RHEL6.1 vsftpd SELinux配置和开启本地用户上传
来源:岁月联盟
时间:2012-06-22
用户的访问并且允许了本地用户访问 www.2cto.com ==========================================================================================将用户加入ftp组,并设置linux权限[root@www ~]# usermod -aG ftp alexscript[root@www ~]# groups alexscript[root@www ~]# chown ftp:ftp /var/ftp/pub/ -R[root@www ~]# ls -ld /var/ftp/pub/drwxr-xr-x. 6 ftp ftp 4096 6月 16 14:48 /var/ftp/pub/[root@www ~]# chmod 775 /var/ftp/pub/ -R[root@www ~]# ls -ld /var/ftp/pub/drwxrwxr-x. 6 ftp ftp 4096 6月 16 14:48 /var/ftp/pub/ ===========================================================================================SELinux设置官方说明:FTP must be allowed to write to a directory before users can upload files via FTP. SELinux allows FTP to write to directories labeled with the public_content_rw_t type.就是说如果FTP要允许上传,类型要设置为public_content_rw_t www.2cto.com 1.查看类型[root@localhost ~]# ls -dZ /var/ftp/drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /var/ftp/目前是public_content_t,只能读取。 -------------------------------------------------------------------------------------------2. 修改Type[root@localhost ~]# semanage fcontext -a -t public_content_rw_t "/var/ftp(/.*)?"-bash: semanage: command not found遇到问题 命令不存在。官方文档说明policycoreutils-python : provides utilities such as semanage, audit2allow, audit2why
and chcat, for operating and managing SELinux.policycoreutils-python这个包提供了semanage命令。 3. 安装policycoreutils-python挂载光驱[root@localhost ~]# mkdir /cdrom[root@localhost ~]# mount -o auto /dev/cdrom /cdrommount: block device /dev/sr0 is write-protected, mounting read-only[root@localhost Packages]# rpm -ivh policycoreutils-python-2.0.83-19.8.el6_0.i686.rpm /audit-libs-python-2.1-5.el6.i686.rpm /libsemanage-python-2.0.43-4.el6.i686.rpm /setools-libs-python-3.3.7-4.el6.i686.rpm /setools-libs-3.3.7-4.el6.i686.rpm warning: policycoreutils-python-2.0.83-19.8.el6_0.i686.rpm: Header V3 RSA/SHA256 Signature,
key ID fd431d51: NOKEY www.2cto.com Preparing... ########################################### [100%]1:setools-libs ########################################### [ 20%]2:setools-libs-python ########################################### [ 40%]3:libsemanage-python ########################################### [ 60%]4:audit-libs-python ########################################### [ 80%]5:policycoreutils-python ########################################### [100%] 4. 接着第2步,修改并应用标签[root@localhost Packages]# semanage fcontext -a -t public_content_rw_t "/var/ftp(/.*)?"libsemanage.dbase_llist_query: could not query record value (No such file or directory).libsemanage.get_home_dirs: alex homedir /var/ftp or its parent directory conflicts with
a file context already specified in the policy. This usually indicates an incorrectly
defined system account. If it is a system account please make sure its uid is less than
500 or its login shell is /sbin/nologin.[root@localhost Packages]# restorecon -R -v /var/ftprestorecon reset /var/ftp context system_u:object_r:public_content_t:s0->system_u:object_r:public_content_rw_t:s0restorecon reset /var/ftp/pub context system_u:object_r:public_content_t:s0->system_u:object_r:public_content_rw_t:s0 5. The allow_ftpd_anon_write Boolean must be on to allow vsftpd to write to files that
are labeled with the public_content_rw_t type. Run the following command as the root user
to turn this Boolean on:allow_ftpd_anon_write Boolean 必须设置为on才能上传。[root@localhost Packages]# setsebool -P allow_ftpd_anon_write onlibsemanage.get_home_dirs: alex homedir /var/ftp or its parent directory conflicts with
a file context already specified in the policy. This usually indicates an incorrectly
defined system account. If it is a system account please make sure its uid is less than
500 or its login shell is /sbin/nologin. =========================================================================================防火墙iptables设置:设置了iptables的禁止所有的端口,只容许可能访问了策略后大部分情况下会出现ftp不能正常访问
的问题,因为ftp有主动和被动连接两种模式,少添加一些策略就会出问题。
1.首先加载模块 www.2cto.com [root@localhost Packages]# cd /etc/sysconfig/[root@localhost sysconfig]# vi iptables-config# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which# are loaded after the firewall rules are applied. Options for the helpers are# stored in /etc/modprobe.conf.IPTABLES_MODULES=""IPTABLES_MODELES="ip_conntrack_ftp" // 这里是新增的两行IPTABLES_MODELES="ip_nat_ftp" 2.然后加载策略[root@localhost sysconfig]# vi iptables###### vsftpd ######-I INPUT -p tcp --dport 21 -j ACCEPT -I OUTPUT -p tcp --dport 21 -j ACCEPT 3. 重启防火墙[root@localhost sysconfig]# service iptables restartiptables:清除防火墙规则: [确定]iptables:将链设置为政策 ACCEPT:filter [确定]iptables:正在卸载模块: [确定]iptables:应用防火墙规则: [确定] =========================================================================================说明: www.2cto.com 连接时请设置为主动连接方式。[root@localhost sysconfig]# service vsftpd start为 vsftpd 启动 vsftpd: [确定][root@localhost sysconfig]# chkconfig --level 3 vsftpd on ========================================================================================参考文档:http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_
Services/sect-Managing_Confined_Services-File_Transfer_Protocol-Configuration_Examples.htmlRed_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf 5.1.SELinux Packages 作者 大果粒
上一篇:Vim编辑移动命令
