http://linux.vbird.org/linux_basic/0440processcontrol.php
http://www.ibm.com/developerworks/cn/linux/l-selinux/
Source of main text: http://wiki.eri.ucsb.edu/sysadm/SELinux
SELinux is a set of extra security restrictions on top of the normal Linux security tools. It gives the systems administrator finer-grained control than the kernel's ordinary (discretionary) permissions provide. But SELinux can sometimes get in your way.
Install the policy utils:
yum install policycoreutils
Install the management GUI:
yum install policycoreutils-gui
Then run it with:
ssh -Y [email protected] /usr/bin/system-config-selinux &
and then under the Boolean tab, add what you need, like "Allow httpd to access NFS directories".
In CentOS 5.x audit2allow is part of the policycoreutils package. As of CentOS 6.x it is in policycoreutils-python.
Logging is done primarily to the /var/log/audit/audit.log file, but sometimes /var/log/messages sees them as well.
sendmail -t < /tmp/tt
sendmail: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
sendmail: fatal: root(0): unable to execute /usr/sbin/postdrop -r: Success
Temporarily turn selinux off:
echo 0 > /selinux/enforce
Temporarily turn selinux on:
echo 1 > /selinux/enforce
Edit /etc/sysconfig/selinux - look for a line like
SELINUX=enforcing
And change to
SELINUX=disabled
Looks like much of the SELinux config in CentOS is in /etc/selinux.
Found a neat util audit2allow from the http://www.crypt.gen.nz/selinux/faq.html#BSP.1 website.
Make the errors occur and then:
% cd /var/log
% tail messages | audit2allow

#============= httpd_t ==============
allow httpd_t nfs_t:dir search;
allow httpd_t nfs_t:file read;
%
Still trying to figure out what to do with the output (what file to put that in).
setsebool -P allow_ftpd_use_nfs 1
and to allow anon incoming writes:
setsebool -P allow_ftpd_anon_write 1
This resolved access to the NFS-mounted icess pages.... Not sure if I need to do this again or what.
setsebool -P httpd_use_nfs on
Issues with regular httpd on the local filesystem: good info at http://beginlinux.com/server_training/web-server/976-apache-and-selinux but still no obvious, simple solution, and no luck with Google yet. I wouldn't mind creating the correct module to make it work, but it's not clear how to do that or where to put it, as the man pages reflect a different directory structure.
getsebool -a | grep httpd
tried this in /var/www/vhosts/d6
chcon -t httpd_sys_script_exec_t *.php
CentOS 6 seems to be a little more rigid about selinux stuff... Manually set this way...
chcon -v -u system_u drupa*
chown root:root drupal-7.7
chcon -R -v -u system_u drupal-7.7
chcon -v -R -t httpd_sys_content_t drupal-7.7
I think the better approach is to do the following:
semanage fcontext -a -t httpd_sys_content_t "/var/www/vhosts(/.*)?"   # specifies a rule for the /var/www/vhosts directory hierarchy
restorecon -Rv /var/www/vhosts                                        # to update the entire tree
restorecon -v /var/www/vhosts/drupal-7.7/index.html                   # change one specific file
restorecon -Rv -n /var/www/vhosts                                     # examine without making changes
for i in samba_enable_home_dirs samba_export_all_ro samba_export_all_rw samba_share_nfs use_samba_home_dirs ; do setsebool -P $i on ; done
http://www.webhostingbuzz.com/wiki/How_to_find_the_correct_SELinux_Boolean_for_your_problem_on_CentOS_5 - Managing settings
[root@ldap ~]# getsebool -a | grep slapd
slapd_disable_trans --> off
[root@ldap ~]# setsebool -P slapd_disable_trans on
[root@ldap ~]# getsebool -a | grep slapd
slapd_disable_trans --> on
[root@ldap ~]# setsebool -P slapd_disable_trans off
As of CentOS-6, audit2allow is part of a new package (noted above as well):
yum install policycoreutils-python
The -w flag is very nice as it provides a usable description of the error and possible solutions...
audit2allow -a -w
setsebool -P httpd_use_nfs 1
setsebool -P httpd_enable_homedirs 1
Looks like semanage allows adjustments to policies without recompiling them. Manage users etc...
semanage user -l # show list of SElinux users
Discovered the following link while trying to resolve an SELinux issue with our named server: http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/8690 It might provide some interesting fixes to some of our other issues.
# tail -1000 /var/log/messages | grep avc | audit2allow -M mypol
# semodule -i mypol.pp
Just checked a new entry... Looks like audit2allow -M mypol creates a plain text file mypol.te in the current directory as well as a binary mypol.pp file. So it looks like the mypol.te file could be modified (it has a version number as well as the rules required).... Need a bit more research on that.
Looks like modules are maintained here.
/etc/selinux/targeted/modules/active/modules/
Use checkmodule to recompile a .te file (but I had issues with magic numbers on this, got close though)...
checkmodule -M -m erinsmarpwatch.te -o erinsmarpwatch.pp
Use -r on semodule to unload
semodule -r erinsmarpwatch
Use -l on semodule to list
semodule -l
Have seen ssh login issues with CentOS-6.x (could not set up DSA key autologin). After adding a loadable module, PAM would complain and kick me out of the system entirely. Resolved with this tip to get a system to relabel its security contexts (requires reboot):
touch /.autorelabel
shutdown -r now
Below is the script I built at nsm://opt/local/sbin/avccollect. This is hardwired for erins3 module as a name. I will likely modify it to make the module name an argument or flag of some type.
#!/bin/sh
# Collect recent AVC denials, merge them with those gathered on earlier passes,
# and rebuild/reload the policy module from the accumulated set.
t=/tmp/avccollect-temp    # denials seen on this pass
d=/tmp/avccollect-diff    # what changed since the last pass
u=/tmp/avccollect-un      # merged, de-duplicated denials
mod=erins3                # module name (hardwired for now)
e=/tmp/$mod               # denials accumulated over all passes

tail -500 /var/log/messages | grep avc | grep -v ' received policyload notice' > $t
if [ -f $e ]; then
    cat $e $t | sort | uniq > $u
    diff $u $e > $d
else
    # first pass: nothing to diff against yet, so everything is new
    cat $t | sort | uniq > $u
    cp $u $d
fi
cp $u $e
echo "###################################"
echo "log messages used to create the module $mod:"
cat $e
echo ""
echo "###################################"
echo "diff of output of last two passes:"
cat $d
cat $e | audit2allow -M $mod
semodule -i $mod.pp
Then looped through the following sequence until things were working... Could fix this up to check for when changes stop happening...
sendmail -t < /tmp/ti         # submit an email as if from arpwatch
/opt/local/sbin/avccollect    # run script
Jan 12 13:45:09 dub-icess kernel: type=1400 audit(1294868709.069:90): avc: denied { read } for pid=27505 comm="automount" name="hosts" dev=dm-0 ino=2488004 scontext=system_u:system_r:automount_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
Jan 12 13:45:15 dub-icess automount[1085]: key "biogeog" not found in map source(s).
Jan 12 14:19:15 dub-icess kernel: type=1400 audit(1294870755.878:91): avc: denied { read } for pid=27682 comm="automount" name="hosts" dev=dm-0 ino=2488004 scontext=system_u:system_r:automount_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
Jan 12 14:20:13 dub-icess automount[27741]: lookup_read_master: lookup(nisplus): couldn't locate nis+ table auto.master
Jan 12 14:20:17 dub-icess kernel: type=1400 audit(1294870817.451:92): avc: denied { read } for pid=27752 comm="automount" name="hosts" dev=dm-0 ino=2488004 scontext=root:system_r:automount_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
Jan 12 14:21:32 dub-icess kernel: type=1400 audit(1294870892.970:93): avc: denied { getattr } for pid=27780 comm="httpd" path="/etc/httpd/conf.d/vhost-ccber.ucsb.edu.conf" dev=dm-0 ino=4386800 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
Jan 12 14:21:32 dub-icess kernel: type=1400 audit(1294870892.970:94): avc: denied { read } for pid=27780 comm="httpd" name="vhost-ccber.ucsb.edu.conf" dev=dm-0 ino=4386800 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
Jan 12 14:21:32 dub-icess kernel: type=1400 audit(1294870892.982:95): avc: denied { read } for pid=27781 comm="automount" name="hosts" dev=dm-0 ino=2488004 scontext=root:system_r:automount_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
Jan 12 14:35:58 dub-icess kernel: type=1400 audit(1294871758.116:96): avc: denied { getattr } for pid=27897 comm="httpd" path="/etc/httpd/conf.d/vhost-biogeog.ucsb.edu.conf" dev=dm-0 ino=2488012 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
Jan 12 14:35:58 dub-icess kernel: type=1400 audit(1294871758.116:97): avc: denied { read } for pid=27897 comm="httpd" name="vhost-biogeog.ucsb.edu.conf" dev=dm-0 ino=2488012 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
[root@zanj tmp]# cat eriarpwatch.te

module eriarpwatch 1.0;

require {
	type user_tmp_t;
	type arpwatch_t;
	class file { rename unlink };
}

#============= arpwatch_t ==============
allow arpwatch_t user_tmp_t:file { rename unlink };
[root@nsm tmp]# cat erinsmarpwatch.te

module erinsmarpwatch 1.0;

require {
	type postfix_local_t;
	type usr_t;
	class file getattr;
}

#============= postfix_local_t ==============
allow postfix_local_t usr_t:file getattr;
still had problems after using above... got the next error combined in same file and generated new module... Possibly better ways to handle this, by setting the selinux attributes to allow postfix to deal with it, but not sure how to do that yet.
Jan 21 17:56:13 nsm kernel: type=1400 audit(1295661373.741:1565961): avc: denied { getattr } for pid=23857 comm="local" path="/opt/local/home/arpwatch/.forward" dev=dm-0 ino=1930179 scontext=system_u:system_r:postfix_local_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
Jan 21 18:56:20 nsm kernel: type=1400 audit(1295664980.193:1565965): avc: denied { read } for pid=24127 comm="local" name=".forward" dev=dm-0 ino=1930179 scontext=system_u:system_r:postfix_local_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
[root@nsm tmp]# cat eriarp | audit2allow -M erinsmarpwatch
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i erinsmarpwatch.pp

[root@nsm tmp]# cat erinsmarpwatch.te

module erinsmarpwatch 1.0;

require {
	type postfix_local_t;
	type usr_t;
	class file { read getattr };
}

#============= postfix_local_t ==============
allow postfix_local_t usr_t:file { read getattr };
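The .te file above is what audit2allow derives from the two denials; the following Python script is an added example (not from this wiki page or from the SELinux tools) that reproduces that derivation: it parses the permission, scontext, tcontext and tclass fields of each AVC line, merges permissions per (source type, target type, class) triple, and emits the module source. The two sample lines are the postfix denials quoted above; the regex and the function names are my own.

```python
import re
from collections import defaultdict

# Kernel AVC denial format as it appears in /var/log/messages and audit.log
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

# Sample input: the two postfix_local_t denials quoted on this page
SAMPLE_LINES = [
    'Jan 21 17:56:13 nsm kernel: type=1400 audit(1295661373.741:1565961): avc: denied { getattr } for pid=23857 comm="local" path="/opt/local/home/arpwatch/.forward" dev=dm-0 ino=1930179 scontext=system_u:system_r:postfix_local_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file',
    'Jan 21 18:56:20 nsm kernel: type=1400 audit(1295664980.193:1565965): avc: denied { read } for pid=24127 comm="local" name=".forward" dev=dm-0 ino=1930179 scontext=system_u:system_r:postfix_local_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file',
]

def parse_avc(line):
    """Return (source type, target type, tclass, perms) for one AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:level]; the type is always the third field
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split())

def fmt_perms(perms):
    # one permission bare, several inside braces, as in a .te file
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)

def build_te(lines, module):
    """Merge denials per (source, target, class) and emit .te source like audit2allow -M."""
    rules, classes = defaultdict(set), defaultdict(set)
    for stype, ttype, tclass, perms in filter(None, map(parse_avc, lines)):
        rules[(stype, ttype, tclass)] |= perms   # same triple seen twice: union the perms
        classes[tclass] |= perms                 # require block needs every perm per class
    out = ['module %s 1.0;' % module, '', 'require {']
    out += ['\ttype %s;' % t for t in sorted({t for k in rules for t in k[:2]})]
    out += ['\tclass %s %s;' % (c, fmt_perms(p)) for c, p in sorted(classes.items())]
    out += ['}', '']
    last = None
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        if stype != last:  # one header per source domain, as audit2allow prints it
            out.append('#============= %s ==============' % stype)
            last = stype
        out.append('allow %s %s:%s %s;' % (stype, ttype, tclass, fmt_perms(perms)))
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(build_te(SAMPLE_LINES, 'erinsmarpwatch'))
```

audit2allow lists permissions in the order it met them ({ read getattr } above) where this sorts them; either form is compiled by checkmodule -M -m -o NAME.mod NAME.te followed by semodule_package -o NAME.pp -m NAME.mod, the two steps audit2allow -M runs for you. Review every allow line before semodule -i: each one widens the policy for good, and where the denial comes from a file's label rather than a missing rule, relabelling with semanage fcontext and restorecon is the narrower fix.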
So, this got me further, but then I had issues with the ~arpwatch procmail stuff. Set /selinux/enforce to 0 to see if things worked and then gathered up the avc messages and did this. Again... There should be a way to set the files I am concerned about to some other value using chcon or chcat...
[root@nsm tmp]# cat erinsmarpwatch.te

module erinsmarpwatch 1.0;

require {
	type unconfined_t;
	type var_log_t;
	type tmp_t;
	type usr_t;
	type arpwatch_data_t;
	type var_t;
	type arpwatch_t;
	type postfix_master_t;
	type procmail_t;
	type postfix_local_t;
	class dir { write relabelto search add_name remove_name };
	class file { execute read create execute_no_trans write getattr link relabelto unlink append };
}

#============= arpwatch_t ==============
allow arpwatch_t var_t:file read;

#============= postfix_local_t ==============
allow postfix_local_t usr_t:file { read getattr };

#============= procmail_t ==============
allow procmail_t arpwatch_data_t:dir search;
allow procmail_t tmp_t:file getattr;
allow procmail_t usr_t:dir { write remove_name add_name };
allow procmail_t usr_t:file { write execute link append create unlink execute_no_trans };
allow procmail_t var_log_t:file { getattr append };

#============= unconfined_t ==============
allow unconfined_t postfix_master_t:dir relabelto;
allow unconfined_t postfix_master_t:file relabelto;
This got me further, but then started seeing avc issues with running snmpwalk and other stuff associated with the switch search... Yeeeshhhhh.
Was having some issue with local home directories on CentOS 6. Fudged the results by using an autofs_t, but the proper setting seems to be the one below.
chcon -t user_home_dir_t <homedir>
cat /etc/auto.direct
/krust/projects -rw,context=system_u:object_r:httpd_sys_content_t krust:/raid/crustal/mirrors/shale/web/projects/
On CentOS-6, I have not yet figured out how to get a direct autofs mount to work with httpd. Have had to resort to creating an auto.home entry to do that. Interestingly, you don't need an actual account, just a map key and a place to mount from.