Allow httpd in /usr/bin/

Migrating a system from CentOS 6 to RHEL 7, with SELinux running in enforcing mode. A PHP script calls /usr/bin/processdata.sh to generate some data in the background. This worked fine on the old system, but with SELinux set to enforcing the PHP call chokes.

Here are the permissions of the sh script:

    -rwxrwx--x. root root unconfined_u:object_r:bin_t:s0 /usr/bin/process_data.sh

This audit error is seen at the same time the PHP page is called:

    ausearch -l -i | grep httpd

    type=SYSCALL msg=audit(02/27/2016 14:07:52.662:23480) : arch=x86_64 syscall=socket success=no exit=-97(Address family not supported by protocol) a0=inet6 a1=SOCK_DGRAM a2=ip a3=0x672e76656473626e items=0 ppid=15686 pid=3852 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
    type=AVC msg=audit(02/27/2016 14:07:52.662:23480) : avc: denied { module_request } for pid=3852 comm=httpd kmod="net-pf-10" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

Here are my current httpd booleans:

    httpd_can_network_relay            (off , off)  Allow httpd to can network relay
    httpd_can_connect_mythtv           (off , off)  Allow httpd to can connect mythtv
    httpd_can_network_connect_db       (off , off)  Allow httpd to can network connect db
    httpd_use_gpg                      (off , off)  Allow httpd to use gpg
    httpd_dbus_sssd                    (off , off)  Allow httpd to dbus sssd
    httpd_enable_cgi                   (on  , on )  Allow httpd to enable cgi
    httpd_verify_dns                   (off , off)  Allow httpd to verify dns
    httpd_dontaudit_search_dirs        (off , off)  Allow httpd to dontaudit search dirs
    httpd_anon_write                   (off , off)  Allow httpd to anon write
    httpd_use_cifs                     (off , off)  Allow httpd to use cifs
    httpd_enable_homedirs              (off , off)  Allow httpd to enable homedirs
    httpd_unified                      (off , off)  Allow httpd to unified
    httpd_mod_auth_pam                 (off , off)  Allow httpd to mod auth pam
    httpd_run_stickshift               (off , off)  Allow httpd to run stickshift
    httpd_use_fusefs                   (off , off)  Allow httpd to use fusefs
    httpd_can_connect_ldap             (off , off)  Allow httpd to can connect ldap
    httpd_can_network_connect          (on  , on )  Allow httpd to can network connect
    httpd_mod_auth_ntlm_winbind        (off , off)  Allow httpd to mod auth ntlm winbind
    httpd_tty_comm                     (off , off)  Allow httpd to tty comm
    httpd_sys_script_anon_write        (off , off)  Allow httpd to sys script anon write
    httpd_graceful_shutdown            (on  , on )  Allow httpd to graceful shutdown
    httpd_can_connect_ftp              (off , off)  Allow httpd to can connect ftp
    httpd_run_ipa                      (off , off)  Allow httpd to run ipa
    httpd_read_user_content            (off , off)  Allow httpd to read user content
    httpd_use_nfs                      (off , off)  Allow httpd to use nfs
    httpd_can_connect_zabbix           (off , off)  Allow httpd to can connect zabbix
    httpd_tmp_exec                     (off , off)  Allow httpd to tmp exec
    httpd_run_preupgrade               (off , off)  Allow httpd to run preupgrade
    httpd_manage_ipa                   (off , off)  Allow httpd to manage ipa
    httpd_can_sendmail                 (on  , on )  Allow httpd to can sendmail
    httpd_builtin_scripting            (on  , on )  Allow httpd to builtin scripting
    httpd_dbus_avahi                   (off , off)  Allow httpd to dbus avahi
    httpd_can_check_spam               (off , off)  Allow httpd to can check spam
    httpd_can_network_memcache         (off , off)  Allow httpd to can network memcache
    httpd_can_network_connect_cobbler  (off , off)  Allow httpd to can network connect cobbler
    httpd_use_sasl                     (off , off)  Allow httpd to use sasl
    httpd_serve_cobbler_files          (off , off)  Allow httpd to serve cobbler files
    httpd_execmem                      (off , off)  Allow httpd to execmem
    httpd_ssi_exec                     (off , off)  Allow httpd to ssi exec
    httpd_use_openstack                (off , off)  Allow httpd to use openstack
    httpd_enable_ftp_server            (off , off)  Allow httpd to enable ftp server
    httpd_setrlimit                    (off , off)  Allow httpd to setrlimit

Is there something in my SELinux configuration that I am not seeing?


You have shown us that your SELinux configuration looks "normal", but that does not mean it needs no adjusting to suit your specific workload.

What I would do here is put SELinux into permissive mode (setenforce 0), have auditd start a new log file (kill -USR1 <PID of auditd>), and then go about normal business; SELinux will generate messages for later analysis.

Once you have run in permissive mode for "a while", you can use the standard tools to investigate the SELinux messages.

The audit2why utility can parse the log messages and also give suggestions; for example, for the snippet you posted it says something like:

    avc: denied { module_request } for pid=3852 comm=httpd kmod="net-pf-10" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

        Was caused by:
        The boolean domain_kernel_load_modules was set incorrectly.
        Description:
        Allow all domains to have the kernel load modules

        Allow access by executing:
        # setsebool -P domain_kernel_load_modules 1

Since you are currently running in enforcing mode, only the first denial gets logged; if you fix that one you may find more, which is why you should temporarily run in permissive mode, where all denials are logged.

Sometimes audit2why is not very helpful. In those cases a deeper understanding of SELinux can help. For example, you can run the audit log through audit2allow and generate a local policy that can be applied with semodule. This should be done as sparingly as possible, because you can give yourself more than you need.
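As an added illustration of the triage step this answer describes (it is not part of the question or of the answer's own commands), the helper below turns AVC "denied" records, in the form `ausearch -i` prints them, into the `allow` rules audit2allow would generate, counts identical rules, and names a boolean where this page itself names one. The three records in `SAMPLE_AVC` are constructed for the demo: the first mirrors the denial in the question, the other two are a made-up home-directory read; the function names `avc_field`, `avc_perms`, `avc_type`, `avc_rule`, `avc_summary` and `avc_hint` are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the question or answer): summarise AVC denials the way
# one would triage `ausearch -m AVC` output before reaching for audit2why.
# Live use:  ausearch -m AVC -ts recent -i | avc_summary

# Constructed sample records; the first copies the denial from the question.
SAMPLE_AVC='type=AVC msg=audit(02/27/2016 14:07:52.662:23480) : avc: denied { module_request } for pid=3852 comm=httpd kmod="net-pf-10" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(02/27/2016 14:08:01.110:23491) : avc: denied { read } for pid=3860 comm=httpd name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(02/27/2016 14:08:01.112:23492) : avc: denied { read } for pid=3860 comm=httpd name="style.css" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Value of key=... in one record, surrounding quotes stripped (empty if absent).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*/\1/p"
}

# The permissions inside "denied { ... }", e.g. "module_request" or "read open".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*[^}[:space:]]\)[[:space:]]*}.*/\1/p'
}

# Type component of a user:role:type:level context, e.g. httpd_t.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# The allow rule audit2allow would emit for a single record.
avc_rule() {
    st=$(avc_type "$(avc_field "$1" scontext)")
    tt=$(avc_type "$(avc_field "$1" tcontext)")
    printf 'allow %s %s:%s { %s };\n' "$st" "$tt" "$(avc_field "$1" tclass)" "$(avc_perms "$1")"
}

# Read records on stdin, keep only denials, count identical rules (most frequent first).
avc_summary() {
    while IFS= read -r line; do
        case $line in
            *avc:*denied*) avc_rule "$line" ;;
        esac
    done | sort | uniq -c | sort -rn
}

# Booleans this page associates with a rule: domain_kernel_load_modules is what
# audit2why names for the question's denial (note it applies to every domain,
# not only httpd_t); httpd_enable_homedirs appears in the question's listing.
avc_hint() {
    case $1 in
        "allow httpd_t kernel_t:system { module_request };")
            echo "setsebool -P domain_kernel_load_modules 1 (grants all domains)" ;;
        "allow httpd_t user_home_t:file"*)
            echo "setsebool -P httpd_enable_homedirs 1" ;;
        *)
            echo "no boolean known here; check with audit2why before using audit2allow" ;;
    esac
}

# Demo on the constructed sample: count, rule, and the boolean to try first.
printf '%s\n' "$SAMPLE_AVC" | avc_summary | while read -r count rule; do
    printf '%s x %s\n    hint: %s\n' "$count" "$rule" "$(avc_hint "$rule")"
done
```

Reading the summary this way keeps the decision with you: a rule that maps onto an existing boolean is turned on with setsebool, and only what is left over is a candidate for an audit2allow module, which is the sparing use the answer recommends.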

To allow lighttpd to execute files, enable the SELinux boolean httpd_execmem.

Then change the file type to allow lighttpd to execute it: chcon system_u:object_r:httpd_exec_t:s0 [file]

To keep it persistent, use semanage fcontext -a -t httpd_exec_t [file].