
Custom SELinux Policy (Part 2)

  1. Denial records are stored in /var/log/audit/audit.log.
    [root@ip180 ~]# echo '' > /var/log/audit/audit.log 
    [root@ip180 ~]# /etc/init.d/auditd restart
    Stopping auditd:                                           [  OK  ]
    Starting auditd:                                           [  OK  ]
    
  2. Open the web page and perform the web action that SELinux previously restricted; at this point it should work normally.
     <run the sudo from web>
    
  3. Check audit.log.
    [root@ip180 ~]# tail /var/log/audit/audit.log 
    
    type=DAEMON_END msg=audit(1404221420.181:5879): auditd normal halt, sending auid=0
     pid=1615 subj=unconfined_u:system_r:initrc_t:s0 res=success
    type=DAEMON_START msg=audit(1404221420.352:2229): auditd start, ver=2.2 format=raw
     kernel=2.6.32-279.el6.i686 auid=0 pid=1635 subj=unconfined_u:system_r:auditd_t:s0 res=success
    type=CONFIG_CHANGE msg=audit(1404221420.468:101): audit_backlog_limit=320 old=320
     auid=0 ses=2 subj=unconfined_u:system_r:auditctl_t:s0 res=1
    type=AVC msg=audit(1404221427.100:102): avc:  denied  { setuid } for  pid=1646 comm="sudo"
     capability=7  scontext=system_u:system_r:httpd_sys_script_t:s0
     tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability
    type=SYSCALL msg=audit(1404221427.100:102): arch=40000003 syscall=208 success=yes
     exit=0 a0=0 a1=ffffffff a2=ffffffff a3=d0 items=0 ppid=1645 pid=1646 auid=4294967295
     uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
     comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
    type=AVC msg=audit(1404221427.101:103): avc:  denied  { setgid } for  pid=1646 comm="sudo"
     capability=6  scontext=system_u:system_r:httpd_sys_script_t:s0
     tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability
    type=SYSCALL msg=audit(1404221427.101:103): arch=40000003 syscall=210 success=no exit=-1
     a0=ffffffff a1=0 a2=ffffffff a3=d2 items=0 ppid=1645 pid=1646 auid=4294967295 uid=0
     gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sudo"
     exe="/usr/bin/sudo" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
    
  4. Use audit2allow -w -a to see why the access was denied: -a reads all audit logs, and -w produces a human-readable explanation.
    [root@ip180 ~]# audit2allow -w -a
    type=AVC msg=audit(1404221427.101:103): avc:  denied  { setgid } for  pid=1646 comm="sudo"
     capability=6  scontext=system_u:system_r:httpd_sys_script_t:s0
     tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability
    	Was caused by:
    		Missing type enforcement (TE) allow rule.
    
    		You can use audit2allow to generate a loadable module to allow this access.
    
    type=AVC msg=audit(1404221427.100:102): avc:  denied  { setuid } for  pid=1646 comm="sudo"
     capability=7  scontext=system_u:system_r:httpd_sys_script_t:s0
     tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability
    	Was caused by:
    		Missing type enforcement (TE) allow rule.
    
    		You can use audit2allow to generate a loadable module to allow this access.
    
  5. Run audit2allow -a to obtain the policy that would allow this denied access.
    [root@ip180 ~]# audit2allow -a
    
    
    #============= httpd_sys_script_t ==============
    allow httpd_sys_script_t self:capability { setuid setgid };
    
  6. Generate the SELinux allow policy module.
    [root@ip180 ~]# audit2allow -a -M mycertwatch
    ******************** IMPORTANT ***********************
    To make this policy package active, execute:
    
    semodule -i mycertwatch.pp
    
  7. View the generated module.
    [root@ip180 ~]# ll mycertwatch*
    -rw-r--r--. 1 root root 885 Jul  1 09:39 mycertwatch.pp
    -rw-r--r--. 1 root root 211 Jul  1 09:39 mycertwatch.te
    
  8. Install the newly generated SELinux policy module.
    [root@ip180 ~]# semodule -i mycertwatch.pp
    
  9. Query the installed SELinux modules.
    [root@ip180 ~]# semodule -l | grep mycert
    mycertwatch	1.0
    
  10. The policy above allows only the denial recorded so far; running the action again may produce new denials. Repeat the same steps until it works.
    [root@ip180 ~]# audit2allow -a -M mycertwatch2
    ******************** IMPORTANT ***********************
    To make this policy package active, execute:
    
    semodule -i mycertwatch2.pp
    
    [root@ip180 ~]# semodule -i mycertwatch2.pp
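
The following is an added example and is not part of the original page or of audit2allow. It shows how the allow rule printed by audit2allow -a in step 5 follows from the raw AVC records in step 3, and adds a review step that flags rules granting process capabilities before `semodule -i` is run. The function names `avc_to_rules` and `review_rules` and the sample audit records are constructed for this example (the records are modelled on the page's output, written one per line as they appear in a real audit.log); it handles only the simple case shown on this page, so audit2allow itself should still be used on real logs.

```shell
#!/bin/sh
# Added example, not from the original page: reconstruct the TE allow rule
# that audit2allow -a prints from AVC denial records, then flag rules that
# grant process capabilities so the .te file gets reviewed before semodule -i.
# Function names and the sample records below are constructed for this example.

# Constructed audit records modelled on the page's output (real audit.log
# records are one line each; the page wraps them for display).
AUDIT_SAMPLE='type=AVC msg=audit(1404221427.100:102): avc:  denied  { setuid } for  pid=1646 comm="sudo" capability=7  scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability
type=SYSCALL msg=audit(1404221427.100:102): arch=40000003 syscall=208 success=yes exit=0 comm="sudo" exe="/usr/bin/sudo"
type=AVC msg=audit(1404221427.101:103): avc:  denied  { setgid } for  pid=1646 comm="sudo" capability=6  scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability'

# avc_to_rules: read audit records on stdin and print one allow rule per
# (source type, target type, object class), merging the denied permissions.
# Only the simple case audit2allow handles on this page is covered.
avc_to_rules() {
  grep '^type=AVC ' | grep ' denied ' |
  sed -n 's/.*denied *{ *\([^}]*\)}.*scontext=[^:]*:[^:]*:\([^: ]*\).*tcontext=[^:]*:[^:]*:\([^: ]*\).*tclass=\([^ ]*\).*/\2 \3 \4 \1/p' |
  awk '{
    # fields: source type, target type, class, then the denied permissions
    key = $1 " " $2 " " $3
    if (!(key in perms)) { perms[key] = ""; keys[++n] = key }
    for (i = 4; i <= NF; i++)
      if (!seen[key, $i]++) perms[key] = perms[key] " " $i
  }
  END {
    for (j = 1; j <= n; j++) {
      split(keys[j], f, " ")
      # a rule whose source and target type match is written with "self"
      tgt = (f[1] == f[2]) ? "self" : f[2]
      printf "allow %s %s:%s {%s };\n", f[1], tgt, f[3], perms[keys[j]]
    }
  }'
}

# review_rules: print the rules on stdin that grant process capabilities
# (class capability or capability2). audit2allow -a allows whatever was
# denied, so such rules deserve a look before the module is installed.
review_rules() {
  grep -E '^allow .*:capability2? '
}

rules=$(printf '%s\n' "$AUDIT_SAMPLE" | avc_to_rules)
printf 'Rules derived from the AVC records:\n%s\n\n' "$rules"
printf 'Rules granting capabilities (review before semodule -i):\n'
printf '%s\n' "$rules" | review_rules || true
```

Run on the sample records this prints `allow httpd_sys_script_t self:capability { setuid setgid };`, the same rule the page obtains in step 5, and lists it again under the review heading. That rule lets every CGI script running in httpd_sys_script_t use the setuid and setgid capabilities, not only the sudo call that triggered the denial, which is why reading the generated .te file (step 7) before `semodule -i` is worth the extra minute.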
    



De-Yu Wang 2020-05-19