Nie jesteś zalogowany.
Jeśli nie posiadasz konta, zarejestruj je już teraz! Pozwoli Ci ono w pełni korzystać z naszego serwisu. Spamerom dziękujemy!
Ogłoszenie
Prosimy o pomoc dla małej Julki — przekaż 1% podatku na Fundacji Dzieciom zdazyć z Pomocą.
Więcej informacji na dug.net.pl/pomagamy/.
#1 2011-12-09 13:11:37
Grzeslaw - 
Użytkownik
- Grzeslaw
- Użytkownik
- Zarejestrowany: 2008-02-12
SELinux i debugowanie problemów polityk
Witam,
Ostatnio na nowo zainstalowanym serwerku postanowiłem wdrożyć SELinuxa. Troszkę poczytałem o tym, i wiem miej więcej jak to działa, czym są użytkownicy, role typy etc.. Miałem problem z cronem na początku, jak wybadałem z logów że nie tak są uprawnienia i pomogło ustawienie w uprawnień z pliku /var/spool/cron/crontabs/root w pliku /etc/selinux/default/contexts/files/file_contexts
Jednak wciąż nie mogę do końca zrozumieć wszystkich błędów w audit.log..
Na serwerze zainstalowane jest troszkę usług poczta(postfix/amavis/clam/spam/dovecot) oprócz tego bind i LAMP. Całość działa bardzo sprawie. Samego debiana zhardenowałem jak mogłem najlepiej. Jednak to czego mi brakt o własnie SELinux..
Powyłączałem wszystkie usługi z rc2.d oprócz sshd, aktywowałem selinuxa i zrobiłem restarcik..
Pakiety po instalowane:
Kod:
ii libselinux1 2.0.96-1 SELinux runtime shared libraries ii python-selinux 2.0.96-1 Python bindings to SELinux shared libraries ii selinux-basics 0.3.7 SELinux basic support ii selinux-policy-default 2:0.2.20100524-7+squeeze1 Strict and Targeted variants of the SELinux policy ii selinux-utils 2.0.96-1 SELinux utility programs
SELinux ustawiony w trybie permissive. Po restarcie, jeśli nie działa żadna usługa to powinien być spokój wg selinux-policy-basic wg mnie.. Jednak nie jest.. W logach mam teraz np:
Kod:
type=DAEMON_END msg=audit(1323432032.713:7591): auditd normal halt, sending auid=0 pid=4011 subj=system_u:system_r:initrc_t:s0 res=success
type=DAEMON_START msg=audit(1323432162.445:9521): auditd start, ver=1.7.13 format=raw kernel=2.6.32-5-amd64 auid=4294967295 pid=1169 subj=system_u:system_r:auditd_t:s0 res=success
type=AVC msg=audit(1323432162.454:12): avc: denied { search } for pid=1159 comm="rsyslogd" name="spool" dev=sda6 ino=147457 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1323432162.458:13): avc: denied { search } for pid=1159 comm="rsyslogd" name="postfix" dev=sda6 ino=147472 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=AVC msg=audit(1323432162.462:14): avc: denied { write } for pid=1159 comm="rsyslogd" name="dev" dev=sda6 ino=147484 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=AVC msg=audit(1323432162.462:15): avc: denied { add_name } for pid=1159 comm="rsyslogd" name="log" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=AVC msg=audit(1323432162.462:16): avc: denied { create } for pid=1159 comm="rsyslogd" name="log" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=sock_file
type=AVC msg=audit(1323432162.466:17): avc: denied { setattr } for pid=1159 comm="rsyslogd" name="log" dev=sda6 ino=147461 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=sock_file
type=AVC msg=audit(1323432162.522:18): avc: denied { read } for pid=1192 comm="rndc" name="bind" dev=sda1 ino=268885 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:named_zone_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1323432162.522:18): arch=c000003e syscall=4 success=no exit=-2 a0=7fb5a34b3e22 a1=7fff22566c10 a2=7fff22566c10 a3=7fb5a16e4fb0 items=0 ppid=1191 pid=1192 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rndc" exe="/usr/sbin/rndc" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1323432162.522:19): avc: denied { getattr } for pid=1192 comm="rndc" path="/var/chroot/bind9/etc/bind/rndc.key" dev=sda6 ino=917521 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1323432162.522:19): arch=c000003e syscall=4 success=yes exit=0 a0=7fb5a34b3e36 a1=7fff22566c10 a2=7fff22566c10 a3=7fb5a16e4fb0 items=0 ppid=1191 pid=1192 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rndc" exe="/usr/sbin/rndc" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1323432162.525:20): avc: denied { read } for pid=1192 comm="rndc" name="rndc.key" dev=sda6 ino=917521 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1323432162.525:20): avc: denied { open } for pid=1192 comm="rndc" name="rndc.key" dev=sda6 ino=917521 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1323432162.525:20): arch=c000003e syscall=2 success=no exit=-131923471007784 a0=7fb5a34b3e36 a1=0 a2=1b6 a3=0 items=0 ppid=1191 pid=1192 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rndc" exe="/usr/sbin/rndc" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1323432162.525:21): avc: denied { node_bind } for pid=1200 comm="rndc" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1323432162.525:21): arch=c000003e syscall=49 success=yes exit=0 a0=14 a1=7fb5a36b5a00 a2=10 a3=6 items=0 ppid=1191 pid=1200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rndc" exe="/usr/sbin/rndc" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1323432162.525:22): avc: denied { name_connect } for pid=1200 comm="rndc" dest=953 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rndc_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1323432162.525:22): arch=c000003e syscall=42 success=no exit=-115 a0=14 a1=7fb5a36b54a0 a2=10 a3=7fb5a3467f70 items=0 ppid=1191 pid=1200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rndc" exe="/usr/sbin/rndc" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1323432162.530:23): avc: denied { search } for pid=1203 comm="clamav-freshcla" name="clamav" dev=sda6 ino=124405 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1323432162.530:23): arch=c000003e syscall=4 success=no exit=-2 a0=220fe88 a1=7ffffbcc4460 a2=7ffffbcc4460 a3=8 items=0 ppid=1188 pid=1203 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="clamav-freshcla" exe="/bin/bash" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1323432162.546:24): avc: denied { append } for pid=1160 comm=72733A6D61696E20513A526567 name="kern.log" dev=sda7 ino=185 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1323432162.546:25): avc: denied { open } for pid=1160 comm=72733A6D61696E20513A526567 name="kern.log" dev=sda7 ino=185 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1323432162.546:26): avc: denied { ioctl } for pid=1160 comm=72733A6D61696E20513A526567 path="/var/log/kern.log" dev=sda7 ino=185 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1323432162.546:27): avc: denied { getattr } for pid=1160 comm=72733A6D61696E20513A526567 path="/var/log/kern.log" dev=sda7 ino=185 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=CONFIG_CHANGE msg=audit(1323432162.869:28): audit_backlog_limit=320 old=64 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1
type=AVC msg=audit(1323432163.301:29): avc: denied { read } for pid=1279 comm="hostname" path="pipe:[6710]" dev=pipefs ino=6710 scontext=system_u:system_r:hostname_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1323432163.301:29): arch=c000003e syscall=59 success=yes exit=0 a0=17bc1a8 a1=17b4008 a2=179cc08 a3=0 items=0 ppid=1278 pid=1279 auid=4294967295 uid=105 gid=109 euid=105 suid=105 fsuid=105 egid=109 sgid=109 fsgid=109 tty=(none) ses=4294967295 comm="hostname" exe="/bin/hostname" subj=system_u:system_r:hostname_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1323432244.317:30): avc: denied { read write } for pid=2343 comm="sshd" name="secrets.tdb" dev=sda6 ino=132300 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1323432244.317:30): avc: denied { open } for pid=2343 comm="sshd" name="secrets.tdb" dev=sda6 ino=132300 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1323432244.317:30): arch=c000003e syscall=2 success=yes exit=4 a0=7f3a089a6830 a1=42 a2=180 a3=0 items=0 ppid=1226 pid=2343 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1323432244.326:31): avc: denied { lock } for pid=2343 comm="sshd" path="/var/lib/samba/secrets.tdb" dev=sda6 ino=132300 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1323432244.326:31): arch=c000003e syscall=72 success=yes exit=0 a0=4 a1=7 a2=7fff978f41f0 a3=0 items=0 ppid=1226 pid=2343 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1323432244.326:32): avc: denied { getattr } for pid=2343 comm="sshd" path="/var/lib/samba/secrets.tdb" dev=sda6 ino=132300 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1323432244.326:32): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7fff978f4270 a2=7fff978f4270 a3=0 items=0 ppid=1226 pid=2343 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1323432244.342:33): avc: denied { setattr } for pid=2343 comm="sshd" name="group_mapping.ldb" dev=sda6 ino=132303 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1323432244.342:33): arch=c000003e syscall=90 success=yes exit=0 a0=7f3a089a8670 a1=180 a2=ffffffffffffffa0 a3=c items=0 ppid=1226 pid=2343 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)audit2allow mówi:
Kod:
#============= hostname_t ==============
allow hostname_t crond_t:fifo_file read;
#============= sshd_t ==============
allow sshd_t var_lib_t:file { write getattr setattr read lock open };
#============= syslogd_t ==============
allow syslogd_t file_t:file { ioctl open getattr append };
allow syslogd_t postfix_spool_t:dir { write search add_name };
allow syslogd_t postfix_spool_t:sock_file { create setattr };
allow syslogd_t var_spool_t:dir search;
#============= udev_t ==============
allow udev_t clamd_var_lib_t:dir search;
allow udev_t named_zone_t:lnk_file read;
allow udev_t node_t:tcp_socket node_bind;
allow udev_t rndc_port_t:tcp_socket name_connect;
allow udev_t var_t:file { read getattr open };
#============= unconfined_cronjob_t ==============
allow unconfined_cronjob_t self:process execmem;
#============= ROLES ==============
role system_r types unconfined_cronjob_t;No i teraz może ktoś mądrzejszy i uprzejmy byłby wstanie mnie nakierować na schemat jak dochodzić do powodów tych problemów..
Bardzo byłbym dzwięczny gdyby ktoś mi to jakoś wyjaśnił.. Bo nie wszystko jest takie proste na początku..
Pozdrawiam!
Offline
#2 2011-12-09 13:39:29
Jacekalex - Podobno człowiek...;)
- Jacekalex
- Podobno człowiek...;)
- Skąd: /dev/urandom
- Zarejestrowany: 2008-01-07
Re: SELinux i debugowanie problemów polityk
U mnie w konsoli Selinux działa, za to na włączonym nie mogę się zalogować do X-serwera.
Tutaj jest fajna dokumentacja: http://www.gentoo.org/proj/pl/hardened/selinux/selinux-handbook.xml
W demokracji każdy naród ma taką władzę, na jaką zasługuje ;)
Si vis pacem para bellum ;) | Pozdrawiam :)
Offline
#3 2011-12-09 15:06:20
Grzeslaw - Użytkownik
- Grzeslaw
- Użytkownik
- Zarejestrowany: 2008-02-12
Re: SELinux i debugowanie problemów polityk
Znam to... dzieki ;)
Chodzi mi i o wyjaśnienie skąd się biorą te niespełnione reguły w logach audit.log.. Chciałbym to zrozumieć..
Offline
Informacje debugowania
| Time (s) | Query |
|---|---|
| 0.00009 | SET CHARSET latin2 |
| 0.00003 | SET NAMES latin2 |
| 0.00099 | SELECT u.*, g.*, o.logged FROM punbb_users AS u INNER JOIN punbb_groups AS g ON u.group_id=g.g_id LEFT JOIN punbb_online AS o ON o.ident='18.224.31.90' WHERE u.id=1 |
| 0.00070 | REPLACE INTO punbb_online (user_id, ident, logged) VALUES(1, '18.224.31.90', 1732217278) |
| 0.00039 | SELECT * FROM punbb_online WHERE logged<1732216978 |
| 0.00073 | SELECT topic_id FROM punbb_posts WHERE id=187515 |
| 0.00082 | SELECT id FROM punbb_posts WHERE topic_id=20211 ORDER BY posted |
| 0.00060 | SELECT t.subject, t.closed, t.num_replies, t.sticky, f.id AS forum_id, f.forum_name, f.moderators, fp.post_replies, 0 FROM punbb_topics AS t INNER JOIN punbb_forums AS f ON f.id=t.forum_id LEFT JOIN punbb_forum_perms AS fp ON (fp.forum_id=f.id AND fp.group_id=3) WHERE (fp.read_forum IS NULL OR fp.read_forum=1) AND t.id=20211 AND t.moved_to IS NULL |
| 0.00007 | SELECT search_for, replace_with FROM punbb_censoring |
| 0.00110 | SELECT u.email, u.title, u.url, u.location, u.use_avatar, u.signature, u.email_setting, u.num_posts, u.registered, u.admin_note, p.id, p.poster AS username, p.poster_id, p.poster_ip, p.poster_email, p.message, p.hide_smilies, p.posted, p.edited, p.edited_by, g.g_id, g.g_user_title, o.user_id AS is_online FROM punbb_posts AS p INNER JOIN punbb_users AS u ON u.id=p.poster_id INNER JOIN punbb_groups AS g ON g.g_id=u.group_id LEFT JOIN punbb_online AS o ON (o.user_id=u.id AND o.user_id!=1 AND o.idle=0) WHERE p.topic_id=20211 ORDER BY p.id LIMIT 0,25 |
| 0.00103 | UPDATE punbb_topics SET num_views=num_views+1 WHERE id=20211 |
| Total query time: 0.00655 s | |