调试 chdir(2) 系统调用的权限失败

我经常在 Linux 上遇到各种文件系统权限问题，而启用 SELinux 之后情况又更复杂了。我在寻找一种通用的方法来调试这类问题。

在我的具体情况下，有一个 chdir(2) 系统调用失败了（strace 输出）：

chdir("/var/log/httpd") = -1 EACCES (Permission denied) 

用 ftrace 的 function_graph 我能得到更详细的内核函数调用图，但其中缺少参数和返回值：

 # trace-cmd record -p function_graph -g sys_enter_chdir -P 26510 # trace-cmd report [...] smbd-26510 [001] 10861828.204161: funcgraph_entry: | sys_chdir() { smbd-26510 [001] 10861828.204162: funcgraph_entry: | user_path_at() { smbd-26510 [001] 10861828.204162: funcgraph_entry: | getname() { smbd-26510 [001] 10861828.204163: funcgraph_entry: | kmem_cache_alloc() { smbd-26510 [001] 10861828.204163: funcgraph_entry: 0.447 us | _cond_resched(); smbd-26510 [001] 10861828.204165: funcgraph_exit: 1.784 us | } smbd-26510 [001] 10861828.204165: funcgraph_entry: | strncpy_from_user() { smbd-26510 [001] 10861828.204166: funcgraph_entry: 0.454 us | _cond_resched(); smbd-26510 [001] 10861828.204167: funcgraph_exit: 1.473 us | } smbd-26510 [001] 10861828.204167: funcgraph_exit: 4.926 us | } smbd-26510 [001] 10861828.204168: funcgraph_entry: | filename_lookup() { smbd-26510 [001] 10861828.204168: funcgraph_entry: | path_init() { smbd-26510 [001] 10861828.204169: funcgraph_entry: 0.725 us | _read_lock(); smbd-26510 [001] 10861828.204170: funcgraph_exit: 1.928 us | } smbd-26510 [001] 10861828.204171: funcgraph_entry: | path_walk() { smbd-26510 [001] 10861828.204171: funcgraph_entry: | __link_path_walk() { smbd-26510 [001] 10861828.204172: funcgraph_entry: | acl_permission_check() { smbd-26510 [001] 10861828.204173: funcgraph_entry: | ext4_check_acl() { smbd-26510 [001] 10861828.204174: funcgraph_entry: 0.612 us | ext4_get_acl(); smbd-26510 [001] 10861828.204175: funcgraph_exit: 1.807 us | } smbd-26510 [001] 10861828.204175: funcgraph_entry: | in_group_p() { smbd-26510 [001] 10861828.204176: funcgraph_entry: 0.770 us | groups_search(); smbd-26510 [001] 10861828.204177: funcgraph_exit: 1.826 us | } smbd-26510 [001] 10861828.204177: funcgraph_exit: 5.527 us | } smbd-26510 [001] 10861828.204178: funcgraph_entry: | security_inode_permission() { smbd-26510 [001] 10861828.204179: funcgraph_entry: | selinux_inode_permission() { smbd-26510 [001] 10861828.204180: funcgraph_entry: | 
inode_has_perm() { smbd-26510 [001] 10861828.204180: funcgraph_entry: | avc_has_perm() { smbd-26510 [001] 10861828.204181: funcgraph_entry: 1.443 us | avc_has_perm_noaudit(); smbd-26510 [001] 10861828.204183: funcgraph_entry: 0.593 us | avc_audit(); smbd-26510 [001] 10861828.204184: funcgraph_exit: 3.735 us | } smbd-26510 [001] 10861828.204184: funcgraph_exit: 4.892 us | } smbd-26510 [001] 10861828.204185: funcgraph_exit: 5.910 us | } smbd-26510 [001] 10861828.204185: funcgraph_exit: 7.219 us | } smbd-26510 [001] 10861828.204186: funcgraph_entry: | do_lookup() { smbd-26510 [001] 10861828.204187: funcgraph_entry: | __d_lookup() { smbd-26510 [001] 10861828.204208: funcgraph_entry: + 19.857 us | _spin_lock(); smbd-26510 [001] 10861828.204210: funcgraph_exit: + 23.168 us | } smbd-26510 [001] 10861828.204210: funcgraph_entry: | follow_managed() { smbd-26510 [001] 10861828.204211: funcgraph_entry: | lookup_mnt() { smbd-26510 [001] 10861828.204211: funcgraph_entry: 0.496 us | _spin_lock(); smbd-26510 [001] 10861828.204212: funcgraph_entry: 1.007 us | __lookup_mnt(); smbd-26510 [001] 10861828.204214: funcgraph_exit: 3.066 us | } smbd-26510 [001] 10861828.204215: funcgraph_entry: 0.601 us | dput(); smbd-26510 [001] 10861828.204216: funcgraph_exit: 5.659 us | } smbd-26510 [001] 10861828.204217: funcgraph_exit: + 30.543 us | } smbd-26510 [001] 10861828.204218: funcgraph_entry: 0.519 us | dput(); smbd-26510 [001] 10861828.204219: funcgraph_entry: 0.485 us | mntput_no_expire(); smbd-26510 [001] 10861828.204220: funcgraph_entry: | acl_permission_check() { smbd-26510 [001] 10861828.204221: funcgraph_entry: | ext4_check_acl() { smbd-26510 [001] 10861828.204221: funcgraph_entry: 0.751 us | ext4_get_acl(); smbd-26510 [001] 10861828.204222: funcgraph_exit: 1.660 us | } smbd-26510 [001] 10861828.204223: funcgraph_entry: | in_group_p() { smbd-26510 [001] 10861828.204223: funcgraph_entry: 0.530 us | groups_search(); smbd-26510 [001] 10861828.204224: funcgraph_exit: 1.455 us | } 
smbd-26510 [001] 10861828.204225: funcgraph_exit: 4.949 us | } smbd-26510 [001] 10861828.204225: funcgraph_entry: | security_inode_permission() { smbd-26510 [001] 10861828.204226: funcgraph_entry: | selinux_inode_permission() { smbd-26510 [001] 10861828.204226: funcgraph_entry: | inode_has_perm() { smbd-26510 [001] 10861828.204227: funcgraph_entry: | avc_has_perm() { smbd-26510 [001] 10861828.204228: funcgraph_entry: 0.849 us | avc_has_perm_noaudit(); smbd-26510 [001] 10861828.204229: funcgraph_entry: 0.496 us | avc_audit(); smbd-26510 [001] 10861828.204230: funcgraph_exit: 2.754 us | } smbd-26510 [001] 10861828.204231: funcgraph_exit: 4.186 us | } smbd-26510 [001] 10861828.204231: funcgraph_exit: 5.159 us | } smbd-26510 [001] 10861828.204231: funcgraph_exit: 6.132 us | } smbd-26510 [001] 10861828.204232: funcgraph_entry: | do_lookup() { smbd-26510 [001] 10861828.204232: funcgraph_entry: | __d_lookup() { smbd-26510 [001] 10861828.204234: funcgraph_entry: 0.451 us | _spin_lock(); smbd-26510 [001] 10861828.204235: funcgraph_exit: 2.446 us | } smbd-26510 [001] 10861828.204235: funcgraph_entry: 0.503 us | follow_managed(); smbd-26510 [001] 10861828.204236: funcgraph_exit: 4.343 us | } smbd-26510 [001] 10861828.204237: funcgraph_entry: 0.462 us | dput(); smbd-26510 [001] 10861828.204238: funcgraph_entry: | acl_permission_check() { smbd-26510 [001] 10861828.204239: funcgraph_entry: | ext4_check_acl() { smbd-26510 [001] 10861828.204239: funcgraph_entry: 0.579 us | ext4_get_acl(); smbd-26510 [001] 10861828.204240: funcgraph_exit: 1.484 us | } smbd-26510 [001] 10861828.204241: funcgraph_entry: | in_group_p() { smbd-26510 [001] 10861828.204241: funcgraph_entry: 0.481 us | groups_search(); smbd-26510 [001] 10861828.204242: funcgraph_exit: 1.383 us | } smbd-26510 [001] 10861828.204243: funcgraph_exit: 4.479 us | } smbd-26510 [001] 10861828.204243: funcgraph_entry: | security_inode_permission() { smbd-26510 [001] 10861828.204244: funcgraph_entry: | selinux_inode_permission() { 
smbd-26510 [001] 10861828.204244: funcgraph_entry: | inode_has_perm() { smbd-26510 [001] 10861828.204245: funcgraph_entry: | avc_has_perm() { smbd-26510 [001] 10861828.204245: funcgraph_entry: 0.786 us | avc_has_perm_noaudit(); smbd-26510 [001] 10861828.204246: funcgraph_entry: 0.461 us | avc_audit(); smbd-26510 [001] 10861828.204247: funcgraph_exit: 2.638 us | } smbd-26510 [001] 10861828.204248: funcgraph_exit: 3.814 us | } smbd-26510 [001] 10861828.204248: funcgraph_exit: 4.727 us | } smbd-26510 [001] 10861828.204249: funcgraph_exit: 5.647 us | } smbd-26510 [001] 10861828.204249: funcgraph_entry: | do_lookup() { smbd-26510 [001] 10861828.204250: funcgraph_entry: | __d_lookup() { smbd-26510 [001] 10861828.204253: funcgraph_entry: 0.451 us | _spin_lock(); smbd-26510 [001] 10861828.204254: funcgraph_exit: 4.645 us | } smbd-26510 [001] 10861828.204255: funcgraph_entry: 0.466 us | follow_managed(); smbd-26510 [001] 10861828.204256: funcgraph_exit: 6.492 us | } smbd-26510 [001] 10861828.204257: funcgraph_entry: | path_to_nameidata() { smbd-26510 [001] 10861828.204257: funcgraph_entry: 0.466 us | dput(); smbd-26510 [001] 10861828.204258: funcgraph_exit: 1.402 us | } smbd-26510 [001] 10861828.204272: funcgraph_exit: + 87.715 us | } smbd-26510 [001] 10861828.204273: funcgraph_entry: | path_put() { smbd-26510 [001] 10861828.204273: funcgraph_entry: 0.508 us | dput(); smbd-26510 [001] 10861828.204274: funcgraph_entry: 0.481 us | mntput_no_expire(); smbd-26510 [001] 10861828.204275: funcgraph_exit: 2.544 us | } smbd-26510 [001] 10861828.204276: funcgraph_exit: ! 105.077 us | } smbd-26510 [001] 10861828.204276: funcgraph_entry: | path_put() { smbd-26510 [001] 10861828.204277: funcgraph_entry: 0.462 us | dput(); smbd-26510 [001] 10861828.204277: funcgraph_entry: 0.459 us | mntput_no_expire(); smbd-26510 [001] 10861828.204278: funcgraph_exit: 2.270 us | } smbd-26510 [001] 10861828.204279: funcgraph_exit: ! 
111.221 us | } smbd-26510 [001] 10861828.204279: funcgraph_entry: | putname() { smbd-26510 [001] 10861828.204280: funcgraph_entry: | final_putname() { smbd-26510 [001] 10861828.204280: funcgraph_entry: 0.567 us | kmem_cache_free(); smbd-26510 [001] 10861828.204281: funcgraph_exit: 1.499 us | } smbd-26510 [001] 10861828.204282: funcgraph_exit: 2.431 us | } smbd-26510 [001] 10861828.204282: funcgraph_exit: ! 120.501 us | } smbd-26510 [001] 10861828.204283: funcgraph_entry: | inode_permission() { smbd-26510 [001] 10861828.204283: funcgraph_entry: | generic_permission() { smbd-26510 [001] 10861828.204284: funcgraph_entry: | acl_permission_check() { smbd-26510 [001] 10861828.204285: funcgraph_entry: | in_group_p() { smbd-26510 [001] 10861828.204285: funcgraph_entry: 0.533 us | groups_search(); smbd-26510 [001] 10861828.204286: funcgraph_exit: 1.416 us | } smbd-26510 [001] 10861828.204286: funcgraph_exit: 2.570 us | } smbd-26510 [001] 10861828.204287: funcgraph_entry: | capable() { smbd-26510 [001] 10861828.204287: funcgraph_entry: | security_capable() { smbd-26510 [001] 10861828.204288: funcgraph_entry: | selinux_capable() { smbd-26510 [001] 10861828.204288: funcgraph_entry: 0.463 us | cap_capable(); smbd-26510 [001] 10861828.204289: funcgraph_exit: 1.390 us | } smbd-26510 [001] 10861828.204290: funcgraph_exit: 2.409 us | } smbd-26510 [001] 10861828.204290: funcgraph_exit: 3.351 us | } smbd-26510 [001] 10861828.204291: funcgraph_entry: | capable() { smbd-26510 [001] 10861828.204291: funcgraph_entry: | security_capable() { smbd-26510 [001] 10861828.204292: funcgraph_entry: | selinux_capable() { smbd-26510 [001] 10861828.204292: funcgraph_entry: 0.451 us | cap_capable(); smbd-26510 [001] 10861828.204293: funcgraph_exit: 1.349 us | } smbd-26510 [001] 10861828.204293: funcgraph_exit: 2.232 us | } smbd-26510 [001] 10861828.204294: funcgraph_exit: 3.114 us | } smbd-26510 [001] 10861828.204294: funcgraph_exit: + 10.922 us | } smbd-26510 [001] 10861828.204295: funcgraph_exit: + 
12.024 us | } smbd-26510 [001] 10861828.204295: funcgraph_entry: | path_put() { smbd-26510 [001] 10861828.204296: funcgraph_entry: 0.455 us | dput(); smbd-26510 [001] 10861828.204297: funcgraph_entry: 0.455 us | mntput_no_expire(); smbd-26510 [001] 10861828.204297: funcgraph_exit: 2.243 us | } smbd-26510 [001] 10861828.204298: funcgraph_exit: ! 136.819 us | } [...] 

现在说说实际问题。我有一台启用 SELinux 并处于 enforcing 模式的 RHEL 6.5 64 位机器。我想通过一个只读的 Samba 共享来导出 httpd 日志。我尝试用以下命令给 Apache 和 Samba 授予相应的访问权限：

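 # The three commands were collapsed onto one line; run them separately.
 #
 # Boolean: let httpd write to public_content_rw_t. It is only needed because the
 # relabel below moves the log tree out of httpd_log_t, and it widens what httpd
 # (and anything running inside it) may write beyond what a read-only Samba
 # export of the logs requires.
 setsebool -P allow_httpd_anon_write=1
 # Relabel the whole log tree as public_content_rw_t. That label is meant for
 # content shared read/write with several network services, so the logs become
 # readable by more than just smbd. For a read-only share the narrower grant is
 # to keep httpd_log_t and enable the samba_export_all_ro boolean instead
 # (check availability with: getsebool -a | grep samba_export).
 semanage fcontext -a -t public_content_rw_t '/var/log/httpd(/.*)?'
 restorecon -R /var/log/httpd
 # Whatever the SELinux label, the DAC mode/owner of /var/log/httpd must still
 # grant search (x) to the Unix user smbd switches to for the session.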

这个共享对应的 Samba 配置是：

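 [apache-logs]
     path = /var/log/httpd/
     ; Clients get a read-only share. This only restricts what SMB clients may do;
     ; smbd itself still needs DAC search (x) permission on /var/log/httpd for the
     ; user it impersonates, plus an SELinux type it may read, before the chdir
     ; into the share can succeed.
     writable = no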

这个 chdir(2) 的拒绝没有记录在 SELinux 审计日志 /var/log/audit/audit.log 中。任何帮助都将不胜感激。

SELinux 中的某些拒绝（有时令人沮丧）不会出现在审计日志里，因为策略里的 dontaudit 规则把它们静默掉了。

我想知道，如果你运行 `semanage dontaudit off` 之后再重现问题，是否仍然没有任何审计记录出现。

这会重新构建策略，使原本被 dontaudit 规则抑制的拒绝也被审计。注意，长期保持这个状态会产生大量噪音日志，排查完毕后请用 `semanage dontaudit on` 恢复。

还要注意，DAC（传统文件系统权限）会在 MAC（这里是 SELinux）之前检查，所以如果目标路径本身、或路径中的某一级目录因为属主或权限位而不允许访问，你根本不会得到任何 SELinux 日志。你的 ftrace 输出看起来正是这种情况（返回值未显示，以下是从调用图推断的）：路径遍历的每一级都在 acl_permission_check() 之后进入了 security_inode_permission()/selinux_inode_permission()，而最后对目标目录的 inode_permission() → generic_permission() 调用里，acl_permission_check() 之后连续调用了两次 capable()，然后就直接返回，没有再进入 security_inode_permission()。在这个内核版本里，只有 DAC 检查失败才会走到 capable() 去尝试 CAP_DAC_OVERRIDE/CAP_DAC_READ_SEARCH，而两次都试过说明都没通过——也就是说这个 EACCES 很可能来自 DAC，而不是 SELinux。请检查 /var/log/httpd 本身的属主和权限（RHEL 上默认是 root:root 0700），以及 smbd 为这次 SMB 会话切换到的 Unix 用户是否对它有搜索（x）权限。

另外，搜索审计日志时请使用 ausearch。能覆盖所有归属于 SELinux 的记录类型的命令是：

 # Add -ts recent (or -ts today) to limit the time window, and -i to interpret
 # numeric uids/syscall numbers in the output.
 ausearch -m avc -m user_avc -m selinux_err 

avc 报告标准的 SELinux 权限拒绝（策略不允许某个访问）；user_avc 报告用户空间 AVC 的拒绝，比如来自 dbus 或 systemd；selinux_err 报告策略层面的错误，比如类型转换本身是允许的，但角色不允许该类型，或者角色允许，但 SELinux 用户不允许进入该角色。

在 SELinux 中，角色和用户常常被忽略，因为它们通常用得不多，但问题也很可能正是出在它们身上。

所以，如果你怀疑问题与 SELinux 相关，这些命令有助于定位问题。

为了排除疑虑（仅限于安全要求允许这么做的系统），可以运行 `setenforce 0` 把 SELinux 切换到 permissive 模式——它并不会禁用 SELinux，只是不再拒绝访问、但仍然记录拒绝——然后重试以确定问题是否与 SELinux 相关；这也是收集 AVC 记录的好时机。完成后记得 `setenforce 1` 恢复 enforcing，尽量把 permissive 的窗口控制到最短。不过要注意，即便在 permissive 模式下，"策略本身"的问题仍然会失败，比如策略在运行时试图设置不存在的标签；而 permissive 下依旧失败则更说明问题出在 DAC 或其它地方。