Configure SELinux to allow OpenLDAP on CentOS 6.4

I am trying to run an OpenLDAP server on CentOS 6.4 with SELinux enabled, but slapd dies as soon as it is started via /etc/init.d/slapd start. (The init script reports OK; everything works fine after setenforce 0.)

In /var/log/audit/audit.log I find these messages:

    type=AVC msg=audit(1372888328.397:3262): avc: denied { write } for pid=1492 comm="slapd" name="slapd.log" dev=dm-0 ino=4348 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
    type=SYSCALL msg=audit(1372888328.397:3262): arch=40000003 syscall=5 success=no exit=-13 a0=1bd1018 a1=241 a2=1b6 a3=7ea191 items=0 ppid=1491 pid=1492 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=337 comm="slapd" exe="/usr/sbin/slapd" subj=unconfined_u:system_r:slapd_t:s0 key=(null)
    type=AVC msg=audit(1372888328.408:3263): avc: denied { sys_nice } for pid=1492 comm="slapd" capability=23 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:system_r:slapd_t:s0 tclass=capability
    type=SYSCALL msg=audit(1372888328.408:3263): arch=40000003 syscall=156 success=yes exit=0 a0=5d4 a1=0 a2=bfe64968 a3=b787a6c0 items=0 ppid=1491 pid=1492 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=337 comm="slapd" exe="/usr/sbin/slapd" subj=unconfined_u:system_r:slapd_t:s0 key=(null)
    type=AVC msg=audit(1372888328.424:3264): avc: denied { read } for pid=1493 comm="slapd" name="log.0000000001" dev=dm-0 ino=263969 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
    type=SYSCALL msg=audit(1372888328.424:3264): arch=40000003 syscall=5 success=no exit=-13 a0=1c78270 a1=8000 a2=0 a3=0 items=0 ppid=1 pid=1493 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=337 comm="slapd" exe="/usr/sbin/slapd" subj=unconfined_u:system_r:slapd_t:s0 key=(null)

That, however, leaves me unsure how to fix the problem. How do I tell SELinux to allow the LDAP daemon to run?


I tried

    restorecon -v -F -R /etc/openldap
    restorecon -v -F -R /var/lib/ldap

but that did not work (in fact, it seems to have broken my ability to start slapd even with SELinux disabled). There were lots of messages like

    restorecon reset /etc/openldap/cacerts context unconfined_u:object_r:etc_t:s0->system_u:object_r:etc_t:s0

If you filter the audit log through audit2allow(1) and audit2why, you get a rough idea of what is going on:

    #============= slapd_t ==============
    allow slapd_t self:capability sys_nice;
    allow slapd_t var_log_t:file { write read };
    ------------------------------------
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.
    type=AVC msg=audit(1372888328.408:3263): avc: denied { sys_nice } for pid=1492 comm=slapd capability=23 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:system_r:slapd_t:s0 tclass=capability
        Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.
    type=AVC msg=audit(1372888328.424:3264): avc: denied { read } for pid=1493 comm=slapd name=log.0000000001 dev=dm-0 ino=263969 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
        Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

Check the labels

If SELinux is in permissive mode, restoring labels is unlikely to stop you from starting the service. Also, why the -F switch?

To find out whether you need to restore the labels of a directory or file, first look up the context the file or directory is supposed to have:

    # matchpathcon /etc/openldap/
    /etc/openldap   system_u:object_r:etc_t:s0

Then list its actual security context:

    # ls -ldZ /etc/openldap/
    drwxr-xr-x. root root system_u:object_r:etc_t:s0 /etc/openldap/

In this example, no further action is needed.

As for your problem, the issue is not the labels themselves but a missing type enforcement rule, e.g. a rule that allows a labeled process to transition from one confined domain to another, or to read files carrying a specific label.

Create an SELinux module

You could try building a module that allows slapd_t to perform the operations seen in audit.log. Your code will most likely need further tweaking. Use audit2allow for this task. All of the commands are well documented in their respective manual pages. The process looks roughly like this (copy the relevant messages into audit.txt):

    audit2allow -i audit.txt -m slapd -o slapd.te
    make -f /usr/share/selinux/devel/Makefile load

Also, check whether a bug report against the SELinux policy already exists.
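The answer's workflow feeds the audit records to audit2allow and loads whatever it produces. As an added example (not code from the question or the answer), the Python script below does the first half of that job by hand: it turns AVC denial records into the same TE allow rules audit2allow prints, and flags rules that grant access to a generic type such as var_log_t, where relabeling the file is often the better fix than widening the domain. The sample records are the ones quoted in the question; GENERIC_TYPES is an assumed reviewer watch-list, not policy data.

```python
import re

# Constructed sample: the three AVC records quoted in the question, one per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1372888328.397:3262): avc: denied { write } for pid=1492 comm="slapd" name="slapd.log" dev=dm-0 ino=4348 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1372888328.408:3263): avc: denied { sys_nice } for pid=1492 comm="slapd" capability=23 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:system_r:slapd_t:s0 tclass=capability
type=AVC msg=audit(1372888328.424:3264): avc: denied { read } for pid=1493 comm="slapd" name="log.0000000001" dev=dm-0 ino=263969 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
"""

# Only AVC records matter; SYSCALL records carry no context or permission fields.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumption: a reviewer's watch-list of broad object types. A denial against one
# of these often means the file is mislabeled (here slapd's logs carry var_log_t)
# and relabeling beats granting the domain access to the whole type.
GENERIC_TYPES = {"var_log_t", "etc_t", "var_t", "tmp_t"}

def type_of(context):
    """Return the type (third field) of a user:role:type:level context."""
    return context.split(":")[2]

def parse_avc(log_text):
    """Yield (source_type, target_type, tclass, [perms]) per AVC denial record."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield type_of(m["scon"]), type_of(m["tcon"]), m["tclass"], m["perms"].split()

def allow_rules(log_text):
    """Merge denials into TE allow rules as audit2allow presents them: one rule per
    (source, target, class), 'self' when both types match, perms in first-seen order."""
    merged = {}
    for src, tgt, tclass, perms in parse_avc(log_text):
        seen = merged.setdefault((src, "self" if tgt == src else tgt, tclass), [])
        for p in perms:
            if p not in seen:
                seen.append(p)
    rules = []
    for (src, target, tclass), perms in sorted(merged.items()):  # stable output
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {target}:{tclass} {body};")
    return rules

def needs_review(rules):
    """Return the generated rules that grant access to a generic type."""
    return [r for r in rules if any(f" {t}:" in r for t in GENERIC_TYPES)]
```

Running allow_rules(SAMPLE_AUDIT) reproduces the two rules shown in the audit2allow output above, and needs_review singles out the var_log_t rule for a second look before the module is loaded.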