7--SELinux--Lab Document--Submitted Version

SELinux context & boolean
Lab objectives
I. Learn contexts by having httpd serve files
1. View SELinux contexts
2. Troubleshoot using the log files
3. Based on the troubleshooting, adjust the context so that httpd can serve the moved file
II. Learn booleans by listing files over vsftpd
1. View boolean values
2. Troubleshoot using the logs
3. Adjust the boolean according to the log
4. ftp can list the file moved into pub
Create a control group
[root@selinux ~]# ls -ldZ /root/
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 /root/
[root@selinux ~]# echo "this is test for test1.html" > /root/test1.html
[root@selinux ~]# echo "this is test for test2.html" > /root/test2.html
View the context of the two newly created files
[root@selinux ~]# ls -lZ /root/test*html
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /root/test1.html
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /root/test2.html
[root@selinux ~]#
Copy test2.html into /var/www/html, and move (cut) test1.html into /var/www/html
[root@selinux ~]# mv /root/test1.html /var/www/html/
[root@selinux ~]# cp /root/test2.html /var/www/html/
View the security context of the files in the html directory
[root@selinux ~]# ls -lZ /var/www/html/
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 test1.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 test2.html
[root@selinux ~]#
- test1's context did not change: mv keeps the same inode, and the label is stored in the file's extended attributes, so it travels with the file
- test2 got the html directory's default label: cp creates a new file, which is labeled with the default type for new files in that directory (httpd_sys_content_t)
Request both pages in a browser
- test1 is denied (403)
- test2 loads normally
View the file permissions (DAC): both files are identical from the DAC point of view
[root@selinux ~]# ls /var/www/html/ -l
total 8
-rw-r--r--. 1 root root 28 Jul 19 11:11 test1.html
-rw-r--r--. 1 root root 28 Jul 19 11:13 test2.html
[root@selinux ~]#
The reason is that httpd runs in the httpd_t domain, and the policy has no rule allowing httpd_t to access files of type admin_home_t, so SELinux denied the request even though DAC (rw-r--r--, owned by root) would have allowed the read. Check /var/log/audit/audit.log
[root@selinux ~]# tail /var/log/audit/audit.log | grep httpd
type=AVC msg=audit(1468898414.527:903): avc: denied { getattr } for pid=13679 comm="httpd" path="/var/www/html/test1.html" dev="dm-0" ino=201327593 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
audit2why
[root@selinux ~]# audit2why < /var/log/audit/audit.log
type=AVC msg=audit(1468079955.708:417): avc: denied { create } for pid=12318 comm="gdm-session-wor" name=".cache" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
Was caused by:
The boolean polyinstantiation_enabled was set incorrectly.
Description:
Allow polyinstantiation to enabled
Allow access by executing:
# setsebool -P polyinstantiation_enabled 1
type=AVC msg=audit(1468290595.971:435): avc: denied { read } for pid=13078 comm="ifconfig" path="/run/vmware-active-nics" dev="tmpfs" ino=46486 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1468290595.979:436): avc: denied { read } for pid=13082 comm="ifconfig" path="/run/vmware-active-nics" dev="tmpfs" ino=46486 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
...// omitted
type=AVC msg=audit(1468898414.527:903): avc: denied { getattr } for pid=13679 comm="httpd" path="/var/www/html/test1.html" dev="dm-0" ino=201327593 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
[root@selinux ~]#
View the log /var/log/messages
[root@selinux ~]# tail /var/log/messages | grep setroubleshoot
Jul 19 11:36:01 localhost setroubleshoot: failed to retrieve rpm info for /var/www/html/test1.html
Jul 19 11:36:01 localhost setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/test1.html. For complete SELinux messages. run sealert -l 5dfbbffe-6d2b-4945-93d8-0cc3ff229a38
Jul 19 11:36:06 localhost setroubleshoot: failed to retrieve rpm info for /var/www/html/test1.html
Jul 19 11:36:06 localhost setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/test1.html. For complete SELinux messages. run sealert -l 5dfbbffe-6d2b-4945-93d8-0cc3ff229a38
Jul 19 11:36:06 localhost setroubleshoot: failed to retrieve rpm info for /var/www/html/test1.html
Jul 19 11:36:06 localhost setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/test1.html. For complete SELinux messages. run sealert -l 5dfbbffe-6d2b-4945-93d8-0cc3ff229a38
[root@selinux ~]#
sealert -l ...
[root@selinux ~]# sealert -l 5dfbbffe-6d2b-4945-93d8-0cc3ff229a38
SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/test1.html.
***** Plugin restorecon (99.5 confidence) suggests ************************
If you want to fix the label.
/var/www/html/test1.html default label should be httpd_sys_content_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/www/html/test1.html
***** Plugin catchall (1.49 confidence) suggests **************************
If you believe that httpd should be allowed getattr access on the test1.html file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:admin_home_t:s0
Target Objects /var/www/html/test1.html [ file ]
Source httpd
Source Path /usr/sbin/httpd
Port
Host localhost.localdomain
Source RPM Packages httpd-2.4.6-40.el7.centos.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-60.el7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name selinux
Platform Linux selinux 3.10.0-327.el7.x86_64 #1 SMP Thu Nov
19 22:10:57 UTC 2015 x86_64 x86_64
Alert Count 5
First Seen 2016-07-19 11:20:14 CST
Last Seen 2016-07-19 11:36:06 CST
Local ID 5dfbbffe-6d2b-4945-93d8-0cc3ff229a38
Raw Audit Messages
type=AVC msg=audit(1468899366.426:925): avc: denied { getattr } for pid=13678 comm="httpd" path="/var/www/html/test1.html" dev="dm-0" ino=201327593 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1468899366.426:925): arch=x86_64 syscall=lstat success=no exit=EACCES a0=7f7e478af3a8 a1=7fff0e662070 a2=7fff0e662070 a3=0 items=0 ppid=13668 pid=13678 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: httpd,httpd_t,admin_home_t,file,getattr
[root@selinux ~]#
sealert has already given the fix:
# /sbin/restorecon -v /var/www/html/test1.html
The restorecon plugin suggestion (99.5 confidence) is the right one: the file's label is simply wrong for its location. The catchall suggestion (audit2allow -M mypol; semodule -i mypol.pp) would instead add "allow httpd_t admin_home_t:file getattr" to the policy, letting Apache stat every file labeled admin_home_t, including everything under /root; prefer relabeling. Reset the labels of all files under html to their defaults
[root@selinux ~]# restorecon -Rv /var/www/html/
restorecon reset /var/www/html/test1.html context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
[root@selinux ~]#
View the context of all files under html after the relabel
[root@selinux ~]# ls /var/www/html/* -Z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/test1.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/test2.html
[root@selinux ~]#
Modify with chcon. chcon writes the new label straight onto the file; it is not recorded in the file-context database that restorecon consults, so the next restorecon or full relabel reverts it. Here test2.html is switched to admin_home_t and back by hand
[root@selinux ~]# chcon -t admin_home_t /var/www/html/test2.html
[root@selinux ~]# ls /var/www/html/test2.html
/var/www/html/test2.html
[root@selinux ~]# ls /var/www/html/test2.html -Z
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/test2.html
[root@selinux ~]# chcon -t httpd_sys_content_t /var/www/html/test2.html
[root@selinux ~]# ls /var/www/html/test2.html -Z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/test2.html
[root@selinux ~]#
chcon --reference: copy the context of one file onto another
[root@selinux ~]# chcon -t admin_home_t /var/www/html/test2.html
[root@selinux ~]# ls /var/www/html/test2.html -Z
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/test2.html
[root@selinux ~]# chcon --reference=/var/www/html/test1.html /var/www/html/test2.html
[root@selinux ~]# ls /var/www/html/test2.html -Z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/test2.html
[root@selinux ~]#
getsebool -a
[root@selinux ~]# getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
auditadm_exec_content --> on
authlogin_nsswitch_use_ldap --> off
authlogin_radius --> off
authlogin_yubikey --> off
awstats_purge_apache_log_files --> off
boinc_execmem --> on
cdrecord_read_content --> off
cluster_can_network_connect --> off
...// omitted
xguest_connect_network --> on
xguest_exec_content --> on
xguest_mount_media --> on
xguest_use_bluetooth --> on
xserver_clients_write_xshm --> off
xserver_execmem --> off
xserver_object_manager --> off
zabbix_can_network --> off
zarafa_setrlimit --> off
zebra_write_config --> off
zoneminder_anon_write --> off
zoneminder_run_sudo --> off
[root@selinux ~]#
getsebool reports whether a particular SELinux boolean or all SELinux booleans are on or off. In certain situations a boolean can be in one state with a pending change to the other state. getsebool will report this as a pending change. The pending value indicates the value that will be applied upon the next boolean commit.
The setting of boolean values occurs in two stages; first the pending value is changed, then the booleans are committed, causing their active values to become their pending values. This allows a group of booleans to be changed in a single transaction, by setting all of their pending values as desired and then committing once.
-a Show all SELinux booleans.
semanage boolean -l
[root@selinux ~]# semanage boolean -l
SELinux boolean State Default Description
ftp_home_dir (off , off) Allow ftp to home dir
smartmon_3ware (off , off) Allow smartmon to 3ware
mpd_enable_homedirs (off , off) Allow mpd to enable homedirs
xdm_sysadm_login (off , off) Allow xdm to sysadm login
xen_use_nfs (off , off) Allow xen to use nfs
mozilla_read_content (off , off) Allow mozilla to read content
ssh_chroot_rw_homedirs (off , off) Allow ssh to chroot rw homedirs
mount_anyfile (on , on) Allow mount to anyfile
cron_userdomain_transition (on , on) Allow cron to userdomain transition
icecast_use_any_tcp_ports (off , off) Allow icecast to use any tcp ports
openvpn_can_network_connect (on , on) Allow openvpn to can network connect
zoneminder_anon_write (off , off) Allow zoneminder to anon write
minidlna_read_generic_user_content (off , off) Allow minidlna to read generic user content
spamassassin_can_network (off , off) Allow spamassassin to can network
gluster_anon_write (off , off) Allow gluster to anon write
deny_ptrace (off , off) Allow deny to ptrace
selinuxuser_execmod (on , on) Allow selinuxuser to execmod
httpd_can_network_relay (off , off) Allow httpd to can network relay
...// omitted
domain_fd_use (on , on) Allow domain to fd use
virt_read_qemu_ga_data (off , off) Allow virt to read qemu ga data
virt_use_samba (off , off) Allow virt to use samba
cluster_use_execmem (off , off) Allow cluster to use execmem
nfs_export_all_ro (on , on) Allow nfs to export all ro
cron_can_relabel (off , off) Allow cron to can relabel
sftpd_anon_write (off , off) Allow sftpd to anon write
[root@selinux ~]#
Create a control group (vsftpd)
[root@selinux ftp]# cd pub
[root@selinux pub]# echo "this test is test boolean" > test1.txt
[root@selinux pub]# cd /root
[root@selinux ~]# echo "this text is from root" > test2.txt
[root@selinux ~]# which ftp
/usr/bin/which: no ftp in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
[root@selinux ~]#
[root@selinux ~]# mv test2.txt /var/ftp/pub
[root@selinux pub]# ls -Z
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 test1.txt
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 test2.txt
[root@selinux pub]#
Test with an anonymous login:
[root@selinux pub]# ftp 192.168.142.161
Connected to 192.168.142.161 (192.168.142.161).
220 (vsFTPd 3.0.2)
Name (192.168.142.161:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,142,161,140,54).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 26 Jul 19 04:05 test1.txt
226 Directory send OK.
ftp>
Check the log /var/log/audit/audit.log
[root@selinux pub]# audit2why < /var/log/audit/audit.log
...// omitted
type=AVC msg=audit(1468929713.186:1569): avc: denied { getattr } for pid=53302 comm="vsftpd" path="/pub/test2.txt" dev="dm-0" ino=201346124 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
Was caused by:
The boolean ftpd_full_access was set incorrectly.
Description:
Allow ftpd to full access
Allow access by executing:
# setsebool -P ftpd_full_access 1
[root@selinux pub]#
From the above, the fix audit2why proposes is
setsebool -P ftpd_full_access 1
audit2why picks this boolean because it is the rule that covers the denied access, but it is a very broad one: ftpd_full_access lets the ftp daemon read and write any file that DAC permits, which removes most of the confinement SELinux gives vsftpd. The root cause is the same as in the httpd case: test2.txt was moved with mv and kept admin_home_t instead of the directory default public_content_t, so the narrower fix is to relabel it with restorecon exactly as test1.html was fixed above. The lab goes the boolean route on purpose, to exercise booleans.
audit2allow
[root@selinux pub]# audit2allow < /var/log/audit/audit.log
#============= ftpd_t ==============
#!!!! This avc can be allowed using the boolean 'ftpd_full_access'
allow ftpd_t admin_home_t:file getattr;
#============= httpd_t ==============
allow httpd_t admin_home_t:file getattr;
#============= ifconfig_t ==============
allow ifconfig_t var_run_t:file read;
#============= unconfined_t ==============
allow unconfined_t self:capability2 mac_admin;
#============= xdm_t ==============
#!!!! This avc can be allowed using the boolean 'polyinstantiation_enabled'
allow xdm_t admin_home_t:dir create;
[root@selinux pub]#
The same thing is visible here: "#!!!! This avc can be allowed using the boolean 'ftpd_full_access'" followed by "allow ftpd_t admin_home_t:file getattr;". Note what the rest of this output would do if loaded as a module: "allow httpd_t admin_home_t:file getattr;" lets Apache stat files under /root, and the unconfined_t, ifconfig_t and xdm_t rules have nothing to do with this lab at all. audit2allow turns every denial it is fed into an allow rule, so never pipe the whole audit.log into it and load the result; filter to the one denial you understand, and even then prefer a relabel or an existing boolean when one applies.
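The two denials in this lab (httpd on test1.html at the start, vsftpd on test2.txt here) share one root cause: a file moved with mv kept admin_home_t. The script below is an added example, not part of the original lab, and does what a practitioner does by hand before trusting audit2why/audit2allow: it parses raw AVC records from audit.log, summarises them, and prints a fix hint. When the file's actual type differs from the expected default for its path it suggests restorecon; when there is no file path (a port or socket denial) it points at booleans. The default_type_for table is a constructed stand-in for what matchpathcon -n (or restorecon -nv) would report on the lab host; the first two sample records are the ones shown above, the third (an httpd name_connect denial on port 3306) is constructed. vsftpd logs paths relative to its anonymous root /var/ftp, which is why the hint takes an optional chroot prefix.

```shell
#!/bin/sh
# Added example (not part of the original lab): triage raw AVC records from
# /var/log/audit/audit.log and decide whether the fix is a relabel (restorecon)
# or something else (boolean / local policy). Uses only sed, tr, cut, awk.

# Print the value of one key=value field of an AVC record (quoted or bare).
avc_field() {                       # avc_field KEY "RECORD"
    printf '%s\n' "$2" |
        sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Print the permission(s) inside "denied { ... }", single-space separated.
avc_perms() {                       # avc_perms "RECORD"
    printf '%s\n' "$1" |
        sed -n 's/.*denied[[:space:]]*{\([^}]*\)}.*/\1/p' |
        tr -s ' \t' ' ' | sed 's/^ //;s/ $//'
}

# The third field of a security context is the type (httpd_t, admin_home_t, ...).
ctx_type() {                        # ctx_type "user:role:type:level"
    printf '%s\n' "$1" | cut -d: -f3
}

# Constructed table: the label each path should carry according to the default
# file contexts used in this lab. Stand-in for `matchpathcon -n PATH`.
default_type_for() {                # default_type_for PATH
    case "$1" in
        /var/www/html/*) echo httpd_sys_content_t ;;
        /var/ftp/*)      echo public_content_t ;;
        /root/*)         echo admin_home_t ;;
        *)               echo "" ;;
    esac
}

# One summary line per AVC record read from stdin (e.g. `grep avc audit.log`).
avc_summary() {
    while IFS= read -r rec; do
        case "$rec" in *"avc:"*"denied"*) ;; *) continue ;; esac
        printf 'comm=%s perm="%s" class=%s src=%s tgt=%s path=%s\n' \
            "$(avc_field comm "$rec")" "$(avc_perms "$rec")" \
            "$(avc_field tclass "$rec")" \
            "$(ctx_type "$(avc_field scontext "$rec")")" \
            "$(ctx_type "$(avc_field tcontext "$rec")")" \
            "$(avc_field path "$rec")"
    done
}

# Decide the fix for one record. CHROOT is prepended to the reported path for
# daemons that log paths relative to their chroot (vsftpd: /var/ftp).
avc_fix_hint() {                    # avc_fix_hint "RECORD" [CHROOT]
    _path=$(avc_field path "$1")
    if [ -z "$_path" ]; then
        echo "no file path in record: check booleans with audit2why before writing local policy"
        return 0
    fi
    _full="${2:-}$_path"
    _actual=$(ctx_type "$(avc_field tcontext "$1")")
    _expect=$(default_type_for "$_full")
    if [ -n "$_expect" ] && [ "$_actual" != "$_expect" ]; then
        echo "restorecon -v $_full"      # wrong label: relabel, do not widen the policy
    else
        echo "label $_actual is already the default: check booleans with audit2why before writing local policy"
    fi
}

# Constructed sample: the two denials from this lab plus one with no file path.
SAMPLE_AVCS='type=AVC msg=audit(1468898414.527:903): avc:  denied  { getattr } for  pid=13679 comm="httpd" path="/var/www/html/test1.html" dev="dm-0" ino=201327593 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1468929713.186:1569): avc:  denied  { getattr } for  pid=53302 comm="vsftpd" path="/pub/test2.txt" dev="dm-0" ino=201346124 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1468930000.000:1600): avc:  denied  { name_connect } for  pid=13680 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

printf '%s\n' "$SAMPLE_AVCS" | avc_summary
```

On a real host feed it `grep 'avc: *denied' /var/log/audit/audit.log` and replace default_type_for with a call to matchpathcon -n; the point is that the decision "relabel or boolean" is made from the tcontext type versus the path's default, not from whichever allow rule audit2allow can generate.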
Set the boolean ftpd_full_access to on
[root@selinux pub]# getsebool -a | grep ftp
ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@selinux pub]#
Here "ftpd_full_access --> off" is visible
Set ftpd_full_access on persistently (-P writes the change to the policy store so it survives a reboot; without -P the change is lost at the next boot)
[root@selinux pub]# setsebool -P ftpd_full_access 1
[root@selinux pub]# getsebool -a | grep ftp
ftp_home_dir --> on
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> on
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@selinux pub]#
Verify the result of the change
[root@selinux pub]# ftp 192.168.142.161
Connected to 192.168.142.161 (192.168.142.161).
220 (vsFTPd 3.0.2)
Name (192.168.142.161:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,142,161,25,5).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 26 Jul 19 04:05 test1.txt
-rw-r--r-- 1 0 0 23 Jul 19 04:05 test2.txt
226 Directory send OK.
ftp>
test2.txt is now listed. Note that it became visible not because its label was fixed (it still carries admin_home_t) but because vsftpd was granted blanket access; on a production host the relabel is the fix and ftpd_full_access should stay off.
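Booleans like the one just enabled are easy to set and easy to forget, so the check a practitioner wants after this step is an audit of `semanage boolean -l` output rather than another look at one `grep ftp`. The script below is an added example, not part of the original lab: it parses the "name (State , Default) description" lines shown earlier, reports booleans whose running State differs from the stored Default (what you get from setsebool without -P), and reports a small set of broad access booleans that are on. The sample output is constructed in the same format as the lab's listing, with ftpd_full_access toggled at runtime only and httpd_unified on; the list of risky booleans is an example selection, not an authoritative one.

```shell
#!/bin/sh
# Added example (not part of the original lab): audit `semanage boolean -l`
# output for runtime-only changes and for broad "full access" booleans.

# Booleans that largely remove a daemon's confinement (example selection).
RISKY_BOOLEANS="ftpd_full_access httpd_unified httpd_execmem samba_export_all_rw nfs_export_all_rw"

# Normalise each "name (cur , def) description" line to "name cur def".
# The header line has no "(" after the first word, so it is skipped.
parse_boolean_lines() {             # stdin: semanage boolean -l output
    sed -n 's/^\([A-Za-z0-9_]*\)[[:space:]]*(\([a-z]*\)[[:space:]]*,[[:space:]]*\([a-z]*\)).*/\1 \2 \3/p'
}

# Names whose running State differs from the stored Default value.
transient_changes() {               # stdin: semanage boolean -l output
    parse_boolean_lines | awk '$2 != $3 { print $1 }'
}

# Names from RISKY_BOOLEANS whose running State is on.
risky_enabled() {                   # stdin: semanage boolean -l output
    parse_boolean_lines | awk -v list="$RISKY_BOOLEANS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) risky[a[i]] = 1 }
        ($1 in risky) && $2 == "on" { print $1 }'
}

# Full report; returns non-zero when there is anything to look at, so it can
# run from cron or a CI host check.
audit_booleans() {                  # stdin: semanage boolean -l output
    _in=$(cat)
    _t=$(printf '%s\n' "$_in" | transient_changes)
    _r=$(printf '%s\n' "$_in" | risky_enabled)
    for b in $_t; do
        echo "TRANSIENT $b: State differs from Default (setsebool without -P?)"
    done
    for b in $_r; do
        echo "RISKY $b is on: broad access boolean, prefer a relabel or a narrower boolean"
    done
    [ -z "$_t$_r" ]
}

# Constructed sample in the format of `semanage boolean -l` on the lab host.
SAMPLE_BOOLEANS='SELinux boolean                State  Default Description
ftp_home_dir                   (off  ,  off)  Allow ftp to home dir
ftpd_full_access               (on   ,  off)  Allow ftpd to full access
httpd_can_network_relay        (off  ,  off)  Allow httpd to can network relay
httpd_unified                  (on   ,   on)  Allow httpd to unified
mount_anyfile                  (on   ,   on)  Allow mount to anyfile
deny_ptrace                    (off  ,  off)  Allow deny to ptrace'

printf '%s\n' "$SAMPLE_BOOLEANS" | audit_booleans ||
    echo "findings above: review before relying on this host's SELinux confinement"
```

On a real host run `semanage boolean -l | audit_booleans`; a TRANSIENT hit is either a change someone forgot to make persistent or one that was never meant to be persistent, and either way it deserves a ticket.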
The package that provides sesearch can be found with yum
[root@selinux pub]# yum search sesearch
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
========================================== Matched: sesearch ===========================================
setools-console.x86_64 : Policy analysis command-line tools for SELinux
[root@selinux pub]#