linux下的selinux安全阻止问题及解决方案
<br />今天搭建好FTP后,我用创建的linux用户不能登陆,回显的结果是:<br />500 OOPS: cannot change directory:/home/linux<br />查了下原因,原来是SElinux的配置问题,SELinux阻止vsftp用户访问主目录<br />下面是解决方法:<br />如果启用了SELinux,则本地用户通过ftp访问服务器时,将会发生如下错误:<
今天搭建好FTP后,我用创建的linux用户不能登陆,回显的结果是:
500 OOPS: cannot change directory:/home/linux
查了下原因,原来是SElinux的配置问题,SELinux阻止vsftp用户访问主目录
下面是解决方法:
如果启用了SELinux,则本地用户通过ftp访问服务器时,将会发生如下错误:
500 OOPS: cannot change directory:/home/user
Login failed.
在系统日志中也可以看到如下信息:
[root@web ~]# tail /var/log/messages
Sep 5 08:30:59 web setroubleshoot: SELinux is preventing the ftp daemon from reading users home directories (./home). For complete SELinux messages. run sealert -l 81cf3268-4d97-449a-9949-3a08ceef49b6
按照其中所述,运行
[root@web ~]# sealert -l 81cf3268-4d97-449a-9949-3a08ceef49b6
Summary:
SELinux is preventing the ftp daemon from reading users home directories (./home).
Detailed Description:
SELinux has denied the ftp daemon access to users home directories (./home). Someone is attempting to login via your ftp daemon to a user account. If you only setup ftp to allow anonymous ftp, this could signal a intrusion attempt.
Allowing Access:
If you want ftp to allow users access to their home directories you need to turn on the ftp_home_dir boolean: "setsebool -P ftp_home_dir=1"
The following command will allow this access:
setsebool -P ftp_home_dir=1
按照其中描述,执行该命令:
[root@web ~]# setsebool -P ftp_home_dir=1
之后本地用户就可以用FTP登录该服务器了。
=================================================================================
下面是SELINUX -- setsebool的常用设置
===ftp===
//If you want to share files anonymously
chcon -R -t public_content_t /var/ftp
//If you want to setup a directory where you can upload files
chcon -t public_content_rw_t /var/ftp/incoming
You must also turn on the boolean allow_ftpd_anon_write
setsebool -P allow_ftpd_anon_write=1
//If you are setting up this machine as a ftpd server and wish to allow users to access their home directorories
setsebool -P ftp_home_dir 1
//If you want to run ftpd as a daemon
setsebool -P ftpd_is_daemon 1
//You can disable SELinux protection for the ftpd daemon
setsebool -P ftpd_disable_trans 1
===httpd===
//If you want a particular domain to write to the public_content_rw_t domain
setsebool -P allow_httpd_anon_write=1
or
setsebool -P allow_httpd_sys_script_anon_write=1
//httpd can be setup to allow cgi scripts to be executed
setsebool -P httpd_enable_cgi 1
//If you want to allow access to users home directories
setsebool -P httpd_enable_homedirs 1
chcon -R -t httpd_sys_content_t ~user/public_html
//httpd is allowed access to the controling terminal
setsebool -P httpd_tty_comm 1
//such that one httpd service can not interfere with another
setsebool -P httpd_unified 0
//loadable modules run under the same context as httpd
setsebool -P httpd_builtin_scripting 0
//httpd scripts are allowed to connect out to the network
setsebool -P httpd_can_network_connect 1
// You can disable suexec transition
setsebool -P httpd_suexec_disable_trans 1
//You can disable SELinux protection for the httpd daemon by executing
setsebool -P httpd_disable_trans 1
service httpd restart
===named===
//If you want to have named update the master zone files
setsebool -P named_write_master_zones 1
//You can disable SELinux protection for the named daemon by executing
setsebool -P named_disable_trans 1
service named restart
===nfs===
//If you want to setup this machine to share nfs partitions read only
setsebool -P nfs_export_all_ro 1
//If you want to share files read/write
setsebool -P nfs_export_all_rw 1
//If you want to use a remote NFS server for the home directories on this machine
setsebool -P use_nfs_home_dirs 1
===samba===
//If you want to share files other than home directorie
chcon -t samba_share_t /directory
//If you want to share files with multiple domains
setsebool -P allow_smbd_anon_write=1
//If you are setting up this machine as a Samba server and wish to share the home directories
setsebool -P samba_enable_home_dirs 1
//If you want to use a remote Samba server for the home directories on this machine
setsebool -P use_samba_home_dirs 1
//You can disable SELinux protection for the samba daemon by executing
setsebool -P smbd_disable_trans 1
service smb restart
===rsync===
//If you want to share files using the rsync daemon
chcon -t public_content_t /directories
//If you want to share files with multiple domains
setsebool -P allow_rsync_anon_write=1
//You can disable SELinux protection for the rsync daemon by executing
setsebool -P rsync_disable_trans 1
===kerberos===
//allow your system to work properly in a Kerberos environment
setsebool -P allow_kerberos 1
//If you are running Kerberos daemons kadmind or krb5kdc
setsebool -P krb5kdc_disable_trans 1
service krb5kdc restart
setsebool -P kadmind_disable_trans 1
service kadmind restart
===nis===
Allow your system to work properly in a NIS environment
setsebool -P allow_ypbind 1
更多推荐
所有评论(0)