selinux

xiaoxiao 2021-04-15

################# SELinux management

1. What is SELinux
SELinux is short for Security-Enhanced Linux.

2. SELinux mode
getenforce                   ## show the current mode
1) While SELinux is enabled:
setenforce 0|1               ## switch the mode at runtime (0 = permissive, 1 = enforcing); takes effect immediately but does not survive a reboot
vim /etc/sysconfig/selinux   ## persistent setting, chosen with the SELINUX= line:
enforcing  - SELinux security policy is enforced.            ##### on: denials are blocked
permissive - SELinux prints warnings instead of enforcing.   ### denials are only logged
disabled   - No SELinux policy is loaded.                    ### off

3. How to change a file's security context
1) Temporary change (it is lost the next time the file is relabeled):
chcon -t <type> <file>       ## set only the type part of the context

[root@localhost pub]# ls -lZ /var/ftp/pub/
-rwxrwxr-x. root ftp unconfined_u:object_r:public_content_t:s0 file1
-rwxrwxr-x. root ftp unconfined_u:object_r:public_content_t:s0 file2
-rwxrwxr-x. ftp  ftp system_u:object_r:public_content_t:s0 passwd

2) Permanent change
semanage fcontext -l                                   ## list the file-context rules stored in the policy
semanage fcontext -a -t public_content_t '/dir(/.*)?'  ## -a adds a rule, -t gives the type to assign; the pattern covers /dir and everything below it
restorecon -FvvR /dir                                  ## apply the stored rules to the files on disk: -F force a full reset, -v show each directory as it is relabeled, -vv show directories and files, -R recurse

4. SELinux booleans (getsebool / setsebool)
Note the error below: the persistent flag is an upper-case -P; lower-case -p is not an option.

[root@localhost mnt]# getsebool -a | grep ftp
ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@localhost mnt]# setsebool -p ftp_home_dir on
setsebool: invalid option -- 'p'

Usage: setsebool [ -NPV ] boolean value | bool1=val1 bool2=val2…

[root@localhost mnt]# setsebool -P ftp_home_dir on
[root@localhost mnt]# lftp 172.25.254.106 -u westos
Password:
Interrupt
[root@localhost mnt]# passwd westos
Changing password for user westos.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost mnt]# lftp 172.25.254.106 -u westos
Password:
lftp westos@172.25.254.106:~> ls
ls: Login failed: 530 Login incorrect.
lftp westos@172.25.254.106:~> quit
[root@localhost mnt]# vim /etc/vsftpd/vsftpd.conf
[root@localhost mnt]# systemctl restart vsftpd
[root@localhost mnt]# lftp 172.25.254.106 -u westos
Password:
lftp westos@172.25.254.106:~> ls
drwxrwxr-x    2 0        50             43 Apr 11 12:06 pub
-rwxrwxr-x    1 0        50              0 Apr 11 11:51 westos
lftp westos@172.25.254.106:/> quit
[root@localhost mnt]# semanage fcontext -l | grep /var/ftp
/var/ftp(/.*)?                        all files      system_u:object_r:public_content_t:s0
/var/ftp/bin(/.*)?                    all files      system_u:object_r:bin_t:s0
/var/ftp/etc(/.*)?                    all files      system_u:object_r:etc_t:s0
/var/ftp/lib(/.*)?                    all files      system_u:object_r:lib_t:s0
/var/ftp/lib/ld[^/]*\.so(\.[^/]*)*    regular file   system_u:object_r:ld_so_t:s0
[root@localhost mnt]# semanage fcontext -l | grep /westos
[root@localhost mnt]# semanage fcontext -a -t public_content_t '/westos(/.*)?'
[root@localhost mnt]# semanage fcontext -l | grep /westos
/westos(/.*)?                         all files      system_u:object_r:public_content_t:s0
[root@localhost mnt]# restorecon /westos/ -FvvR
restorecon reset /westos context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
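The two things this post changes, file contexts (section 3) and FTP booleans (section 4), are also the two things that drift silently on a server: a file copied into /var/ftp keeps the wrong type, or a `setsebool -P` from an old troubleshooting session is never turned back off. The script below is an added example, not part of the original post, that audits both from captured `ls -lZ` and `getsebool -a` output rather than from the live system, so it runs on any host. The two sample inputs are constructed to resemble the post's output; the list of "write-widening" booleans to watch is this example's own choice, taken from the names in the post's getsebool listing.

```shell
#!/bin/sh
# Added example, not from the original post: audit SELinux file-context and
# boolean drift from captured command output, so it runs without SELinux.

# Constructed sample of "ls -lZ /var/ftp/pub/" in which file2 has drifted
# away from public_content_t (as it would after a copy from another directory).
SAMPLE_LS='-rwxrwxr-x. root ftp unconfined_u:object_r:public_content_t:s0 file1
-rwxrwxr-x. root ftp unconfined_u:object_r:default_t:s0 file2
-rwxrwxr-x. ftp ftp system_u:object_r:public_content_t:s0 passwd'

# Constructed sample of "getsebool -a | grep ftp" after "setsebool -P" was
# run on two booleans.
SAMPLE_BOOLS='ftp_home_dir --> on
ftpd_anon_write --> off
ftpd_full_access --> on
ftpd_use_passive_mode --> off'

# Booleans that widen what the FTP daemons may write. The names come from the
# post's getsebool listing; choosing these four to watch is an assumption of
# this example.
WATCHED_BOOLS='ftpd_anon_write ftpd_full_access sftpd_anon_write sftpd_full_access'

# wrong_type_files EXPECTED_TYPE   (reads "ls -lZ" lines on stdin)
# Prints the name of every file whose SELinux type is not EXPECTED_TYPE.
# In this ls format field 4 is user:role:type:level and field 5 is the name.
wrong_type_files() {
    awk -v want="$1" '{ split($4, ctx, ":"); if (ctx[3] != want) print $5 }'
}

# booleans_on "NAME NAME ..."   (reads "getsebool -a" lines on stdin)
# Prints each watched boolean that is currently on. A getsebool line is
# "name --> on|off", so the name is field 1 and the value is field 3.
booleans_on() {
    awk -v watch="$1" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) names[w[i]] = 1 }
        ($1 in names) && $3 == "on" { print $1 }'
}

# Stand-alone run over the constructed samples; the suggested fixes are the
# commands the post itself uses.
printf '%s\n' "$SAMPLE_LS" | wrong_type_files public_content_t |
    while read -r f; do
        echo "context drift: $f is not public_content_t (fix: restorecon -Fv /var/ftp/pub/$f)"
    done
printf '%s\n' "$SAMPLE_BOOLS" | booleans_on "$WATCHED_BOOLS" |
    while read -r b; do
        echo "write-widening boolean is on: $b (review it, or: setsebool -P $b off)"
    done
```

On a real host you would feed the functions live output instead of the samples (`ls -lZ /var/ftp/pub/ | wrong_type_files public_content_t`, `getsebool -a | booleans_on "$WATCHED_BOOLS"`); the parsers only assume the two column layouts shown in the post's own output.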

Please credit the original source when reposting: https://ju.6miu.com/read-670837.html
