selinux

#################Selinux的管理

1、什么是selinux
Selinux是Security-Enhanced Linux的简称
2、selinux级别
getenforce ##查看状态
1)当selinux开启时
setenforce 0|1 ##临时更改selinux级别（0=permissive，1=enforcing）；永久设置见下面的配置文件
vim /etc/sysconfig/selinux
enforcing - SELinux security policy is enforced. #####开启
permissive - SELinux prints warnings instead of enforcing ###
disabled - No SELinux policy is loaded. ###关闭

3、如何更改文件安全上下文
1)临时更改
chcon -t 安全上下文 文件

[root@localhost pub]# ls -lZ /var/ftp/pub/
-rwxrwxr-x. root ftp unconfined_u:object_r:public_content_t:s0 file1
-rwxrwxr-x. root ftp unconfined_u:object_r:public_content_t:s0 file2
-rwxrwxr-x. ftp ftp system_u:object_r:public_content_t:s0 passwd

2)永久更改
semanage fcontext -l ##列出内核安全上下文列表内容
semanage fcontext -a -t public_content_t '/dir(/.*)?' ##-a,增加规则,-t,指定安全上下文类型
restorecon -FvvR /dir ##刷新安全上下文列表, -F,强制重置 -v,显示目录的刷新过程-vv显示目录和文件的刷新过程 -R表示递归。

[root@localhost mnt]# getsebool -a | grep ftp
ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@localhost mnt]# setsebool -p ftp_home_dir on
setsebool: invalid option -- 'p'

Usage: setsebool [ -NPV ] boolean value | bool1=val1 bool2=val2...

[root@localhost mnt]# setsebool -P ftp_home_dir on
[root@localhost mnt]# lftp 172.25.254.106 -u westos
Password:
Interrupt
[root@localhost mnt]# passwd westos
Changing password for user westos.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost mnt]# lftp 172.25.254.106 -u westos
Password:
lftp westos@172.25.254.106:~> ls
ls: Login failed: 530 Login incorrect.
lftp westos@172.25.254.106:~> quit
[root@localhost mnt]# vim /etc/vsftpd/vsftpd.conf
[root@localhost mnt]# systemctl restart vsftpd
[root@localhost mnt]# lftp 172.25.254.106 -u westos
Password:
lftp westos@172.25.254.106:~> ls
drwxrwxr-x 2 0 50 43 Apr 11 12:06 pub
-rwxrwxr-x 1 0 50 0 Apr 11 11:51 westos
lftp westos@172.25.254.106:/> quit
[root@localhost mnt]# semanage fcontext -l | grep /var/ftp
/var/ftp(/.*)? all files system_u:object_r:public_content_t:s0
/var/ftp/bin(/.*)? all files system_u:object_r:bin_t:s0
/var/ftp/etc(/.*)? all files system_u:object_r:etc_t:s0
/var/ftp/lib(/.*)? all files system_u:object_r:lib_t:s0
/var/ftp/lib/ld[^/].so(.[^/])* regular file system_u:object_r:ld_so_t:s0
[root@localhost mnt]# semanage fcontext -l | grep /westos
[root@localhost mnt]# semanage fcontext -a -t public_content_t '/westos(/.*)?'
[root@localhost mnt]# semanage fcontext -l | grep /westos
/westos(/.*)? all files system_u:object_r:public_content_t:s0
[root@localhost mnt]# restorecon /westos/ -FvvR
restorecon reset /westos context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
