Linux Kernel Firewall Selinux

Status view and modification of selinux


```
getenforce                    ### view the current SELinux status
setenforce 0|1                ### 0: permissive (warning mode)  1: enforcing (forced mode); takes effect at once but does not survive a reboot
vim /etc/sysconfig/selinux    ### persistent setting, read at boot
SELINUX=enforcing             ### enforcing: forced mode | permissive: warning mode | disabled: off mode
```

View Security Context

```
[root@dream ~]# ls -dZ /mnt
drwxr-xr-x. root root system_u:object_r:mnt_t:s0 /mnt
```

Temporarily modify security context

**Process: create a new directory and change its security context, then move a file in from another directory and refresh the contexts; the moved file's security context turns out not to have changed**

```
[root@dream pub]# ls -Zd /var/ftp/pub/
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /var/ftp/pub/
[root@dream ~]# mkdir /dream
[root@dream /]# ls -Zd /dream
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /dream
[root@dream /]# chcon -t public_content_t /dream/    ### change the security context of /dream (temporary: not recorded in policy)
[root@dream /]# ls -Zd /dream
drwxr-xr-x. root root unconfined_u:object_r:public_content_t:s0 /dream
[root@dream /]# touch /mnt/aa
[root@dream /]# ls -Z /mnt/aa
-rw-r--r--. root root unconfined_u:object_r:mnt_t:s0 /mnt/aa
[root@dream /]# mv /mnt/aa /dream                    ### mv keeps the file's original context
[root@dream /]# restorecon -Rvvf                     ### refresh security context; vv: show progress (note: lowercase -f expects a file listing paths; to relabel a tree use restorecon -RvvF /dream, as in the next section)
[root@dream /]# ls -Z /dream
-rw-r--r--. root root unconfined_u:object_r:mnt_t:s0 aa
```

Permanently modify security context

```
[root@dream /]# semanage fcontext -l | grep /var/ftp/    ### shows how a directory's security context rule is written
/var/ftp/bin(/.*)?                                 all files          system_u:object_r:bin_t:s0
[root@dream dream_ya]# semanage fcontext -a -t public_content_t '/dream_ya(/.*)?'    ### permanently change the security context (rule stored in policy)
[root@dream dream_ya]# restorecon -RvvF /dream_ya    ### apply the stored rule to the existing files
```

You can see that after refreshing, the security context of files moved in from other places is the same as that of the directory.

Opening Read and Write Permissions

```
systemctl restart vsftpd
vim /etc/vsftpd/vsftpd.conf      ### turn on read and write permissions for anonymous users (anon_upload_enable=YES, anon_mkdir_write_enable=YES)
systemctl restart vsftpd
ll /var/ftp/pub/
chown ftp /var/ftp/pub/
ll /var/ftp
chown .ftp /var/ftp/pub/
chmod 775 /var/ftp/pub/
setenforce 0                     ### in permissive mode the directory is found to be readable and writable
setenforce 1                     ### back in enforcing mode it is not readable and writable
ls -Zd /var/ftp/pub/
chcon -t public_content_rw_t /var/ftp/pub/
getsebool -a | grep ftp          ### view the ftp-related Boolean values
setsebool -P ftpd_anon_write on  ### open write permissions; -P makes the Boolean persistent
```

Kernel Analysis Software

An SELinux denial only comes with a suggested fix when the analysis software (setroubleshoot) is installed; without it the denial is merely logged, as the following comparison shows.

```
setsebool -P ftp_home_dir off    ### local users can no longer upload
> /var/log/audit/audit.log       ### empty both logs before the test
> /var/log/messages
lftp 172.25.254.225 -u dream
cat /var/log/messages
rpm -qa | grep setrouble
yum remove setroubleshoot-server-3.2.17-2.el7.x86_64    ### uninstall the analysis software
> /var/log/messages
> /var/log/audit/audit.log
lftp 172.25.254.225 -u dream
cat /var/log/messages
cat /var/log/audit/audit.log
yum install setroubleshoot-server-3.2.17-2.el7.x86_64 -y
> /var/log/messages
> /var/log/audit/audit.log
lftp 172.25.254.225 -u dream
cat /var/log/messages
```
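Without setroubleshoot, the raw AVC records in /var/log/audit/audit.log have to be read by hand. The following Python helper is an added example, not code from the original post: it parses constructed AVC lines in the audit.log format and tallies enforced denials by source domain, permission, object class and target type, which is the first thing to check before reaching for chcon, semanage or a Boolean.

```python
import re
from collections import Counter

# Constructed sample records in /var/log/audit/audit.log format (not taken from the page).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1587445000.123:456): avc:  denied  { write } for  pid=2345 comm="vsftpd" name="pub" dev="dm-0" ino=1234 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1587445000.123:456): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1587445001.555:457): avc:  denied  { create } for  pid=2345 comm="vsftpd" name="aa" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1587445002.000:458): avc:  denied  { read } for  pid=2346 comm="vsftpd" name="dream" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..." ; only AVC records match.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def type_of(context):
    """Return the type component (user:role:TYPE:level) of an SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc_denials(text):
    """Return one dict per denied permission found in the audit text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types are skipped
        fields = {k: bare or quoted for k, quoted, bare in KV_RE.findall(m.group("rest"))}
        for perm in m.group("perms").split():
            denials.append({
                "perm": perm,
                "comm": fields.get("comm", "?"),
                "source_type": type_of(fields.get("scontext", "?")),
                "target_type": type_of(fields.get("tcontext", "?")),
                "tclass": fields.get("tclass", "?"),
                # permissive=1 means the access was logged but not blocked
                "enforced": fields.get("permissive") == "0",
            })
    return denials


def summarize(denials):
    """Count blocked accesses by (source type, permission, class, target type)."""
    return Counter((d["source_type"], d["perm"], d["tclass"], d["target_type"])
                   for d in denials if d["enforced"])


if __name__ == "__main__":
    for key, n in summarize(parse_avc_denials(SAMPLE_AUDIT_LOG)).items():
        print(n, "x", " ".join(key))
```

A line such as `ftpd_t write dir public_content_t` tells you the FTP daemon was blocked from writing to a directory labelled public_content_t, which is exactly the situation the chcon/setsebool steps above address.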

21 April 2020, 13:06 | Views: 6474
