next up previous contents
Next: 自訂 SELinux 政策三 Up: CHROOT Previous: 自訂 SELinux 政策一   Contents

自訂 SELinux 政策二

  1. 拒絕的紀錄存放在 /var/log/audit/audit.log。
    [root@ip180 ~]# echo '' > /var/log/audit/audit.log 
    [root@ip180 ~]# /etc/init.d/auditd restart
    Stopping auditd:                                           [  OK  ]
    Starting auditd:                                           [  OK  ]
    
  2. 打開網頁執行原被 SELinux 限制的網頁動作,此時應可正常工作。
     <run the sudo from web>
    
  3. 查看 audit.log。
    [root@ip180 ~]# tail /var/log/audit/audit.log 
    
    type=DAEMON_END msg=audit(1404221420.181:5879): auditd normal halt, sending auid=0 pid=1615 subj=unconfined_u:system_r:initrc_t:s0 res=success
    type=DAEMON_START msg=audit(1404221420.352:2229): auditd start, ver=2.2 format=raw kernel=2.6.32-279.el6.i686 auid=0 pid=1635 subj=unconfined_u:system_r:auditd_t:s0 res=success
    type=CONFIG_CHANGE msg=audit(1404221420.468:101): audit_backlog_limit=320 old=320 auid=0 ses=2 subj=unconfined_u:system_r:auditctl_t:s0 res=1
    type=AVC msg=audit(1404221427.100:102): avc:  denied  { setuid } for  pid=1646 comm="sudo" capability=7  scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability
    type=SYSCALL msg=audit(1404221427.100:102): arch=40000003 syscall=208 success=yes exit=0 a0=0 a1=ffffffff a2=ffffffff a3=d0 items=0 ppid=1645 pid=1646 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
    type=AVC msg=audit(1404221427.101:103): avc:  denied  { setgid } for  pid=1646 comm="sudo" capability=6  scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability
    type=SYSCALL msg=audit(1404221427.101:103): arch=40000003 syscall=210 success=no exit=-1 a0=ffffffff a1=0 a2=ffffffff a3=d2 items=0 ppid=1645 pid=1646 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
    
  4. 使用 audit2allow -w -a 查看拒絕的原因,-a 表示所有 audit logs,-w 產生讓人容易讀的敘述。
    [root@ip180 ~]# audit2allow -w -a
    type=AVC msg=audit(1404221427.101:103): avc:  denied  { setgid } for  pid=1646 comm="sudo" capability=6  scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability
    	Was caused by:
    		Missing type enforcement (TE) allow rule.
    
    		You can use audit2allow to generate a loadable module to allow this access.
    
    type=AVC msg=audit(1404221427.100:102): avc:  denied  { setuid } for  pid=1646 comm="sudo" capability=7  scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability
    	Was caused by:
    		Missing type enforcement (TE) allow rule.
    
    		You can use audit2allow to generate a loadable module to allow this access.
    
  5. 執行 audit2allow -a 得知允許此拒絕的政策。
    [root@ip180 ~]# audit2allow -a
    
    
    #============= httpd_sys_script_t ==============
    allow httpd_sys_script_t self:capability { setuid setgid };
    
  6. 產生 SELinux 允許的政策模組。
    [root@ip180 ~]# audit2allow -a -M mycertwatch
    ******************** IMPORTANT ***********************
    To make this policy package active, execute:
    
    semodule -i mycertwatch.pp
    
  7. 查看產生的模組。
    [root@ip180 ~]# ll mycertwatch*
    -rw-r--r--. 1 root root 885 Jul  1 09:39 mycertwatch.pp
    -rw-r--r--. 1 root root 211 Jul  1 09:39 mycertwatch.te
    
  8. 加入新產生的 SELinux 政策模組。
    [root@ip180 ~]# semodule -i mycertwatch.pp
    
  9. 查詢 SELinux 模組
    [root@ip180 ~]# semodule -l | grep mycert
    mycertwatch	1.0
    
  10. 上述的政策允許某一拒絕,執行時可能還會出現新的拒絕。依同樣的方式再做一次,直到可以為止。
    [root@ip180 ~]# audit2allow -a -M mycertwatch2
    ******************** IMPORTANT ***********************
    To make this policy package active, execute:
    
    semodule -i mycertwatch2.pp
    
    [root@ip180 ~]# semodule -i mycertwatch2.pp
    



2018-03-08