Viewing and changing the SELinux mode
getenforce                  ### show the current mode (Enforcing, Permissive or Disabled)
setenforce 0|1              ### 0: permissive, denials are only logged; 1: enforcing, denials are blocked
                            ### setenforce changes the running kernel only and is lost at reboot; it cannot switch to or from disabled
vim /etc/sysconfig/selinux  ### symlink to /etc/selinux/config, read at boot: this is the persistent setting
SELINUX=enforcing           ### enforcing mode
SELINUX=permissive          ### permissive (warn-only) mode
SELINUX=disabled            ### SELinux off; files created while disabled are unlabelled, so going back to enforcing needs a relabel (touch /.autorelabel before the reboot)
Viewing the security context
[root@dream ~]# ls -dZ /mnt
drwxr-xr-x. root root system_u:object_r:mnt_t:s0 /mnt
### the context is user:role:type:level; under the targeted policy it is the type (here mnt_t) that access decisions are made on
Temporarily changing the security context (chcon)
**Procedure: create a new directory and change its context with chcon, move a file in from another directory, refresh the labels, and observe that the moved file did not pick up the directory's context.**
[root@dream pub]# ls -Zd /var/ftp/pub/
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /var/ftp/pub/
[root@dream ~]# mkdir /dream
[root@dream /]# ls -Zd /dream
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /dream
[root@dream /]# chcon -t public_content_t /dream/     ### change the context of /dream; this writes the label on the inode only, nothing is recorded in the policy
[root@dream /]# ls -Zd /dream
drwxr-xr-x. root root unconfined_u:object_r:public_content_t:s0 /dream
[root@dream /]# touch /mnt/aa
[root@dream /]# ls -Z /mnt/aa
-rw-r--r--. root root unconfined_u:object_r:mnt_t:s0 /mnt/aa
[root@dream /]# mv /mnt/aa /dream                      ### mv keeps the file's existing label; a cp would have labelled the copy from the destination's default
[root@dream /]# restorecon -Rvvf                       ### refresh labels from the policy; -vv shows what is being done (as typed the path is missing, and -f expects a file list; the force flag is -F, e.g. restorecon -RvvF /dream)
[root@dream /]# ls -Z /dream
-rw-r--r--. root root unconfined_u:object_r:mnt_t:s0 aa
### aa still carries mnt_t: the policy store has no entry for /dream (chcon never adds one), so restorecon cannot relabel the moved file to public_content_t, and it keeps the type it was created with
Permanently changing the security context (semanage fcontext)
[root@dream /]# semanage fcontext -l | grep /var/ftp/     ### see how the policy writes a directory rule: path regex, file class, context
/var/ftp/bin(/.*)?    all files    system_u:object_r:bin_t:s0
[root@dream dream_ya]# semanage fcontext -a -t public_content_t '/dream_ya(/.*)?'   ### add the rule to the policy store; (/.*)? covers the directory and everything beneath it, quote it so the shell does not expand it
[root@dream dream_ya]# restorecon -RvvF /dream_ya         ### apply it: -R recursive, -F force the reset even where the type was set by hand with chcon
After this refresh, files moved in from elsewhere carry the same security context as the directory: the rule now lives in the policy store, so restorecon (and a full relabel) will apply it, which is what chcon alone could not guarantee.
Enabling read and write access for anonymous FTP
systemctl restart vsftpd
vim /etc/vsftpd/vsftpd.conf                   ### enable uploads for anonymous users (the anon_upload_enable / anon_mkdir_write_enable directives)
systemctl restart vsftpd
ll /var/ftp/pub/
chown ftp /var/ftp/pub/                       ### the anonymous session runs as the ftp user, so the directory must be writable by it
ll /var/ftp
chown .ftp /var/ftp/pub/
chmod 775 /var/ftp/pub/
setenforce 0                                  ### permissive: the upload now works, so the DAC permissions are right and SELinux is what blocks it
setenforce 1                                  ### enforcing: the directory is not writable again
ls -Zd /var/ftp/pub/
chcon -t public_content_rw_t /var/ftp/pub/    ### public_content_t is read-only for ftpd; public_content_rw_t allows writes (temporary here, use semanage fcontext for a persistent rule)
getsebool -a | grep ftp                       ### list the ftp-related booleans
setsebool -P ftpd_anon_write on               ### the type alone is not enough: this boolean gates anonymous writes to public_content_rw_t; -P makes it persistent
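The permanent relabel of /dream_ya and the read/write setup of /var/ftp/pub above are the same two steps every time: record a file-context rule in the policy store, then apply it (and, for uploads, flip the boolean). The script below wraps them as an added example; it is not part of the original notes. It assumes a RHEL 7 host with SELinux enabled, vsftpd and the semanage tool (policycoreutils-python), run as root; the function names and the directory/mode argument layout are this example's own.

```shell
#!/bin/bash
# Added example, not from the original notes: make the "permanent context"
# and "anonymous read/write" steps repeatable. Assumes a RHEL 7 host with
# SELinux enabled, vsftpd and semanage (policycoreutils-python); run as root.
# Function names and the argument layout are this example's own.
set -eu

# Turn a directory into the file-context regex semanage expects: canonical
# path without a trailing slash, regex metacharacters escaped (a '.' in a
# directory name would otherwise match any character), and (/.*)? so the
# rule covers the directory and everything beneath it.
fcontext_pattern() {
    local path=$1 escaped
    while [ "$path" != "/" ] && [ "${path%/}" != "$path" ]; do
        path=${path%/}
    done
    escaped=$(printf '%s' "$path" | sed 's/[][^.*$+?(){}|\\]/\\&/g')
    printf '%s(/.*)?\n' "$escaped"
}

# Pick the type the notes use for each access mode: downloads only need
# public_content_t; anonymous uploads need public_content_rw_t plus the
# ftpd_anon_write boolean, switched on below.
ftp_share_type() {
    case $1 in
        ro) echo public_content_t ;;
        rw) echo public_content_rw_t ;;
        *)  echo "mode must be ro or rw" >&2; return 1 ;;
    esac
}

# Record the rule in the policy store and apply it. Unlike chcon, a rule
# added with semanage survives restorecon and a full relabel. -a refuses to
# add a pattern that already has a rule, so fall back to -m (modify).
label_ftp_dir() {
    local dir=$1 mode=$2 type pattern
    type=$(ftp_share_type "$mode")
    pattern=$(fcontext_pattern "$dir")
    semanage fcontext -a -t "$type" "$pattern" 2>/dev/null \
        || semanage fcontext -m -t "$type" "$pattern"
    restorecon -RvF "$dir"
    if [ "$mode" = rw ]; then
        setsebool -P ftpd_anon_write on
    fi
    # Check both halves: the rule is in the store, and the directory carries the type.
    semanage fcontext -l | grep -F -- "$pattern"
    ls -dZ "$dir"
}

# Usage (on the SELinux host, as root):
#   label_ftp_dir /var/ftp/pub rw
#   label_ftp_dir /dream_ya ro
```

The pattern helper is the part most often got wrong by hand: a trailing slash or an unescaped `.` in the path yields a rule that `semanage fcontext -l` shows but `restorecon` never matches, which looks exactly like the chcon case above.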
SELinux troubleshooting software (setroubleshoot)
The kernel logs every denial in /var/log/audit/audit.log regardless, but without setroubleshoot installed nothing explains the denial or proposes a fix in /var/log/messages. The steps below trigger the same denial with and without the package.
setsebool -P ftp_home_dir off                  ### local users may no longer upload to their home directories
> /var/log/audit/audit.log                     ### empty both logs so only the new denial shows
> /var/log/messages
lftp 172.25.254.225 -u dream                   ### trigger the denial as the local user dream
cat /var/log/messages                          ### with setroubleshoot installed: an entry starting "SELinux is preventing ..." with a sealert command to run
rpm -qa | grep setrouble
yum remove setroubleshoot-server-3.2.17-2.el7.x86_64   ### uninstall the troubleshooting software
> /var/log/messages
> /var/log/audit/audit.log
lftp 172.25.254.225 -u dream
cat /var/log/messages                          ### nothing useful any more
cat /var/log/audit/audit.log                   ### the raw AVC denial record is still here
yum install setroubleshoot-server-3.2.17-2.el7.x86_64 -y
> /var/log/messages
> /var/log/audit/audit.log
lftp 172.25.254.225 -u dream
cat /var/log/messages                          ### the explanation is back
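Reading the raw audit record yourself is what the notes fall back to once setroubleshoot is removed. The script below, an added example that is not from the original notes, pulls the fields that matter out of AVC denial lines: which domain was blocked, which permission on which object class, and what the target is labelled. The sample records are constructed, not taken from the notes' host, and the function name is this example's own.

```shell
#!/bin/bash
# Added example, not from the original notes: summarise raw AVC denials from
# /var/log/audit/audit.log without setroubleshoot. The sample below is
# constructed; field names follow the real audit.log format.
set -eu

# Constructed sample: a denial for vsftpd writing into pub, the unrelated
# SYSCALL record that accompanies it, and a denial on a home directory.
SAMPLE_AUDIT='type=AVC msg=audit(1500000000.123:456): avc:  denied  { write } for  pid=1234 comm="vsftpd" name="pub" dev="dm-0" ino=1234 scontext=system_u:system_r:ftpd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1500000000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=AVC msg=audit(1500000000.500:457): avc:  denied  { read } for  pid=1234 comm="vsftpd" name="dream" dev="dm-0" ino=5678 scontext=system_u:system_r:ftpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0'

# One line per denial: comm, permission, object class, source type -> target
# type. The source type names the confined domain (ftpd_t); the target type
# tells you whether this is a labelling problem (fix with semanage fcontext
# and restorecon) or an access the policy gates behind a boolean (getsebool).
avc_summary() {
    awk '
        /^type=AVC / && / denied / {
            perm = $0
            sub(/.*denied +[{] /, "", perm)
            sub(/ [}].*/, "", perm)
            comm = ""; stype = ""; ttype = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
                if ($i ~ /^scontext=/) { split($i, a, ":"); stype = a[3] }
                if ($i ~ /^tcontext=/) { split($i, b, ":"); ttype = b[3] }
                if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            }
            print comm ": denied " perm " on " tclass " (" stype " -> " ttype ")"
        }'
}

# Demonstration on the constructed sample; on the host read the real log:
#   avc_summary < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```

On a host with setroubleshoot installed, `sealert -a /var/log/audit/audit.log` gives the same fields together with suggested fixes, and `ausearch -m avc -ts recent` selects the latest denials without truncating the logs with `>` as the notes do.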