
RHEL6.1 vsftpd: SELinux configuration and enabling uploads by local users

 

Edit /etc/vsftpd.conf and set anonymous_enable=NO and local_enable=YES. This disables anonymous access and allows local users to log in.

==========================================================================================

Add the user to the ftp group and set the Linux permissions

[root@www ~]# usermod -aG ftp alexscript
[root@www ~]# groups alexscript
[root@www ~]# chown ftp:ftp /var/ftp/pub/ -R
[root@www ~]# ls -ld /var/ftp/pub/
drwxr-xr-x. 6 ftp ftp 4096 6月 16 14:48 /var/ftp/pub/
[root@www ~]# chmod 775 /var/ftp/pub/ -R
[root@www ~]# ls -ld /var/ftp/pub/
drwxrwxr-x. 6 ftp ftp 4096 6月 16 14:48 /var/ftp/pub/

 

===========================================================================================

SELinux configuration

The official documentation says:

FTP must be allowed to write to a directory before users can upload files via FTP. 

SELinux allows FTP to write to directories labeled with the public_content_rw_t type.

In other words, for FTP uploads to be allowed, the directory type must be set to public_content_rw_t.

1. Check the current type

[root@localhost ~]# ls -dZ /var/ftp/
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /var/ftp/

It is currently public_content_t, which only permits reading.

 

-------------------------------------------------------------------------------------------

2. Change the type

[root@localhost ~]# semanage fcontext -a -t public_content_rw_t "/var/ftp(/.*)?"
-bash: semanage: command not found

Problem: the command does not exist. The official documentation says:

policycoreutils-python : provides utilities such as semanage, audit2allow, audit2why
and chcat, for operating and managing SELinux.

The policycoreutils-python package is what provides the semanage command.

 

3. Install policycoreutils-python
</gr_replreplace>
<gr_replace lines="79-79" cat="clarify" orig="挂载光驱">
Mount the installation DVD

挂载光驱

[root@localhost ~]# mkdir /cdrom
[root@localhost ~]# mount -o auto /dev/cdrom /cdrom
mount: block device /dev/sr0 is write-protected, mounting read-only
[root@localhost Packages]# rpm -ivh policycoreutils-python-2.0.83-19.8.el6_0.i686.rpm \
audit-libs-python-2.1-5.el6.i686.rpm \
libsemanage-python-2.0.43-4.el6.i686.rpm \
setools-libs-python-3.3.7-4.el6.i686.rpm \
setools-libs-3.3.7-4.el6.i686.rpm
warning: policycoreutils-python-2.0.83-19.8.el6_0.i686.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Preparing... ########################################### [100%]
1:setools-libs ########################################### [ 20%]
2:setools-libs-python ########################################### [ 40%]
3:libsemanage-python ########################################### [ 60%]
4:audit-libs-python ########################################### [ 80%]
5:policycoreutils-python ########################################### [100%]

 

4. Continuing from step 2: set the label and apply it

[root@localhost Packages]# semanage fcontext -a -t public_content_rw_t "/var/ftp(/.*)?"
libsemanage.dbase_llist_query: could not query record value (No such file or directory).
libsemanage.get_home_dirs: alex homedir /var/ftp or its parent directory conflicts with a file context already specified in the policy. This usually indicates an incorrectly defined system account. If it is a system account please make sure its uid is less than 500 or its login shell is /sbin/nologin.
[root@localhost Packages]# restorecon -R -v /var/ftp

 

5. The allow_ftpd_anon_write Boolean must be on to allow vsftpd to write to files that are labeled with the public_content_rw_t type. Run the following command as the root user to turn this Boolean on:

The allow_ftpd_anon_write Boolean must be set to on before uploads will work.

[root@localhost Packages]# setsebool -P allow_ftpd_anon_write on
libsemanage.get_home_dirs: alex homedir /var/ftp or its parent directory conflicts with a file context already specified in the policy. This usually indicates an incorrectly defined system account. If it is a system account please make sure its uid is less than 500 or its login shell is /sbin/nologin.

 

=========================================================================================

iptables firewall configuration:

When iptables is configured to block every port and only the required ones are opened, FTP usually stops working once the rules are applied, because FTP has both an active and a passive connection mode and leaving out even a few rules breaks it.
 

1. First, load the connection-tracking modules

[root@localhost Packages]# cd /etc/sysconfig/
[root@localhost sysconfig]# vi iptables-config
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"   # changed from the empty default: one space-separated list holding both FTP helpers

 

2. Then add the rules

[root@localhost sysconfig]# vi iptables
###### vsftpd ######
-I INPUT -p tcp --dport 21 -j ACCEPT
-I OUTPUT -p tcp --dport 21 -j ACCEPT

 

3. Restart the firewall

[root@localhost sysconfig]# service iptables restart
iptables:清除防火墙规则: [确定]
iptables:将链设置为政策 ACCEPT:filter [确定]
iptables:正在卸载模块: [确定]
iptables:应用防火墙规则: [确定]
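A pre-flight check for the settings this page configures (the SELinux label and Boolean from the SELinux section, the ftp group membership, and the IPTABLES_MODULES line above), written here as an added example rather than code from the original post. It parses constructed sample output of ls -dZ, getsebool and groups plus a constructed iptables-config file, so it runs without root, SELinux or iptables.

```shell
#!/bin/sh
# Added example, not from the original post: offline pre-flight checks for the
# settings the procedure above depends on. They parse the text that ls -dZ,
# getsebool, groups and the iptables-config file produce, so they run without
# root, SELinux or iptables; the sample inputs below are constructed.

# 0 when a `ls -dZ DIR` line carries SELinux type $2 (e.g. public_content_rw_t).
ctx_has_type() {
    want=$2
    set -- $1                          # split the ls line on whitespace
    ctx=$4                             # user:role:type:level
    typ=${ctx#*:*:}; typ=${typ%%:*}    # drop user and role, keep the type
    [ "$typ" = "$want" ]
}

# 0 when a `getsebool NAME` line reports the boolean as on.
bool_is_on() {
    case "$1" in *"--> on") return 0 ;; *) return 1 ;; esac
}

# 0 when a `groups USER` line ("user : g1 g2 ...") lists group $2.
in_group() {
    case " ${1#*:} " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# 0 when sourcing iptables-config file $1 leaves both FTP helpers in
# IPTABLES_MODULES. The init script sources the file as shell, so the last
# assignment wins and a misspelt variable (IPTABLES_MODELES) is silently ignored.
ftp_helpers_loaded() {
    mods=$( . "$1" && printf '%s' "$IPTABLES_MODULES" )
    case " $mods " in *" ip_conntrack_ftp "*) ;; *) return 1 ;; esac
    case " $mods " in *" ip_nat_ftp "*) return 0 ;; *) return 1 ;; esac
}

# Constructed samples: the label before the fix (as on the page) and after it,
# and an iptables-config with the misspelt variable.
before_ctx='drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /var/ftp/'
after_ctx='drwxrwxr-x. ftp ftp system_u:object_r:public_content_rw_t:s0 /var/ftp/pub/'
cfg=$(mktemp)
printf 'IPTABLES_MODULES=""\nIPTABLES_MODELES="ip_conntrack_ftp"\n' > "$cfg"

ctx_has_type "$before_ctx" public_content_rw_t && echo "before: writable label (unexpected)"
ctx_has_type "$after_ctx"  public_content_rw_t && echo "after: label OK"
bool_is_on 'allow_ftpd_anon_write --> on' && echo "boolean OK"
in_group 'alexscript : alexscript ftp' ftp && echo "group OK"
ftp_helpers_loaded "$cfg" || echo "iptables-config: FTP helpers NOT configured (typo)"
rm -f "$cfg"
```

Feed it the real output of those commands to check a server. The Boolean applies to the whole vsftpd process, not only to anonymous sessions, which is why anonymous_enable=NO in the first step matters.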

 

=========================================================================================

Note:

When connecting, use active mode.

[root@localhost sysconfig]# service vsftpd start
为 vsftpd 启动 vsftpd: [确定]
[root@localhost sysconfig]# chkconfig --level 3 vsftpd on

 

========================================================================================

References:

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/sect-Managing_Confined_Services-File_Transfer_Protocol-Configuration_Examples.html

Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf, section 5.1 "SELinux Packages"

 

 

Author: 大果粒
