Linux Kernel Security Module: SELinux

Viewing and changing the SELinux status

 getenforce                                         ###View Status
 setenforce 0|1                                     ###0: permissive (denials are logged, not blocked) 1: enforcing (denials are blocked); runtime only, lost on reboot
 vim /etc/sysconfig/selinux
 SELINUX=
 enforcing                                          ###Enforcing mode: policy denials are blocked and logged
 permissive                                         ###Permissive mode: denials are only logged
 disabled                                           ###SELinux off (switching to or from this value needs a reboot)

View Security Context

 [root@dream ~]# ls -dZ /mnt
 drwxr-xr-x. root root system_u:object_r:mnt_t:s0       /mnt

Temporarily modify security context

 **Process: create a new directory and change its security context with chcon, move in a file from another directory and refresh the directory with restorecon, then observe that the moved file's security context has not changed**
 [root@dream pub]# ls -Zd /var/ftp/pub/                   
 drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /var/ftp/pub/
 [root@dream ~]# mkdir /dream
 [root@dream /]# ls -Zd /dream
 drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /dream
 [root@dream /]# chcon -t public_content_t /dream/        ###Change the type of /dream (temporary: chcon does not update the policy's file-context rules)
 [root@dream /]# ls -Zd /dream
 drwxr-xr-x. root root unconfined_u:object_r:public_content_t:s0 /dream
 [root@dream /]# touch /mnt/aa
 [root@dream /]# ls -Z /mnt/aa
 -rw-r--r--. root root unconfined_u:object_r:mnt_t:s0   /mnt/aa
 [root@dream /]# mv /mnt/aa /dream
 [root@dream /]# restorecon -Rvvf                         ###Reset labels to the policy default; -vv shows each change. Note: restorecon expects a path argument (compare the /dream_ya step below)
 [root@dream /]# ls -Z /dream
 -rw-r--r--. root root unconfined_u:object_r:mnt_t:s0   aa

Permanently modify security context

 [root@dream /]# semanage fcontext -l|grep /var/ftp/                 ###Shows how directory rules are written, e.g. /var/ftp/bin(/.*)?  all files  system_u:object_r:bin_t:s0
 [root@dream dream_ya]# semanage fcontext -a -t public_content_t '/dream_ya(/.*)?'                        ###Add a persistent file-context rule for /dream_ya; it takes effect after restorecon
 [root@dream dream_ya]# restorecon -RvvF /dream_ya         

After restorecon, the security context of files moved in from elsewhere matches that of the directory, because the rule is now part of the policy's file-context database and restorecon applies it.

Enabling read and write access for anonymous FTP users

 systemctl restart vsftpd
 vim /etc/vsftpd/vsftpd.conf                     ###Turn on read and write permissions for anonymous users
 systemctl restart vsftpd
 ll /var/ftp/pub/
 chown ftp /var/ftp/pub/
 ll /var/ftp
 chown .ftp /var/ftp/pub/
 chmod 775 /var/ftp/pub/
 setenforce 0                                    ###Permissive: reads and writes now work, so SELinux was what blocked them
 setenforce 1                                    ###Enforcing again: writes are blocked until the label/boolean is fixed
 ls -Zd /var/ftp/pub/
 chcon -t public_content_rw_t /var/ftp/pub/      ###Temporary type change; use semanage fcontext (see above) for a persistent rule
 getsebool -a |grep ftp                          ###List the ftp-related SELinux booleans
 setsebool -P ftpd_anon_write on                 ###Allow anonymous FTP writes; -P persists the setting across reboots

SELinux troubleshooting software (setroubleshoot)

Without setroubleshoot installed, an SELinux denial in the logs comes with no suggested fix.

 setsebool -P ftp_home_dir off                            ###Deny FTP access to home directories: local users can no longer upload
 > /var/log/audit/audit.log                               ###Clear the logs so only new denials are seen (lab only: this discards existing audit records)
 > /var/log/messages 
 lftp 172.25.254.225 -u dream
 cat  /var/log/messages 
 rpm -qa |grep setrouble
 yum remove setroubleshoot-server-3.2.17-2.el7.x86_64     ###Uninstall setroubleshoot to compare the log output without it
 > /var/log/messages 
 > /var/log/audit/audit.log 
 lftp 172.25.254.225 -u dream
 cat  /var/log/messages 
 cat /var/log/audit/audit.log
 yum install setroubleshoot-server-3.2.17-2.el7.x86_64 -y
 >  /var/log/messages 
 > /var/log/audit/audit.log 
 lftp 172.25.254.225 -u dream
 cat /var/log/messages
