解决selinux的警告

以nagios为例子

Nagios  and SELinux

Nagios 3.2.0    CentOS 5.4
在开启SELinux的情况下，SELlinux不断警告：

tail /var/log/messages Mar 9 23:58:53 wingwu setroubleshoot: SELinux is preventing ping (ping_t) "read write" to /usr/local/nagios/var/spool/checkresults/checkkbOyGH (usr_t). For complete SELinux messages. run sealert -l 19c87c57-986e-45e8-a573-cbb30aba0951

查看alert

[root@wingwu ~]# sealert -l 19c87c57-986e-45e8-a573-cbb30aba0951 Summary: SELinux is preventing ping (ping_t) "read write" to /usr/local/nagios/var/spool/checkresults/checkkbOyGH (usr_t). Detailed Description: SELinux denied access requested by ping. It is not expected that this access is required by ping and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /usr/local/nagios/var/spool/checkresults/checkkbOyGH, restorecon -v '/usr/local/nagios/var/spool/checkresults/checkkbOyGH' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:ping_t Target Context system_u:object_r:usr_t Target Objects /usr/local/nagios/var/spool/checkresults/checkkbOy                               GH [ file ] Source ping Source Path /bin/ping Port <Unknown> Host wingwu Source RPM Packages iputils-20020927-46.el5 Target RPM Packages  Policy RPM selinux-policy-2.4.6-255.el5_4.4 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name wingwu Platform Linux wingwu 2.6.18-164.11.1.el5 #1 SMP                               Wed Jan 20 07:39:04 EST 2010 i686 i686 Alert Count 1 First Seen Tue Mar 9 23:58:53 2010 Last Seen Tue Mar 9 23:58:53 2010 Local ID 19c87c57-986e-45e8-a573-cbb30aba0951 Line Numbers  Raw Audit Messages  host=wingwu type=AVC msg=audit(1268150333.223:229): avc: denied { read write } forpid=8372 comm="ping" path="/usr/local/nagios/var/spool/checkresults/checkkbOyGH" dev=hda8 ino=201256 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file host=wingwu type=SYSCALL msg=audit(1268150333.223:229): arch=40000003 syscall=11 success=yes exit=0 a0=9343aa8 a1=9343b40 a2=bfd4dc74 a3=9343b40 items=0 ppid=8371 pid=8372 auid=4294967295 uid=506 gid=510 euid=0 suid=0 fsuid=0 egid=510 sgid=510 fsgid=510 tty=(none) ses=4294967295 comm="ping" exe="/bin/ping"subj=system_u:system_r:ping_t:s0 key=(null)

解决方法：
1.用audit2allo创建一个对应的SElinux规则。
将RawAudit Messages的两条信息添加到一个文本：

[root@wingwu ~]# cat /tmp/tmp-nagiosping  host=wingwu type=AVC msg=audit(1268150163.171:228): avc: denied { read write } forpid=8345 comm="ping" path="/usr/local/nagios/var/spool/checkresults/checkQKStFR" dev=hda8 ino=201256 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file host=wingwu type=SYSCALL msg=audit(1268150163.171:228): arch=40000003 syscall=11 success=yes exit=0 a0=8d9eaa8 a1=8d9eb40 a2=bf9465e4 a3=8d9eb40 items=0 ppid=8344 pid=8345 auid=4294967295 uid=506 gid=510 euid=0 suid=0 fsuid=0 egid=510 sgid=510 fsgid=510 tty=(none) ses=4294967295 comm="ping" exe="/bin/ping"subj=system_u:system_r:ping_t:s0 key=(null)

然后创建.pp的规则包，并应用，这样就不会在有警告提示。

[root@wingwu ~]# audit2allow -M NagiosPing < /tmp/tmp-nagiosping  [root@wingwu ~]# semodule -i NagiosPing.pp

2.使用创建适用nagios的context
nagios-local.te 

policy_module(nagios-local,1.5.0) require {   class fifo_file read;   class fifo_file getattr;   class fifo_file write;   class file {create relabelto getattr};   class lnk_file {read};   class process { sigkill signal };   class udp_socket node_bind;   type restorecon_t;   type httpd_t;   type httpd_sys_content_t;   type httpd_nagios_script_exec_t;   type httpd_nagios_script_t;   type nagios_cgi_t;   type nagios_t;   type nagios_etc_t;   type ping_t;   type sbin_t;   type unlabeled_t;   type inaddr_any_node_t;   type usr_t;   type mysqld_etc_t;   role system_r; }; # Create a nagios var type type nagios_var_t; domain_type(nagios_var_t) files_type(nagios_var_t) allow nagios_t sbin_t:dir search; allow nagios_t nagios_var_t:dir rw_dir_perms; allow nagios_t nagios_var_t:dir search_dir_perms; allow nagios_t nagios_var_t:file rw_file_perms; allow nagios_t nagios_var_t:file create_file_perms; allow nagios_t nagios_var_t:fifo_file {create read write getattr}; allow ping_t nagios_var_t:fifo_file read; allow ping_t nagios_var_t:file {read write}; nagios_read_config( httpd_nagios_script_exec_t ); nagios_read_config( httpd_nagios_script_t ); nagios_read_config( nagios_cgi_t ); allow httpd_t nagios_cgi_t:process { sigkill signal }; allow nagios_cgi_t nagios_var_t:fifo_file { getattr write read }; allow nagios_cgi_t nagios_var_t:dir search; allow httpd_nagios_script_t nagios_var_t:fifo_file {getattr write }; allow httpd_nagios_script_t nagios_var_t:file r_file_perms; allow httpd_nagios_script_t nagios_var_t:dir r_dir_perms; allow httpd_nagios_script_t nagios_var_t:dir search_dir_perms; allow restorecon_t nagios_var_t:file relabelto; # # Need this so check_dns will work allow nagios_t inaddr_any_node_t:udp_socket node_bind; # # things that dont matter... dontaudit httpd_nagios_script_t unlabeled_t:dir search; dontaudit nagios_t httpd_sys_content_t:dir search; # check_mysql... dontaudit nagios_t mysqld_etc_t:file getattr; dontaudit nagios_t usr_t:file getattr; # # rules to let nagios sendmail allow nagios_t sbin_t:lnk_file read;

nagios-local.fc

/usr/local/nagios/var(/.*)? system_u:object_r:nagios_var_t:s0

参考资料：
http://wiki.nagios.org/index.php/Selinux
http://blog.pas.net.au/2009/05/fighting-with-selinux-and-nagios/
http://blogs.fedoraproject.org/wp/mgrepl/2010/01/22/selinuxnagios/

 

 

其实就是需要

require {
        type usr_t;
        type ping_t;
        class file { read write };
}

#============= ping_t ==============
allow ping_t usr_t:file { read write };

这样的规则给nagios

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

SELinux -troubleshooting file labeling issues

This is a follow-up to SELinux- dealing with exceptions.

First off, a few basics:

chcon should only be used for temporary changes. See SELinuxContexts - Labeling Files. Changes made with chcon will notsurvive a file system relabeling or use of the restorecon command.

/usr/sbin/semanage fcontext will permanently change the filecontext in a manner that will survive a relabel or restorecon. See 5.7.2.Persistent Changes: semanage fcontext in the Fedora 10 documentation.

How do I find out what file labels were defined already for a package?

This is a bit trickier, but the key lies in looking under the followingdirectory tree:

/etc/selinux/targeted/contexts/

For file labels, look at the file_context* files under:

/etc/selinux/targeted/contexts/files/

For example, I want to see what file contexts are defined for Nagios:

# grep -h "nagios"/etc/selinux/targeted/contexts/files/file_contexts*

/usr/lib(64)?/nagios/cgi(/.*)? system_u:object_r:httpd_nagios_script_exec_t:s0

/usr/lib(64)?/nagios/plugins(/.*)?      system_u:object_r:bin_t:s0

/usr/lib(64)?/nagios/cgi-bin(/.*)?     system_u:object_r:httpd_nagios_script_exec_t:s0

/usr/lib(64)?/cgi-bin/nagios(/.+)?     system_u:object_r:httpd_nagios_script_exec_t:s0

/usr/lib(64)?/cgi-bin/netsaint(/.*)?   system_u:object_r:httpd_nagios_script_exec_t:s0

/etc/nagios(/.*)?       system_u:object_r:nagios_etc_t:s0

/var/log/nagios(/.*)?   system_u:object_r:nagios_log_t:s0

/var/log/netsaint(/.*)?system_u:object_r:nagios_log_t:s0

/var/spool/nagios(/.*)?system_u:object_r:nagios_spool_t:s0

/usr/bin/nagios --      system_u:object_r:nagios_exec_t:s0

/etc/nagios/nrpe\.cfg   --     system_u:object_r:nrpe_etc_t:s0

You can also use the seinfo tool:

# seinfo -t | grep "nagios"
Rule loading disabled
nagios_spool_t
httpd_nagios_script_ra_t
httpd_nagios_script_ro_t
httpd_nagios_script_rw_t
nagios_t
httpd_nagios_script_t
nagios_tmp_t
httpd_nagios_htaccess_t
nagios_var_run_t
httpd_nagios_content_t
nagios_exec_t
httpd_nagios_script_exec_t
nagios_etc_t
nagios_log_t

Another tool is sesearch, i.e.: 

# sesearch -a | grep "nagios" | sort | uniq

Troubleshooting and fixing things

Thus, step #1 is generally that we need to figure out whether (A) the AVCdenial was caused by a mislabeled file. And if so, we need to change the filelabel.

Here's an example of what setroubleshoot log messages look like in the/var/log/messages file.

# grep "setroubleshoot" /var/log/messages
setroubleshoot: SELinux is preventing the status.cgi from using potentiallymislabeled files ./objects.cache (var_t). For complete SELinux messages. runsealert -l ce49f540-0b35-412c-862c-b901a274a421

setroubleshoot: SELinux is preventing ping (ping_t) "read write" to/var/nagios/spool/checkresults/checkZKmcmr (var_t). For complete SELinuxmessages. run sealert -l cf227199-1595-4775-9970-3935fc761b38

setroubleshoot: SELinux is preventing ping (ping_t) "read write" to/var/nagios/spool/checkresults/checke4tQgY (var_t). For complete SELinuxmessages. run sealert -l dbdc707e-193a-4f64-9bf2-0bb0d0a807e9

And here's what they look like in /var/log/audit:

# grep "AVC" /var/log/audit/audit.log | tail

type=AVC msg=audit(1233836684.122:15494): avc: denied { read } for pid=12081comm="status.cgi" name="objects.cache" dev=md1 ino=1306897scontext=system_u:system_r:httpd_nagios_script_t:s0tcontext=user_u:object_r:var_t:s0 tclass=file

type=AVC msg=audit(1233836426.120:15476): avc: denied { read write } forpid=7518 comm="ping"path="/var/nagios/spool/checkresults/checkZKmcmr" dev=md1 ino=1306899scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file

type=AVC msg=audit(1233836366.097:15454): avc: denied { read write } forpid=20671 comm="ping"path="/var/nagios/spool/checkresults/checke4tQgY" dev=md1 ino=1306899scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file

In this particular case, the fact that the target context is "var_t"generally indicates a labeling issue. The "var_t" file context ispretty generic and we don't want to give the source context(httpd_nagios_script_t) for status.cgi permissions to all files labeled withvar_t (which would be most of /var).

This means that using audit2allow is the wrong fix for thisparticular issue.

The correct solution is to either find out what file context should be used, orcreate a context and grant nagios access to those files.

References:

Fedora10 Security-Enhanced Linux User Guide

Top three things tounderstand in fixing SELinux problems. Reposted

Fedora SELinux Project Pages(wiki)

RedHat Enterprise Linux 4: Red Hat SELinux Guide

Howto: Install and Setup XEN Virtualization Software on CentOS Linux 5 -Covers how to use semanage to grant the Xen process access to a directory whereit will store the DomU storage as files.

Updates:

Earlier, I mentioned that audit2allow was really not the best way to approachfile context issues. Now that I've learned a bit more, I can point you in abetter direction. 

1) semanage fcontext -a -t (newcontext) /full/path/to/filename

The "semanage" tool creates (or updates) a file under/etc/selinux/targeted/contexts/files. (Replace the word "targeted"with the current SELinux policy that you are using.) The file it creates iscalled "file_contexts.local".

"semanage" is used to create file contexts that will survive a systemrelabeling. So to properly change the file context on a path, you will use the"semanage fcontext" command then use "restorecon -vv -F" tofix the file / directory.

Note that you must supply a full path with a leading slash, otherwise you mayfind that restorecon does the wrong thing in other directories to files thatalso happen to match the pattern.

2) Using semanage to see what the default context is for a particular file

# semanage fcontext -l | grep '/some/path'

Note that this will not tell you where / what policy (whether part of the baseSELinux package or whether it's a custom/local policy change). If you want tofigure out whether it is a local change, then you should grep the files under/etc/selinux/targeted/contexts/files.

3) Relabing using restorecon.

"restorecon -v" will tell you which files get relabeled.

"restorecon -vv" will additionally tell you about files that did notget relabeled.

"restorecon -F" can be used to force a file back to the correctcontext as defined in the SELinux policy files.