知识屋:更实用的电脑技术知识网站
所在位置:首页 > 操作系统 > linux

RHEL6.1 vsftpd SELinux配置和开启本地用户上传

发布时间:2014-09-05 16:08:34作者:知识屋

RHEL6.1 vsftpd SELinux配置和开启本地用户上传
 
修改/etc/vsftpd.conf,设置anonymous_enable=NO,local_enable=YES。这样,我们就禁止了匿名
用户的访问并且允许了本地用户访问  www.zhishiwu.com  
==========================================================================================
将用户加入ftp组,并设置linux权限
[root@www ~]# usermod -aG ftp alexscript
[root@www ~]# groups alexscript
[root@www ~]# chown ftp:ftp /var/ftp/pub/ -R
[root@www ~]# ls -ld /var/ftp/pub/
drwxr-xr-x. 6 ftp ftp 4096 6月 16 14:48 /var/ftp/pub/
[root@www ~]# chmod 775 /var/ftp/pub/ -R
[root@www ~]# ls -ld /var/ftp/pub/
drwxrwxr-x. 6 ftp ftp 4096 6月 16 14:48 /var/ftp/pub/
 
===========================================================================================
SELinux设置
官方说明:
FTP must be allowed to write to a directory before users can upload files via FTP. 
SELinux allows FTP to write to directories labeled with the public_content_rw_t type.
就是说如果FTP要允许上传,类型要设置为public_content_rw_t
   www.zhishiwu.com  
1.查看类型
[root@localhost ~]# ls -dZ /var/ftp/
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /var/ftp/
目前是public_content_t,只能读取。
 
-------------------------------------------------------------------------------------------
2. 修改Type
[root@localhost ~]# semanage fcontext -a -t public_content_rw_t "/var/ftp(/.*)?"
-bash: semanage: command not found
遇到问题 命令不存在。官方文档说明
policycoreutils-python : provides utilities such as semanage, audit2allow, audit2why
and chcat, for operating and managing SELinux.
policycoreutils-python这个包提供了semanage命令。
 
3. 安装policycoreutils-python
挂载光驱
[root@localhost ~]# mkdir /cdrom
[root@localhost ~]# mount -o auto /dev/cdrom /cdrom
mount: block device /dev/sr0 is write-protected, mounting read-only
[root@localhost Packages]# rpm -ivh policycoreutils-python-2.0.83-19.8.el6_0.i686.rpm /
audit-libs-python-2.1-5.el6.i686.rpm /
libsemanage-python-2.0.43-4.el6.i686.rpm /
setools-libs-python-3.3.7-4.el6.i686.rpm /
setools-libs-3.3.7-4.el6.i686.rpm 
warning: policycoreutils-python-2.0.83-19.8.el6_0.i686.rpm: Header V3 RSA/SHA256 Signature,
key ID fd431d51: NOKEY  www.zhishiwu.com  
Preparing... ########################################### [100%]
1:setools-libs ########################################### [ 20%]
2:setools-libs-python ########################################### [ 40%]
3:libsemanage-python ########################################### [ 60%]
4:audit-libs-python ########################################### [ 80%]
5:policycoreutils-python ########################################### [100%]
 
4. 接着第2步,修改并应用标签
[root@localhost Packages]# semanage fcontext -a -t public_content_rw_t "/var/ftp(/.*)?"
libsemanage.dbase_llist_query: could not query record value (No such file or directory).
libsemanage.get_home_dirs: alex homedir /var/ftp or its parent directory conflicts with
a file context already specified in the policy. This usually indicates an incorrectly
defined system account. If it is a system account please make sure its uid is less than
500 or its login shell is /sbin/nologin.
[root@localhost Packages]# restorecon -R -v /var/ftp
restorecon reset /var/ftp context system_u:object_r:public_content_t:s0->system_u:object_r:public_content_rw_t:s0
restorecon reset /var/ftp/pub context system_u:object_r:public_content_t:s0->system_u:object_r:public_content_rw_t:s0
 
5. The allow_ftpd_anon_write Boolean must be on to allow vsftpd to write to files that
are labeled with the public_content_rw_t type. Run the following command as the root user
to turn this Boolean on:
allow_ftpd_anon_write Boolean 必须设置为on才能上传。
[root@localhost Packages]# setsebool -P allow_ftpd_anon_write on
libsemanage.get_home_dirs: alex homedir /var/ftp or its parent directory conflicts with
a file context already specified in the policy. This usually indicates an incorrectly
defined system account. If it is a system account please make sure its uid is less than
500 or its login shell is /sbin/nologin.
 
=========================================================================================
防火墙iptables设置:
设置了iptables的禁止所有的端口,只容许可能访问了策略后大部分情况下会出现ftp不能正常访问
的问题,因为ftp有主动和被动连接两种模式,少添加一些策略就会出问题。
 
1.首先加载模块  www.zhishiwu.com  
[root@localhost Packages]# cd /etc/sysconfig/
[root@localhost sysconfig]# vi iptables-config
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES=""
IPTABLES_MODELES="ip_conntrack_ftp" // 这里是新增的两行
IPTABLES_MODELES="ip_nat_ftp"
 
2.然后加载策略
[root@localhost sysconfig]# vi iptables
###### vsftpd ######
-I INPUT -p tcp --dport 21 -j ACCEPT 
-I OUTPUT -p tcp --dport 21 -j ACCEPT
 
3. 重启防火墙
[root@localhost sysconfig]# service iptables restart
iptables:清除防火墙规则: [确定]
iptables:将链设置为政策 ACCEPT:filter [确定]
iptables:正在卸载模块: [确定]
iptables:应用防火墙规则: [确定]
 
=========================================================================================
说明:  www.zhishiwu.com  
连接时请设置为主动连接方式。
[root@localhost sysconfig]# service vsftpd start
为 vsftpd 启动 vsftpd: [确定]
[root@localhost sysconfig]# chkconfig --level 3 vsftpd on
 
========================================================================================
参考文档:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_
Services/sect-Managing_Confined_Services-File_Transfer_Protocol-Configuration_Examples.html
Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf 5.1.SELinux Packages
 
 
作者 大果粒
(免责声明:文章内容如涉及作品内容、版权和其它问题,请及时与我们联系,我们将在第一时间删除内容,文章内容仅供参考)
收藏
  • 人气文章
  • 最新文章
  • 下载排行榜
  • 热门排行榜