解决selinux的警告

最新推荐文章于 2024-05-13 11:53:26 发布
最新推荐文章于 2024-05-13 11:53:26 发布
阅读量7.4k 收藏 2
点赞数
分类专栏: nagios Linux 文章标签: nagios file system object sealert -l
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/xiangliangyu/article/details/7758824
版权
Linux 同时被 2 个专栏收录
172 篇文章 2 订阅
订阅专栏
nagios
8 篇文章 0 订阅
订阅专栏

以nagios为例子

Nagios  and SELinux

Nagios 3.2.0    CentOS 5.4
在开启SELinux的情况下,SELlinux不断警告:

tail /var/log/messages

Mar 9 23:58:53 wingwu setroubleshoot: SELinux is preventing ping (ping_t) "read write" to /usr/local/nagios/var/spool/checkresults/checkkbOyGH (usr_t). For complete SELinux messages. run sealert -l 19c87c57-986e-45e8-a573-cbb30aba0951


查看alert

[root@wingwu ~]# sealert -l 19c87c57-986e-45e8-a573-cbb30aba0951

Summary:

SELinux is preventing ping (ping_t) "read write" to
/usr/local/nagios/var/spool/checkresults/checkkbOyGH (usr_t).

Detailed Description:

SELinux denied access requested by ping. It is not expected that this access is
required by ping and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for
/usr/local/nagios/var/spool/checkresults/checkkbOyGH,

restorecon -'/usr/local/nagios/var/spool/checkresults/checkkbOyGH'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:system_r:ping_t
Target Context system_u:object_r:usr_t
Target Objects /usr/local/nagios/var/spool/checkresults/checkkbOy
                              GH [ file ]
Source ping
Source Path /bin/ping
Port <Unknown>
Host wingwu
Source RPM Packages iputils-20020927-46.el5
Target RPM Packages 
Policy RPM selinux-policy-2.4.6-255.el5_4.4
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name wingwu
Platform Linux wingwu 2.6.18-164.11.1.el5 #1 SMP
                              Wed Jan 20 07:39:04 EST 2010 i686 i686
Alert Count 1
First Seen Tue Mar 9 23:58:53 2010
Last Seen Tue Mar 9 23:58:53 2010
Local ID 19c87c57-986e-45e8-a573-cbb30aba0951
Line Numbers 

Raw Audit Messages 

host=wingwu type=AVC msg=audit(1268150333.223:229): avc: denied { read write } forpid=8372 comm="ping" path="/usr/local/nagios/var/spool/checkresults/checkkbOyGH" dev=hda8 ino=201256 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

host=wingwu type=SYSCALL msg=audit(1268150333.223:229): arch=40000003 syscall=11 success=yes exit=0 a0=9343aa8 a1=9343b40 a2=bfd4dc74 a3=9343b40 items=0 ppid=8371 pid=8372 auid=4294967295 uid=506 gid=510 euid=0 suid=0 fsuid=0 egid=510 sgid=510 fsgid=510 tty=(none) ses=4294967295 comm="ping" exe="/bin/ping"subj=system_u:system_r:ping_t:s0 key=(null)


解决方法:
1.audit2allo创建一个对应的SElinux规则。
RawAudit Messages的两条信息添加到一个文本:

[root@wingwu ~]# cat /tmp/tmp-nagiosping 
host=wingwu type=AVC msg=audit(1268150163.171:228): avc: denied { read write } forpid=8345 comm="ping" path="/usr/local/nagios/var/spool/checkresults/checkQKStFR" dev=hda8 ino=201256 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
host=wingwu type=SYSCALL msg=audit(1268150163.171:228): arch=40000003 syscall=11 success=yes exit=0 a0=8d9eaa8 a1=8d9eb40 a2=bf9465e4 a3=8d9eb40 items=0 ppid=8344 pid=8345 auid=4294967295 uid=506 gid=510 euid=0 suid=0 fsuid=0 egid=510 sgid=510 fsgid=510 tty=(none) ses=4294967295 comm="ping" exe="/bin/ping"subj=system_u:system_r:ping_t:s0 key=(null)


然后创建.pp的规则包,并应用,这样就不会在有警告提示。

[root@wingwu ~]# audit2allow -M NagiosPing < /tmp/tmp-nagiosping 
[root@wingwu ~]# semodule -i NagiosPing.pp


2.使用创建适用nagios的context
nagios-local.te 

policy_module(nagios-local,1.5.0)

require {
  class fifo_file read;
  class fifo_file getattr;
  class fifo_file write;
  class file {create relabelto getattr};
  class lnk_file {read};
  class process { sigkill signal };
  class udp_socket node_bind;
  type restorecon_t;
  type httpd_t;
  type httpd_sys_content_t;
  type httpd_nagios_script_exec_t;
  type httpd_nagios_script_t;
  type nagios_cgi_t;
  type nagios_t;
  type nagios_etc_t;
  type ping_t;
  type sbin_t;
  type unlabeled_t;
  type inaddr_any_node_t;
  type usr_t;
  type mysqld_etc_t;
  role system_r;
};

# Create a nagios var type
type nagios_var_t;
domain_type(nagios_var_t)
files_type(nagios_var_t)

allow nagios_t sbin_t:dir search;

allow nagios_t nagios_var_t:dir rw_dir_perms;
allow nagios_t nagios_var_t:dir search_dir_perms;
allow nagios_t nagios_var_t:file rw_file_perms;
allow nagios_t nagios_var_t:file create_file_perms;

allow nagios_t nagios_var_t:fifo_file {create read write getattr};

allow ping_t nagios_var_t:fifo_file read;
allow ping_t nagios_var_t:file {read write};

nagios_read_config( httpd_nagios_script_exec_t );
nagios_read_config( httpd_nagios_script_t );
nagios_read_config( nagios_cgi_t );

allow httpd_t nagios_cgi_t:process { sigkill signal };

allow nagios_cgi_t nagios_var_t:fifo_file { getattr write read };
allow nagios_cgi_t nagios_var_t:dir search;

allow httpd_nagios_script_t nagios_var_t:fifo_file {getattr write };

allow httpd_nagios_script_t nagios_var_t:file r_file_perms;
allow httpd_nagios_script_t nagios_var_t:dir r_dir_perms;
allow httpd_nagios_script_t nagios_var_t:dir search_dir_perms;

allow restorecon_t nagios_var_t:file relabelto;

#
# Need this so check_dns will work
allow nagios_t inaddr_any_node_t:udp_socket node_bind;

#
# things that dont matter...
dontaudit httpd_nagios_script_t unlabeled_t:dir search;
dontaudit nagios_t httpd_sys_content_t:dir search;

# check_mysql...
dontaudit nagios_t mysqld_etc_t:file getattr;
dontaudit nagios_t usr_t:file getattr;

#
# rules to let nagios sendmail
allow nagios_t sbin_t:lnk_file read;


nagios-local.fc

/usr/local/nagios/var(/.*)? system_u:object_r:nagios_var_t:s0


参考资料:
http://wiki.nagios.org/index.php/Selinux
http://blog.pas.net.au/2009/05/fighting-with-selinux-and-nagios/
http://blogs.fedoraproject.org/wp/mgrepl/2010/01/22/selinuxnagios/

 

 

其实就是需要

require {
        type usr_t;
        type ping_t;
        class file { read write };
}

#============= ping_t ==============
allow ping_t usr_t:file { read write };

这样的规则给nagios

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

SELinux -troubleshooting file labeling issues

This is a follow-up to SELinux- dealing with exceptions.

First off, a few basics:

chcon should only be used for temporary changes. See SELinuxContexts - Labeling Files. Changes made with chcon will notsurvive a file system relabeling or use of the restorecon command.

/usr/sbin/semanage fcontext will permanently change the filecontext in a manner that will survive a relabel or restorecon. See 5.7.2.Persistent Changes: semanage fcontext in the Fedora 10 documentation.

How do I find out what file labels were defined already for a package?

This is a bit trickier, but the key lies in looking under the followingdirectory tree:

/etc/selinux/targeted/contexts/

For file labels, look at the file_context* files under:

/etc/selinux/targeted/contexts/files/

For example, I want to see what file contexts are defined for Nagios:

# grep -h "nagios"/etc/selinux/targeted/contexts/files/file_contexts*

/usr/lib(64)?/nagios/cgi(/.*)? system_u:object_r:httpd_nagios_script_exec_t:s0

/usr/lib(64)?/nagios/plugins(/.*)?      system_u:object_r:bin_t:s0

/usr/lib(64)?/nagios/cgi-bin(/.*)?     system_u:object_r:httpd_nagios_script_exec_t:s0

/usr/lib(64)?/cgi-bin/nagios(/.+)?     system_u:object_r:httpd_nagios_script_exec_t:s0

/usr/lib(64)?/cgi-bin/netsaint(/.*)?   system_u:object_r:httpd_nagios_script_exec_t:s0

/etc/nagios(/.*)?       system_u:object_r:nagios_etc_t:s0

/var/log/nagios(/.*)?   system_u:object_r:nagios_log_t:s0

/var/log/netsaint(/.*)?system_u:object_r:nagios_log_t:s0

/var/spool/nagios(/.*)?system_u:object_r:nagios_spool_t:s0

/usr/bin/nagios --      system_u:object_r:nagios_exec_t:s0

/etc/nagios/nrpe\.cfg   --     system_u:object_r:nrpe_etc_t:s0



You can also use the seinfo tool:

# seinfo -t | grep "nagios"
Rule loading disabled
nagios_spool_t
httpd_nagios_script_ra_t
httpd_nagios_script_ro_t
httpd_nagios_script_rw_t
nagios_t
httpd_nagios_script_t
nagios_tmp_t
httpd_nagios_htaccess_t
nagios_var_run_t
httpd_nagios_content_t
nagios_exec_t
httpd_nagios_script_exec_t
nagios_etc_t
nagios_log_t

Another tool is sesearch, i.e.: 

# sesearch -a | grep "nagios" | sort | uniq

Troubleshooting and fixing things

Thus, step #1 is generally that we need to figure out whether (A) the AVCdenial was caused by a mislabeled file. And if so, we need to change the filelabel.

Here's an example of what setroubleshoot log messages look like in the/var/log/messages file.

# grep "setroubleshoot" /var/log/messages
setroubleshoot: SELinux is preventing the status.cgi from using potentiallymislabeled files ./objects.cache (var_t). For complete SELinux messages. runsealert -l ce49f540-0b35-412c-862c-b901a274a421

setroubleshoot: SELinux is preventing ping (ping_t) "read write" to/var/nagios/spool/checkresults/checkZKmcmr (var_t). For complete SELinuxmessages. run sealert -l cf227199-1595-4775-9970-3935fc761b38

setroubleshoot: SELinux is preventing ping (ping_t) "read write" to/var/nagios/spool/checkresults/checke4tQgY (var_t). For complete SELinuxmessages. run sealert -l dbdc707e-193a-4f64-9bf2-0bb0d0a807e9

And here's what they look like in /var/log/audit:

# grep "AVC" /var/log/audit/audit.log | tail

type=AVC msg=audit(1233836684.122:15494): avc: denied { read } for pid=12081comm="status.cgi" name="objects.cache" dev=md1 ino=1306897scontext=system_u:system_r:httpd_nagios_script_t:s0tcontext=user_u:object_r:var_t:s0 tclass=file

type=AVC msg=audit(1233836426.120:15476): avc: denied { read write } forpid=7518 comm="ping"path="/var/nagios/spool/checkresults/checkZKmcmr" dev=md1 ino=1306899scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file

type=AVC msg=audit(1233836366.097:15454): avc: denied { read write } forpid=20671 comm="ping"path="/var/nagios/spool/checkresults/checke4tQgY" dev=md1 ino=1306899scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file

In this particular case, the fact that the target context is "var_t"generally indicates a labeling issue. The "var_t" file context ispretty generic and we don't want to give the source context(httpd_nagios_script_t) for status.cgi permissions to all files labeled withvar_t (which would be most of /var).

This means that using audit2allow is the wrong fix for thisparticular issue.

The correct solution is to either find out what file context should be used, orcreate a context and grant nagios access to those files.

References:

Fedora10 Security-Enhanced Linux User Guide

Top three things tounderstand in fixing SELinux problems. Reposted

Fedora SELinux Project Pages(wiki)

RedHat Enterprise Linux 4: Red Hat SELinux Guide

Howto: Install and Setup XEN Virtualization Software on CentOS Linux 5 -Covers how to use semanage to grant the Xen process access to a directory whereit will store the DomU storage as files.

Updates:

Earlier, I mentioned that audit2allow was really not the best way to approachfile context issues. Now that I've learned a bit more, I can point you in abetter direction. 

1) semanage fcontext -a -t (newcontext) /full/path/to/filename

The "semanage" tool creates (or updates) a file under/etc/selinux/targeted/contexts/files. (Replace the word "targeted"with the current SELinux policy that you are using.) The file it creates iscalled "file_contexts.local".

"semanage" is used to create file contexts that will survive a systemrelabeling. So to properly change the file context on a path, you will use the"semanage fcontext" command then use "restorecon -vv -F" tofix the file / directory.

Note that you must supply a full path with a leading slash, otherwise you mayfind that restorecon does the wrong thing in other directories to files thatalso happen to match the pattern.

2) Using semanage to see what the default context is for a particular file

# semanage fcontext -l | grep '/some/path'

Note that this will not tell you where / what policy (whether part of the baseSELinux package or whether it's a custom/local policy change). If you want tofigure out whether it is a local change, then you should grep the files under/etc/selinux/targeted/contexts/files.

3) Relabing using restorecon.

"restorecon -v" will tell you which files get relabeled.

"restorecon -vv" will additionally tell you about files that did notget relabeled.

"restorecon -F" can be used to force a file back to the correctcontext as defined in the SELinux policy files.

 

向良玉
关注
  • 0
    点赞
  • 2
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 0
    评论
专栏目录
linux安装sealert工具,使用SELinux Alert Browser轻松解决SELinux问题
weixin_39640090的博客
05-11 627
原标题:使用SELinux Alert Browser轻松解决SELinux问题本篇文章作者:由悬镜安全实验室独家翻译,如需转载,请标注:如果你使用一个利用SELinux的Linux发行版,如CentOS,Red Hat,Fedora或SUSE,你就知道它可能是一个祝福和咒诅。 虽然SELinux是一个令人难以置信的强大的工具,这是一个很长的路要保持您的Linux驱动的机器安全,它可能是一个噩梦配...
linux chrome 启动后selinux 报错
weixin_34099526的博客
04-02 138
安装chrome浏览器后出现SELinux报错现象 SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome. ***** Plugin allow_execmod (91.4 confidence) suggests...
导致SELinux警告的四个常见原因
01-09
本文主要介绍下四个导致 SELinux 警告产生的原因以及解决方案。   原因一:出现标注错误   SELinux 的核心概念是标注,无论是文件系统、目录、文件、文件启动描述符、端口、消息接口还是网络接口,所有的一切都需要标签,并且仅且仅能按照标签所赋予的权限执行。即使运行的 Apache 进程被黑客入侵且取得了 uid=0 root 权限,它依然无法访问某个用户主目录下的文件。因为标注为httpdt 的 Apache 进程所持有的无法访问标注为 userhome_t 的内容。   因此,如果标注有问题的话,SELinux 会弹出警告。如何处理此类,可以参看本站前文中关于seman
启动项目时出现SELinux is preventing
最新发布
weixin_61367575的博客
05-13 328
SELinux正在阻止systemd对文件AB.sevice进行读取访问。启动项目时出现SELinux is preventing****方法一:暂时禁用SELinux。方法二:禁用SELinux
Selinux阻止Chrome的问题
xinyu_tan的专栏
10-02 713
方法是很早前从别处摘抄整理得到的,现在已经不记得转载地址,望原作者见谅。 查看日志/var/log/audit/audit.log,发现其中有一条如下所示 type=AVC msg=audit(1341590269.564:31): avc:  denied  { execute } for  pid=2568 comm="chrome" name="nacl_helper_boots
linux安装sealert工具,求助,CentOS7的SELinux有几个Alert
weixin_34098296的博客
05-11 103
大家好,我刚刚重装的centos7版本是:Linux localhost.localdomain 3.10.0-327.3.1.el7.x86_64 #1 SMP Wed Dec 9 14:09:15 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux现在SELinux有几个Alert,过了一段时间后,我的光驱就弹出了. 不知道是不是被攻击?该怎么办?谢谢Alert 1...
RedHat SELinux系统简介及案例分析
08-10
在安装过程中,可以选择“激活”、“警告”或者“关闭”SELinux。默认设置为“激活”。安装之后,可以在“应用程序”-->“系统设置”-->“安全级别”,或者直接在控制台窗口输入“system-config-securitylevel”来...
SELinux For Android8.0 && SELinux 4.0
09-03
同时,对于普通用户,了解SELinux的基本概念也能帮助他们更好地理解和应对安全相关的警告和问题。 总的来说,这些资源将带领读者深入探索Android系统安全的核心,特别是Android 8.0及其后的版本。通过学习,我们...
操作系统安全与可信计算概述.pdf
10-13
其中,SELinux是一个由美国国家安全局开发的强制访问控制安全子系统,它实现了最小特权和角色基础访问控制(RBAC),并且可以在强制、警告和关闭三种运行模式下工作。 可信计算技术是近年来发展起来的一种安全概念...
centos6.5 编译安装lamp以及相关错误的解决方法
09-15
**注意**:在编译过程中,务必阅读任何警告和错误信息,以确保编译过程顺利。 3. **清理**: 使用`make clean`命令清理编译产生的临时文件。 4. **验证安装**: 检查每个组件的安装目录,确认安装文件存在。 *...
Linux SELinux
Null的博客
12-13 1167
  SELinuxSecurity Enhanced Linux) 系统资源都是通过进程来读取更改的,为了保证系统资源的安全,传统的Linux使用用户、文件权限的概念来限制资源的访问,通过对比进程的发起用户和文件权限以此来保证系统资源的安全,这是一种自由访问控制方式(DAC);但是随着系统资源安全性要求提高,出现了在Linux下的一种安全强化机制(SELinux),该机制为进程和文件加入了除...
selinux的配置,修改安全上下文,进程与进程之间的安全上下文,查看sealert警告提示修改功能项
l578900的博客
09-23 894
三、建立一个httpd服务的主页文件,并且尝试访问 启动selinux服务,临时启动:setenforce 1立即启动setenforcing 0立即关闭 用root账户在自己的家目录建立主页文件index.html ,然后mv到/var/www/html目录中,查看其结果为:无法访问 直接进入 /var/www/html 建立主页文件,并尝试访问,访问成功 4、通过2、3步可以看出文件的安全上下文不同,修改主页文件的上下文标签使其可以正常访问。 ①可以利用restorecon恢复sel
升级chrome出现SELinux问题的解决方法
Ytingone
09-03 2183
才安装了chrome,就获得了45版本的更新,使用proxychains工具通过yum升级之后,只要一打开就出现一堆插件崩溃提示,同时SELinux也发出警报,提示: SELinux is preventing /opt/google/chrome/chrome from using the setcap access on a process. 解决方法及分析如下:
【踩坑】CentOS7部署Vulhub靶场后,在启动漏洞容器时弹出SELinux警告,致使网站无法正常执行文件上传功能。
Fighting_hawk的博客
03-08 3479
CentOS7部署Vulhub靶场后,在启动漏洞容器时弹出SELinux警告,致使网站无法正常执行文件上传功能。
关于selinux模式更改警告模式
yanchenyu365的博客
03-03 672
在CentOS 7系统中部署SELinux非常简单,由于SELinux已经作为模块集成到内核中,默认SELinux已经处于激活状态。对管理员来说,更多的是需要配置与管理SELinux,CentOS 7系统中SELinux全局配置文件为/etc/sysconfig/selinux,内容如下: [root@centos7 ~]# gedit /etc/sysconfig/selinux 其中,disabled代表禁用SELinux功能,由于SELinux是内核模块功能,所以如果设置禁用,需要重启计算机。pe
linux安装sealert工具,selinux-setroubleshoot安装及详解
weixin_39647773的博客
05-11 496
selinux对超级管理员也有效安全加强型linux自主访问体制 :又大变小user group other\ | /file/ | \r w x强制访问体制 最小权限:由小该大打开SELINUXsestatus 查看slinux状态vi...
[翻译]SELinux之于MySQL
perljoker的博客
06-04 269
译序   这是本人被折磨2天以后,才定位到SELinux的问题,然后痛苦挣扎时候搜到的E文,觉得很好,于是翻译之,用来共享,同时感谢“她”帮我做的一部分翻译。   原文参见这里:SELinux and MySQL 作者是 Jeremy Smyth on Mar 22, 2013   以下是译文   =========================================...
setenforce: SELinux is disabled解决办法
05-30
如果您想启用SELinux,可以按照以下步骤操作: 1. 编辑SELinux配置文件/etc/selinux/config,将SELINUX的值改为enforcing。 ``` sudo vim /etc/selinux/config ``` 将SELINUX的值改为enforcing,保存并退出。 2. 重启系统使配置生效。 ``` sudo reboot ``` 3. 确认SELinux是否已经启用。 ``` getenforce ``` 如果输出结果为Enforcing,表示SELinux已经启用。 请注意,启用SELinux可能会影响系统的正常运行,需要根据实际情况进行调整和配置。如果您不确定如何正确配置SELinux,请咨询系统管理员或安全专家的建议。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

向良玉

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值