运维学习23
第十单元 selinux 的管理
selinux:
Selinux是Security-Enhanced Linux的简称
管理selinux级别:
getenforce ##查看状态
1)当selinux开启时
setenforce 0|1 ##更改selinux级别(0 为 permissive,1 为 enforcing;只在 selinux 已开启时有效,不能用它关闭 selinux)
vim /etc/sysconfig/selinux
@@@@@@
# enforcing - SELinux security policy is enforced.强制状态
# permissive - SELinux prints warnings instead of enforcing.警告状态
# disabled - No SELinux policy is loaded.关闭状态
SELINUX=enforcing|permissive|disabled
@@@@@@
更改文件安全上下文
1)******临时更改
chcon -t 安全上下文 文件
2)******永久更改
semanage fcontext -l ##列出内核安全上下文列表内容
semanage fcontext -a -t public_content_t '/dir(/.*)?' ##-a,增加一条规则,-t,指定安全上下文类型
restorecon -FvvR /dir ##刷新安全上下文列表,-F,强制重置,-v,显示目录的刷新过程,-vv,显示目录和文件的刷新过程,-R,递归。
[root@station ~]# semanage fcontext -l | grep westos
[root@station ~]# semanage fcontext -l | grep var/ftp
/var/ftp(/.*)? all files system_u:object_r:public_content_t:s0
/var/ftp/bin(/.*)? all files system_u:object_r:bin_t:s0
/var/ftp/etc(/.*)? all files system_u:object_r:etc_t:s0
/var/ftp/lib(/.*)? all files system_u:object_r:lib_t:s0
/var/ftp/lib/ld[^/]*\.so(\.[^/]*)* regular file system_u:object_r:ld_so_t:s0
[root@station ~]# ls /westos/
file1 file2
[root@station ~]# semanage fcontext -a -t public_content_t '/westos(/.*)?'
[root@station ~]# semanage fcontext -l | grep var/ftp
/var/ftp(/.*)? all files system_u:object_r:public_content_t:s0
/var/ftp/bin(/.*)? all files system_u:object_r:bin_t:s0
/var/ftp/etc(/.*)? all files system_u:object_r:etc_t:s0
/var/ftp/lib(/.*)? all files system_u:object_r:lib_t:s0
/var/ftp/lib/ld[^/]*\.so(\.[^/]*)* regular file system_u:object_r:ld_so_t:s0
[root@station ~]# semanage fcontext -l | grep westos
/westos(/.*)? all files system_u:object_r:public_content_t:s0
[root@station ~]# ls -Zd /westos/
drwxrwsrwx. root student unconfined_u:object_r:default_t:s0 /westos/
[root@station ~]# restorecon -RvvF /westos/
restorecon reset /westos context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/file2 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
[root@station ~]# ls -Zd /westos/
drwxrwsrwx. root student system_u:object_r:public_content_t:s0 /westos/
[root@station ~]#
在开启selinux下更改ftp的默认发布目录
selinux=enforcing,vsftpd软件
[root@station ~]# mkdir -p /publicftp/public
[root@station ~]# vim /etc/vsftpd/vsftpd.conf
@@@@@@
anon_root=/publicftp
@@@@@@
[root@station ~]# systemctl restart vsftpd
[root@station ~]# lftp 172.25.254.145 ##因为目录安全上下文的原因,不能访问修改后的发布目录
lftp 172.25.254.145:~> ls
lftp 172.25.254.145:/> exit
******临时修改安全上下文
[root@station ~]# ls -Zd /publicftp/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /publicftp/
[root@station ~]# chcon -t public_content_t /publicftp/ -R ##临时将default_t改为public_content_t,使可以访问
[root@station ~]# ls -Zd /publicftp/
drwxr-xr-x. root root unconfined_u:object_r:public_content_t:s0 /publicftp/
[root@station ~]# lftp 172.25.254.103
lftp 172.25.254.103:~> ls
drwxr-xr-x 2 0 0 6 Nov 22 07:15 public
lftp 172.25.254.103:/> exit
[root@station ~]# restorecon /publicftp/ ##临时修改的安全上下文刷新后会失效
[root@station ~]# ls -Zd /publicftp/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /publicftp/
******永久修改安全上下文
[root@station ~]# semanage fcontext -l |grep /var/ftp/ ##列出内核安全上下文列表内容
/var/ftp/bin(/.*)? all files system_u:object_r:bin_t:s0
/var/ftp/etc(/.*)? all files system_u:object_r:etc_t:s0
/var/ftp/lib(/.*)? all files system_u:object_r:lib_t:s0
/var/ftp/lib/ld[^/]*\.so(\.[^/]*)* regular file system_u:object_r:ld_so_t:s0
[root@station ~]# semanage fcontext -a -t public_content_t '/publicftp(./*)?' ##往内核中写入要增加的安全上下文列表内容。注意:这里的正则写错了,应与上面一致写成 '/publicftp(/.*)?';'(./*)?' 匹配不到 /publicftp/public 这样的子路径,所以下面 restorecon 把 /publicftp/public 重置回了 default_t
[root@station ~]# restorecon -FvvR /publicftp/
restorecon reset /publicftp context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /publicftp/public context unconfined_u:object_r:public_content_t:s0->system_u:object_r:default_t:s0
*******刷新后不会失效
[root@station ~]# ls -Zd /publicftp/
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /publicftp/
[root@station ~]# restorecon /publicftp/
[root@station ~]# ls -Zd /publicftp/
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /publicftp/
[root@station ~]# lftp 172.25.254.103
lftp 172.25.254.103:~> ls
drwxr-xr-x 2 0 0 6 Nov 22 07:15 public
lftp 172.25.254.103:/> exit
使修改后的目录具有上传文件的功能
[root@station publicftp]# chmod 775 /publicftp/public/
[root@station publicftp]# chgrp ftp /publicftp/public/
[root@station publicftp]# chcon -t public_content_rw_t /publicftp/public/
[root@station publicftp]# ls -dZ /publicftp/public/
drwxrwxr-x. root ftp system_u:object_r:public_content_rw_t:s0 /publicftp/public/
[root@station publicftp]# vim /etc/vsftpd/vsftpd.conf
@@@@@
anon_upload_enable=YES
@@@@@
[root@station publicftp]# systemctl restart vsftpd.service
[root@station mnt]# getsebool -a | grep ftp
ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@station mnt]# setsebool -P ftpd_anon_write on ##-P 使布尔值永久生效(重启后仍保留);该布尔值允许 ftpd 向 public_content_rw_t 类型的目录写入
[root@station mnt]# lftp 172.25.254.103
lftp 172.25.254.103:~> ls
drwxrwxr-x 2 0 50 6 Nov 22 07:15 public
lftp 172.25.254.103:/> cd public/
lftp 172.25.254.103:/public> put /mnt/pingall.sh ##成功上传文件
242 bytes transferred
lftp 172.25.254.103:/public> exit