# yum install vsftpd
Loaded plugins: fastestmirror, priorities, refresh-packagekit, security
Loading mirror speeds from cached hostfile
* base: ftp.iij.ad.jp
* extras: centos.usonyx.net
* jpackage: ftp.heanet.ie
* updates: centos.usonyx.net
212 packages excluded due to repository priority protections
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package vsftpd.x86_64 0:2.2.2-14.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
vsftpd x86_64 2.2.2-14.el6 base 152 k
Transaction Summary
================================================================================
Install 1 Package(s)
Total download size: 152 k
Installed size: 332 k
Is this ok [y/N]: y
Downloading Packages:
vsftpd-2.2.2-14.el6.x86_64.rpm | 152 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : vsftpd-2.2.2-14.el6.x86_64 1/1
Verifying : vsftpd-2.2.2-14.el6.x86_64 1/1
Installed:
vsftpd.x86_64 0:2.2.2-14.el6
Complete!
# service vsftpd status
vsftpd は停止しています
# chkconfig vsftpd on
# chkconfig --list vsftpd
vsftpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
# service vsftpd start
vsftpd 用の vsftpd を起動中: [ OK ]
# service vsftpd status
vsftpd (pid 4705) を実行中...
C:\WINDOWS\system32>ftp chef-client-selinux.openam.net
chef-client-selinux.openam.net に接続しました。
220 (vsFTPd 2.2.2)
200 Always in UTF8 mode.
ユーザー (chef-client-selinux.openam.net:(none)): goodjob
331 Please specify the password.
パスワード:
500 OOPS: cannot change directory:/home/goodjob
500 OOPS: priv_sock_get_cmd
接続がリモート ホストによって閉じられました。
ftp> quit
# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off
# setsebool -P ftp_home_dir on
# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off
C:\WINDOWS\system32>ftp chef-client-selinux.openam.net
chef-client-selinux.openam.net に接続しました。
220 (vsFTPd 2.2.2)
200 Always in UTF8 mode.
ユーザー (chef-client-selinux.openam.net:(none)): goodjob
331 Please specify the password.
パスワード:
230 Login successful.
ftp> quit
# cd /usr/share/selinux/devel
# audit2allow -i /var/log/audit/audit.log -m vsftpd
~~ ここから ~~
# Type-enforcement module emitted by `audit2allow -m vsftpd` from the whole
# /var/log/audit/audit.log. Because the input was not filtered to the ftpd
# domain, the module bundles every AVC denial present in the log, including
# the cupsd_t and locate_t sections below that have nothing to do with FTP.
# The FTP login already succeeded once `ftp_home_dir` was enabled
# (setsebool -P ftp_home_dir on), before this module was generated, so none
# of the ftpd_t rules here were required for that fix. The later
# `audit2allow -M vsftp` run presumably builds vsftp.pp from the same
# unfiltered log; restrict the input first (e.g.
# `grep ftpd_t /var/log/audit/audit.log | audit2allow -M vsftp`) and review
# each rule before `semodule -i`, since an installed module stays in effect
# until it is explicitly removed.
module vsftpd 1.0;
# Every type and object class referenced by the allow rules below has to be
# declared here; the list is this long only because unrelated domains were
# swept in from the shared audit log.
require {
type slapd_t;
type bluetooth_conf_t;
type system_cron_spool_t;
type portreserve_etc_t;
type initrc_t;
type initrc_tmp_t;
type adjtime_t;
type insmod_t;
type locate_t;
type syslog_conf_t;
type postfix_master_t;
type httpd_config_t;
type modules_conf_t;
type etc_aliases_t;
type cupsd_t;
type NetworkManager_var_lib_t;
type udev_t;
type selinux_config_t;
type nscd_t;
type hald_t;
type ftpd_t;
type prelink_cache_t;
type auditd_etc_t;
class process signull;
class dir { read getattr };
class file { getattr open };
}
# Unrelated to vsftpd: cupsd_t sending signull to other daemon domains.
# These denials came from the same audit log, not from the FTP test.
#============= cupsd_t ==============
allow cupsd_t hald_t:process signull;
allow cupsd_t initrc_t:process signull;
allow cupsd_t insmod_t:process signull;
allow cupsd_t nscd_t:process signull;
allow cupsd_t postfix_master_t:process signull;
allow cupsd_t slapd_t:process signull;
allow cupsd_t udev_t:process signull;
# ftpd_t getattr/read probes against configuration directories and files
# outside its own scope. audit2allow marks each one as coverable by the
# broad 'allow_ftpd_full_access' boolean; neither that boolean nor these
# rules were needed for the login to succeed once ftp_home_dir was on, so
# they widen the ftpd_t domain for no functional gain and are best dropped.
#============= ftpd_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ftpd_full_access'
allow ftpd_t NetworkManager_var_lib_t:dir getattr;
#!!!! This avc can be allowed using the boolean 'allow_ftpd_full_access'
allow ftpd_t adjtime_t:file getattr;
#!!!! This avc can be allowed using the boolean 'allow_ftpd_full_access'
allow ftpd_t auditd_etc_t:dir getattr;
#!!!! This avc can be allowed using the boolean 'allow_ftpd_full_access'
allow ftpd_t bluetooth_conf_t:dir getattr;
#!!!! This avc can be allowed using the boolean 'allow_ftpd_full_access'
allow ftpd_t etc_aliases_t:file getattr;
#!!!! This avc can be allowed using the boolean 'allow_ftpd_full_access'
allow ftpd_t httpd_config_t:dir getattr;
#!!!! This avc can be allowed using the boolean 'allow_ftpd_full_access'
allow ftpd_t modules_conf_t:dir getattr;
#!!!! This avc can be allowed using the boolean 'allow_ftpd_full_access'
allow ftpd_t portreserve_etc_t:dir getattr;
#!!!! This avc can be allowed using the boolean 'allow_ftpd_full_access'
allow ftpd_t prelink_cache_t:file getattr;
#!!!! This avc can be allowed using the boolean 'allow_ftpd_full_access'
allow ftpd_t selinux_config_t:dir read;
#!!!! This avc can be allowed using the boolean 'allow_ftpd_full_access'
allow ftpd_t syslog_conf_t:dir getattr;
#!!!! This avc can be allowed using the boolean 'allow_ftpd_full_access'
allow ftpd_t syslog_conf_t:file getattr;
#!!!! This avc can be allowed using the boolean 'allow_ftpd_full_access'
allow ftpd_t system_cron_spool_t:dir getattr;
#!!!! This avc can be allowed using the boolean 'allow_ftpd_full_access'
allow ftpd_t system_cron_spool_t:file getattr;
# Unrelated to vsftpd: locate_t opening an initrc temporary file.
#============= locate_t ==============
allow locate_t initrc_tmp_t:file open;
~~ ここまで ~~
# audit2allow -i /var/log/audit/audit.log -M vsftp
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i vsftp.pp
# ls -l vsftp.*
-rw-r--r--. 1 root root 4732 12月 30 23:48 2015 vsftp.pp
-rw-r--r--. 1 root root 2638 12月 30 23:48 2015 vsftp.te
# semodule -i vsftp.pp
# semodule -l | grep vsftp
vsftp 1.0