zabbix selinux audit2allow 问题

he following example demonstrates using audit2allow to create a policy module:
  • A denial and the associated system call are logged to /var/log/audit/audit.log
    type=AVC msg=audit(1226270358.848:238): avc:  denied  { write } for  pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
    
    type=SYSCALL msg=audit(1226270358.848:238): arch=40000003 syscall=39 success=no exit=-13 a0=39a2bf a1=3ff a2=3a0354 a3=94703c8 items=0 ppid=13344 pid=13349 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certwatch" exe="/usr/bin/certwatch" subj=system_u:system_r:certwatch_t:s0 key=(null)

 

In this example, certwatch (comm="certwatch") was denied write access ({ write }) to a directory labeled with the var_t type (tcontext=system_u:object_r:var_t:s0). Analyze the denial as per Section 8.3.7, “sealert Messages”. If no label changes or Booleans allowed access, use audit2allow to create a local policy module.

 

  • With a denial logged, such as the certwatch denial in step 1, run the audit2allow -w -a command to produce a human-readable description of why access was denied. The -a option causes all audit logs to be read. The -w option produces the human-readable description. The audit2allow utility accesses /var/log/audit/audit.log, and as such, must be run as the Linux root user:
    ~]# audit2allow -w -a
    type=AVC msg=audit(1226270358.848:238): avc:  denied  { write } for  pid=13349 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
        Was caused by:
            Missing type enforcement (TE) allow rule.
    
        You can use audit2allow to generate a loadable module to allow this access.
    • As shown, access was denied due to a missing Type Enforcement rule.
    • Run the audit2allow -a command to view the Type Enforcement rule that allows the denied access:
      ~]# audit2allow -a
      
      
      #============= certwatch_t ==============
      allow certwatch_t var_t:dir write;

      *****

      Missing Type Enforcement rules are usually caused by bugs in SELinux policy, and should be reported in Red Hat Bugzilla. For Red Hat Enterprise Linux, create bugs against the Red Hat Enterprise Linux product, and select the selinux-policy component. Include the output of the audit2allow -w -a and audit2allow -a commands in such bug reports.

      ****

      To use the rule displayed by audit2allow -a, run the audit2allow -a -M mycertwatch command as the Linux root user to create custom module. The -M option creates a Type Enforcement file (.te) with the name specified with -M, in your current working directory:

      ~]# audit2allow -a -M mycertwatch
      
      ******************** IMPORTANT ***********************
      To make this policy package active, execute:
      
      semodule -i mycertwatch.pp
      
      ~]# ls
      mycertwatch.pp  mycertwatch.te

      Also, audit2allow compiles the Type Enforcement rule into a policy package (.pp). To install the module, run the semodule -i mycertwatch.pp command as the Linux root user.

       

      *****

      Modules created with audit2allow may allow more access than required. It is recommended that policy created with audit2allow be posted to an SELinux list, such as fedora-selinux-list, for review. If you believe their is a bug in policy, create a bug in Red Hat Bugzilla.

      *****

       

      If you have multiple denials from multiple processes, but only want to create a custom policy for a single process, use the grep command to narrow down the input for audit2allow. The following example demonstrates using grep to only send denials related to certwatch through audit2allow:

      ~]# grep certwatch /var/log/audit/audit.log | audit2allow -M mycertwatch2
      ******************** IMPORTANT ***********************
      To make this policy package active, execute:
      
      ~]# semodule -i mycertwatch2.pp

      Refer to Dan Walsh's "Using audit2allow to build policy modules. Revisited." blog entry for further information about using audit2allow to build policy modules.

posted @ 2017-06-09 16:49  Fatt  阅读(863)  评论(1编辑  收藏  举报