http://linux.vbird.org/linux_basic/0440processcontrol.php
http://www.ibm.com/developerworks/cn/linux/l-selinux/
Source of the text: http://wiki.eri.ucsb.edu/sysadm/SELinux
SELinux adds mandatory access control on top of the normal Linux permission checks: every process and file carries a label (a security context), and the loaded policy decides which labels may access which. It gives the systems administrator finer-grained control than the kernel's ordinary owner/group/mode permissions provide. But SELinux can sometimes get in your way.
Install the policy utils:

    yum install policycoreutils

Install the management GUI:

    yum install policycoreutils-gui

Then run it with:

    ssh -Y root@host.name.edu /usr/bin/system-config-selinux &

and then under the Boolean tab, add what you need, like "Allow httpd to access NFS directories".
In CentOS 5.x audit2allow is part of the policycoreutils package. As of CentOS 6.x it is in policycoreutils-python.
AVC denials are logged primarily to /var/log/audit/audit.log when auditd is running; when it is not, they go out through the kernel log and end up in /var/log/messages instead (the type=1400 kernel lines further down are that form).
Temporarily turn selinux off (permissive mode: denials are still logged, just not enforced):

    echo 0 > /selinux/enforce

Temporarily turn selinux on (enforcing):

    echo 1 > /selinux/enforce

This is the CentOS 5 and 6 path; newer releases mount selinuxfs at /sys/fs/selinux, and setenforce 0 / setenforce 1 do the same thing on any release (getenforce shows the current mode). Either way the change lasts only until reboot. To change the mode persistently, edit /etc/sysconfig/selinux - look for a line like

    SELINUX=enforcing

and change it to

    SELINUX=disabled

That takes effect at the next boot. Note that disabled is not the same as permissive: with SELINUX=disabled the kernel stops labeling new files, so going back to enforcing later needs a full relabel (touch /.autorelabel and reboot) or services will be denied access to the unlabeled files. Looks like much of the SELinux config in CentOS is in /etc/selinux (/etc/sysconfig/selinux is a symlink to /etc/selinux/config).
Found a neat util, audit2allow, from the http://www.crypt.gen.nz/selinux/faq.html#BSP.1 website.
Make the errors occur and then:

    % cd /var/log
    % tail messages | audit2allow
    #============= httpd_t ==============
    allow httpd_t nfs_t:dir search;
    allow httpd_t nfs_t:file read;
    %

Still trying to figure out what to do with the output (what file to put that in).
and to allow anon incoming writes:

    setsebool -P allow_ftpd_anon_write 1

This resolved access to the nfs mounted icess pages.... Not sure if I need to do this again or what.

    setsebool -P httpd_use_nfs on

Issues with regular httpd on local filesys: good info at http://beginlinux.com/server_training/web-server/976-apache-and-selinux. But still no obvious, simple solution and no luck with google yet. I wouldn't mind creating the correct module to make it work, but it's not clear how to do that or where to put it, as the man pages reflect a different directory structure.
    getsebool -a | grep httpd

Tried this in /var/www/vhosts/d6:

    chcon -t httpd_sys_script_exec_t *.php

CentOS 6 seems to be a little more rigid about selinux stuff... Manually set this way...

    chcon -v -u system_u drupa*
    chown root:root drupal-7.7
    chcon -R -v -u system_u drupal-7.7
    chcon -v -R -t httpd_sys_content_t drupal-7.7

I think the better approach is to do the following:
    semanage fcontext -a -t httpd_sys_content_t "/var/www/vhosts(/.*)?"   # add a rule for the /var/www/vhosts directory hierarchy
    restorecon -Rv /var/www/vhosts                                        # relabel the entire tree from the rules
    restorecon -v /var/www/vhosts/drupal-7.7/index.html                   # relabel one specific file
    restorecon -Rv -n /var/www/vhosts                                     # show what would change without changing anything

Unlike chcon, which only changes the label on the file itself, semanage fcontext stores the rule in the policy's file-context database, so restorecon reapplies it and the label survives a full relabel (/.autorelabel).

Managing settings: http://www.webhostingbuzz.com/wiki/How_to_find_the_correct_SELinux_Boolean_for_your_problem_on_CentOS_5
    [root@ldap ~]# getsebool -a | grep slapd
    slapd_disable_trans --> off
    [root@ldap ~]# setsebool -P slapd_disable_trans on
    [root@ldap ~]# getsebool -a | grep slapd
    slapd_disable_trans --> on
    [root@ldap ~]# setsebool -P slapd_disable_trans off

(The *_disable_trans booleans turn off the domain transition into the daemon's own domain, so with slapd_disable_trans on slapd is effectively no longer confined by SELinux; it is a way to test whether SELinux is the problem, not a fix.)

As of CentOS-6 audit2allow is part of a new package (noted above as well):

    yum install policycoreutils-python

The -w flag is very nice as it provides a usable description of the error and possible solutions (-a reads the audit log, -w explains each denial and names the boolean that would allow it where one exists):

    audit2allow -a -w

Looks like semanage allows adjustments to policies without recompiling them. Manage users etc...

    semanage user -l    # show list of SELinux users

Discovered the following link: http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/8690 while trying to resolve an selinux issue with our named server. It might provide some interesting fixes to some of our other issues.
Just checked a new entry... Looks like audit2allow -M mypol creates a plain text file mypol.te in the current directory as well as a binary mypol.pp file. So it looks like the mypol.te file could be modified (it has a version number as well as the rules required).... Need a bit more research on that.
Looks like modules are maintained here:

    /etc/selinux/targeted/modules/active/modules/

Use -r on semodule to unload:

    semodule -r erinsmarpwatch

Use -l on semodule to list:

    semodule -l

Have seen ssh login issues with CentOS-6.x (could not set up DSA key autologin). After adding a loadable module, PAM would complain and kick me out of the system entirely. Resolved with this tip to get a system to relabel its security contexts (requires reboot):

    touch /.autorelabel
    shutdown -r now

Below is the script I built on nsm at /opt/local/sbin/avccollect. This is hardwired for erins3 as the module name. I will likely modify it to make the module name an argument or flag of some type.
    #!/bin/sh
    # avccollect: accumulate AVC denials from /var/log/messages across runs,
    # build one policy module from everything seen so far, and load it.
    t=/tmp/avccollect-temp      # denials found in this pass
    d=/tmp/avccollect-diff      # what changed since the previous pass
    u=/tmp/avccollect-un        # union of all passes, sorted and de-duplicated
    mod=erins3                  # module name (hardwired)
    e=/tmp/$mod                 # accumulated denials from previous passes

    # Collect recent denials; the "received policyload notice" lines are
    # not denials and would confuse audit2allow.
    tail -500 /var/log/messages | grep avc | grep -v ' received policyload notice' > $t

    # Merge with what earlier passes collected (start empty on the first run
    # so the diff below has something to compare against).
    [ -f $e ] || : > $e
    cat $e $t | sort | uniq > $u

    # Record what is new before overwriting the accumulator; lines marked
    # "<" in the diff are denials first seen in this pass.
    diff $u $e > $d
    cp $u $e

    echo "###################################"
    echo "log messages used to create the module $mod:"
    cat $e
    echo ""
    echo "###################################"
    echo "diff of output of last two passes:"
    cat $d
    echo ""

    # Write $mod.te and $mod.pp in the current directory from the full set
    # of denials, then load (or replace) the module.
    cat $e | audit2allow -M $mod
    semodule -i $mod.pp

Then looped through the following sequence until things were working... Could fix this up to check for when changes stop happening...

    sendmail -t < /tmp/ti          # submit an email as if from arpwatch
    /opt/local/sbin/avccollect     # run script

Still had problems after using the above... got the next error combined in the same file and generated a new module... Possibly better ways to handle this, by setting the selinux attributes to allow postfix to deal with it, but not sure how to do that yet.
    Jan 21 17:56:13 nsm kernel: type=1400 audit(1295661373.741:1565961): avc: denied { getattr } for pid=23857 comm="local" path="/opt/local/home/arpwatch/.forward" dev=dm-0 ino=1930179 scontext=system_u:system_r:postfix_local_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
    Jan 21 18:56:20 nsm kernel: type=1400 audit(1295664980.193:1565965): avc: denied { read } for pid=24127 comm="local" name=".forward" dev=dm-0 ino=1930179 scontext=system_u:system_r:postfix_local_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file

    [root@nsm tmp]# cat eriarp | audit2allow -M erinsmarpwatch
    ******************** IMPORTANT ***********************
    To make this policy package active, execute:

    semodule -i erinsmarpwatch.pp

    [root@nsm tmp]# cat erinsmarpwatch.te
    module erinsmarpwatch 1.0;

    require {
        type postfix_local_t;
        type usr_t;
        class file { read getattr };
    }

    #============= postfix_local_t ==============
    allow postfix_local_t usr_t:file { read getattr };

So, this got me further, but then I had issues with the ~arpwatch procmail stuff. Set /selinux/enforce to 0 to see if things worked, then gathered up the avc messages and did this. Again... There should be a way to set the files I am concerned about to some other value using chcon or chcat...

    [root@nsm tmp]# cat erinsmarpwatch.te
    module erinsmarpwatch 1.0;

    require {
        type unconfined_t;
        type var_log_t;
        type tmp_t;
        type usr_t;
        type arpwatch_data_t;
        type var_t;
        type arpwatch_t;
        type postfix_master_t;
        type procmail_t;
        type postfix_local_t;
        class dir { write relabelto search add_name remove_name };
        class file { execute read create execute_no_trans write getattr link relabelto unlink append };
    }

    #============= arpwatch_t ==============
    allow arpwatch_t var_t:file read;

    #============= postfix_local_t ==============
    allow postfix_local_t usr_t:file { read getattr };

    #============= procmail_t ==============
    allow procmail_t arpwatch_data_t:dir search;
    allow procmail_t tmp_t:file getattr;
    allow procmail_t usr_t:dir { write remove_name add_name };
    allow procmail_t usr_t:file { write execute link append create unlink execute_no_trans };
    allow procmail_t var_log_t:file { getattr append };

    #============= unconfined_t ==============
    allow unconfined_t postfix_master_t:dir relabelto;
    allow unconfined_t postfix_master_t:file relabelto;

This got me further, but then started seeing avc issues with running snmpwalk and other stuff associated with the switch search... Yeeeshhhhh.
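The two postfix_local_t denials quoted above and the erinsmarpwatch.te that audit2allow -M produced from them are a small enough case to show what audit2allow actually does with an AVC line. The script below is an added example written for this page; it is not audit2allow and not the avccollect script above. It assumes only the "avc: denied { perms } for ... scontext=... tcontext=... tclass=..." form, takes the type from the third colon-separated field of each context (user:role:type:level), and uses the two denial lines from the page as its built-in sample input.

```shell
#!/bin/sh
# Added example (not audit2allow and not the page's avccollect script):
# turn kernel AVC "denied" lines into policy-module source of the shape
# audit2allow -M writes. Assumptions: only the
#   avc: denied { perms } for ... scontext=... tcontext=... tclass=...
# form is handled, and the type is the third colon-separated field of
# each context (user:role:type:level).

# Constructed sample input: the two postfix_local_t denials quoted on this
# page, as they appear in /var/log/messages when auditd is not running.
AVC_SAMPLE='Jan 21 17:56:13 nsm kernel: type=1400 audit(1295661373.741:1565961): avc: denied { getattr } for pid=23857 comm="local" path="/opt/local/home/arpwatch/.forward" dev=dm-0 ino=1930179 scontext=system_u:system_r:postfix_local_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
Jan 21 18:56:20 nsm kernel: type=1400 audit(1295664980.193:1565965): avc: denied { read } for pid=24127 comm="local" name=".forward" dev=dm-0 ino=1930179 scontext=system_u:system_r:postfix_local_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file'

# avc_tuples: AVC lines on stdin -> unique "srctype tgttype class perm"
# lines, one per denied permission, sorted.
avc_tuples() {
    grep 'avc: *denied' | awk '
    {
        perms = $0
        sub(/^.*denied *[{] */, "", perms)    # text after "denied {"
        sub(/ *[}].*$/, "", perms)            # up to the closing brace
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      src = substr($i, 10)
            else if ($i ~ /^tcontext=/) tgt = substr($i, 10)
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        if (src == "" || tgt == "" || cls == "") next   # not a complete AVC record
        split(src, s, ":"); split(tgt, t, ":")
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print s[3], t[3], cls, p[j]
    }' | sort -u
}

# avc_te MODULE: AVC lines on stdin -> module source: header, a require
# block listing every type and class/permission used, then one allow rule
# per (source, target:class) with the permissions merged.
avc_te() {
    avc_tuples | awk -v mod="$1" '
    {
        if (!($1 in types)) { types[$1] = 1; tlist[++nt] = $1 }
        if (!($2 in types)) { types[$2] = 1; tlist[++nt] = $2 }
        cp = $3 " " $4
        if (!(cp in cpseen)) {
            cpseen[cp] = 1
            if (!($3 in cperms)) { clist[++nc] = $3; cperms[$3] = $4 }
            else cperms[$3] = cperms[$3] " " $4
        }
        key = $1 " " $2 ":" $3
        if (!(key in perms)) { klist[++nk] = key; perms[key] = $4 }
        else perms[key] = perms[key] " " $4
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= nt; i++) print "  type " tlist[i] ";"
        for (i = 1; i <= nc; i++) print "  class " clist[i] " { " cperms[clist[i]] " };"
        print "}"
        for (i = 1; i <= nk; i++) {
            split(klist[i], k, " ")
            if (k[1] != last) { print ""; print "#============= " k[1] " =============="; last = k[1] }
            print "allow " klist[i] " { " perms[klist[i]] " };"
        }
    }'
}

# Stand-alone run: print the module source for the sample denials.
printf '%s\n' "$AVC_SAMPLE" | avc_te erinsmarpwatch
```

Run with real input as `grep avc /var/log/messages | avc_te mymod > mymod.te` (or audit.log lines; the same fields are present). Reading the generated rules before loading is the point: the tcontext in the two sample lines is usr_t on a file under /opt/local/home, which is a labeling mismatch, and labeling that directory (semanage fcontext plus restorecon, as done for /var/www/vhosts above) is a narrower fix than letting postfix_local_t read every usr_t file. The broader rules in the later erinsmarpwatch.te, such as procmail_t getting write and execute on usr_t files, show how quickly "allow whatever was denied" widens a domain. If you edit a .te by hand, rebuild the package with checkmodule -M -m -o mymod.mod mymod.te and semodule_package -o mymod.pp -m mymod.mod before semodule -i mymod.pp; that is what audit2allow -M runs for you.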
Was having some issues with local home directories on CentOS 6. Fudged the results by using autofs_t, but the proper setting seems to be the one below.

    chcon -t user_home_dir_t <homedir>

On CentOS-6, I have not yet figured out how to get a direct autofs mount to work with httpd. Have had to resort to creating an auto.home entry to do that. Interestingly, don't need an actual account, just a map key and a place to mount from.