

#1  2011-12-09 13:11:37

Grzeslaw - User
Registered: 2008-02-12

SELinux and debugging policy problems

Hello,

Recently I decided to deploy SELinux on a freshly installed little server. I've read a bit about it and know more or less how it works, what users, roles, types etc. are. At first I had a problem with cron; I worked out from the logs that the permissions were wrong, and it helped to set the permissions for the file /var/spool/cron/crontabs/root in the file /etc/selinux/default/contexts/files/file_contexts.
However, I still can't fully understand all the errors in audit.log.

The server has a few services installed: mail (postfix/amavis/clam/spam/dovecot), plus bind and LAMP. Everything works very smoothly. I hardened Debian itself as best I could. But what I'm missing is precisely SELinux.
I disabled all services in rc2.d except sshd, activated SELinux and did a little reboot.
Installed packages:

Code:

ii  libselinux1                         2.0.96-1                     SELinux runtime shared libraries
ii  python-selinux                      2.0.96-1                     Python bindings to SELinux shared libraries
ii  selinux-basics                      0.3.7                        SELinux basic support
ii  selinux-policy-default              2:0.2.20100524-7+squeeze1    Strict and Targeted variants of the SELinux policy
ii  selinux-utils                       2.0.96-1                     SELinux utility programs

SELinux is set to permissive mode. After the reboot, if no service is running, it should be quiet according to selinux-policy-basic, in my opinion. But it isn't. In the logs I now have e.g.:

Code:

type=DAEMON_END msg=audit(1323432032.713:7591): auditd normal halt, sending auid=0 pid=4011 subj=system_u:system_r:initrc_t:s0 res=success
type=DAEMON_START msg=audit(1323432162.445:9521): auditd start, ver=1.7.13 format=raw kernel=2.6.32-5-amd64 auid=4294967295 pid=1169 subj=system_u:system_r:auditd_t:s0 res=success
type=AVC msg=audit(1323432162.454:12): avc:  denied  { search } for  pid=1159 comm="rsyslogd" name="spool" dev=sda6 ino=147457 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1323432162.458:13): avc:  denied  { search } for  pid=1159 comm="rsyslogd" name="postfix" dev=sda6 ino=147472 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=AVC msg=audit(1323432162.462:14): avc:  denied  { write } for  pid=1159 comm="rsyslogd" name="dev" dev=sda6 ino=147484 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=AVC msg=audit(1323432162.462:15): avc:  denied  { add_name } for  pid=1159 comm="rsyslogd" name="log" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=AVC msg=audit(1323432162.462:16): avc:  denied  { create } for  pid=1159 comm="rsyslogd" name="log" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=sock_file
type=AVC msg=audit(1323432162.466:17): avc:  denied  { setattr } for  pid=1159 comm="rsyslogd" name="log" dev=sda6 ino=147461 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=sock_file
type=AVC msg=audit(1323432162.522:18): avc:  denied  { read } for  pid=1192 comm="rndc" name="bind" dev=sda1 ino=268885 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:named_zone_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1323432162.522:18): arch=c000003e syscall=4 success=no exit=-2 a0=7fb5a34b3e22 a1=7fff22566c10 a2=7fff22566c10 a3=7fb5a16e4fb0 items=0 ppid=1191 pid=1192 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rndc" exe="/usr/sbin/rndc" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1323432162.522:19): avc:  denied  { getattr } for  pid=1192 comm="rndc" path="/var/chroot/bind9/etc/bind/rndc.key" dev=sda6 ino=917521 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1323432162.522:19): arch=c000003e syscall=4 success=yes exit=0 a0=7fb5a34b3e36 a1=7fff22566c10 a2=7fff22566c10 a3=7fb5a16e4fb0 items=0 ppid=1191 pid=1192 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rndc" exe="/usr/sbin/rndc" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1323432162.525:20): avc:  denied  { read } for  pid=1192 comm="rndc" name="rndc.key" dev=sda6 ino=917521 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1323432162.525:20): avc:  denied  { open } for  pid=1192 comm="rndc" name="rndc.key" dev=sda6 ino=917521 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1323432162.525:20): arch=c000003e syscall=2 success=no exit=-131923471007784 a0=7fb5a34b3e36 a1=0 a2=1b6 a3=0 items=0 ppid=1191 pid=1192 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rndc" exe="/usr/sbin/rndc" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1323432162.525:21): avc:  denied  { node_bind } for  pid=1200 comm="rndc" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1323432162.525:21): arch=c000003e syscall=49 success=yes exit=0 a0=14 a1=7fb5a36b5a00 a2=10 a3=6 items=0 ppid=1191 pid=1200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rndc" exe="/usr/sbin/rndc" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1323432162.525:22): avc:  denied  { name_connect } for  pid=1200 comm="rndc" dest=953 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rndc_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1323432162.525:22): arch=c000003e syscall=42 success=no exit=-115 a0=14 a1=7fb5a36b54a0 a2=10 a3=7fb5a3467f70 items=0 ppid=1191 pid=1200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rndc" exe="/usr/sbin/rndc" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1323432162.530:23): avc:  denied  { search } for  pid=1203 comm="clamav-freshcla" name="clamav" dev=sda6 ino=124405 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1323432162.530:23): arch=c000003e syscall=4 success=no exit=-2 a0=220fe88 a1=7ffffbcc4460 a2=7ffffbcc4460 a3=8 items=0 ppid=1188 pid=1203 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="clamav-freshcla" exe="/bin/bash" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1323432162.546:24): avc:  denied  { append } for  pid=1160 comm=72733A6D61696E20513A526567 name="kern.log" dev=sda7 ino=185 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1323432162.546:25): avc:  denied  { open } for  pid=1160 comm=72733A6D61696E20513A526567 name="kern.log" dev=sda7 ino=185 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1323432162.546:26): avc:  denied  { ioctl } for  pid=1160 comm=72733A6D61696E20513A526567 path="/var/log/kern.log" dev=sda7 ino=185 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1323432162.546:27): avc:  denied  { getattr } for  pid=1160 comm=72733A6D61696E20513A526567 path="/var/log/kern.log" dev=sda7 ino=185 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=CONFIG_CHANGE msg=audit(1323432162.869:28): audit_backlog_limit=320 old=64 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1
type=AVC msg=audit(1323432163.301:29): avc:  denied  { read } for  pid=1279 comm="hostname" path="pipe:[6710]" dev=pipefs ino=6710 scontext=system_u:system_r:hostname_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1323432163.301:29): arch=c000003e syscall=59 success=yes exit=0 a0=17bc1a8 a1=17b4008 a2=179cc08 a3=0 items=0 ppid=1278 pid=1279 auid=4294967295 uid=105 gid=109 euid=105 suid=105 fsuid=105 egid=109 sgid=109 fsgid=109 tty=(none) ses=4294967295 comm="hostname" exe="/bin/hostname" subj=system_u:system_r:hostname_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1323432244.317:30): avc:  denied  { read write } for  pid=2343 comm="sshd" name="secrets.tdb" dev=sda6 ino=132300 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1323432244.317:30): avc:  denied  { open } for  pid=2343 comm="sshd" name="secrets.tdb" dev=sda6 ino=132300 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1323432244.317:30): arch=c000003e syscall=2 success=yes exit=4 a0=7f3a089a6830 a1=42 a2=180 a3=0 items=0 ppid=1226 pid=2343 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1323432244.326:31): avc:  denied  { lock } for  pid=2343 comm="sshd" path="/var/lib/samba/secrets.tdb" dev=sda6 ino=132300 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1323432244.326:31): arch=c000003e syscall=72 success=yes exit=0 a0=4 a1=7 a2=7fff978f41f0 a3=0 items=0 ppid=1226 pid=2343 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1323432244.326:32): avc:  denied  { getattr } for  pid=2343 comm="sshd" path="/var/lib/samba/secrets.tdb" dev=sda6 ino=132300 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1323432244.326:32): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7fff978f4270 a2=7fff978f4270 a3=0 items=0 ppid=1226 pid=2343 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1323432244.342:33): avc:  denied  { setattr } for  pid=2343 comm="sshd" name="group_mapping.ldb" dev=sda6 ino=132303 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1323432244.342:33): arch=c000003e syscall=90 success=yes exit=0 a0=7f3a089a8670 a1=180 a2=ffffffffffffffa0 a3=c items=0 ppid=1226 pid=2343 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

audit2allow says:

Code:

#============= hostname_t ==============
allow hostname_t crond_t:fifo_file read;

#============= sshd_t ==============
allow sshd_t var_lib_t:file { write getattr setattr read lock open };

#============= syslogd_t ==============
allow syslogd_t file_t:file { ioctl open getattr append };
allow syslogd_t postfix_spool_t:dir { write search add_name };
allow syslogd_t postfix_spool_t:sock_file { create setattr };
allow syslogd_t var_spool_t:dir search;

#============= udev_t ==============
allow udev_t clamd_var_lib_t:dir search;
allow udev_t named_zone_t:lnk_file read;
allow udev_t node_t:tcp_socket node_bind;
allow udev_t rndc_port_t:tcp_socket name_connect;
allow udev_t var_t:file { read getattr open };

#============= unconfined_cronjob_t ==============
allow unconfined_cronjob_t self:process execmem;
#============= ROLES ==============
role system_r types unconfined_cronjob_t;

So now maybe someone smarter and kind would be able to point me to a scheme for how to get to the causes of these problems.
I would be very grateful if someone could explain this to me somehow. Because not everything is so simple at the beginning.


Regards!

Offline
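A way to start triaging the denials in the post above, as an added example that is not part of the thread: parse AVC records (decoding the hex-encoded comm that auditd writes when the process name contains spaces), group them by source type, target type and class, and attach a first verdict before reaching for audit2allow. The sample lines are constructed from the post's audit.log, and the triage rules are assumed heuristics, not an official tool: a file_t target means the file has no label at all (restorecon fixes it), a daemon running in udev_t means the wrong process domain, not a missing rule, and a generic var_t target usually means a path, such as the bind chroot, that the default file contexts do not cover.

```python
import re
from collections import defaultdict

# Constructed sample: three AVC records and one SYSCALL record in the shape
# of the thread's audit.log (trimmed; field values copied from the post).
SAMPLE = """\
type=AVC msg=audit(1323432162.454:12): avc:  denied  { search } for  pid=1159 comm="rsyslogd" name="spool" dev=sda6 ino=147457 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1323432162.546:24): avc:  denied  { append } for  pid=1160 comm=72733A6D61696E20513A526567 name="kern.log" dev=sda7 ino=185 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1323432162.525:20): avc:  denied  { read } for  pid=1192 comm="rndc" name="rndc.key" dev=sda6 ino=917521 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1323432162.525:20): arch=c000003e syscall=2 success=no exit=-2 comm="rndc" exe="/usr/sbin/rndc"
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    raw = dict(KV_RE.findall(m.group('rest')))
    comm = raw.get('comm', '""')
    # auditd hex-encodes comm when it contains spaces, e.g. rsyslog's "rs:main Q:Reg"
    comm = comm.strip('"') if comm.startswith('"') else bytes.fromhex(comm).decode('ascii', 'replace')
    return {
        'perms': set(m.group('perms').split()),
        'comm': comm,
        'stype': raw['scontext'].split(':')[2],   # third field of user:role:type[:mls]
        'ttype': raw['tcontext'].split(':')[2],
        'tclass': raw['tclass'],
    }

def verdict(stype, ttype, comm):
    """Heuristic triage (assumed rules): labelling problem or genuine policy gap?"""
    if stype == 'udev_t' and comm != 'udevd':
        return 'wrong source domain: process ran in udev_t, fix how it is launched'
    if ttype == 'file_t':
        return 'unlabeled target: relabel with restorecon'
    if ttype in ('var_t', 'var_lib_t'):
        return 'generic target type: path probably needs a service-specific file context'
    return 'possible policy gap: candidate for a local audit2allow module'

def triage(text):
    """Group denials by (source type, target type, class) and attach a verdict."""
    groups = defaultdict(lambda: {'perms': set(), 'comms': set()})
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc:
            g = groups[(avc['stype'], avc['ttype'], avc['tclass'])]
            g['perms'] |= avc['perms']
            g['comms'].add(avc['comm'])
            g['verdict'] = verdict(avc['stype'], avc['ttype'], avc['comm'])
    return dict(groups)

if __name__ == '__main__':
    for key, g in triage(SAMPLE).items():
        print(key, sorted(g['perms']), sorted(g['comms']), '->', g['verdict'])
```

Feed it the whole audit.log (or the output of ausearch -m avc) instead of SAMPLE; only the "possible policy gap" groups are worth turning into allow rules, the rest point at labels or init scripts.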

 

#2  2011-12-09 13:39:29

Jacekalex - Supposedly human...;)
From: /dev/urandom
Registered: 2008-01-07

Re: SELinux and debugging policy problems

For me SELinux works in the console, but with it enabled I can't log in to the X server.
Here is some nice documentation: http://www.gentoo.org/proj/pl/hardened/selinux/selinux-handbook.xml


In a democracy every nation has the government it deserves ;)
Si vis pacem para bellum ;)       |       Regards :)

Offline

 

#3  2011-12-09 15:06:20

Grzeslaw - User
Registered: 2008-02-12

Re: SELinux and debugging policy problems

I know that one... thanks ;)

What I'm after is an explanation of where these unsatisfied rules in audit.log come from. I'd like to understand it.

Offline

 
