主页 > 知识库 > 服务器 > Linux/BSD >

RHEL6.1 vsftpd SELinux配置和开启本地用户上传

来源: 作者: 发表于:2012-08-22 22:29  点击:
RHEL6.1 vsftpd SE配置和开启本地用户上传修改/etc/vsftpd.conf,设置anonymous_enable=NO,local_enable=YES。这样,我们就禁止了匿名 用户的访问并且允许了本地用户访问 www.cit.cn =====================================================================
RHEL6.1 vsftpd SE配置和开启本地用户上传   修改/etc/vsftpd.conf,设置anonymous_enable=NO,local_enable=YES。这样,我们就禁止了匿名
用户的访问并且允许了本地用户访问  www.cit.cn   ========================================================================================== 将用户加入ftp组,并设置linux权限 [root@www ~]# usermod -aG ftp alexscript [root@www ~]# groups alexscript [root@www ~]# chown ftp:ftp /var/ftp/pub/ -R [root@www ~]# ls -ld /var/ftp/pub/ drwxr-xr-x. 6 ftp ftp 4096 6月 16 14:48 /var/ftp/pub/ [root@www ~]# chmod 775 /var/ftp/pub/ -R [root@www ~]# ls -ld /var/ftp/pub/ drwxrwxr-x. 6 ftp ftp 4096 6月 16 14:48 /var/ftp/pub/   =========================================================================================== SELinux设置 官方说明: FTP must be allowed to write to a directory before users can upload files via FTP.  SELinux allows FTP to write to directories labeled with the public_content_rw_t type. 就是说如果FTP要允许上传,类型要设置为public_content_rw_t    www.cit.cn   1.查看类型 [root@localhost ~]# ls -dZ /var/ftp/ drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /var/ftp/ 目前是public_content_t,只能读取。   ------------------------------------------------------------------------------------------- 2. 修改Type [root@localhost ~]# semanage fcontext -a -t public_content_rw_t "/var/ftp(/.*)?" -bash: semanage: command not found 遇到问题 命令不存在。官方文档说明 policycoreutils-python : provides utilities such as semanage, audit2allow, audit2why
and chcat, for operating and managing SELinux. policycoreutils-python这个包提供了semanage命令。   3. 安装policycoreutils-python 挂载光驱 [root@localhost ~]# mkdir /cdrom [root@localhost ~]# mount -o auto /dev/cdrom /cdrom mount: block device /dev/sr0 is write-protected, mounting read-only [root@localhost Packages]# rpm -ivh policycoreutils-python-2.0.83-19.8.el6_0.i686.rpm \ audit-libs-python-2.1-5.el6.i686.rpm \ libsemanage-python-2.0.43-4.el6.i686.rpm \ setools-libs-python-3.3.7-4.el6.i686.rpm \ setools-libs-3.3.7-4.el6.i686.rpm  warning: policycoreutils-python-2.0.83-19.8.el6_0.i686.rpm: Header V3 RSA/SHA256 Signature,
key ID fd431d51: NOKEY  www.cit.cn   Preparing... ########################################### [100%] 1:setools-libs ########################################### [ 20%] 2:setools-libs-python ########################################### [ 40%] 3:libsemanage-python ########################################### [ 60%] 4:audit-libs-python ########################################### [ 80%] 5:policycoreutils-python ########################################### [100%]   4. 接着第2步,修改并应用标签 [root@localhost Packages]# semanage fcontext -a -t public_content_rw_t "/var/ftp(/.*)?" libsemanage.dbase_llist_query: could not query record value (No such file or directory). libsemanage.get_home_dirs: alex homedir /var/ftp or its parent directory conflicts with
a file context already specified in the policy. This usually indicates an incorrectly
defined system account. If it is a system account please make sure its uid is less than
500 or its login shell is /sbin/nologin. [root@localhost Packages]# restorecon -R -v /var/ftp restorecon reset /var/ftp context system_u:object_r:public_content_t:s0->system_u:object_r:public_content_rw_t:s0 restorecon reset /var/ftp/pub context system_u:object_r:public_content_t:s0->system_u:object_r:public_content_rw_t:s0   5. The allow_ftpd_anon_write Boolean must be on to allow vsftpd to write to files that
are labeled with the public_content_rw_t type. Run the following command as the root user
to turn this Boolean on: allow_ftpd_anon_write Boolean 必须设置为on才能上传。 [root@localhost Packages]# setsebool -P allow_ftpd_anon_write on libsemanage.get_home_dirs: alex homedir /var/ftp or its parent directory conflicts with
a file context already specified in the policy. This usually indicates an incorrectly
defined system account. If it is a system account please make sure its uid is less than
500 or its login shell is /sbin/nologin.   ========================================================================================= 防火墙iptables设置: 设置了iptables的禁止所有的端口,只容许可能访问了策略后大部分情况下会出现ftp不能正常访问
的问题,因为ftp有主动和被动连接两种模式,少添加一些策略就会出问题。
  1.首先加载模块  www.cit.cn   [root@localhost Packages]# cd /etc/sysconfig/ [root@localhost sysconfig]# vi iptables-config # Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which # are loaded after the firewall rules are applied. Options for the helpers are # stored in /etc/modprobe.conf. IPTABLES_MODULES="" IPTABLES_MODELES="ip_conntrack_ftp" // 这里是新增的两行 IPTABLES_MODELES="ip_nat_ftp"   2.然后加载策略 [root@localhost sysconfig]# vi iptables ###### vsftpd ###### -I INPUT -p tcp --dport 21 -j ACCEPT  -I OUTPUT -p tcp --dport 21 -j ACCEPT   3. 重启防火墙 [root@localhost sysconfig]# service iptables restart iptables:清除防火墙规则: [确定] iptables:将链设置为政策 ACCEPT:filter [确定] iptables:正在卸载模块: [确定] iptables:应用防火墙规则: [确定]   ========================================================================================= 说明:  www.cit.cn   连接时请设置为主动连接方式。 [root@localhost sysconfig]# service vsftpd start 为 vsftpd 启动 vsftpd: [确定] [root@localhost sysconfig]# chkconfig --level 3 vsftpd on   ======================================================================================== 参考文档: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_
Services/sect-Managing_Confined_Services-File_Transfer_Protocol-Configuration_Examples.html Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf 5.1.SELinux Packages     作者 大果粒

    有帮助
    (3)
    100%
    没帮助
    (0)
    0%