I. Using anonymous FTP under SELinux
1. Confirm that SELinux is enabled:
[root@sgzhang ~]# getenforce
Enforcing
2. Start the FTP daemon and check its domain:
[root@sgzhang ~]# ps -efZ |grep vsftpd
root:system_r:ftpd_t:s0 root 12636 1 0 20:13 ? 00:00:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
3. Create two files in the anonymous access directory for testing. One is created directly in that directory, so it inherits the directory context of /var/ftp/pub; the other is moved in from the root home directory with mv, so it keeps the security context it had under /root:
[root@sgzhang pub]# pwd
/var/ftp/pub
[root@sgzhang pub]# echo "just a test" > test.txt
[root@sgzhang pub]# chmod 755 test.txt
[root@sgzhang pub]# ls -Z
-rwxr-xr-x root root root:object_r:public_content_t:s0 test.txt
[root@sgzhang ~]# pwd
/root
[root@sgzhang ~]# echo "aaa123" > root.txt
[root@sgzhang ~]# chmod 755 /root/root.txt
[root@sgzhang ~]# mv root.txt /var/ftp/pub/
[root@sgzhang ~]# ls -Z /var/ftp/pub/
-rw-r-xr-x root root root:object_r:user_home_t:s0 root.txt
-rwxr-xr-x root root root:object_r:public_content_t:s0 test.txt
4. Test with an anonymous login:
[root@sgzhang pub]# lftp localhost
lftp localhost:~> cd pub
cd ok, cwd=/pub
lftp localhost:/pub> ls
-rwxr-xr-x 1 0 0 12 Aug 23 12:19 test.txt
-rwxr-xr-x 1 0 0 910974 Aug 04 02:19 yum
lftp localhost:/pub>
Note that root.txt is not visible here.
5. Since SELinux is known to be enabled, start by looking at the system logs. Two tools collect the logs SELinux produces: setroubleshoot (package setroubleshoot-server-2.0.5-5.el5) and audit (package audit-1.7.13-2.el5). The audit tool is used first, as follows:
The system provides audit-related commands, most commonly audit2why and audit2allow. The audit logs are stored under /var/log/audit; because that file records far too much to read directly, use audit2why to interpret it. First start the audit daemon:
[root@sgzhang audit]# /etc/init.d/auditd status
auditd is stopped
[root@sgzhang audit]# /etc/init.d/auditd start
Starting auditd: [ OK ]
[root@sgzhang audit]# /etc/init.d/auditd status
auditd (pid 4013) is running...
6. Logging in to the FTP server from a client triggers the audit daemon to write log entries:
[root@sgzhang audit]# audit2why < /var/log/audit/audit.log
type=AVC msg=audit(1282568240.414:26): avc: denied { getattr } for pid=4061
comm="vsftpd" path="/pub/root.txt" dev=sda1 ino=3634111 scontext=root:system_r:ftpd_t:s0
tcontext=root:object_r:user_home_t:s0 tclass=file
Was caused by:
Missing or disabled TE allow rule.
Allow rules may exist but be disabled by boolean settings; check boolean settings.
You can see the necessary allow rules by running audit2allow with this audit message as input.
AVC is short for access vector cache; it records all SELinux-related access statistics.
7. Following the hint in the log, run audit2allow to see what it suggests:
[root@sgzhang audit]# audit2allow < /var/log/audit/audit.log
#============= ftpd_t ==============
allow ftpd_t user_home_t:file getattr;
[root@sgzhang cnapp]# sesearch -a -s ftpd_t -t user_home_t
Found 8 av rules:
allow ftpd_t user_home_t : file { ioctl read write create getattr setattr lock append unlink link rename };
allow ftpd_t user_home_t : file { ioctl read getattr lock };
allow ftpd_t user_home_t : dir { ioctl read getattr lock search };
allow ftpd_t user_home_t : lnk_file { read create getattr setattr unlink link rename };
Searching the policy set confirms that the rule above does exist, but the log also carries one more suggestion:
Allow rules may exist but be disabled by boolean settings; check boolean settings.
8. Check the booleans related to FTP:
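The decision made in steps 6 to 8 (read the denial, compare it with what sesearch says the loaded policy grants, then decide between "missing rule" and "rule present but gated by a boolean or a wrong label") can be written down as code. The Python below is an added example; it is not part of the original notes and not the implementation of audit2why or audit2allow. The audit log lines and sesearch lines it works on are constructed copies of the records quoted above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the two AVC denials quoted on this page plus one SYSCALL
# record, which is not an AVC record and must be ignored by the parser.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1282568240.414:26): avc: denied { getattr } for pid=4061 comm="vsftpd" path="/pub/root.txt" dev=sda1 ino=3634111 scontext=root:system_r:ftpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1282573070.455:1056): arch=40000003 syscall=12 success=no exit=-13 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=root:system_r:ftpd_t:s0 key=(null)
type=AVC msg=audit(1282573070.455:1056): avc: denied { search } for pid=6130 comm="vsftpd" name="zsgd" dev=sda1 ino=9591650 scontext=root:system_r:ftpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
"""

# Constructed sample: rules in the shape `sesearch -a -s ftpd_t -t user_home_t` prints above.
SAMPLE_SESEARCH = """\
allow ftpd_t user_home_t : file { ioctl read write create getattr setattr lock append unlink link rename };
allow ftpd_t user_home_t : file { ioctl read getattr lock };
allow ftpd_t user_home_t : dir { ioctl read getattr lock search };
allow tftpd_t unconfined_t : fd use ;
"""

AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
TARGET_RE = re.compile(r'\b(?:path|name)="([^"]*)"')
SESEARCH_RE = re.compile(
    r'^allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{\s*([^}]*?)\s*\}|(\S+?))\s*;'
)

Rule = Tuple[str, str, str]  # (source type, target type, object class)


@dataclass(frozen=True)
class AvcDenial:
    comm: str               # process name, e.g. vsftpd
    target: Optional[str]   # path="..." or name="..." from the record, if present
    source_type: str        # type field of scontext, e.g. ftpd_t
    target_type: str        # type field of tcontext, e.g. user_home_t
    tclass: str             # object class, e.g. file or dir
    perms: Tuple[str, ...]  # denied permissions, e.g. ("getattr",)


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return parts[2]


def parse_avc_denials(log_text: str) -> List[AvcDenial]:
    """Extract every AVC 'denied' record from raw audit.log text."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None or m.group("action") != "denied":
            continue
        t = TARGET_RE.search(line)
        denials.append(AvcDenial(
            comm=m.group("comm"),
            target=t.group(1) if t else None,
            source_type=context_type(m.group("scontext")),
            target_type=context_type(m.group("tcontext")),
            tclass=m.group("tclass"),
            perms=tuple(m.group("perms").split()),
        ))
    return denials


def allow_rule(d: AvcDenial) -> str:
    """The TE allow rule that would satisfy the denial, in the shape audit2allow prints."""
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {perms};"


def parse_sesearch(text: str) -> Dict[Rule, Set[str]]:
    """Collect the permissions granted per (source, target, class) from sesearch output."""
    rules: Dict[Rule, Set[str]] = {}
    for line in text.splitlines():
        m = SESEARCH_RE.match(line.strip())
        if m is None:
            continue
        src, tgt, cls, multi, single = m.groups()
        perms = set(multi.split()) if multi is not None else {single}
        rules.setdefault((src, tgt, cls), set()).update(perms)
    return rules


def triage(d: AvcDenial, rules: Dict[Rule, Set[str]]) -> str:
    """Next step, following steps 7 and 8: if the loaded policy already grants the
    denied permission, the allow rule is gated by a boolean or the object is
    mislabelled; otherwise no rule exists at all."""
    granted = rules.get((d.source_type, d.target_type, d.tclass), set())
    missing = [p for p in d.perms if p not in granted]
    if not missing:
        return (f"rule exists for {d.source_type} -> {d.target_type}:{d.tclass}; "
                "check booleans (getsebool -a) or relabel the object")
    return "no allow rule in policy; audit2allow would suggest: " + allow_rule(d)


if __name__ == "__main__":
    rules = parse_sesearch(SAMPLE_SESEARCH)
    for d in parse_avc_denials(SAMPLE_AUDIT_LOG):
        print(f"{d.comm} denied {d.perms} on {d.target} ({d.tclass}): {triage(d, rules)}")
```

On the first denial (user_home_t file, getattr) the loaded policy already contains the permission, so the script points at booleans, which is exactly where ftp_home_dir turns up in step 8; on the second (default_t dir, search, from step 20) the constructed rule set has nothing, so it prints the audit2allow-style rule instead.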
[root@sgzhang audit]# getsebool -a |grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_tftp_anon_write --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_enable_ftp_server --> off
tftpd_disable_trans --> off
Here ftp_home_dir --> off, and the type of root.txt happens to be root:object_r:user_home_t:s0, so changing this boolean should be enough.
9. Change the boolean:
[root@sgzhang audit]# setsebool -P ftp_home_dir 1
(-P writes the change to the policy store so it is still in effect after the next boot)
[root@sgzhang audit]# getsebool ftp_home_dir
ftp_home_dir --> on
Test a client login:
[root@sgzhang audit]# lftp localhost
lftp localhost:~> cd pub
cd ok, cwd=/pub
lftp localhost:/pub> ls
-rwxr-xr-x 1 0 0 7 Aug 23 12:35 root.txt
-rwxr-xr-x 1 0 0 12 Aug 23 12:19 test.txt
-rwxr-xr-x 1 0 0 910974 Aug 04 02:19 yum
10. From the process listing we know that the FTP service's subject (domain) after startup is ftpd_t. The following shows which object types that subject is allowed to access.
[root@sgzhang audit]# sesearch -a -s ftpd_t |head
Found 8989 av rules:
allow tftpd_t unconfined_t : process sigchld ;
allow tftpd_t unconfined_t : fd use ;
allow tftpd_t syslogd_t : unix_stream_socket connectto ;
allow tftpd_t syslogd_t : unix_dgram_socket sendto ;
allow tftpd_t var_lib_t : dir { ioctl read getattr lock search };
allow tftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search };
allow tftpd_t winbind_t : unix_stream_socket connectto ;
allow tftpd_t tftpdir_t : file { read getattr };
allow tftpd_t tftpdir_t : dir { read getattr search };
As shown, 8989 rules are defined for this subject; the lines above are a small part of them.
11. Since /var/ftp/pub/test.txt is accessible, the policy must contain an allow rule for it. The security context of /var/ftp/pub/test.txt is:
-rwxr-xr-x root root root:object_r:public_content_t:s0 /var/ftp/pub/test.txt
Use the command above to verify that the policy set contains such a rule:
[root@sgzhang audit]# sesearch -a -s ftpd_t -t public_content_t | head -n 4
Found 14 av rules:
allow ftpd_t public_content_t : file { ioctl read getattr lock };
allow ftpd_t public_content_t : dir { ioctl read getattr lock search };
allow ftpd_t public_content_t : lnk_file { read getattr };
12. Following the same reasoning, it is enough to change the security context of /var/ftp/pub/root.txt, which can be done with chcon. First revert the earlier boolean change:
[root@sgzhang audit]# setsebool -P ftp_home_dir 0
[root@sgzhang audit]# getsebool ftp_home_dir
ftp_home_dir --> off
[root@sgzhang audit]# ls /var/ftp/pub/root.txt -Z
-rwxr-xr-x root root root:object_r:user_home_t:s0 /var/ftp/pub/root.txt
[root@sgzhang audit]# chcon -t public_content_t /var/ftp/pub/root.txt
[root@sgzhang audit]# ls /var/ftp/pub/root.txt -Z
-rwxr-xr-x root root root:object_r:public_content_t:s0 /var/ftp/pub/root.txt
[root@sgzhang audit]# lftp localhost
lftp localhost:~> ls pub/root.txt
-rwxr-xr-x 1 0 0 7 Aug 23 12:35 root.txt
13. Once SELinux is enabled, every file on the system has a default security context. Since files created under /var/ftp/pub inherit it automatically, the goal is reached if files carrying a different security context also take on that inherited context. semanage shows the default security context defined for a directory or file:
[root@sgzhang pub]# semanage fcontext -l |grep /var/ftp
/var/ftp(/.*)? all files system_u:object_r:public_content_t:s0
/var/ftp/bin(/.*)? all files system_u:object_r:bin_t:s0
/var/ftp/etc(/.*)? all files system_u:object_r:etc_t:s0
/var/ftp/lib(64)?(/.*)? all files system_u:object_r:lib_t:s0
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* regular file system_u:object_r:ld_so_t:s0
/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)* regular file system_u:object_r:shlib_t:s0
/var/ftp/bin/ls regular file system_u:object_r:ls_exec_t:s0
14. The file that defines the default security contexts of directories and files on the system is:
[root@sgzhang files]# cat /etc/selinux/targeted/contexts/files/file_contexts |grep /var/ftp
/var/ftp(/.*)? system_u:object_r:public_content_t:s0
/var/ftp/bin(/.*)? system_u:object_r:bin_t:s0
/var/ftp/etc(/.*)? system_u:object_r:etc_t:s0
/var/ftp/lib(64)?(/.*)? system_u:object_r:lib_t:s0
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t:s0
/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
/var/ftp/bin/ls -- system_u:object_r:ls_exec_t:s0
15. Use restorecon to restore the system-defined security context:
[root@sgzhang pub]# ls -Z
-rwxr-xr-x root root root:object_r:user_home_t:s0 root.txt
-rwxr-xr-x root root root:object_r:public_content_t:s0 test.txt
[root@sgzhang pub]# restorecon -Rv /var/ftp/
restorecon reset /var/ftp/pub/root.txt context root:object_r:user_home_t:s0->system_u:object_r:public_content_t:s0
(R means recursive, v prints each operation on screen)
[root@sgzhang pub]# ls -Z
-rwxr-xr-x root root system_u:object_r:public_content_t:s0 root.txt
-rwxr-xr-x root root root:object_r:public_content_t:s0 test.txt
[root@sgzhang files]# cat /etc/selinux/targeted/contexts/files/file_contexts |grep /var/ftp
/var/ftp(/.*)? system_u:object_r:public_content_t:s0
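Steps 13 to 15 rely on two things: how a file_contexts entry is matched against a path, and what restorecon actually compares before relabelling. The Python below is an added example, not part of the original notes and not libselinux's or restorecon's own code. It loads a constructed copy of the /var/ftp entries from step 14, resolves the default label for a path, and reports which lines of an `ls -Z` listing restorecon would relabel. Its "last matching entry wins" rule is a stated simplification that gives the right answer for a generic-first file like this one; the comparison on the type field only is deliberate and explains why test.txt, whose user field is root rather than system_u, is left untouched in step 15.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample modelled on the file_contexts entries for /var/ftp shown above.
# The optional middle field is a file-type filter: "--" regular file, "-d" directory.
FILE_CONTEXTS = r"""
/var/ftp(/.*)?                            system_u:object_r:public_content_t:s0
/var/ftp/bin(/.*)?                        system_u:object_r:bin_t:s0
/var/ftp/etc(/.*)?                        system_u:object_r:etc_t:s0
/var/ftp/lib(64)?(/.*)?                   system_u:object_r:lib_t:s0
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)*   --  system_u:object_r:ld_so_t:s0
/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)*  --  system_u:object_r:shlib_t:s0
/var/ftp/bin/ls                           --  system_u:object_r:ls_exec_t:s0
"""

# Constructed sample: `ls -Z` of /var/ftp/pub before restorecon, as shown in step 15.
LS_Z_PUB = """\
-rwxr-xr-x root root root:object_r:user_home_t:s0 root.txt
-rwxr-xr-x root root root:object_r:public_content_t:s0 test.txt
"""

FTYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "char",
               "-b": "block", "-s": "socket", "-p": "fifo"}
LS_Z_RE = re.compile(r"^(\S+)\s+\S+\s+\S+\s+(\S+)\s+(.+)$")


def parse_file_contexts(text: str) -> List[tuple]:
    """Parse 'regex [type-flag] context' lines into (compiled anchored regex, flag, context)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, flag, ctx = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in FTYPE_FLAGS:
            regex, flag, ctx = fields
        else:
            raise ValueError(f"unparseable file_contexts line: {line!r}")
        # file_contexts regexes are implicitly anchored at both ends.
        entries.append((re.compile("^" + regex + "$"), flag, ctx))
    return entries


def default_context(entries: List[tuple], path: str, ftype: str = "file") -> Optional[str]:
    """Resolve the default label for path. Assumption of this example: the last
    matching entry wins, which is the outcome for a generic-first file_contexts
    such as the one above; entries with a type flag only apply to that file type."""
    chosen = None
    for rx, flag, ctx in entries:
        if flag is not None and FTYPE_FLAGS[flag] != ftype:
            continue
        if rx.match(path):
            chosen = ctx
    return chosen


def context_type(ctx: str) -> str:
    """Type field of user:role:type[:level]."""
    return ctx.split(":")[2]


def context_mismatches(entries: List[tuple], ls_z_output: str, directory: str) -> List[Tuple[str, str, str]]:
    """Emulate `restorecon -nv` over an `ls -Z` listing: report entries whose *type*
    differs from the default. Like restorecon without -F, the user and role fields
    are ignored, so root:object_r:public_content_t:s0 is not reported."""
    report = []
    for line in ls_z_output.splitlines():
        m = LS_Z_RE.match(line.strip())
        if m is None:
            continue
        mode, ctx, name = m.groups()
        path = directory.rstrip("/") + "/" + name
        want = default_context(entries, path, "dir" if mode.startswith("d") else "file")
        if want is not None and context_type(want) != context_type(ctx):
            report.append((path, ctx, want))
    return report


if __name__ == "__main__":
    entries = parse_file_contexts(FILE_CONTEXTS)
    for path, have, want in context_mismatches(entries, LS_Z_PUB, "/var/ftp/pub"):
        print(f"restorecon would reset {path} context {have}->{want}")
```

The type-only comparison is the practical caveat: after restorecon, root.txt carries system_u while test.txt keeps root as its user, exactly as the listing in step 15 shows, and both are accepted because the policy decides on the type. Pass -F to restorecon when the full context must match the default.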
16. Alternatively, chcon's --reference option also does the job:
[root@sgzhang pub]# ls -Z
-rwxr-xr-x root root system_u:object_r:user_home_t:s0 root.txt
-rwxr-xr-x root root root:object_r:public_content_t:s0 test.txt
[root@sgzhang pub]# chcon --reference /var/ftp/pub/test.txt /var/ftp/pub/root.txt
[root@sgzhang pub]# ls -Z
-rwxr-xr-x root root root:object_r:public_content_t:s0 root.txt
-rwxr-xr-x root root root:object_r:public_content_t:s0 test.txt
--reference copies the security context of the source (/var/ftp/pub/test.txt) to the destination (/var/ftp/pub/root.txt).
17. Create an account for testing:
[root@sgzhang pub]# useradd -d /zsgd -m zsgd
[root@sgzhang pub]# passwd zsgd (the password is aaa123)
Changing password for user zsgd.
New UNIX password:
BAD PASSWORD: it does not contain enough DIFFERENT characters
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
18. Log in to the FTP server with the new account. The login itself goes through, but operations such as ls fail:
[root@sgzhang pub]# lftp -u zsgd localhost
Password:
lftp zsgd@localhost:~> ls
ls: Login failed: 500 OOPS: cannot change directory:/zsgd
Now use the other log-collection tool, setroubleshoot, to investigate. First start the setroubleshoot daemon:
[root@sgzhang init.d]# /etc/init.d/setroubleshoot status
setroubleshootd is stopped
[root@sgzhang init.d]# /etc/init.d/setroubleshoot start
Starting setroubleshootd: [ OK ]
[root@sgzhang init.d]# /etc/init.d/setroubleshoot status
setroubleshootd (pid 6021) is running...
19. Log in as zsgd so that a log record is produced:
[root@sgzhang init.d]# lftp -u zsgd localhost
Password:
lftp zsgd@localhost:~> ls
ls: Login failed: 500 OOPS: cannot change directory:/zsgd
The following log entry is produced:
[root@sgzhang ~]# tail -f /var/log/messages |grep setroubleshoot
Aug 23 22:17:50 sgzhang setroubleshoot: SELinux is preventing access
to files with the default label, default_t. For complete SELinux messages.
run sealert -l ba5ee7cd-2d06-4dc7-9ee8-364332d90eb2
20. The log says to run sealert -l ba5ee7cd-2d06-4dc7-9ee8-364332d90eb2 for the details:
[root@sgzhang ~]# sealert -l ba5ee7cd-2d06-4dc7-9ee8-364332d90eb2 (partial output below)
Host Name sgzhang
Platform Linux sgzhang 2.6.18-164.el5PAE #1 SMP Thu Sep 3
04:10:44 EDT 2009 i686 i686
Alert Count 5
First Seen Sun Aug 22 20:23:59 2010
Last Seen Mon Aug 23 22:17:50 2010
Local ID ba5ee7cd-2d06-4dc7-9ee8-364332d90eb2
Line Numbers
Raw Audit Messages
host=sgzhang type=AVC msg=audit(1282573070.455:1056): avc: denied { search } for pid=6130
comm="vsftpd" name="zsgd" dev=sda1 ino=9591650 scontext=root:system_r:ftpd_t:s0 tcontext=system_u:
object_r:default_t:s0 tclass=dir
host=sgzhang type=SYSCALL msg=audit(1282573070.455:1056): arch=40000003 syscall=12 success=
no exit=-13 a0=8ac0530 a1=1a1b a2=1b68fc a3=bfa1f014 items=0 ppid=6126 pid=6130 auid=0 uid=0
gid=0 euid=6683 suid=6683 fsuid=6683 egid=6683 sgid=6683 fsgid=6683 tty=(none) ses=9 comm="vsftpd"
exe="/usr/sbin/vsftpd" subj=root:system_r:ftpd_t:s0 key=(null)
21. Yet the policy already allows the ftpd_t subject to access default_t objects, as shown:
[root@sgzhang ~]# sesearch -a -s ftpd_t |grep default |tail -n 5
allow ftpd_t default_t : dir { ioctl read getattr lock search };
allow ftpd_t default_t : lnk_file { read create getattr setattr unlink link rename };
allow ftpd_t default_t : lnk_file { ioctl read getattr lock };
allow ftpd_t default_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename };
allow ftpd_t default_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename };
22. In this situation the booleans need to be checked; booleans are a supplement to the policy. It turns out a boolean already defines FTP access to home directories as disabled:
[root@sgzhang ~]# getsebool -a |grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_tftp_anon_write --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_enable_ftp_server --> off
tftpd_disable_trans --> off
23. Change the boolean:
[root@sgzhang ~]# setsebool -P ftp_home_dir 1
[root@sgzhang ~]# getsebool ftp_home_dir
ftp_home_dir --> on
Test:
[root@sgzhang ~]# lftp -u zsgd localhost
Password:
lftp zsgd@localhost:~> ls -a
drwx------ 4 6683 6683 4096 Aug 23 14:10 .
drwxr-xr-x 34 0 0 4096 Aug 23 14:10 ..
-rw-r--r-- 1 6683 6683 33 Aug 23 14:10 .bash_logout
-rw-r--r-- 1 6683 6683 176 Aug 23 14:10 .bash_profile
-rw-r--r-- 1 6683 6683 124 Aug 23 14:10 .bashrc
24. How to turn off SELinux protection for a subject. First review the current FTP booleans:
[root@sgzhang ~]# getsebool -a |grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_tftp_anon_write --> off
ftp_home_dir --> on
ftpd_connect_db --> off
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_enable_ftp_server --> off
tftpd_disable_trans --> off
25. Disable the domain transition for the ftpd subject:
[root@sgzhang ~]# setsebool -P ftpd_disable_trans 1
[root@sgzhang ~]# getsebool -a |grep ftpd_disable_trans
ftpd_disable_trans --> on
Restart the subject concerned:
[root@sgzhang ~]# service vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
The subject's type has changed:
[root@sgzhang ~]# ps -efZ |grep vsftpd
root:system_r:initrc_t:s0 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
26. Test:
[root@sgzhang ~]# lftp -u zsgd localhost
Password:
lftp zsgd@localhost:~> ls
lftp zsgd@localhost:~> ls -a
drwx------ 4 6683 6683 4096 Aug 23 14:10 .
drwxr-xr-x 34 0 0 4096 Aug 23 14:10 ..
-rw-r--r-- 1 6683 6683 33 Aug 23 14:10 .bash_logout
-rw-r--r-- 1 6683 6683 176 Aug 23 14:10 .bash_profile
-rw-r--r-- 1 6683 6683 124 Aug 23 14:10 .bashrc
-rw-r--r-- 1 6683 6683 515 Aug 23 14:10 .emacs
drwxr-xr-x 3 6683 6683 4096 Aug 23 14:10 .kde
drwxr-xr-x 4 6683 6683 4096 Aug 23 14:10 .mozilla
-rw-r--r-- 1 6683 6683 658 Aug 23 14:10 .zshrc
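Steps 24 to 26 show the price of the shortcut: with ftpd_disable_trans on, vsftpd runs as initrc_t and the ftpd policy no longer applies to it at all, which is a different thing from granting one boolean such as ftp_home_dir. A defender reviewing a host wants to see exactly which booleans are on and which of them remove or widen confinement. The Python below is an added example, not part of the original notes: it parses getsebool output, diffs two snapshots, and flags the booleans that are on. The two snapshots are constructed from the listings on this page (before and after step 25, with the Samba boolean from step 40 added), and the RISKY_WHEN_ON table is an assumption built from the booleans named here, with the effect each one is shown to have on this page.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: `getsebool -a` lines as listed in step 24 (before step 25 ran).
BOOLS_BEFORE = """\
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_disable_trans --> off
ftpd_is_daemon --> on
samba_export_all_rw --> off
"""

# Constructed sample: the same listing after step 25 and the samba change in step 40.
BOOLS_AFTER = """\
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_disable_trans --> on
ftpd_is_daemon --> on
samba_export_all_rw --> on
"""

# Booleans whose "on" state widens a confined domain's reach, with the effect this page
# demonstrates for them. Assumption of this example, not policy metadata: extend it from
# `semanage boolean -l` on your own system.
RISKY_WHEN_ON: Dict[str, str] = {
    "ftpd_disable_trans": "vsftpd no longer transitions to ftpd_t and runs as initrc_t (step 25)",
    "tftpd_disable_trans": "tftpd no longer transitions to its confined domain",
    "allow_ftpd_full_access": "ftpd is allowed far more than the public_content_t tree",
    "ftp_home_dir": "ftpd may enter user home directories (steps 9 and 23)",
    "samba_export_all_ro": "smbd may read shares whatever their label, e.g. default_t (step 39)",
    "samba_export_all_rw": "smbd may read and write shares whatever their label (step 40)",
}

BOOL_LINE_RE = re.compile(r"^(\S+)\s+-->\s+(on|off)$")


def parse_getsebool(text: str) -> Dict[str, bool]:
    """Turn `getsebool -a` output into {name: is_on}; any other line is an error."""
    bools: Dict[str, bool] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BOOL_LINE_RE.match(line)
        if m is None:
            raise ValueError(f"not a getsebool line: {line!r}")
        bools[m.group(1)] = (m.group(2) == "on")
    return bools


def risky_booleans(bools: Dict[str, bool]) -> List[Tuple[str, str]]:
    """Booleans that are on and that the table above marks as widening access, in listing order."""
    return [(name, RISKY_WHEN_ON[name])
            for name, on in bools.items() if on and name in RISKY_WHEN_ON]


def boolean_changes(before: Dict[str, bool], after: Dict[str, bool]) -> Dict[str, Tuple[bool, bool]]:
    """Booleans whose value differs between two snapshots; a missing name counts as off."""
    names = sorted(set(before) | set(after))
    return {n: (before.get(n, False), after.get(n, False))
            for n in names if before.get(n, False) != after.get(n, False)}


if __name__ == "__main__":
    before, after = parse_getsebool(BOOLS_BEFORE), parse_getsebool(BOOLS_AFTER)
    for name, (old, new) in boolean_changes(before, after).items():
        print(f"{name}: {'on' if old else 'off'} -> {'on' if new else 'off'}")
    for name, why in risky_booleans(after):
        print(f"WARNING {name} is on: {why}")
```

Taking a snapshot of `getsebool -a` before a change and diffing it afterwards is also the quickest way to undo exactly what was flipped while troubleshooting, which step 12 does by hand with setsebool -P ftp_home_dir 0.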
27. A common problem: after the directory holding the web pages is moved, the pages' security context no longer matches the httpd subject and the pages cannot be accessed. The same applies to files under a path that an Alias points to.
[root@sgzhang html]# echo test_httpd > index.html
[root@sgzhang html]# cd
[root@sgzhang ~]# pwd
/root
[root@sgzhang ~]# echo test_httpd > index2.html
[root@sgzhang ~]# mv index2.html /var/www/html/
[root@sgzhang ~]# cd /var/www/html/
[root@sgzhang html]# ls -Z
-rw------- root root root:object_r:user_home_t:s0 index2.html
-rw------- root root root:object_r:httpd_sys_content_t:s0 index.html
[root@sgzhang html]# chmod 755 *
[root@sgzhang html]# ls -Z
-rwxr-xr-x root root root:object_r:user_home_t:s0 index2.html
-rwxr-xr-x root root root:object_r:httpd_sys_content_t:s0 index.html
Alias example:
Alias /docs/ "/usr/share/doc/"
<Directory "/usr/share/doc">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
#
Alias /spool/ "/var/spool/"
<Directory "/var/spool">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
32. Reason for /docs/:
[root@sgzhang spool]# ls -Z /usr/share/doc/ |head -n 3
drwxr-xr-x root root system_u:object_r:usr_t:s0 a2ps-4.13b
drwxr-xr-x root root system_u:object_r:usr_t:s0 aalib-1.4.0
drwxr-xr-x root root system_u:object_r:usr_t:s0 acl-2.2.39
[root@sgzhang spool]# sesearch -a -s httpd_t -t usr_t
Found 4 av rules:
allow httpd_t usr_t : file { ioctl read getattr lock };
allow httpd_t usr_t : dir { ioctl read getattr lock search };
dontaudit httpd_t usr_t : dir { ioctl read write getattr lock add_name remove_name search };
allow httpd_t usr_t : lnk_file { ioctl read getattr lock };
33. Reason for /spool/:
[root@sgzhang spool]# ls -Z /var/spool/
drwxr-xr-x root root system_u:object_r:system_cron_spool_t:s0 anacron
drwx------ daemon daemon system_u:object_r:cron_spool_t:s0 at
drwxr-xr-x daemon daemon system_u:object_r:var_spool_t:s0 authdaemon
drwxrwx--- smmsp smmsp system_u:object_r:mqueue_spool_t:s0 clientmqueue
[root@sgzhang var]# sesearch -a -s httpd_t -t system_cron_spool_t
No corresponding rule is found here.
34. Shared directories:
[root@sgzhang var]# cat /etc/samba/smb.conf |tail -n 10
[data]
path = /data
public = yes
writable = yes
[back]
path = /disk2/temp
public = yes
writable = yes
35. The smb processes are started; check their domain:
[root@sgzhang var]# ps -efZ |grep smb
root:system_r:smbd_t:s0 root 8955 1 0 Aug23 ? 00:00:00 smbd -D
root:system_r:smbd_t:s0 root 8959 8955 0 Aug23 ? 00:00:00 smbd -D
root:system_r:smbd_t:s0 root 9060 8955 0 00:02 ? 00:00:00 smbd -D
Security context of the shared directories:
[root@sgzhang var]# ls -Z /disk2/|grep temp
drwxrwxrwx root root system_u:object_r:default_t:s0 temp
[root@sgzhang var]# ls -Z / |grep data
drwxrwxrwx root root system_u:object_r:default_t:s0 data
37. Troubleshooting:
[root@sgzhang var]# sesearch -a -s smbd_t -t default_t
Found 8 av rules:
dontaudit smbd_t default_t : dir getattr ;
allow smbd_t default_t : file { ioctl read getattr lock };
allow smbd_t default_t : file { ioctl read write create getattr setattr lock append unlink link rename };
allow smbd_t default_t : dir { ioctl read getattr lock search };
allow smbd_t default_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name
The permissions are allowed by the policy.
38. Check the booleans:
[root@sgzhang var]# getsebool -a |grep samba
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_share_fusefs --> off
samba_share_nfs --> off
use_samba_home_dirs --> off
virt_use_samba --> off
Here both ro and rw are disabled; this is where the problem lies.
39. Change and test: the share can now be read, but the write permission defined in smb.conf still cannot be used:
[root@sgzhang var]# setsebool -P samba_export_all_ro 1
[root@sgzhang var]# getsebool samba_export_all_ro
samba_export_all_ro --> on
40. Change again and test: it now works:
[root@sgzhang temp]# setsebool -P samba_export_all_rw 1
[root@sgzhang temp]# getsebool samba_export_all_rw
samba_export_all_rw --> on