-vv 列出每个被修改的文件
restorecon reset /westos context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/westosfile1 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/westosfile2 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/westosfile3 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/westosfile4 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/westosfile5 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/westosfile6 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/westosfile7 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/westosfile8 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/westosfile9 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/westosfile10 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
[root@localhost westos]# ls -lZ /westos ##文件安全上下文已变更为 public_content_t,ftpd_t 现在可以读取
-rw-r--r--. root root system_u:object_r:public_content_t:s0 westosfile1
-rw-r--r--. root root system_u:object_r:public_content_t:s0 westosfile10
-rw-r--r--. root root system_u:object_r:public_content_t:s0 westosfile2
-rw-r--r--. root root system_u:object_r:public_content_t:s0 westosfile3
-rw-r--r--. root root system_u:object_r:public_content_t:s0 westosfile4
-rw-r--r--. root root system_u:object_r:public_content_t:s0 westosfile5
-rw-r--r--. root root system_u:object_r:public_content_t:s0 westosfile6
-rw-r--r--. root root system_u:object_r:public_content_t:s0 westosfile7
-rw-r--r--. root root system_u:object_r:public_content_t:s0 westosfile8
-rw-r--r--. root root system_u:object_r:public_content_t:s0 westosfile9
[root@localhost westos]# lftp 172.25.254.108 ##可以查看文件
lftp 172.25.254.108:~> ls
-rw-r--r-- 1 0 0 0 Apr 29 01:33 westosfile1
-rw-r--r-- 1 0 0 0 Apr 29 01:33 westosfile10
-rw-r--r-- 1 0 0 0 Apr 29 01:33 westosfile2
-rw-r--r-- 1 0 0 0 Apr 29 01:33 westosfile3
-rw-r--r-- 1 0 0 0 Apr 29 01:33 westosfile4
-rw-r--r-- 1 0 0 0 Apr 29 01:33 westosfile5
-rw-r--r-- 1 0 0 0 Apr 29 01:33 westosfile6
-rw-r--r-- 1 0 0 0 Apr 29 01:33 westosfile7
-rw-r--r-- 1 0 0 0 Apr 29 01:33 westosfile8
-rw-r--r-- 1 0 0 0 Apr 29 01:33 westosfile9
lftp 172.25.254.108:/> quit
[root@localhost westos]# touch /westos/westfile11 ##新建文件默认继承父目录 /westos 的 public_content_t 类型,无需再次 restorecon,因此匿名用户仍能看到
[root@localhost westos]# lftp 172.25.254.108
lftp 172.25.254.108:~> ls
-rw-r--r-- 1 0 0 0 Apr 29 01:42 westfile11
-rw-r--r-- 1 0 0 0 Apr 29 01:33 westosfile1
-rw-r--r-- 1 0 0 0 Apr 29 01:33 westosfile10
-rw-r--r-- 1 0 0 0 Apr 29 01:33 westosfile2
-rw-r--r-- 1 0 0 0 Apr 29 01:33 westosfile3
-rw-r--r-- 1 0 0 0 Apr 29 01:33 westosfile4
-rw-r--r-- 1 0 0 0 Apr 29 01:33 westosfile5
-rw-r--r-- 1 0 0 0 Apr 29 01:33 westosfile6
-rw-r--r-- 1 0 0 0 Apr 29 01:33 westosfile7
-rw-r--r-- 1 0 0 0 Apr 29 01:33 westosfile8
-rw-r--r-- 1 0 0 0 Apr 29 01:33 westosfile9
lftp 172.25.254.108:/>
[root@localhost home]# lftp 172.25.254.108 -u student ##以 student 账户登录 lftp。注意普通 FTP 的密码和数据都是明文传输,生产环境应使用 SFTP 或 FTPS
Password:
[root@localhost home]# lftp 172.25.254.108 -u student
Password:
lftp student@172.25.254.108:~> ls
lftp student@172.25.254.108:~>
lftp student@172.25.254.108:~>
lftp student@172.25.254.108:~>
lftp student@172.25.254.108:~> ls
lftp student@172.25.254.108:~> put /etc/passwd
put: Access failed: 553 Could not create file. (passwd) ##写入被拒。DAC 权限其实是允许的(见下面 ls -ld),被拦的是 SELinux:布尔值 ftp_home_dir 为 off 时 ftpd_t 不能访问用户家目录,具体拒绝记录可在 /var/log/audit/audit.log 的 AVC 条目中确认
lftp student@172.25.254.108:~> quit
[root@localhost home]# ls -ld /home/student ##DAC 层面 student 对自己的家目录有写权限,说明上面的 553 不是普通权限问题
drwx------. 5 student student 4096 Apr 22 21:20 /home/student
[root@localhost home]# getenforce ##仍处于 Enforcing 模式
Enforcing
[root@localhost home]# getsebool -a |grep ftp ##列出与 ftp 相关的 SELinux 布尔值,查看策略对该服务施加的可调开关
ftp_home_dir --> off ##默认为off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@localhost home]# setse
setsebool setserial
[root@localhost home]# setse
setsebool setserial
[root@localhost home]# setse
setsebool setserial
[root@localhost home]# setsebool -P ftp_home_dir=1 ##打开 ftp_home_dir,-P 把改动写入策略使其重启后仍然生效。注意这个布尔值允许 vsftpd 访问所有用户的家目录而不只是 student,属于较宽的授权;不要为图省事改用 ftpd_full_access,那会让 vsftpd 几乎不受 SELinux 限制
[root@localhost home]# getsebool -a |grep ftp ##再次查看
ftp_home_dir --> on
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@localhost home]# lftp 172.25.254.108 -u student
Password:
lftp student@172.25.254.108:~> ls
lftp student@172.25.254.108:~> put /etc/passwd ##现在可以上传了,说明之前的拒绝确实来自 SELinux;这里上传 /etc/passwd 仅作演示
2005 bytes transferred
lftp student@172.25.254.108:~> ls
-rw-r--r-- 1 1000 1000 2005 Apr 29 02:08 passwd
lftp student@172.25.254.108:~>