现象
在 ftp 服务部署中，selinux 一直是关闭的。下面演示 selinux 开启后对访问的控制：
[root@westoslinux Desktop]# touch /mnt/file
[root@westoslinux Desktop]# mv /mnt/file /var/ftp/pub
[root@westoslinux Desktop]# getenforce
Enforcing
[root@westoslinux Desktop]#
修改配置文件允许匿名用户访问后，依旧不可访问：
[root@westoslinux Desktop]# lftp 172.25.254.72
lftp 172.25.254.72:~> ls
drwxr-xr-x    2 0        0               6 Feb 17  2020 pub
lftp 172.25.254.72:/>
修改配置文件允许匿名用户上传后，依旧不可上传：
[root@westoslinux Desktop]# getenforce
Enforcing
[root@westoslinux Desktop]# lftp 172.25.254.72
lftp 172.25.254.72:~> ls
drwxr-xr-x    2 0        0               6 Feb 17  2020 pub
lftp 172.25.254.72:/> put /etc/group
put: /etc/group: Access failed: 553 Could not create file. (group)
当强制状态(Enforcing)变为警告状态(Permissive)后则可以上传，说明是 selinux 拦截了访问。警告状态只记录不拦截，排查完成后应恢复 Enforcing：
[root@westoslinux Desktop]# getenforce
Permissive
[root@westoslinux Desktop]# lftp 172.25.254.72
lftp 172.25.254.72:~> cd /pub/
lftp 172.25.254.72:/pub> put /etc/passwd
2664 bytes transferred
lftp 172.25.254.72:/pub>
1.安全上下文
当 selinux 关闭时，用 ls -Z 查看文件，文件没有安全上下文（显示为 ?）：
[root@westos-ftp ~]# getenforce
Disabled
[root@westos-ftp ~]# ls -Z /var/ftp/pub/file
? /var/ftp/pub/file
[root@westos-ftp ~]#
selinux 开启后，同一文件带有安全上下文：
[root@westos-ftp ~]# ls -Z /var/ftp/pub/file
system_u:object_r:public_content_t:s0 /var/ftp/pub/file
[root@westos-ftp ~]# getenforce
Enforcing
[root@westos-ftp ~]#
2.selinux 状态的改变
selinux 开启后，通过 setenforce 0|1 在强制状态(Enforcing)和警告状态(Permissive)之间切换，这种切换不是永久的。要关闭 selinux 或永久改变状态，需要 vim /etc/sysconfig/selinux 修改配置后重启；从关闭状态重新开启时要先 touch /.autorelabel，让重启时重新初始化（重新标记）selinux 安全上下文。
安全上下文的查看
[root@westos-ftp ~]# ls -Z /var/ftp/pub/file system_u:object_r:public_content_t:s0 /var/ftp/pub/file
[root@westoslinux Desktop]# ls -Zd /var/ftp/pub/ system_u:object_r:public_content_t:s0 /var/ftp/pub/ [root@westoslinux Desktop]#
安全上下文的修改
临时修改
chcon -t 标签 文件/目录        修改单个文件或目录的类型标签
chcon -Rt 标签 目录            递归修改目录及其中所有内容
（chcon 的修改不写入策略，restorecon 或重新标记后会被还原，因此只是临时修改）
临时修改
[root@westoslinux Desktop]# touch /mnt/file2
[root@westoslinux Desktop]# mv /mnt/file2 /var/ftp/pub/
[root@westoslinux Desktop]# setenforce
usage:  setenforce [ Enforcing | Permissive | 1 | 0 ]
[root@westoslinux Desktop]# setenforce 1
[root@westoslinux Desktop]# lftp 172.25.254.72
lftp 172.25.254.72:~> cd /pub
cd ok, cwd=/pub
lftp 172.25.254.72:/pub> ls
-rw-r--r--    1 0        0               0 Nov 04 02:55 files
-rw-------    1 14       50            988 Nov 04 02:17 group
-rw-------    1 14       50           2664 Nov 04 02:19 passwd
lftp 172.25.254.72:/pub> exit
[root@westoslinux Desktop]# getenforce
Enforcing
[root@westoslinux Desktop]#
匿名用户无法访问到 file2（mv 保留了文件在 /mnt 下的原有安全上下文，与 /var/ftp/pub 的标签不匹配）。临时修改其上下文：
[root@westoslinux Desktop]# chcon -t public_content_t /var/ftp/pub/file2
[root@westoslinux Desktop]# ls -Z /var/ftp/pub/file2
unconfined_u:object_r:public_content_t:s0 /var/ftp/pub/file2
[root@westoslinux Desktop]# lftp 172.25.254.72
lftp 172.25.254.72:~> cd /pub
cd ok, cwd=/pub
lftp 172.25.254.72:/pub> ls
-rw-r--r--    1 0        0               0 Nov 04 03:03 file2
-rw-r--r--    1 0        0               0 Nov 04 02:55 files
-rw-------    1 14       50            988 Nov 04 02:17 group
-rw-------    1 14       50           2664 Nov 04 02:19 passwd
lftp 172.25.254.72:/pub>
可以看到，安全上下文匹配后，在 selinux 开启(Enforcing)状态下匿名用户也可以查看到 file2。
永久性修改
semanage fcontext -l                                查看策略中登记的默认安全上下文
semanage fcontext -a -t 标签 '/westosidir(/.*)?'     只修改策略规则，此时 ls -Z 还看不到文件上的改变
restorecon -RvvF /westosidir/                       按策略重新标记该目录，使修改生效
touch /.autorelabel                                 或者在重启时全盘重新标记
3.sebool
即使 ftp 配置文件已经配好，并且给了目录写权限，匿名用户依旧无法上传：
[root@westoslinux ~]# semanage fcontext -a -t public_content_rw_t '/var/ftp/pub(/.*)?'
[root@westoslinux ~]# restorecon -RF /var/ftp/pub/
[root@westoslinux ~]# ls -Zd /var/ftp/pub/
system_u:object_r:public_content_rw_t:s0 /var/ftp/pub/
[root@westoslinux ~]#
[root@westoslinux ~]# getenforce
Enforcing
[root@westoslinux ~]# lftp 172.25.254.72
lftp 172.25.254.72:~> ls
drwxrwxr-x    2 0        50             60 Nov 04 03:41 pub
lftp 172.25.254.72:/> cd /pub
lftp 172.25.254.72:/pub> put /etc/group
put: /etc/group: Access failed: 553 Could not create file. (group)
lftp 172.25.254.72:/pub>
目录标签已是 public_content_rw_t 仍不能上传，此时还需要修改 sebool 的布尔值。先查看与 ftp 相关的布尔值：
[root@westoslinux ~]# getsebool -a | grep ftp ftpd_anon_write --> off ftpd_connect_all_unreserved --> off ftpd_connect_db --> off ftpd_full_access --> off ftpd_use_cifs --> off ftpd_use_fusefs --> off ftpd_use_nfs --> off ftpd_use_passive_mode --> off httpd_can_connect_ftp --> off httpd_enable_ftp_server --> off tftp_anon_write --> off tftp_home_dir --> off
修改
[root@westoslinux ~]# setsebool -P ftpd_anon_write on    # on 或者 1；-P 表示永久生效（重启后保留）
只放开匿名写入这一项，比开启 ftpd_full_access 的范围小得多。
[root@westoslinux ~]# getsebool -a | grep ftp
ftpd_anon_write --> on
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_home_dir --> off
接着上传：
[root@westoslinux ~]# lftp 172.25.254.72 lftp 172.25.254.72:~> ls drwxrwxr-x??? 2 0??????? 50???????????? 60 Nov 04 03:41 pub lftp 172.25.254.72:/> cd /pub lftp 172.25.254.72:/pub> put /etc/group 988 bytes transferred lftp 172.25.254.72:/pub>
4.seport端口的修改
当把配置文件中的端口改掉后（本例改为 222），selinux 强制状态下服务无法重启：
[root@westoslinux ~]# vim /etc/ssh/sshd_config
[root@westoslinux ~]# systemctl restart sshd
Job for sshd.service failed because the control process exited with error code.
See "systemctl status sshd.service" and "journalctl -xe" for details.
[root@westoslinux ~]# getenforce
Enforcing
改为警告状态可以重启（这只用来确认问题出在 selinux，不应作为最终方案）：
[root@westoslinux ~]# setenforce 0
[root@westoslinux ~]# getenforce
Permissive
[root@westoslinux ~]# systemctl restart sshd
[root@westoslinux ~]#
要在强制状态下也能重启服务，需要用 semanage port 把新端口登记到 ssh_port_t：
[root@westoslinux ~]# setenforce 1
[root@westoslinux ~]# getenforce
Enforcing
[root@westoslinux ~]# systemctl restart sshd
Job for sshd.service failed because the control process exited with error code.
See "systemctl status sshd.service" and "journalctl -xe" for details.
[root@westoslinux ~]# semanage port -l | grep ssh
ssh_port_t                     tcp      22
[root@westoslinux ~]# semanage port -a -t ssh_port_t -p tcp 222
[root@westoslinux ~]# semanage port -l | grep ssh
ssh_port_t                     tcp      222, 22
[root@westoslinux ~]# systemctl restart sshd
[root@westoslinux ~]#
5.setrouble
/var/log/audit/audit.log      selinux 拒绝访问(AVC denied)的原始记录
/var/log/messages             setroubleshoot 给出的问题解决方案
setroubleshoot-server.x86_64 : SELinux troubleshoot server
安装上述软件后，selinux 拒绝访问时会自动分析并把解决方案存放到 /var/log/messages。先清空日志，再制造一次拒绝访问：
lftp 172.25.254.72:/> exit
[root@westoslinux Desktop]# > /var/log/messages
[root@westoslinux Desktop]# touch /mnt/westos1
[root@westoslinux Desktop]# mv /mnt/westos1 /var/ftp
[root@westoslinux Desktop]# lftp 172.25.254.72
lftp 172.25.254.72:~> ls
-rw-r--r--    1 0        0               0 Nov 04 04:54 file3
-rw-r--r--    1 0        0               0 Nov 04 04:56 file4
drwxrwxr-x    2 0        50             73 Nov 04 04:15 pub
lftp 172.25.254.72:/>
无法查看到 westos1。查看原始拒绝记录 cat /var/log/audit/audit.log：
type=AVC msg=audit(1636002691.054:291): avc:  denied  { getattr } for  pid=8824 comm="vsftpd" path="/westos1" dev="vda3" ino=17676149 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file permissive=0
可以看到 vsftpd(ftpd_t) 对文件的 getattr 被拒绝，原因是文件仍带着 mnt_t 标签；日志中的 /westos1 应对应 /var/ftp/westos1（路径相对于 ftp 根目录）。查看解决方案 cat /var/log/messages（日志中的 #012 表示换行）：
Nov  4 13:11:45 westoslinux platform-python[8826]: SELinux is preventing vsftpd from getattr access on the file /westos1.#012#012*****  Plugin restorecon (88.2 confidence) suggests   ************************#012#012If you want to fix the label. #012/westos1 default label should be etc_runtime_t.#012Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.#012Do#012# /sbin/restorecon -v /westos1#012#012*****  Plugin catchall_boolean (7.51 confidence) suggests   ******************#012#012If you want to allow ftpd to full access#012Then you must tell SELinux about this by enabling the 'ftpd_full_access' boolean.#012#012Do#012setsebool -P ftpd_full_access 1#012#012*****  Plugin catchall_labels (4.88 confidence) suggests   
几条建议按置信度排序：优先采用置信度最高的 restorecon 修正标签；ftpd_full_access 会放开 ftpd 的完全访问(full access)，置信度低且范围过大，不应为了一个文件去开启。
*******************#012#012If you want to allow vsftpd to have getattr access on the westos1 file#012Then you need to change the label on /westos1#012Do#012# semanage fcontext -a -t FILE_TYPE '/westos1'#012where FILE_TYPE is one of the following: NetworkManager_log_t, NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_log_t, abrt_var_run_t, acct_data_t, admin_crontab_tmp_t, afs_logfile_t, aide_log_t, alsa_tmp_t, amanda_log_t, amanda_tmp_t, antivirus_log_t, antivirus_tmp_t, apcupsd_log_t, apcupsd_tmp_t, apmd_log_t, apmd_tmp_t, arpwatch_tmp_t, asterisk_log_t, asterisk_tmp_t, auditadm_sudo_tmp_t, auditd_tmp_t, auth_cache_t, automount_tmp_t, awstats_tmp_t, bacula_log_t, bacula_tmp_t, bin_t, bitlbee_log_t, bitlbee_tmp_t, blueman_tmp_t, bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_tmp_t, boinc_log_t, boinc_project_tmp_t, boinc_tmp_t, boot_t, bootloader_tmp_t, brltty_log_t, bugzilla_tmp_t, calamaris_log_t, callweaver_log_t, canna_log_t, cardmgr_dev_t, ccs_tmp_t, ccs_var_lib_t, ccs_var_log_t, cdcc_tmp_t, cert_t, certmaster_var_log_t, certmonger_tmp_t, cfengine_log_t, cgred_log_t, checkpc_log_t, chkpwd_exec_t, chrome_sandbox_tmp_t, chronyd_tmp_t, chronyd_var_log_t, cinder_api_tmp_t, cinder_backup_tmp_t, cinder_log_t, cinder_scheduler_tmp_t, cinder_volume_tmp_t, cloud_init_tmp_t, cloud_log_t, cluster_conf_t, cluster_tmp_t, cluster_var_lib_t, cluster_var_log_t, cluster_var_run_t, cobbler_tmp_t, cobbler_var_log_t, cockpit_tmp_t, cockpit_tmpfs_t, collectd_log_t, collectd_script_tmp_t, colord_tmp_t, comsat_tmp_t, condor_log_t, condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t, conman_l
sealert -l ce54ee21-1f58-47e9-8103-c659f37a4f71 | less    # 用报警 ID 分页浏览完整的解决方案
按置信度最高的建议修正标签：
[root@westoslinux Desktop]# /sbin/restorecon -v /var/ftp/westos1
Relabeled /var/ftp/westos1 from unconfined_u:object_r:mnt_t:s0 to unconfined_u:object_r:public_content_t:s0
[root@westoslinux Desktop]# lftp 172.25.254.72
lftp 172.25.254.72:~> ls
-rw-r--r--    1 0        0               0 Nov 04 04:54 file3
-rw-r--r--    1 0        0               0 Nov 04 04:56 file4
drwxrwxr-x    2 0        50             73 Nov 04 04:15 pub
-rw-r--r--    1 0        0               0 Nov 04 05:11 westos1
lftp 172.25.254.72:/>
重新标记后匿名用户即可看到 westos1（实际按 /var/ftp 下的默认规则标记为 public_content_t，而不是日志中按 /westos1 推断的 etc_runtime_t）。