
# vsftp, SELinux and firewalld: connecting the concepts, with a hands-on walkthrough

## 1: Overview

We have already covered firewalld, but on its own it does not meet every security need, and security still gets in the way of certain operations or configurations. So we go one step further and learn SELinux, which provides security at the application layer. For this part we need to master two SELinux concepts: 1. the security context; 2. policy Boolean values. These names may mean nothing to you yet, so we will run an experiment that deliberately provokes the problem, so that you feel why they matter.

## 2: Normal use of vsftp

## 3: Worked example

```console
[root@server ~]# setenforce 1
[root@server ~]# getenforce
Enforcing
[root@server ~]# chmod 777 /var/ftp/pub/
[root@localhost ~]# vi /etc/vsftpd/vsftpd.conf
local_enable=YES
local_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
[root@localhost pub]# firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: eno16777736
  sources:
  services: dhcpv6-client ftp ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
[root@localhost ftp]# ll
total 0
drwxrwxrwx. 3 root root 39 Jul 21 10:43 pub
drwxr-xr-x. 2 root root  6 Jul 21 08:49 system
```

In the setup above, firewalld already allows the ftp service and the permissions on our directories are fully open.

In the following experiment we keep the firewall on and also turn on SELinux, the security context:

Open ftp://192.168.92.129/ and first try to store a file in the pub directory on the ftp server; the output is as follows:

```console
[root@localhost pub]# setenforce 1
[root@localhost pub]# getenforce
Enforcing
[root@localhost pub]# ls -Z /var/ftp/
drwxrwxrwx. root root system_u:object_r:public_content_t:s0 pub
drwxr-xr-x. root root unconfined_u:object_r:public_content_t:s0 system
```

- `u`: the user
- `r`: the role
- `t`: the type
- `system_u`: the system administrator user
- `object_r`: the role for file and directory objects
- `public_content_t`: one particular type, out of the set of types, assigned to a subject or object
- `unconfined_u`: the unconfined user, i.e. a user without a specific definition

We can change the security context (and therefore the permissions it grants) with the following command:

`chcon`

```console
[root@localhost pub]# cd /etc/se
securetty  security/  selinux/  services  sestatus.conf
[root@localhost pub]# cd /etc/selinux/
config  semanage.conf  targeted/
[root@localhost pub]# cd /etc/selinux/targeted/
booleans.subs_dist  contexts/  logins/  modules/  policy/  .policy.sha512  setrans.conf  seusers
[root@localhost pub]# cd /etc/selinux/targeted/contexts/
[root@localhost contexts]# ls
customizable_types  default_contexts  failsafe_context  initrc_context  netfilter_contexts  securetty_types  systemd_contexts  users  virtual_image_context
dbus_contexts  default_type  files  lxc_contexts  removable_context  sepgsql_contexts  userhelper_context  virtual_domain_context  x_contexts
[root@localhost contexts]# cd files/
[root@localhost files]# ls
file_contexts  file_contexts.bin  file_contexts.homedirs  file_contexts.homedirs.bin  file_contexts.local  file_contexts.local.bin  file_contexts.subs  file_contexts.subs_dist  media
[root@localhost files]# cat file_contexts | grep public_content*
/srv/([^/]*/)?ftp(/.*)?	system_u:object_r:public_content_t:s0
/srv/([^/]*/)?rsync(/.*)?	system_u:object_r:public_content_t:s0
/var/ftp(/.*)?	system_u:object_r:public_content_t:s0
/var/spool/abrt-upload(/.*)?	system_u:object_r:public_content_rw_t:s0
[root@localhost files]#
```

The type we want is `public_content_rw_t`. Set it on the pub directory with:

`chcon -t public_content_rw_t /var/ftp/pub`

```console
[root@localhost files]# chcon -t public_content_rw_t /var/ftp/pub
[root@localhost files]# ls -Z /var/ftp/pub/
drwx------. ftp ftp system_u:object_r:public_content_t:s0 æ°æ件夹
[root@localhost files]# ls -Z /var/ftp
drwxrwxrwx. root root system_u:object_r:public_content_rw_t:s0 pub
drwxr-xr-x. root root unconfined_u:object_r:public_content_t:s0 system
[root@localhost files]#
```
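Note what the `ls -Z` output above shows: `chcon -t` relabelled /var/ftp/pub itself, but the ftp-owned folder already created inside it still carries `public_content_t` (`chcon -R` would recurse), and `file_contexts` is what the next relabel resets every label to. The script below is an added example, not code from the original post: it resolves a path against file_contexts-style rules the way libselinux does (last matching rule wins) and reports paths whose current type differs from the rule's; the rules, the extra `/var/ftp/pub` entry and the `ls -Zd` lines are constructed sample data.

```shell
# Added example, not from the original post: an offline version of the check
# restorecon performs. For each path, find the type the file_contexts rules
# assign (last matching rule wins, as in libselinux) and compare it with the
# type the path currently carries.

# Constructed file_contexts-style rules: <regex> <context>. The second line is
# the kind of entry `semanage fcontext -a` would add for the pub directory.
FILE_CONTEXTS='/var/ftp(/.*)? system_u:object_r:public_content_t:s0
/var/ftp/pub(/.*)? system_u:object_r:public_content_rw_t:s0'

# expected_type <abs-path>: print the type field of the last rule whose
# regex matches the whole path; return 1 if no rule matches.
expected_type() {
    local path=$1 regex ctx want=""
    while read -r regex ctx; do
        [ -n "$regex" ] || continue
        if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
            want=$ctx
        fi
    done <<EOF
$FILE_CONTEXTS
EOF
    [ -n "$want" ] || return 1
    printf '%s\n' "$want" | cut -d: -f3
}

# check_label "<ls -Zd line>" (fields: perms user group context path).
# Prints "OK <path>", "MISMATCH <path> <have> -> <want>" (status 1) or
# "NORULE <path>" (status 2).
check_label() {
    set -- $1
    local ctx=$4 name=$5 have want
    have=$(printf '%s\n' "$ctx" | cut -d: -f3)
    want=$(expected_type "$name") || { echo "NORULE $name"; return 2; }
    if [ "$have" = "$want" ]; then
        echo "OK $name"
    else
        echo "MISMATCH $name $have -> $want"
        return 1
    fi
}

# Constructed `ls -Zd` output reproducing the post's state after the
# non-recursive `chcon -t public_content_rw_t /var/ftp/pub`: the parent is
# relabelled, the folder an FTP client had created inside it is not.
SAMPLE='drwxrwxrwx. root root system_u:object_r:public_content_rw_t:s0 /var/ftp/pub
drwx------. ftp ftp system_u:object_r:public_content_t:s0 /var/ftp/pub/upload'
printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
    check_label "$line" || true   # keep going so every path is reported
done
```

On a live host `restorecon -nv /var/ftp/pub` performs this comparison against the installed policy. Because a `chcon` change is lost on the next relabel, the durable way to keep `public_content_rw_t` is `semanage fcontext -a -t public_content_rw_t '/var/ftp/pub(/.*)?'` followed by `restorecon -R /var/ftp/pub`.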

```console
[root@localhost targeted]# getsebool -a | grep ftp
ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@localhost targeted]# setsebool -P ftpd_anon_write=on
[root@localhost targeted]# getsebool -a | grep ftp
ftp_home_dir --> off
ftpd_anon_write --> on
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@localhost targeted]#
```

After the steps above, we can read and write data normally again.
