1.完全重新安装vsftpd

rm -rf /etc/vsftpd/
yum reinstall vsftpd  lftp -y
vim /etc/sysconfig/selinux		##内核selinux改为enforcing
reboot							##重新启动使selinux的改动生效

[root@localhost ~]# getenforce 		##查询selinux状态
Enforcing							##强制并拒绝

touch /var/ftp/haha				##直接在/var/ftp/建立文件
touch /mnt/xixi
mv /mnt/xixi /var/ftp			##建立文件再移动到/var/ftp/

lftp连接后查看
[kiosk@foundation32 ~]$ lftp 172.25.254.232
lftp 172.25.254.232:~> ls
-rw-r--r--    1 0        0               0 Jan 24 05:06 haha
drwxr-xr-x    2 0        0               6 Mar 07  2014 pub

移动过来的文件因为只是重命名过程，上下文特性不变，因此无法使用lftp查看

临时改变上下文特性

chcon -t public_content_t /var/ftp/xixi

[root@localhost ~]# ls /var/ftp -Z
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 haha
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 pub
-rw-r--r--. root root unconfined_u:object_r:mnt_t:s0   xixi
					    -------
[root@localhost ~]# chcon -t public_content_t /var/ftp/xixi 
[root@localhost ~]# ls /var/ftp -Z
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 haha
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 pub
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 xixi
					    -------------------

改之前与改之后：
[kiosk@foundation32 Desktop]$ lftp 172.25.254.232
lftp 172.25.254.232:~> ls ##无法看到xixi
-rw-r–r-- 1 0 0 0 Jan 24 05:06 haha
drwxr-xr-x 2 0 0 6 Mar 07 2014 pub
lftp 172.25.254.232:/> quit
[kiosk@foundation32 Desktop]$ lftp 172.25.254.232
lftp 172.25.254.232:~> ls ##可以看到xixi
-rw-r–r-- 1 0 0 0 Jan 24 05:06 haha
drwxr-xr-x 2 0 0 6 Mar 07 2014 pub
-rw-r–r-- 1 0 0 0 Jan 24 05:12 xixi

[root@localhost ftp]# mkdir /westos
[root@localhost ftp]# ls -Z /westos/
[root@localhost ftp]# touch /westos/westosfile{1…3}
[root@localhost ftp]# ls -Z /westos/
-rw-r–r--. root root unconfined_u:object_r:default_t:s0 westosfile1
-rw-r–r--. root root unconfined_u:object_r:default_t:s0 westosfile2
-rw-r–r--. root root unconfined_u:object_r:default_t:s0 westosfile3
[root@localhost ftp]# ls -Z /westos/ -d
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /westos/
[root@localhost ftp]# vim /etc/vsftpd/vsftpd.conf
anon_root=/westos ##修改匿名用户家目录为/westos

[root@localhost ftp]# systemctl restart vsftpd.service
[root@localhost ftp]# lftp 172.25.254.232
lftp 172.25.254.232:~> ls ##看不到
lftp 172.25.254.232:/> quit
[root@localhost ftp]# chcon -t public_content_t /westos/ -R
##修改上下文关系
[root@localhost ftp]# ls -Z /westos/ -d
drwxr-xr-x. root root unconfined_u:object_r:public_content_t:s0 /westos/
[root@localhost ftp]# lftp 172.25.254.232
lftp 172.25.254.232:~> ls ##可以看到
-rw-r–r-- 1 0 0 0 Jan 24 06:24 westosfile1
-rw-r–r-- 1 0 0 0 Jan 24 06:24 westosfile2
-rw-r–r-- 1 0 0 0 Jan 24 06:24 westosfile3
lftp 172.25.254.232:/> quit
重启selinux，reboot之后又会看不到，因为更改是临时的

永久更改上下文

[root@localhost ftp]# ls -Zd /westos/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /westos/
[root@localhost ftp]# semanage fcontext -a -t public_content_t '/westos(/.*)?'						##永久修改上下文关系
[root@localhost ftp]# semanage fcontext -l | grep  westos	##查看westos与内部文件修改的上下文关系
/westos(/.*)?                                      all files          system_u:object_r:public_content_t:s0 

[root@localhost ftp]# ls -Zd /westos/		##查看安全上下文关系，并未改变，需要刷新
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /westos/
[root@localhost ftp]# restorecon -FvvR /westos/		##刷新文件安全上下文
restorecon reset /westos context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/westosfile1 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/westosfile2 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /westos/westosfile3 context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0

[root@localhost ftp]# ls -Zd /westos/		##再次查看，可以看到成功修改了上下文关系
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /westos/

本地用户上传开关

[root@localhost ftp]# lftp 172.25.254.232 -u student
Password: 
lftp [email protected]:~> ls      
lftp [email protected]:~> put /etc/passwd		##本地用户无法上传
put: Access failed: 553 Could not create file. (passwd)
lftp [email protected]:~> quit

[root@localhost ftp]# getsebool -a | grep ftp		##查看权限是否开启
ftp_home_dir --> off					##不允许本地用户上传
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@localhost ftp]# setsebool  -P ftp_home_dir on	##打开上传

[root@server ~]#  lftp 172.25.254.232 -u student
Password: 
lftp [email protected]:~> ls      
lftp [email protected]:~> put /etc/passwd		##成功上传
2048 bytes transferred
lftp [email protected]:~> ls
-rw-r--r--    1 1000     1000         2048 Feb 14 12:29 passwd

匿名用户上传文件

[root@localhost ftp]# vim /etc/vsftpd/vsftpd.conf 
 12 anonymous_enable=YES
 13 #anon_root=/westos

29 # When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftp    d_full_access
 30 anon_upload_enable=YES		##允许匿名用户上传

[root@server ~]# systemctl restart vsftpd.service
[root@server ~]# lftp 172.25.254.232
lftp 172.25.254.232:~> ls
drwxr-xr-x    2 0        0               6 Mar 07  2014 pub
lftp 172.25.254.232:/> cd pub/
lftp 172.25.254.232:/pub> ls
lftp 172.25.254.232:/pub> put /etc/passwd
put: Access failed: 553 Could not create file. (passwd)
lftp 172.25.254.232:/pub> 

[root@server ~]# chmod 775 /var/ftp/pub/
[root@server ~]# chgrp ftp /var/ftp/pub/		##修改权限
[root@server ~]# lftp 172.25.254.232
lftp 172.25.254.232:~> ls
drwxrwxr-x    2 0        50              6 Mar 07  2014 pub
lftp 172.25.254.232:/> cd pub/
lftp 172.25.254.232:/pub> put /etc/passwd		##再次上传
put: Access failed: 553 Could not create file. (passwd)	##权限过小
lftp 172.25.254.232:/pub> quit

[root@localhost ftp]# getsebool -a | grep ftp			##查询权限开关
ftp_home_dir --> on
ftpd_anon_write --> off					##ftp匿名用户写权限关闭
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@localhost ftp]# setsebool -P ftpd_anon_write on	##打开ftp匿名用户写权限
[root@localhost ftp]# lftp 172.25.254.232
lftp 172.25.254.232:~> cd pub/
lftp 172.25.254.232:/pub> ls
lftp 172.25.254.232:/pub> put /etc/passwd
put: Access failed: 553 Could not create file. (passwd)	##权限过小
lftp 172.25.254.232:/pub> quit

示例：

[root@localhost ftp]# ls -Zd /var/ftp/pub/
drwxrwxr-x. root ftp system_u:object_r:public_content_t:s0 /var/ftp/pub/

[root@localhost ftp]# semanage fcontext -a -t public_content_rw_t /var/ftp/pub
						##开启上下文写权限
[root@localhost ftp]# restorecon -RvvF /var/ftp/pub/	##刷新安全上下文
restorecon reset /var/ftp/pub context system_u:object_r:public_content_t:s0->system_u:object_r:public_content_rw_t:s0
[root@localhost ftp]# ls -Zd /var/ftp/pub/	##查看上下文权限
drwxrwxr-x. root ftp system_u:object_r:public_content_rw_t:s0 /var/ftp/pub/

[root@localhost ftp]# lftp 172.25.254.232
lftp 172.25.254.232:~> cd pub/
lftp 172.25.254.232:/pub> ls
lftp 172.25.254.232:/pub> put /etc/passwd	##成功上传
2048 bytes transferred
lftp 172.25.254.232:/pub> ls
-rw-------    1 14       50           2048 Jan 24 07:22 passwd
lftp 172.25.254.232:/pub> 

selinux有两种模式，可以使用setenforce 0|1进行修改

setenforce 1 ##Enforcing，拒绝访问

setenforce 0 ##peremissive警告，不拒绝

测试:

[root@localhost ~]# touch /mnt/file
[root@localhost ~]# mv /mnt/file /var/ftp		##建立文件移动到/var/ftp
[root@localhost ~]# lftp 172.25.254.232
lftp 172.25.254.232:~> ls				##匿名用户看不到
drwxrwxr-x    2 0        50             19 Jan 24 07:22 pub
-rw-r--r--    1 0        0               0 Jan 24 06:17 test
lftp 172.25.254.232:/> quit

[root@localhost ~]# getenforce 
Enforcing						##因为selinux为拒绝模式
[root@localhost ~]# setenforce 0			##设置为警告模式   
[root@localhost ~]# getenforce 
Permissive
[root@localhost ~]# lftp 172.25.254.232
lftp 172.25.254.232:~> ls				##可以查看
-rw-r--r--    1 0        0               0 Jan 24 08:13 file
drwxrwxr-x    2 0        50             19 Jan 24 07:22 pub
lftp 172.25.254.232:/> quit

[root@localhost ~]# > /var/log/audit/audit.log 		##清空日志
[root@localhost ~]# cat /var/log/audit/audit.log 	##查看日志中警告
type=AVC msg=audit(1548317729.316:760): avc:  denied  { read } for  pid=7870 comm="vsftpd" name="file" dev="vda1" ino=8962113 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file

selinux 如何获取报错的解决方案

[root@localhost ~]# rpm -qa | grep setroubleshoot
setroubleshoot-server-3.2.17-2.el7.x86_64	##提供解决方案的软件
setroubleshoot-3.2.17-2.el7.x86_64
setroubleshoot-plugins-3.0.59-1.el7.noarch

[root@localhost ~]# yum install setroubleshoot-server-3.2.17-2.el7.x86_64
						##下载此软件

[root@localhost ~]# > /var/log/messages 	##清空日志
[root@localhost ~]# lftp 172.25.254.232		
lftp 172.25.254.232:~> ls
-rw-r--r--    1 0        0               0 Jan 24 08:13 file
drwxr-xr-x    2 0        0               6 Jan 24 08:25 pub
-rw-r--r--    1 0        0               0 Jan 24 06:17 test
lftp 172.25.254.232:/> cd pub/			##进入没有写权限的pub/
lftp 172.25.254.232:/pub> ls
lftp 172.25.254.232:/pub> put /etc/passwd	##在pub里搞事
put: Access failed: 553 Could not create file. (passwd)	##权限太小被拒绝
lftp 172.25.254.232:/pub> quit

[root@localhost ~]# cat /var/log/messages 	##查看日志

*****  Plugin catchall_boolean (57.6 confidence) suggests   ******************

If you want to allow ftpd to full access
Then you must tell SELinux about this by enabling the 'ftpd_full_access' boolean.
You can read 'None' man page for more details.
Do
setsebool -P ftpd_full_access 1			##出现解决方案

*****  Plugin catchall_labels (36.2 confidence) suggests   *******************