# yum install setroubleshoot
# yum install policycoreutils-gui
# getenforce
# setenforce 1
# setenforce 0
/etc/selinux/config
SELINUX=permissive
SELINUXTYPE=targeted
SELINUX=enforcing
SELINUXTYPE=targeted
第2章 SELinux のステータスおよびモードの変更 Red Hat Enterprise Linux 8 | Red Hat Customer Portal
# sealert -a /var/log/audit/audit.log
# grep <分析して出てきたキーワード> /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
# setenforce 0
# semodule -r mypol
# service auditd rotate
# service auditd status
# service auditd restart
# setenforce 1
# cat /var/log/audit/audit.log | audit2allow -M mypol_XXX
# grep "項目1\|項目2\|項目3" /var/log/audit/audit.log | audit2allow -M mypol_XXX
# vi mypol_XXX.te
# checkmodule -M -m -o mypol_XXX.mod mypol_XXX.te
# semodule_package -o mypol_XXX.pp -m mypol_XXX.mod
# semodule -i mypol_XXX.pp
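#!/bin/bash
# Compile a SELinux policy module source (.te) and install it, replacing any
# already-installed module of the same name.
#   usage: $0 <policy.te>
# The .mod/.pp files are written to the current directory, as before.
if [ $# -lt 1 ]; then
    echo "usage: $0 <policy.te>"
    echo "SELinux Policy ファイルをコンパイル&インストールします。"
    exit 1
fi

TE_SRC="$1"
POLICYNAME="${TE_SRC##*/}"          # strip directory
POLICYNAME="${POLICYNAME%.*}"       # strip extension
# Keep the old behaviour (<name>.te in the CWD) when a bare module name was
# given; otherwise compile the file that was actually passed, path included.
if [ ! -f "$TE_SRC" ]; then
    TE_SRC="${POLICYNAME}.te"
fi

# Stop at the first failing step instead of installing a stale or missing .pp.
checkmodule -M -m -o "${POLICYNAME}.mod" "$TE_SRC" || exit 1
semodule_package -o "${POLICYNAME}.pp" -m "${POLICYNAME}.mod" || exit 1
rm -f "${POLICYNAME}.mod"

# Exact-name match on the first column of `semodule -l`: an unanchored grep
# for "mypol" also matched e.g. "mypol_2" and removed the wrong module.
if semodule -l | awk '{ print $1 }' | grep -Fqx -- "$POLICYNAME"; then
    semodule -v -r "$POLICYNAME"
fi
semodule -v -i "${POLICYNAME}.pp"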
#!/usr/bin/perl
use strict;
use warnings;
use utf8;
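# Normalise a SELinux .te policy for diffing: copy the header verbatim,
# rewrite the first "require { ... }" block with its "type" lines sorted
# ahead of its class lines (each line's brace list sorted too), then copy
# the remainder with the brace lists on "allow" rules sorted.
# Output is written to <infile>.sorted.
my $fileNameIn = shift or die("usage: sort_policy.pl <infile.te>\n");
my $fileNameOut = $fileNameIn . '.sorted';
open( my $fhIn, '<', $fileNameIn ) or die( "$fileNameIn: $!\n" );
open( my $fhOut, '>', $fileNameOut ) or die( "$fileNameOut: $!\n" );

# Phase 1: everything before the require block passes through unchanged.
my $sawRequire = 0;
while ( my $line = <$fhIn> ) {
    if ( $line =~ /^require\s+\{/ ) {
        $sawRequire = 1;
        last;
    }
    print {$fhOut} $line;
}

# Phase 2: collect the require block and emit it sorted, types first.
# Only done when a require header was actually seen; previously a file
# without one gained an empty "require {\n}\n" block at the end.
if ( $sawRequire ) {
    my @types   = ();
    my @classes = ();
    while ( my $line = <$fhIn> ) {
        last if $line =~ /^\}/;
        $line = sortInBracket( $line );
        if ( $line =~ /^\s+type/ ) {
            push( @types, $line );
        }
        else {
            push( @classes, $line );
        }
    }
    print {$fhOut} "require {\n";
    print {$fhOut} sort( @types );
    print {$fhOut} sort( @classes );
    print {$fhOut} "}\n";
}

# Phase 3: copy the rest, normalising brace lists on allow rules.
while ( my $line = <$fhIn> ) {
    $line = sortInBracket( $line ) if $line =~ /^allow\s/;
    print {$fhOut} $line;
}

close( $fhIn )  or die( "$fileNameIn: $!\n" );
# Buffered write errors only surface at close, so check the output handle.
close( $fhOut ) or die( "$fileNameOut: $!\n" );
exit 0;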
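# Sort the whitespace-separated tokens inside every "{ ... }" group on the
# line and normalise each group to "{ tok1 tok2 }". Lines without braces are
# returned unchanged; an undef argument yields the empty string.
# The /g flag matters for allow rules, which may carry two groups
# (target types and permissions); previously only the first was sorted.
sub sortInBracket
{
    my $line = shift;
    $line = '' unless defined $line;
    $line =~ s< \{ \s* ( [^\}]+? ) \s* \} >
              < '{ ' . join( ' ', sort( split( /\s+/, $1 ) ) ) . ' }' >gex;
    return $line;
}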
# EOF
# getsebool -a | grep http
# setsebool -P ftp_home_dir 1
# setsebool -P allow_ftpd_full_access 1
# setsebool -P httpd_can_sendmail 1
# setsebool -P httpd_can_network_connect 1
# setsebool -P httpd_can_network_connect_db 1
# setsebool -P httpd_read_user_content 1
# setsebool -P httpd_sys_script_anon_write 1
# setsebool -P named_write_master_zones 1
# setsebool -P samba_enable_home_dirs 1
# setsebool -P samba_export_all_rw 1
# semanage port -l | grep ssh
# semanage port -a -t ssh_port_t -p tcp <追加ポート>
# semanage port -l | grep pop_port_t
# semanage port -a -t pop_port_t -p tcp <追加ポート>
# ls -lZ
# chcon -R -t httpd_sys_content_t <ディレクトリ>
# find . -name "*.cgi" -or -name "*.pl" | xargs chcon -v -t httpd_sys_script_exec_t
# chcon --no-dereference -t httpd_sys_script_exec_t <シンボリックリンク>
# chmod 777 /var/www/vh1-html/Service1/store/
# semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/vh1-html/Service1/store/(.*)"
# restorecon -vR /var/www/vh1-html/Service1/store/
type=AVC msg=audit(xxx.xxx:xxx): avc: denied { getattr } for pid=xxx comm="ps" path="/proc/<pid>" dev=proc
ino=xxx scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir
ps に、 <pid> directory の getattr アクセスがデフォルトで許可されるべきです。