# dnf install policycoreutils policycoreutils-gui libselinux-utils setools-console checkpolicy
# dnf install policycoreutils-python-utils selinux-policy-*
# dnf install setroubleshoot
# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: disabled
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted# vi /var/log/audit/audit.log
# audit2allow -w -a
# sesearch --allow
# sesearch --neverallow
# sesearch --auditallow
# sesearch --dontaudit
# getsebool -a
# semanage export
# grep denied /var/log/audit/audit.log | tail -10 | audit2allow# tail -f /var/log/httpd/error_log
# semodule -DB # dontauditルール無効
# semodule -B # dontauditルール有効# tail -f /var/log/audit/audit.log | grep denied
# find / -inum 17350933 # inodeからファイル名# chcon -t httpd_sys_script_exec_t /var/www/html/hello.sh # ラベル付与
・httpd_sys_script_exec_t : 実行可能
・httpd_sys_rw_content_t : 読み書き可能
# semanage fcontext -l | grep httpd_sys_script_exec_t
・httpd_sys_content_t : 読み取りのみ・httpd_sys_script_exec_t : 実行可能
・httpd_sys_rw_content_t : 読み書き可能
# semanage fcontext -l | grep /var/www/
# ps -efZ | grep httpd
# ls -lZ
# ls -ldZ
# sealert -l "*"
# matchpathcon /var/www/html /var/test_www/html
# semanage fcontext -a -e /var/www /var/test_www
# restorecon -Rv /var/
【エラー発生】
# semodule -X 300 -i my-zabbixserver.pp
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/300/my-04iscsi/cil:2
semodule: Failed!
# bzip2 -d /var/lib/selinux/targeted/tmp/modules/300/my-04iscsi/cil
# cat cil.out
(typeattributeset cil_gen_require systemd_systemctl_exec_t)
(typeattributeset cil_gen_require NetworkManager_dispatcher_t)
(typeattributeset cil_gen_require passwd_file_t)
(allow NetworkManager_dispatcher_t passwd_file_t (file (getattr open read)))
(allow NetworkManager_dispatcher_t systemd_systemctl_exec_t (file (execute_no_trans)))
(allow NetworkManager_dispatcher_t systemd_systemctl_exec_t (file (execute getattr open read)))
# seinfo -t|grep NetworkManager_dispatcher_t
無い!!
【参考】
すごく読み易い。感謝です。
https://www.tohoho-web.com/ex/selinux.html
0 件のコメント:
コメントを投稿