httpd、vsftpd 和烦人的 selinux

tag-icon tag-icon httpd centos6 selinux ftp
httpd、vsftpd 和烦人的 selinux

我安装了 CentOS 6.3 并httpd正在运行,vsftpd但我无法平衡用户通过 ftp 上传和其网站运行之间的权限。

我做什么:

I create a user with their home directory as `/home/username` 
I create a sub folder called `html` for their website
I chown their directory `chown -R username:apache /home/username`
I chmod their directory `chmod -R 750 /home/username`
I chcon their directory `chcon -R -t httpd_sys_rw_content_t /home/username`

他们的网站加载正常,但无法进行 FTP,但如果我执行以下操作,他们可以使用 FTP,但他们的网站无法加载:

chcon -R -t user_home_dir_t /home/username

如果我禁用 selinux,用户可以使用 ftp,并且网站可以加载。那么保留 selinux 的答案是什么?

编辑

有趣的是,我按照 Michael 的以下评论操作,然后运行restorecon,它就成功了。但后来我重新启动,现在 vsftp 正常,httpd 可以正常读取,但 httpd 无法写入。

这是我的ls -Z回应

drwxr-x---. itmanx apache unconfined_u:object_r:user_home_dir_t:s0 itmanx

这些是设置的布尔值

allow_console_login                         on
allow_daemons_dump_core                     on
allow_daemons_use_tty                       on
allow_domain_fd_use                         on
allow_execmem                               on
allow_execmod                               on
allow_execstack                             on
allow_gssd_read_tmp                         on
allow_kerberos                              on
allow_mount_anyfile                         on
allow_nsplugin_execmem                      on
allow_postfix_local_write_mail_spool        on
allow_staff_exec_content                    on
allow_sysadm_exec_content                   on
allow_user_exec_content                     on
allow_zebra_write_config                    on
ftp_home_dir                                on
httpd_builtin_scripting                     on
httpd_can_network_connect_db                on
httpd_can_sendmail                          on
httpd_dbus_avahi                            on
httpd_enable_cgi                            on
httpd_enable_homedirs                       on
httpd_tty_comm                              on
httpd_unified                               on
init_upstart                                on
nscd_use_shm                                on
nsplugin_can_network                        on
openvpn_enable_homedirs                     on
privoxy_connect_any                         on
qemu_full_network                           on
qemu_use_cifs                               on
qemu_use_nfs                                on
qemu_use_usb                                on
sepgsql_enable_users_ddl                    on
sepgsql_unconfined_dbadm                    on
spamd_enable_home_dirs                      on
squid_connect_any                           on
unconfined_login                            on
use_nfs_home_dirs                           on
user_direct_dri                             on
user_ping                                   on
user_rw_noexattrfile                        on
user_setrlimit                              on
virt_use_sysfs                              on
virt_use_usb                                on
xguest_connect_network                      on
xguest_mount_media                          on
xguest_use_bluetooth                        on

审计日志

type=SYSCALL msg=audit(1350111166.254:3204): arch=40000003 syscall=4 success=yes exit=2 a0=1 a1=b778e000 a2=2 a3=2 items=0 ppid=4114 pid=4119 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=96 comm="bash" exe="/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1350111180.584:3205): avc:  denied  { write } for  pid=2376 comm="httpd" name="cache" dev=dm-2 ino=11012856 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1350111180.584:3205): arch=40000003 syscall=10 success=no exit=-13 a0=b5ef0e64 a1=3234 a2=b776cad8 a3=b5ef0e64 items=0 ppid=2372 pid=2376 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1350111180.584:3206): avc:  denied  { write } for  pid=2376 comm="httpd" name="logs" dev=dm-2 ino=11012903 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1350111180.584:3206): arch=40000003 syscall=5 success=no exit=-13 a0=b5e6fcfc a1=442 a2=1b6 a3=b5e6fcfc items=0 ppid=2372 pid=2376 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1350111180.586:3207): avc:  denied  { write } for  pid=2376 comm="httpd" name="cache" dev=dm-2 ino=11012856 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1350111180.586:3207): arch=40000003 syscall=10 success=no exit=-13 a0=b5ef0e64 a1=3234 a2=b776cad8 a3=b5ef0e64 items=0 ppid=2372 pid=2376 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1350111180.586:3208): avc:  denied  { write } for  pid=2376 comm="httpd" name="logs" dev=dm-2 ino=11012903 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1350111180.586:3208): arch=40000003 syscall=5 success=no exit=-13 a0=b5e6b9a0 a1=442 a2=1b6 a3=b5e6b9a0 items=0 ppid=2372 pid=2376 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1350111180.586:3209): avc:  denied  { write } for  pid=2376 comm="httpd" name="cache" dev=dm-2 ino=11012856 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1350111180.586:3209): arch=40000003 syscall=5 success=no exit=-13 a0=b5f05f5c a1=241 a2=1b6 a3=b5f05f5c items=0 ppid=2372 pid=2376 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1350111180.587:3210): avc:  denied  { write } for  pid=2376 comm="httpd" name="logs" dev=dm-2 ino=11012903 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1350111180.587:3210): arch=40000003 syscall=5 success=no exit=-13 a0=b5e6d9d0 a1=442 a2=1b6 a3=b5e6d9d0 items=0 ppid=2372 pid=2376 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1350111180.587:3211): avc:  denied  { write } for  pid=2376 comm="httpd" name="logs" dev=dm-2 ino=11012903 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1350111180.587:3211): arch=40000003 syscall=5 success=no exit=-13 a0=b5e6d9d0 a1=442 a2=1b6 a3=b5e6d9d0 items=0 ppid=2372 pid=2376 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1350111180.587:3212): avc:  denied  { write } for  pid=2376 comm="httpd" name="logs" dev=dm-2 ino=11012903 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1350111180.587:3212): arch=40000003 syscall=5 success=no exit=-13 a0=b5e6d9d0 a1=442 a2=1b6 a3=b5e6d9d0 items=0 ppid=2372 pid=2376 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1350111180.588:3213): avc:  denied  { write } for  pid=2376 comm="httpd" name="cache" dev=dm-2 ino=11012856 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1350111180.588:3213): arch=40000003 syscall=10 success=no exit=-13 a0=b5ef0e64 a1=3430 a2=b776cad8 a3=b5ef0e64 items=0 ppid=2372 pid=2376 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1350111180.588:3214): avc:  denied  { write } for  pid=2376 comm="httpd" name="logs" dev=dm-2 ino=11012903 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1350111180.588:3214): arch=40000003 syscall=5 success=no exit=-13 a0=b5e6d9d0 a1=442 a2=1b6 a3=b5e6d9d0 items=0 ppid=2372 pid=2376 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1350111180.592:3215): avc:  denied  { write } for  pid=2376 comm="httpd" name="cache" dev=dm-2 ino=11012856 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1350111180.592:3215): arch=40000003 syscall=10 success=no exit=-13 a0=b5ef0e64 a1=3234 a2=b776cad8 a3=b5ef0e64 items=0 ppid=2372 pid=2376 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1350111180.592:3216): avc:  denied  { write } for  pid=2376 comm="httpd" name="logs" dev=dm-2 ino=11012903 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1350111180.592:3216): arch=40000003 syscall=5 success=no exit=-13 a0=b5e6af14 a1=442 a2=1b6 a3=b5e6af14 items=0 ppid=2372 pid=2376 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1350111180.593:3217): avc:  denied  { write } for  pid=2376 comm="httpd" name="cache" dev=dm-2 ino=11012856 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1350111180.593:3217): arch=40000003 syscall=10 success=no exit=-13 a0=b5ef0e64 a1=3234 a2=b776cad8 a3=b5ef0e64 items=0 ppid=2372 pid=2376 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1350111180.593:3218): avc:  denied  { write } for  pid=2376 comm="httpd" name="logs" dev=dm-2 ino=11012903 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1350111180.593:3218): arch=40000003 syscall=5 success=no exit=-13 a0=b5e6aaf0 a1=442 a2=1b6 a3=b5e6aaf0 items=0 ppid=2372 pid=2376 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1350111180.594:3219): avc:  denied  { write } for  pid=2376 comm="httpd" name="cache" dev=dm-2 ino=11012856 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1350111180.594:3219): arch=40000003 syscall=5 success=no exit=-13 a0=b5f05f5c a1=241 a2=1b6 a3=b5f05f5c items=0 ppid=2372 pid=2376 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

答案1

以上都不是。

设置 SELinux 布尔值允许 httpd 和 vsftpd 访问用户主目录。

setsebool -P httpd_enable_homedirs on
setsebool -P ftp_home_dir on

在你搞砸了所有事情之后,你可能需要修复混乱的安全上下文:

restorecon -r -v /home

相关内容