2010/01/15

了解 SELinux 的 security Context ,並修正錯誤。

SELINUX 小州老師這份講義很棒,請先看這裡了解他。 

鳥哥也有更新這部份的資料了

所以我就補充這段!!!
  • 了解 SELinux 的 security Context
  • 環境確認:
  1. 確認 SELinux 打開為 Enforcing mode ,如果沒有請執行 system-config-securitylevel 並把 SELinux: Enforcing(強制) 及 Firewall stop(停用)
  2. 要有student帳號,如果沒有請建立帳號 student 密碼 linux
# useradd -g users -m student
# echo 'student:linux' | chpasswd
  • 安裝 httpd 套件並啟動,然後測試 webserver ,yum setup
# yum install httpd 
# service httpd restart
* elink http://127.0.0.1 
  • 以 root 身份,建立兩個檔案
  1. /home/student/home.html 內容為 「home directory」
  2. /tmp/tmp.html 內容為 「tmp directory」
  • 把這兩個檔案搬移到 /var/www/html (httpd 預設根目錄),並使用 ls -lZ 觀看 selinux content
# mv /tmp/tmp.html  /var/www/html
# mv /home/student/home.html /var/www/html
# ls /var/www/html -lZ
-rw-r--r--  root root root:object_r:user_home_t        home.html
-rw-r--r--  root root root:object_r:tmp_t              tmp.html
  • 使用 elinks 觀看這兩個檔案 http://127.0.0.1/home.htmlhttp://127.0.0.1/tmp.html
  • 會產生 SELinux 錯誤,請觀看 /var/log/messages 及 /var/log/audit/audit.log 的錯誤紀錄,系統會伴隨錯誤發生,可以用文字命令 sealert 指令來觀看參考訊息提供錯誤的修正參考資訊,圖形介面也會有相關的提示星星。
[root@localhost html]# sealert -l 45ff7c2f-1b79-4746-8280-f7ef6fd06d5d (看log有寫怎麼下)

Summary:

SELinux is preventing the httpd from using potentially mislabeled files
(/var/www/html/tmp.html).

Detailed Description:

SELinux has denied httpd access to potentially mislabeled file(s)
(/var/www/html/tmp.html). This means that SELinux will not allow httpd to use
these files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want httpd to access this files, you need to relabel them using
restorecon -v '/var/www/html/tmp.html'. You might want to relabel the entire
directory using restorecon -R -v '/var/www/html'.

Additional Information:

Source Context                root:system_r:httpd_t
Target Context                root:object_r:tmp_t
Target Objects                /var/www/html/tmp.html [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          
Host                          localhost.localdomain
Source RPM Packages           httpd-2.2.3-31.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-255.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-164.el5 #1 SMP
                              Tue Aug 18 15:51:54 EDT 2009 i686 i686
Alert Count                   2
First Seen                    Sat Jan 16 05:28:13 2010
Last Seen                     Sat Jan 16 05:28:13 2010
Local ID                      45ff7c2f-1b79-4746-8280-f7ef6fd06d5d
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1263590893.105:76): avc:  denied 
 { getattr } for  pid=4486 comm="httpd" path="/var/www/html/tmp.html" dev=hda5 
ino=100522 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:tmp_t:s0 
tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1263590893.105:76): 
arch=40000003 syscall=196 success=no exit=-13 a0=92c5218 a1=bf9e14cc a2=943ff4 
a3=2008171 items=0 ppid=4483 pid=4486 auid=0 uid=48 gid=48 euid=48 suid=48 
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="httpd" exe="/usr
/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
  • 使用 restorecon 或是 chcon 修正這些錯誤。讓網頁可正常顯示。
# restorecon /var/www/html/home.html 
或是
# chcon -u system_u -r object_r -t httpd_sys_content_t /var/www/html/tmp.html 
結果
# ls -lZ
-rw-r--r--  root root system_u:object_r:httpd_sys_content_t home.html
-rw-r--r--  root root system_u:object_r:httpd_sys_content_t tmp.html
  • 在使用 elinks 測試看看應該就可以了!!!

沒有留言: