1.完全重新安装vsftpd
rm -rf /etc/vsftpd/ ##删除旧配置目录,让 reinstall 写回默认配置文件;如果这台机器上有自定义过的 vsftpd 配置,先备份(cp -a /etc/vsftpd /root/vsftpd.bak)再删
yum reinstall vsftpd lftp -y
vim /etc/sysconfig/selinux ##把 SELINUX= 一行改为 enforcing(内核 selinux 强制模式)
reboot ##重新启动使 selinux 的改动生效;注意:如果之前是 disabled,重启前通常还要 touch /.autorelabel,否则文件系统上缺失或过期的标签会导致大量莫名其妙的拒绝;如果之前只是 permissive,直接 setenforce 1 即可即时生效,不必重启
[root@localhost ~]# getenforce ##查询selinux状态
Enforcing ##强制并拒绝
touch /var/ftp/haha ##直接在/var/ftp/建立文件
touch /mnt/xixi
mv /mnt/xixi /var/ftp ##建立文件再移动到/var/ftp/
lftp连接后查看
[kiosk@foundation32 ~]$ lftp 172.25.254.232
lftp 172.25.254.232:~> ls
-rw-r--r-- 1 0 0 0 Jan 24 05:06 haha
drwxr-xr-x 2 0 0 6 Mar 07 2014 pub
移动过来的文件因为 mv 在同一文件系统内只是重命名(inode 不变),安全上下文仍然是在 /mnt 下建立时得到的 mnt_t,而 vsftpd 进程(ftpd_t)不允许读取 mnt_t 类型的文件,因此 lftp 看不到它;若改用 cp,新建的文件会继承 /var/ftp 的 public_content_t,就不会有这个问题
临时改变上下文特性(chcon 只改写 inode 上的标签,不写入策略;下一次 restorecon 或整盘重新打标时会被还原,所以说是"临时"的)
chcon -t public_content_t /var/ftp/xixi
[root@localhost ~]# ls /var/ftp -Z
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 haha
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 pub
-rw-r--r--. root root unconfined_u:object_r:mnt_t:s0 xixi
-------
[root@localhost ~]# chcon -t public_content_t /var/ftp/xixi
[root@localhost ~]# ls /var/ftp -Z
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 haha
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 pub
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 xixi
-------------------
改之前与改之后:
[kiosk@foundation32 Desktop]$ lftp 172.25.254.232
lftp 172.25.254.232:~> ls ##无法看到xixi
-rw-r--r-- 1 0 0 0 Jan 24 05:06 haha
drwxr-xr-x 2 0 0 6 Mar 07 2014 pub
lftp 172.25.254.232:/> quit
[kiosk@foundation32 Desktop]$ lftp 172.25.254.232
lftp 172.25.254.232:~> ls ##可以看到xixi
-rw-r--r-- 1 0 0 0 Jan 24 05:06 haha
drwxr-xr-x 2 0 0 6 Mar 07 2014 pub
-rw-r--r-- 1 0 0 0 Jan 24 05:12 xixi
[root@localhost ftp]# mkdir /westos
[root@localhost ftp]# ls -Z /westos/
[root@localhost ftp]# touch /westos/westosfile{1..3} ##bash 花括号展开,一次生成 westosfile1~3(原文中的"…"是网页转码出来的省略号,命令里应是两个点)
[root@localhost ftp]# ls -Z /westos/
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile1
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile2
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 westosfile3
[root@localhost ftp]# ls -Z /westos/ -d
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /westos/
[root@localhost ftp]# vim /etc/vsftpd/vsftpd.conf
anon_root=/westos ##修改匿名用户根目录为/westos(目录保持 root 所有、ftp 用户不可写,vsftpd 会拒绝以可写目录作为匿名根;需要上传时只把其下的子目录设为可写)
[root@localhost ftp]# systemctl restart vsftpd.service
[root@localhost ftp]# lftp 172.25.254.232
lftp 172.25.254.232:~> ls ##看不到:/westos 及其中文件的类型是 default_t,ftpd_t 无权读取,所以列表为空(并不会报错,排错时要想到 SELinux)
lftp 172.25.254.232:/> quit
[root@localhost ftp]# chcon -t public_content_t /westos/ -R
##修改上下文关系
[root@localhost ftp]# ls -Z /westos/ -d
drwxr-xr-x. root root unconfined_u:object_r:public_content_t:s0 /westos/
[root@localhost ftp]# lftp 172.25.254.232
lftp 172.25.254.232:~> ls ##可以看到
-rw-r--r-- 1 0 0 0 Jan 24 06:24 westosfile1
-rw-r--r-- 1 0 0 0 Jan 24 06:24 westosfile2
-rw-r--r-- 1 0 0 0 Jan 24 06:24 westosfile3
lftp 172.25.254.232:/> quit
注意:chcon 写到 inode 上的标签通常不会因为 reboot 本身丢失,但只要对该路径执行 restorecon、或系统触发整盘重新打标(/.autorelabel、SELinux 从 disabled 切回 enforcing 等),/westos 就会按策略里的规则被还原成 default_t,又会看不到——因为 chcon 只改了标签,没有改策略
永久更改上下文(把规则写入策略的本地 file_contexts,之后任何 restorecon 或重新打标都会得到 public_content_t)
[root@localhost ftp]# ls -Zd /westos/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /westos/
[root@localhost ftp]# semanage fcontext -a -t public_content_t '/westos(/.*)?' ##永久修改上下文关系
[root@localhost ftp]# semanage fcontext -l | grep westos ##查看westos与内部文件修改的上下文关系
/westos(/.*)? all files system_u:object_r:public_content_t:s0
[root@localhost ftp]# ls -Zd /westos/ ##查看安全上下文关系,并未改变,需要刷新
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /westos/
[root@localhost ftp]# restorecon -FvvR /westos/ ##刷新文件安全上下文
restorecon reset /westos context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/westosfile1 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/westosfile2 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/westosfile3 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
[root@localhost ftp]# ls -Zd /westos/ ##再次查看,可以看到成功修改了上下文关系
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /westos/
本地用户上传开关(安全提示:下面 -u student 登录时口令以明文在网络上传输,FTP 协议本身不加密;实验环境以外应启用 vsftpd 的 ssl_enable=YES(FTPS)或改用 SFTP)
[root@localhost ftp]# lftp 172.25.254.232 -u student
Password:
lftp student@172.25.254.232:~> ls
lftp student@172.25.254.232:~> put /etc/passwd ##本地用户无法上传(家目录的 DAC 权限是够的,拦截的是 SELinux:ftp_home_dir 关闭时 ftpd_t 不能写用户家目录)
put: Access failed: 553 Could not create file. (passwd)
lftp student@172.25.254.232:~> quit
[root@localhost ftp]# getsebool -a | grep ftp ##查看权限是否开启
ftp_home_dir --> off ##不允许本地用户上传
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@localhost ftp]# setsebool -P ftp_home_dir on ##允许 ftpd_t 读写用户家目录(-P 写入策略,重启后仍有效);这只是解开 SELinux 这一层,前提是 vsftpd.conf 中 write_enable=YES(RHEL 7 默认配置已开启,本文未展示)。不要图省事改用 ftpd_full_access,那会解除对整个文件系统的限制
[root@server ~]# lftp 172.25.254.232 -u student
Password:
lftp student@172.25.254.232:~> ls
lftp student@172.25.254.232:~> put /etc/passwd ##成功上传
2048 bytes transferred
lftp student@172.25.254.232:~> ls
-rw-r--r-- 1 1000 1000 2048 Feb 14 12:29 passwd
匿名用户上传文件
[root@localhost ftp]# vim /etc/vsftpd/vsftpd.conf
12 anonymous_enable=YES
13 #anon_root=/westos
29 # When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access ##配置文件注释里写的是旧的布尔名,RHEL 7 上对应 getsebool 显示的 ftpd_anon_write / ftpd_full_access
30 anon_upload_enable=YES ##允许匿名用户上传(安全提示:任何人都能往可写目录里放文件,等于开放的公共投递箱,可被用来存放恶意软件或盗版内容;只在确有需要时开启,并配合 anon_mkdir_write_enable=NO、anon_other_write_enable=NO、目录配额,且只对内网开放)
[root@server ~]# systemctl restart vsftpd.service
[root@server ~]# lftp 172.25.254.232
lftp 172.25.254.232:~> ls
drwxr-xr-x 2 0 0 6 Mar 07 2014 pub
lftp 172.25.254.232:/> cd pub/
lftp 172.25.254.232:/pub> ls
lftp 172.25.254.232:/pub> put /etc/passwd
put: Access failed: 553 Could not create file. (passwd)
lftp 172.25.254.232:/pub>
[root@server ~]# chmod 775 /var/ftp/pub/ ##只给属组加写权限,不要用 777(other 可写意味着本机任何用户都能往里写)
[root@server ~]# chgrp ftp /var/ftp/pub/ ##匿名会话以 ftp 用户(uid 14、gid 50)身份运行,所以把属组改成 ftp 即可获得写权限
[root@server ~]# lftp 172.25.254.232
lftp 172.25.254.232:~> ls
drwxrwxr-x 2 0 50 6 Mar 07 2014 pub
lftp 172.25.254.232:/> cd pub/
lftp 172.25.254.232:/pub> put /etc/passwd ##再次上传
put: Access failed: 553 Could not create file. (passwd) ##DAC 权限已经足够(drwxrwxr-x、属组 ftp)却仍被拒绝,说明拦截的是 SELinux,见下面的布尔值
lftp 172.25.254.232:/pub> quit
[root@localhost ftp]# getsebool -a | grep ftp ##查询权限开关
ftp_home_dir --> on
ftpd_anon_write --> off ##ftp匿名用户写权限关闭
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@localhost ftp]# setsebool -P ftpd_anon_write on ##打开ftp匿名用户写权限
[root@localhost ftp]# lftp 172.25.254.232
lftp 172.25.254.232:~> cd pub/
lftp 172.25.254.232:/pub> ls
lftp 172.25.254.232:/pub> put /etc/passwd
put: Access failed: 553 Could not create file. (passwd) ##仍然失败:ftpd_anon_write 只放行对 public_content_rw_t 类型的写入,而 pub 目前还是 public_content_t(见下面 ls -Zd 的输出),布尔值和文件类型两者缺一不可
lftp 172.25.254.232:/pub> quit
示例:
[root@localhost ftp]# ls -Zd /var/ftp/pub/
drwxrwxr-x. root ftp system_u:object_r:public_content_t:s0 /var/ftp/pub/
[root@localhost ftp]# semanage fcontext -a -t public_content_rw_t '/var/ftp/pub(/.*)?'
##开启上下文写权限;与上面 /westos 的写法保持一致,用 (/.*)? 把目录下已有文件一并纳入规则(只写 /var/ftp/pub 则规则只匹配目录本身,restorecon 不会改里面已有文件的标签);只把需要可写的子目录标成 rw_t,/var/ftp 本身保持只读的 public_content_t
[root@localhost ftp]# restorecon -RvvF /var/ftp/pub/ ##刷新安全上下文
restorecon reset /var/ftp/pub context system_u:object_r:public_content_t:s0->system_u:object_r:public_content_rw_t:s0
[root@localhost ftp]# ls -Zd /var/ftp/pub/ ##查看上下文权限
drwxrwxr-x. root ftp system_u:object_r:public_content_rw_t:s0 /var/ftp/pub/
[root@localhost ftp]# lftp 172.25.254.232
lftp 172.25.254.232:~> cd pub/
lftp 172.25.254.232:/pub> ls
lftp 172.25.254.232:/pub> put /etc/passwd ##成功上传
2048 bytes transferred
lftp 172.25.254.232:/pub> ls
-rw------- 1 14 50 2048 Jan 24 07:22 passwd ##文件以 ftp 用户(uid 14)身份创建、权限 600:这是 vsftpd 默认 anon_umask=077 的效果,其他匿名用户互相看不到上传的内容;不要为了"方便"把 anon_umask 改成 022,否则服务器会变成公共文件中转站
lftp 172.25.254.232:/pub>
selinux 有两种运行模式,可以使用 setenforce 0|1 临时切换(不写入 /etc/sysconfig/selinux,重启后恢复为配置文件里的值)
setenforce 1 ##Enforcing:拒绝违反策略的访问,并记录 AVC
setenforce 0 ##Permissive:只记录警告、不拒绝,用于排错定位;排错完毕务必切回 1,不要让生产系统长期停在 permissive
测试:
[root@localhost ~]# touch /mnt/file
[root@localhost ~]# mv /mnt/file /var/ftp ##建立文件移动到/var/ftp
[root@localhost ~]# lftp 172.25.254.232
lftp 172.25.254.232:~> ls ##匿名用户看不到 file(列出的 test 应是此前直接在 /var/ftp 下建立的、标签正确的文件,上文未展示)
drwxrwxr-x 2 0 50 19 Jan 24 07:22 pub
-rw-r--r-- 1 0 0 0 Jan 24 06:17 test
lftp 172.25.254.232:/> quit
[root@localhost ~]# getenforce
Enforcing ##因为selinux为拒绝模式
[root@localhost ~]# setenforce 0 ##设置为警告模式
[root@localhost ~]# getenforce
Permissive
[root@localhost ~]# lftp 172.25.254.232
lftp 172.25.254.232:~> ls ##可以查看
-rw-r--r-- 1 0 0 0 Jan 24 08:13 file
drwxrwxr-x 2 0 50 19 Jan 24 07:22 pub
lftp 172.25.254.232:/> quit
[root@localhost ~]# > /var/log/audit/audit.log ##清空日志(仅限实验机:审计日志是取证依据,生产环境不要清空;要看最近的拒绝记录用 ausearch -m avc -ts recent 即可,无需截断文件)
[root@localhost ~]# cat /var/log/audit/audit.log ##查看日志中警告
type=AVC msg=audit(1548317729.316:760): avc: denied { read } for pid=7870 comm="vsftpd" name="file" dev="vda1" ino=8962113 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file
解读上面这条 AVC 记录:scontext 是 ftpd_t(vsftpd 进程),tcontext 是 mnt_t(从 /mnt 移过来的 file 仍带着旧标签),read 操作被拒绝——正对应前面 mv 不改变上下文的问题;permissive 模式下这类记录照样产生,只是不真正拦截
selinux 如何获取报错的解决方案
[root@localhost ~]# rpm -qa | grep setroubleshoot
setroubleshoot-server-3.2.17-2.el7.x86_64 ##提供解决方案的软件
setroubleshoot-3.2.17-2.el7.x86_64
setroubleshoot-plugins-3.0.59-1.el7.noarch
[root@localhost ~]# yum install setroubleshoot-server-3.2.17-2.el7.x86_64
##安装此软件(上面 rpm -qa 已显示装好则跳过);装好后 setroubleshootd 会把分析结果写入 /var/log/messages,也可以直接用 sealert -a /var/log/audit/audit.log 对现有审计日志做分析
[root@localhost ~]# > /var/log/messages ##清空日志(同样仅限实验机;生产环境改用 tail -f /var/log/messages 或 journalctl -u setroubleshootd 观察新增内容)
[root@localhost ~]# lftp 172.25.254.232
lftp 172.25.254.232:~> ls
-rw-r--r-- 1 0 0 0 Jan 24 08:13 file
drwxr-xr-x 2 0 0 6 Jan 24 08:25 pub
-rw-r--r-- 1 0 0 0 Jan 24 06:17 test
lftp 172.25.254.232:/> cd pub/ ##进入没有写权限的pub/
lftp 172.25.254.232:/pub> ls
lftp 172.25.254.232:/pub> put /etc/passwd ##在pub里搞事
put: Access failed: 553 Could not create file. (passwd) ##权限太小被拒绝
lftp 172.25.254.232:/pub> quit
[root@localhost ~]# cat /var/log/messages ##查看日志
***** Plugin catchall_boolean (57.6 confidence) suggests ******************
If you want to allow ftpd to full access
Then you must tell SELinux about this by enabling the 'ftpd_full_access' boolean.
You can read 'None' man page for more details.
Do
setsebool -P ftpd_full_access 1 ##出现解决方案——但不要照抄:ftpd_full_access 会让 vsftpd 对整个文件系统的读写不再受标签限制,相当于放弃 SELinux 对 ftp 的约束;本例的正确做法是前面演示的把目标目录标为 public_content_rw_t 并打开 ftpd_anon_write(即下面 catchall_labels 插件的思路),置信度数值高不代表方案更安全
***** Plugin catchall_labels (36.2 confidence) suggests *******************